MESOS-9529: `/proc` should be remounted even if a nested container set `share_pid_namespace` to true


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 1.4.2, 1.5.2, 1.6.2, 1.7.1
    • Fix Version/s: 1.5.4, 1.6.3, 1.7.3, 1.8.0
    • Component/s: containerization
    • Labels: None

      Description

      Currently, if a nested container wants to share the pid namespace of its parent container, we allow the framework to set `LinuxInfo.share_pid_namespace`.

      If the nested container does not have its own rootfs (i.e., it uses the host rootfs), `/proc` is not remounted:
      https://github.com/apache/mesos/blob/1.7.x/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp#L120-L126

      This is problematic because the nested container's mount namespace is cloned from the host's, so it inherits the `/proc` mounted there. As a result, the `/proc/<pid>` entries still refer to the host pid namespace, while the pid namespace of the parent container might differ from the host pid namespace.

      As a result, `ps aux` in the nested container shows all processes of the host pid namespace, even though the pid namespace of the nested container is different from the host's.
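The stale-`/proc` behaviour described above, reproduced outside Mesos as an added example (this is not code from the issue or from the Mesos isolator). It relies on a procfs property: an instance of `/proc` resolves `/proc/self` and the `/proc/<pid>` entries in the pid namespace of the process that mounted it, not in the caller's. `proc_matches_pid_ns()` is the check a process can run inside a nested container to detect an inherited `/proc`, and `remount_proc()` is the corresponding fix. The function names are this example's own. `main()` demonstrates both by entering fresh user, pid and mount namespaces with `unshare(2)`, which works as an unprivileged user only on kernels that allow user namespaces; elsewhere the demo reports itself as skipped.

```c
/* Added example, not Mesos code: why /proc must be remounted after entering
 * a new pid namespace, and a check that detects a stale (inherited) /proc.
 * Assumes Linux. The demo in main() needs unprivileged user namespaces (or
 * CAP_SYS_ADMIN) and skips itself when unshare() is refused. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pid that the mounted /proc attributes to the caller: the target of the
 * /proc/self symlink. procfs resolves it in the pid namespace the instance
 * was mounted from, so with an inherited /proc this is the host-side pid. */
long proc_self_pid(void) {
    char buf[32];
    ssize_t n = readlink("/proc/self", buf, sizeof(buf) - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return strtol(buf, NULL, 10);
}

/* 1 if /proc belongs to the caller's pid namespace, 0 if it is stale
 * (mounted from a different pid namespace), -1 if /proc is unusable. */
int proc_matches_pid_ns(void) {
    long seen = proc_self_pid();
    if (seen < 0) return -1;
    return seen == (long)getpid();
}

/* The fix: stop mount events propagating back to the parent, then mount a
 * fresh procfs so /proc reflects the pid namespace this process is in. */
int remount_proc(void) {
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0) return -1;
    return mount("proc", "/proc", "proc", MS_NOSUID | MS_NODEV | MS_NOEXEC, NULL);
}

int main(void) {
    /* A new pid namespace only applies to children, hence the fork below. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS) != 0) {
        printf("skipped: cannot unshare namespaces here (%s)\n", strerror(errno));
        return 0;
    }
    pid_t child = fork();
    if (child < 0) { perror("fork"); return 1; }
    if (child == 0) {
        /* getpid() is 1 here, but the inherited /proc still reports the
         * pid this child has in the parent's namespace. */
        printf("inherited /proc: getpid()=%d, /proc/self -> %ld, consistent=%d\n",
               getpid(), proc_self_pid(), proc_matches_pid_ns());
        if (remount_proc() != 0) { perror("remount /proc"); _exit(1); }
        printf("remounted /proc: getpid()=%d, /proc/self -> %ld, consistent=%d\n",
               getpid(), proc_self_pid(), proc_matches_pid_ns());
        _exit(0);
    }
    int status;
    if (waitpid(child, &status, 0) < 0) { perror("waitpid"); return 1; }
    return WIFEXITED(status) ? WEXITSTATUS(status) : 1;
}
```

Run as a regular user on a kernel with user namespaces enabled: the first line prints `getpid()=1` next to a much larger `/proc/self` target and `consistent=0`, the second prints `1`, `1` and `consistent=1`. Two caveats for anyone adapting the check: a `/proc` that is not mounted at all also makes `proc_matches_pid_ns()` return `-1`, so treat that separately from a stale mount; and mounting procfs from inside a user namespace is refused with `EPERM` when the existing `/proc` has parts masked by overmounts, which is common under container runtimes.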


            People

            • Assignee: Jie Yu (jieyu)
            • Reporter: Jie Yu (jieyu)
