[MESOS-9529] `/proc` should be remounted even if a nested container set `share_pid_namespace` to true - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: 1.4.2, 1.5.2, 1.6.2, 1.7.1
Fix Version/s: 1.5.4, 1.6.3, 1.7.3, 1.8.0
Component/s: containerization
Labels:
None

Description

Currently, if a nested container wants to share the pid namespace of its parent container, we allow the framework to set `LinuxInfo.share_pid_namespace`.

If the nested container does not have its own rootfs (i.e., using the host rootfs), the `/proc` is not re-mounted:
https://github.com/apache/mesos/blob/1.7.x/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp#L120-L126

This is problematic because the nested container will fork host's mount namespace, thus inherit the `/proc` there. As a result, `/proc/<pid>` are still for the host pid namespace. The pid namespace of the parent container might be different than that of the host pid namspace.

As a result, `ps aux` in the nested container will show all process information on the host pid namespace. Although, the pid namespace of the nested container is different than that of the host.

Attachments

Activity

People

Assignee:: Jie Yu

Reporter:: Jie Yu

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 18/Jan/19 22:13

Updated:: 04/Apr/19 05:27

Resolved:: 04/Apr/19 00:29