···
1
+
diff --git a/3rdparty/stout/include/stout/os/posix/chown.hpp b/3rdparty/stout/include/stout/os/posix/chown.hpp
2
+
index c82e2e574..15d332107 100644
3
+
--- a/3rdparty/stout/include/stout/os/posix/chown.hpp
4
+
+++ b/3rdparty/stout/include/stout/os/posix/chown.hpp
5
+
@@ -34,7 +34,7 @@ inline Try<Nothing> chown(
6
+
// TODO(bmahler): Consider walking the file tree instead. We would need
7
+
// to be careful to not miss dotfiles.
8
+
std::string command =
9
+
- "chown -R " + stringify(uid) + ':' + stringify(gid) + " '" + path + "'";
10
+
+ "@chown@ -R " + stringify(uid) + ':' + stringify(gid) + " '" + path + "'";
12
+
int status = os::system(command);
diff --git a/3rdparty/stout/include/stout/os/posix/fork.hpp b/3rdparty/stout/include/stout/os/posix/fork.hpp
2
-
index a29967d..290b98b 100644
15
+
index a29967dcb..290b98b50 100644
--- a/3rdparty/stout/include/stout/os/posix/fork.hpp
+++ b/3rdparty/stout/include/stout/os/posix/fork.hpp
@@ -369,7 +369,7 @@ private:
···
<< "Failed to execute '" << command << "': " << os::strerror(errno);
} else if (wait.isSome()) {
14
-
diff --git a/3rdparty/stout/include/stout/os/posix/shell.hpp b/3rdparty/stout/include/stout/os/posix/shell.hpp
15
-
index 1d73ae5..9bf89b5 100644
16
-
--- a/3rdparty/stout/include/stout/os/posix/shell.hpp
17
-
+++ b/3rdparty/stout/include/stout/os/posix/shell.hpp
18
-
@@ -37,7 +37,7 @@ namespace Shell {
19
-
// received by the callee, usually the command name and `arg1` is the
20
-
// second command argument received by the callee.
22
-
-constexpr const char* name = "sh";
23
-
+constexpr const char* name = "@sh@";
24
-
constexpr const char* arg0 = "sh";
25
-
constexpr const char* arg1 = "-c";
27
+
diff --git a/3rdparty/stout/include/stout/posix/os.hpp b/3rdparty/stout/include/stout/posix/os.hpp
28
+
index c37e64db6..d3d87b7f0 100644
29
+
--- a/3rdparty/stout/include/stout/posix/os.hpp
30
+
+++ b/3rdparty/stout/include/stout/posix/os.hpp
31
+
@@ -375,7 +375,7 @@ inline Option<std::string> getenv(const std::string& key)
32
+
inline Try<Nothing> tar(const std::string& path, const std::string& archive)
34
+
Try<std::string> tarOut =
35
+
- os::shell("tar %s %s %s", "-czf", archive.c_str(), path.c_str());
36
+
+ os::shell("@tar@ %s %s %s", "-czf", archive.c_str(), path.c_str());
38
+
if (tarOut.isError()) {
39
+
return Error("Failed to archive " + path + ": " + tarOut.error());
diff --git a/src/Makefile.am b/src/Makefile.am
28
-
index 28dd151..36fc6ec 100644
41
+
index 3bcc0f2df..e5cbc57e8 100644
31
-
@@ -1528,7 +1528,8 @@ if HAS_JAVA
44
+
@@ -1545,7 +1545,7 @@ if HAS_JAVA
$(MESOS_JAR): $(MESOS_JAR_SOURCE) $(MESOS_JAR_GENERATED) java/mesos.pom
@echo "Building mesos-$(PACKAGE_VERSION).jar ..."
- @cd $(abs_top_builddir)/src/java && $(MVN) -B -f mesos.pom clean package
+ @cd $(abs_top_builddir)/src/java && $(MVN) -B -f mesos.pom -Dmaven.repo.local=@mavenRepo@ clean package
# Convenience library for JNI bindings.
# TODO(Charles Reiss): We really should be building the Java library
diff --git a/src/cli/mesos-scp b/src/cli/mesos-scp
42
-
index a71ab07..feed8c4 100755
54
+
index a71ab0708..1043d1b3c 100755
45
-
@@ -19,7 +19,7 @@ if sys.version_info < (2,6,0):
57
+
@@ -19,7 +19,8 @@ if sys.version_info < (2,6,0):
- cmd = 'scp -pr %s %s' % (src, host + ':' + dst)
+ cmd = '@scp@ -pr %s %s' % (src, host + ':' + dst)
process = subprocess.Popen(
67
+
diff --git a/src/common/command_utils.cpp b/src/common/command_utils.cpp
68
+
index 09e805140..90bf65896 100644
69
+
--- a/src/common/command_utils.cpp
70
+
+++ b/src/common/command_utils.cpp
71
+
@@ -140,7 +140,7 @@ Future<Nothing> tar(
73
+
argv.emplace_back(input);
75
+
- return launch("tar", argv)
76
+
+ return launch("@tar@", argv)
77
+
.then([]() { return Nothing(); });
80
+
@@ -162,7 +162,7 @@ Future<Nothing> untar(
81
+
argv.emplace_back(directory.get());
84
+
- return launch("tar", argv)
85
+
+ return launch("@tar@", argv)
86
+
.then([]() { return Nothing(); });
89
+
@@ -170,7 +170,7 @@ Future<Nothing> untar(
90
+
Future<string> sha512(const Path& input)
93
+
- const string cmd = "sha512sum";
94
+
+ const string cmd = "@sha512sum@";
95
+
vector<string> argv = {
97
+
input // Input file to compute shasum.
98
+
@@ -206,7 +206,7 @@ Future<Nothing> gzip(const Path& input)
102
+
- return launch("gzip", argv)
103
+
+ return launch("@gzip@", argv)
104
+
.then([]() { return Nothing(); });
107
+
@@ -219,7 +219,7 @@ Future<Nothing> decompress(const Path& input)
111
+
- return launch("gzip", argv)
112
+
+ return launch("@gzip@", argv)
113
+
.then([]() { return Nothing(); });
diff --git a/src/launcher/fetcher.cpp b/src/launcher/fetcher.cpp
55
-
index 4456c28..e22c8fc 100644
117
+
index 4456c2813..e22c8fc03 100644
--- a/src/launcher/fetcher.cpp
+++ b/src/launcher/fetcher.cpp
@@ -68,13 +68,13 @@ static Try<bool> extract(
···
LOG(INFO) << "Copying resource with command:" << command;
diff --git a/src/linux/perf.cpp b/src/linux/perf.cpp
85
-
index ea823b3..170f54d 100644
147
+
index aa31982eb..8b5331b17 100644
88
-
@@ -125,7 +125,7 @@ private:
89
-
// NOTE: The watchdog process places perf in its own process group
150
+
@@ -127,7 +127,7 @@ private:
151
+
// NOTE: The supervisor childhook places perf in its own process group
// and will kill the perf process when the parent dies.
Try<Subprocess> _perf = subprocess(
···
command << " --event " << event;
diff --git a/src/linux/systemd.cpp b/src/linux/systemd.cpp
107
-
index 619aa27..c1cbfe4 100644
169
+
index 6318f48fc..394d88d47 100644
--- a/src/linux/systemd.cpp
+++ b/src/linux/systemd.cpp
110
-
@@ -196,12 +196,19 @@ bool exists()
172
+
@@ -196,13 +196,21 @@ bool exists()
// This is static as the init system should not change while we are running.
static const bool exists = []() -> bool {
// (1) Test whether `/sbin/init` links to systemd.
- const Result<string> realpath = os::realpath("/sbin/init");
- if (realpath.isError() || realpath.isNone()) {
- LOG(WARNING) << "Failed to test /sbin/init for systemd environment: "
117
-
- << realpath.error();
179
+
- << (realpath.isError() ? realpath.error()
180
+
- : "does not exist");
120
-
+ // cstrahan: first assume we're on NixOS, then try non-NixOS
183
+
+ // cstrahan(nixos): first assume we're on NixOS, then try non-NixOS
+ Result<string> realpath = os::realpath("/run/current-system/systemd/lib/systemd/systemd");
+ Result<string> realpathNixOS = realpath;
+ if (realpathNixOS.isError() || realpathNixOS.isNone()) {
+ Result<string> realpathNonNixOS = realpath = os::realpath("/sbin/init");
+ if (realpathNonNixOS.isError() || realpathNonNixOS.isNone()) {
+ LOG(WARNING) << "Failed to test /run/current-system/systemd/lib/systemd/systemd for systemd environment: "
127
-
+ << realpathNixOS.error();
190
+
+ << (realpathNixOS.isError() ? realpathNixOS.error()
191
+
+ : "does not exist");
+ LOG(WARNING) << "Failed to test /sbin/init for systemd environment: "
129
-
+ << realpathNonNixOS.error();
193
+
+ << (realpathNonNixOS.isError() ? realpathNonNixOS.error()
194
+
+ : "does not exist");
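Review bot: The chained assignment `Result<string> realpathNonNixOS = realpath = os::realpath("/sbin/init");` in the added block keeps three copies of the same `Result<string>` (`realpath`, `realpathNixOS`, `realpathNonNixOS`) and obscures that `realpath` is the value the rest of the lambda presumably goes on to inspect. A flatter shape reads better: `Result<string> realpath = os::realpath("/run/current-system/systemd/lib/systemd/systemd");` / `const Result<string> nixosAttempt = realpath;` / `if (realpath.isError() || realpath.isNone()) { realpath = os::realpath("/sbin/init"); … }` with the two `LOG(WARNING)` lines using `nixosAttempt` and `realpath`. Because both warnings fire only once both probes have failed, a short comment such as `// Both probes failed: report each so the log shows which paths were tried.` would make the double warning look intentional rather than accidental. The `exists` lambda continues outside the hunk.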
201
+
@@ -278,6 +286,10 @@ Path hierarchy()
203
+
Try<Nothing> daemonReload()
205
+
+ // cstrahan(nixos): should we patch these `systemctl`s?
206
+
+ // probably don't want to hard-code a particular systemd store path here,
207
+
+ // but if we use /run/current-system/sw/bin/systemctl,
208
+
+ // we won't be able to support non-NixOS distros.
209
+
Try<string> daemonReload = os::shell("systemctl daemon-reload");
210
+
if (daemonReload.isError()) {
211
+
return Error("Failed to reload systemd daemon: " + daemonReload.error());
diff --git a/src/python/cli/src/mesos/cli.py b/src/python/cli/src/mesos/cli.py
137
-
index f342992..354abf4 100644
213
+
index f342992e0..354abf443 100644
--- a/src/python/cli/src/mesos/cli.py
+++ b/src/python/cli/src/mesos/cli.py
@@ -40,7 +40,7 @@ def resolve(master):
···
225
+
diff --git a/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp b/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp
226
+
index af9f3736b..f8554d414 100644
227
+
--- a/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp
228
+
+++ b/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp
229
+
@@ -499,7 +499,7 @@ Future<Option<ContainerLaunchInfo>> DockerVolumeIsolatorProcess::_prepare(
230
+
// unsafe arbitrary commands).
231
+
CommandInfo* command = launchInfo.add_pre_exec_commands();
232
+
command->set_shell(false);
233
+
- command->set_value("mount");
234
+
+ command->set_value("@mount@");
235
+
command->add_arguments("mount");
236
+
command->add_arguments("-n");
237
+
command->add_arguments("--rbind");
238
+
diff --git a/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp b/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
239
+
index df16b8fee..4a17475bd 100644
240
+
--- a/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
241
+
+++ b/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp
242
+
@@ -159,9 +159,9 @@ Try<Isolator*> LinuxFilesystemIsolatorProcess::create(const Flags& flags)
243
+
// here because 'create' will only be invoked during
245
+
Try<string> mount = os::shell(
246
+
- "mount --bind %s %s && "
247
+
- "mount --make-private %s && "
248
+
- "mount --make-shared %s",
249
+
+ "@mount@ --bind %s %s && "
250
+
+ "@mount@ --make-private %s && "
251
+
+ "@mount@ --make-shared %s",
255
+
@@ -180,8 +180,8 @@ Try<Isolator*> LinuxFilesystemIsolatorProcess::create(const Flags& flags)
256
+
LOG(INFO) << "Making '" << workDir.get() << "' a shared mount";
258
+
Try<string> mount = os::shell(
259
+
- "mount --make-private %s && "
260
+
- "mount --make-shared %s",
261
+
+ "@mount@ --make-private %s && "
262
+
+ "@mount@ --make-shared %s",
266
+
@@ -404,7 +404,7 @@ Try<vector<CommandInfo>> LinuxFilesystemIsolatorProcess::getPreExecCommands(
268
+
CommandInfo command;
269
+
command.set_shell(false);
270
+
- command.set_value("mount");
271
+
+ command.set_value("@mount@");
272
+
command.add_arguments("mount");
273
+
command.add_arguments("-n");
274
+
command.add_arguments("--rbind");
275
+
@@ -569,7 +569,7 @@ Try<vector<CommandInfo>> LinuxFilesystemIsolatorProcess::getPreExecCommands(
276
+
// TODO(jieyu): Consider the mode in the volume.
277
+
CommandInfo command;
278
+
command.set_shell(false);
279
+
- command.set_value("mount");
280
+
+ command.set_value("@mount@");
281
+
command.add_arguments("mount");
282
+
command.add_arguments("-n");
283
+
command.add_arguments("--rbind");
diff --git a/src/slave/containerizer/mesos/isolators/filesystem/shared.cpp b/src/slave/containerizer/mesos/isolators/filesystem/shared.cpp
150
-
index 51d1518..783adb5 100644
285
+
index a1283e5ee..a918427bf 100644
--- a/src/slave/containerizer/mesos/isolators/filesystem/shared.cpp
+++ b/src/slave/containerizer/mesos/isolators/filesystem/shared.cpp
153
-
@@ -204,7 +204,7 @@ Future<Option<ContainerLaunchInfo>> SharedFilesystemIsolatorProcess::prepare(
288
+
@@ -207,7 +207,7 @@ Future<Option<ContainerLaunchInfo>> SharedFilesystemIsolatorProcess::prepare(
launchInfo.add_pre_exec_commands()->set_value(
···
297
+
diff --git a/src/slave/containerizer/mesos/isolators/gpu/isolator.cpp b/src/slave/containerizer/mesos/isolators/gpu/isolator.cpp
298
+
index e3756c920..cfe458b59 100644
299
+
--- a/src/slave/containerizer/mesos/isolators/gpu/isolator.cpp
300
+
+++ b/src/slave/containerizer/mesos/isolators/gpu/isolator.cpp
301
+
@@ -355,7 +355,7 @@ Future<Option<ContainerLaunchInfo>> NvidiaGpuIsolatorProcess::_prepare(
304
+
launchInfo.add_pre_exec_commands()->set_value(
305
+
- "mount --no-mtab --rbind --read-only " +
306
+
+ "@mount@ --no-mtab --rbind --read-only " +
307
+
volume.HOST_PATH() + " " + target);
310
+
diff --git a/src/slave/containerizer/mesos/isolators/gpu/volume.cpp b/src/slave/containerizer/mesos/isolators/gpu/volume.cpp
311
+
index 478752f37..ab527f0cd 100644
312
+
--- a/src/slave/containerizer/mesos/isolators/gpu/volume.cpp
313
+
+++ b/src/slave/containerizer/mesos/isolators/gpu/volume.cpp
314
+
@@ -281,7 +281,7 @@ Try<NvidiaVolume> NvidiaVolume::create()
315
+
string path = path::join(hostPath, "bin", binary);
317
+
if (!os::exists(path)) {
318
+
- string command = "which " + binary;
319
+
+ string command = "@which@ " + binary;
320
+
Try<string> which = os::shell(command);
322
+
if (which.isSome()) {
323
+
@@ -295,7 +295,7 @@ Try<NvidiaVolume> NvidiaVolume::create()
324
+
: "No such file or directory"));
327
+
- command = "cp " + realpath.get() + " " + path;
328
+
+ command = "@cp@ " + realpath.get() + " " + path;
329
+
Try<string> cp = os::shell(command);
330
+
if (cp.isError()) {
331
+
return Error("Failed to os::shell '" + command + "': " + cp.error());
332
+
@@ -367,7 +367,7 @@ Try<NvidiaVolume> NvidiaVolume::create()
333
+
Path(realpath.get()).basename());
335
+
if (!os::exists(libraryPath)) {
336
+
- string command = "cp " + realpath.get() + " " + libraryPath;
337
+
+ string command = "@cp@ " + realpath.get() + " " + libraryPath;
338
+
Try<string> cp = os::shell(command);
339
+
if (cp.isError()) {
340
+
return Error("Failed to os::shell '" + command + "':"
diff --git a/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp b/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp
163
-
index b41e266..e07c163 100644
342
+
index 0d9ec57d9..a177e4476 100644
--- a/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp
+++ b/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp
166
-
@@ -163,7 +163,7 @@ Future<Option<ContainerLaunchInfo>> NamespacesPidIsolatorProcess::prepare(
167
-
// containers cannot see the namespace bind mount of other
169
-
launchInfo.add_pre_exec_commands()->set_value(
170
-
- "mount -n --bind " + string(PID_NS_BIND_MOUNT_MASK_DIR) +
171
-
+ "@mount@ -n --bind " + string(PID_NS_BIND_MOUNT_MASK_DIR) +
172
-
" " + string(PID_NS_BIND_MOUNT_ROOT));
174
-
// Mount /proc for the container's pid namespace to show the
175
-
@@ -176,9 +176,9 @@ Future<Option<ContainerLaunchInfo>> NamespacesPidIsolatorProcess::prepare(
176
-
// -n flag so the mount is not added to the mtab where it will not
177
-
// be correctly removed with the namespace terminates.
178
-
launchInfo.add_pre_exec_commands()->set_value(
179
-
- "mount none /proc --make-private -o rec");
180
-
+ "@mount@ none /proc --make-private -o rec");
345
+
@@ -94,7 +94,7 @@ Future<Option<ContainerLaunchInfo>> NamespacesPidIsolatorProcess::prepare(
347
+
// TOOD(jieyu): Consider unmount the existing /proc.
launchInfo.add_pre_exec_commands()->set_value(
- "mount -n -t proc proc /proc -o nosuid,noexec,nodev");
+ "@mount@ -n -t proc proc /proc -o nosuid,noexec,nodev");
354
+
diff --git a/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp b/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp
355
+
index c87e6715a..6601cd1b3 100644
356
+
--- a/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp
357
+
+++ b/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp
358
+
@@ -262,9 +262,9 @@ Try<Isolator*> NetworkCniIsolatorProcess::create(const Flags& flags)
359
+
// here because 'create' will only be invoked during
361
+
Try<string> mount = os::shell(
362
+
- "mount --bind %s %s && "
363
+
- "mount --make-private %s && "
364
+
- "mount --make-shared %s",
365
+
+ "@mount@ --bind %s %s && "
366
+
+ "@mount@ --make-private %s && "
367
+
+ "@mount@ --make-shared %s",
371
+
@@ -284,8 +284,8 @@ Try<Isolator*> NetworkCniIsolatorProcess::create(const Flags& flags)
372
+
LOG(INFO) << "Making '" << rootDir.get() << "' a shared mount";
374
+
Try<string> mount = os::shell(
375
+
- "mount --make-private %s && "
376
+
- "mount --make-shared %s",
377
+
+ "@mount@ --make-private %s && "
378
+
+ "@mount@ --make-shared %s",
382
+
diff --git a/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp b/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp
383
+
index b470f0c82..6110a43ee 100644
384
+
--- a/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp
385
+
+++ b/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp
386
+
@@ -303,7 +303,7 @@ Try<Nothing> PortMapper::addPortMapping(
387
+
# Check if the `chain` exists in the iptable. If it does not
388
+
# exist go ahead and install the chain in the iptables NAT
390
+
- iptables -w -t nat --list %s
391
+
+ @iptables@ -w -t nat --list %s
392
+
if [ $? -ne 0 ]; then
393
+
# NOTE: When we create the chain, there is a possibility of a
394
+
# race due to which a container launch can fail. This can
395
+
@@ -317,25 +317,25 @@ Try<Nothing> PortMapper::addPortMapping(
396
+
# since it can happen only when the chain is created the first
397
+
# time and two commands for creation of the chain are executed
399
+
- (iptables -w -t nat -N %s || exit 1)
400
+
+ (@iptables@ -w -t nat -N %s || exit 1)
402
+
# Once the chain has been installed add a rule in the PREROUTING
403
+
# chain to jump to this chain for any packets that are
404
+
# destined to a local address.
405
+
- (iptables -w -t nat -A PREROUTING \
406
+
+ (@iptables@ -w -t nat -A PREROUTING \
407
+
-m addrtype --dst-type LOCAL -j %s || exit 1)
409
+
# For locally generated packets we need a rule in the OUTPUT
410
+
# chain as well, since locally generated packets directly hit
411
+
# the output CHAIN, bypassing PREROUTING.
412
+
- (iptables -w -t nat -A OUTPUT \
413
+
+ (@iptables@ -w -t nat -A OUTPUT \
414
+
! -d 127.0.0.0/8 -m addrtype \
415
+
--dst-type LOCAL -j %s || exit 1)
418
+
# Within the `chain` go ahead and install the DNAT rule, if it
420
+
- (iptables -w -t nat -C %s || iptables -t nat -A %s))~",
421
+
+ (@iptables@ -w -t nat -C %s || @iptables@ -t nat -A %s))~",
425
+
@@ -362,7 +362,7 @@ Try<Nothing> PortMapper::delPortMapping()
426
+
# The iptables command searches for the DNAT rules with tag
427
+
# "container_id: <CNI_CONTAINERID>", and if it exists goes ahead
429
+
- iptables -w -t nat -S %s | sed "/%s/ s/-A/iptables -w -t nat -D/e")~",
430
+
+ @iptables@ -w -t nat -S %s | sed "/%s/ s/-A/@iptables@ -w -t nat -D/e")~",
432
+
getIptablesRuleTag()).get();
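Review bot: The `@iptables@` placeholder embedded in the sed replacement on the added line, `s/-A/@iptables@ -w -t nat -D/e`, sits inside an `s` command delimited by `/`; if the placeholder expands to an absolute path, as its sibling uses on this page suggest, the slashes in that path end the replacement early and sed rejects the expression, so the DNAT rule is never deleted. Use a delimiter that the substituted value cannot contain, e.g. `s|-A|@iptables@ -w -t nat -D|e`, or escape the value before splicing it in. The `@iptables@` on the `-S %s |` side of the pipe is unaffected because it is not inside a sed expression. `delPortMapping` starts and ends outside the hunk.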
diff --git a/src/slave/containerizer/mesos/isolators/network/port_mapping.cpp b/src/slave/containerizer/mesos/isolators/network/port_mapping.cpp
188
-
index 79ee960..d55a353 100644
435
+
index 20fb6ab35..46c160977 100644
--- a/src/slave/containerizer/mesos/isolators/network/port_mapping.cpp
+++ b/src/slave/containerizer/mesos/isolators/network/port_mapping.cpp
191
-
@@ -1392,19 +1392,19 @@ Try<Isolator*> PortMappingIsolatorProcess::create(const Flags& flags)
438
+
@@ -1393,19 +1393,19 @@ Try<Isolator*> PortMappingIsolatorProcess::create(const Flags& flags)
// Check the availability of a few Linux commands that we will use.
// We use the blocking os::shell here because 'create' will only be
// invoked during initialization.
···
if (checkCommandIp.isError()) {
return Error("Check command 'ip' failed: " + checkCommandIp.error());
214
-
@@ -1924,9 +1924,9 @@ Try<Isolator*> PortMappingIsolatorProcess::create(const Flags& flags)
461
+
@@ -1925,9 +1925,9 @@ Try<Isolator*> PortMappingIsolatorProcess::create(const Flags& flags)
// visible. It's OK to use the blocking os::shell here because
// 'create' will only be invoked during initialization.
Try<string> mount = os::shell(
···
227
-
@@ -1943,8 +1943,8 @@ Try<Isolator*> PortMappingIsolatorProcess::create(const Flags& flags)
474
+
@@ -1944,8 +1944,8 @@ Try<Isolator*> PortMappingIsolatorProcess::create(const Flags& flags)
// shared mount yet (possibly due to slave crash while preparing
// the work directory mount). It's safe to re-do the following.
Try<string> mount = os::shell(
···
238
-
@@ -1963,8 +1963,8 @@ Try<Isolator*> PortMappingIsolatorProcess::create(const Flags& flags)
485
+
@@ -1964,8 +1964,8 @@ Try<Isolator*> PortMappingIsolatorProcess::create(const Flags& flags)
// so that they are in different peer groups.
if (entry.shared() == bindMountEntry->shared()) {
Try<string> mount = os::shell(
···
249
-
@@ -3916,13 +3916,13 @@ string PortMappingIsolatorProcess::scripts(Info* info)
496
+
@@ -3911,6 +3911,8 @@ Try<Nothing> PortMappingIsolatorProcess::removeHostIPFilters(
497
+
// TODO(jieyu): Use the Subcommand abstraction to remove most of the
498
+
// logic here. Completely remove this function once we can assume a
499
+
// newer kernel where 'setns' works for mount namespaces.
500
+
+// cstrahan(nixos): this is executed in the container,
501
+
+// so we don't want to substitute paths here.
502
+
string PortMappingIsolatorProcess::scripts(Info* info)
253
-
- script << "#!/bin/sh\n";
254
-
+ script << "#!@sh@\n";
255
-
script << "set -xe\n";
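Review bot: The comment added above `scripts()`, `// cstrahan(nixos): this is executed in the container, so we don't want to substitute paths here.`, is contradicted later in the same function, where the new side still emits `script << "@tc@ qdisc add dev " << eth0` (the old `@tC@` spelling is corrected rather than the substitution removed). If the intent is only to leave the shebang alone, narrow the comment, e.g. `// cstrahan(nixos): the shebang is resolved inside the container, so /bin/sh is left unsubstituted.`; if the intent covers the whole script, the remaining `@…@` placeholders in this function presumably need the same treatment. Most of `scripts()` is collapsed in this view, so only the `tc` line is verifiable here.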
505
+
@@ -3921,7 +3923,7 @@ string PortMappingIsolatorProcess::scripts(Info* info)
// Mark the mount point PORT_MAPPING_BIND_MOUNT_ROOT() as slave
// mount so that changes in the container will not be propagated to
···
// Disable IPv6 when IPv6 module is loaded as IPv6 packets won't be
265
-
@@ -3930,7 +3930,7 @@ string PortMappingIsolatorProcess::scripts(Info* info)
514
+
@@ -3929,7 +3931,7 @@ string PortMappingIsolatorProcess::scripts(Info* info)
<< " echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6\n";
// Configure lo and eth0.
···
<< " mtu " << hostEth0MTU << " up\n";
// NOTE: This is mostly a kernel issue: in veth_xmit() the kernel
274
-
@@ -3939,12 +3939,12 @@ string PortMappingIsolatorProcess::scripts(Info* info)
523
+
@@ -3938,12 +3940,12 @@ string PortMappingIsolatorProcess::scripts(Info* info)
// when we receive a packet with a bad checksum. Disabling rx
// checksum offloading ensures the TCP layer will checksum and drop
···
// Restrict the ephemeral ports that can be used by the container.
script << "echo " << info->ephemeralPorts.lower() << " "
291
-
@@ -3973,19 +3973,19 @@ string PortMappingIsolatorProcess::scripts(Info* info)
540
+
@@ -3972,19 +3974,19 @@ string PortMappingIsolatorProcess::scripts(Info* info)
// Set up filters on lo and eth0.
···
<< " prio " << Priority(IP_FILTER_PRIORITY, NORMAL).get() << " u32"
315
-
@@ -3996,7 +3996,7 @@ string PortMappingIsolatorProcess::scripts(Info* info)
564
+
@@ -3995,7 +3997,7 @@ string PortMappingIsolatorProcess::scripts(Info* info)
foreach (const PortRange& range,
getPortRanges(info->nonEphemeralPorts + info->ephemeralPorts)) {
// Local traffic inside a container will not be redirected to eth0.
···
<< " prio " << Priority(IP_FILTER_PRIORITY, HIGH).get() << " u32"
324
-
@@ -4005,7 +4005,7 @@ string PortMappingIsolatorProcess::scripts(Info* info)
573
+
@@ -4004,7 +4006,7 @@ string PortMappingIsolatorProcess::scripts(Info* info)
// Traffic going to host loopback IP and ports assigned to this
// container will be redirected to lo.
···
<< " prio " << Priority(IP_FILTER_PRIORITY, NORMAL).get() << " u32"
333
-
@@ -4017,14 +4017,14 @@ string PortMappingIsolatorProcess::scripts(Info* info)
582
+
@@ -4016,14 +4018,14 @@ string PortMappingIsolatorProcess::scripts(Info* info)
// Do not forward the ICMP packet if the destination IP is self.
···
<< " prio " << Priority(ICMP_FILTER_PRIORITY, NORMAL).get() << " u32"
350
-
@@ -4033,9 +4033,9 @@ string PortMappingIsolatorProcess::scripts(Info* info)
599
+
@@ -4032,9 +4034,9 @@ string PortMappingIsolatorProcess::scripts(Info* info)
<< net::IPNetwork::LOOPBACK_V4().address() << "\n";
// Display the filters created on eth0 and lo.
···
<< " parent " << ingress::HANDLE << "\n";
// If throughput limit for container egress traffic exists, use HTB
362
-
@@ -4047,9 +4047,9 @@ string PortMappingIsolatorProcess::scripts(Info* info)
611
+
@@ -4046,9 +4048,9 @@ string PortMappingIsolatorProcess::scripts(Info* info)
// throughput. TBF requires other parameters such as 'burst' that
// HTB already has default values for.
if (egressRateLimitPerContainer.isSome()) {
···
<< CONTAINER_TX_HTB_HANDLE << " classid "
<< CONTAINER_TX_HTB_CLASS_ID << " htb rate "
<< egressRateLimitPerContainer.get().bytes() * 8 << "bit\n";
374
-
@@ -4060,12 +4060,12 @@ string PortMappingIsolatorProcess::scripts(Info* info)
623
+
@@ -4059,12 +4061,12 @@ string PortMappingIsolatorProcess::scripts(Info* info)
// fq_codel, which has a larger buffer and better control on
// TODO(cwang): Verity that fq_codel qdisc is available.
- script << "tc qdisc add dev " << eth0
379
-
+ script << "@tC@ qdisc add dev " << eth0
628
+
+ script << "@tc@ qdisc add dev " << eth0
<< " parent " << CONTAINER_TX_HTB_CLASS_ID << " fq_codel\n";
// Display the htb qdisc and class created on eth0.
···
diff --git a/src/slave/containerizer/mesos/isolators/posix/disk.cpp b/src/slave/containerizer/mesos/isolators/posix/disk.cpp
391
-
index 3dfe7ad..4288666 100644
640
+
index db0583386..542586370 100644
--- a/src/slave/containerizer/mesos/isolators/posix/disk.cpp
+++ b/src/slave/containerizer/mesos/isolators/posix/disk.cpp
394
-
@@ -492,7 +492,7 @@ private:
395
-
// NOTE: The monitor watchdog will watch the parent process and kill
643
+
@@ -540,7 +540,7 @@ private:
644
+
// NOTE: The supervisor childhook will watch the parent process and kill
// the 'du' process in case that the parent die.
Try<Subprocess> s = subprocess(
···
Subprocess::PATH("/dev/null"),
652
+
diff --git a/src/slave/containerizer/mesos/isolators/volume/image.cpp b/src/slave/containerizer/mesos/isolators/volume/image.cpp
653
+
index 210e67ad0..60b3a15e4 100644
654
+
--- a/src/slave/containerizer/mesos/isolators/volume/image.cpp
655
+
+++ b/src/slave/containerizer/mesos/isolators/volume/image.cpp
656
+
@@ -214,7 +214,7 @@ Future<Option<ContainerLaunchInfo>> VolumeImageIsolatorProcess::_prepare(
658
+
CommandInfo* command = launchInfo.add_pre_exec_commands();
659
+
command->set_shell(false);
660
+
- command->set_value("mount");
661
+
+ command->set_value("@mount@");
662
+
command->add_arguments("mount");
663
+
command->add_arguments("-n");
664
+
command->add_arguments("--rbind");
665
+
diff --git a/src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp b/src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp
666
+
index 7b976d292..474dcd486 100644
667
+
--- a/src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp
668
+
+++ b/src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp
669
+
@@ -240,7 +240,7 @@ Future<Option<ContainerLaunchInfo>> VolumeSandboxPathIsolatorProcess::prepare(
671
+
CommandInfo* command = launchInfo.add_pre_exec_commands();
672
+
command->set_shell(false);
673
+
- command->set_value("mount");
674
+
+ command->set_value("@mount@");
675
+
command->add_arguments("mount");
676
+
command->add_arguments("-n");
677
+
command->add_arguments("--rbind");
diff --git a/src/slave/containerizer/mesos/provisioner/backends/copy.cpp b/src/slave/containerizer/mesos/provisioner/backends/copy.cpp
404
-
index b9f6d7a..0fcf455 100644
679
+
index 9c5354e5f..a73a9692e 100644
--- a/src/slave/containerizer/mesos/provisioner/backends/copy.cpp
+++ b/src/slave/containerizer/mesos/provisioner/backends/copy.cpp
407
-
@@ -141,7 +141,7 @@ Future<Nothing> CopyBackendProcess::_provision(
682
+
@@ -147,7 +147,7 @@ Future<Nothing> CopyBackendProcess::_provision(
#endif // __APPLE__ || __FreeBSD__
Try<Subprocess> s = subprocess(
···
Subprocess::PATH("/dev/null"),
Subprocess::PATH("/dev/null"),
691
+
@@ -180,7 +180,7 @@ Future<bool> CopyBackendProcess::destroy(const string& rootfs)
692
+
vector<string> argv{"rm", "-rf", rootfs};
694
+
Try<Subprocess> s = subprocess(
698
+
Subprocess::PATH("/dev/null"),
699
+
Subprocess::FD(STDOUT_FILENO),
diff --git a/src/uri/fetchers/copy.cpp b/src/uri/fetchers/copy.cpp
417
-
index f095ad6..ee0c2a7 100644
701
+
index 2cfef5ab0..8a62f7699 100644
--- a/src/uri/fetchers/copy.cpp
+++ b/src/uri/fetchers/copy.cpp
420
-
@@ -88,7 +88,7 @@ Future<Nothing> CopyFetcherPlugin::fetch(
704
+
@@ -97,7 +97,7 @@ Future<Nothing> CopyFetcherPlugin::fetch(
const vector<string> argv = {"cp", "-a", uri.path(), directory};
Try<Subprocess> s = subprocess(
···
Subprocess::PATH("/dev/null"),
diff --git a/src/uri/fetchers/curl.cpp b/src/uri/fetchers/curl.cpp
430
-
index cc3f9ee..691d2d9 100644
714
+
index 7b746d619..12bbb04df 100644
--- a/src/uri/fetchers/curl.cpp
+++ b/src/uri/fetchers/curl.cpp
433
-
@@ -98,7 +98,7 @@ Future<Nothing> CurlFetcherPlugin::fetch(
717
+
@@ -107,7 +107,7 @@ Future<Nothing> CurlFetcherPlugin::fetch(
Try<Subprocess> s = subprocess(
···
Subprocess::PATH("/dev/null"),
diff --git a/src/uri/fetchers/docker.cpp b/src/uri/fetchers/docker.cpp
443
-
index 211be6f..d7e3771 100644
727
+
index 3f38dddfb..fd991ee74 100644
--- a/src/uri/fetchers/docker.cpp
+++ b/src/uri/fetchers/docker.cpp
446
-
@@ -113,7 +113,7 @@ static Future<http::Response> curl(
730
+
@@ -114,7 +114,7 @@ static Future<http::Response> curl(
// TODO(jieyu): Kill the process if discard is called.
Try<Subprocess> s = subprocess(
···
Subprocess::PATH("/dev/null"),
455
-
@@ -212,7 +212,7 @@ static Future<int> download(
739
+
@@ -213,7 +213,7 @@ static Future<int> download(
// TODO(jieyu): Kill the process if discard is called.
Try<Subprocess> s = subprocess(