diff --git a/3rdparty/stout/include/stout/os/posix/chown.hpp b/3rdparty/stout/include/stout/os/posix/chown.hpp index c82e2e574..15d332107 100644 --- a/3rdparty/stout/include/stout/os/posix/chown.hpp +++ b/3rdparty/stout/include/stout/os/posix/chown.hpp @@ -34,7 +34,7 @@ inline Try chown( // TODO(bmahler): Consider walking the file tree instead. We would need // to be careful to not miss dotfiles. std::string command = - "chown -R " + stringify(uid) + ':' + stringify(gid) + " '" + path + "'"; + "@chown@ -R " + stringify(uid) + ':' + stringify(gid) + " '" + path + "'"; int status = os::system(command); if (status != 0) { diff --git a/3rdparty/stout/include/stout/os/posix/fork.hpp b/3rdparty/stout/include/stout/os/posix/fork.hpp index a29967dcb..290b98b50 100644 --- a/3rdparty/stout/include/stout/os/posix/fork.hpp +++ b/3rdparty/stout/include/stout/os/posix/fork.hpp @@ -369,7 +369,7 @@ private: if (exec.isSome()) { // Execute the command (via '/bin/sh -c command'). const char* command = exec.get().command.c_str(); - execlp("sh", "sh", "-c", command, (char*) nullptr); + execlp("@sh@", "sh", "-c", command, (char*) nullptr); EXIT(EXIT_FAILURE) << "Failed to execute '" << command << "': " << os::strerror(errno); } else if (wait.isSome()) { diff --git a/3rdparty/stout/include/stout/posix/os.hpp b/3rdparty/stout/include/stout/posix/os.hpp index c37e64db6..d3d87b7f0 100644 --- a/3rdparty/stout/include/stout/posix/os.hpp +++ b/3rdparty/stout/include/stout/posix/os.hpp @@ -375,7 +375,7 @@ inline Option getenv(const std::string& key) inline Try tar(const std::string& path, const std::string& archive) { Try tarOut = - os::shell("tar %s %s %s", "-czf", archive.c_str(), path.c_str()); + os::shell("@tar@ %s %s %s", "-czf", archive.c_str(), path.c_str()); if (tarOut.isError()) { return Error("Failed to archive " + path + ": " + tarOut.error()); diff --git a/src/Makefile.am b/src/Makefile.am index 3bcc0f2df..e5cbc57e8 100644 --- a/src/Makefile.am +++ b/src/Makefile.am 
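Review bot: The single-quoted `path` on the new `@chown@` line still escapes the quotes if the path itself contains a `'`, so a crafted directory name reaches `os::system` as shell syntax; pinning the binary does not address that. Either escape embedded quotes before concatenation (replace each `'` with `'\''`) or, as the TODO just above already suggests, walk the tree and call `chown(2)`/`lchown(2)` directly so no shell is involved at all. The enclosing `chown()` starts before and ends after this hunk.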
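Review bot: With an absolute store path as its first argument `execlp` performs no PATH search, so the `p` variant no longer buys anything and slightly obscures the intent of the change; `execl("@sh@", "sh", "-c", command, (char*) nullptr);` states explicitly that the interpreter is pinned. Keeping `argv[0]` as plain `sh` is correct for scripts that inspect `$0`. The surrounding method starts and ends outside this hunk.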
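Review bot: `archive` and `path` are interpolated into the `@tar@ %s %s %s` format with no quoting, so a path containing whitespace or shell metacharacters is parsed as extra shell syntax by `os::shell`; substituting the binary leaves that unchanged. `command_utils.cpp` elsewhere in this same diff already runs tar through `launch("@tar@", argv)` with an argv vector, which is the safer shape to adopt here as well. `tar()` continues past the hunk.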
@@ -1545,7 +1545,7 @@ if HAS_JAVA $(MESOS_JAR): $(MESOS_JAR_SOURCE) $(MESOS_JAR_GENERATED) java/mesos.pom @echo "Building mesos-$(PACKAGE_VERSION).jar ..." - @cd $(abs_top_builddir)/src/java && $(MVN) -B -f mesos.pom clean package + @cd $(abs_top_builddir)/src/java && $(MVN) -B -f mesos.pom -Dmaven.repo.local=@mavenRepo@ clean package # Convenience library for JNI bindings. # TODO(Charles Reiss): We really should be building the Java library diff --git a/src/cli/mesos-scp b/src/cli/mesos-scp index a71ab0708..1043d1b3c 100755 --- a/src/cli/mesos-scp +++ b/src/cli/mesos-scp @@ -19,7 +19,8 @@ if sys.version_info < (2,6,0): def scp(host, src, dst): - cmd = 'scp -pr %s %s' % (src, host + ':' + dst) + cmd = '@scp@ -pr %s %s' % (src, host + ':' + dst) + try: process = subprocess.Popen( cmd, diff --git a/src/common/command_utils.cpp b/src/common/command_utils.cpp index 09e805140..90bf65896 100644 --- a/src/common/command_utils.cpp +++ b/src/common/command_utils.cpp @@ -140,7 +140,7 @@ Future tar( argv.emplace_back(input); - return launch("tar", argv) + return launch("@tar@", argv) .then([]() { return Nothing(); }); } @@ -162,7 +162,7 @@ Future untar( argv.emplace_back(directory.get()); } - return launch("tar", argv) + return launch("@tar@", argv) .then([]() { return Nothing(); }); } @@ -170,7 +170,7 @@ Future untar( Future sha512(const Path& input) { #ifdef __linux__ - const string cmd = "sha512sum"; + const string cmd = "@sha512sum@"; vector argv = { cmd, input // Input file to compute shasum. @@ -206,7 +206,7 @@ Future gzip(const Path& input) input }; - return launch("gzip", argv) + return launch("@gzip@", argv) .then([]() { return Nothing(); }); } @@ -219,7 +219,7 @@ Future decompress(const Path& input) input }; - return launch("gzip", argv) + return launch("@gzip@", argv) .then([]() { return Nothing(); }); } diff --git a/src/launcher/fetcher.cpp b/src/launcher/fetcher.cpp index 4456c2813..e22c8fc03 100644 --- a/src/launcher/fetcher.cpp +++ b/src/launcher/fetcher.cpp 
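Review bot: Pointing Maven at `@mavenRepo@` pins where artifacts are read from, but without `--offline` Maven may still resolve anything missing from that repo over the network, which undermines the hermetic build the substitution is presumably after. If the prefetched repo is meant to be complete, `$(MVN) -B -o -f mesos.pom -Dmaven.repo.local=@mavenRepo@ clean package` makes a missing artifact a hard failure instead of a silent download. A substituted path containing spaces would also need quoting on this line.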
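Review bot: `cmd` is still one string formatted from `src`, `host` and `dst`, so if the `subprocess.Popen` call that continues past the hunk runs with `shell=True`, any of those arguments can inject shell syntax; only the binary name changed here. Build an argument list instead, `cmd = ['@scp@', '-pr', src, host + ':' + dst]`, and drop the stray blank line the hunk adds before `try:`. The `scp()` body ends outside the hunk.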
@@ -68,13 +68,13 @@ static Try extract( strings::endsWith(sourcePath, ".tar.bz2") || strings::endsWith(sourcePath, ".txz") || strings::endsWith(sourcePath, ".tar.xz")) { - command = "tar -C '" + destinationDirectory + "' -xf"; + command = "@tar@ -C '" + destinationDirectory + "' -xf"; } else if (strings::endsWith(sourcePath, ".gz")) { string pathWithoutExtension = sourcePath.substr(0, sourcePath.length() - 3); string filename = Path(pathWithoutExtension).basename(); - command = "gzip -dc > '" + destinationDirectory + "/" + filename + "' <"; + command = "@gzip@ -dc > '" + destinationDirectory + "/" + filename + "' <"; } else if (strings::endsWith(sourcePath, ".zip")) { - command = "unzip -o -d '" + destinationDirectory + "'"; + command = "@unzip@ -o -d '" + destinationDirectory + "'"; } else { return false; } @@ -162,7 +162,7 @@ static Try copyFile( const string& sourcePath, const string& destinationPath) { - const string command = "cp '" + sourcePath + "' '" + destinationPath + "'"; + const string command = "@cp@ '" + sourcePath + "' '" + destinationPath + "'"; LOG(INFO) << "Copying resource with command:" << command; diff --git a/src/linux/perf.cpp b/src/linux/perf.cpp index aa31982eb..8b5331b17 100644 --- a/src/linux/perf.cpp +++ b/src/linux/perf.cpp @@ -127,7 +127,7 @@ private: // NOTE: The supervisor childhook places perf in its own process group // and will kill the perf process when the parent dies. Try _perf = subprocess( - "perf", + "@perf@", argv, Subprocess::PIPE(), Subprocess::PIPE(), @@ -319,7 +319,7 @@ bool valid(const set& events) ostringstream command; // Log everything to stderr which is then redirected to /dev/null. - command << "perf stat --log-fd 2"; + command << "@perf@ stat --log-fd 2"; foreach (const string& event, events) { command << " --event " << event; } diff --git a/src/linux/systemd.cpp b/src/linux/systemd.cpp index 6318f48fc..394d88d47 100644 --- a/src/linux/systemd.cpp +++ b/src/linux/systemd.cpp 
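Review bot: The three new command strings still splice `destinationDirectory` (and the derived `filename`) into a shell command protected only by single quotes, so a `'` in either value breaks out of the quoting; pinning `@tar@`/`@gzip@`/`@unzip@` does not change that. Because these archives come from fetched URIs, extraction also inherits whatever the substituted tar and unzip do with absolute or `..` member names and symlinks, which is worth confirming for the pinned versions rather than assumed. An argv-based `subprocess(...)`, as `command_utils.cpp` uses elsewhere in this diff, would remove the quoting problem entirely. `extract()` continues outside the hunk.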
@@ -196,13 +196,21 @@ bool exists() // This is static as the init system should not change while we are running. static const bool exists = []() -> bool { // (1) Test whether `/sbin/init` links to systemd. - const Result realpath = os::realpath("/sbin/init"); - if (realpath.isError() || realpath.isNone()) { - LOG(WARNING) << "Failed to test /sbin/init for systemd environment: " - << (realpath.isError() ? realpath.error() - : "does not exist"); - - return false; + // cstrahan(nixos): first assume we're on NixOS, then try non-NixOS + Result realpath = os::realpath("/run/current-system/systemd/lib/systemd/systemd"); + Result realpathNixOS = realpath; + if (realpathNixOS.isError() || realpathNixOS.isNone()) { + Result realpathNonNixOS = realpath = os::realpath("/sbin/init"); + if (realpathNonNixOS.isError() || realpathNonNixOS.isNone()) { + LOG(WARNING) << "Failed to test /run/current-system/systemd/lib/systemd/systemd for systemd environment: " + << (realpathNixOS.isError() ? realpathNixOS.error() + : "does not exist"); + LOG(WARNING) << "Failed to test /sbin/init for systemd environment: " + << (realpathNonNixOS.isError() ? realpathNonNixOS.error() + : "does not exist"); + + return false; + } } CHECK_SOME(realpath); @@ -278,6 +286,10 @@ Path hierarchy() Try daemonReload() { + // cstrahan(nixos): should we patch these `systemctl`s? + // probably don't want to hard-code a particular systemd store path here, + // but if we use /run/current-system/sw/bin/systemctl, + // we won't be able to support non-NixOS distros. Try daemonReload = os::shell("systemctl daemon-reload"); if (daemonReload.isError()) { return Error("Failed to reload systemd daemon: " + daemonReload.error()); diff --git a/src/python/cli/src/mesos/cli.py b/src/python/cli/src/mesos/cli.py index f342992e0..354abf443 100644 --- a/src/python/cli/src/mesos/cli.py +++ b/src/python/cli/src/mesos/cli.py 
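Review bot: Resolving `/run/current-system/systemd/lib/systemd/systemd` only proves that a NixOS system profile is present, not that systemd is the running init, so `exists()` now answers true inside a NixOS-derived chroot or container whose PID 1 is something else; the old `/sbin/init` test at least looked at the init link. A distro-independent check is `os::realpath("/proc/1/exe")` (or `os::exists("/run/systemd/system")`), tried before either hard-coded path. Minor: on a successful NixOS lookup `realpathNixOS` is only ever used for logging and could be dropped. The lambda continues past the hunk.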
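Review bot: The new comment leaves `systemctl` resolved through the agent's PATH via `os::shell`, which on a root-running agent is exactly the PATH-hijack exposure the rest of this patch removes for `mount`, `tc` and friends. The fallback pattern `exists()` uses above answers the comment's own question: `const std::string systemctl = os::exists("/run/current-system/sw/bin/systemctl") ? "/run/current-system/sw/bin/systemctl" : "systemctl";` keeps non-NixOS distros working while pinning the NixOS case. At minimum the comment should state that the PATH lookup is deliberate. `daemonReload()` ends outside the hunk.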
@@ -40,7 +40,7 @@ def resolve(master): import subprocess process = subprocess.Popen( - ['mesos-resolve', master], + ['@mesos-resolve@', master], stdin=None, stdout=subprocess.PIPE, stderr=subprocess.PIPE, diff --git a/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp b/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp index af9f3736b..f8554d414 100644 --- a/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp +++ b/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp @@ -499,7 +499,7 @@ Future> DockerVolumeIsolatorProcess::_prepare( // unsafe arbitrary commands). CommandInfo* command = launchInfo.add_pre_exec_commands(); command->set_shell(false); - command->set_value("mount"); + command->set_value("@mount@"); command->add_arguments("mount"); command->add_arguments("-n"); command->add_arguments("--rbind"); diff --git a/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp b/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp index df16b8fee..4a17475bd 100644 --- a/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp +++ b/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp @@ -159,9 +159,9 @@ Try LinuxFilesystemIsolatorProcess::create(const Flags& flags) // here because 'create' will only be invoked during // initialization. Try mount = os::shell( - "mount --bind %s %s && " - "mount --make-private %s && " - "mount --make-shared %s", + "@mount@ --bind %s %s && " + "@mount@ --make-private %s && " + "@mount@ --make-shared %s", workDir->c_str(), workDir->c_str(), workDir->c_str(), @@ -180,8 +180,8 @@ Try LinuxFilesystemIsolatorProcess::create(const Flags& flags) LOG(INFO) << "Making '" << workDir.get() << "' a shared mount"; Try mount = os::shell( - "mount --make-private %s && " - "mount --make-shared %s", + "@mount@ --make-private %s && " + "@mount@ --make-shared %s", workDir->c_str(), workDir->c_str()); 
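Review bot: `workDir` is interpolated unquoted into the `@mount@ --bind %s %s && ...` shell strings in both hunks, so a work directory containing whitespace or shell metacharacters yields a different command than intended; the binary substitution does not change this. Since `work_dir` is an operator flag the exposure is limited, but an argv-based `subprocess(...)` as used elsewhere in this diff, or a startup check that `workDir` contains no whitespace or quotes, would make the failure mode explicit rather than a confusing mount error. `create()` continues outside the hunk.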
@@ -404,7 +404,7 @@ Try> LinuxFilesystemIsolatorProcess::getPreExecCommands( CommandInfo command; command.set_shell(false); - command.set_value("mount"); + command.set_value("@mount@"); command.add_arguments("mount"); command.add_arguments("-n"); command.add_arguments("--rbind"); @@ -569,7 +569,7 @@ Try> LinuxFilesystemIsolatorProcess::getPreExecCommands( // TODO(jieyu): Consider the mode in the volume. CommandInfo command; command.set_shell(false); - command.set_value("mount"); + command.set_value("@mount@"); command.add_arguments("mount"); command.add_arguments("-n"); command.add_arguments("--rbind"); diff --git a/src/slave/containerizer/mesos/isolators/filesystem/shared.cpp b/src/slave/containerizer/mesos/isolators/filesystem/shared.cpp index a1283e5ee..a918427bf 100644 --- a/src/slave/containerizer/mesos/isolators/filesystem/shared.cpp +++ b/src/slave/containerizer/mesos/isolators/filesystem/shared.cpp @@ -207,7 +207,7 @@ Future> SharedFilesystemIsolatorProcess::prepare( } launchInfo.add_pre_exec_commands()->set_value( - "mount -n --bind " + hostPath + " " + volume.container_path()); + "@mount@ -n --bind " + hostPath + " " + volume.container_path()); } return launchInfo; diff --git a/src/slave/containerizer/mesos/isolators/gpu/isolator.cpp b/src/slave/containerizer/mesos/isolators/gpu/isolator.cpp index e3756c920..cfe458b59 100644 --- a/src/slave/containerizer/mesos/isolators/gpu/isolator.cpp +++ b/src/slave/containerizer/mesos/isolators/gpu/isolator.cpp @@ -355,7 +355,7 @@ Future> NvidiaGpuIsolatorProcess::_prepare( } launchInfo.add_pre_exec_commands()->set_value( - "mount --no-mtab --rbind --read-only " + + "@mount@ --no-mtab --rbind --read-only " + volume.HOST_PATH() + " " + target); } diff --git a/src/slave/containerizer/mesos/isolators/gpu/volume.cpp b/src/slave/containerizer/mesos/isolators/gpu/volume.cpp index 478752f37..ab527f0cd 100644 --- a/src/slave/containerizer/mesos/isolators/gpu/volume.cpp 
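Review bot: This pre-exec command is still a shell string with `hostPath` and `volume.container_path()` spliced in unquoted and, unlike the linux.cpp hunks in this same diff, it never calls `set_shell(false)`, so if `container_path` is framework-supplied a value carrying shell metacharacters is executed by the root-running launcher. Switch to the argv form the sibling isolators use: `set_shell(false)`, `set_value("@mount@")`, then one `add_arguments(...)` per token (`mount`, `-n`, `--bind`, `hostPath`, `volume.container_path()`). `prepare()` starts and ends outside the hunk.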
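Review bot: Same shape as the shared-filesystem isolator: `volume.HOST_PATH()` and `target` go into a shell string with no `set_shell(false)` and no quoting, so any whitespace or metacharacter in the computed `target` (derived from the container rootfs path, as far as the hunk shows) changes the command that runs. The image and sandbox_path isolators in this diff show the argv form; `--no-mtab`, `--rbind` and `--read-only` map onto `add_arguments` the same way. `_prepare()` continues past the hunk.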
+++ b/src/slave/containerizer/mesos/isolators/gpu/volume.cpp @@ -281,7 +281,7 @@ Try NvidiaVolume::create() string path = path::join(hostPath, "bin", binary); if (!os::exists(path)) { - string command = "which " + binary; + string command = "@which@ " + binary; Try which = os::shell(command); if (which.isSome()) { @@ -295,7 +295,7 @@ Try NvidiaVolume::create() : "No such file or directory")); } - command = "cp " + realpath.get() + " " + path; + command = "@cp@ " + realpath.get() + " " + path; Try cp = os::shell(command); if (cp.isError()) { return Error("Failed to os::shell '" + command + "': " + cp.error()); @@ -367,7 +367,7 @@ Try NvidiaVolume::create() Path(realpath.get()).basename()); if (!os::exists(libraryPath)) { - string command = "cp " + realpath.get() + " " + libraryPath; + string command = "@cp@ " + realpath.get() + " " + libraryPath; Try cp = os::shell(command); if (cp.isError()) { return Error("Failed to os::shell '" + command + "':" diff --git a/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp b/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp index 0d9ec57d9..a177e4476 100644 --- a/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp +++ b/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp @@ -94,7 +94,7 @@ Future> NamespacesPidIsolatorProcess::prepare( // // TOOD(jieyu): Consider unmount the existing /proc. launchInfo.add_pre_exec_commands()->set_value( - "mount -n -t proc proc /proc -o nosuid,noexec,nodev"); + "@mount@ -n -t proc proc /proc -o nosuid,noexec,nodev"); return launchInfo; } diff --git a/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp b/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp index c87e6715a..6601cd1b3 100644 --- a/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp +++ b/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp 
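Review bot: Pinning `@which@` does not pin what it finds: the NVIDIA binaries copied into the volume are still whatever `which` locates on the agent's PATH, and the subsequent `@cp@ <realpath> <path>` shell strings take that result unquoted. If hermetic tooling is the goal, resolving the binaries from a configured directory and copying with an argv-based `subprocess` (or a non-shell copy) would remove both the PATH dependence and the shell; otherwise a comment saying the PATH lookup here is intentional would stop the next reader from "fixing" it. `NvidiaVolume::create()` starts and ends outside the hunk.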
@@ -262,9 +262,9 @@ Try NetworkCniIsolatorProcess::create(const Flags& flags) // here because 'create' will only be invoked during // initialization. Try mount = os::shell( - "mount --bind %s %s && " - "mount --make-private %s && " - "mount --make-shared %s", + "@mount@ --bind %s %s && " + "@mount@ --make-private %s && " + "@mount@ --make-shared %s", rootDir->c_str(), rootDir->c_str(), rootDir->c_str(), @@ -284,8 +284,8 @@ Try NetworkCniIsolatorProcess::create(const Flags& flags) LOG(INFO) << "Making '" << rootDir.get() << "' a shared mount"; Try mount = os::shell( - "mount --make-private %s && " - "mount --make-shared %s", + "@mount@ --make-private %s && " + "@mount@ --make-shared %s", rootDir->c_str(), rootDir->c_str()); diff --git a/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp b/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp index b470f0c82..6110a43ee 100644 --- a/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp +++ b/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp @@ -303,7 +303,7 @@ Try PortMapper::addPortMapping( # Check if the `chain` exists in the iptable. If it does not # exist go ahead and install the chain in the iptables NAT # table. - iptables -w -t nat --list %s + @iptables@ -w -t nat --list %s if [ $? -ne 0 ]; then # NOTE: When we create the chain, there is a possibility of a # race due to which a container launch can fail. This can 
@@ -317,25 +317,25 @@ Try PortMapper::addPortMapping( # since it can happen only when the chain is created the first # time and two commands for creation of the chain are executed # simultaneously. - (iptables -w -t nat -N %s || exit 1) + (@iptables@ -w -t nat -N %s || exit 1) # Once the chain has been installed add a rule in the PREROUTING # chain to jump to this chain for any packets that are # destined to a local address. - (iptables -w -t nat -A PREROUTING \ + (@iptables@ -w -t nat -A PREROUTING \ -m addrtype --dst-type LOCAL -j %s || exit 1) # For locally generated packets we need a rule in the OUTPUT # chain as well, since locally generated packets directly hit # the output CHAIN, bypassing PREROUTING. - (iptables -w -t nat -A OUTPUT \ + (@iptables@ -w -t nat -A OUTPUT \ ! -d 127.0.0.0/8 -m addrtype \ --dst-type LOCAL -j %s || exit 1) fi # Within the `chain` go ahead and install the DNAT rule, if it # does not exist. - (iptables -w -t nat -C %s || iptables -t nat -A %s))~", + (@iptables@ -w -t nat -C %s || @iptables@ -t nat -A %s))~", chain, chain, chain, @@ -362,7 +362,7 @@ Try PortMapper::delPortMapping() # The iptables command searches for the DNAT rules with tag # "container_id: ", and if it exists goes ahead # and deletes it. - iptables -w -t nat -S %s | sed "/%s/ s/-A/iptables -w -t nat -D/e")~", + @iptables@ -w -t nat -S %s | sed "/%s/ s/-A/@iptables@ -w -t nat -D/e")~", chain, getIptablesRuleTag()).get(); diff --git a/src/slave/containerizer/mesos/isolators/network/port_mapping.cpp b/src/slave/containerizer/mesos/isolators/network/port_mapping.cpp index 20fb6ab35..46c160977 100644 --- a/src/slave/containerizer/mesos/isolators/network/port_mapping.cpp +++ b/src/slave/containerizer/mesos/isolators/network/port_mapping.cpp 
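Review bot: The final `@iptables@ -t nat -A %s` on the rule-install line is the only iptables call in this script without `-w`, so under the concurrent launches the comment above warns about it can fail with the xtables lock held elsewhere; this predates the patch but is a one-token fix while touching the line: `(@iptables@ -w -t nat -C %s || @iptables@ -w -t nat -A %s))~",`. The `chain` and rule text are interpolated via `%s` into a shell script, so they should be validated as plain chain/rule tokens before they reach `sh`. The raw string begins before this hunk.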
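Review bot: Substituting `@iptables@` inside `s/-A/@iptables@ -w -t nat -D/e` breaks the sed expression once the placeholder becomes a store path, because `/nix/store/...` contains the `/` used as the `s` delimiter; sed will read `s/-A//` and treat the rest as unknown flags, so `delPortMapping()` stops removing rules. Use a delimiter that cannot appear in a path, `sed "/%s/ s|-A|@iptables@ -w -t nat -D|e"`. Separately, the `e` flag runs every matching `-S` line through a shell, which is only safe while the tag from `getIptablesRuleTag()` is a fixed-format id and rule bodies cannot carry metacharacters; feeding the generated lines to `@iptables@` explicitly instead of letting sed spawn shells would be easier to audit. `delPortMapping()` ends outside the hunk.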
@@ -1393,19 +1393,19 @@ Try PortMappingIsolatorProcess::create(const Flags& flags) // Check the availability of a few Linux commands that we will use. // We use the blocking os::shell here because 'create' will only be // invoked during initialization. - Try checkCommandTc = os::shell("tc filter show"); + Try checkCommandTc = os::shell("@tc@ filter show"); if (checkCommandTc.isError()) { return Error("Check command 'tc' failed: " + checkCommandTc.error()); } // NOTE: loopback device always exists. - Try checkCommandEthtool = os::shell("ethtool -k lo"); + Try checkCommandEthtool = os::shell("@ethtool@ -k lo"); if (checkCommandEthtool.isError()) { return Error("Check command 'ethtool' failed: " + checkCommandEthtool.error()); } - Try checkCommandIp = os::shell("ip link show"); + Try checkCommandIp = os::shell("@ip@ link show"); if (checkCommandIp.isError()) { return Error("Check command 'ip' failed: " + checkCommandIp.error()); } @@ -1925,9 +1925,9 @@ Try PortMappingIsolatorProcess::create(const Flags& flags) // visible. It's OK to use the blocking os::shell here because // 'create' will only be invoked during initialization. Try mount = os::shell( - "mount --bind %s %s && " - "mount --make-slave %s && " - "mount --make-shared %s", + "@mount@ --bind %s %s && " + "@mount@ --make-slave %s && " + "@mount@ --make-shared %s", bindMountRoot->c_str(), bindMountRoot->c_str(), bindMountRoot->c_str(), @@ -1944,8 +1944,8 @@ Try PortMappingIsolatorProcess::create(const Flags& flags) // shared mount yet (possibly due to slave crash while preparing // the work directory mount). It's safe to re-do the following. Try mount = os::shell( - "mount --make-slave %s && " - "mount --make-shared %s", + "@mount@ --make-slave %s && " + "@mount@ --make-shared %s", bindMountRoot->c_str(), bindMountRoot->c_str()); 
@@ -1964,8 +1964,8 @@ Try PortMappingIsolatorProcess::create(const Flags& flags) // so that they are in different peer groups. if (entry.shared() == bindMountEntry->shared()) { Try mount = os::shell( - "mount --make-slave %s && " - "mount --make-shared %s", + "@mount@ --make-slave %s && " + "@mount@ --make-shared %s", bindMountRoot->c_str(), bindMountRoot->c_str()); @@ -3911,6 +3911,8 @@ Try PortMappingIsolatorProcess::removeHostIPFilters( // TODO(jieyu): Use the Subcommand abstraction to remove most of the // logic here. Completely remove this function once we can assume a // newer kernel where 'setns' works for mount namespaces. +// cstrahan(nixos): this is executed in the container, +// so we don't want to substitute paths here. string PortMappingIsolatorProcess::scripts(Info* info) { ostringstream script; @@ -3921,7 +3923,7 @@ string PortMappingIsolatorProcess::scripts(Info* info) // Mark the mount point PORT_MAPPING_BIND_MOUNT_ROOT() as slave // mount so that changes in the container will not be propagated to // the host. - script << "mount --make-rslave " << bindMountRoot << "\n"; + script << "@mount@ --make-rslave " << bindMountRoot << "\n"; // Disable IPv6 when IPv6 module is loaded as IPv6 packets won't be // forwarded anyway. @@ -3929,7 +3931,7 @@ string PortMappingIsolatorProcess::scripts(Info* info) << " echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6\n"; // Configure lo and eth0. - script << "ip link set " << lo << " address " << hostMAC + script << "@ip@ link set " << lo << " address " << hostMAC << " mtu " << hostEth0MTU << " up\n"; // NOTE: This is mostly a kernel issue: in veth_xmit() the kernel 
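Review bot: The new comment says this script runs inside the container and therefore its paths should not be substituted, yet every `mount`, `ip`, `ethtool` and `tc` invocation in `scripts()` below is substituted with `@mount@`, `@ip@`, `@ethtool@` and `@tc@` in this same diff, so the comment and the code disagree. If the substitution is intended (the script runs in the container's namespaces but, as far as these hunks show, against a mount tree where the store paths resolve), rewrite the comment to say so, e.g. `// cstrahan(nixos): this script runs inside the container's namespaces; the substituted store paths must be visible there.`; if it is not intended, the substitutions in this function should be reverted. `scripts()` continues well past this hunk.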
@@ -3938,12 +3940,12 @@ string PortMappingIsolatorProcess::scripts(Info* info) // when we receive a packet with a bad checksum. Disabling rx // checksum offloading ensures the TCP layer will checksum and drop // it. - script << "ethtool -K " << eth0 << " rx off\n"; - script << "ip link set " << eth0 << " address " << hostMAC << " up\n"; - script << "ip addr add " << hostIPNetwork << " dev " << eth0 << "\n"; + script << "@ethtool@ -K " << eth0 << " rx off\n"; + script << "@ip@ link set " << eth0 << " address " << hostMAC << " up\n"; + script << "@ip@ addr add " << hostIPNetwork << " dev " << eth0 << "\n"; // Set up the default gateway to match that of eth0. - script << "ip route add default via " << hostDefaultGateway << "\n"; + script << "@ip@ route add default via " << hostDefaultGateway << "\n"; // Restrict the ephemeral ports that can be used by the container. script << "echo " << info->ephemeralPorts.lower() << " " 
@@ -3972,19 +3974,19 @@ string PortMappingIsolatorProcess::scripts(Info* info) } // Set up filters on lo and eth0. - script << "tc qdisc add dev " << lo << " ingress\n"; - script << "tc qdisc add dev " << eth0 << " ingress\n"; + script << "@tc@ qdisc add dev " << lo << " ingress\n"; + script << "@tc@ qdisc add dev " << eth0 << " ingress\n"; // Allow talking between containers and from container to host. // TODO(chzhcn): Consider merging the following two filters. - script << "tc filter add dev " << lo << " parent " << ingress::HANDLE + script << "@tc@ filter add dev " << lo << " parent " << ingress::HANDLE << " protocol ip" << " prio " << Priority(IP_FILTER_PRIORITY, NORMAL).get() << " u32" << " flowid ffff:0" << " match ip dst " << hostIPNetwork.address() << " action mirred egress redirect dev " << eth0 << "\n"; - script << "tc filter add dev " << lo << " parent " << ingress::HANDLE + script << "@tc@ filter add dev " << lo << " parent " << ingress::HANDLE << " protocol ip" << " prio " << Priority(IP_FILTER_PRIORITY, NORMAL).get() << " u32" << " flowid ffff:0" @@ -3995,7 +3997,7 @@ string PortMappingIsolatorProcess::scripts(Info* info) foreach (const PortRange& range, getPortRanges(info->nonEphemeralPorts + info->ephemeralPorts)) { // Local traffic inside a container will not be redirected to eth0. - script << "tc filter add dev " << lo << " parent " << ingress::HANDLE + script << "@tc@ filter add dev " << lo << " parent " << ingress::HANDLE << " protocol ip" << " prio " << Priority(IP_FILTER_PRIORITY, HIGH).get() << " u32" << " flowid ffff:0" 
@@ -4004,7 +4006,7 @@ string PortMappingIsolatorProcess::scripts(Info* info) // Traffic going to host loopback IP and ports assigned to this // container will be redirected to lo. - script << "tc filter add dev " << eth0 << " parent " << ingress::HANDLE + script << "@tc@ filter add dev " << eth0 << " parent " << ingress::HANDLE << " protocol ip" << " prio " << Priority(IP_FILTER_PRIORITY, NORMAL).get() << " u32" << " flowid ffff:0" @@ -4016,14 +4018,14 @@ string PortMappingIsolatorProcess::scripts(Info* info) } // Do not forward the ICMP packet if the destination IP is self. - script << "tc filter add dev " << lo << " parent " << ingress::HANDLE + script << "@tc@ filter add dev " << lo << " parent " << ingress::HANDLE << " protocol ip" << " prio " << Priority(ICMP_FILTER_PRIORITY, NORMAL).get() << " u32" << " flowid ffff:0" << " match ip protocol 1 0xff" << " match ip dst " << hostIPNetwork.address() << "\n"; - script << "tc filter add dev " << lo << " parent " << ingress::HANDLE + script << "@tc@ filter add dev " << lo << " parent " << ingress::HANDLE << " protocol ip" << " prio " << Priority(ICMP_FILTER_PRIORITY, NORMAL).get() << " u32" << " flowid ffff:0" @@ -4032,9 +4034,9 @@ string PortMappingIsolatorProcess::scripts(Info* info) << net::IPNetwork::LOOPBACK_V4().address() << "\n"; // Display the filters created on eth0 and lo. - script << "tc filter show dev " << eth0 + script << "@tc@ filter show dev " << eth0 << " parent " << ingress::HANDLE << "\n"; - script << "tc filter show dev " << lo + script << "@tc@ filter show dev " << lo << " parent " << ingress::HANDLE << "\n"; // If throughput limit for container egress traffic exists, use HTB 
@@ -4046,9 +4048,9 @@ string PortMappingIsolatorProcess::scripts(Info* info) // throughput. TBF requires other parameters such as 'burst' that // HTB already has default values for. if (egressRateLimitPerContainer.isSome()) { - script << "tc qdisc add dev " << eth0 << " root handle " + script << "@tc@ qdisc add dev " << eth0 << " root handle " << CONTAINER_TX_HTB_HANDLE << " htb default 1\n"; - script << "tc class add dev " << eth0 << " parent " + script << "@tc@ class add dev " << eth0 << " parent " << CONTAINER_TX_HTB_HANDLE << " classid " << CONTAINER_TX_HTB_CLASS_ID << " htb rate " << egressRateLimitPerContainer.get().bytes() * 8 << "bit\n"; @@ -4059,12 +4061,12 @@ string PortMappingIsolatorProcess::scripts(Info* info) // fq_codel, which has a larger buffer and better control on // buffer bloat. // TODO(cwang): Verity that fq_codel qdisc is available. - script << "tc qdisc add dev " << eth0 + script << "@tc@ qdisc add dev " << eth0 << " parent " << CONTAINER_TX_HTB_CLASS_ID << " fq_codel\n"; // Display the htb qdisc and class created on eth0. - script << "tc qdisc show dev " << eth0 << "\n"; - script << "tc class show dev " << eth0 << "\n"; + script << "@tc@ qdisc show dev " << eth0 << "\n"; + script << "@tc@ class show dev " << eth0 << "\n"; } return script.str(); diff --git a/src/slave/containerizer/mesos/isolators/posix/disk.cpp b/src/slave/containerizer/mesos/isolators/posix/disk.cpp index db0583386..542586370 100644 --- a/src/slave/containerizer/mesos/isolators/posix/disk.cpp +++ b/src/slave/containerizer/mesos/isolators/posix/disk.cpp @@ -540,7 +540,7 @@ private: // NOTE: The supervisor childhook will watch the parent process and kill // the 'du' process in case that the parent die. Try s = subprocess( - "du", + "@du@", command, Subprocess::PATH("/dev/null"), Subprocess::PIPE(), diff --git a/src/slave/containerizer/mesos/isolators/volume/image.cpp b/src/slave/containerizer/mesos/isolators/volume/image.cpp index 210e67ad0..60b3a15e4 100644 
--- a/src/slave/containerizer/mesos/isolators/volume/image.cpp +++ b/src/slave/containerizer/mesos/isolators/volume/image.cpp @@ -214,7 +214,7 @@ Future> VolumeImageIsolatorProcess::_prepare( CommandInfo* command = launchInfo.add_pre_exec_commands(); command->set_shell(false); - command->set_value("mount"); + command->set_value("@mount@"); command->add_arguments("mount"); command->add_arguments("-n"); command->add_arguments("--rbind"); diff --git a/src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp b/src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp index 7b976d292..474dcd486 100644 --- a/src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp +++ b/src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp @@ -240,7 +240,7 @@ Future> VolumeSandboxPathIsolatorProcess::prepare( CommandInfo* command = launchInfo.add_pre_exec_commands(); command->set_shell(false); - command->set_value("mount"); + command->set_value("@mount@"); command->add_arguments("mount"); command->add_arguments("-n"); command->add_arguments("--rbind"); diff --git a/src/slave/containerizer/mesos/provisioner/backends/copy.cpp b/src/slave/containerizer/mesos/provisioner/backends/copy.cpp index 9c5354e5f..a73a9692e 100644 --- a/src/slave/containerizer/mesos/provisioner/backends/copy.cpp +++ b/src/slave/containerizer/mesos/provisioner/backends/copy.cpp @@ -147,7 +147,7 @@ Future CopyBackendProcess::_provision( #endif // __APPLE__ || __FreeBSD__ Try s = subprocess( - "cp", + "@cp@", args, Subprocess::PATH("/dev/null"), Subprocess::PATH("/dev/null"), @@ -180,7 +180,7 @@ Future CopyBackendProcess::destroy(const string& rootfs) vector argv{"rm", "-rf", rootfs}; Try s = subprocess( - "rm", + "@rm@", argv, Subprocess::PATH("/dev/null"), Subprocess::FD(STDOUT_FILENO), diff --git a/src/uri/fetchers/copy.cpp b/src/uri/fetchers/copy.cpp index 2cfef5ab0..8a62f7699 100644 --- a/src/uri/fetchers/copy.cpp +++ b/src/uri/fetchers/copy.cpp 
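Review bot: `destroy()` hands `rootfs` to `@rm@ -rf` with no visible guard that it is non-empty and lies under the provisioner's base directory, so a bad caller value would be destructive on a root-running agent; the substitution changes none of this, and any such check may live outside the hunk. A cheap explicit invariant before the subprocess, `if (rootfs.empty() || !strings::startsWith(rootfs, baseDir)) return Failure("Refusing to remove '" + rootfs + "'");` with `baseDir` being whatever the backend uses as its root, would make the assumption visible. The enclosing function begins before the hunk and the `subprocess` call continues after it.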
@@ -97,7 +97,7 @@ Future CopyFetcherPlugin::fetch( const vector argv = {"cp", "-a", uri.path(), directory}; Try s = subprocess( - "cp", + "@cp@", argv, Subprocess::PATH("/dev/null"), Subprocess::PIPE(), diff --git a/src/uri/fetchers/curl.cpp b/src/uri/fetchers/curl.cpp index 7b746d619..12bbb04df 100644 --- a/src/uri/fetchers/curl.cpp +++ b/src/uri/fetchers/curl.cpp @@ -107,7 +107,7 @@ Future CurlFetcherPlugin::fetch( }; Try s = subprocess( - "curl", + "@curl@", argv, Subprocess::PATH("/dev/null"), Subprocess::PIPE(), diff --git a/src/uri/fetchers/docker.cpp b/src/uri/fetchers/docker.cpp index 3f38dddfb..fd991ee74 100644 --- a/src/uri/fetchers/docker.cpp +++ b/src/uri/fetchers/docker.cpp @@ -114,7 +114,7 @@ static Future curl( // TODO(jieyu): Kill the process if discard is called. Try s = subprocess( - "curl", + "@curl@", argv, Subprocess::PATH("/dev/null"), Subprocess::PIPE(), @@ -213,7 +213,7 @@ static Future download( // TODO(jieyu): Kill the process if discard is called. Try s = subprocess( - "curl", + "@curl@", argv, Subprocess::PATH("/dev/null"), Subprocess::PIPE(),