This repository has been archived by the owner on Jan 25, 2022. It is now read-only.

merge nested warden into master #27

Merged
merged 20 commits into from
Sep 12, 2013

syslxg (Contributor) commented Aug 15, 2013

merge nested warden into master

David Sabeti and Pieter Noordhuis and others added 13 commits April 5, 2013 14:39
Setting this flag will create a number of bind mounts into /tmp/warden
inside the container such that warden can run inside of a container.

Nested warden forwards both inbound and outbound traffic on interfaces
that match the "w-+" wildcard. This means that inbound traffic is
dropped by default. This change makes sure that traffic that comes in
via the default outbound interface is always allowed.

syslxg (Contributor Author) commented Aug 21, 2013

Built a cf-release using this branch. yeti passed:

76 examples, 2 failures, 13 pendings

The two failures are about loggregator, not related to warden. Maybe it is because of missing port forwarding rules on ELB.

if File.exist?("/proc/sys/net/ipv4/ip_local_port_range")
File.read("/proc/sys/net/ipv4/ip_local_port_range").split.map(&:to_i)
else
return 32768, 61000
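
Review bot: the else branch falls back to `return 32768, 61000` silently and with unexplained literals, and it mixes an explicit return with the implicit value of the if branch. Suggest moving the two numbers into a named constant with a comment stating which default they mirror, dropping the `return` if this conditional is the method's last expression, and logging when the /proc file is absent so an operator can tell the range was assumed rather than read. The read branch also accepts whatever the file contains; checking that the split yields exactly two integers, the first lower than the second, would keep a malformed value from propagating.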

Why is this required for nested warden functionality?

@mariash @ryantang

Contributor

In newer kernels, /proc/sys/net/ipv4/ip_local_port_range is not exported inside the container anymore,
so we should check whether it exists before providing some default values.

Contributor

OK, makes sense.

@vito & @mariash

@ryantang

@Kaixiang @syslxg — Please add tests with this commit. @mariash and I commented out lines 229 through 242, starting with if Server.config.allow_nested_warden? from linux.rb of this commit. We ran the tests, and everything still passed. We should see at least one failing test as a result of this exercise, telling us that an important feature is broken.

We'd be happy to help you out on this. Please let us know. Thanks.

@andreasmaier

@Kaixiang @mkocher Any updates on this one?

syslxg (Contributor Author) commented Sep 9, 2013

@ryantang @andreasmaier @mariash We added tests for nested-warden and answered your comments above.
Please review this PR.
Let us know if you have any questions. @Kaixiang @mkocher

@@ -194,38 +195,49 @@ def perform_rsync(src_path, dst_path)
sh *args
end

def write_bind_mount_commands(request)
return if request.bind_mounts.nil? || request.bind_mounts.empty?
def add_bind_mount(file, src_path, dst_path, mode)
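
Review bot: `add_bind_mount(file, src_path, dst_path, mode)` takes src_path, dst_path and mode with no validation visible in this hunk, and the caller above it is named write_bind_mount_commands, so these values appear to end up in a generated command file. Suggest checking that src_path exists and raising a Warden error before anything is written, restricting mode to the known set of values, and shell-escaping both paths where they are interpolated. A test that a missing src_path is rejected would lock that behavior in.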
Contributor

Will this blow up if src doesn't exist? Previously we used to File.stat it and raise a Warden error if it didn't exist.

@vito & @mariash

@Kaixiang
Contributor

After a pairing review of the PR this morning with @dsabeti and @syslxg, we all agreed to merge the pull request under review, as long as we fix the src_path check, revert some unused commits, and add an outbound traffic test for nested warden. All done and the tests pass, so we are merging it now.

Contact @dsabeti if you see an issue when it's outside of our hours.

syslxg pushed a commit that referenced this pull request Sep 12, 2013
merge nested warden into master
@syslxg syslxg merged commit f25ec67 into master Sep 12, 2013
@fraenkel fraenkel deleted the nested-rebase branch January 18, 2016 14:41