This repository has been archived by the owner on Dec 5, 2017. It is now read-only.

linux/fs isolator on slaves is incompatible with k8s-mesos #799

Open
jdef opened this issue Apr 8, 2016 · 2 comments

Comments

@jdef

jdef commented Apr 8, 2016

  • the isolator will be enabled by default in DCOS 1.7
  • the isolator is incompatible with volume management as implemented by kubelet
    • kubelet expects to manage the mount namespace of the host
    • linux/fs isolator clones the host's mount namespace, child namespace is a slave of the host
      • this breaks k8s volume management

xref d2iq-archive/universe#379

@thebennos

how can we help?

@jdef
Author

jdef commented Jul 19, 2016

I'd start with support for the kubelet's --containerized flag. The docs
say that it's still experimental, so I'm not sure what's working vs. not.
Using --containerized requires that nsenter is present and in the
kubelet's PATH. It's used for creating files on the host FS and for
mounting volumes. Once the flag is in place and nsenter is available to the
kubelet-executor you can test that (volume-based) secrets still work.

On Tue, Jul 19, 2016 at 7:18 AM, Benjamin [email protected] wrote:

how can we help?


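A read-only check for the two conditions raised in this thread, added here as an example and not code from the thread's participants or the kubernetes-mesos project: whether a mount point is a slave of another peer group (read from the optional fields of `/proc/<pid>/mountinfo`), and whether `nsenter` is on the search path. The function names and the sample mountinfo lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: not code from kubernetes-mesos, Mesos or the kubelet.

# Print the propagation type of mount point $2 as recorded in mountinfo file $1.
# Optional fields sit between field 6 and the "-" separator:
#   shared:N = member of peer group N, master:N = slave of peer group N.
mount_propagation() {
    awk -v mp="$2" '
        $5 == mp {
            shared = 0; slave = 0
            for (i = 7; i <= NF && $i != "-"; i++) {
                if ($i ~ /^shared:/) shared = 1
                if ($i ~ /^master:/) slave = 1
            }
            result = slave ? (shared ? "shared+slave" : "slave") : (shared ? "shared" : "private")
        }
        END { if (result == "") result = "not-found"; print result }
    ' "$1"
}

# Succeed if tool $1 is an executable on search path $2 (default: current PATH).
tool_on_path() {
    ( PATH="${2-$PATH}"; command -v "$1" >/dev/null 2>&1 )
}

# Succeed if this process is in PID 1's mount namespace; return 2 if unreadable.
in_host_mount_ns() {
    self=$(readlink /proc/self/ns/mnt 2>/dev/null) || return 2
    host=$(readlink /proc/1/ns/mnt 2>/dev/null) || return 2
    [ "$self" = "$host" ]
}

# Constructed sample: mounts as seen from a namespace that is a slave of the host.
sample_slave_mountinfo() {
    cat <<'EOF'
100 99 8:1 / / rw,relatime master:1 - ext4 /dev/sda1 rw,data=ordered
101 100 0:4 / /proc rw,nosuid,nodev,noexec,relatime master:12 - proc proc rw
102 100 0:40 / /var/lib/kubelet rw,relatime shared:25 master:1 - tmpfs tmpfs rw
EOF
}

# Report on the live system where /proc is available.
if [ -r /proc/self/mountinfo ]; then
    echo "propagation of / here: $(mount_propagation /proc/self/mountinfo /)"
fi
if in_host_mount_ns; then echo "mount ns: same as PID 1"; else echo "mount ns: differs or unreadable"; fi
if tool_on_path nsenter; then echo "nsenter: found"; else echo "nsenter: missing from PATH"; fi
```

A result of `slave` for `/` means mount events flow in from the master peer group only, so mounts created inside that namespace are not visible on the host.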
