diff options
Diffstat (limited to 'pkgs/applications/networking/cluster/mesos/nixos.patch')
| -rw-r--r-- | pkgs/applications/networking/cluster/mesos/nixos.patch | 731 |
1 files changed, 0 insertions, 731 deletions
diff --git a/pkgs/applications/networking/cluster/mesos/nixos.patch b/pkgs/applications/networking/cluster/mesos/nixos.patch deleted file mode 100644 index a6fea024b08..00000000000 --- a/pkgs/applications/networking/cluster/mesos/nixos.patch +++ /dev/null @@ -1,731 +0,0 @@ -diff --git i/3rdparty/stout/include/stout/os/posix/fork.hpp w/3rdparty/stout/include/stout/os/posix/fork.hpp -index a29967d..290b98b 100644 ---- i/3rdparty/stout/include/stout/os/posix/fork.hpp -+++ w/3rdparty/stout/include/stout/os/posix/fork.hpp -@@ -369,7 +369,7 @@ private: - if (exec.isSome()) { - // Execute the command (via '/bin/sh -c command'). - const char* command = exec.get().command.c_str(); -- execlp("sh", "sh", "-c", command, (char*) nullptr); -+ execlp("@sh@", "sh", "-c", command, (char*) nullptr); - EXIT(EXIT_FAILURE) - << "Failed to execute '" << command << "': " << os::strerror(errno); - } else if (wait.isSome()) { -diff --git i/3rdparty/stout/include/stout/posix/os.hpp w/3rdparty/stout/include/stout/posix/os.hpp -index 8511dfd..1e7be01 100644 ---- i/3rdparty/stout/include/stout/posix/os.hpp -+++ w/3rdparty/stout/include/stout/posix/os.hpp -@@ -366,7 +366,7 @@ inline Try<std::set<pid_t>> pids(Option<pid_t> group, Option<pid_t> session) - inline Try<Nothing> tar(const std::string& path, const std::string& archive) - { - Try<std::string> tarOut = -- os::shell("tar %s %s %s", "-czf", archive.c_str(), path.c_str()); -+ os::shell("@tar@ %s %s %s", "-czf", archive.c_str(), path.c_str()); - - if (tarOut.isError()) { - return Error("Failed to archive " + path + ": " + tarOut.error()); -diff --git i/src/Makefile.am w/src/Makefile.am -index 68fff14..c572f92 100644 ---- i/src/Makefile.am -+++ w/src/Makefile.am -@@ -1775,7 +1775,7 @@ if HAS_JAVA - - $(MESOS_JAR): $(MESOS_JAR_SOURCE) $(MESOS_JAR_GENERATED) java/mesos.pom - @echo "Building mesos-$(PACKAGE_VERSION).jar ..." -- @cd $(abs_top_builddir)/src/java && $(MVN) -B -f mesos.pom clean package -+ @cd $(abs_top_builddir)/src/java && $(MVN) -B -f mesos.pom -Dmaven.repo.local=@mavenRepo@ clean package - - # Convenience library for JNI bindings. - # TODO(Charles Reiss): We really should be building the Java library -diff --git i/src/cli/mesos-scp w/src/cli/mesos-scp -index a71ab07..1043d1b 100755 ---- i/src/cli/mesos-scp -+++ w/src/cli/mesos-scp -@@ -19,7 +19,8 @@ if sys.version_info < (2,6,0): - - - def scp(host, src, dst): -- cmd = 'scp -pr %s %s' % (src, host + ':' + dst) -+ cmd = '@scp@ -pr %s %s' % (src, host + ':' + dst) -+ - try: - process = subprocess.Popen( - cmd, -diff --git i/src/common/command_utils.cpp w/src/common/command_utils.cpp -index c50be76..388cc53 100644 ---- i/src/common/command_utils.cpp -+++ w/src/common/command_utils.cpp -@@ -142,7 +142,7 @@ Future<Nothing> tar( - - argv.emplace_back(input); - -- return launch("tar", argv) -+ return launch("@tar@", argv) - .then([]() { return Nothing(); }); - } - -@@ -164,7 +164,7 @@ Future<Nothing> untar( - argv.emplace_back(directory.get()); - } - -- return launch("tar", argv) -+ return launch("@tar@", argv) - .then([]() { return Nothing(); }); - } - -@@ -172,7 +172,7 @@ Future<Nothing> untar( - Future<string> sha512(const Path& input) - { - #ifdef __linux__ -- const string cmd = "sha512sum"; -+ const string cmd = "@sha512sum@"; - vector<string> argv = { - cmd, - input // Input file to compute shasum. -@@ -208,7 +208,7 @@ Future<Nothing> gzip(const Path& input) - input - }; - -- return launch("gzip", argv) -+ return launch("@gzip@", argv) - .then([]() { return Nothing(); }); - } - -@@ -221,7 +221,7 @@ Future<Nothing> decompress(const Path& input) - input - }; - -- return launch("gzip", argv) -+ return launch("@gzip@", argv) - .then([]() { return Nothing(); }); - } - -diff --git i/src/launcher/fetcher.cpp w/src/launcher/fetcher.cpp -index 42980f5..3aebeed 100644 ---- i/src/launcher/fetcher.cpp -+++ w/src/launcher/fetcher.cpp -@@ -80,17 +80,17 @@ static Try<bool> extract( - strings::endsWith(sourcePath, ".tar.bz2") || - strings::endsWith(sourcePath, ".txz") || - strings::endsWith(sourcePath, ".tar.xz")) { -- command = {"tar", "-C", destinationDirectory, "-xf", sourcePath}; -+ command = {"@tar@", "-C", destinationDirectory, "-xf", sourcePath}; - } else if (strings::endsWith(sourcePath, ".gz")) { - string pathWithoutExtension = sourcePath.substr(0, sourcePath.length() - 3); - string filename = Path(pathWithoutExtension).basename(); - string destinationPath = path::join(destinationDirectory, filename); - -- command = {"gunzip", "-d", "-c"}; -+ command = {"@gunzip@", "-d", "-c"}; - in = Subprocess::PATH(sourcePath); - out = Subprocess::PATH(destinationPath); - } else if (strings::endsWith(sourcePath, ".zip")) { -- command = {"unzip", "-o", "-d", destinationDirectory, sourcePath}; -+ command = {"@unzip@", "-o", "-d", destinationDirectory, sourcePath}; - } else { - return false; - } -@@ -193,7 +193,7 @@ static Try<string> copyFile( - const string& sourcePath, - const string& destinationPath) - { -- int status = os::spawn("cp", {"cp", sourcePath, destinationPath}); -+ int status = os::spawn("cp", {"@cp@", sourcePath, destinationPath}); - - if (status == -1) { - return ErrnoError("Failed to copy '" + sourcePath + "'"); -diff --git i/src/linux/perf.cpp w/src/linux/perf.cpp -index b301e25..356a2cf 100644 ---- i/src/linux/perf.cpp -+++ w/src/linux/perf.cpp -@@ -128,7 +128,7 @@ private: - // NOTE: The supervisor childhook places perf in its own process group - // and will kill the perf process when the parent dies. - Try<Subprocess> _perf = subprocess( -- "perf", -+ "@perf@", - argv, - Subprocess::PIPE(), - Subprocess::PIPE(), -diff --git i/src/linux/systemd.cpp w/src/linux/systemd.cpp -index 6318f48..394d88d 100644 ---- i/src/linux/systemd.cpp -+++ w/src/linux/systemd.cpp -@@ -196,13 +196,21 @@ bool exists() - // This is static as the init system should not change while we are running. - static const bool exists = []() -> bool { - // (1) Test whether `/sbin/init` links to systemd. -- const Result<string> realpath = os::realpath("/sbin/init"); -- if (realpath.isError() || realpath.isNone()) { -- LOG(WARNING) << "Failed to test /sbin/init for systemd environment: " -- << (realpath.isError() ? realpath.error() -- : "does not exist"); -- -- return false; -+ // cstrahan(nixos): first assume we're on NixOS, then try non-NixOS -+ Result<string> realpath = os::realpath("/run/current-system/systemd/lib/systemd/systemd"); -+ Result<string> realpathNixOS = realpath; -+ if (realpathNixOS.isError() || realpathNixOS.isNone()) { -+ Result<string> realpathNonNixOS = realpath = os::realpath("/sbin/init"); -+ if (realpathNonNixOS.isError() || realpathNonNixOS.isNone()) { -+ LOG(WARNING) << "Failed to test /run/current-system/systemd/lib/systemd/systemd for systemd environment: " -+ << (realpathNixOS.isError() ? realpathNixOS.error() -+ : "does not exist"); -+ LOG(WARNING) << "Failed to test /sbin/init for systemd environment: " -+ << (realpathNonNixOS.isError() ? realpathNonNixOS.error() -+ : "does not exist"); -+ -+ return false; -+ } - } - - CHECK_SOME(realpath); -@@ -278,6 +286,10 @@ Path hierarchy() - - Try<Nothing> daemonReload() - { -+ // cstrahan(nixos): should we patch these `systemctl`s? -+ // probably don't want to hard-code a particular systemd store path here, -+ // but if we use /run/current-system/sw/bin/systemctl, -+ // we won't be able to support non-NixOS distros. - Try<string> daemonReload = os::shell("systemctl daemon-reload"); - if (daemonReload.isError()) { - return Error("Failed to reload systemd daemon: " + daemonReload.error()); -diff --git i/src/python/cli/src/mesos/cli.py w/src/python/cli/src/mesos/cli.py -index 4a9b558..c08a8b9 100644 ---- i/src/python/cli/src/mesos/cli.py -+++ w/src/python/cli/src/mesos/cli.py -@@ -40,7 +40,7 @@ def resolve(master): - import subprocess - - process = subprocess.Popen( -- ['mesos-resolve', master], -+ ['@mesos-resolve@', master], - stdin=None, - stdout=subprocess.PIPE, - stderr=subprocess.PIPE, -diff --git i/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp w/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp -index 5b630c1..d63ad69 100644 ---- i/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp -+++ w/src/slave/containerizer/mesos/isolators/docker/volume/isolator.cpp -@@ -499,7 +499,7 @@ Future<Option<ContainerLaunchInfo>> DockerVolumeIsolatorProcess::_prepare( - // unsafe arbitrary commands). - CommandInfo* command = launchInfo.add_pre_exec_commands(); - command->set_shell(false); -- command->set_value("mount"); -+ command->set_value("@mount@"); - command->add_arguments("mount"); - command->add_arguments("-n"); - command->add_arguments("--rbind"); -diff --git i/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp w/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp -index d7fe9a8..1361a4e 100644 ---- i/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp -+++ w/src/slave/containerizer/mesos/isolators/filesystem/linux.cpp -@@ -154,9 +154,9 @@ Try<Isolator*> LinuxFilesystemIsolatorProcess::create(const Flags& flags) - // here because 'create' will only be invoked during - // initialization. - Try<string> mount = os::shell( -- "mount --bind %s %s && " -- "mount --make-private %s && " -- "mount --make-shared %s", -+ "@mount@ --bind %s %s && " -+ "@mount@ --make-private %s && " -+ "@mount@ --make-shared %s", - workDir->c_str(), - workDir->c_str(), - workDir->c_str(), -@@ -175,8 +175,8 @@ Try<Isolator*> LinuxFilesystemIsolatorProcess::create(const Flags& flags) - LOG(INFO) << "Making '" << workDir.get() << "' a shared mount"; - - Try<string> mount = os::shell( -- "mount --make-private %s && " -- "mount --make-shared %s", -+ "@mount@ --make-private %s && " -+ "@mount@ --make-shared %s", - workDir->c_str(), - workDir->c_str()); - -@@ -422,7 +422,7 @@ Try<vector<CommandInfo>> LinuxFilesystemIsolatorProcess::getPreExecCommands( - - CommandInfo command; - command.set_shell(false); -- command.set_value("mount"); -+ command.set_value("@mount@"); - command.add_arguments("mount"); - command.add_arguments("-n"); - command.add_arguments("--rbind"); -@@ -610,7 +610,7 @@ Try<vector<CommandInfo>> LinuxFilesystemIsolatorProcess::getPreExecCommands( - // TODO(jieyu): Consider the mode in the volume. - CommandInfo command; - command.set_shell(false); -- command.set_value("mount"); -+ command.set_value("@mount@"); - command.add_arguments("mount"); - command.add_arguments("-n"); - command.add_arguments("--rbind"); -diff --git i/src/slave/containerizer/mesos/isolators/filesystem/shared.cpp w/src/slave/containerizer/mesos/isolators/filesystem/shared.cpp -index 927d95b..576dc63 100644 ---- i/src/slave/containerizer/mesos/isolators/filesystem/shared.cpp -+++ w/src/slave/containerizer/mesos/isolators/filesystem/shared.cpp -@@ -208,7 +208,7 @@ Future<Option<ContainerLaunchInfo>> SharedFilesystemIsolatorProcess::prepare( - } - - launchInfo.add_pre_exec_commands()->set_value( -- "mount -n --bind " + hostPath + " " + volume.container_path()); -+ "@mount@ -n --bind " + hostPath + " " + volume.container_path()); - } - - return launchInfo; -diff --git i/src/slave/containerizer/mesos/isolators/gpu/isolator.cpp w/src/slave/containerizer/mesos/isolators/gpu/isolator.cpp -index 25636b5..33ec315 100644 ---- i/src/slave/containerizer/mesos/isolators/gpu/isolator.cpp -+++ w/src/slave/containerizer/mesos/isolators/gpu/isolator.cpp -@@ -401,7 +401,7 @@ Future<Option<ContainerLaunchInfo>> NvidiaGpuIsolatorProcess::_prepare( - } - - launchInfo.add_pre_exec_commands()->set_value( -- "mount --no-mtab --rbind --read-only " + -+ "@mount@ --no-mtab --rbind --read-only " + - volume.HOST_PATH() + " " + target); - } - -diff --git i/src/slave/containerizer/mesos/isolators/gpu/volume.cpp w/src/slave/containerizer/mesos/isolators/gpu/volume.cpp -index 536a3c7..e2819dd 100644 ---- i/src/slave/containerizer/mesos/isolators/gpu/volume.cpp -+++ w/src/slave/containerizer/mesos/isolators/gpu/volume.cpp -@@ -274,7 +274,7 @@ Try<NvidiaVolume> NvidiaVolume::create() - string path = path::join(hostPath, "bin", binary); - - if (!os::exists(path)) { -- string command = "which " + binary; -+ string command = "@which@ " + binary; - Try<string> which = os::shell(command); - - if (which.isSome()) { -@@ -288,7 +288,7 @@ Try<NvidiaVolume> NvidiaVolume::create() - : "No such file or directory")); - } - -- command = "cp " + realpath.get() + " " + path; -+ command = "@cp@ " + realpath.get() + " " + path; - Try<string> cp = os::shell(command); - if (cp.isError()) { - return Error("Failed to os::shell '" + command + "': " + cp.error()); -@@ -360,7 +360,7 @@ Try<NvidiaVolume> NvidiaVolume::create() - Path(realpath.get()).basename()); - - if (!os::exists(libraryPath)) { -- string command = "cp " + realpath.get() + " " + libraryPath; -+ string command = "@cp@ " + realpath.get() + " " + libraryPath; - Try<string> cp = os::shell(command); - if (cp.isError()) { - return Error("Failed to os::shell '" + command + "':" -diff --git i/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp w/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp -index 42bc2e1..2f9066e 100644 ---- i/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp -+++ w/src/slave/containerizer/mesos/isolators/namespaces/pid.cpp -@@ -131,7 +131,7 @@ Future<Option<ContainerLaunchInfo>> NamespacesPidIsolatorProcess::prepare( - // - // TOOD(jieyu): Consider unmount the existing /proc. - launchInfo.add_pre_exec_commands()->set_value( -- "mount -n -t proc proc /proc -o nosuid,noexec,nodev"); -+ "@mount@ -n -t proc proc /proc -o nosuid,noexec,nodev"); - - return launchInfo; - } -diff --git i/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp w/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp -index fc68f04..267b040 100644 ---- i/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp -+++ w/src/slave/containerizer/mesos/isolators/network/cni/cni.cpp -@@ -205,9 +205,9 @@ Try<Isolator*> NetworkCniIsolatorProcess::create(const Flags& flags) - // here because 'create' will only be invoked during - // initialization. - Try<string> mount = os::shell( -- "mount --bind %s %s && " -- "mount --make-private %s && " -- "mount --make-shared %s", -+ "@mount@ --bind %s %s && " -+ "@mount@ --make-private %s && " -+ "@mount@ --make-shared %s", - rootDir->c_str(), - rootDir->c_str(), - rootDir->c_str(), -@@ -227,8 +227,8 @@ Try<Isolator*> NetworkCniIsolatorProcess::create(const Flags& flags) - LOG(INFO) << "Making '" << rootDir.get() << "' a shared mount"; - - Try<string> mount = os::shell( -- "mount --make-private %s && " -- "mount --make-shared %s", -+ "@mount@ --make-private %s && " -+ "@mount@ --make-shared %s", - rootDir->c_str(), - rootDir->c_str()); - -diff --git i/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp w/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp -index 43cf3e4..94bad8b 100644 ---- i/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp -+++ w/src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp -@@ -301,7 +301,7 @@ Try<Nothing> PortMapper::addPortMapping( - # Check if the `chain` exists in the iptable. If it does not - # exist go ahead and install the chain in the iptables NAT - # table. -- iptables -w -t nat --list %s -+ @iptables@ -w -t nat --list %s - if [ $? -ne 0 ]; then - # NOTE: When we create the chain, there is a possibility of a - # race due to which a container launch can fail. This can -@@ -315,25 +315,25 @@ Try<Nothing> PortMapper::addPortMapping( - # since it can happen only when the chain is created the first - # time and two commands for creation of the chain are executed - # simultaneously. -- (iptables -w -t nat -N %s || exit 1) -+ (@iptables@ -w -t nat -N %s || exit 1) - - # Once the chain has been installed add a rule in the PREROUTING - # chain to jump to this chain for any packets that are - # destined to a local address. -- (iptables -w -t nat -A PREROUTING \ -+ (@iptables@ -w -t nat -A PREROUTING \ - -m addrtype --dst-type LOCAL -j %s || exit 1) - - # For locally generated packets we need a rule in the OUTPUT - # chain as well, since locally generated packets directly hit - # the output CHAIN, bypassing PREROUTING. -- (iptables -w -t nat -A OUTPUT \ -+ (@iptables@ -w -t nat -A OUTPUT \ - ! -d 127.0.0.0/8 -m addrtype \ - --dst-type LOCAL -j %s || exit 1) - fi - - # Within the `chain` go ahead and install the DNAT rule, if it - # does not exist. -- (iptables -w -t nat -C %s || iptables -t nat -A %s))~", -+ (@iptables@ -w -t nat -C %s || @iptables@ -t nat -A %s))~", - chain, - chain, - chain, -@@ -360,7 +360,7 @@ Try<Nothing> PortMapper::delPortMapping() - # The iptables command searches for the DNAT rules with tag - # "container_id: <CNI_CONTAINERID>", and if it exists goes ahead - # and deletes it. -- iptables -w -t nat -S %s | sed "/%s/ s/-A/iptables -w -t nat -D/e")~", -+ @iptables@ -w -t nat -S %s | sed "/%s/ s/-A/@iptables@ -w -t nat -D/e")~", - chain, - getIptablesRuleTag()).get(); - -diff --git i/src/slave/containerizer/mesos/isolators/network/port_mapping.cpp w/src/slave/containerizer/mesos/isolators/network/port_mapping.cpp -index 57d4ccd..68c9577 100644 ---- i/src/slave/containerizer/mesos/isolators/network/port_mapping.cpp -+++ w/src/slave/containerizer/mesos/isolators/network/port_mapping.cpp -@@ -1394,19 +1394,19 @@ Try<Isolator*> PortMappingIsolatorProcess::create(const Flags& flags) - // Check the availability of a few Linux commands that we will use. - // We use the blocking os::shell here because 'create' will only be - // invoked during initialization. -- Try<string> checkCommandTc = os::shell("tc filter show"); -+ Try<string> checkCommandTc = os::shell("@tc@ filter show"); - if (checkCommandTc.isError()) { - return Error("Check command 'tc' failed: " + checkCommandTc.error()); - } - - // NOTE: loopback device always exists. -- Try<string> checkCommandEthtool = os::shell("ethtool -k lo"); -+ Try<string> checkCommandEthtool = os::shell("@ethtool@ -k lo"); - if (checkCommandEthtool.isError()) { - return Error("Check command 'ethtool' failed: " - + checkCommandEthtool.error()); - } - -- Try<string> checkCommandIp = os::shell("ip link show"); -+ Try<string> checkCommandIp = os::shell("@ip@ link show"); - if (checkCommandIp.isError()) { - return Error("Check command 'ip' failed: " + checkCommandIp.error()); - } -@@ -1940,9 +1940,9 @@ Try<Isolator*> PortMappingIsolatorProcess::create(const Flags& flags) - // visible. It's OK to use the blocking os::shell here because - // 'create' will only be invoked during initialization. - Try<string> mount = os::shell( -- "mount --bind %s %s && " -- "mount --make-slave %s && " -- "mount --make-shared %s", -+ "@mount@ --bind %s %s && " -+ "@mount@ --make-slave %s && " -+ "@mount@ --make-shared %s", - bindMountRoot->c_str(), - bindMountRoot->c_str(), - bindMountRoot->c_str(), -@@ -1959,8 +1959,8 @@ Try<Isolator*> PortMappingIsolatorProcess::create(const Flags& flags) - // shared mount yet (possibly due to slave crash while preparing - // the work directory mount). It's safe to re-do the following. - Try<string> mount = os::shell( -- "mount --make-slave %s && " -- "mount --make-shared %s", -+ "@mount@ --make-slave %s && " -+ "@mount@ --make-shared %s", - bindMountRoot->c_str(), - bindMountRoot->c_str()); - -@@ -1979,8 +1979,8 @@ Try<Isolator*> PortMappingIsolatorProcess::create(const Flags& flags) - // so that they are in different peer groups. - if (entry.shared() == bindMountEntry->shared()) { - Try<string> mount = os::shell( -- "mount --make-slave %s && " -- "mount --make-shared %s", -+ "@mount@ --make-slave %s && " -+ "@mount@ --make-shared %s", - bindMountRoot->c_str(), - bindMountRoot->c_str()); - -@@ -3927,6 +3927,8 @@ Try<Nothing> PortMappingIsolatorProcess::removeHostIPFilters( - // TODO(jieyu): Use the Subcommand abstraction to remove most of the - // logic here. Completely remove this function once we can assume a - // newer kernel where 'setns' works for mount namespaces. -+// cstrahan(nixos): this is executed in the container, -+// so we don't want to substitute paths here. - string PortMappingIsolatorProcess::scripts(Info* info) - { - ostringstream script; -@@ -3937,7 +3939,7 @@ string PortMappingIsolatorProcess::scripts(Info* info) - // Mark the mount point PORT_MAPPING_BIND_MOUNT_ROOT() as slave - // mount so that changes in the container will not be propagated to - // the host. -- script << "mount --make-rslave " << bindMountRoot << "\n"; -+ script << "@mount@ --make-rslave " << bindMountRoot << "\n"; - - // Disable IPv6 when IPv6 module is loaded as IPv6 packets won't be - // forwarded anyway. -@@ -3945,7 +3947,7 @@ string PortMappingIsolatorProcess::scripts(Info* info) - << " echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6\n"; - - // Configure lo and eth0. -- script << "ip link set " << lo << " address " << hostMAC -+ script << "@ip@ link set " << lo << " address " << hostMAC - << " mtu " << hostEth0MTU << " up\n"; - - // NOTE: This is mostly a kernel issue: in veth_xmit() the kernel -@@ -3954,12 +3956,12 @@ string PortMappingIsolatorProcess::scripts(Info* info) - // when we receive a packet with a bad checksum. Disabling rx - // checksum offloading ensures the TCP layer will checksum and drop - // it. -- script << "ethtool -K " << eth0 << " rx off\n"; -- script << "ip link set " << eth0 << " address " << hostMAC << " up\n"; -- script << "ip addr add " << hostIPNetwork << " dev " << eth0 << "\n"; -+ script << "@ethtool@ -K " << eth0 << " rx off\n"; -+ script << "@ip@ link set " << eth0 << " address " << hostMAC << " up\n"; -+ script << "@ip@ addr add " << hostIPNetwork << " dev " << eth0 << "\n"; - - // Set up the default gateway to match that of eth0. -- script << "ip route add default via " << hostDefaultGateway << "\n"; -+ script << "@ip@ route add default via " << hostDefaultGateway << "\n"; - - // Restrict the ephemeral ports that can be used by the container. - script << "echo " << info->ephemeralPorts.lower() << " " -@@ -3988,19 +3990,19 @@ string PortMappingIsolatorProcess::scripts(Info* info) - } - - // Set up filters on lo and eth0. -- script << "tc qdisc add dev " << lo << " ingress\n"; -- script << "tc qdisc add dev " << eth0 << " ingress\n"; -+ script << "@tc@ qdisc add dev " << lo << " ingress\n"; -+ script << "@tc@ qdisc add dev " << eth0 << " ingress\n"; - - // Allow talking between containers and from container to host. - // TODO(chzhcn): Consider merging the following two filters. -- script << "tc filter add dev " << lo << " parent " << ingress::HANDLE -+ script << "@tc@ filter add dev " << lo << " parent " << ingress::HANDLE - << " protocol ip" - << " prio " << Priority(IP_FILTER_PRIORITY, NORMAL).get() << " u32" - << " flowid ffff:0" - << " match ip dst " << hostIPNetwork.address() - << " action mirred egress redirect dev " << eth0 << "\n"; - -- script << "tc filter add dev " << lo << " parent " << ingress::HANDLE -+ script << "@tc@ filter add dev " << lo << " parent " << ingress::HANDLE - << " protocol ip" - << " prio " << Priority(IP_FILTER_PRIORITY, NORMAL).get() << " u32" - << " flowid ffff:0" -@@ -4011,7 +4013,7 @@ string PortMappingIsolatorProcess::scripts(Info* info) - foreach (const PortRange& range, - getPortRanges(info->nonEphemeralPorts + info->ephemeralPorts)) { - // Local traffic inside a container will not be redirected to eth0. -- script << "tc filter add dev " << lo << " parent " << ingress::HANDLE -+ script << "@tc@ filter add dev " << lo << " parent " << ingress::HANDLE - << " protocol ip" - << " prio " << Priority(IP_FILTER_PRIORITY, HIGH).get() << " u32" - << " flowid ffff:0" -@@ -4020,7 +4022,7 @@ string PortMappingIsolatorProcess::scripts(Info* info) - - // Traffic going to host loopback IP and ports assigned to this - // container will be redirected to lo. -- script << "tc filter add dev " << eth0 << " parent " << ingress::HANDLE -+ script << "@tc@ filter add dev " << eth0 << " parent " << ingress::HANDLE - << " protocol ip" - << " prio " << Priority(IP_FILTER_PRIORITY, NORMAL).get() << " u32" - << " flowid ffff:0" -@@ -4032,14 +4034,14 @@ string PortMappingIsolatorProcess::scripts(Info* info) - } - - // Do not forward the ICMP packet if the destination IP is self. -- script << "tc filter add dev " << lo << " parent " << ingress::HANDLE -+ script << "@tc@ filter add dev " << lo << " parent " << ingress::HANDLE - << " protocol ip" - << " prio " << Priority(ICMP_FILTER_PRIORITY, NORMAL).get() << " u32" - << " flowid ffff:0" - << " match ip protocol 1 0xff" - << " match ip dst " << hostIPNetwork.address() << "\n"; - -- script << "tc filter add dev " << lo << " parent " << ingress::HANDLE -+ script << "@tc@ filter add dev " << lo << " parent " << ingress::HANDLE - << " protocol ip" - << " prio " << Priority(ICMP_FILTER_PRIORITY, NORMAL).get() << " u32" - << " flowid ffff:0" -@@ -4048,9 +4050,9 @@ string PortMappingIsolatorProcess::scripts(Info* info) - << net::IP::Network::LOOPBACK_V4().address() << "\n"; - - // Display the filters created on eth0 and lo. -- script << "tc filter show dev " << eth0 -+ script << "@tc@ filter show dev " << eth0 - << " parent " << ingress::HANDLE << "\n"; -- script << "tc filter show dev " << lo -+ script << "@tc@ filter show dev " << lo - << " parent " << ingress::HANDLE << "\n"; - - // If throughput limit for container egress traffic exists, use HTB -@@ -4062,9 +4064,9 @@ string PortMappingIsolatorProcess::scripts(Info* info) - // throughput. TBF requires other parameters such as 'burst' that - // HTB already has default values for. - if (egressRateLimitPerContainer.isSome()) { -- script << "tc qdisc add dev " << eth0 << " root handle " -+ script << "@tc@ qdisc add dev " << eth0 << " root handle " - << CONTAINER_TX_HTB_HANDLE << " htb default 1\n"; -- script << "tc class add dev " << eth0 << " parent " -+ script << "@tc@ class add dev " << eth0 << " parent " - << CONTAINER_TX_HTB_HANDLE << " classid " - << CONTAINER_TX_HTB_CLASS_ID << " htb rate " - << egressRateLimitPerContainer.get().bytes() * 8 << "bit\n"; -@@ -4075,12 +4077,12 @@ string PortMappingIsolatorProcess::scripts(Info* info) - // fq_codel, which has a larger buffer and better control on - // buffer bloat. - // TODO(cwang): Verity that fq_codel qdisc is available. -- script << "tc qdisc add dev " << eth0 -+ script << "@tc@ qdisc add dev " << eth0 - << " parent " << CONTAINER_TX_HTB_CLASS_ID << " fq_codel\n"; - - // Display the htb qdisc and class created on eth0. -- script << "tc qdisc show dev " << eth0 << "\n"; -- script << "tc class show dev " << eth0 << "\n"; -+ script << "@tc@ qdisc show dev " << eth0 << "\n"; -+ script << "@tc@ class show dev " << eth0 << "\n"; - } - - return script.str(); -diff --git i/src/slave/containerizer/mesos/isolators/posix/disk.cpp w/src/slave/containerizer/mesos/isolators/posix/disk.cpp -index eb23025..db268ea 100644 ---- i/src/slave/containerizer/mesos/isolators/posix/disk.cpp -+++ w/src/slave/containerizer/mesos/isolators/posix/disk.cpp -@@ -572,7 +572,7 @@ private: - // NOTE: The supervisor childhook will watch the parent process and kill - // the 'du' process in case that the parent die. - Try<Subprocess> s = subprocess( -- "du", -+ "@du@", - command, - Subprocess::PATH(os::DEV_NULL), - Subprocess::PIPE(), -diff --git i/src/slave/containerizer/mesos/isolators/volume/image.cpp w/src/slave/containerizer/mesos/isolators/volume/image.cpp -index 35966aa..b62fc86 100644 ---- i/src/slave/containerizer/mesos/isolators/volume/image.cpp -+++ w/src/slave/containerizer/mesos/isolators/volume/image.cpp -@@ -231,7 +231,7 @@ Future<Option<ContainerLaunchInfo>> VolumeImageIsolatorProcess::_prepare( - - CommandInfo* command = launchInfo.add_pre_exec_commands(); - command->set_shell(false); -- command->set_value("mount"); -+ command->set_value("@mount@"); - command->add_arguments("mount"); - command->add_arguments("-n"); - command->add_arguments("--rbind"); -diff --git i/src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp w/src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp -index b321b86..8ed3e78 100644 ---- i/src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp -+++ w/src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp -@@ -265,7 +265,7 @@ Future<Option<ContainerLaunchInfo>> VolumeSandboxPathIsolatorProcess::prepare( - - CommandInfo* command = launchInfo.add_pre_exec_commands(); - command->set_shell(false); -- command->set_value("mount"); -+ command->set_value("@mount@"); - command->add_arguments("mount"); - command->add_arguments("-n"); - command->add_arguments("--rbind"); -diff --git i/src/slave/containerizer/mesos/provisioner/backends/copy.cpp w/src/slave/containerizer/mesos/provisioner/backends/copy.cpp -index 69faa03..01a3ed6 100644 ---- i/src/slave/containerizer/mesos/provisioner/backends/copy.cpp -+++ w/src/slave/containerizer/mesos/provisioner/backends/copy.cpp -@@ -266,7 +266,7 @@ Future<Nothing> CopyBackendProcess::_provision( - #endif // __APPLE__ || __FreeBSD__ - - Try<Subprocess> s = subprocess( -- "cp", -+ "@cp@", - args, - Subprocess::PATH(os::DEV_NULL), - Subprocess::PATH(os::DEV_NULL), -@@ -313,7 +313,7 @@ Future<bool> CopyBackendProcess::destroy(const string& rootfs) - vector<string> argv{"rm", "-rf", rootfs}; - - Try<Subprocess> s = subprocess( -- "rm", -+ "@rm@", - argv, - Subprocess::PATH(os::DEV_NULL), - Subprocess::FD(STDOUT_FILENO), -diff --git i/src/uri/fetchers/copy.cpp w/src/uri/fetchers/copy.cpp -index 17f69be..831b08a 100644 ---- i/src/uri/fetchers/copy.cpp -+++ w/src/uri/fetchers/copy.cpp -@@ -97,8 +97,8 @@ Future<Nothing> CopyFetcherPlugin::fetch( - VLOG(1) << "Copying '" << uri.path() << "' to '" << directory << "'"; - - #ifndef __WINDOWS__ -- const char* copyCommand = "cp"; -- const vector<string> argv = {"cp", "-a", uri.path(), directory}; -+ const char* copyCommand = "@cp@"; -+ const vector<string> argv = {"@cp@", "-a", uri.path(), directory}; - #else // __WINDOWS__ - const char* copyCommand = os::Shell::name; - const vector<string> argv = -diff --git i/src/uri/fetchers/curl.cpp w/src/uri/fetchers/curl.cpp -index f34daf2..6a50341 100644 ---- i/src/uri/fetchers/curl.cpp -+++ w/src/uri/fetchers/curl.cpp -@@ -109,7 +109,7 @@ Future<Nothing> CurlFetcherPlugin::fetch( - }; - - Try<Subprocess> s = subprocess( -- "curl", -+ "@curl@", - argv, - Subprocess::PATH(os::DEV_NULL), - Subprocess::PIPE(), -diff --git i/src/uri/fetchers/docker.cpp w/src/uri/fetchers/docker.cpp -index 91db13b..82a7fc4 100644 ---- i/src/uri/fetchers/docker.cpp -+++ w/src/uri/fetchers/docker.cpp -@@ -114,7 +114,7 @@ static Future<http::Response> curl( - - // TODO(jieyu): Kill the process if discard is called. - Try<Subprocess> s = subprocess( -- "curl", -+ "@curl@", - argv, - Subprocess::PATH(os::DEV_NULL), - Subprocess::PIPE(), -@@ -229,7 +229,7 @@ static Future<int> download( - - // TODO(jieyu): Kill the process if discard is called. - Try<Subprocess> s = subprocess( -- "curl", -+ "@curl@", - argv, - Subprocess::PATH(os::DEV_NULL), - Subprocess::PIPE(), |