Mesos源码分析(3): Mesos Master的启动之二

2. process::firewall::install(move(rules));如果有参数--firewall_rules则会添加规则

 

对应的代码如下：

// Initialize firewall rules. if (flags.firewall_rules.isSome()) {   vector<Owned<FirewallRule>> rules;     const Firewall firewall = flags.firewall_rules.get();     if (firewall.has_disabled_endpoints()) {     hashset<string> paths;       foreach (const string& path, firewall.disabled_endpoints().paths()) {       paths.insert(path);     }       rules.emplace_back(new DisabledEndpointsFirewallRule(paths));   }     process::firewall::install(move(rules)); }

 

对应的命令行参数如下：



 

 

这个参数的主要作用为，并不是Mesos的每一个API都想暴露出来，disabled_endpoints里面就是不能访问的API。

 

上面的install的代码会做下面的事情



 



 

最终会放到环境变量firewallRules里面。

 

那这些firewall是什么事情起作用的呢？

 

在3rdparty/libprocess/src/process.cpp里面有函数



 

synchronized (firewall_mutex) {   // Don't use a const reference, since it cannot be guaranteed   // that the rules don't keep an internal state.   foreach (Owned<firewall::FirewallRule>& rule, firewallRules) {     Option<Response> rejection = rule->apply(socket, *request);     if (rejection.isSome()) {       VLOG(1) << "Returning '"<< rejection.get().status << "' for '"               << request->url.path << "' (firewall rule forbids request)";         // TODO(arojas): Get rid of the duplicated code to return an       // error.         // Get the HttpProxy pid for this socket.       PID<HttpProxy> proxy = socket_manager->proxy(socket);         // Enqueue the response with the HttpProxy so that it respects       // the order of requests to account for HTTP/1.1 pipelining.       dispatch(           proxy,           &HttpProxy::enqueue,           rejection.get(),           *request);         // Cleanup request.       delete request;       return;     }   } }