Repository: mesos
Updated Branches:
  refs/heads/master cfeabec58 -> 6a47d0da2


Fixed the sandbox owner for command tasks.

If the task has a rootfs, the command executor will be run under root
because it needs to perform pivot_root. Prior to this patch, if the
task wants to run under an unprivileged user, the sandbox of that task
will not be writable because it's owned by root.

This patch fixed the issue (MESOS-6391). The command executor now
changes the owner (non-recursively) of the sandbox to match that of
the task when rootfs is specified for the task.

Review: https://reviews.apache.org/r/52854


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/6a47d0da
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/6a47d0da
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/6a47d0da

Branch: refs/heads/master
Commit: 6a47d0da23a45521e9fea5ff8f9d31d041a28bcb
Parents: cfeabec
Author: Jie Yu <yujie....@gmail.com>
Authored: Thu Oct 13 20:28:08 2016 -0700
Committer: Jie Yu <yujie....@gmail.com>
Committed: Fri Oct 14 17:10:43 2016 -0700

----------------------------------------------------------------------
 src/launcher/posix/executor.cpp | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/6a47d0da/src/launcher/posix/executor.cpp
----------------------------------------------------------------------
diff --git a/src/launcher/posix/executor.cpp b/src/launcher/posix/executor.cpp
index fdee17c..da0081c 100644
--- a/src/launcher/posix/executor.cpp
+++ b/src/launcher/posix/executor.cpp
@@ -22,8 +22,6 @@
 #include <stout/protobuf.hpp>
 #include <stout/strings.hpp>
 
-#include <stout/os/raw/argv.hpp>
-
 #include "launcher/posix/executor.hpp"
 
 #ifdef __linux__
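Review bot: The removal of `#include <stout/os/raw/argv.hpp>` at the top of executor.cpp is not covered by the commit message, which describes only the sandbox ownership fix. If the header is simply unused, say so in the message or move the removal to its own cleanup commit, so that the ownership change stays easy to audit and revert on its own.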
@@ -93,6 +91,21 @@ pid_t launchTaskPosix(
     launchFlags.working_directory = workingDirectory.isSome()
       ? workingDirectory
       : sandboxDirectory;
+
+    // TODO(jieyu): If the task has a rootfs, the executor itself will
+    // be running as root. Its sandbox is owned by root as well. In
+    // order for the task to be able to access to its sandbox, we need
+    // to make sure the owner of the sandbox is 'user'. However, this
+    // is still a workaround. The owner of the files downloaded by the
+    // fetcher is still not correct (i.e., root).
+    if (user.isSome()) {
+      // NOTE: We only chown the sandbox directory (non-recursively).
+      Try<Nothing> chown = os::chown(user.get(), os::getcwd(), false);
+      if (chown.isError()) {
+        ABORT("Failed to chown sandbox to user " +
+              user.get() + ": " + chown.error());
+      }
+    }
   }
 
   launchFlags.rootfs = rootfs;
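Review bot: In the new `if (user.isSome())` block, `os::chown(user.get(), os::getcwd(), false)` changes the owner of whatever the current working directory happens to be, while the comment and the ABORT message both call it the sandbox. Nothing in this hunk establishes that the cwd is the sandbox at this point, and the call runs as root, so either state that assumption in the NOTE comment or pass the sandbox path explicitly. Separately, the TODO mostly documents the workaround; keep only the open item (files downloaded by the fetcher are still owned by root) under TODO, and change "access to its sandbox" to "access its sandbox".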
