Repository: mesos
Updated Branches:
  refs/heads/1.0.x eba605e64 -> 914bb5f2f


Fixed the sandbox owner for command tasks.

If the task has a rootfs, the command executor will be run under root
because it needs to perform pivot_root. Prior to this patch, if the
task wants to run under an unprivileged user, the sandbox of that task
will not be writable because it's owned by root.

This patch fixed the issue (MESOS-6391). The command executor now
changes the owner (non-recursively) of the sandbox to match that of
the task when rootfs is specified for the task.

Review: https://reviews.apache.org/r/52854

*** Modified for 1.0.x ***


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/abdb3e02
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/abdb3e02
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/abdb3e02

Branch: refs/heads/1.0.x
Commit: abdb3e024a9fa8648962f89d27c81e517fa337b8
Parents: eba605e
Author: Jie Yu <yujie....@gmail.com>
Authored: Thu Oct 13 20:28:08 2016 -0700
Committer: Jie Yu <yujie....@gmail.com>
Committed: Fri Oct 14 17:20:34 2016 -0700

----------------------------------------------------------------------
 src/launcher/posix/executor.cpp | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/abdb3e02/src/launcher/posix/executor.cpp
----------------------------------------------------------------------
diff --git a/src/launcher/posix/executor.cpp b/src/launcher/posix/executor.cpp
index 6814b9f..1c423f0 100644
--- a/src/launcher/posix/executor.cpp
+++ b/src/launcher/posix/executor.cpp
@@ -22,8 +22,6 @@
 #include <stout/protobuf.hpp>
 #include <stout/strings.hpp>
 
-#include <stout/os/raw/argv.hpp>
-
 #include "internal/devolve.hpp"
 
 #include "launcher/posix/executor.hpp"
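Review bot: the removal of `#include <stout/os/raw/argv.hpp>` here is not mentioned in the commit message, and the diffstat shows no include being added for the `os::chown` and `os::getcwd` calls introduced in the next hunk. Please mention the include cleanup in the message or split it out. Please also include the stout headers that declare those two functions directly, so the file does not depend on a transitive include.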
@@ -92,6 +90,21 @@ pid_t launchTaskPosix(
     launchFlags.working_directory = workingDirectory.isSome()
       ? workingDirectory
       : sandboxDirectory;
+
+    // TODO(jieyu): If the task has a rootfs, the executor itself will
+    // be running as root. Its sandbox is owned by root as well. In
+    // order for the task to be able to access to its sandbox, we need
+    // to make sure the owner of the sandbox is 'user'. However, this
+    // is still a workaround. The owner of the files downloaded by the
+    // fetcher is still not correct (i.e., root).
+    if (user.isSome()) {
+      // NOTE: We only chown the sandbox directory (non-recursively).
+      Try<Nothing> chown = os::chown(user.get(), os::getcwd(), false);
+      if (chown.isError()) {
+        ABORT("Failed to chown sandbox to user " +
+              user.get() + ": " + chown.error());
+      }
+    }
   }
 
   launchFlags.rootfs = rootfs;
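Review bot: `os::chown(user.get(), os::getcwd(), false)` takes its target from the process's current working directory rather than from the sandbox path, so an executor running as root hands ownership of whatever directory it is in at that moment to the task user. `sandboxDirectory` is already in scope in the context lines just above. I would pass it explicitly, or at least check that `os::getcwd()` matches it before the chown. The TODO also states that fetcher-downloaded files remain owned by root, so the task still cannot modify them. That limitation is worth carrying into the commit message, since the message currently reads as a complete fix.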
