This is an automated email from the ASF dual-hosted git repository. qianzhang pushed a commit to branch 1.6.x in repository https://gitbox.apache.org/repos/asf/mesos.git
commit 4aad719121c6f0910d8b6a2059d9c17048957ea2 Author: Qian Zhang <zhq527...@gmail.com> AuthorDate: Fri Oct 26 09:23:27 2018 +0800 Made nested container runs as its parent container's user by default. Review: https://reviews.apache.org/r/69234
---
 src/slave/containerizer/mesos/containerizer.cpp | 10 ++++++++++
 src/slave/http.cpp | 16 ++--------------
 2 files changed, 12 insertions(+), 14 deletions(-)
diff --git a/src/slave/containerizer/mesos/containerizer.cpp b/src/slave/containerizer/mesos/containerizer.cpp
index 2b28e41..1fba8b7 100644
--- a/src/slave/containerizer/mesos/containerizer.cpp
+++ b/src/slave/containerizer/mesos/containerizer.cpp
@@ -1823,6 +1823,16 @@ Future<Containerizer::LaunchResult> MesosContainerizerProcess::_launch(
 }
 // Determine the user to launch the container as.
+ // Inherit user from the parent container for nested containers, and it can be
+ // overridden by the user in nested container's `commandInfo`, if specified.
+ if (containerId.has_parent()) {
+ if (containers_[containerId.parent()]->config.isSome() &&
+ containers_[containerId.parent()]->config->has_user()) {
+ launchInfo.set_user(
+ containers_[containerId.parent()]->config->user());
+ }
+ }
+
 if (container->config->has_user()) {
 launchInfo.set_user(container->config->user());
 }
diff --git a/src/slave/http.cpp b/src/slave/http.cpp
index 386e9aa..691de82 100644
--- a/src/slave/http.cpp
+++ b/src/slave/http.cpp
@@ -2485,8 +2485,6 @@ Future<Response> Http::_launchContainer(
 ContentType acceptType,
 const Owned<ObjectApprovers>& approvers) const
 {
- Option<string> user;
-
 // Attempt to get the executor associated with this ContainerID.
 // We only expect to get the executor when launching a nested container
 // under a container launched via a scheduler. In other cases, we are
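Review bot: The added block in `MesosContainerizerProcess::_launch` indexes `containers_[containerId.parent()]` three times without first checking that the parent is still in the map; if `containers_` behaves like a `std::unordered_map`, `operator[]` on a missing key inserts an empty entry and the following `->config` dereferences it. Whether an earlier check guarantees the parent's presence cannot be seen from this hunk, because the function starts and ends outside it. Looking the parent up once behind a `contains()` guard removes both the risk and the repetition. Separately, when the parent has no `config` or no user and the nested `commandInfo` carries none, no user is set at all, so the nested container presumably runs as whatever the launcher defaults to; a log line on that path would make the fallback visible to operators.

```cpp
  // … unchanged: the two-line comment on inheriting the parent's user …
  if (containerId.has_parent() &&
      containers_.contains(containerId.parent())) {
    const auto& parent = containers_.at(containerId.parent());

    if (parent->config.isSome() && parent->config->has_user()) {
      launchInfo.set_user(parent->config->user());
    }
  }
  // … unchanged: override from container->config->user() …
```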
@@ -2504,24 +2502,14 @@ Future<Response> Http::_launchContainer(
 executor->info, framework->info, commandInfo, containerId)) {
 return Forbidden();
 }
-
- // By default, we use the executor's user.
- // The CommandInfo can override it, if specified.
- user = executor->user;
 }
 ContainerConfig containerConfig;
 containerConfig.mutable_command_info()->CopyFrom(commandInfo);
 #ifndef __WINDOWS__
- if (slave->flags.switch_user) {
- if (commandInfo.has_user()) {
- user = commandInfo.user();
- }
-
- if (user.isSome()) {
- containerConfig.set_user(user.get());
- }
+ if (slave->flags.switch_user && commandInfo.has_user()) {
+ containerConfig.set_user(commandInfo.user());
 }
 #endif // __WINDOWS__
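Review bot: With the executor-user default removed from `Http::_launchContainer`, nothing in this function says where the user comes from when `commandInfo` has none. A short comment above the `#ifndef __WINDOWS__` block, e.g. `// If no user is set here, the containerizer falls back to the parent container's user.`, would keep the two files in step. The authorization check whose arguments open the hunk (`executor->info, framework->info, commandInfo, containerId`) still sees only `commandInfo`, while the effective user may now be the one inherited from the parent container, so it is worth confirming that the authorization decision covers that case. The function body starts and ends outside the hunk.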