This is an automated email from the ASF dual-hosted git repository. gilbert pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mesos.git
commit 16a22b70bbbc3d93087495f48d31e13626046cb8 Author: Qian Zhang <[email protected]> AuthorDate: Wed Feb 27 22:22:01 2019 -0800 Added an agent flag `--volume_gid_range`. When this flag is specified, if a task running as non-root user uses a shared persistent volume or a PARENT type SANDBOX_PATH volume, the volume will be owned by a gid allocated from this range and have the `setgit` bit set, and the task process will be launched with the gid as its supplementary group to make sure it can access the volume. Review: https://reviews.apache.org/r/69342/
---
 docs/configuration/agent.md | 13 +++++++++++++
 src/slave/flags.cpp | 9 +++++++++
 src/slave/flags.hpp | 1 +
 3 files changed, 23 insertions(+)
diff --git a/docs/configuration/agent.md b/docs/configuration/agent.md
index fa2f55f..e744c3c 100644
--- a/docs/configuration/agent.md
+++ b/docs/configuration/agent.md
@@ -1518,6 +1518,19 @@ The path to the systemd system run time directory.
 (default: /run/systemd/system)
 </td>
 </tr>
+<tr>
+ <td>
+ --volume_gid_range=VALUE
+ </td>
+ <td>
+When this flag is specified, if a task running as non-root user uses a
+shared persistent volume or a PARENT type SANDBOX_PATH volume, the
+volume will be owned by a gid allocated from this range and have the
+`setgid` bit set, and the task process will be launched with the gid
+as its supplementary group to make sure it can access the volume.
+(Example: <code>[10000-20000]</code>)
+ </td>
+</tr>
 </table>
 
 ## Network Isolator Flags
diff --git a/src/slave/flags.cpp b/src/slave/flags.cpp
index 2a1f3f9..5fe5e05 100644
--- a/src/slave/flags.cpp
+++ b/src/slave/flags.cpp
@@ -330,6 +330,15 @@ mesos::internal::slave::Flags::Flags()
 "NOTE: This feature is not yet supported on Windows agent, and\n"
 "therefore the flag currently does not exist on that platform.",
 true);
+
+ add(&Flags::volume_gid_range,
+ "volume_gid_range",
+ "When this flag is specified, if a task running as non-root user uses a\n"
+ "shared persistent volume or a PARENT type SANDBOX_PATH volume, the\n"
+ "volume will be owned by a gid allocated from this range and have the\n"
+ "`setgid` bit set, and the task process will be launched with the gid\n"
+ "as its supplementary group to make sure it can access the volume.\n"
+ "(Example: `[10000-20000]`)");
 #endif // __WINDOWS__
 
 add(&Flags::http_heartbeat_interval,
diff --git a/src/slave/flags.hpp b/src/slave/flags.hpp
index c64edd0..09921cb 100644
--- a/src/slave/flags.hpp
+++ b/src/slave/flags.hpp
@@ -74,6 +74,7 @@ public:
 
 #ifndef __WINDOWS__
 bool switch_user;
+ Option<std::string> volume_gid_range;
 #endif // __WINDOWS__
 Duration http_heartbeat_interval;
 std::string frameworks_home; // TODO(benh): Make an Option.
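Review bot: The help text added for `volume_gid_range` in the `src/slave/flags.cpp` hunk never tells the operator that the range must be reserved for the agent, and the flag is registered with only a member, a name and a help string, so no validation is visible here. The member in `src/slave/flags.hpp` is a plain `Option<std::string>`, which means a malformed range, or one that contains gid 0 or a gid already assigned to a real group on the host, would presumably only surface where the string is later parsed. A task given such a gid as a supplementary group would inherit that group's access to unrelated files, and existing members of the group could reach the setgid volume. I would add a line such as `"NOTE: The gids in this range must not be used by any other group on the agent host.\n"` before the example, and reject an unparsable range or one containing 0 when the flags are loaded. The enclosing `Flags::Flags()` constructor starts and ends outside the hunk, so the parsing code is not visible from here.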
