This is an automated email from the ASF dual-hosted git repository. gilbert pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mesos.git
commit a44eaca379da7779955a3e94b92e1199e9b203b8
Author: Gilbert Song <[email protected]>
AuthorDate: Mon May 20 14:46:16 2019 -0700
Revert "Added a test to verify non-root nested container can access its sandbox."
This reverts commit 510aa02f9a53b1209e9deeaf65f25db2c0ccd96b.
---
 .../nested_mesos_containerizer_tests.cpp | 82 ----------------------
 1 file changed, 82 deletions(-)
diff --git a/src/tests/containerizer/nested_mesos_containerizer_tests.cpp b/src/tests/containerizer/nested_mesos_containerizer_tests.cpp
index 42cfe3a..bbf83fa 100644
--- a/src/tests/containerizer/nested_mesos_containerizer_tests.cpp
+++ b/src/tests/containerizer/nested_mesos_containerizer_tests.cpp
@@ -243,88 +243,6 @@ TEST_F(NestedMesosContainerizerTest, ROOT_CGROUPS_LaunchNested)
 }
 
 
-// This is a regression test for MESOS-9536. It verifies that a nested
-// container launched with a non-root user has the permission to write
-// to its own sandbox via the `MESOS_SANDBOX` environment variable while
-// its parent container is launched with a different user (root).
-TEST_F(NestedMesosContainerizerTest,
- ROOT_CGROUPS_UNPRIVILEGED_USER_NestedContainerAccessMesosSandbox)
-{
- slave::Flags flags = CreateSlaveFlags();
- flags.launcher = "linux";
- flags.isolation = "cgroups/cpu,filesystem/linux,namespaces/pid";
-
- Fetcher fetcher(flags);
-
- Try<MesosContainerizer*> create = MesosContainerizer::create(
- flags,
- false,
- &fetcher);
-
- ASSERT_SOME(create);
-
- Owned<MesosContainerizer> containerizer(create.get());
-
- SlaveState state;
- state.id = SlaveID();
-
- AWAIT_READY(containerizer->recover(state));
-
- ContainerID containerId;
- containerId.set_value(id::UUID::random().toString());
-
- Try<string> directory = environment->mkdtemp();
- ASSERT_SOME(directory);
-
- Future<Containerizer::LaunchResult> launch = containerizer->launch(
- containerId,
- createContainerConfig(
- None(),
- createExecutorInfo("executor", "sleep 1000", "cpus:1"),
- directory.get()),
- map<string, string>(),
- None());
-
- AWAIT_ASSERT_EQ(Containerizer::LaunchResult::SUCCESS, launch);
-
- // Launch the nested container with a non-root user.
- ContainerID nestedContainerId;
- nestedContainerId.mutable_parent()->CopyFrom(containerId);
- nestedContainerId.set_value(id::UUID::random().toString());
-
- Option<string> user = os::getenv("SUDO_USER");
- ASSERT_SOME(user);
-
- launch = containerizer->launch(
- nestedContainerId,
- createContainerConfig(
- createCommandInfo("echo 'hello' > $MESOS_SANDBOX/file"),
- None(),
- None(),
- user.get()),
- map<string, string>(),
- None());
-
- AWAIT_ASSERT_EQ(Containerizer::LaunchResult::SUCCESS, launch);
-
- Future<Option<ContainerTermination>> wait = containerizer->wait(
- nestedContainerId);
-
- AWAIT_READY(wait);
- ASSERT_SOME(wait.get());
- ASSERT_TRUE(wait.get()->has_status());
- EXPECT_WEXITSTATUS_EQ(0, wait.get()->status());
-
- Future<Option<ContainerTermination>> termination =
- containerizer->destroy(containerId);
-
- AWAIT_READY(termination);
- ASSERT_SOME(termination.get());
- ASSERT_TRUE(termination.get()->has_status());
- EXPECT_WTERMSIG_EQ(SIGKILL, termination.get()->status());
-}
-
-
 // This test verifies that a debug container inherits the
 // environment of its parent even after agent failover.
 TEST_F(NestedMesosContainerizerTest,
