This is an automated email from the ASF dual-hosted git repository. qianzhang pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/mesos.git
commit 17f28563488ddaeb2daa60b53bd8dc19e25cddef Author: Qian Zhang <zhq527...@gmail.com> AuthorDate: Wed Aug 26 10:33:26 2020 +0800 Enabled CSI volume access for non-root users. Review: https://reviews.apache.org/r/72804 --- .../mesos/isolators/volume/csi/isolator.cpp | 40 ++++++++++++++++++++++ .../mesos/isolators/volume/csi/isolator.hpp | 2 ++ 2 files changed, 42 insertions(+) diff --git a/src/slave/containerizer/mesos/isolators/volume/csi/isolator.cpp b/src/slave/containerizer/mesos/isolators/volume/csi/isolator.cpp index 02ef1f2..d5d8835 100644 --- a/src/slave/containerizer/mesos/isolators/volume/csi/isolator.cpp +++ b/src/slave/containerizer/mesos/isolators/volume/csi/isolator.cpp @@ -356,6 +356,7 @@ Future<Option<ContainerLaunchInfo>> VolumeCSIIsolatorProcess::prepare( Mount mount; mount.csiVolume = csiVolume; + mount.volume = volume; mount.target = target; mount.volumeMode = _volume.mode(); @@ -398,6 +399,9 @@ Future<Option<ContainerLaunchInfo>> VolumeCSIIsolatorProcess::prepare( &VolumeCSIIsolatorProcess::_prepare, containerId, mounts, + containerConfig.has_user() + ? containerConfig.user() + : Option<string>::none(), lambda::_1)); } @@ -405,6 +409,7 @@ Future<Option<ContainerLaunchInfo>> VolumeCSIIsolatorProcess::prepare( Future<Option<ContainerLaunchInfo>> VolumeCSIIsolatorProcess::_prepare( const ContainerID& containerId, const vector<Mount>& mounts, + const Option<string>& user, const vector<Future<string>>& futures) { @@ -432,6 +437,41 @@ Future<Option<ContainerLaunchInfo>> VolumeCSIIsolatorProcess::_prepare( const string& source = sources[i]; const Mount& mount = mounts[i]; + if (user.isSome() && user.get() != "root") { + bool isVolumeInUse = false; + + // Check if the volume is currently used by another container. + foreachpair (const ContainerID& _containerId, + const Owned<Info>& info, + infos) { + // Skip self. + if (_containerId == containerId) { + continue; + } + + if (info->volumes.contains(mount.volume)) { + isVolumeInUse = true; + break; + } + } + + if (!isVolumeInUse) { + LOG(INFO) << "Changing the ownership of the CSI volume at '" << source + << "' to user '" << user.get() << "' for container " + << containerId; + + Try<Nothing> chown = os::chown(user.get(), source, false); + if (chown.isError()) { + return Failure( + "Failed to set '" + user.get() + "' as the owner of the " + "CSI volume at '" + source + "': " + chown.error()); + } + } else { + LOG(INFO) << "Leaving the ownership of the CSI volume at '" + << source << "' unchanged because it is in use"; + } + } + LOG(INFO) << "Mounting CSI volume mount point '" << source << "' to '" << mount.target << "' for container " << containerId; diff --git a/src/slave/containerizer/mesos/isolators/volume/csi/isolator.hpp b/src/slave/containerizer/mesos/isolators/volume/csi/isolator.hpp index 373b629..4349acd 100644 --- a/src/slave/containerizer/mesos/isolators/volume/csi/isolator.hpp +++ b/src/slave/containerizer/mesos/isolators/volume/csi/isolator.hpp @@ -68,6 +68,7 @@ private: struct Mount { Volume::Source::CSIVolume csiVolume; + CSIVolume volume; std::string target; Volume::Mode volumeMode; }; @@ -92,6 +93,7 @@ private: process::Future<Option<mesos::slave::ContainerLaunchInfo>> _prepare( const ContainerID& containerId, const std::vector<Mount>& mounts, + const Option<std::string>& user, const std::vector<process::Future<std::string>>& futures); process::Future<Nothing> _cleanup(