One pain point that currently exists with Aurora/Mesos/Docker integration is that it requires making a choice between two bad options:

1) require that the aurora role exist in the docker image as a unix user
2) run everything as root by setting "USER root" in the Dockerfile and pass --nosetuid to the executor.

I'd like to propose that mesos be modified to generate an /etc/passwd file that includes a single entry: the CommandInfo.user with a stable uid. This file will always overwrite whatever /etc/passwd is provided by the container image.

The problem here is that Aurora doesn't set CommandInfo.user and it defaults to root. The aurora executor does chown of the sandbox dir and then does a setuid to the user specified in the job key. This would always fail with "user does not exist" [1] because the executor would only find root in /etc/passwd.

Why doesn't aurora set CommandInfo.user to the aurora role? If it did, we would be able to solve this problem by having mesos generate a sensible /etc/passwd for containers.

Thanks!
Jay

[1] https://github.com/apache/incubator-aurora/blob/master/src/main/python/apache/aurora/executor/common/sandbox.py#L108
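The failure mode and the proposed fix, as an added example that is not part of the original post and not Aurora or Mesos code. It builds the single-entry /etc/passwd the proposal describes and runs the same name lookup the executor performs before chown/setuid over it. The uid allocation (a hash of the user name into a fixed range), the field values, and the function names are assumptions made for the example; the post does not specify how the stable uid is chosen.

```python
"""Added example, not Aurora/Mesos code: generate the proposed one-entry
/etc/passwd and show why the executor's user lookup fails without it."""
import hashlib
from typing import Dict, Optional

# Constructed sample: a container image whose /etc/passwd only knows root,
# which is what the executor sees when CommandInfo.user defaults to root.
IMAGE_PASSWD = "root:x:0:0:root:/root:/bin/bash\n"

# Assumption for this example: a "stable uid" is derived from the user name so
# every container for the same role gets the same uid. The post does not
# specify the allocation scheme; any deterministic mapping would do.
UID_BASE = 10000
UID_RANGE = 50000


def stable_uid(user: str) -> int:
    """Deterministic uid in [UID_BASE, UID_BASE + UID_RANGE) for a user name."""
    digest = hashlib.sha256(user.encode("utf-8")).digest()
    return UID_BASE + int.from_bytes(digest[:4], "big") % UID_RANGE


def generate_passwd(user: str, uid: Optional[int] = None) -> str:
    """The file the proposal would have Mesos write over the image's /etc/passwd:
    exactly one entry, for CommandInfo.user, in the standard seven-field layout
    name:password:uid:gid:gecos:home:shell (home and shell are assumptions)."""
    if uid is None:
        uid = stable_uid(user)
    if ":" in user or "\n" in user:
        raise ValueError("user name must not contain ':' or newline")
    return f"{user}:x:{uid}:{uid}:{user}:/home/{user}:/bin/sh\n"


def parse_passwd(text: str) -> Dict[str, dict]:
    """Minimal /etc/passwd parser: name -> {uid, gid, home, shell}."""
    users: Dict[str, dict] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def lookup_user(passwd_text: str, user: str) -> dict:
    """Stand-in for the getpwnam() the executor does before chown/setuid on the
    sandbox. Raises KeyError, mirroring the "user does not exist" failure."""
    users = parse_passwd(passwd_text)
    if user not in users:
        raise KeyError(f"user does not exist: {user}")
    return users[user]


def executor_can_setuid(passwd_text: str, job_role: str) -> bool:
    """True if the executor would find the job's role in this /etc/passwd."""
    try:
        lookup_user(passwd_text, job_role)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    role = "www-data"
    # 1. Image as shipped: only root exists, so setuid to the role fails.
    print("image passwd, role found:", executor_can_setuid(IMAGE_PASSWD, role))
    # 2. Proposal with CommandInfo.user left at its default of root: still fails.
    print("generated for root:", executor_can_setuid(generate_passwd("root", 0), role))
    # 3. Proposal with Aurora setting CommandInfo.user to the role: succeeds.
    print("generated for role:", executor_can_setuid(generate_passwd(role), role))
    print(generate_passwd(role).strip())
```

The three cases at the bottom are the argument of the post in code: a generated passwd only helps if the entry it contains is the role the executor will setuid to, which is why CommandInfo.user has to be set to the aurora role rather than left at root.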