Hi all, Currently when launching a debug container (e.g., via `dcos task exec` or command health check) to debug a task, by default Mesos agent will use the executor's user as the debug container's user. There are actually 2 cases: 1. Command task: Since the command executor's user is same with command task's user, so the debug container will be launched as the same user of the command task. 2. The task in a task group: The default executor's user is same with the framework user, so in this case the debug container will be launched as the same user of the framework rather than the task.
Basically I think the behavior of case 1 is correct. For case 2, we may run into a situation that the task is run as a user (e.g., root), but the debug container used to debug that task is run as another user (e.g., a normal user, suppose framework is run as a normal user), this may not be what user expects. So I created MESOS-9332 <https://issues.apache.org/jira/browse/MESOS-9332> and propose to run debug container as the same user of its parent container (i.e., the task to be debugged) by default. Please let me know if you have any comments, thanks! Regards, Qian Zhang