[
https://issues.apache.org/jira/browse/MESOS-3836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14996121#comment-14996121
]
Cody Maloney commented on MESOS-3836:
-------------------------------------
>From what we've seen in practice, whatever environment variables which were
>set on the executor every task gets. Every marathon app task got every
>environment variable that mesos-slave had unless the marathon app definition
>explicitly overrode it.
Executors in many ways re like Tasks and should be fully containerized like
them, which is a direction Mesos has been moving for a while (right now they
aren't isolated at all, and having custom executors which are custom code
running without isolation is not a great thing).
Arguably the model should be that no containerized task sees anything except
what is explicitly told to see. Things shouldn't leak through from the host
whatsoever. Mesos tells the tasks the couple things that they are allowed to
use. In the case of filesystem isolation (such as docker does) then it doesn't
inform special filesystem things unless it also adds a volume mount for them
(rkt / appc may introduce another root filesystem isolation).
>From a DCOS perspective what we really want is all tasks are fully host
>isolated, so they all run with filesystem isolated / even mesos native
>containerizer tasks run in effectively a chroot with very limited files, very
>limited environment variables set, so we only expose a small interface which
>we have to watch and version.
> `--executor-environment-variables` may not apply to docker containers
> ---------------------------------------------------------------------
>
> Key: MESOS-3836
> URL: https://issues.apache.org/jira/browse/MESOS-3836
> Project: Mesos
> Issue Type: Bug
> Components: containerization, slave
> Affects Versions: 0.25.0
> Environment: Mesos 0.25.0 configured with
> --executor-environment-variables
> Reporter: Cody Maloney
> Assignee: Marco Massenzio
> Priority: Minor
> Labels: mesosphere
>
> In our use case we set {{PATH}} as part of the
> {{\-\-executor_environment_variables}} in order to limit what binaries all
> tasks which are launched via Mesos have readily available to them, making it
> much harder for people launching tasks on mesos to accidentally depend on
> something which isn't part of the "guaranteed" environment / platform.
> Docker containers can be used as executors, and have a fully isolated
> filesystem. For executors which run in docker containers setting {{PATH}} to
> our path on the host filesystem may potentially break the docker container.
> The previous code of only copying across environment variables when
> {{includeOsEnvironment}} is set dealt with this
> (https://github.com/apache/mesos/blob/56510afe149758a69a5a714dfaab16111dd0d9c3/src/slave/containerizer/containerizer.cpp#L267)
> if {{includeOsEnvironment}} is set than we should copy across the current
> {{\-\-executor_environment_variables}}. If it isn't, then
> {{\-\-executor_environment_variables}} shouldn't be used at all.
> Another option which could be useful is to make it so that there are two sets
> of "Executor Environment Variables". One for when {{includeOsEnvironment}} is
> set, and one for when it is not.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
