[ 
https://issues.apache.org/jira/browse/MESOS-3836?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14996136#comment-14996136
 ] 

Michael Gummelt commented on MESOS-3836:
----------------------------------------

bq. Every marathon app task got every environment variable that mesos-slave had 
unless the marathon app definition explicitly overrode it.

That's because marathon tasks run under the command executor.  As I said this 
is the only scenario where you can say with certainty that tasks inherit env 
vars from the host.

bq. Executors in many ways are like Tasks and should be fully containerized like 
them

I'm not sure what you mean by "fully" containerized, but tasks aren't fully 
isolated.  In fact, you can't really say anything about tasks.  It doesn't 
really even make sense to talk about env vars set on tasks, because tasks 
aren't even processes necessarily.  All of this env var talk only applies to 
executors.  We should be clear with terms.

Definitional nitpicks aside, I do agree that we should head toward total host 
isolation, but let's focus on solving the immediate problem.

> `--executor-environment-variables` may not apply to docker containers
> ---------------------------------------------------------------------
>
>                 Key: MESOS-3836
>                 URL: https://issues.apache.org/jira/browse/MESOS-3836
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization, slave
>    Affects Versions: 0.25.0
>         Environment: Mesos 0.25.0 configured with 
> --executor-environment-variables
>            Reporter: Cody Maloney
>            Assignee: Marco Massenzio
>            Priority: Minor
>              Labels: mesosphere
>
> In our use case we set {{PATH}} as part of the 
> {{\-\-executor_environment_variables}} in order to limit what binaries all 
> tasks which are launched via Mesos have readily available to them, making it 
> much harder for people launching tasks on mesos to accidentally depend on 
> something which isn't part of the "guaranteed" environment / platform.
> Docker containers can be used as executors, and have a fully isolated 
> filesystem. For executors which run in docker containers setting {{PATH}}  to 
> our path on the host filesystem may potentially break the docker container.
> The previous code of only copying across environment variables when 
> {{includeOsEnvironment}} is set dealt with this 
> (https://github.com/apache/mesos/blob/56510afe149758a69a5a714dfaab16111dd0d9c3/src/slave/containerizer/containerizer.cpp#L267)
> if {{includeOsEnvironment}} is set then we should copy across the current 
> {{\-\-executor_environment_variables}}. If it isn't, then 
> {{\-\-executor_environment_variables}} shouldn't be used at all.
> Another option which could be useful is to make it so that there are two sets 
> of "Executor Environment Variables". One for when {{includeOsEnvironment}} is 
> set, and one for when it is not.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
