Stephan Erb created MESOS-5187:
----------------------------------
Summary: filesystem/linux isolator does not set the permissions of the host_path
Key: MESOS-5187
URL: https://issues.apache.org/jira/browse/MESOS-5187
Project: Mesos
Issue Type: Bug
Components: isolation
Affects Versions: 0.26.0
Environment: Mesos 0.26.0, Apache Aurora 0.12
Reporter: Stephan Erb
The {{filesystem/linux}} isolator is not a drop-in replacement for the
{{filesystem/shared}} isolator. This should be considered before the latter is
deprecated.
We are currently using the {{filesystem/shared}} isolator together with the
following slave option. This provides us with a private {{/tmp}} and
{{/var/tmp}} folder for each task.
{code}
--default_container_info='{
"type": "MESOS",
"volumes": [
{"host_path": "system/tmp", "container_path": "/tmp",
"mode": "RW"},
{"host_path": "system/vartmp", "container_path": "/var/tmp",
"mode": "RW"}
]
}'
{code}
When browsing the Mesos sandbox, one can see the following permissions:
{code}
mode nlink uid gid size mtime
drwxrwxrwx 3 root root 4 KB Apr 11 18:16 tmp
drwxrwxrwx 2 root root 4 KB Apr 11 18:15 vartmp
{code}
However, when running with the new {{filesystem/linux}} isolator, the
permissions are different:
{code}
mode nlink uid gid size mtime
drwxr-xr-x 2 root root 4 KB Apr 12 10:34 tmp
drwxr-xr-x 2 root root 4 KB Apr 12 10:34 vartmp
{code}
This prevents user code (running as a non-root user) from writing to those
folders, i.e. every write attempt fails with permission denied.
*Context*:
* We are using Apache Aurora. Aurora is running its custom executor as root but
then switches to a non-privileged user before running the actual user code.
* The following code seems to have enabled our use case in the existing
{{filesystem/shared}} isolator:
https://github.com/apache/mesos/blob/4d2b1b793e07a9c90b984ca330a3d7bc9e1404cc/src/slave/containerizer/mesos/isolators/filesystem/shared.cpp#L175-L198
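As an added example that is not part of the issue, of Apache Mesos or of Aurora: a small audit script that takes the {{--default_container_info}} volume list from the report, resolves each relative {{host_path}} inside a sandbox, and decides from the directory's mode bits whether a task that has dropped to a non-root uid/gid could still create files there. It emulates the POSIX DAC check the way the kernel applies it (owner class, else group class, else other; uid 0 bypasses it), and it needs both write and search permission on the directory, which is what a {{permission denied}} on a write attempt in a 0755 root-owned {{tmp}} comes down to. The {{demo()}} function recreates the two layouts from the report in a temporary sandbox; the uid/gid 60001 it checks against is a constructed stand-in for the task user, and the script ignores ACLs, capabilities and read-only mounts.

```python
#!/usr/bin/env python3
"""Audit whether a non-root task user could write to the host_path directories
that a default_container_info volume list maps into the container.

Added example; not code from Mesos or from the Aurora deployment in the issue.
Only mode bits are inspected: ACLs, capabilities and read-only mounts are
out of scope, and uid 0 is assumed to bypass DAC.
"""
import json
import os
import stat
import tempfile

# The --default_container_info value from the report (copied here as a constant).
DEFAULT_CONTAINER_INFO = json.loads("""
{
  "type": "MESOS",
  "volumes": [
    {"host_path": "system/tmp",    "container_path": "/tmp",     "mode": "RW"},
    {"host_path": "system/vartmp", "container_path": "/var/tmp", "mode": "RW"}
  ]
}
""")


def can_create_in_dir(mode, st_uid, st_gid, uid, gid, groups=()):
    """Emulate the POSIX DAC check for creating an entry in a directory.

    Creating a file needs write (w) and search (x) permission on the directory.
    Only the first matching class (owner, then group, then other) is consulted,
    as the kernel does; uid 0 bypasses the check entirely.
    """
    if uid == 0:
        return True
    if st_uid == uid:
        w, x = stat.S_IWUSR, stat.S_IXUSR
    elif st_gid == gid or st_gid in groups:
        w, x = stat.S_IWGRP, stat.S_IXGRP
    else:
        w, x = stat.S_IWOTH, stat.S_IXOTH
    return bool(mode & w) and bool(mode & x)


def volume_host_dirs(sandbox, container_info):
    """Resolve each relative host_path to its directory inside the sandbox.

    Absolute host_paths are returned unchanged; the report only uses relative ones.
    """
    out = []
    for vol in container_info.get("volumes", []):
        hp = vol["host_path"]
        path = hp if os.path.isabs(hp) else os.path.join(sandbox, hp)
        out.append((vol["container_path"], path, vol.get("mode", "RW")))
    return out


def audit_sandbox(sandbox, container_info, uid, gid, groups=()):
    """Return {container_path: True/False/None} for a task running as uid/gid.

    None means the host_path does not exist (the isolator has not created it).
    """
    result = {}
    for container_path, host_dir, _mode in volume_host_dirs(sandbox, container_info):
        try:
            st = os.stat(host_dir)
        except FileNotFoundError:
            result[container_path] = None
            continue
        result[container_path] = can_create_in_dir(
            st.st_mode, st.st_uid, st.st_gid, uid, gid, groups)
    return result


def demo():
    """Recreate the two permission layouts from the report in a temp sandbox.

    The directories are owned by whoever runs this rather than root, so the
    check is done as a constructed uid/gid (60001) that matches neither owner
    nor group; that puts it in the 'other' class exactly like the task user.
    """
    task_uid, task_gid = 60001, 60001  # constructed non-root task user
    with tempfile.TemporaryDirectory() as sandbox:
        for _, host_dir, _ in volume_host_dirs(sandbox, DEFAULT_CONTAINER_INFO):
            os.makedirs(host_dir)
        os.chmod(os.path.join(sandbox, "system/tmp"), 0o777)     # drwxrwxrwx as with filesystem/shared
        os.chmod(os.path.join(sandbox, "system/vartmp"), 0o755)  # drwxr-xr-x as with filesystem/linux
        return audit_sandbox(sandbox, DEFAULT_CONTAINER_INFO, task_uid, task_gid)


if __name__ == "__main__":
    for cpath, ok in demo().items():
        state = "writable" if ok else ("missing" if ok is None else "NOT writable")
        print(f"{cpath}: {state}")
```

Pointing {{audit_sandbox}} at a real sandbox directory on an agent, with the uid/gid the executor switches to, gives a quick check of which isolator layout is in effect before a task fails with {{permission denied}}.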
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)