[
https://issues.apache.org/jira/browse/MESOS-5187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15237725#comment-15237725
]
Ian Downes commented on MESOS-5187:
-----------------------------------
The highlighted code was intended for this quite specific use-case: masking a
system directory and inheriting its mode. I agree that the filesystem/linux
isolator should support this use-case but suggest that it be made explicit,
perhaps by extending the Volume message to include setting the directory mode
(different to the existing Volume::Mode) when creating container relative
paths. [~jieyu] thoughts?
> filesystem/linux isolator does not set the permissions of the host_path
> -----------------------------------------------------------------------
>
> Key: MESOS-5187
> URL: https://issues.apache.org/jira/browse/MESOS-5187
> Project: Mesos
> Issue Type: Bug
> Components: isolation
> Affects Versions: 0.26.0
> Environment: Mesos 0.26.0, Apache Aurora 0.12
> Reporter: Stephan Erb
>
> The {{filesystem/linux}} isolator is not a drop in replacement for the
> {{filesystem/shared}} isolator. This should be considered before the latter
> is deprecated.
> We are currently using the {{filesystem/shared}} isolator together with the
> following slave option. This provides us with a private {{/tmp}} and
> {{/var/tmp}} folder for each task.
> {code}
> --default_container_info='{
> "type": "MESOS",
> "volumes": [
> {"host_path": "system/tmp", "container_path": "/tmp",
> "mode": "RW"},
> {"host_path": "system/vartmp", "container_path": "/var/tmp",
> "mode": "RW"}
> ]
> }'
> {code}
> When browsing the Mesos sandbox, one can see the following permissions:
> {code}
> mode nlink uid gid size mtime
> drwxrwxrwx 3 root root 4 KB Apr 11 18:16 tmp
> drwxrwxrwx 2 root root 4 KB Apr 11 18:15 vartmp
> {code}
> However, when running with the new {{filesystem/linux}} isolator, the
> permissions are different:
> {code}
> mode nlink uid gid size mtime
> drwxr-xr-x 2 root root 4 KB Apr 12 10:34 tmp
> drwxr-xr-x 2 root root 4 KB Apr 12 10:34 vartmp
> {code}
> This prevents user code (running as a non-root user) from writing to those
> folders, i.e. every write attempt fails with permission denied.
> *Context*:
> * We are using Apache Aurora. Aurora is running its custom executor as root
> but then switches to a non-privileged user before running the actual user
> code.
> * The follow code seems to have enabled our usecase in the existing
> {{filesystem/shared}} isolator:
> https://github.com/apache/mesos/blob/4d2b1b793e07a9c90b984ca330a3d7bc9e1404cc/src/slave/containerizer/mesos/isolators/filesystem/shared.cpp#L175-L198
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
