[ https://issues.apache.org/jira/browse/MESOS-5187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15237725#comment-15237725 ]
Ian Downes commented on MESOS-5187:
-----------------------------------

The highlighted code was intended for this quite specific use-case: masking a system directory and inheriting its mode. I agree that the filesystem/linux isolator should support this use-case but suggest that it be made explicit, perhaps by extending the Volume message to include setting the directory mode (different to the existing Volume::Mode) when creating container relative paths. [~jieyu] thoughts?

> filesystem/linux isolator does not set the permissions of the host_path
> -----------------------------------------------------------------------
>
>                 Key: MESOS-5187
>                 URL: https://issues.apache.org/jira/browse/MESOS-5187
>             Project: Mesos
>          Issue Type: Bug
>          Components: isolation
>    Affects Versions: 0.26.0
>         Environment: Mesos 0.26.0, Apache Aurora 0.12
>            Reporter: Stephan Erb
>
> The {{filesystem/linux}} isolator is not a drop-in replacement for the
> {{filesystem/shared}} isolator. This should be considered before the latter
> is deprecated.
> We are currently using the {{filesystem/shared}} isolator together with the
> following slave option. This provides us with a private {{/tmp}} and
> {{/var/tmp}} folder for each task.
> {code}
> --default_container_info='{
>   "type": "MESOS",
>   "volumes": [
>     {"host_path": "system/tmp", "container_path": "/tmp", "mode": "RW"},
>     {"host_path": "system/vartmp", "container_path": "/var/tmp", "mode": "RW"}
>   ]
> }'
> {code}
> When browsing the Mesos sandbox, one can see the following permissions:
> {code}
> mode        nlink  uid   gid   size   mtime
> drwxrwxrwx  3      root  root  4 KB   Apr 11 18:16  tmp
> drwxrwxrwx  2      root  root  4 KB   Apr 11 18:15  vartmp
> {code}
> However, when running with the new {{filesystem/linux}} isolator, the
> permissions are different:
> {code}
> mode        nlink  uid   gid   size   mtime
> drwxr-xr-x  2      root  root  4 KB   Apr 12 10:34  tmp
> drwxr-xr-x  2      root  root  4 KB   Apr 12 10:34  vartmp
> {code}
> This prevents user code (running as a non-root user) from writing to those
> folders, i.e. every write attempt fails with permission denied.
> *Context*:
> * We are using Apache Aurora. Aurora is running its custom executor as root
> but then switches to a non-privileged user before running the actual user
> code.
> * The following code seems to have enabled our use-case in the existing
> {{filesystem/shared}} isolator:
> https://github.com/apache/mesos/blob/4d2b1b793e07a9c90b984ca330a3d7bc9e1404cc/src/slave/containerizer/mesos/isolators/filesystem/shared.cpp#L175-L198



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
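Added example (not code from Mesos, Aurora, or either participant in the thread) illustrating the difference the reporter observed: a sandbox-relative host_path that copies the mode of the system directory it masks (1777 for /tmp) versus one left at whatever mkdir yields after umask (0755, the drwxr-xr-x seen under filesystem/linux). The volume list is the reporter's, typed in as plain dicts; the `root` parameter, the helper names, the fake system root and the fixed 022 umask are assumptions introduced here so the example runs offline without touching the real /tmp. It approximates the mode-inheriting behaviour described for the shared isolator and makes no claim about the exact logic in shared.cpp.

```python
import os
import stat
import tempfile

# Constructed sample input: the two volumes from the reporter's
# --default_container_info (host_path is relative to the sandbox).
VOLUMES = [
    {"host_path": "system/tmp", "container_path": "/tmp", "mode": "RW"},
    {"host_path": "system/vartmp", "container_path": "/var/tmp", "mode": "RW"},
]


def dir_mode(path):
    """Permission bits of a directory, including setuid/setgid/sticky."""
    return stat.S_IMODE(os.stat(path).st_mode)


def world_writable(mode):
    """True if 'other' has write permission (the bit a non-root task needs)."""
    return bool(mode & stat.S_IWOTH)


def create_host_path(sandbox, volume, root="/", inherit_mode=True):
    """Create the sandbox-relative host_path for one volume.

    With inherit_mode, if container_path names an existing directory under
    'root', the new directory copies that directory's mode (e.g. 1777 for
    /tmp), so a task running as a non-root user can write to its private
    copy just as it could to the real directory. Without it, the directory
    keeps what mkdir gives it after umask (0755 under umask 022), which is
    the filesystem/linux result the reporter saw.

    'root' is an assumption added for this example so it can run against a
    fake system root instead of the real '/'.
    """
    host_dir = os.path.join(sandbox, volume["host_path"])
    masked = os.path.join(root, volume["container_path"].lstrip("/"))
    os.makedirs(host_dir, exist_ok=True)  # mode here is still subject to umask
    if inherit_mode and os.path.isdir(masked):
        # chmod ignores umask and carries the sticky bit across.
        os.chmod(host_dir, dir_mode(masked))
    return host_dir


def demo():
    """Build a fake root with 1777 tmp and var/tmp, create the volumes both
    ways under a fixed 022 umask, and return the resulting modes."""
    results = {"inherited": {}, "default": {}}
    old_umask = os.umask(0o022)  # pin umask so the 'default' case is reproducible
    try:
        with tempfile.TemporaryDirectory() as work:
            root = os.path.join(work, "root")
            for d in ("tmp", "var/tmp"):
                path = os.path.join(root, d)
                os.makedirs(path)
                os.chmod(path, 0o1777)  # as on a stock Linux host
            for label, inherit in (("inherited", True), ("default", False)):
                sandbox = os.path.join(work, "sandbox-" + label)
                for vol in VOLUMES:
                    created = create_host_path(sandbox, vol, root=root,
                                               inherit_mode=inherit)
                    results[label][vol["host_path"]] = dir_mode(created)
    finally:
        os.umask(old_umask)
    return results


if __name__ == "__main__":
    for label, modes in demo().items():
        for host_path, mode in modes.items():
            print("%-9s %-14s %04o world-writable=%s"
                  % (label, host_path, mode, world_writable(mode)))
```

Running it prints 1777 for both "inherited" directories and 0755 for both "default" ones; only the former are writable by a user other than the owner, which is the whole difference between the two isolators as reported above.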