[
https://issues.apache.org/jira/browse/MESOS-5187?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15241478#comment-15241478
]
Jie Yu commented on MESOS-5187:
-------------------------------
[~idownes] I think there are two problems here:
1) if 'host_path' is relative for a volume, we should change the ownership of
that host path in the sandbox to match that of the container sandbox, instead
of using the agent uid/gids. This to me is a bug and we should fix that.
2) The mode issue as you mentioned above. If we fix (1), the executor should be
able to call chmod itself? Will that be sufficient?
> filesystem/linux isolator does not set the permissions of the host_path
> -----------------------------------------------------------------------
>
> Key: MESOS-5187
> URL: https://issues.apache.org/jira/browse/MESOS-5187
> Project: Mesos
> Issue Type: Bug
> Components: isolation
> Affects Versions: 0.26.0
> Environment: Mesos 0.26.0, Apache Aurora 0.12
> Reporter: Stephan Erb
>
> The {{filesystem/linux}} isolator is not a drop in replacement for the
> {{filesystem/shared}} isolator. This should be considered before the latter
> is deprecated.
> We are currently using the {{filesystem/shared}} isolator together with the
> following slave option. This provides us with a private {{/tmp}} and
> {{/var/tmp}} folder for each task.
> {code}
> --default_container_info='{
> "type": "MESOS",
> "volumes": [
> {"host_path": "system/tmp", "container_path": "/tmp",
> "mode": "RW"},
> {"host_path": "system/vartmp", "container_path": "/var/tmp",
> "mode": "RW"}
> ]
> }'
> {code}
> When browsing the Mesos sandbox, one can see the following permissions:
> {code}
> mode nlink uid gid size mtime
> drwxrwxrwx 3 root root 4 KB Apr 11 18:16 tmp
> drwxrwxrwx 2 root root 4 KB Apr 11 18:15 vartmp
> {code}
> However, when running with the new {{filesystem/linux}} isolator, the
> permissions are different:
> {code}
> mode nlink uid gid size mtime
> drwxr-xr-x 2 root root 4 KB Apr 12 10:34 tmp
> drwxr-xr-x 2 root root 4 KB Apr 12 10:34 vartmp
> {code}
> This prevents user code (running as a non-root user) from writing to those
> folders, i.e. every write attempt fails with permission denied.
> *Context*:
> * We are using Apache Aurora. Aurora is running its custom executor as root
> but then switches to a non-privileged user before running the actual user
> code.
> The following code seems to have enabled our use case in the existing
> {{filesystem/shared}} isolator:
> https://github.com/apache/mesos/blob/4d2b1b793e07a9c90b984ca330a3d7bc9e1404cc/src/slave/containerizer/mesos/isolators/filesystem/shared.cpp#L175-L198
>
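To make the permission symptom concrete, here is an added example (not Mesos code, and not from either participant in this thread) that parses the `--default_container_info` value quoted above, resolves the relative `host_path` volumes inside a temporary sandbox, and applies the same ownership/mode check the kernel applies to a non-root task user. It reproduces the `drwxr-xr-x` state left by `filesystem/linux` (writes fail) and the `drwxrwxrwx` state left by `filesystem/shared` (writes succeed). The task uid/gid used is a constructed value that is deliberately not the directory owner; it stands in for the unprivileged user Aurora switches to.

```python
import json
import os
import stat
import tempfile
from typing import Dict, List, Set, Tuple

# Constructed sample: the --default_container_info value from the bug report.
DEFAULT_CONTAINER_INFO = """{
  "type": "MESOS",
  "volumes": [
    {"host_path": "system/tmp", "container_path": "/tmp", "mode": "RW"},
    {"host_path": "system/vartmp", "container_path": "/var/tmp", "mode": "RW"}
  ]
}"""


def relative_rw_volumes(container_info_json: str) -> List[Tuple[str, str]]:
    """Return (host_path, container_path) for RW volumes whose host_path is relative.
    Only these are created inside the sandbox, so they inherit whatever uid/gid
    and mode the creating process used (the agent's, in the reported case)."""
    info = json.loads(container_info_json)
    out = []
    for vol in info.get("volumes", []):
        host_path = vol.get("host_path", "")
        if vol.get("mode") == "RW" and host_path and not host_path.startswith("/"):
            out.append((host_path, vol["container_path"]))
    return out


def writable_by(st: os.stat_result, uid: int, gids: Set[int]) -> bool:
    """Mirror the classic owner/group/other permission check for a task user.
    Root always passes; everyone else needs the matching write bit."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def check_sandbox_volumes(sandbox: str, container_info_json: str,
                          task_uid: int, task_gids: Set[int]) -> Dict[str, bool]:
    """For each relative host_path, report whether the task user could write to it."""
    result = {}
    for host_path, _ in relative_rw_volumes(container_info_json):
        full = os.path.join(sandbox, host_path)
        if not os.path.isdir(full):
            result[host_path] = False  # volume directory missing entirely
            continue
        result[host_path] = writable_by(os.stat(full), task_uid, task_gids)
    return result


def demo() -> Tuple[Dict[str, bool], Dict[str, bool]]:
    """Reproduce both states from the report in a throwaway sandbox.
    Returns (before, after): results with mode 0755 and then with mode 0777."""
    with tempfile.TemporaryDirectory() as sandbox:
        dirs = [os.path.join(sandbox, hp) for hp, _ in relative_rw_volumes(DEFAULT_CONTAINER_INFO)]
        for d in dirs:
            os.makedirs(d)
            os.chmod(d, 0o755)  # drwxr-xr-x, as filesystem/linux left them
        # Constructed task identity: guaranteed not to be the directory owner or group.
        st = os.stat(dirs[0])
        task_uid, task_gids = st.st_uid + 1, {st.st_gid + 1}
        before = check_sandbox_volumes(sandbox, DEFAULT_CONTAINER_INFO, task_uid, task_gids)
        for d in dirs:
            os.chmod(d, 0o777)  # drwxrwxrwx, as filesystem/shared left them
        after = check_sandbox_volumes(sandbox, DEFAULT_CONTAINER_INFO, task_uid, task_gids)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The `before` result is the permission-denied case from the report; `after` is what an executor-side `chmod` (the second remedy discussed in the comment) produces. The first remedy, chowning the directory to the container sandbox's uid/gid, would make `writable_by` succeed through the owner branch instead, with no need to open the directory to everyone.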
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)