Qian Zhang created MESOS-9332:
---------------------------------
Summary: Debug container should run as the same user of its parent container by default
Key: MESOS-9332
URL: https://issues.apache.org/jira/browse/MESOS-9332
Project: Mesos
Issue Type: Bug
Components: containerization
Reporter: Qian Zhang

Currently, when launching a debug container, by default the Mesos agent will use the
executor's user as the debug container's user if the `user` field is not
specified in the debug container's `commandInfo` (see [this
code|https://github.com/apache/mesos/blob/1.7.0/src/slave/http.cpp#L2559] for
details). This is OK for the command task since the command executor's user is
the same as the command task's user (see [this
code|https://github.com/apache/mesos/blob/1.7.0/src/slave/slave.cpp#L6068:L6070]
for details), so the debug container will be launched as the same user as the
task. But for a task in a task group, the default executor's user is the same
as the framework user (see [this
code|https://github.com/apache/mesos/blob/1.7.0/src/slave/slave.cpp#L8959] for
details), so in this case the debug container will be launched as the same user
as the framework rather than the task. So in a scenario where the framework user is
a normal user but the task user is root, the debug container will be launched
as the normal user, which is not desired; the expectation is that the debug container
should run as the same user as the container it debugs.
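The default-user resolution described in the issue, as an added stand-alone model (not Mesos source code and not part of the original report). The type and function names are hypothetical, and the fallback to the framework user when a task sets no `user` is an assumption.

```cpp
// Added illustration: a stand-alone model with hypothetical names.
#include <iostream>
#include <optional>
#include <string>

enum class ExecutorKind { Command, Default };

struct Launch {
  ExecutorKind executor;
  std::string frameworkUser;
  std::optional<std::string> taskUser;   // `user` of the task being debugged
  std::optional<std::string> debugUser;  // `user` in the debug commandInfo
};

// Executor user as the issue describes it: the command executor follows its
// task, the default executor follows the framework.
// Assumption: a task with no `user` falls back to the framework user.
std::string executorUser(const Launch& l) {
  if (l.executor == ExecutorKind::Command)
    return l.taskUser.value_or(l.frameworkUser);
  return l.frameworkUser;
}

// User of the container being debugged (assumption: it inherits the
// executor's user when the task sets none).
std::string parentUser(const Launch& l) {
  return l.taskUser.value_or(executorUser(l));
}

// Behaviour reported for 1.7.0: default to the executor's user.
std::string debugUserCurrent(const Launch& l) {
  return l.debugUser.value_or(executorUser(l));
}

// Behaviour the issue asks for: default to the parent container's user.
std::string debugUserExpected(const Launch& l) {
  return l.debugUser.value_or(parentUser(l));
}

// True when the two defaults disagree, i.e. the launch is affected.
bool affected(const Launch& l) {
  return debugUserCurrent(l) != debugUserExpected(l);
}

int main() {  // constructed scenario from the issue: framework user vs root task
  Launch group{ExecutorKind::Default, "nobody", "root", std::nullopt};
  std::cout << debugUserCurrent(group) << " vs " << debugUserExpected(group)
            << " affected=" << affected(group) << "\n";
}
```

Only the task-group case with a task user that differs from the framework user is flagged; setting `user` explicitly on the debug container makes both resolutions agree.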