[jira] [Commented] (MESOS-9332) Nested container should run as the same user of its parent container by default

Wed, 14 Nov 2018 18:59:48 -0800 


    [ 
https://issues.apache.org/jira/browse/MESOS-9332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16687425#comment-16687425
 ] 

Qian Zhang commented on MESOS-9332:
-----------------------------------

SHA of 1.7.x backport: 222ec278aeb98ef9c6fc948df182a42f27552b44
SHA of 1.6.x backport: a3cb327926456725b19bc900b6c0f80c4f5815aa
SHA of 1.5.x backport: 19ea5384a4009351f31a82647642b584b54939f9

> Nested container should run as the same user of its parent container by 
> default
> -------------------------------------------------------------------------------
>
>                 Key: MESOS-9332
>                 URL: https://issues.apache.org/jira/browse/MESOS-9332
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization
>            Reporter: Qian Zhang
>            Assignee: Qian Zhang
>            Priority: Major
>              Labels: containerizer, mesosphere
>             Fix For: 1.6.2, 1.7.1, 1.5.3
>
>
> Currently when launching a debug container, by default Mesos agent will use 
> the executor's user as the debug container's user if the `user` field is not 
> specified in the debug container's `commandInfo` (see [this 
> code|https://github.com/apache/mesos/blob/1.7.0/src/slave/http.cpp#L2559] for 
> details). This is OK for the command task since the command executor's user 
> is same with command task's user (see [this 
> code|https://github.com/apache/mesos/blob/1.7.0/src/slave/slave.cpp#L6068:L6070]
>  for details), so the debug container will be launched as the same user of 
> the task. But for the task in a task group, the default executor's user is 
> same with the framework user (see [this 
> code|https://github.com/apache/mesos/blob/1.7.0/src/slave/slave.cpp#L8959] 
> for details), so in this case the debug container will be launched as the 
> same user of the framework rather than the task. So in a scenario that 
> framework user is a normal user but the task user is root, the debug 
> container will be launched as the normal which is not desired, the 
> expectation is the debug container should run as the same user of the 
> container it debugs.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to