[ https://issues.apache.org/jira/browse/MESOS-9332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16691168#comment-16691168 ]
Qian Zhang commented on MESOS-9332:
-----------------------------------

commit c5ecd424259651dcb47321516914295ebef2bc48
Author: Qian Zhang
Date:   Sat Nov 17 17:28:48 2018 +0800

    Fixed an issue about inheriting user for nested containers.

    Previously we inherited the user from the parent container for nested
    containers in `MesosContainerizerProcess::_launch`, but that is too late,
    which causes an issue where the nested container is launched as a non-root
    user but its sandbox directory is created with root as owner (suppose there
    is no user specified in the nested container's `commandInfo` and the default
    executor is launched as a non-root user), so the nested container will not
    have permission to write to its own sandbox. In this patch, we inherit the
    user for nested containers in an earlier place (i.e.,
    `MesosContainerizerProcess::launch`) to avoid the above issue.

    Review: https://reviews.apache.org/r/69376

> Nested container should run as the same user of its parent container by
> default
> -------------------------------------------------------------------------------
>
>                 Key: MESOS-9332
>                 URL: https://issues.apache.org/jira/browse/MESOS-9332
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization
>            Reporter: Qian Zhang
>            Assignee: Qian Zhang
>            Priority: Major
>              Labels: containerizer, mesosphere
>             Fix For: 1.6.2, 1.7.1, 1.5.3
>
>
> Currently when launching a debug container, by default Mesos agent will use
> the executor's user as the debug container's user if the `user` field is not
> specified in the debug container's `commandInfo` (see [this
> code|https://github.com/apache/mesos/blob/1.7.0/src/slave/http.cpp#L2559] for
> details). This is OK for the command task since the command executor's user
> is the same as the command task's user (see [this
> code|https://github.com/apache/mesos/blob/1.7.0/src/slave/slave.cpp#L6068:L6070]
> for details), so the debug container will be launched as the same user of
> the task.
>
> But for the task in a task group, the default executor's user is the same as
> the framework user (see [this
> code|https://github.com/apache/mesos/blob/1.7.0/src/slave/slave.cpp#L8959]
> for details), so in this case the debug container will be launched as the
> same user of the framework rather than the task. So in a scenario where the
> framework user is a normal user but the task user is root, the debug
> container will be launched as the normal user, which is not desired; the
> expectation is that the debug container should run as the same user as the
> container it debugs.

-- This message was sent by Atlassian JIRA (v7.6.3#76005)
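To make the ordering problem in the commit message concrete, here is an added Python model (not Mesos code) of the two launch orderings: resolving the inherited user after the sandbox is created versus before it. The `Container` type, the user names and the "root-owned sandbox" default are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Container:
    """Constructed stand-in for a Mesos container: CommandInfo.user is None when unset."""
    container_id: str
    parent: Optional["Container"]
    command_user: Optional[str]
    launched_as: Optional[str] = None
    sandbox_owner: Optional[str] = None


def effective_user(container: Container, agent_user: str = "root") -> str:
    """Explicit CommandInfo.user wins; otherwise a nested container inherits
    its parent's user. A top-level container with no user runs as the agent user."""
    if container.command_user is not None:
        return container.command_user
    if container.parent is not None:
        return effective_user(container.parent, agent_user)
    return agent_user


def launch_before_fix(container: Container, agent_user: str = "root") -> Container:
    """Pre-fix ordering (user inherited in _launch): the sandbox is already created,
    owned by the agent user, before the nested container's user is known."""
    container.sandbox_owner = agent_user
    container.launched_as = effective_user(container, agent_user)
    return container


def launch_after_fix(container: Container, agent_user: str = "root") -> Container:
    """Fixed ordering (user inherited in launch): the user is resolved first,
    so the sandbox is created for that user."""
    container.launched_as = effective_user(container, agent_user)
    container.sandbox_owner = container.launched_as
    return container


def sandbox_writable(container: Container) -> bool:
    """A container can write its sandbox if it owns it or runs as root."""
    return container.launched_as == "root" or container.launched_as == container.sandbox_owner


def audit(containers: List[Container]) -> List[str]:
    """Return ids of launched containers that cannot write their own sandbox."""
    return [c.container_id for c in containers if not sandbox_writable(c)]
```

Running `audit` over a default executor launched as a non-root user with a nested container that sets no user flags the container under the old ordering and nothing under the fixed one.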