[ https://issues.apache.org/jira/browse/MESOS-9332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16691168#comment-16691168 ]

Qian Zhang commented on MESOS-9332:
-----------------------------------

commit c5ecd424259651dcb47321516914295ebef2bc48
Author: Qian Zhang 
Date: Sat Nov 17 17:28:48 2018 +0800

Fixed an issue about inheriting user for nested containers.
 
 Previously we inherited the user from the parent container for nested
 containers in `MesosContainerizerProcess::_launch`, but that
 is too late, which causes an issue where the nested container
 is launched as a non-root user but its sandbox directory is
 created with root as owner (suppose there is no user specified
 in the nested container's `commandInfo` and the default executor
 is launched as a non-root user), so the nested container will not
 have permission to write to its own sandbox.
 
 In this patch, we inherit the user for nested containers in an earlier
 place (i.e., `MesosContainerizerProcess::launch`) to avoid the
 above issue.
 
 Review: https://reviews.apache.org/r/69376

> Nested container should run as the same user of its parent container by 
> default
> -------------------------------------------------------------------------------
>
>                 Key: MESOS-9332
>                 URL: https://issues.apache.org/jira/browse/MESOS-9332
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization
>            Reporter: Qian Zhang
>            Assignee: Qian Zhang
>            Priority: Major
>              Labels: containerizer, mesosphere
>             Fix For: 1.6.2, 1.7.1, 1.5.3
>
>
> Currently, when launching a debug container, by default the Mesos agent will
> use the executor's user as the debug container's user if the `user` field is
> not specified in the debug container's `commandInfo` (see
> [this code|https://github.com/apache/mesos/blob/1.7.0/src/slave/http.cpp#L2559]
> for details). This is OK for a command task since the command executor's user
> is the same as the command task's user (see
> [this code|https://github.com/apache/mesos/blob/1.7.0/src/slave/slave.cpp#L6068:L6070]
> for details), so the debug container will be launched as the same user as the
> task. But for a task in a task group, the default executor's user is the same
> as the framework user (see
> [this code|https://github.com/apache/mesos/blob/1.7.0/src/slave/slave.cpp#L8959]
> for details), so in this case the debug container will be launched as the
> same user as the framework rather than the task. So in a scenario where the
> framework user is a normal user but the task user is root, the debug
> container will be launched as the normal user, which is not desired; the
> expectation is that the debug container should run as the same user as the
> container it debugs.
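The ordering problem the commit message describes (user inherited in `_launch`, after the sandbox has already been created as root) is easy to lose in prose, so here is a small constructed Python model of it. This is an added illustration, not Mesos code: `ContainerSpec`, `launch_before_fix`, `launch_after_fix` and the user name `nobody` are assumptions made for the example, and the only behaviour it encodes is the one stated above (a nested container without `commandInfo.user` runs as its parent's user, and the sandbox is owned by whoever was known when it was created).

```python
"""Constructed model of the MESOS-9332 user-inheritance ordering bug.

Not Mesos code. Names and the sample users are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# The agent process that creates sandbox directories runs as root.
AGENT_USER = "root"


@dataclass
class ContainerSpec:
    """Subset of a container launch request relevant to user selection."""
    container_id: str
    command_user: Optional[str] = None  # CommandInfo.user; often unset for nested containers


@dataclass
class LaunchResult:
    run_user: str        # user the container process actually runs as
    sandbox_owner: str   # owner of the sandbox directory


def inherit_user(spec: ContainerSpec, parent_user: str) -> str:
    """A nested container runs as CommandInfo.user if set, otherwise as its parent."""
    return spec.command_user if spec.command_user else parent_user


def create_sandbox(user: Optional[str]) -> str:
    """The agent creates the sandbox and chowns it to `user` if one is known
    at that moment; otherwise the directory keeps the agent's owner (root)."""
    return user if user else AGENT_USER


def launch_before_fix(spec: ContainerSpec, parent_user: str) -> LaunchResult:
    """Pre-fix ordering: sandbox created in `launch` with only CommandInfo.user
    known; parent's user inherited later in `_launch`, too late for the chown."""
    owner = create_sandbox(spec.command_user)
    run_user = inherit_user(spec, parent_user)
    return LaunchResult(run_user=run_user, sandbox_owner=owner)


def launch_after_fix(spec: ContainerSpec, parent_user: str) -> LaunchResult:
    """Post-fix ordering: inherit the user first, then create the sandbox."""
    run_user = inherit_user(spec, parent_user)
    owner = create_sandbox(run_user)
    return LaunchResult(run_user=run_user, sandbox_owner=owner)


def can_write_sandbox(result: LaunchResult) -> bool:
    """Owner-only write model: the process can write if it owns the directory
    or is root. Encodes the 'no permission to write to its own sandbox' symptom."""
    return result.run_user == "root" or result.run_user == result.sandbox_owner


if __name__ == "__main__":
    # Constructed scenario: default executor runs as the non-root user "nobody",
    # nested container sets no CommandInfo.user.
    nested = ContainerSpec("nested-1")
    for name, launch in (("before fix", launch_before_fix), ("after fix", launch_after_fix)):
        r = launch(nested, parent_user="nobody")
        print(f"{name}: runs as {r.run_user}, sandbox owned by {r.sandbox_owner}, "
              f"writable={can_write_sandbox(r)}")
```

Run as a script it prints one line per ordering; the pre-fix case runs as `nobody` with a root-owned sandbox and is not writable, the post-fix case owns its sandbox. A nested container that does set `commandInfo.user` is unaffected in both orderings, which matches the commit message's "suppose there is no user specified" precondition.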



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)