[jira] [Commented] (MESOS-9332) Nested container should run as the same user of its parent container by default

Sun, 18 Nov 2018 18:23:14 -0800 


    [ 
https://issues.apache.org/jira/browse/MESOS-9332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16691178#comment-16691178
 ] 

Qian Zhang commented on MESOS-9332:
-----------------------------------

SHA of 1.7.x backport: 706170289a0d3558d788938eeba6d07dc9504225

SHA of 1.6.x backport: 639d4f2c6e36f6cab9380136286bc3e95855d375

SHA of 1.5.x backport: 742471c575f9959f3ea9ffe7b6a317a033bfb42d

> Nested container should run as the same user of its parent container by 
> default
> -------------------------------------------------------------------------------
>
>                 Key: MESOS-9332
>                 URL: https://issues.apache.org/jira/browse/MESOS-9332
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization
>            Reporter: Qian Zhang
>            Assignee: Qian Zhang
>            Priority: Major
>              Labels: containerizer, mesosphere
>             Fix For: 1.6.2, 1.7.1, 1.5.3
>
>
> Currently when launching a debug container, by default Mesos agent will use 
> the executor's user as the debug container's user if the `user` field is not 
> specified in the debug container's `commandInfo` (see [this 
> code|https://github.com/apache/mesos/blob/1.7.0/src/slave/http.cpp#L2559] for 
> details). This is OK for the command task since the command executor's user 
> is same with command task's user (see [this 
> code|https://github.com/apache/mesos/blob/1.7.0/src/slave/slave.cpp#L6068:L6070]
>  for details), so the debug container will be launched as the same user of 
> the task. But for the task in a task group, the default executor's user is 
> same with the framework user (see [this 
> code|https://github.com/apache/mesos/blob/1.7.0/src/slave/slave.cpp#L8959] 
> for details), so in this case the debug container will be launched as the 
> same user of the framework rather than the task. So in a scenario that 
> framework user is a normal user but the task user is root, the debug 
> container will be launched as the normal which is not desired, the 
> expectation is the debug container should run as the same user of the 
> container it debugs.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to