[ 
https://issues.apache.org/jira/browse/MESOS-9536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16752017#comment-16752017
 ] 

Qian Zhang commented on MESOS-9536:
-----------------------------------

The root cause of this issue is that in this patch 
[https://reviews.apache.org/r/64630/], the permission of a container's sandbox 
was changed from 0755 to 0750, and the nested container's sandbox is under its 
parent container's sandbox, so if the users of the nested container and its parent 
container are different, then the nested container cannot access its sandbox 
via the absolute path because it has no permission to enter its parent container's 
sandbox.

> Nested container launched with non-root user may not be able to write to its 
> sandbox via the environment variable `MESOS_SANDBOX`
> ---------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MESOS-9536
>                 URL: https://issues.apache.org/jira/browse/MESOS-9536
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization
>    Affects Versions: 1.6.0, 1.6.1, 1.7.0
>            Reporter: Qian Zhang
>            Assignee: Qian Zhang
>            Priority: Major
>
> Launch a nested container to write to its sandbox via the env var 
> `MESOS_SANDBOX`. The nested container is launched with a non-root user (e.g., 
> `nobody`) and its parent container (i.e., the default executor) is launched 
> with root since `mesos-execute` is executed with `sudo` in the example below.
> {code:java}
> $ sudo src/mesos-execute --master=<master-IP>:5050 --task_group=file:///tmp/task_group.json
> $ cat /tmp/task_group.json
> {
>   "tasks":[
>     {
>       "name" : "test",
>       "task_id" : {"value" : "test"},
>       "agent_id": {"value" : ""},
>       "resources": [
>         {"name": "cpus", "type": "SCALAR", "scalar": {"value": 0.1}},
>         {"name": "mem", "type": "SCALAR", "scalar": {"value": 32}}
>       ],
>       "command": {
>         "user": "nobody",
>         "value": "echo data > $MESOS_SANDBOX/file"
>       }
>     }
>   ]
> }
> {code}
> The nested container will fail.
> {code:java}
> I0125 16:04:03.610659 10064 scheduler.cpp:189] Version: 1.8.0
> I0125 16:04:03.641856 10066 scheduler.cpp:355] Using default 'basic' HTTP authenticatee
> I0125 16:04:03.643841 10063 scheduler.cpp:538] New master detected at [email protected]:5050
> Subscribed with ID 1ae64562-dbf9-4b24-af88-1cbcdc2ae71d-0002
> Submitted task group with tasks [ test ] to agent '12866186-dc2b-48a9-88ad-f9d951cf8c7f-S0'
> Received status update TASK_STARTING for task 'test'
>   source: SOURCE_EXECUTOR
> Received status update TASK_RUNNING for task 'test'
>   source: SOURCE_EXECUTOR
> Received status update TASK_FAILED for task 'test'
>   message: 'Command exited with status 2'
>   source: SOURCE_EXECUTOR
> {code}
> In the stderr of the nested container, we can see it has no permission to do 
> the write.
> {code:java}
> $ sudo cat /opt/mesos/slaves/12866186-dc2b-48a9-88ad-f9d951cf8c7f-S0/frameworks/1ae64562-dbf9-4b24-af88-1cbcdc2ae71d-0002/executors/default-executor/runs/c7173fd8-9c01-49f5-a092-bdad78609260/containers/bf8f6ac8-2f8a-4300-9fe6-a830f602f654/stderr
>  
> Marked '/' as rslave
> sh: 1: cannot create /opt/mesos/slaves/12866186-dc2b-48a9-88ad-f9d951cf8c7f-S0/frameworks/1ae64562-dbf9-4b24-af88-1cbcdc2ae71d-0002/executors/default-executor/runs/c7173fd8-9c01-49f5-a092-bdad78609260/containers/bf8f6ac8-2f8a-4300-9fe6-a830f602f654/file: Permission denied
> {code}
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
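Added illustration (not code from the issue, the patch, or Mesos itself): a small Python model of the POSIX directory-traversal check that produces the "Permission denied" above. Creating a file under a path requires search (execute) permission on every ancestor directory and write permission on the final one; root bypasses these discretionary checks, a non-root user such as `nobody` does not. The directory layout, the numeric uids/gids (0 for root, 65534 for `nobody`), the placeholder directory names and the 0755 mode of the intermediate `containers` directory are all constructed assumptions for the model; the only modes taken from the comment are the parent sandbox's 0755 (before the patch) and 0750 (after).

```python
"""Model of the POSIX permission walk behind MESOS-9536 (added example, not Mesos code)."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Constructed ids: root and the 'nobody' user named in the issue; the gids are assumptions.
ROOT_UID, ROOT_GID = 0, 0
NOBODY_UID, NOBODY_GID = 65534, 65534


@dataclass(frozen=True)
class DirEntry:
    """One directory on the path: its owner, group and permission bits."""
    name: str
    uid: int
    gid: int
    mode: int


def _class_bits(d: DirEntry, uid: int, gids: Sequence[int]) -> int:
    """Select the rwx triplet that applies to this caller: owner, group, or other."""
    if uid == d.uid:
        return (d.mode >> 6) & 0o7
    if d.gid in gids:
        return (d.mode >> 3) & 0o7
    return d.mode & 0o7


def can_search(d: DirEntry, uid: int, gids: Sequence[int]) -> bool:
    """May the caller pass through (search) this directory? root bypasses DAC."""
    return uid == 0 or bool(_class_bits(d, uid, gids) & 0o1)


def can_write(d: DirEntry, uid: int, gids: Sequence[int]) -> bool:
    """May the caller create entries in this directory? root bypasses DAC."""
    return uid == 0 or bool(_class_bits(d, uid, gids) & 0o2)


def check_create_in(path: List[DirEntry], uid: int, gids: Sequence[int]) -> Tuple[bool, str]:
    """Emulate `echo data > <dir>/file`: every ancestor must be searchable and the
    final directory writable. Returns (ok, reason) naming the first failing component."""
    for d in path[:-1]:
        if not can_search(d, uid, gids):
            return False, f"cannot enter {d.name} (mode {d.mode:04o}, owner uid {d.uid})"
    last = path[-1]
    if not can_write(last, uid, gids):
        return False, f"cannot write in {last.name} (mode {last.mode:04o}, owner uid {last.uid})"
    return True, "ok"


def nested_sandbox_path(parent_sandbox_mode: int) -> List[DirEntry]:
    """Constructed layout matching the issue: the parent (default executor) sandbox is
    root-owned, and the nested container's sandbox sits below it owned by 'nobody'.
    The intermediate 'containers' directory is assumed to be 0755."""
    return [
        DirEntry("<agent-work-dir>/runs", ROOT_UID, ROOT_GID, 0o755),
        DirEntry("runs/<parent-container-id>", ROOT_UID, ROOT_GID, parent_sandbox_mode),
        DirEntry("containers", ROOT_UID, ROOT_GID, 0o755),
        DirEntry("containers/<nested-container-id>", NOBODY_UID, NOBODY_GID, 0o750),
    ]


def nested_write_ok(parent_sandbox_mode: int) -> Tuple[bool, str]:
    """Can the nested container's user (nobody) write into its own sandbox when the
    parent sandbox carries the given mode?"""
    return check_create_in(nested_sandbox_path(parent_sandbox_mode), NOBODY_UID, [NOBODY_GID])


if __name__ == "__main__":
    for mode in (0o755, 0o750):
        ok, why = nested_write_ok(mode)
        print(f"parent sandbox {mode:04o}: {'ok' if ok else 'FAIL: ' + why}")
```

With the parent sandbox at 0755 the walk succeeds; at 0750 it stops at the parent sandbox because the "other" class has no execute bit, even though the nested sandbox itself is owned by `nobody` and fully writable by it. The model also shows the two conditions under which 0750 would not have bitten: the nested container running as root (DAC bypass) or sharing the parent's group (the group execute bit in 0750 is set).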