-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72478/#review220671
-----------------------------------------------------------

Ship it!


Ship It!

- Qian Zhang


On May 7, 2020, 2:19 a.m., Andrei Budnik wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72478/
> -----------------------------------------------------------
>
> (Updated May 7, 2020, 2:19 a.m.)
>
>
> Review request for mesos, Andrei Sekretenko, Benjamin Mahler, Greg Mann, and Qian Zhang.
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Previously, the default permissions for domain sockets allowed
> r/w access only for the file's user, so an executor launched under
> a non-privileged user could not open the agent's socket. This patch
> adds r/w permissions for the group and other users to address
> the access problem.
>
>
> Diffs
> -----
>
>   src/common/domain_sockets.hpp 6d2b0abfa456aa2b95d60057ecc94c6f075e74d9
>
>
> Diff: https://reviews.apache.org/r/72478/diff/1/
>
>
> Testing
> -------
>
> # Without this patch
>
> 1. run master:
> ```
> $ bin/mesos-master.sh --work_dir=~/mesos/build/vars/master
> ```
>
> 2. run agent with `--http_executor_domain_sockets=true` and `--http_command_executor=true`:
> ```
> $ sudo GLOG_v=2 ./bin/mesos-agent.sh --resources="cpus:10;mem:100000" \
>     --http_executor_domain_sockets=true --http_command_executor=true \
>     --work_dir=/home/nobody/mesos/build/var/agent-1 \
>     --containerizers="docker,mesos" --master="`hostname`:5050"
> ```
>
> 3. launch a task via `mesos-execute` as a non-root user:
> ```
> $ ./src/mesos-execute --master="`hostname`:5050" --name="a" \
>     --containerizer=mesos --command="sleep 1"
>
> ...
> Received status update TASK_FAILED for task 'a'
>   message: 'Executor terminated'
>   source: SOURCE_AGENT
>   reason: REASON_EXECUTOR_TERMINATED
> ```
>
> # This patch applied
>
> Task successfully finished.
>
>
> Thanks,
>
> Andrei Budnik
>
>
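
The permission change described in the review request, shown as an added example that is not the Mesos patch or code from `domain_sockets.hpp`: it binds a Unix domain socket that is r/w for its owner only, then adds r/w for group and other and reads back the mode. The helper names, the `0177` umask used to get the owner-only starting mode, and the scratch path are assumptions made for the demo.

```cpp
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>
#include <cstdio>
#include <cstdlib>
#include <string>

// Bind a Unix domain socket at `path` with umask 0177 (demo assumption), so
// the socket file is created rw for its owner only. Returns the fd or -1.
int bindOwnerOnly(const std::string& path) {
  sockaddr_un addr{};  // zero-initialized, so sun_path stays NUL-terminated
  addr.sun_family = AF_UNIX;
  if (path.size() >= sizeof(addr.sun_path)) return -1;
  path.copy(addr.sun_path, path.size());
  int fd = socket(AF_UNIX, SOCK_STREAM, 0);
  if (fd < 0) return -1;
  mode_t old = umask(0177);  // on Linux bind() creates the file as 0777 & ~umask
  int rc = bind(fd, reinterpret_cast<sockaddr*>(&addr), sizeof(addr));
  umask(old);
  if (rc != 0) { close(fd); return -1; }
  return fd;
}

// Permission bits of the socket file at `path`, or -1 if it is not a socket.
int socketMode(const std::string& path) {
  struct stat st;
  if (stat(path.c_str(), &st) != 0 || !S_ISSOCK(st.st_mode)) return -1;
  return static_cast<int>(st.st_mode & 0777);
}

// Add r/w for group and other, keeping the bits that are already set.
bool allowGroupAndOther(const std::string& path) {
  int mode = socketMode(path);
  if (mode < 0) return false;
  return chmod(path.c_str(), mode | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH) == 0;
}

int main() {
  char dir[] = "/tmp/sockdemo.XXXXXX";  // constructed scratch directory
  if (mkdtemp(dir) == nullptr) return 1;
  std::string path = std::string(dir) + "/agent.sock";
  int fd = bindOwnerOnly(path);
  int before = socketMode(path);
  bool ok = fd >= 0 && allowGroupAndOther(path);
  std::printf("after bind: %04o, after chmod: %04o\n", before, socketMode(path));
  close(fd); unlink(path.c_str()); rmdir(dir);
  return ok ? 0 : 1;
}
```

Once the socket file is 0666, which local users can actually reach it is decided by the permissions on the directories along its path, so the parent directory's mode is worth checking together with the socket's.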