Re: Review Request 72478: Changed permissions for domain sockets to allow non-root executors.

Thu, 07 May 2020 02:52:00 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72478/#review220671
-----------------------------------------------------------


Ship it!




Ship It!

- Qian Zhang


On May 7, 2020, 2:19 a.m., Andrei Budnik wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/72478/
> -----------------------------------------------------------
> 
> (Updated May 7, 2020, 2:19 a.m.)
> 
> 
> Review request for mesos, Andrei Sekretenko, Benjamin Mahler, Greg Mann, and 
> Qian Zhang.
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Previously, the default permissions for domain sockets allowed
> r/w access only for the file's user, so an executor launched under
> a non-privileged user could not open the agent's socket. This patch
> adds r/w permissions for the group and other users to address
> the access problem.
> 
> 
> Diffs
> -----
> 
>   src/common/domain_sockets.hpp 6d2b0abfa456aa2b95d60057ecc94c6f075e74d9 
> 
> 
> Diff: https://reviews.apache.org/r/72478/diff/1/
> 
> 
> Testing
> -------
> 
> # Without this patch
> 
> 1. run master:
> ```
> $ bin/mesos-master.sh --work_dir=~/mesos/build/vars/master
> ```
> 
> 2. run agent with `--http_executor_domain_sockets=true` and 
> `--http_command_executor=true`:
> ```
> $ sudo GLOG_v=2 ./bin/mesos-agent.sh --resources="cpus:10;mem:100000" 
> --http_executor_domain_sockets=true --http_command_executor=true 
> --work_dir=/home/nobody/mesos/build/var/agent-1' 
> --containerizers="docker,mesos" --master="`hostname`:5050"
> ```
> 
> 3. launch a task via `mesos-execute` as a non-root user:
> ```
> $ ./src/mesos-execute --master="`hostname`:5050" --name="a" 
> --containerizer=mesos --command="sleep 1"
> 
> ...
> Received status update TASK_FAILED for task 'a'
>   message: 'Executor terminated'
>   source: SOURCE_AGENT
>   reason: REASON_EXECUTOR_TERMINATED
> ```
> 
> # This patch applied
> 
> Task successfully finished.
> 
> 
> Thanks,
> 
> Andrei Budnik
> 
>

Reply via email to