[jira] [Commented] (MESOS-5754) CommandInfo.user not honored in docker containerizer

2016-07-14 Thread Jie Yu (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-5754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15378313#comment-15378313
 ] 

Jie Yu commented on MESOS-5754:
---

Some notes here:

This change will potentially break some existing Mesos users. For instance, 
if their running cluster has `--switch-user` turned on, here is the 
difference:
Before: the docker container will run under uid=0 (assuming the image does not 
specify a user); it's able to create directories under /var/lib.
After: the docker container will run under the user specified in commandInfo or 
frameworkInfo. It might not be able to write to directories like /var/lib.

> CommandInfo.user not honored in docker containerizer
>
> Key: MESOS-5754
> URL: https://issues.apache.org/jira/browse/MESOS-5754
> Project: Mesos
> Issue Type: Bug
> Components: containerization, docker, slave
> Affects Versions: 1.0.0
> Reporter: Michael Gummelt
> Assignee: Gilbert Song
> Labels: mesosphere
>
> Repro by creating a framework that starts a task with CommandInfo.user set, 
> and observe that the dockerized executor is still running as the default 
> (e.g. root).
> cc [~kaysoky]



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (MESOS-5754) CommandInfo.user not honored in docker containerizer

2016-07-12 Thread Adam B (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-5754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15374091#comment-15374091
 ] 

Adam B commented on MESOS-5754:
---

Not necessarily. Any scheduler that constructs a ContainerInfo can set the 
Parameters field in DockerInfo to set "user=not-root" as a command-line 
parameter to docker when launching that container.


[jira] [Commented] (MESOS-5754) CommandInfo.user not honored in docker containerizer

2016-06-30 Thread Michael Gummelt (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-5754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15358002#comment-15358002
 ] 

Michael Gummelt commented on MESOS-5754:


> The workaround is to specify a CLI parameter: 

Assuming you're launching through Marathon, yes.


[jira] [Commented] (MESOS-5754) CommandInfo.user not honored in docker containerizer

2016-06-30 Thread Joseph Wu (JIRA)

[ 
https://issues.apache.org/jira/browse/MESOS-5754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=15357994#comment-15357994
 ] 

Joseph Wu commented on MESOS-5754:
--

I'd be curious if this has affected any users negatively.  If users have not 
noticed this, then they may be inadvertently relying on the incorrect behavior 
(of always running docker tasks as root).

The workaround is to specify a CLI parameter: 
https://github.com/apache/mesos/blob/db8b0f16c1c8c6e683a4b788262f307a8bc218e0/include/mesos/v1/mesos.proto#L1826-L1830
i.e.
{code}
"container" : {
  ...,
  "docker" : {
    ...,
    "parameters" : [{
      "key": "user",
      "value": "not-root"
    }]
  }
}
{code}

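An added example, not code from this thread or from the Mesos project: a small audit over Marathon-style app definitions that sorts docker tasks by how they are affected by the behaviour discussed above. It assumes the app's top-level `user` field is what ends up in CommandInfo.user; the app ids, status labels and sample definitions are constructed.

```python
import json

# Constructed sample: Marathon-style app definitions (not taken from the thread).
SAMPLE_APPS = json.loads("""
[
  {"id": "/a", "user": "nobody",
   "container": {"type": "DOCKER", "docker": {"image": "img"}}},
  {"id": "/b",
   "container": {"type": "DOCKER", "docker": {"image": "img",
     "parameters": [{"key": "user", "value": "not-root"}]}}},
  {"id": "/c",
   "container": {"type": "DOCKER", "docker": {"image": "img",
     "parameters": [{"key": "user", "value": "0:0"}]}}},
  {"id": "/d",
   "container": {"type": "DOCKER", "docker": {"image": "img"}}}
]
""")

def docker_user_param(app):
    """Return the docker 'user' parameter value, or None if unset or empty."""
    docker = (app.get("container") or {}).get("docker") or {}
    value = None
    for param in docker.get("parameters") or []:
        if param.get("key") == "user" and param.get("value"):
            value = param["value"]  # assumption: a repeated key resolves to the last one
    return value

def is_root(user):
    # "0", "root", "0:0" and "root:staff" all name uid 0; drop any group part.
    return user.split(":", 1)[0].strip() in {"0", "root"}

def audit(app):
    """Classify one app under the pre-fix behaviour described in the thread."""
    param = docker_user_param(app)
    if param is not None:
        return "root-explicit" if is_root(param) else "ok"
    requested = app.get("user")  # assumed to map to CommandInfo.user
    if requested and not is_root(requested):
        # Ignored before the fix; after it the task stops running as uid 0
        # and may lose write access to paths such as /var/lib.
        return "user-ignored"
    return "image-default"  # runs as the image's user, root if the image sets none

def report(apps):
    return {app["id"]: audit(app) for app in apps}

if __name__ == "__main__":
    for app_id, status in report(SAMPLE_APPS).items():
        print(f"{app_id}: {status}")
```

Apps reported as `user-ignored` are the ones whose effective uid changes once CommandInfo.user is honored, so they are the ones to test for write-permission regressions before upgrading.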