[ https://issues.apache.org/jira/browse/MESOS-9332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16679501#comment-16679501 ]

Till Toenshoff edited comment on MESOS-9332 at 11/14/18 7:23 PM:
-----------------------------------------------------------------

master:
{noformat}
commit be494213083b27bc768c919f3df1df2bca899955
Author: Qian Zhang 
Date:   Fri Oct 26 09:23:27 2018 +0800

    Made nested container runs as its parent container's user by default.
    
    Review: https://reviews.apache.org/r/69234

commit 4e00b663910ac3a37dd86e454acadb78dba1322a
Author: Qian Zhang 
Date:   Wed Oct 31 17:18:18 2018 -0700

    Added a test `ROOT_UNPRIVILEGED_USER_DefaultExecutorCommandHealthCheck`.
    
    Review: https://reviews.apache.org/r/69235

commit 05e2cb58dde866b67955304417804bee684d5817
Author: Qian Zhang 
Date:   Thu Nov 1 13:35:49 2018 -0700

    Fixed a coding error that a test waited on a wrong task status update.
    
    Review: https://reviews.apache.org/r/69236
{noformat}


was (Author: qianzhang):
commit be494213083b27bc768c919f3df1df2bca899955
Author: Qian Zhang 
Date:   Fri Oct 26 09:23:27 2018 +0800

    Made nested container runs as its parent container's user by default.
    
    Review: https://reviews.apache.org/r/69234

commit 4e00b663910ac3a37dd86e454acadb78dba1322a
Author: Qian Zhang 
Date:   Wed Oct 31 17:18:18 2018 -0700

    Added a test `ROOT_UNPRIVILEGED_USER_DefaultExecutorCommandHealthCheck`.
    
    Review: https://reviews.apache.org/r/69235

commit 05e2cb58dde866b67955304417804bee684d5817
Author: Qian Zhang 
Date:   Thu Nov 1 13:35:49 2018 -0700

    Fixed a coding error that a test waited on a wrong task status update.
    
    Review: https://reviews.apache.org/r/69236

> Nested container should run as the same user of its parent container by 
> default
> -------------------------------------------------------------------------------
>
>                 Key: MESOS-9332
>                 URL: https://issues.apache.org/jira/browse/MESOS-9332
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization
>            Reporter: Qian Zhang
>            Assignee: Qian Zhang
>            Priority: Major
>              Labels: containerizer, mesosphere
>             Fix For: 1.6.2, 1.7.1, 1.5.3
>
>
> Currently when launching a debug container, by default the Mesos agent will use 
> the executor's user as the debug container's user if the `user` field is not 
> specified in the debug container's `commandInfo` (see [this 
> code|https://github.com/apache/mesos/blob/1.7.0/src/slave/http.cpp#L2559] for 
> details). This is OK for the command task since the command executor's user 
> is the same as the command task's user (see [this 
> code|https://github.com/apache/mesos/blob/1.7.0/src/slave/slave.cpp#L6068:L6070]
>  for details), so the debug container will be launched as the same user as 
> the task. But for a task in a task group, the default executor's user is 
> the same as the framework user (see [this 
> code|https://github.com/apache/mesos/blob/1.7.0/src/slave/slave.cpp#L8959] 
> for details), so in this case the debug container will be launched as the 
> same user as the framework rather than the task. So in a scenario where the 
> framework user is a normal user but the task user is root, the debug 
> container will be launched as the normal user, which is not desired; the 
> expectation is that the debug container should run as the same user as the 
> container it debugs.


