Posted to issues@mesos.apache.org by "Qian Zhang (JIRA)" <ji...@apache.org> on 2018/11/08 09:34:00 UTC

[jira] [Commented] (MESOS-9332) Nested container should run as the same user of its parent container by default

    [ https://issues.apache.org/jira/browse/MESOS-9332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16679501#comment-16679501 ] 

Qian Zhang commented on MESOS-9332:
-----------------------------------

commit be494213083b27bc768c919f3df1df2bca899955
Author: Qian Zhang 
Date:   Fri Oct 26 09:23:27 2018 +0800

    Made nested container run as its parent container's user by default.
    
    Review: https://reviews.apache.org/r/69234

commit 4e00b663910ac3a37dd86e454acadb78dba1322a
Author: Qian Zhang 
Date:   Wed Oct 31 17:18:18 2018 -0700

    Added a test `ROOT_UNPRIVILEGED_USER_DefaultExecutorCommandHealthCheck`.
    
    Review: https://reviews.apache.org/r/69235

commit 05e2cb58dde866b67955304417804bee684d5817
Author: Qian Zhang 
Date:   Thu Nov 1 13:35:49 2018 -0700

    Fixed a coding error where a test waited on the wrong task status update.
    
    Review: https://reviews.apache.org/r/69236

> Nested container should run as the same user of its parent container by default
> -------------------------------------------------------------------------------
>
>                 Key: MESOS-9332
>                 URL: https://issues.apache.org/jira/browse/MESOS-9332
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization
>            Reporter: Qian Zhang
>            Assignee: Qian Zhang
>            Priority: Major
>              Labels: containerizer, mesosphere
>
> Currently, when launching a debug container, by default the Mesos agent will use the executor's user as the debug container's user if the `user` field is not specified in the debug container's `commandInfo` (see [this code|https://github.com/apache/mesos/blob/1.7.0/src/slave/http.cpp#L2559] for details). This is OK for a command task, since the command executor's user is the same as the command task's user (see [this code|https://github.com/apache/mesos/blob/1.7.0/src/slave/slave.cpp#L6068:L6070] for details), so the debug container will be launched as the same user as the task. But for a task in a task group, the default executor's user is the same as the framework user (see [this code|https://github.com/apache/mesos/blob/1.7.0/src/slave/slave.cpp#L8959] for details), so in this case the debug container will be launched as the same user as the framework rather than the task. So in a scenario where the framework user is a normal user but the task user is root, the debug container will be launched as the normal user, which is not desired; the expectation is that the debug container should run as the same user as the container it debugs.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
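The user-selection logic described in the issue, as an added example written for this page; it is a simplified model, not Mesos code, and does not call the Mesos API. The type names (`ExecutorKind`, `CommandInfo`, `LaunchContext`) and function names (`executorUser`, `debugUserBefore`, `debugUserAfter`, `fallbackMismatch`) are assumptions. It contrasts the fallback before the fix (the executor's user) with the fallback after it (the parent container's user) for both a command task and a task in a task group, and shows that an explicit `user` in the debug container's `commandInfo` still overrides the default in either case.

```cpp
// Added example modelling MESOS-9332: how the agent picks the user of a
// nested (debug) container when the request leaves `user` unset.
// Not Mesos code; all names below are assumptions for illustration.
#include <cassert>
#include <iostream>
#include <string>

// The command executor runs as the task's user; the default executor
// (task groups) runs as the framework's user.
enum class ExecutorKind { Command, Default };

// Optional `user` field of the debug container's CommandInfo.
struct CommandInfo {
    bool hasUser;
    std::string user;
};

// What the agent knows when the debug container is launched.
struct LaunchContext {
    ExecutorKind executorKind;
    std::string frameworkUser;  // user the framework runs as
    std::string taskUser;       // user the task (parent) container runs as
};

// Executor user as derived in the issue description.
std::string executorUser(const LaunchContext& ctx) {
    return ctx.executorKind == ExecutorKind::Command ? ctx.taskUser
                                                     : ctx.frameworkUser;
}

// Before the fix: an unset `user` falls back to the executor's user.
std::string debugUserBefore(const CommandInfo& cmd, const LaunchContext& ctx) {
    if (cmd.hasUser) return cmd.user;
    return executorUser(ctx);
}

// After the fix: an unset `user` falls back to the parent container's user.
std::string debugUserAfter(const CommandInfo& cmd, const LaunchContext& ctx) {
    if (cmd.hasUser) return cmd.user;
    return ctx.taskUser;
}

// True when the old fallback would have run the debug container as a user
// different from the task it is meant to debug.
bool fallbackMismatch(const LaunchContext& ctx) {
    CommandInfo noUser{false, ""};
    return debugUserBefore(noUser, ctx) != debugUserAfter(noUser, ctx);
}

int main() {
    CommandInfo noUser{false, ""};
    CommandInfo explicitUser{true, "bob"};

    // Constructed scenario from the issue: framework registered as a normal
    // user ("alice"), task in a task group runs as root.
    LaunchContext taskGroup{ExecutorKind::Default, "alice", "root"};
    std::cout << "task group, user unset: before=" << debugUserBefore(noUser, taskGroup)
              << " after=" << debugUserAfter(noUser, taskGroup)
              << " mismatch=" << (fallbackMismatch(taskGroup) ? "yes" : "no") << "\n";

    // Same users, but a command task: executor user already equals task user.
    LaunchContext commandTask{ExecutorKind::Command, "alice", "root"};
    std::cout << "command task, user unset: before=" << debugUserBefore(noUser, commandTask)
              << " after=" << debugUserAfter(noUser, commandTask)
              << " mismatch=" << (fallbackMismatch(commandTask) ? "yes" : "no") << "\n";

    // An explicit `user` wins over either fallback.
    std::cout << "task group, user=bob: before=" << debugUserBefore(explicitUser, taskGroup)
              << " after=" << debugUserAfter(explicitUser, taskGroup) << "\n";
    return 0;
}
```

Only the fallback changes; a request that sets `user` behaves identically before and after. The check a practitioner wants is `fallbackMismatch`: it is true exactly for the task-group case, where the default executor's user (the framework user) differs from the task's user.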