Posted to commits@mesos.apache.org by ji...@apache.org on 2017/03/09 21:44:05 UTC

[2/3] mesos git commit: Fixed command task with container image 'root' user issue.

Fixed command task with container image 'root' user issue.

This issue is specific to command tasks with a container image provided.
We used to set user as 'root' explicitly for command task with
container image. However, this would break operators who set 'user'
for FrameworkInfo/CommandInfo to any user other than 'root' because
the task cannot access all other contents owned by 'root', e.g.,
persistent volumes, stdout/stderr or any other directories/files
written by modules.

Instead of relying on each isolator/module to explicitly chown,
Mesos should set user to 'root' right before launching the command
executor, because the root privilege is only necessary for 'chroot'
in command executor launch, which should not impact other
components.

Review: https://reviews.apache.org/r/57402/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/f32ca017
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/f32ca017
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/f32ca017

Branch: refs/heads/master
Commit: f32ca0173a35f530bfbfc317346e487e25a5b8ce
Parents: e2f46f1
Author: Gilbert Song <so...@gmail.com>
Authored: Thu Mar 9 12:42:44 2017 -0800
Committer: Jie Yu <yu...@gmail.com>
Committed: Thu Mar 9 13:43:59 2017 -0800

----------------------------------------------------------------------
 src/slave/containerizer/mesos/containerizer.cpp |  9 +++++++++
 src/slave/slave.cpp                             | 10 +---------
 2 files changed, 10 insertions(+), 9 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/f32ca017/src/slave/containerizer/mesos/containerizer.cpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/containerizer.cpp b/src/slave/containerizer/mesos/containerizer.cpp
index a23a6fa..7676a4d 100644
--- a/src/slave/containerizer/mesos/containerizer.cpp
+++ b/src/slave/containerizer/mesos/containerizer.cpp
@@ -1449,6 +1449,15 @@ Future<bool> MesosContainerizerProcess::_launch(
     launchInfo.set_user(container->config.user());
   }
 
+  // TODO(gilbert): Remove this once we no longer support command
+  // task in favor of default executor.
+  if (container->config.has_task_info() &&
+      container->config.has_rootfs()) {
+    // We need to set the executor user as root as it needs to
+    // perform chroot (even when switch_user is set to false).
+    launchInfo.set_user("root");
+  }
+
   // Use a pipe to block the child until it's been isolated.
   // The `pipes` array is captured later in a lambda.
   Try<std::array<int_fd, 2>> pipes_ = os::pipe();
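Review bot: the new `if` block silently overrides the user that was just copied from `container->config.user()` a few lines above, so the agent now escalates the executor's launch identity to root without any record of having done so; consider adding a `LOG(INFO)` (or at least `VLOG(1)`) inside the block stating that the command executor for this container is being launched as root because a rootfs is present, so operators can audit the escalation in agent logs. It is also worth extending the in-code comment to say that this is a launch-only identity and that the task's own user still reaches the executor through `ExecutorInfo.command.user` (per the `slave.cpp` change in this same commit), since a reader of this function alone cannot tell that the non-root user is preserved anywhere. Finally, the condition keys only on `has_task_info() && has_rootfs()`; a short comment on why `switch_user` is deliberately not consulted here (the removed `slave.cpp` comment did say "even when switch_user is set to false") would keep that rationale from being lost.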

http://git-wip-us.apache.org/repos/asf/mesos/blob/f32ca017/src/slave/slave.cpp
----------------------------------------------------------------------
diff --git a/src/slave/slave.cpp b/src/slave/slave.cpp
index 4319f84..2308d5b 100644
--- a/src/slave/slave.cpp
+++ b/src/slave/slave.cpp
@@ -4463,10 +4463,6 @@ ExecutorInfo Slave::getExecutorInfo(
     // task. For this reason, we need to strip the image in
     // `executor.container.mesos`.
     container->mutable_mesos()->clear_image();
-
-    // We need to set the executor user as root as it needs to
-    // perform chroot (even when switch_user is set to false).
-    executor.mutable_command()->set_user("root");
   }
 
   // Prepare an executor name which includes information on the
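Review bot: with the `set_user("root")` line and its explanatory comment removed, the surviving comment in this block only talks about stripping the image, and nothing here records that the root requirement still exists and is now satisfied elsewhere; suggest a one-line note after `clear_image()` along the lines of "The executor user is set to root at launch time by the containerizer (see `MesosContainerizerProcess::_launch`) so that `chroot` can succeed" so the next person touching `getExecutorInfo` does not reintroduce a hard-coded root user here.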
@@ -4545,11 +4541,7 @@ ExecutorInfo Slave::getExecutorInfo(
         gracePeriod.ns());
   }
 
-  // We skip setting the user for the command executor that has
-  // a rootfs image since we need root permissions to chroot.
-  // We assume command executor will change to the correct user
-  // later on.
-  if (!hasRootfs && task.command().has_user()) {
+  if (task.command().has_user()) {
     executor.mutable_command()->set_user(task.command().user());
   }
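Review bot: dropping `!hasRootfs` from the condition may leave `hasRootfs` unused in this function (its definition is outside the visible lines), which would trip `-Wunused-variable` on warnings-as-errors builds; please confirm it is still referenced or remove it in the same change. Behaviourally, the executor's `CommandInfo.user` now carries the framework-supplied task user even when a rootfs image is present, with the containerizer overriding the launch identity to root; the removed comment was the only place documenting that hand-off, so it would help to either keep a shortened version of it here or mention in the commit message which component is now responsible for switching from root back to `task.command().user()` after `chroot`.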