You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mesos.apache.org by qi...@apache.org on 2018/11/08 09:36:43 UTC
[mesos] branch 1.7.x updated (f87d669 -> 222ec27)
This is an automated email from the ASF dual-hosted git repository.
qianzhang pushed a change to branch 1.7.x
in repository https://gitbox.apache.org/repos/asf/mesos.git.
from f87d669 Added MESOS-9152 and MESOS-9164 to the 1.7.1 CHANGELOG.
new 262961d Made nested container runs as its parent container's user by default.
new 614a8d6 Added a test `ROOT_UNPRIVILEGED_USER_DefaultExecutorCommandHealthCheck`.
new f63e3d1 Fixed a coding error that a test waited on a wrong task status update.
new 222ec27 Added MESOS-9332 to the 1.7.1 CHANGELOG.
The 4 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails. The revisions
listed as "add" were already present in the repository and have only
been added to this reference.
Summary of changes:
CHANGELOG | 1 +
src/slave/containerizer/mesos/containerizer.cpp | 10 ++
src/slave/http.cpp | 16 +--
src/tests/health_check_tests.cpp | 143 +++++++++++++++++++++++-
4 files changed, 155 insertions(+), 15 deletions(-)
[mesos] 04/04: Added MESOS-9332 to the 1.7.1 CHANGELOG.
Posted by qi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
qianzhang pushed a commit to branch 1.7.x
in repository https://gitbox.apache.org/repos/asf/mesos.git
commit 222ec278aeb98ef9c6fc948df182a42f27552b44
Author: Qian Zhang <zh...@gmail.com>
AuthorDate: Thu Nov 8 17:26:41 2018 +0800
Added MESOS-9332 to the 1.7.1 CHANGELOG.
---
CHANGELOG | 1 +
1 file changed, 1 insertion(+)
diff --git a/CHANGELOG b/CHANGELOG
index 0353172..e487b89 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -23,6 +23,7 @@ Release Notes - Mesos - Version 1.7.1 (WIP)
* [MESOS-9295] - Nested container launch could fail if the agent upgrade with new cgroup subsystems.
* [MESOS-9308] - URI disk profile adaptor could deadlock.
* [MESOS-9325] - Optimize `Resources::filter` operation.
+ * [MESOS-9332] - Nested container should run as the same user of its parent container by default.
* [MESOS-9334] - Container stuck at ISOLATING state due to libevent poll never returns.
** Improvement:
[mesos] 01/04: Made nested container runs as its parent container's
user by default.
Posted by qi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
qianzhang pushed a commit to branch 1.7.x
in repository https://gitbox.apache.org/repos/asf/mesos.git
commit 262961d28e454954933ff640285ee2d1af93e554
Author: Qian Zhang <zh...@gmail.com>
AuthorDate: Fri Oct 26 09:23:27 2018 +0800
Made nested container runs as its parent container's user by default.
Review: https://reviews.apache.org/r/69234
---
src/slave/containerizer/mesos/containerizer.cpp | 10 ++++++++++
src/slave/http.cpp | 16 ++--------------
2 files changed, 12 insertions(+), 14 deletions(-)
diff --git a/src/slave/containerizer/mesos/containerizer.cpp b/src/slave/containerizer/mesos/containerizer.cpp
index 6c27000..8446ba1 100644
--- a/src/slave/containerizer/mesos/containerizer.cpp
+++ b/src/slave/containerizer/mesos/containerizer.cpp
@@ -1855,6 +1855,16 @@ Future<Containerizer::LaunchResult> MesosContainerizerProcess::_launch(
}
// Determine the user to launch the container as.
+ // Inherit user from the parent container for nested containers, and it can be
+ // overridden by the user in nested container's `commandInfo`, if specified.
+ if (containerId.has_parent()) {
+ if (containers_[containerId.parent()]->config.isSome() &&
+ containers_[containerId.parent()]->config->has_user()) {
+ launchInfo.set_user(
+ containers_[containerId.parent()]->config->user());
+ }
+ }
+
if (container->config->has_user()) {
launchInfo.set_user(container->config->user());
}
diff --git a/src/slave/http.cpp b/src/slave/http.cpp
index bd194ba..f7be16e 100644
--- a/src/slave/http.cpp
+++ b/src/slave/http.cpp
@@ -2498,8 +2498,6 @@ Future<Response> Http::_launchContainer(
ContentType,
const Owned<ObjectApprovers>& approvers) const
{
- Option<string> user;
-
// Attempt to get the executor associated with this ContainerID.
// We only expect to get the executor when launching a nested container
// under a container launched via a scheduler. In other cases, we are
@@ -2517,24 +2515,14 @@ Future<Response> Http::_launchContainer(
executor->info, framework->info, commandInfo, containerId)) {
return Forbidden();
}
-
- // By default, we use the executor's user.
- // The CommandInfo can override it, if specified.
- user = executor->user;
}
ContainerConfig containerConfig;
containerConfig.mutable_command_info()->CopyFrom(commandInfo);
#ifndef __WINDOWS__
- if (slave->flags.switch_user) {
- if (commandInfo.has_user()) {
- user = commandInfo.user();
- }
-
- if (user.isSome()) {
- containerConfig.set_user(user.get());
- }
+ if (slave->flags.switch_user && commandInfo.has_user()) {
+ containerConfig.set_user(commandInfo.user());
}
#endif // __WINDOWS__
[mesos] 02/04: Added a test
`ROOT_UNPRIVILEGED_USER_DefaultExecutorCommandHealthCheck`.
Posted by qi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
qianzhang pushed a commit to branch 1.7.x
in repository https://gitbox.apache.org/repos/asf/mesos.git
commit 614a8d6d641d910ec7bb7a38ac9c141d38f089e7
Author: Qian Zhang <zh...@gmail.com>
AuthorDate: Wed Oct 31 17:18:18 2018 -0700
Added a test `ROOT_UNPRIVILEGED_USER_DefaultExecutorCommandHealthCheck`.
Review: https://reviews.apache.org/r/69235
---
src/tests/health_check_tests.cpp | 141 +++++++++++++++++++++++++++++++++++++++
1 file changed, 141 insertions(+)
diff --git a/src/tests/health_check_tests.cpp b/src/tests/health_check_tests.cpp
index fe3937d..5eb2bbf 100644
--- a/src/tests/health_check_tests.cpp
+++ b/src/tests/health_check_tests.cpp
@@ -1904,6 +1904,147 @@ TEST_F_TEMP_DISABLED_ON_WINDOWS(
}
+// This test verifies that the debug container launched by the command health
+// check will be run as the user of its parent container rather than the user
+// of the default executor. This is a regression test for MESOS-9332.
+TEST_F_TEMP_DISABLED_ON_WINDOWS(
+ HealthCheckTest, ROOT_UNPRIVILEGED_USER_DefaultExecutorCommandHealthCheck)
+{
+ Try<Owned<cluster::Master>> master = StartMaster();
+ ASSERT_SOME(master);
+
+ slave::Flags flags = CreateSlaveFlags();
+
+#ifndef USE_SSL_SOCKET
+ // Set permissive ACLs in the agent so that the local authorizer will be
+ // loaded and implicit executor authorization will be tested.
+ ACLs acls;
+ acls.set_permissive(true);
+
+ flags.acls = acls;
+#endif // USE_SSL_SOCKET
+
+ Fetcher fetcher(flags);
+
+ // We have to explicitly create a `Containerizer` in non-local mode,
+ // because `LaunchNestedContainerSession` (used by command health
+ // checks) tries to start a IO switchboard, which doesn't work in
+ // local mode yet.
+ Try<MesosContainerizer*> _containerizer =
+ MesosContainerizer::create(flags, false, &fetcher);
+
+ ASSERT_SOME(_containerizer);
+
+ Owned<slave::Containerizer> containerizer(_containerizer.get());
+ Owned<MasterDetector> detector = master.get()->createDetector();
+
+ Try<Owned<cluster::Slave>> agent =
+ StartSlave(detector.get(), containerizer.get(), flags);
+
+ ASSERT_SOME(agent);
+
+ Option<string> user = os::getenv("SUDO_USER");
+ ASSERT_SOME(user);
+
+ // Set the framework user to a non-root user so the default executor will
+ // also be run as this non-root user since the default executor always runs
+ // as the same user of the framework.
+ FrameworkInfo frameworkInfo = DEFAULT_FRAMEWORK_INFO;
+ frameworkInfo.set_user(user.get());
+
+ MockScheduler sched;
+ MesosSchedulerDriver driver(
+ &sched, frameworkInfo, master.get()->pid, DEFAULT_CREDENTIAL);
+
+ Future<FrameworkID> frameworkId;
+ EXPECT_CALL(sched, registered(&driver, _, _))
+ .WillOnce(FutureArg<1>(&frameworkId));
+
+ Future<vector<Offer>> offers;
+ EXPECT_CALL(sched, resourceOffers(&driver, _))
+ .WillOnce(FutureArg<1>(&offers))
+ .WillRepeatedly(Return()); // Ignore subsequent offers.
+
+ driver.start();
+
+ AWAIT_READY(frameworkId);
+
+ AWAIT_READY(offers);
+ ASSERT_FALSE(offers->empty());
+
+ Future<TaskStatus> statusStarting;
+ Future<TaskStatus> statusRunning;
+ Future<TaskStatus> statusHealthy;
+
+ EXPECT_CALL(sched, statusUpdate(&driver, _))
+ .WillOnce(FutureArg<1>(&statusStarting))
+ .WillOnce(FutureArg<1>(&statusRunning))
+ .WillOnce(FutureArg<1>(&statusHealthy));
+
+ // Launch a task as root user to create a file.
+ TaskInfo task = createTask(offers->front(), "touch file && sleep 120");
+ task.mutable_command()->set_user("root");
+
+ // Run the command health check without specifying user in its `CommandInfo`,
+ // and the health check will try to write to the file created by the task.
+ // Since the debug container launched by the health check will run as the same
+ // user (i.e., root user) of its parent container (i.e., the task), it will
+ // have the permission to write to the file.
+ HealthCheck healthCheck;
+ healthCheck.set_type(HealthCheck::COMMAND);
+ healthCheck.mutable_command()->set_value("echo abc > file");
+ healthCheck.set_delay_seconds(0);
+ healthCheck.set_interval_seconds(0);
+ healthCheck.set_grace_period_seconds(0);
+
+ task.mutable_health_check()->CopyFrom(healthCheck);
+
+ Resources executorResources =
+ allocatedResources(Resources::parse("cpus:0.1;mem:32;disk:32").get(), "*");
+
+ task.mutable_resources()->CopyFrom(task.resources() - executorResources);
+
+ TaskGroupInfo taskGroup;
+ taskGroup.add_tasks()->CopyFrom(task);
+
+ ExecutorInfo executor;
+ executor.mutable_executor_id()->set_value("default");
+ executor.set_type(ExecutorInfo::DEFAULT);
+ executor.mutable_framework_id()->CopyFrom(frameworkId.get());
+ executor.mutable_resources()->CopyFrom(executorResources);
+ executor.mutable_shutdown_grace_period()->set_nanoseconds(Seconds(10).ns());
+
+ driver.acceptOffers(
+ {offers->front().id()}, {LAUNCH_GROUP(executor, taskGroup)});
+
+ AWAIT_READY(statusStarting);
+ EXPECT_EQ(TASK_STARTING, statusStarting->state());
+
+ AWAIT_READY(statusRunning);
+ EXPECT_EQ(TASK_RUNNING, statusRunning->state());
+
+ AWAIT_READY(statusHealthy);
+ EXPECT_EQ(TASK_RUNNING, statusHealthy->state());
+ EXPECT_EQ(
+ TaskStatus::REASON_TASK_HEALTH_CHECK_STATUS_UPDATED,
+ statusHealthy->reason());
+ EXPECT_TRUE(statusHealthy->has_healthy());
+ EXPECT_TRUE(statusHealthy->healthy());
+
+ Future<hashset<ContainerID>> containerIds = containerizer->containers();
+
+ AWAIT_READY(containerIds);
+
+ driver.stop();
+ driver.join();
+
+ // Cleanup all mesos launched containers.
+ foreach (const ContainerID& containerId, containerIds.get()) {
+ AWAIT_READY(containerizer->wait(containerId));
+ }
+}
+
+
// Fixture for testing TCP/HTTP(S) health check support
// for Docker containers on Docker user network.
class DockerContainerizerHealthCheckTest
[mesos] 03/04: Fixed a coding error that a test waited on a wrong
task status update.
Posted by qi...@apache.org.
This is an automated email from the ASF dual-hosted git repository.
qianzhang pushed a commit to branch 1.7.x
in repository https://gitbox.apache.org/repos/asf/mesos.git
commit f63e3d14fd56f5eb37aa1e40c4939bad9254c738
Author: Qian Zhang <zh...@gmail.com>
AuthorDate: Thu Nov 1 13:35:49 2018 -0700
Fixed a coding error that a test waited on a wrong task status update.
Review: https://reviews.apache.org/r/69236
---
src/tests/health_check_tests.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/tests/health_check_tests.cpp b/src/tests/health_check_tests.cpp
index 5eb2bbf..55a2581 100644
--- a/src/tests/health_check_tests.cpp
+++ b/src/tests/health_check_tests.cpp
@@ -1740,7 +1740,7 @@ TEST_F_TEMP_DISABLED_ON_WINDOWS(
driver.acceptOffers(
{offers->front().id()}, {LAUNCH_GROUP(executor, taskGroup)});
- AWAIT_READY(statusRunning);
+ AWAIT_READY(statusStarting);
EXPECT_EQ(TASK_STARTING, statusStarting->state());
AWAIT_READY(statusRunning);