Posted to issues@mesos.apache.org by "Qian Zhang (JIRA)" <ji...@apache.org> on 2018/10/18 08:42:00 UTC

[jira] [Commented] (MESOS-9332) Debug container should run as the same user of its parent container by default

    [ https://issues.apache.org/jira/browse/MESOS-9332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16654873#comment-16654873 ] 

Qian Zhang commented on MESOS-9332:
-----------------------------------

The possible solution would be, when setting the `user` field of `ContainerLaunchInfo` for a container in the method `MesosContainerizerProcess::_launch`, if it is a debug container, get its parent container's user from the parent container's `ContainerConfig` and use it for the debug container.

> Debug container should run as the same user of its parent container by default
> ------------------------------------------------------------------------------
>
>                 Key: MESOS-9332
>                 URL: https://issues.apache.org/jira/browse/MESOS-9332
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization
>            Reporter: Qian Zhang
>            Priority: Major
>
> Currently, when launching a debug container, by default the Mesos agent will use the executor's user as the debug container's user if the `user` field is not specified in the debug container's `commandInfo` (see [this code|https://github.com/apache/mesos/blob/1.7.0/src/slave/http.cpp#L2559] for details). This is OK for the command task since the command executor's user is the same as the command task's user (see [this code|https://github.com/apache/mesos/blob/1.7.0/src/slave/slave.cpp#L6068:L6070] for details), so the debug container will be launched as the same user as the task. But for a task in a task group, the default executor's user is the same as the framework user (see [this code|https://github.com/apache/mesos/blob/1.7.0/src/slave/slave.cpp#L8959] for details), so in this case the debug container will be launched as the same user as the framework rather than the task. So in a scenario where the framework user is a normal user but the task user is root, the debug container will be launched as the normal user, which is not desired; the expectation is that the debug container should run as the same user as the container it debugs.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
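
The following is an added example, not part of the original message and not Mesos source code: a small model contrasting the fallback described in the issue (executor's user) with the one proposed in the comment (parent container's user). The `Agent` and `Container` types, the function names, the user name "app" and the unknown-parent fallback are all assumptions made for illustration.

```cpp
// Hypothetical model of the user selection discussed in MESOS-9332.
// Types and function names are illustrative, not Mesos source code.
#include <iostream>
#include <map>
#include <string>

struct Container {
  std::string user;    // user the container runs as
};

struct Agent {
  std::string executorUser;                     // user of the executor
  std::map<std::string, Container> containers;  // running containers by id
};

// Behaviour described in the issue: with no `user` requested (empty string),
// the debug container falls back to the executor's user.
std::string debugUserCurrent(const Agent& agent, const std::string& requested,
                             const std::string& /*parentId*/) {
  return requested.empty() ? agent.executorUser : requested;
}

// Behaviour proposed in the comment: fall back to the parent container's user.
std::string debugUserProposed(const Agent& agent, const std::string& requested,
                              const std::string& parentId) {
  if (!requested.empty()) return requested;  // explicit user still wins
  std::map<std::string, Container>::const_iterator it =
      agent.containers.find(parentId);
  // Assumption: an unknown parent keeps the old executor-user fallback.
  return it != agent.containers.end() ? it->second.user : agent.executorUser;
}

// Constructed scenario: default executor runs as framework user "app",
// while the task in the task group runs as root.
Agent taskGroupScenario() {
  Agent a;
  a.executorUser = "app";
  a.containers["task"].user = "root";
  return a;
}

int main() {
  Agent a = taskGroupScenario();
  std::cout << "current:  " << debugUserCurrent(a, "", "task") << "\n"
            << "proposed: " << debugUserProposed(a, "", "task") << "\n";
  return 0;
}
```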