Posted to commits@mesos.apache.org by ya...@apache.org on 2016/11/08 18:28:02 UTC
mesos git commit: Used an environment variable to pass command
environment.
Repository: mesos
Updated Branches:
refs/heads/master a0309709f -> ee0830675
Used an environment variable to pass command environment.
Review: https://reviews.apache.org/r/53500
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/ee083067
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/ee083067
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/ee083067
Branch: refs/heads/master
Commit: ee083067551bc324b6e4b3285dedf15f3b4a07d9
Parents: a030970
Author: Jiang Yan Xu <xu...@apple.com>
Authored: Fri Nov 4 00:20:45 2016 -0700
Committer: Jiang Yan Xu <xu...@apple.com>
Committed: Tue Nov 8 08:44:15 2016 -0800
----------------------------------------------------------------------
src/slave/containerizer/mesos/containerizer.cpp | 15 +++++++++++++--
src/slave/containerizer/mesos/main.cpp | 2 +-
2 files changed, 14 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/ee083067/src/slave/containerizer/mesos/containerizer.cpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/containerizer.cpp b/src/slave/containerizer/mesos/containerizer.cpp
index 32fba76..e57064c 100644
--- a/src/slave/containerizer/mesos/containerizer.cpp
+++ b/src/slave/containerizer/mesos/containerizer.cpp
@@ -1191,6 +1191,7 @@ Future<bool> MesosContainerizerProcess::_launch(
CHECK_EQ(container->state, PREPARING);
+ // The environment for the launched command.
JSON::Object environment;
foreachpair (const string& key, const string& value, _environment) {
environment.values[key] = value;
@@ -1391,7 +1392,17 @@ Future<bool> MesosContainerizerProcess::_launch(
MesosContainerizerLaunch::Flags launchFlags;
launchFlags.command = JSON::protobuf(launchCommand.get());
- launchFlags.environment = environment;
+
+ // The launch helper should inherit the agent's environment.
+ map<string, string> launchEnvironment = os::environment();
+
+ // Passing the command environment via an environment variable
+ // to the lauch helper instead of a flag due to the sensitivity
+ // of environment variables. Otherwise the command environment
+ // would have been visible through commands like `ps` which are
+ // not protected from unprivileged users on the host.
+ launchEnvironment["MESOS_CONTAINERIZER_ENVIRONMENT"] =
+ stringify(environment);
if (rootfs.isNone()) {
// NOTE: If the executor shares the host filesystem, we should
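Review bot: The comment above `launchEnvironment["MESOS_CONTAINERIZER_ENVIRONMENT"]` says why the value is kept off the command line, but not where it remains readable. On Linux a process's environment can still be read through `/proc/<pid>/environ` by the same user and by root, and because `launchEnvironment` starts from `os::environment()` the helper carries every agent variable as well. Whether the helper removes `MESOS_CONTAINERIZER_ENVIRONMENT` from its own environment before it execs the command is not visible in this hunk and should be confirmed, so the serialized command environment is not handed on as an extra variable. I would add a line such as `// NOTE: The launch helper is expected to consume this variable and not pass it on to the command.` and fix the typo `lauch` -> `launch`. `_launch` begins and ends outside the hunk.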
@@ -1484,7 +1495,7 @@ Future<bool> MesosContainerizerProcess::_launch(
(local ? Subprocess::FD(STDERR_FILENO)
: Subprocess::IO(subprocessInfo.err)),
&launchFlags,
- None(),
+ launchEnvironment,
namespaces); // 'namespaces' will be ignored by PosixLauncher.
if (forked.isError()) {
http://git-wip-us.apache.org/repos/asf/mesos/blob/ee083067/src/slave/containerizer/mesos/main.cpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/main.cpp b/src/slave/containerizer/mesos/main.cpp
index 1a0e765..f2d9afb 100644
--- a/src/slave/containerizer/mesos/main.cpp
+++ b/src/slave/containerizer/mesos/main.cpp
@@ -40,7 +40,7 @@ int main(int argc, char** argv)
#ifdef __linux__
return Subcommand::dispatch(
- None(),
+ "MESOS_CONTAINERIZER_",
argc,
argv,
new MesosContainerizerLaunch(),
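Review bot: Nothing at the `Subcommand::dispatch` call documents that the `"MESOS_CONTAINERIZER_"` argument presumably makes the subcommand load matching environment variables as flags. Since the helper now receives a copy of the agent's environment (`os::environment()` in containerizer.cpp), any `MESOS_CONTAINERIZER_*` variable set for the agent would reach the helper's flag loading too. A comment at the call would help, e.g. `// Flags are also loaded from MESOS_CONTAINERIZER_* variables; the agent passes the command environment this way to keep it out of argv.` The prefix and the `"MESOS_CONTAINERIZER_ENVIRONMENT"` key in containerizer.cpp are separate string literals, so a shared constant would stop them drifting apart. `main` continues outside the hunk.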