Posted to dev@mesos.apache.org by Craig Vanderborgh <cr...@gmail.com> on 2013/03/12 21:11:11 UTC

mesos-slave permissions problem w/multiple users

Hi:

We are trying to run Spark on Mesos on a pseudodistributed configuration.
We have run into a problem:

When running mesos-master and mesos-slave, Spark jobs will not work UNLESS:

1. mesos-master and mesos-slave are run as root

OR

2. mesos-master and mesos-slave are run as the SAME USER that runs the
Spark job.

The issue is that mesos-slave is trying to do a "chown -R" to change
ownership of the workspace to the user's user id: group, this looks as
follows in the mesos-slave log:

Sent signal to 19690
I0312 14:04:06.542518 19028 process_based_isolation_module.cpp:108]
Launching 201303121358-154111754-5050-18285-1
(/a/m5/craigv/spark/spark-0.7.0/spark-executor) in
/tmp/mesos/slaves/201303121358-154111754-5050-18285-1/frameworks/201303121358-154111754-5050-18285-0002/executors/201303121358-154111754-5050-18285-1/runs/079573f4-33f2-43aa-b75d-75f09c34dfd2
with resources mem=512' for framework 201303121358-154111754-5050-18285-0002
I0312 14:04:06.543321 19028 process_based_isolation_module.cpp:153] Forked
executor at 19731
chown: changing ownership of
`/tmp/mesos/slaves/201303121358-154111754-5050-18285-1/frameworks/201303121358-154111754-5050-18285-0002/executors/201303121358-154111754-5050-18285-1/runs/079573f4-33f2-43aa-b75d-75f09c34dfd2':
Operation not permitted

We do not want to run mesos-master/mesos-slave as root, so what are our
options?  How can we set up our configuration so that the "chown -R" works
but we're not running the process as root?

Please advise.

Thanks in advance,
Craig Vanderborgh

Re: mesos-slave permissions problem w/multiple users

Posted by Benjamin Hindman <be...@eecs.berkeley.edu>.
Hi Craig,

As you determined, the easiest solution for now is to run the mesos-master
and mesos-slave as the user that you're running your analytics as. This is
clearly an insufficient solution, but we haven't determined a better
solution yet.

If this is too insufficient for you, you can look into enabling chown for
non-root users. I think this is possible on
Fedora<http://aplawrence.com/Words2005/2005_05_24.html>.
In addition, you'll need to give the mesos-slave user the ability to switch
user without a password. See
here<http://serverfault.com/questions/459480/how-to-grant-su-access-without-password-to-one-user-only-in-wheel-group-freebsd>
.

Ben.

Re: mesos-slave permissions problem w/multiple users

Posted by Vinod Kone <vi...@gmail.com>.
On Tue, Mar 12, 2013 at 1:30 PM, Vinod Kone <vi...@twitter.com> wrote:

> Hi Craig,
>
> There is a flag called '--switch_user' for mesos-slave, that instructs
> whether the slave should run the executor/spark-job as the user submitting
> the job (default) or whether to run it as user under which mesos-slave is
> running (--switch_user=false).
>
> I imagine you want to turn the flag off and let the job run as mesos-slave
> user.
>
>
> @vinodkone

Re: mesos-slave permissions problem w/multiple users

Posted by Vinod Kone <vi...@twitter.com>.
Hi Craig,

There is a flag called '--switch_user' for mesos-slave, that instructs
whether the slave should run the executor/spark-job as the user submitting
the job (default) or whether to run it as user under which mesos-slave is
running (--switch_user=false).

I imagine you want to turn the flag off and let the job run as mesos-slave
user.

Note that, if the slave is not running as super-user there is no way to
do a 'chown <different-user>'.
From the chown's man page:
     For obvious security reasons, the ownership of a file may only be
     altered by a super-user.  Similarly, only a member of a group can
     change a file's group ID to that group.


@vinodkone
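
Added example, not part of any post in this thread: a preflight check for the account that runs mesos-slave, deciding whether the chown and user switch discussed above can succeed without full root. It assumes Linux (CapEff in /proc/<pid>/status, bit numbers from <linux/capability.h>); the function names are hypothetical, and only the --switch_user flag comes from the thread.

```shell
#!/bin/sh
# Capability bit numbers as defined in <linux/capability.h>.
CAP_CHOWN=0     # change file ownership to another user
CAP_SETGID=6    # switch group IDs
CAP_SETUID=7    # switch user IDs

# has_cap HEXMASK BIT: succeeds if BIT is set in a CapEff-style hex mask.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# missing_privs HEXMASK: prints the capabilities the slave would still need
# to chown the executor work directory and run the job as the submitting user.
missing_privs() {
    missing=""
    has_cap "$1" "$CAP_CHOWN"  || missing="$missing CAP_CHOWN"
    has_cap "$1" "$CAP_SETGID" || missing="$missing CAP_SETGID"
    has_cap "$1" "$CAP_SETUID" || missing="$missing CAP_SETUID"
    echo "${missing# }"
}

# switch_user_setting HEXMASK: the --switch_user value this account can support.
switch_user_setting() {
    if [ -z "$(missing_privs "$1")" ]; then echo true; else echo false; fi
}

# preflight: report on the account running this script.
preflight() {
    capeff=$(awk '/^CapEff:/ {print $2}' "/proc/$$/status" 2>/dev/null || true)
    if [ -z "$capeff" ]; then
        echo "CapEff not available (not Linux?); cannot check"
        return 0
    fi
    need=$(missing_privs "$capeff")
    echo "effective capabilities: $capeff"
    [ -n "$need" ] && echo "missing for user switching: $need"
    echo "usable setting: --switch_user=$(switch_user_setting "$capeff")"
}

preflight
```

Run it as the account that will start mesos-slave; a result of false means jobs can only run as that account.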