Posted to commits@mesos.apache.org by qi...@apache.org on 2018/11/19 02:08:10 UTC

[mesos] branch 1.7.x updated: Fixed an issue about inheriting user for nested containers.

This is an automated email from the ASF dual-hosted git repository.

qianzhang pushed a commit to branch 1.7.x
in repository https://gitbox.apache.org/repos/asf/mesos.git


The following commit(s) were added to refs/heads/1.7.x by this push:
     new 7061702  Fixed an issue about inheriting user for nested containers.
7061702 is described below

commit 706170289a0d3558d788938eeba6d07dc9504225
Author: Qian Zhang <zh...@gmail.com>
AuthorDate: Sat Nov 17 17:28:48 2018 +0800

    Fixed an issue about inheriting user for nested containers.
    
    Previously we inherited the user from the parent container for nested
    containers in `MesosContainerizerProcess::_launch`, but that was too
    late: the nested container would be launched as a non-root user while
    its sandbox directory had already been created with root as owner
    (assuming no user is specified in the nested container's `commandInfo`
    and the default executor is launched as a non-root user), so the nested
    container did not have permission to write to its own sandbox.
    
    In this patch, we inherit user for nested containers in an earlier
    place (i.e., `MesosContainerizerProcess::launch`) to avoid the
    above issue.
    
    Review: https://reviews.apache.org/r/69376
---
 src/slave/containerizer/mesos/containerizer.cpp | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/src/slave/containerizer/mesos/containerizer.cpp b/src/slave/containerizer/mesos/containerizer.cpp
index 8446ba1..2345193 100644
--- a/src/slave/containerizer/mesos/containerizer.cpp
+++ b/src/slave/containerizer/mesos/containerizer.cpp
@@ -1194,9 +1194,9 @@ Future<Containerizer::LaunchResult> MesosContainerizerProcess::launch(
   // to modify it based on the parent container (for nested containers).
   ContainerConfig containerConfig = _containerConfig;
 
-  // For nested containers, we must perform some extra validation
-  // (i.e. does the parent exist?) and create the sandbox directory
-  // based on the parent's sandbox.
+  // For nested containers, we must perform some extra validation (i.e. does
+  // the parent exist?), inherit user from parent if needed and create the
+  // sandbox directory based on the parent's sandbox.
   if (containerId.has_parent()) {
     if (containerConfig.has_task_info() ||
         containerConfig.has_executor_info()) {
@@ -1222,6 +1222,14 @@ Future<Containerizer::LaunchResult> MesosContainerizerProcess::launch(
           " is in 'DESTROYING' state");
     }
 
+    // Inherit user from the parent container iff there is no
+    // user specified in the nested container's `commandInfo`.
+    if (!containerConfig.has_user() &&
+        containers_[parentContainerId]->config.isSome() &&
+        containers_[parentContainerId]->config->has_user()) {
+      containerConfig.set_user(containers_[parentContainerId]->config->user());
+    }
+
     const ContainerID rootContainerId =
       protobuf::getRootContainerId(containerId);
 
@@ -1855,16 +1863,6 @@ Future<Containerizer::LaunchResult> MesosContainerizerProcess::_launch(
   }
 
   // Determine the user to launch the container as.
-  // Inherit user from the parent container for nested containers, and it can be
-  // overridden by the user in nested container's `commandInfo`, if specified.
-  if (containerId.has_parent()) {
-    if (containers_[containerId.parent()]->config.isSome() &&
-        containers_[containerId.parent()]->config->has_user()) {
-      launchInfo.set_user(
-          containers_[containerId.parent()]->config->user());
-    }
-  }
-
   if (container->config->has_user()) {
     launchInfo.set_user(container->config->user());
   }