Posted to commits@mesos.apache.org by gi...@apache.org on 2017/07/28 19:28:17 UTC

[2/4] mesos git commit: Added regression test for sandbox_path volume ownership issue.

Added regression test for sandbox_path volume ownership issue.

Added regression test for sandbox_path volume ownership issue.

Review: https://reviews.apache.org/r/61121/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/f99a7170
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/f99a7170
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/f99a7170

Branch: refs/heads/master
Commit: f99a7170716bba52b05732833fb26df1d01e2b42
Parents: 63fd94c
Author: Gilbert Song <so...@gmail.com>
Authored: Fri Jul 28 12:27:52 2017 -0700
Committer: Gilbert Song <so...@gmail.com>
Committed: Fri Jul 28 12:27:52 2017 -0700

----------------------------------------------------------------------
 .../volume_sandbox_path_isolator_tests.cpp      | 94 ++++++++++++++++++++
 1 file changed, 94 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/f99a7170/src/tests/containerizer/volume_sandbox_path_isolator_tests.cpp
----------------------------------------------------------------------
diff --git a/src/tests/containerizer/volume_sandbox_path_isolator_tests.cpp b/src/tests/containerizer/volume_sandbox_path_isolator_tests.cpp
index 3228b9a..0da01c1 100644
--- a/src/tests/containerizer/volume_sandbox_path_isolator_tests.cpp
+++ b/src/tests/containerizer/volume_sandbox_path_isolator_tests.cpp
@@ -147,6 +147,100 @@ TEST_F(VolumeSandboxPathIsolatorTest, SharedVolume)
   EXPECT_WTERMSIG_EQ(SIGKILL, wait.get()->status());
 }
 
+
+// This is a regression test for MESOS-7830. It is a ROOT test to
+// simulate the scenario that the framework user is non-root while
+// the agent process is root, to make sure that non-root user can
+// still have the permission to write to the volume as expected.
+TEST_F(VolumeSandboxPathIsolatorTest, ROOT_SandboxPathVolumeOwnership)
+{
+  slave::Flags flags = CreateSlaveFlags();
+  flags.isolation = "volume/sandbox_path";
+
+  Fetcher fetcher(flags);
+
+  Try<MesosContainerizer*> create = MesosContainerizer::create(
+      flags,
+      true,
+      &fetcher);
+
+  ASSERT_SOME(create);
+
+  Owned<MesosContainerizer> containerizer(create.get());
+
+  SlaveState state;
+  state.id = SlaveID();
+
+  AWAIT_READY(containerizer->recover(state));
+
+  ContainerID containerId;
+  containerId.set_value(UUID::random().toString());
+
+  ExecutorInfo executor = createExecutorInfo("executor", "sleep 99", "cpus:1");
+
+  Try<string> directory = environment->mkdtemp();
+  ASSERT_SOME(directory);
+
+  // Simulate the executor sandbox ownership as the user
+  // from FrameworkInfo.
+  ASSERT_SOME(os::chown("nobody", directory.get()));
+
+  Future<bool> launch = containerizer->launch(
+      containerId,
+      createContainerConfig(None(), executor, directory.get(), "nobody"),
+      map<string, string>(),
+      None());
+
+  AWAIT_ASSERT_TRUE(launch);
+
+  ContainerID nestedContainerId;
+  nestedContainerId.mutable_parent()->CopyFrom(containerId);
+  nestedContainerId.set_value(UUID::random().toString());
+
+  ContainerInfo containerInfo;
+  containerInfo.set_type(ContainerInfo::MESOS);
+
+  Volume* volume = containerInfo.add_volumes();
+  volume->set_mode(Volume::RW);
+  volume->set_container_path("parent");
+
+  Volume::Source* source = volume->mutable_source();
+  source->set_type(Volume::Source::SANDBOX_PATH);
+
+  Volume::Source::SandboxPath* sandboxPath = source->mutable_sandbox_path();
+  sandboxPath->set_type(Volume::Source::SandboxPath::PARENT);
+  sandboxPath->set_path("shared");
+
+  launch = containerizer->launch(
+      nestedContainerId,
+      createContainerConfig(
+          createCommandInfo("echo 'hello' > parent/file"),
+          containerInfo,
+          None(),
+          "nobody"),
+      map<string, string>(),
+      None());
+
+  AWAIT_ASSERT_TRUE(launch);
+
+  Future<Option<ContainerTermination>> wait =
+    containerizer->wait(nestedContainerId);
+
+  AWAIT_READY(wait);
+  ASSERT_SOME(wait.get());
+  ASSERT_TRUE(wait.get()->has_status());
+  EXPECT_WEXITSTATUS_EQ(0, wait.get()->status());
+
+  wait = containerizer->wait(containerId);
+
+  containerizer->destroy(containerId);
+
+  AWAIT_READY(wait);
+  ASSERT_SOME(wait.get());
+  ASSERT_TRUE(wait.get()->has_status());
+  EXPECT_WTERMSIG_EQ(SIGKILL, wait.get()->status());
+}
+
 } // namespace tests {
 } // namespace internal {
 } // namespace mesos {
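Review bot: The only check on the nested container in ROOT_SandboxPathVolumeOwnership is `EXPECT_WEXITSTATUS_EQ(0, wait.get()->status())`, which shows that `nobody` could write to `parent/file` but not why the write was permitted. As written, the test would also pass if the isolator created `shared` with world-writable permissions rather than with the task user as owner, so a loosened-permission regression would go unnoticed. After the nested container exits, I would assert the owner of the directory created in the parent sandbox, along the lines of `EXPECT_SOME_EQ(os::getuid("nobody").get(), os::stat::uid(path::join(directory.get(), "shared")));`, and ideally check that its mode does not grant write access to others. The test also assumes a `nobody` account exists on the host; a short comment above the `os::chown` call saying so would help anyone debugging a failure on a minimal image.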