Posted to user@mesos.apache.org by Qian Zhang <zh...@gmail.com> on 2018/11/08 02:20:23 UTC

Re: Propose to run nested container as the same user of its parent container by default

Agree with Gilbert, we should actually run nested containers (rather than
just debug containers) as the same user as their parent container by default.

Please let me know if you have any concerns, thanks!


Regards,
Qian Zhang


On Sat, Nov 3, 2018 at 2:56 AM Gilbert Song <gi...@mesosphere.io> wrote:

> @James Peach <jp...@apple.com> agree, for debug containers, the default
> user should inherit from the parent, while CLI tooling (e.g., task exec)
> should provide an option `--root` (by setting the CommandInfo user as root).
>
> @Qian Zhang <qz...@mesosphere.io> @Benjamin Mahler <bm...@apache.org> ,
> if we step back, it seems to me we should extend the user inheritance to
> all nested containers (instead of just debug containers). Now the default
> user for a nested container comes from the executor (see this patch
> <https://github.com/apache/mesos/commit/558613cc72248b633bb5e26ef93708abca8ccbf0#diff-8fd185b932590eb8fa1c53964f7c5a82R1956>),
> which does not make sense for 3rd-level nested containers or further.
>
> I would suggest that for any type of nested container (debug container, check
> container, nested container, etc.), its user should just inherit from its
> parent's user. This would not change the behavior of the default executor, but
> could potentially change behavior for custom executors which support 3 levels
> or more of nesting.
>
> - Gilbert
>
> On Thu, Oct 25, 2018 at 9:51 AM Vinod Kone <vi...@apache.org> wrote:
>
>> Sounds good to me.
>>
>> If I understand correctly, you want to treat this as a bug and backport
>> it to previous release branches? So, you are also asking whether
>> backporting this bug fix will be considered a breaking change for any existing
>> users?
>>
>> On Thu, Oct 25, 2018 at 11:46 AM James Peach <jp...@apache.org> wrote:
>>
>>>
>>>
>>> On Oct 23, 2018, at 7:47 PM, Qian Zhang <zh...@gmail.com> wrote:
>>>
>>> Hi all,
>>>
>>> Currently, when launching a debug container (e.g., via `dcos task exec`
>>> or a command health check) to debug a task, by default the Mesos agent will use
>>> the executor's user as the debug container's user. There are actually 2
>>> cases:
>>> 1. Command task: Since the command executor's user is the same as the command
>>> task's user, the debug container will be launched as the same user as
>>> the command task.
>>> 2. The task in a task group: The default executor's user is the same as
>>> the framework user, so in this case the debug container will be launched as
>>> the same user as the framework rather than the task.
>>>
>>> Basically I think the behavior of case 1 is correct. For case 2, we may
>>> run into a situation where the task is run as a user (e.g., root), but the
>>> debug container used to debug that task is run as another user (e.g., a
>>> normal user, supposing the framework is run as a normal user); this may not be
>>> what the user expects.
>>>
>>> So I created MESOS-9332
>>> <https://issues.apache.org/jira/browse/MESOS-9332> and propose to run
>>> the debug container as the same user as its parent container (i.e., the task to
>>> be debugged) by default. Please let me know if you have any comments,
>>> thanks!
>>>
>>>
>>> This sounds like a sensible default to me. I can imagine for debug use
>>> cases you might want to run the debug container as root or give it elevated
>>> capabilities, but that should not be the default.
>>>
>>> J
>>>
>>
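To make the two defaults discussed in this thread concrete, the following is a constructed Python model added here; it is not Mesos code, and the `Container` class, the resolver function names and the sample user names are assumptions for illustration. It resolves the effective user of a nested container under the current default (the top-level executor's user) and under the proposed default (the immediate parent's user), for the task-group case from the original mail and for a third-level nested container.

```python
"""Constructed model of default-user resolution for nested containers.

Not Mesos code: the Container class, the two resolver functions and the
sample user names below are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Container:
    name: str
    kind: str                      # "executor", "task", "debug", "check", "nested"
    user: Optional[str] = None     # user explicitly set in CommandInfo, else None
    parent: Optional["Container"] = None


def resolve_user_executor_default(c: Container) -> str:
    """Current behaviour described in the thread: a nested container without an
    explicit user falls back to the user of the top-level (executor) container,
    however deep the nesting is."""
    if c.user is not None:
        return c.user
    top = c
    while top.parent is not None:
        top = top.parent
    if top.user is None:
        raise ValueError(f"top-level container {top.name} has no user")
    return top.user


def resolve_user_parent_default(c: Container) -> str:
    """Proposed behaviour: a nested container without an explicit user inherits
    from its immediate parent, so the resolved user of an N-level container is
    the nearest ancestor that set one."""
    if c.user is not None:
        return c.user
    if c.parent is None:
        raise ValueError(f"top-level container {c.name} has no user")
    return resolve_user_parent_default(c.parent)


def task_group_debug_case() -> Tuple[str, str]:
    """Case 2 from the mail: the default executor runs as the framework user,
    the task in the task group runs as root, and a debug container is launched
    against the task with no explicit user. Returns (current, proposed)."""
    executor = Container("default-executor", "executor", user="framework-user")
    task = Container("task-1", "task", user="root", parent=executor)
    debug = Container("task-1-debug", "debug", parent=task)   # no explicit user
    return (resolve_user_executor_default(debug),
            resolve_user_parent_default(debug))


def third_level_case() -> Tuple[str, str]:
    """A custom executor nesting three levels deep: executor -> nested container
    running as 'svc' -> grandchild with no explicit user. Returns (current, proposed)."""
    executor = Container("custom-executor", "executor", user="framework-user")
    child = Container("level-2", "nested", user="svc", parent=executor)
    grandchild = Container("level-3", "nested", parent=child)  # no explicit user
    return (resolve_user_executor_default(grandchild),
            resolve_user_parent_default(grandchild))


def explicit_root_override() -> Tuple[str, str]:
    """The CLI `--root` option mentioned by Gilbert, modelled as CommandInfo
    user=root: an explicit user wins under both policies."""
    executor = Container("default-executor", "executor", user="framework-user")
    task = Container("task-1", "task", user="alice", parent=executor)
    debug = Container("task-1-debug", "debug", user="root", parent=task)
    return (resolve_user_executor_default(debug),
            resolve_user_parent_default(debug))


if __name__ == "__main__":
    for label, fn in [("task group debug", task_group_debug_case),
                      ("third level", third_level_case),
                      ("explicit --root", explicit_root_override)]:
        current, proposed = fn()
        print(f"{label:18s} current={current:15s} proposed={proposed}")
```

The task-group case is the one the proposal targets: under the current default the debug container silently drops from the task's user (root) to the framework user, so the debugger does not see the task's view of the filesystem and capabilities; under the proposed default it matches the task. The third-level case shows Gilbert's point that "use the executor's user" stops making sense once a custom executor nests deeper than two levels, while an explicit CommandInfo user still overrides either default.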