Posted to issues@mesos.apache.org by "Till Toenshoff (JIRA)" <ji...@apache.org> on 2016/12/07 17:54:58 UTC

[jira] [Commented] (MESOS-6747) ContainerLogger runnable must not inherit the slave environment.

    [ https://issues.apache.org/jira/browse/MESOS-6747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15729392#comment-15729392 ] 

Till Toenshoff commented on MESOS-6747:
---------------------------------------

This did not pop up earlier because originally the mesos-logrotate-logger was running in the agent context and as the agent user, hence it had no issues accessing the key-file. Now that https://issues.apache.org/jira/browse/MESOS-5856 has landed, the logger is running as a different user, causing this problem to surface.

> ContainerLogger runnable must not inherit the slave environment.
> ----------------------------------------------------------------
>
>                 Key: MESOS-6747
>                 URL: https://issues.apache.org/jira/browse/MESOS-6747
>             Project: Mesos
>          Issue Type: Bug
>            Reporter: Till Toenshoff
>            Priority: Blocker
>
> The ContainerLogger module which forks a child process named "mesos-logrotate-logger" does inherit the slave's environment. Specifically things like {{LIBPROCESS_SSL_....}} variables are not meant to be picked up by that runnable and cause issues as soon as the owning user is not the same as the one owning the agent process.
> So if the agent has an SSL key set up via {{LIBPROCESS_SSL_KEY_FILE}} and if that key-file is readable by the agent user (root) only, then the {{mesos-logrotate-logger}} will try to read that file as well even though it is being run as nobody - that action will then fail the runnable and hence fail the entire task.
> {noformat}
> Could not load key file '/my/funky/key/path/key.key' (OpenSSL error #33558541): error:0200100D:system library:fopen:Permission denied
> {noformat}



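The general mitigation for the problem described in this issue, as an added example that is not Mesos code and not the project's actual fix: give the helper process an explicitly built environment instead of the parent's. The helper names and the policy of dropping every `LIBPROCESS_`-prefixed variable are assumptions made for illustration.

```cpp
// Added example, not Mesos code. scrubEnvironment/childSeesVariable and the
// "drop every LIBPROCESS_* variable" policy are hypothetical.
#include <cstdio>
#include <map>
#include <string>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

using Environment = std::map<std::string, std::string>;

// Copy of `parent` without any variable whose name starts with `prefix`.
Environment scrubEnvironment(const Environment& parent,
                             const std::string& prefix = "LIBPROCESS_") {
  Environment child;
  for (const auto& kv : parent)
    if (kv.first.compare(0, prefix.size(), prefix) != 0) child.insert(kv);
  return child;
}

// Exec /bin/sh with exactly `env` (nothing inherited from this process) and
// report whether `name` is set inside the child.
bool childSeesVariable(const Environment& env, const std::string& name) {
  std::vector<std::string> storage;
  for (const auto& kv : env) storage.push_back(kv.first + "=" + kv.second);
  std::vector<char*> envp;
  for (auto& s : storage) envp.push_back(&s[0]);
  envp.push_back(nullptr);
  std::string script = "[ -n \"${" + name + "+set}\" ]";
  char* const argv[] = {const_cast<char*>("sh"), const_cast<char*>("-c"), &script[0], nullptr};
  pid_t pid = fork();
  if (pid < 0) return false;
  if (pid == 0) {
    execve("/bin/sh", argv, envp.data());  // envp replaces the whole environment
    _exit(127);                            // exec failed
  }
  int status = 0;
  waitpid(pid, &status, 0);
  return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}

int main() {
  Environment agent = {{"LIBPROCESS_SSL_KEY_FILE", "/my/funky/key/path/key.key"},
                       {"PATH", "/usr/bin:/bin"}};  // constructed sample
  bool before = childSeesVariable(agent, "LIBPROCESS_SSL_KEY_FILE");
  bool after = childSeesVariable(scrubEnvironment(agent), "LIBPROCESS_SSL_KEY_FILE");
  std::printf("inherited: %d, scrubbed: %d\n", before, after);
  return (before && !after) ? 0 : 1;
}
```

An allowlist of variables the helper actually needs is stricter than the prefix denylist shown here, since it also keeps out secrets carried under other names.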