You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@mesos.apache.org by ji...@apache.org on 2016/10/15 00:26:04 UTC

[1/2] mesos git commit: Fixed the sandbox owner for command tasks.

Repository: mesos
Updated Branches:
  refs/heads/1.0.x eba605e64 -> 914bb5f2f


Fixed the sandbox owner for command tasks.

If the task has a rootfs, the command executor will be run under root
because it needs to perform pivot_root. Prior to this patch, if the
task wants to run under an unprivileged user, the sandbox of that task
will not be writable because it's owned by root.

This patch fixed the issue (MESOS-6391). The command executor now
changes the owner (non-recursively) of the sandbox to match that of
the task when rootfs is specified for the task.

Review: https://reviews.apache.org/r/52854

*** Modified for 1.0.x ***


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/abdb3e02
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/abdb3e02
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/abdb3e02

Branch: refs/heads/1.0.x
Commit: abdb3e024a9fa8648962f89d27c81e517fa337b8
Parents: eba605e
Author: Jie Yu <yu...@gmail.com>
Authored: Thu Oct 13 20:28:08 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Fri Oct 14 17:20:34 2016 -0700

----------------------------------------------------------------------
 src/launcher/posix/executor.cpp | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/abdb3e02/src/launcher/posix/executor.cpp
----------------------------------------------------------------------
diff --git a/src/launcher/posix/executor.cpp b/src/launcher/posix/executor.cpp
index 6814b9f..1c423f0 100644
--- a/src/launcher/posix/executor.cpp
+++ b/src/launcher/posix/executor.cpp
@@ -22,8 +22,6 @@
 #include <stout/protobuf.hpp>
 #include <stout/strings.hpp>
 
-#include <stout/os/raw/argv.hpp>
-
 #include "internal/devolve.hpp"
 
 #include "launcher/posix/executor.hpp"
@@ -92,6 +90,21 @@ pid_t launchTaskPosix(
     launchFlags.working_directory = workingDirectory.isSome()
       ? workingDirectory
       : sandboxDirectory;
+
+    // TODO(jieyu): If the task has a rootfs, the executor itself will
+    // be running as root. Its sandbox is owned by root as well. In
+    // order for the task to be able to access to its sandbox, we need
+    // to make sure the owner of the sandbox is 'user'. However, this
+    // is still a workaround. The owner of the files downloaded by the
+    // fetcher is still not correct (i.e., root).
+    if (user.isSome()) {
+      // NOTE: We only chown the sandbox directory (non-recursively).
+      Try<Nothing> chown = os::chown(user.get(), os::getcwd(), false);
+      if (chown.isError()) {
+        ABORT("Failed to chown sandbox to user " +
+              user.get() + ": " + chown.error());
+      }
+    }
   }
 
   launchFlags.rootfs = rootfs;

[2/2] mesos git commit: Added MESOS-6391 to 1.0.2 CHANGELOG.

Posted by ji...@apache.org.

Added MESOS-6391 to 1.0.2 CHANGELOG.


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/914bb5f2
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/914bb5f2
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/914bb5f2

Branch: refs/heads/1.0.x
Commit: 914bb5f2f714b925577b2f659cf02f137653008d
Parents: abdb3e0
Author: Jie Yu <yu...@gmail.com>
Authored: Fri Oct 14 17:25:04 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Fri Oct 14 17:25:46 2016 -0700

----------------------------------------------------------------------
 CHANGELOG | 1 +
 1 file changed, 1 insertion(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/914bb5f2/CHANGELOG
----------------------------------------------------------------------
diff --git a/CHANGELOG b/CHANGELOG
index 3a855eb..281725f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -21,6 +21,7 @@ All Issues:
     * [MESOS-6269] - CNI isolator doesn't activate loopback interface.
     * [MESOS-6274] - Agent should not allow HTTP based executors to subscribe before containerizer recovery is done.
     * [MESOS-6324] - CNI should not use `ifconfig` in executors `pre_exec_command`.
+    * [MESOS-6391] - Command task's sandbox should not be owned by root if it uses container image.
 
 
 Release Notes - Mesos - Version 1.0.1