Posted to commits@mesos.apache.org by qi...@apache.org on 2018/11/08 09:31:43 UTC

[mesos] 01/04: Made nested container runs as its parent container's user by default.

This is an automated email from the ASF dual-hosted git repository.

qianzhang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit be494213083b27bc768c919f3df1df2bca899955
Author: Qian Zhang <zh...@gmail.com>
AuthorDate: Fri Oct 26 09:23:27 2018 +0800

    Made nested container runs as its parent container's user by default.
    
    Review: https://reviews.apache.org/r/69234
---
 src/slave/containerizer/mesos/containerizer.cpp | 10 ++++++++++
 src/slave/http.cpp                              | 16 ++--------------
 2 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/src/slave/containerizer/mesos/containerizer.cpp b/src/slave/containerizer/mesos/containerizer.cpp
index 03a4e0f..181a4da 100644
--- a/src/slave/containerizer/mesos/containerizer.cpp
+++ b/src/slave/containerizer/mesos/containerizer.cpp
@@ -1857,6 +1857,16 @@ Future<Containerizer::LaunchResult> MesosContainerizerProcess::_launch(
   }
 
   // Determine the user to launch the container as.
+  // Inherit user from the parent container for nested containers, and it can be
+  // overridden by the user in nested container's `commandInfo`, if specified.
+  if (containerId.has_parent()) {
+    if (containers_[containerId.parent()]->config.isSome() &&
+        containers_[containerId.parent()]->config->has_user()) {
+      launchInfo.set_user(
+          containers_[containerId.parent()]->config->user());
+    }
+  }
+
   if (container->config->has_user()) {
     launchInfo.set_user(container->config->user());
   }
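Review bot: The inherited user is read from the parent's `config->user()`, which on the lines shown is only present when the parent named a user itself, so a container nested two levels deep whose immediate parent inherited its user would see `has_user()` return false and launch with no user set in `launchInfo`, presumably falling back to the agent's own user. `_launch` continues outside the hunk, so confirm whether the effective user is written back into the parent's config elsewhere; if it is not, resolve the user by walking up `containerId.parent()` until a config with a user is found. Separately, `containers_[containerId.parent()]` is evaluated three times and dereferenced without a presence check; if `operator[]` default-inserts here, a parent that has already been removed yields a null entry, so guard it first, e.g. `if (containerId.has_parent() && containers_.contains(containerId.parent())) {`, and take the entry once.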
diff --git a/src/slave/http.cpp b/src/slave/http.cpp
index 0d27ab5..816aed1 100644
--- a/src/slave/http.cpp
+++ b/src/slave/http.cpp
@@ -2491,8 +2491,6 @@ Future<Response> Http::_launchContainer(
     ContentType,
     const Owned<ObjectApprovers>& approvers) const
 {
-  Option<string> user;
-
   // Attempt to get the executor associated with this ContainerID.
   // We only expect to get the executor when launching a nested container
   // under a container launched via a scheduler. In other cases, we are
@@ -2510,24 +2508,14 @@ Future<Response> Http::_launchContainer(
             executor->info, framework->info, commandInfo, containerId)) {
       return Forbidden();
     }
-
-    // By default, we use the executor's user.
-    // The CommandInfo can override it, if specified.
-    user = executor->user;
   }
 
   ContainerConfig containerConfig;
   containerConfig.mutable_command_info()->CopyFrom(commandInfo);
 
 #ifndef __WINDOWS__
-  if (slave->flags.switch_user) {
-    if (commandInfo.has_user()) {
-      user = commandInfo.user();
-    }
-
-    if (user.isSome()) {
-      containerConfig.set_user(user.get());
-    }
+  if (slave->flags.switch_user && commandInfo.has_user()) {
+    containerConfig.set_user(commandInfo.user());
   }
 #endif // __WINDOWS__
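Review bot: Nothing near the `switch_user` check says what happens when `commandInfo` carries no user, because the comment that stated the default was removed together with `user = executor->user;`. A short comment above the `if` would keep the contract visible in this handler: `// No user in CommandInfo: the containerizer inherits the parent container's user.` It is also worth noting there that with `switch_user` disabled a user requested in `commandInfo` is ignored, since this hunk shows that gate while the parent-user inheritance added in containerizer.cpp is not visibly gated the same way. `_launchContainer` starts and ends outside the hunk.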