Posted to commits@mesos.apache.org by qi...@apache.org on 2018/11/08 09:31:43 UTC
[mesos] 01/04: Made nested container runs as its parent container's
user by default.
This is an automated email from the ASF dual-hosted git repository.
qianzhang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git
commit be494213083b27bc768c919f3df1df2bca899955
Author: Qian Zhang <zh...@gmail.com>
AuthorDate: Fri Oct 26 09:23:27 2018 +0800
Made nested container runs as its parent container's user by default.
Review: https://reviews.apache.org/r/69234
---
src/slave/containerizer/mesos/containerizer.cpp | 10 ++++++++++
src/slave/http.cpp | 16 ++--------------
2 files changed, 12 insertions(+), 14 deletions(-)
diff --git a/src/slave/containerizer/mesos/containerizer.cpp b/src/slave/containerizer/mesos/containerizer.cpp
index 03a4e0f..181a4da 100644
--- a/src/slave/containerizer/mesos/containerizer.cpp
+++ b/src/slave/containerizer/mesos/containerizer.cpp
@@ -1857,6 +1857,16 @@ Future<Containerizer::LaunchResult> MesosContainerizerProcess::_launch(
}
// Determine the user to launch the container as.
+ // Inherit user from the parent container for nested containers, and it can be
+ // overridden by the user in nested container's `commandInfo`, if specified.
+ if (containerId.has_parent()) {
+ if (containers_[containerId.parent()]->config.isSome() &&
+ containers_[containerId.parent()]->config->has_user()) {
+ launchInfo.set_user(
+ containers_[containerId.parent()]->config->user());
+ }
+ }
+
if (container->config->has_user()) {
launchInfo.set_user(container->config->user());
}
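Review bot: When the parent's `config` is None, the added block sets nothing and gives no signal, so unless the nested container's own config names a user, `launchInfo` is left without one; the `user = executor->user;` default removed from src/slave/http.cpp (last hunk) no longer covers that case. If an unset user means the container runs as the agent's own account, as seems likely, that is a quiet privilege change that deserves at least a log line, e.g. `LOG(WARNING) << "Cannot inherit user for nested container " << containerId << ": parent config unavailable";`. Separately, `containers_[containerId.parent()]` is evaluated three times, and `operator[]` would default-insert an empty entry that is then dereferenced if the parent were missing; a single `const Owned<Container>& parent = containers_.at(containerId.parent());` avoids both. `_launch` starts and ends outside the hunk, so whether the parent is guaranteed to be present at this point is not visible here.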
diff --git a/src/slave/http.cpp b/src/slave/http.cpp
index 0d27ab5..816aed1 100644
--- a/src/slave/http.cpp
+++ b/src/slave/http.cpp
@@ -2491,8 +2491,6 @@ Future<Response> Http::_launchContainer(
ContentType,
const Owned<ObjectApprovers>& approvers) const
{
- Option<string> user;
-
// Attempt to get the executor associated with this ContainerID.
// We only expect to get the executor when launching a nested container
// under a container launched via a scheduler. In other cases, we are
@@ -2510,24 +2508,14 @@ Future<Response> Http::_launchContainer(
executor->info, framework->info, commandInfo, containerId)) {
return Forbidden();
}
-
- // By default, we use the executor's user.
- // The CommandInfo can override it, if specified.
- user = executor->user;
}
ContainerConfig containerConfig;
containerConfig.mutable_command_info()->CopyFrom(commandInfo);
#ifndef __WINDOWS__
- if (slave->flags.switch_user) {
- if (commandInfo.has_user()) {
- user = commandInfo.user();
- }
-
- if (user.isSome()) {
- containerConfig.set_user(user.get());
- }
+ if (slave->flags.switch_user && commandInfo.has_user()) {
+ containerConfig.set_user(commandInfo.user());
}
#endif // __WINDOWS__
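Review bot: Nothing in this function now says where the default user comes from, since the removed comment about the executor's user was the only statement of it. A comment above the `switch_user` check would keep the two files connected, e.g. `// Only an explicit override is set here; the default user is inherited from the parent container in MesosContainerizerProcess::_launch.` The override still comes straight from the request's `commandInfo`, so the comment could also name the authorization check expected to gate it; only the approver call inside the executor branch is visible in this hunk. `_launchContainer` continues outside the hunk.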