You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@mesos.apache.org by "Cody Maloney (JIRA)" <ji...@apache.org> on 2015/11/06 04:16:27 UTC

[jira] [Updated] (MESOS-3836) `--executor-environment-variables` may not apply to docker containers

     [ https://issues.apache.org/jira/browse/MESOS-3836?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Cody Maloney updated MESOS-3836:
--------------------------------
    Description: 
In our use case we set {{PATH}} as part of the {{\-\-executor_environment_variables}} in order to limit what binaries all tasks which are launched via Mesos have readily available to them, making it much harder for people launching tasks on mesos to accidentally depend on something which isn't part of the "guaranteed" environment / platform.

Docker containers can be used as executors, and have a fully isolated filesystem. For executors which run in docker containers setting {{PATH}}  to our path on the host filesystem may potentially break the docker container.

The previous code of only copying across environment variables when {{includeOsEnvironment}} is set dealt with this (https://github.com/apache/mesos/blob/56510afe149758a69a5a714dfaab16111dd0d9c3/src/slave/containerizer/containerizer.cpp#L267)

if {{includeOsEnvironment}} is set than we should copy across the current {{\-\-executor_environment_variables}}. If it isn't, then {{\-\-executor_environment_variables}} shouldn't be used at all.

Another option which could be useful is to make it so that there are two sets of "Executor Environment Variables". One for when {{includeOsEnvironment}} is set, and one for when it is not.

  was:
In our use case we set {{PATH}} as part of the {{\-\-executor_environment_variables}} in order to limit what binaries all tasks which are launched via Mesos have readily available to them, making it much harder for people launching tasks on mesos to accidentally depend on something which isn't part of the "guaranteed" environment / platform.

Docker containers can be used as executors, and have a fully isolated filesystem. For executors which run in docker containers setting {{PATH}}  to our path on the host filesystem may potentially break the docker container.

The previous code of only copying across environment variables when {{includeOsEnvironment}} is set dealt with this (https://github.com/apache/mesos/blob/56510afe149758a69a5a714dfaab16111dd0d9c3/src/slave/containerizer/containerizer.cpp#L267)

if {{includeOsEnvironment}} is set than we should copy across the current {{\-\-executor_environment_variables}}. If it isn't, then either {{\-\-executor_environment_variables}} shouldn't be used at all.

Another option which could be useful is to make it so that there are two sets of "Executor Environment Variables". One for when {{includeOsEnvironment}} is set, and one for when it is not.


> `--executor-environment-variables` may not apply to docker containers
> ---------------------------------------------------------------------
>
>                 Key: MESOS-3836
>                 URL: https://issues.apache.org/jira/browse/MESOS-3836
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization, slave
>    Affects Versions: 0.25.0
>         Environment: Mesos 0.25.0 configured with --executor-environment-variables
>            Reporter: Cody Maloney
>            Priority: Minor
>              Labels: mesosphere
>
> In our use case we set {{PATH}} as part of the {{\-\-executor_environment_variables}} in order to limit what binaries all tasks which are launched via Mesos have readily available to them, making it much harder for people launching tasks on mesos to accidentally depend on something which isn't part of the "guaranteed" environment / platform.
> Docker containers can be used as executors, and have a fully isolated filesystem. For executors which run in docker containers setting {{PATH}}  to our path on the host filesystem may potentially break the docker container.
> The previous code of only copying across environment variables when {{includeOsEnvironment}} is set dealt with this (https://github.com/apache/mesos/blob/56510afe149758a69a5a714dfaab16111dd0d9c3/src/slave/containerizer/containerizer.cpp#L267)
> if {{includeOsEnvironment}} is set than we should copy across the current {{\-\-executor_environment_variables}}. If it isn't, then {{\-\-executor_environment_variables}} shouldn't be used at all.
> Another option which could be useful is to make it so that there are two sets of "Executor Environment Variables". One for when {{includeOsEnvironment}} is set, and one for when it is not.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)