[
https://issues.apache.org/jira/browse/MESOS-4757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15171267#comment-15171267
]
James Peach commented on MESOS-4757:
------------------------------------
I think this is a problematic approach. Switching credentials tends to be a bit
subtle on many systems and it doesn't easily decompose into separate operations.
For example, BSD requires (or assumes) that the first {{setgroups(2)}} element
is the primary GID. {{NGROUPS_MAX}} is a dynamic parameter on many systems. In
Darwin, {{setgroups(2)}} just primes the kernel credential cache, but only if
you call the {{initgroups}} system call afterwards.
I suggest that a more reliable approach is to keep doing a full credential
switch before the {{pivot_root}}, but retain enough capabilities to be able to
enter the chroot afterwards.
> Mesos containerizer should get uid/gids before pivot_root.
> ----------------------------------------------------------
>
> Key: MESOS-4757
> URL: https://issues.apache.org/jira/browse/MESOS-4757
> Project: Mesos
> Issue Type: Bug
> Reporter: Jie Yu
> Assignee: Jie Yu
>
> Currently, we call os::su(user) after pivot_root. This is problematic because
> /etc/passwd and /etc/group might be missing in container's root filesystem.
> We should instead, get the uid/gids before pivot_root, and call
> setuid/setgroups after pivot_root.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
