[ https://issues.apache.org/jira/browse/MESOS-4757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15171267#comment-15171267 ]
James Peach commented on MESOS-4757:
------------------------------------

I think this is a problematic approach. Switching credentials tends to be a bit subtle on many systems and it doesn't easily decompose into separate operations. For example, BSD requires (or assumes) that the first {{setgroups(2)}} element is the primary GID. {{NGROUPS_MAX}} is a dynamic parameter on many systems. In Darwin, {{setgroups(2)}} just primes the kernel credential cache, but only if you call the {{initgroups}} system call afterwards.

I suggest that a more reliable approach is to keep doing a full credential switch before the {{pivot_root}}, but retain enough capabilities to be able to enter the chroot afterwards.

> Mesos containerizer should get uid/gids before pivot_root.
> ----------------------------------------------------------
>
> Key: MESOS-4757
> URL: https://issues.apache.org/jira/browse/MESOS-4757
> Project: Mesos
> Issue Type: Bug
> Reporter: Jie Yu
> Assignee: Jie Yu
>
> Currently, we call os::su(user) after pivot_root. This is problematic because
> /etc/passwd and /etc/group might be missing in the container's root filesystem.
> We should instead get the uid/gids before pivot_root, and call
> setuid/setgroups after pivot_root.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
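The two-phase switch the issue proposes (resolve the name to numeric ids while the host's passwd/group databases are still reachable, then apply only numeric ids after pivot_root), as an added C example that is not Mesos code. The primary-GID-first ordering follows the BSD point raised in the comment, and `place_primary_first`, `resolve_credentials` and `apply_credentials` are names assumed here, not Mesos/stout APIs.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Numeric identity, captured before pivot_root(2) while the host's
 * /etc/passwd and /etc/group are still reachable (assumed layout). */
struct creds {
    uid_t  uid;
    gid_t  gid;      /* primary GID */
    int    ngroups;  /* entries in groups[] */
    gid_t *groups;   /* supplementary list, primary GID at index 0 */
};

/* Put `primary` at groups[0], moving or inserting it; returns the new
 * count. groups[] must have room for n + 1 entries. */
int place_primary_first(gid_t *groups, int n, gid_t primary) {
    int i = 0;
    while (i < n && groups[i] != primary) i++;
    if (i == n) n++;                    /* absent: insert at the front */
    memmove(groups + 1, groups, (size_t)i * sizeof *groups);
    groups[0] = primary;
    return n;
}

/* Phase 1 (before pivot_root): resolve the user name to numeric ids. */
int resolve_credentials(const char *user, struct creds *c) {
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return -1;
    gid_t probe; int n = 0;
    getgrouplist(user, pw->pw_gid, &probe, &n);  /* first call sizes n */
    gid_t *groups = malloc((size_t)(n + 1) * sizeof *groups);
    if (groups == NULL) return -1;
    if (getgrouplist(user, pw->pw_gid, groups, &n) == -1) { free(groups); return -1; }
    c->uid = pw->pw_uid; c->gid = pw->pw_gid; c->groups = groups;
    c->ngroups = place_primary_first(groups, n, pw->pw_gid);
    return 0;
}

/* Phase 2 (after pivot_root): numeric ids only, so the container rootfs
 * needs no passwd/group files. Order is groups, gid, uid: dropping uid
 * first would lose the privilege the other two calls require. */
int apply_credentials(const struct creds *c) {
    if (setgroups((size_t)c->ngroups, c->groups) == -1) return -1;
    if (setgid(c->gid) == -1 || setuid(c->uid) == -1) return -1;
    return (c->uid != 0 && setuid(0) == 0) ? -1 : 0;  /* full switch must be irreversible */
}
```

`apply_credentials` must run with the privilege to call `setgroups(2)`; it is the step that replaces the post-pivot `os::su(user)` lookup.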