[ 
https://issues.apache.org/jira/browse/MESOS-4757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15172440#comment-15172440
 ] 

Ian Downes commented on MESOS-4757:
-----------------------------------

IMHO this is incorrect and highlights the inconsistent relationship we have 
between the host and the container environments, mostly attributable to our 
history of running in the host context. Ideally, the container should be 
completely independent of the host configuration! It should not be resolving 
user/group names to uids/gids using the host's database. That is making huge 
assumptions about consistent configuration across a cluster -- and an external 
system to maintain it -- that are unnecessary and undesirable.

I suggest something like the following behavior when container images are used:
# If a job specifies a user and group name then the container image *must* 
include the necessary user and group database files and must resolve the names 
to ids. If not, then it fails.
# Support the job specifying uid and gid(s) directly.
# Also support picking the user and gid off a file in the image (I think appc 
supports this?).

If a container image is not used then fall back to the current (and terrible) 
behavior of using the host's databases.

Thoughts?

> Mesos containerizer should get uid/gids before pivot_root.
> ----------------------------------------------------------
>
>                 Key: MESOS-4757
>                 URL: https://issues.apache.org/jira/browse/MESOS-4757
>             Project: Mesos
>          Issue Type: Bug
>            Reporter: Jie Yu
>            Assignee: Jie Yu
>
> Currently, we call os::su(user) after pivot_root. This is problematic because 
> /etc/passwd and /etc/group might be missing in container's root filesystem. 
> We should instead, get the uid/gids before pivot_root, and call 
> setuid/setgroups after pivot_root.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
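Added example, not Mesos code and not from either commenter: it shows the ordering the issue asks for (resolve names to numeric ids while the image's files are still reachable, apply the ids only after pivot_root) and the first of the proposed behaviors above (resolve against the image's own /etc/passwd and /etc/group and fail if the image lacks them, never against the host database). The function names resolve_from_streams, resolve_in_rootfs, apply_creds and demo_resolve are hypothetical, the passwd/group contents are constructed, and pivot_root itself is only marked as a comment since it needs CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 32

/* Numeric credentials: resolved before pivot_root, applied after it. */
struct creds {
    uid_t uid;
    gid_t gid;                 /* primary group from the passwd entry */
    gid_t groups[MAX_GROUPS];  /* supplementary groups from the group file */
    int ngroups;
};

/* Split s on sep in place, keeping empty fields (strtok would skip them and
 * mis-parse an entry with an empty password field). Returns field count. */
static int split(char *s, char sep, char *out[], int max) {
    int n = 0;
    out[n++] = s;
    for (char *p = s; *p && n < max; p++)
        if (*p == sep) { *p = '\0'; out[n++] = p + 1; }
    return n;
}

/* Strict unsigned id parse: the whole field must be digits. */
static int parse_id(const char *s, unsigned long *out) {
    char *end;
    errno = 0;
    *out = strtoul(s, &end, 10);
    return (*s != '\0' && *end == '\0' && errno == 0) ? 0 : -1;
}

/* Resolve `user` from passwd- and group-format streams (hypothetical helper).
 * Returns 0 on success, -1 if the user is absent or its entry is malformed. */
int resolve_from_streams(FILE *pw, FILE *gr, const char *user, struct creds *c) {
    char line[1024], *f[8];
    unsigned long v;
    int found = 0;
    memset(c, 0, sizeof *c);
    while (fgets(line, sizeof line, pw)) {
        line[strcspn(line, "\n")] = '\0';
        if (split(line, ':', f, 8) < 4 || strcmp(f[0], user) != 0) continue;
        if (parse_id(f[2], &v) < 0) return -1;
        c->uid = (uid_t)v;
        if (parse_id(f[3], &v) < 0) return -1;
        c->gid = (gid_t)v;
        found = 1;
        break;
    }
    if (!found) return -1;
    /* Supplementary groups: every group whose member list names the user. */
    while (gr && fgets(line, sizeof line, gr) && c->ngroups < MAX_GROUPS) {
        line[strcspn(line, "\n")] = '\0';
        if (split(line, ':', f, 8) < 4 || parse_id(f[2], &v) < 0) continue;
        char *m[64];
        int nm = split(f[3], ',', m, 64);
        for (int i = 0; i < nm; i++)
            if (strcmp(m[i], user) == 0) { c->groups[c->ngroups++] = (gid_t)v; break; }
    }
    return 0;
}

/* Read the image's own database from the host's view of the rootfs, before
 * pivot_root. A missing passwd file is a hard failure: no host fallback. */
int resolve_in_rootfs(const char *rootfs, const char *user, struct creds *c) {
    char path[4096];
    snprintf(path, sizeof path, "%s/etc/passwd", rootfs);
    FILE *pw = fopen(path, "r");
    if (!pw) return -1;
    snprintf(path, sizeof path, "%s/etc/group", rootfs);
    FILE *gr = fopen(path, "r");  /* optional: no supplementary groups if absent */
    int rc = resolve_from_streams(pw, gr, user, c);
    fclose(pw);
    if (gr) fclose(gr);
    return rc;
}

/* After pivot_root: only numeric ids are touched, so /etc/passwd and /etc/group
 * need not exist in the new root. Drop groups and gid while still root, uid last. */
int apply_creds(const struct creds *c) {
    if (setgroups((size_t)c->ngroups, c->groups) < 0) return -1;
    if (setgid(c->gid) < 0) return -1;
    return setuid(c->uid);
}

/* Constructed in-memory image database, used by main() and the test. */
int demo_resolve(const char *user, struct creds *c) {
    char passwd[] = "root:x:0:0:root:/root:/bin/sh\napp::1000:1000::/home/app:/bin/sh\n";
    char group[] = "root:x:0:\napp:x:1000:\nvideo:x:44:app,other\naudio:x:29:other\n";
    FILE *pw = fmemopen(passwd, strlen(passwd), "r");
    FILE *gr = fmemopen(group, strlen(group), "r");
    int rc = resolve_from_streams(pw, gr, user, c);
    fclose(pw);
    fclose(gr);
    return rc;
}

int main(void) {
    struct creds c;
    if (demo_resolve("app", &c) < 0) { fprintf(stderr, "no such user in image\n"); return 1; }
    /* ... pivot_root() into the image would happen here, then apply_creds(&c) ... */
    printf("uid=%u gid=%u supplementary:", (unsigned)c.uid, (unsigned)c.gid);
    for (int i = 0; i < c.ngroups; i++) printf(" %u", (unsigned)c.groups[i]);
    printf("\n");
    return 0;
}
```

The point of the split is that everything name-based happens in resolve_from_streams or resolve_in_rootfs on the host side of the pivot, and apply_creds carries only integers across it; the same struct would serve the second proposed behavior (uid/gid given directly by the job) with the resolution step skipped.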