[ 
https://issues.apache.org/jira/browse/MESOS-9536?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16829023#comment-16829023
 ] 

Qian Zhang commented on MESOS-9536:
-----------------------------------

commit 40beae143a24a35f85b047ef8ee243581f1c3c69
Author: Qian Zhang 
Date: Fri Apr 19 17:22:45 2019 +0800

Made nested container able to access its sandbox via `MESOS_SANDBOX`.
 
 Previously in MESOS-8332 we narrowed task sandbox permissions from 0755
 to 0750, which may cause a nested container not to have permission to
 access its sandbox via the environment variable `MESOS_SANDBOX`. Now in
 this patch, for a nested container which does not have its own rootfs, we
 bind mount its sandbox to the directory specified via the agent flag
 `--sandbox_directory` and set `MESOS_SANDBOX` to `--sandbox_directory`
 as well; in this way such a nested container will have the permission
 to access its sandbox via `MESOS_SANDBOX`.
 
 Review: https://reviews.apache.org/r/70514

commit 510aa02f9a53b1209e9deeaf65f25db2c0ccd96b
Author: Qian Zhang 
Date: Mon Apr 22 15:44:35 2019 +0800

Added a test to verify non-root nested container can access its sandbox.
 
 Review: https://reviews.apache.org/r/70515

> Nested container launched with non-root user may not be able to write to its sandbox via the environment variable `MESOS_SANDBOX`
> ---------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: MESOS-9536
>                 URL: https://issues.apache.org/jira/browse/MESOS-9536
>             Project: Mesos
>          Issue Type: Bug
>          Components: containerization
>    Affects Versions: 1.6.0, 1.6.1, 1.7.0, 1.8.0
>            Reporter: Qian Zhang
>            Assignee: Qian Zhang
>            Priority: Critical
>
> Launch a nested container to write to its sandbox via the env var 
> `MESOS_SANDBOX`. The nested container is launched with a non-root user (e.g., 
> `nobody`) and its parent container (i.e., the default executor) is launched 
> with root since `mesos-execute` is executed with `sudo` in the example below.
> {code:java}
> $ sudo src/mesos-execute --master=<master-IP>:5050 --task_group=file:///tmp/task_group.json
> $ cat /tmp/task_group.json
> {
>   "tasks":[
>     {
>       "name" : "test",
>       "task_id" : {"value" : "test"},
>       "agent_id": {"value" : ""},
>       "resources": [
>         {"name": "cpus", "type": "SCALAR", "scalar": {"value": 0.1}},
>         {"name": "mem", "type": "SCALAR", "scalar": {"value": 32}}
>       ],
>       "command": {
>         "user": "nobody",
>         "value": "echo data > $MESOS_SANDBOX/file"
>       }
>     }
>   ]
> }
> {code}
> The nested container will fail.
> {code:java}
> I0125 16:04:03.610659 10064 scheduler.cpp:189] Version: 1.8.0
> I0125 16:04:03.641856 10066 scheduler.cpp:355] Using default 'basic' HTTP authenticatee
> I0125 16:04:03.643841 10063 scheduler.cpp:538] New master detected at [email protected]:5050
> Subscribed with ID 1ae64562-dbf9-4b24-af88-1cbcdc2ae71d-0002
> Submitted task group with tasks [ test ] to agent '12866186-dc2b-48a9-88ad-f9d951cf8c7f-S0'
> Received status update TASK_STARTING for task 'test'
>   source: SOURCE_EXECUTOR
> Received status update TASK_RUNNING for task 'test'
>   source: SOURCE_EXECUTOR
> Received status update TASK_FAILED for task 'test'
>   message: 'Command exited with status 2'
>   source: SOURCE_EXECUTOR
> {code}
> In the stderr of the nested container, we can see it has no permission to do 
> the write.
> {code:java}
> $ sudo cat /opt/mesos/slaves/12866186-dc2b-48a9-88ad-f9d951cf8c7f-S0/frameworks/1ae64562-dbf9-4b24-af88-1cbcdc2ae71d-0002/executors/default-executor/runs/c7173fd8-9c01-49f5-a092-bdad78609260/containers/bf8f6ac8-2f8a-4300-9fe6-a830f602f654/stderr
>  
> Marked '/' as rslave
> sh: 1: cannot create /opt/mesos/slaves/12866186-dc2b-48a9-88ad-f9d951cf8c7f-S0/frameworks/1ae64562-dbf9-4b24-af88-1cbcdc2ae71d-0002/executors/default-executor/runs/c7173fd8-9c01-49f5-a092-bdad78609260/containers/bf8f6ac8-2f8a-4300-9fe6-a830f602f654/file: Permission denied
> {code}
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
