Re: Review Request 43027: Optionally enable setuid inside Docker containers

2016-08-23 Thread Stephan Erb

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43027/#review118107
---




NEWS (line 6)


To make upgrading possible, you have to keep those in for now but make them 
a no-op. See https://reviews.apache.org/r/43112/


- Stephan Erb


On Feb. 13, 2016, 3:17 a.m., Benjamin Staffin wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43027/
> ---
> 
> (Updated Feb. 13, 2016, 3:17 a.m.)
> 
> 
> Review request for Aurora.
> 
> 
> Bugs: AURORA-1237
> https://issues.apache.org/jira/browse/AURORA-1237
> 
> 
> Repository: aurora
> 
> 
> Description
> ---
> 
> Adds a flag to enable the new behavior.  If enabled, also sets
> ownership of the sandbox directory appropriately.
> 
> 
> Diffs
> -
> 
>   NEWS 11a57bb18817b368f5855d6c3ff4282df3b10283 
>   src/main/python/apache/aurora/executor/bin/thermos_executor_main.py 
> f82858c528808d2a9e77bb56f16e897cfb5bbe73 
>   src/main/python/apache/aurora/executor/common/sandbox.py 
> 36f1eabedc3ae47b23d9ab2ac0ab7a576ea36fd7 
>   src/main/python/apache/aurora/executor/thermos_task_runner.py 
> 3896e3841562600379705dbf78a6f62728246348 
>   
> src/test/python/apache/aurora/executor/bin/test_thermos_executor_entry_point.py
>  e9f7851292aef3a36da5da9b0fc333a7e7750cf3 
> 
> Diff: https://reviews.apache.org/r/43027/diff/
> 
> 
> Testing
> ---
> 
> TBD
> 
> 
> Thanks,
> 
> Benjamin Staffin
> 
>



Re: Review Request 43027: Optionally enable setuid inside Docker containers

2016-02-14 Thread Joshua Cohen

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43027/#review119205
---



Impl looks good to me in general. Once tests are added, should be good to go.


src/main/python/apache/aurora/executor/bin/thermos_executor_main.py (line 172)


How do you feel about:

    return super(DefaultSandboxProvider, self)._get_sandbox_user(assigned_task) if self._docker_setuid else None



src/main/python/apache/aurora/executor/bin/thermos_executor_main.py (line 177)


Might be helpful to have a comment here explaining the allowed values?


- Joshua Cohen


On Feb. 13, 2016, 2:17 a.m., Benjamin Staffin wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43027/
> ---
> 
> (Updated Feb. 13, 2016, 2:17 a.m.)
> 
> 
> Review request for Aurora.
> 
> 
> Bugs: AURORA-1237
> https://issues.apache.org/jira/browse/AURORA-1237
> 
> 
> Repository: aurora
> 
> 
> Description
> ---
> 
> Adds a flag to enable the new behavior.  If enabled, also sets
> ownership of the sandbox directory appropriately.
> 
> 
> Diffs
> -
> 
>   NEWS 11a57bb18817b368f5855d6c3ff4282df3b10283 
>   src/main/python/apache/aurora/executor/bin/thermos_executor_main.py 
> f82858c528808d2a9e77bb56f16e897cfb5bbe73 
>   src/main/python/apache/aurora/executor/common/sandbox.py 
> 36f1eabedc3ae47b23d9ab2ac0ab7a576ea36fd7 
>   src/main/python/apache/aurora/executor/thermos_task_runner.py 
> 3896e3841562600379705dbf78a6f62728246348 
>   
> src/test/python/apache/aurora/executor/bin/test_thermos_executor_entry_point.py
>  e9f7851292aef3a36da5da9b0fc333a7e7750cf3 
> 
> Diff: https://reviews.apache.org/r/43027/diff/
> 
> 
> Testing
> ---
> 
> TBD
> 
> 
> Thanks,
> 
> Benjamin Staffin
> 
>



Re: Review Request 43027: Optionally enable setuid inside Docker containers

2016-02-13 Thread Bill Farner

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43027/#review119157
---



@ReviewBot retry

- Bill Farner


On Feb. 12, 2016, 6:17 p.m., Benjamin Staffin wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43027/
> ---
> 
> (Updated Feb. 12, 2016, 6:17 p.m.)
> 
> 
> Review request for Aurora.
> 
> 
> Bugs: AURORA-1237
> https://issues.apache.org/jira/browse/AURORA-1237
> 
> 
> Repository: aurora
> 
> 
> Description
> ---
> 
> Adds a flag to enable the new behavior.  If enabled, also sets
> ownership of the sandbox directory appropriately.
> 
> 
> Diffs
> -
> 
>   NEWS 11a57bb18817b368f5855d6c3ff4282df3b10283 
>   src/main/python/apache/aurora/executor/bin/thermos_executor_main.py 
> f82858c528808d2a9e77bb56f16e897cfb5bbe73 
>   src/main/python/apache/aurora/executor/common/sandbox.py 
> 36f1eabedc3ae47b23d9ab2ac0ab7a576ea36fd7 
>   src/main/python/apache/aurora/executor/thermos_task_runner.py 
> 3896e3841562600379705dbf78a6f62728246348 
>   
> src/test/python/apache/aurora/executor/bin/test_thermos_executor_entry_point.py
>  e9f7851292aef3a36da5da9b0fc333a7e7750cf3 
> 
> Diff: https://reviews.apache.org/r/43027/diff/
> 
> 
> Testing
> ---
> 
> TBD
> 
> 
> Thanks,
> 
> Benjamin Staffin
> 
>



Re: Review Request 43027: Optionally enable setuid inside Docker containers

2016-02-12 Thread Aurora ReviewBot

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43027/#review119132
---



Master (2b48f22) is red with this patch.
  ./build-support/jenkins/build.sh

status = self.run(options, args)
  File 
"/home/jenkins/jenkins-slave/workspace/AuroraBot/build-support/virtualenv-14.0.5/virtualenv_support/pip-8.0.2-py2.py3-none-any.whl/pip/commands/install.py",
 line 299, in run
requirement_set.prepare_files(finder)
  File 
"/home/jenkins/jenkins-slave/workspace/AuroraBot/build-support/virtualenv-14.0.5/virtualenv_support/pip-8.0.2-py2.py3-none-any.whl/pip/req/req_set.py",
 line 359, in prepare_files
ignore_dependencies=self.ignore_dependencies))
  File 
"/home/jenkins/jenkins-slave/workspace/AuroraBot/build-support/virtualenv-14.0.5/virtualenv_support/pip-8.0.2-py2.py3-none-any.whl/pip/req/req_set.py",
 line 576, in _prepare_file
session=self.session, hashes=hashes)
  File 
"/home/jenkins/jenkins-slave/workspace/AuroraBot/build-support/virtualenv-14.0.5/virtualenv_support/pip-8.0.2-py2.py3-none-any.whl/pip/download.py",
 line 809, in unpack_url
hashes=hashes
  File 
"/home/jenkins/jenkins-slave/workspace/AuroraBot/build-support/virtualenv-14.0.5/virtualenv_support/pip-8.0.2-py2.py3-none-any.whl/pip/download.py",
 line 648, in unpack_http_url
hashes)
  File 
"/home/jenkins/jenkins-slave/workspace/AuroraBot/build-support/virtualenv-14.0.5/virtualenv_support/pip-8.0.2-py2.py3-none-any.whl/pip/download.py",
 line 841, in _download_http_url
stream=True,
  File 
"/home/jenkins/jenkins-slave/workspace/AuroraBot/build-support/virtualenv-14.0.5/virtualenv_support/pip-8.0.2-py2.py3-none-any.whl/pip/_vendor/requests/sessions.py",
 line 480, in get
return self.request('GET', url, **kwargs)
  File 
"/home/jenkins/jenkins-slave/workspace/AuroraBot/build-support/virtualenv-14.0.5/virtualenv_support/pip-8.0.2-py2.py3-none-any.whl/pip/download.py",
 line 377, in request
return super(PipSession, self).request(method, url, *args, **kwargs)
  File 
"/home/jenkins/jenkins-slave/workspace/AuroraBot/build-support/virtualenv-14.0.5/virtualenv_support/pip-8.0.2-py2.py3-none-any.whl/pip/_vendor/requests/sessions.py",
 line 468, in request
resp = self.send(prep, **send_kwargs)
  File 
"/home/jenkins/jenkins-slave/workspace/AuroraBot/build-support/virtualenv-14.0.5/virtualenv_support/pip-8.0.2-py2.py3-none-any.whl/pip/_vendor/requests/sessions.py",
 line 576, in send
r = adapter.send(request, **kwargs)
  File 
"/home/jenkins/jenkins-slave/workspace/AuroraBot/build-support/virtualenv-14.0.5/virtualenv_support/pip-8.0.2-py2.py3-none-any.whl/pip/_vendor/cachecontrol/adapter.py",
 line 46, in send
resp = super(CacheControlAdapter, self).send(request, **kw)
  File 
"/home/jenkins/jenkins-slave/workspace/AuroraBot/build-support/virtualenv-14.0.5/virtualenv_support/pip-8.0.2-py2.py3-none-any.whl/pip/_vendor/requests/adapters.py",
 line 447, in send
raise SSLError(e, request=request)
SSLError: [Errno 185090050] _ssl.c:344: error:0B084002:x509 certificate 
routines:X509_load_cert_crl_file:system lib

...Installing setuptools, pip, wheel...done.
Traceback (most recent call last):
  File 
"/home/jenkins/jenkins-slave/workspace/AuroraBot/build-support/virtualenv-14.0.5/virtualenv.py",
 line 2284, in 
main()
  File 
"/home/jenkins/jenkins-slave/workspace/AuroraBot/build-support/virtualenv-14.0.5/virtualenv.py",
 line 703, in main
symlink=options.symlink)
  File 
"/home/jenkins/jenkins-slave/workspace/AuroraBot/build-support/virtualenv-14.0.5/virtualenv.py",
 line 904, in create_environment
download=download,
  File 
"/home/jenkins/jenkins-slave/workspace/AuroraBot/build-support/virtualenv-14.0.5/virtualenv.py",
 line 861, in install_wheel
call_subprocess(cmd, show_stdout=False, extra_env=env)
  File 
"/home/jenkins/jenkins-slave/workspace/AuroraBot/build-support/virtualenv-14.0.5/virtualenv.py",
 line 781, in call_subprocess
% (cmd_desc, proc.returncode))
OSError: Command /home/jenkins/jenkin...s.venv/bin/python2.7 -c "import sys, 
pip; sys...d\"] + sys.argv[1:]))" setuptools pip wheel failed with error code 2


I will refresh this build result if you post a review containing "@ReviewBot 
retry"

- Aurora ReviewBot


On Feb. 13, 2016, 2:17 a.m., Benjamin Staffin wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43027/
> ---
> 
> (Updated Feb. 13, 2016, 2:17 a.m.)
> 
> 
> Review request for Aurora.
> 
> 
> Bugs: AURORA-1237
> https://issues.apache.org/jira/browse/AURORA-1237
> 
> 
> Repository: aurora
> 
> 
> Description
> ---
> 
> Adds a flag to enable the new behavior.  If enabled, also sets
> ownership of the 

Re: Review Request 43027: Optionally enable setuid inside Docker containers

2016-02-12 Thread Benjamin Staffin

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43027/
---

(Updated Feb. 12, 2016, 6:17 p.m.)


Review request for Aurora.


Bugs: AURORA-1237
https://issues.apache.org/jira/browse/AURORA-1237


Repository: aurora


Description
---

Adds a flag to enable the new behavior.  If enabled, also sets
ownership of the sandbox directory appropriately.


Diffs (updated)
-

  NEWS 11a57bb18817b368f5855d6c3ff4282df3b10283 
  src/main/python/apache/aurora/executor/bin/thermos_executor_main.py 
f82858c528808d2a9e77bb56f16e897cfb5bbe73 
  src/main/python/apache/aurora/executor/common/sandbox.py 
36f1eabedc3ae47b23d9ab2ac0ab7a576ea36fd7 
  src/main/python/apache/aurora/executor/thermos_task_runner.py 
3896e3841562600379705dbf78a6f62728246348 
  
src/test/python/apache/aurora/executor/bin/test_thermos_executor_entry_point.py 
e9f7851292aef3a36da5da9b0fc333a7e7750cf3 

Diff: https://reviews.apache.org/r/43027/diff/


Testing
---

TBD


Thanks,

Benjamin Staffin



Re: Review Request 43027: Optionally enable setuid inside Docker containers

2016-02-05 Thread Benjamin Staffin

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43027/
---

(Updated Feb. 5, 2016, 2:57 p.m.)


Review request for Aurora.


Changes
---

Existing tests pass now. Still need to add end-to-end test(s)


Bugs: AURORA-1237
https://issues.apache.org/jira/browse/AURORA-1237


Repository: aurora


Description
---

Adds a flag to enable the new behavior.  If enabled, also sets
ownership of the sandbox directory appropriately.


Diffs (updated)
-

  NEWS 395c281e9b4ad83d2f5ec635fb7ec2da288afbdf 
  src/main/python/apache/aurora/executor/bin/thermos_executor_main.py 
f82858c528808d2a9e77bb56f16e897cfb5bbe73 
  src/main/python/apache/aurora/executor/common/sandbox.py 
d4c366e5deba1b03d1727dcc06e41661fff6c2ee 
  src/main/python/apache/aurora/executor/thermos_task_runner.py 
3896e3841562600379705dbf78a6f62728246348 
  
src/test/python/apache/aurora/executor/bin/test_thermos_executor_entry_point.py 
e9f7851292aef3a36da5da9b0fc333a7e7750cf3 

Diff: https://reviews.apache.org/r/43027/diff/


Testing
---

TBD


Thanks,

Benjamin Staffin



Re: Review Request 43027: Optionally enable setuid inside Docker containers

2016-02-05 Thread Aurora ReviewBot

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43027/#review118108
---


Ship it!




Master (a9e7a35) is green with this patch.
  ./build-support/jenkins/build.sh

I will refresh this build result if you post a review containing "@ReviewBot 
retry"

- Aurora ReviewBot


On Feb. 5, 2016, 10:57 p.m., Benjamin Staffin wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43027/
> ---
> 
> (Updated Feb. 5, 2016, 10:57 p.m.)
> 
> 
> Review request for Aurora.
> 
> 
> Bugs: AURORA-1237
> https://issues.apache.org/jira/browse/AURORA-1237
> 
> 
> Repository: aurora
> 
> 
> Description
> ---
> 
> Adds a flag to enable the new behavior.  If enabled, also sets
> ownership of the sandbox directory appropriately.
> 
> 
> Diffs
> -
> 
>   NEWS 395c281e9b4ad83d2f5ec635fb7ec2da288afbdf 
>   src/main/python/apache/aurora/executor/bin/thermos_executor_main.py 
> f82858c528808d2a9e77bb56f16e897cfb5bbe73 
>   src/main/python/apache/aurora/executor/common/sandbox.py 
> d4c366e5deba1b03d1727dcc06e41661fff6c2ee 
>   src/main/python/apache/aurora/executor/thermos_task_runner.py 
> 3896e3841562600379705dbf78a6f62728246348 
>   
> src/test/python/apache/aurora/executor/bin/test_thermos_executor_entry_point.py
>  e9f7851292aef3a36da5da9b0fc333a7e7750cf3 
> 
> Diff: https://reviews.apache.org/r/43027/diff/
> 
> 
> Testing
> ---
> 
> TBD
> 
> 
> Thanks,
> 
> Benjamin Staffin
> 
>



Re: Review Request 43027: Optionally enable setuid inside Docker containers

2016-02-04 Thread Benjamin Staffin


> On Feb. 4, 2016, 6:36 a.m., John Sirois wrote:
> > Adding explicit reviewers to the People field is the standard way of moving 
> > an RB forward.  As soon as you're ready to have this looked at again, please 
> > add reviewers and give the all clear.

Will do, thank you.


- Benjamin


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43027/#review117814
---


On Feb. 1, 2016, 6:49 p.m., Benjamin Staffin wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43027/
> ---
> 
> (Updated Feb. 1, 2016, 6:49 p.m.)
> 
> 
> Review request for Aurora.
> 
> 
> Bugs: AURORA-1237
> https://issues.apache.org/jira/browse/AURORA-1237
> 
> 
> Repository: aurora
> 
> 
> Description
> ---
> 
> Adds a flag to enable the new behavior.  If enabled, also sets
> ownership of the sandbox directory appropriately.
> 
> 
> Diffs
> -
> 
>   NEWS ef1e75f7ec467ef3a5a33c6dee5b6ef5743c11f7 
>   src/main/python/apache/aurora/executor/bin/thermos_executor_main.py 
> f4f5cd77b6444c225ec960c7e2cf5349a80bd344 
>   src/main/python/apache/aurora/executor/common/sandbox.py 
> 4780232318ffdf8c6bbbe78bee518886cffd580a 
>   src/main/python/apache/aurora/executor/thermos_task_runner.py 
> 3896e3841562600379705dbf78a6f62728246348 
> 
> Diff: https://reviews.apache.org/r/43027/diff/
> 
> 
> Testing
> ---
> 
> TBD
> 
> 
> Thanks,
> 
> Benjamin Staffin
> 
>



Re: Review Request 43027: Optionally enable setuid inside Docker containers

2016-02-04 Thread John Sirois

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43027/#review117814
---



Adding explicit reviewers to the People field is the standard way of moving an 
RB forward.  As soon as you're ready to have this looked at again, please add 
reviewers and give the all clear.

- John Sirois


On Feb. 1, 2016, 7:49 p.m., Benjamin Staffin wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43027/
> ---
> 
> (Updated Feb. 1, 2016, 7:49 p.m.)
> 
> 
> Review request for Aurora.
> 
> 
> Bugs: AURORA-1237
> https://issues.apache.org/jira/browse/AURORA-1237
> 
> 
> Repository: aurora
> 
> 
> Description
> ---
> 
> Adds a flag to enable the new behavior.  If enabled, also sets
> ownership of the sandbox directory appropriately.
> 
> 
> Diffs
> -
> 
>   NEWS ef1e75f7ec467ef3a5a33c6dee5b6ef5743c11f7 
>   src/main/python/apache/aurora/executor/bin/thermos_executor_main.py 
> f4f5cd77b6444c225ec960c7e2cf5349a80bd344 
>   src/main/python/apache/aurora/executor/common/sandbox.py 
> 4780232318ffdf8c6bbbe78bee518886cffd580a 
>   src/main/python/apache/aurora/executor/thermos_task_runner.py 
> 3896e3841562600379705dbf78a6f62728246348 
> 
> Diff: https://reviews.apache.org/r/43027/diff/
> 
> 
> Testing
> ---
> 
> TBD
> 
> 
> Thanks,
> 
> Benjamin Staffin
> 
>



Re: Review Request 43027: Optionally enable setuid inside Docker containers

2016-02-01 Thread Benjamin Staffin


> On Jan. 31, 2016, 3:29 p.m., Stephan Erb wrote:
> > With the new proposed option we'd get `--execute-as-user`, `--nosetuid`, 
> > and `--docker-setuid`. The last two are basically doing the same thing. 
> > 
> > Would it make sense to resolve this by pushing things up the stack and 
> > allow cluster administrators to provide an executor config per 
> > containerizer?
> 
> Benjamin Staffin wrote:
> The last two are doing the same thing, except that the existing behaviour 
> has the docker runner ignoring all setuid options and always running as root 
> (or possibly as the user set in the image def, if set).  I'm still trying to 
> think up a better name for this new flag that doesn't require renaming the 
> existing ones and breaking compatibility.
> 
> What if we replaced all three of those with something like: 
> `--setuid=[auto | off | always:][,nodocker]`
> 
> With the default set to `--setuid=auto,nodocker` for the current 
> behaviour,
> 
> And perhaps aliases for the old flags during a deprecation period:
> `--execute-as-user=` aliased to `--setuid=always:,nodocker`
> `--nosetuid` aliased to `--setuid=off`
> 
> If we want to push this further up the stack as you suggest, what might 
> that interface look like?
> 
> Stephan Erb wrote:
> My idea was in the line of: When starting the Aurora scheduler, I can 
> provide a different thermos command line for Docker tasks than for ordinary 
> Mesos tasks. 
> 
> But that will probably be a more complex change than the one you have 
> proposed here.

I'll take a stab at implementing the --setuid=... approach tonight if that 
sounds sane enough for now.  As far as I know it's the only place where the 
executor has inconsistent behavior between docker and not-docker, so in theory 
we won't need a bunch of special cases like this.


- Benjamin


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43027/#review117162
---


On Jan. 30, 2016, 10:50 p.m., Benjamin Staffin wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43027/
> ---
> 
> (Updated Jan. 30, 2016, 10:50 p.m.)
> 
> 
> Review request for Aurora.
> 
> 
> Bugs: AURORA-1237
> https://issues.apache.org/jira/browse/AURORA-1237
> 
> 
> Repository: aurora
> 
> 
> Description
> ---
> 
> Adds a flag to enable the new behavior.  If enabled, also sets
> ownership of the sandbox directory appropriately.
> 
> 
> Diffs
> -
> 
>   src/main/python/apache/aurora/executor/bin/thermos_executor_main.py 
> f4f5cd77b6444c225ec960c7e2cf5349a80bd344 
>   src/main/python/apache/aurora/executor/common/sandbox.py 
> 4780232318ffdf8c6bbbe78bee518886cffd580a 
>   src/main/python/apache/aurora/executor/thermos_task_runner.py 
> 3896e3841562600379705dbf78a6f62728246348 
> 
> Diff: https://reviews.apache.org/r/43027/diff/
> 
> 
> Testing
> ---
> 
> TBD
> 
> 
> Thanks,
> 
> Benjamin Staffin
> 
>
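
The `--setuid=...` syntax proposed in the message above, sketched as a parser with the two legacy aliases; this is an added example, not code from the review or from Aurora. The function names are hypothetical, and two points are assumptions the thread does not spell out: that `auto` switches to the task's role account, and that the text after `always:` is an account name.

```python
import re
from collections import namedtuple

# Conservative account-name check (assumption for this sketch): keeps shell
# metacharacters and separators out of anything later handed to setuid logic.
_USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

SetuidPolicy = namedtuple("SetuidPolicy", ["mode", "user", "apply_in_docker"])

# Default proposed in the thread to preserve the current behaviour.
DEFAULT_SPEC = "auto,nodocker"


def parse_setuid(spec):
    """Parse 'auto', 'off' or 'always:USER', optionally followed by ',nodocker'."""
    parts = spec.split(",")
    head, mods = parts[0], parts[1:]
    unknown = [m for m in mods if m != "nodocker"]
    if unknown:
        raise ValueError("unknown modifier(s): %r" % unknown)
    apply_in_docker = "nodocker" not in mods
    if head in ("auto", "off"):
        return SetuidPolicy(head, None, apply_in_docker)
    mode, sep, user = head.partition(":")
    if mode == "always" and sep:
        if not _USER_RE.match(user):
            raise ValueError("invalid account name: %r" % user)
        return SetuidPolicy("always", user, apply_in_docker)
    raise ValueError("invalid --setuid value: %r" % spec)


def spec_from_flags(setuid=None, execute_as_user=None, nosetuid=False):
    """Map the old flags onto the new syntax, as the thread's aliases describe."""
    given = sum([setuid is not None, execute_as_user is not None, bool(nosetuid)])
    if given > 1:
        raise ValueError(
            "--setuid, --execute-as-user and --nosetuid are mutually exclusive")
    if execute_as_user is not None:
        return "always:%s,nodocker" % execute_as_user
    if nosetuid:
        return "off"
    return setuid if setuid is not None else DEFAULT_SPEC


def effective_user(policy, task_role, in_docker):
    """Return the account to switch to, or None to leave the uid unchanged.

    None inside Docker means the task keeps whatever user the container
    starts with, which is the existing behaviour described in the thread.
    """
    if policy.mode == "off":
        return None
    if in_docker and not policy.apply_in_docker:
        return None
    # Assumption: 'auto' means "switch to the task's role account".
    return policy.user if policy.mode == "always" else task_role


if __name__ == "__main__":
    # Constructed inputs: each flag combination, evaluated for a Docker task.
    for flags in ({}, {"setuid": "auto"}, {"execute_as_user": "svc"},
                  {"nosetuid": True}):
        policy = parse_setuid(spec_from_flags(**flags))
        print(flags, "->", effective_user(policy, "www-data", in_docker=True))
```

Parsing the alias output through the same validator means a malformed `--execute-as-user` value is rejected by the same rules as a malformed `--setuid` value.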



Re: Review Request 43027: Optionally enable setuid inside Docker containers

2016-02-01 Thread Stephan Erb


> On Feb. 1, 2016, 12:29 a.m., Stephan Erb wrote:
> > With the new proposed option we'd get `--execute-as-user`, `--nosetuid`, 
> > and `--docker-setuid`. The last two are basically doing the same thing. 
> > 
> > Would it make sense to resolve this by pushing things up the stack and 
> > allow cluster administrators to provide an executor config per 
> > containerizer?
> 
> Benjamin Staffin wrote:
> The last two are doing the same thing, except that the existing behaviour 
> has the docker runner ignoring all setuid options and always running as root 
> (or possibly as the user set in the image def, if set).  I'm still trying to 
> think up a better name for this new flag that doesn't require renaming the 
> existing ones and breaking compatibility.
> 
> What if we replaced all three of those with something like: 
> `--setuid=[auto | off | always:][,nodocker]`
> 
> With the default set to `--setuid=auto,nodocker` for the current 
> behaviour,
> 
> And perhaps aliases for the old flags during a deprecation period:
> `--execute-as-user=` aliased to `--setuid=always:,nodocker`
> `--nosetuid` aliased to `--setuid=off`
> 
> If we want to push this further up the stack as you suggest, what might 
> that interface look like?

My idea was in the line of: When starting the Aurora scheduler, I can 
provide a different thermos command line for Docker tasks than for ordinary 
Mesos tasks. 

But that will probably be a more complex change than the one you have proposed 
here.


- Stephan


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43027/#review117162
---


On Jan. 31, 2016, 7:50 a.m., Benjamin Staffin wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43027/
> ---
> 
> (Updated Jan. 31, 2016, 7:50 a.m.)
> 
> 
> Review request for Aurora.
> 
> 
> Bugs: AURORA-1237
> https://issues.apache.org/jira/browse/AURORA-1237
> 
> 
> Repository: aurora
> 
> 
> Description
> ---
> 
> Adds a flag to enable the new behavior.  If enabled, also sets
> ownership of the sandbox directory appropriately.
> 
> 
> Diffs
> -
> 
>   src/main/python/apache/aurora/executor/bin/thermos_executor_main.py 
> f4f5cd77b6444c225ec960c7e2cf5349a80bd344 
>   src/main/python/apache/aurora/executor/common/sandbox.py 
> 4780232318ffdf8c6bbbe78bee518886cffd580a 
>   src/main/python/apache/aurora/executor/thermos_task_runner.py 
> 3896e3841562600379705dbf78a6f62728246348 
> 
> Diff: https://reviews.apache.org/r/43027/diff/
> 
> 
> Testing
> ---
> 
> TBD
> 
> 
> Thanks,
> 
> Benjamin Staffin
> 
>



Re: Review Request 43027: Optionally enable setuid inside Docker containers

2016-01-31 Thread Stephan Erb

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43027/#review117162
---



With the new proposed option we'd get `--execute-as-user`, `--nosetuid`, and 
`--docker-setuid`. The last two are basically doing the same thing. 

Would it make sense to resolve this by pushing things up the stack and allow 
cluster administrators to provide an executor config per containerizer?

- Stephan Erb


On Jan. 31, 2016, 7:50 a.m., Benjamin Staffin wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43027/
> ---
> 
> (Updated Jan. 31, 2016, 7:50 a.m.)
> 
> 
> Review request for Aurora.
> 
> 
> Bugs: AURORA-1237
> https://issues.apache.org/jira/browse/AURORA-1237
> 
> 
> Repository: aurora
> 
> 
> Description
> ---
> 
> Adds a flag to enable the new behavior.  If enabled, also sets
> ownership of the sandbox directory appropriately.
> 
> 
> Diffs
> -
> 
>   src/main/python/apache/aurora/executor/bin/thermos_executor_main.py 
> f4f5cd77b6444c225ec960c7e2cf5349a80bd344 
>   src/main/python/apache/aurora/executor/common/sandbox.py 
> 4780232318ffdf8c6bbbe78bee518886cffd580a 
>   src/main/python/apache/aurora/executor/thermos_task_runner.py 
> 3896e3841562600379705dbf78a6f62728246348 
> 
> Diff: https://reviews.apache.org/r/43027/diff/
> 
> 
> Testing
> ---
> 
> TBD
> 
> 
> Thanks,
> 
> Benjamin Staffin
> 
>



Re: Review Request 43027: Optionally enable setuid inside Docker containers

2016-01-30 Thread Benjamin Staffin

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43027/#review117137
---



Tests for this are not written yet.

- Benjamin Staffin


On Jan. 30, 2016, 10:50 p.m., Benjamin Staffin wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43027/
> ---
> 
> (Updated Jan. 30, 2016, 10:50 p.m.)
> 
> 
> Review request for Aurora.
> 
> 
> Bugs: AURORA-1237
> https://issues.apache.org/jira/browse/AURORA-1237
> 
> 
> Repository: aurora
> 
> 
> Description
> ---
> 
> Adds a flag to enable the new behavior.  If enabled, also sets
> ownership of the sandbox directory appropriately.
> 
> 
> Diffs
> -
> 
>   src/main/python/apache/aurora/executor/bin/thermos_executor_main.py 
> f4f5cd77b6444c225ec960c7e2cf5349a80bd344 
>   src/main/python/apache/aurora/executor/common/sandbox.py 
> 4780232318ffdf8c6bbbe78bee518886cffd580a 
>   src/main/python/apache/aurora/executor/thermos_task_runner.py 
> 3896e3841562600379705dbf78a6f62728246348 
> 
> Diff: https://reviews.apache.org/r/43027/diff/
> 
> 
> Testing
> ---
> 
> TBD
> 
> 
> Thanks,
> 
> Benjamin Staffin
> 
>



Re: Review Request 43027: Optionally enable setuid inside Docker containers

2016-01-30 Thread Aurora ReviewBot

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43027/#review117139
---



Master (de0029b) is green with this patch.
  ./build-support/jenkins/build.sh

However, it appears that it might lack test coverage.

I will refresh this build result if you post a review containing "@ReviewBot 
retry"

- Aurora ReviewBot


On Jan. 31, 2016, 6:50 a.m., Benjamin Staffin wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/43027/
> ---
> 
> (Updated Jan. 31, 2016, 6:50 a.m.)
> 
> 
> Review request for Aurora.
> 
> 
> Bugs: AURORA-1237
> https://issues.apache.org/jira/browse/AURORA-1237
> 
> 
> Repository: aurora
> 
> 
> Description
> ---
> 
> Adds a flag to enable the new behavior.  If enabled, also sets
> ownership of the sandbox directory appropriately.
> 
> 
> Diffs
> -
> 
>   src/main/python/apache/aurora/executor/bin/thermos_executor_main.py 
> f4f5cd77b6444c225ec960c7e2cf5349a80bd344 
>   src/main/python/apache/aurora/executor/common/sandbox.py 
> 4780232318ffdf8c6bbbe78bee518886cffd580a 
>   src/main/python/apache/aurora/executor/thermos_task_runner.py 
> 3896e3841562600379705dbf78a6f62728246348 
> 
> Diff: https://reviews.apache.org/r/43027/diff/
> 
> 
> Testing
> ---
> 
> TBD
> 
> 
> Thanks,
> 
> Benjamin Staffin
> 
>



Review Request 43027: Optionally enable setuid inside Docker containers

2016-01-30 Thread Benjamin Staffin

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/43027/
---

Review request for Aurora.


Bugs: AURORA-1237
https://issues.apache.org/jira/browse/AURORA-1237


Repository: aurora


Description
---

Adds a flag to enable the new behavior.  If enabled, also sets
ownership of the sandbox directory appropriately.


Diffs
-

  src/main/python/apache/aurora/executor/bin/thermos_executor_main.py 
f4f5cd77b6444c225ec960c7e2cf5349a80bd344 
  src/main/python/apache/aurora/executor/common/sandbox.py 
4780232318ffdf8c6bbbe78bee518886cffd580a 
  src/main/python/apache/aurora/executor/thermos_task_runner.py 
3896e3841562600379705dbf78a6f62728246348 

Diff: https://reviews.apache.org/r/43027/diff/


Testing
---

TBD


Thanks,

Benjamin Staffin