> On Oct 23, 2018, at 7:47 PM, Qian Zhang <zhq527...@gmail.com> wrote:
>
> Hi all,
>
> Currently when launching a debug container (e.g., via `dcos task exec` or
> command health check) to debug a task, by default the Mesos agent will use the
> executor's user as the debug container's user. There are actually 2 cases:
> 1. Command task: Since the command executor's user is the same as the command
> task's user, the debug container will be launched as the same user as the
> command task.
> 2. The task in a task group: The default executor's user is the same as the
> framework user, so in this case the debug container will be launched as the
> same user as the framework rather than the task.
>
> Basically I think the behavior of case 1 is correct. For case 2, we may run
> into a situation where the task is run as a user (e.g., root), but the debug
> container used to debug that task is run as another user (e.g., a normal
> user, suppose the framework is run as a normal user); this may not be what the
> user expects.
>
> So I created MESOS-9332 <https://issues.apache.org/jira/browse/MESOS-9332>
> and propose to run the debug container as the same user as its parent container
> (i.e., the task to be debugged) by default. Please let me know if you have
> any comments, thanks!

This sounds like a sensible default to me. I can imagine for debug use cases you might want to run the debug container as root or give it elevated capabilities, but that should not be the default.

J