@James Peach <jpe...@apple.com> agree, for debug containers, the default
user should inherit from the parent, while CLI tooling (e.g., task exec)
should provide an option `--root` (by setting the commandinfo user as root).

@Qian Zhang <qzh...@mesosphere.io> @Benjamin Mahler <bmah...@apache.org> ,
if we step back, it seems to me we should extend the user inheritance to
all nested containers (instead of just debug containers). Now the default
user for a nested container is from the executor (see this patch
<https://github.com/apache/mesos/commit/558613cc72248b633bb5e26ef93708abca8ccbf0#diff-8fd185b932590eb8fa1c53964f7c5a82R1956>),
which does not make sense for 3rd level nested containers or further.

I would suggest that for any type of nested container (debug container, check
container, nested container etc.), its user should just inherit from its
parent's user. This would not change the behavior of the default executor, but
would potentially change behavior for custom executors which support 3 or
more levels of nesting.

- Gilbert

On Thu, Oct 25, 2018 at 9:51 AM Vinod Kone <vinodk...@apache.org> wrote:

> Sounds good to me.
>
> If I understand correctly, you want to treat this as a bug and backport it
> to previous release branches? So, you are also asking whether backporting
> this bug will be considered a breaking change for any existing users?
>
> On Thu, Oct 25, 2018 at 11:46 AM James Peach <jpe...@apache.org> wrote:
>
>>
>>
>> On Oct 23, 2018, at 7:47 PM, Qian Zhang <zhq527...@gmail.com> wrote:
>>
>> Hi all,
>>
>> Currently when launching a debug container (e.g., via `dcos task exec` or
>> command health check) to debug a task, by default the Mesos agent will use the
>> executor's user as the debug container's user. There are actually 2 cases:
>> 1. Command task: Since the command executor's user is the same as the command
>> task's user, the debug container will be launched as the same user as
>> the command task.
>> 2. The task in a task group: The default executor's user is the same as the
>> framework user, so in this case the debug container will be launched as the
>> same user as the framework rather than the task.
>>
>> Basically I think the behavior of case 1 is correct. For case 2, we may
>> run into a situation where the task is run as one user (e.g., root), but the
>> debug container used to debug that task is run as another user (e.g., a
>> normal user, supposing the framework is run as a normal user); this may not be
>> what the user expects.
>>
>> So I created MESOS-9332
>> <https://issues.apache.org/jira/browse/MESOS-9332> and propose to run
>> debug container as the same user of its parent container (i.e., the task to
>> be debugged) by default. Please let me know if you have any comments,
>> thanks!
>>
>>
>> This sounds like a sensible default to me. I can imagine for debug use
>> cases you might want to run the debug container as root or give it elevated
>> capabilities, but that should not be the default.
>>
>> J
>>
>
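
The two default-user policies discussed in this thread, as an added example that is not part of any message above and is not Mesos code: a simplified Python model that compares "fall back to the executor's user" with "inherit the parent's user". The Container class, the function names, the container names and the users are all assumptions constructed for illustration.

```python
# Simplified model of the two default-user policies discussed in this thread.
# Not Mesos code: the class, function and container names are hypothetical.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Container:
    name: str
    user: Optional[str] = None            # explicitly requested user; None = unset
    parent: Optional["Container"] = None  # None marks the executor (top level)


def user_from_executor(c: Container) -> str:
    """Behaviour described as current: an unset user falls back to the executor's."""
    if c.user is not None:
        return c.user
    while c.parent is not None:
        c = c.parent
    return c.user


def user_from_parent(c: Container) -> str:
    """Proposed behaviour: an unset user resolves to the parent's effective user."""
    while c.user is None and c.parent is not None:
        c = c.parent
    return c.user


def changed_by_proposal(containers: List[Container]) -> List[str]:
    """Names of containers whose default user differs between the two policies."""
    return [c.name for c in containers
            if user_from_executor(c) != user_from_parent(c)]


# Constructed scenario: the executor runs as the framework user, the task as root.
executor = Container("executor", user="nobody")
task = Container("task", user="root", parent=executor)
debug = Container("debug", parent=task)                  # no user requested
nested = Container("nested", parent=task)                # no user requested
debug_l3 = Container("debug-of-nested", parent=nested)   # one level deeper
task2 = Container("task2", user="app", parent=executor)
debug_root = Container("debug-as-root", user="root", parent=task2)  # explicit user

if __name__ == "__main__":
    for c in (task, debug, nested, debug_l3, debug_root):
        print(c.name, user_from_executor(c), user_from_parent(c))
    print("changed:", changed_by_proposal([task, debug, nested, debug_l3, debug_root]))
```

Containers with an explicitly requested user resolve identically under both policies; only containers that leave the user unset below a task with a different user are affected, which is the set to review when judging whether a backport changes behaviour.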
