Mesos / MESOS-2592

The sandbox directory is not chown'ed if the fetcher doesn't run

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 0.22.0
    • Fix Version/s: 0.22.1, 0.23.0
    • Component/s: None
    • Labels: None
    • Target Version/s:
    • Sprint: Mesosphere Q1 Sprint 7 - 4/17

      Description

      We have run into issues with the sandbox permissions and ownership. It looks like the sandbox isn't chown'ed if no URIs are put in the task info. Recent changes have moved the chown'ing from the containerizer to the fetcher; however, if the fetcher isn't run, the sandbox owner will remain the user of the slave (in our case, root).

      Has anyone run into something similar?

      1. switchUser.patch
        4 kB
        Niklas Quarfot Nielsen


          Activity

          nnielsen Niklas Quarfot Nielsen added a comment -

          commit d9315d97afd08d52b75d8c36efa2148988e7db88
          Author: Niklas Nielsen <nik@qni.dk>
          Date: Tue Apr 7 11:54:08 2015 -0700

          Fixed sandbox ownership bug for executors without URIs.

          During recent refactorings, executor directory ownership was delegated
          to the fetcher. However, the fetcher is not invoked if no URIs are
          present in the executor or task command. This left some of these tasks
          broken as the directory ownership defaulted to the mesos-slave's (root).

          Review: https://reviews.apache.org/r/32911

          nnielsen Niklas Quarfot Nielsen added a comment - https://reviews.apache.org/r/32911/
          nnielsen Niklas Quarfot Nielsen added a comment -

          Like the command.user tests (which I had to disable due to too limited privileges for `nobody`), there were no tests that verified the ownership as our tests haven't made any assumptions around a test or 'mesos' user. Think it would be generally useful to have a well-known (or configurable) user for mesos, so we can test these scenarios.

          nnielsen Niklas Quarfot Nielsen added a comment -

          Joris and I have been talking about a few options:

          1) Always run the fetcher. The fetcher currently sets the owner on the executor directory while iterating the URIs, so that would have to be fixed first off.
          2) Set the owner when the executor directory is created in createExecutorDirectory() (I attached a patch which shows what that looks like). It is a fairly localized change, but the overlap of having the fetcher and the slave setting the owner is not very clean.
          3) Have the containerizer set it.
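
The control flow behind the bug and option 2, modelled as an added example (not Mesos source and not the attached patch). All function names are hypothetical, the sandbox path is constructed, and `chown` is replaced by a callback so the model runs without root.

```cpp
// Added illustration, not Mesos source: every name below is hypothetical.
// Only the ownership-relevant control flow is modelled.
#include <functional>
#include <string>
#include <vector>

using Uris = std::vector<std::string>;
// Stand-in for the chown syscall so the flow can be exercised without root.
using Chown = std::function<void(const std::string&, const std::string&)>;

// Behaviour described in the ticket: the owner is set only as a side effect
// of iterating the URIs, so an empty URI list never reaches chown.
void fetchSettingOwner(const std::string& dir, const std::string& user,
                       const Uris& uris, const Chown& chown) {
  for (const std::string& uri : uris) {
    (void)uri;  // the download itself does not matter for ownership
    chown(dir, user);
  }
}

// Option 2: set the owner once, when the directory is created, so the
// result no longer depends on whether the fetcher runs.
void createDirectorySettingOwner(const std::string& dir,
                                 const std::string& user,
                                 const Chown& chown) {
  chown(dir, user);
}

// Launches one executor and returns who owns its sandbox afterwards.
// The directory starts out owned by the slave's user (root in the report).
std::string sandboxOwnerAfterLaunch(bool ownerSetAtCreation, const Uris& uris,
                                    const std::string& taskUser) {
  std::string owner = "root";
  Chown chown = [&owner](const std::string&, const std::string& user) {
    owner = user;
  };
  const std::string dir = "/constructed/sandbox";  // constructed path
  if (ownerSetAtCreation) {
    createDirectorySettingOwner(dir, taskUser, chown);
  }
  // The fetcher is not invoked at all when there is nothing to fetch.
  if (!uris.empty()) {
    fetchSettingOwner(dir, taskUser, uris, chown);
  }
  return owner;
}
```

The same three cases (no URIs before the fix, URIs before the fix, no URIs after the fix) are the ones an ownership regression test would need to cover with a real, known test user.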

          idownes Ian Downes added a comment -

          Yep, added me as a shepherd.

          nnielsen Niklas Quarfot Nielsen added a comment -

          Ian Downes Can you shepherd a fix?

          idownes Ian Downes added a comment -

          Also: MESOS-2523?


            People

            • Assignee: Niklas Quarfot Nielsen (nnielsen)
            • Reporter: Niklas Quarfot Nielsen (nnielsen)
            • Shepherd: Ian Downes
            • Votes: 0
            • Watchers: 5
