The filesystem/linux isolator is not a drop-in replacement for the filesystem/shared isolator. This should be considered before the latter is deprecated.
We are currently using the filesystem/shared isolator together with the following slave option. This provides us with a private /tmp and /var/tmp folder for each task.
When browsing the Mesos sandbox, one can see the following permissions:
However, when running with the new filesystem/linux isolator, the permissions are different:
This prevents user code (running as a non-root user) from writing to those folders, i.e. every write attempt fails with permission denied.
- We are using Apache Aurora. Aurora is running its custom executor as root but then switches to a non-privileged user before running the actual user code.
- The following code seems to have enabled our use case in the existing filesystem/shared isolator: https://github.com/apache/mesos/blob/4d2b1b793e07a9c90b984ca330a3d7bc9e1404cc/src/slave/containerizer/mesos/isolators/filesystem/shared.cpp#L175-L198