Mesos / MESOS-5187

The filesystem/linux isolator does not set the permissions of the host_path.


Description

      The filesystem/linux isolator is not a drop-in replacement for the filesystem/shared isolator. This should be considered before the latter is deprecated.

      We are currently using the filesystem/shared isolator together with the following slave option. This provides us with a private /tmp and /var/tmp folder for each task.

          --default_container_info='{
              "type": "MESOS",
              "volumes": [
                  {"host_path": "system/tmp",    "container_path": "/tmp",     "mode": "RW"},
                  {"host_path": "system/vartmp", "container_path": "/var/tmp", "mode": "RW"}
              ]
          }'
      

      When browsing the Mesos sandbox, one can see the following permissions:

      mode        nlink  uid   gid   size  mtime         name
      drwxrwxrwx  3      root  root  4 KB  Apr 11 18:16  tmp
      drwxrwxrwx  2      root  root  4 KB  Apr 11 18:15  vartmp
      

      However, when running with the new filesystem/linux isolator, the permissions are different:

      mode        nlink  uid   gid   size  mtime         name
      drwxr-xr-x  2      root  root  4 KB  Apr 12 10:34  tmp
      drwxr-xr-x  2      root  root  4 KB  Apr 12 10:34  vartmp
      

      This prevents user code (running as a non-root user) from writing to those folders, i.e. every write attempt fails with permission denied.
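As an added illustration (not code from the Mesos project or from the reporter), the following Python script parses the same --default_container_info JSON shown above, picks out the volumes whose host_path is relative to the sandbox, and reports which of those directories lack the "other" write bit that a non-root task user needs, optionally repairing them. The sandbox layout, the 0755 starting mode (what the filesystem/linux listing above shows) and the 1777 target mode (/tmp-style world-writable with sticky bit, rather than the plain 0777 the filesystem/shared listing shows) are assumptions made for the demonstration; Mesos ships no such script and this is not a description of how either isolator works internally.

```python
import json
import os
import shutil
import stat
import tempfile

# Constructed copy of the --default_container_info value from the report.
DEFAULT_CONTAINER_INFO = '''{
    "type": "MESOS",
    "volumes": [
        {"host_path": "system/tmp",    "container_path": "/tmp",     "mode": "RW"},
        {"host_path": "system/vartmp", "container_path": "/var/tmp", "mode": "RW"}
    ]
}'''

# Assumption: give sandbox-relative scratch volumes /tmp-like permissions
# (world-writable plus sticky bit) so any task user can write but cannot
# delete another user's files.
TARGET_MODE = 0o1777


def relative_volume_host_paths(container_info_json):
    """Return host_path for each RW volume whose host_path is relative to the
    sandbox. Absolute host paths are left alone: they are operator-owned."""
    info = json.loads(container_info_json)
    paths = []
    for vol in info.get("volumes", []):
        host_path = vol.get("host_path")
        if host_path is None or os.path.isabs(host_path):
            continue
        if vol.get("mode", "RW") != "RW":
            continue
        paths.append(host_path)
    return paths


def other_writable(mode):
    """True if the 'other' write bit is set (a non-owner, non-root user can write)."""
    return mode is not None and bool(mode & stat.S_IWOTH)


def ensure_task_writable(sandbox, host_path, mode=TARGET_MODE):
    """Create sandbox/host_path if missing, chmod it to `mode`, return the final mode."""
    target = os.path.join(sandbox, host_path)
    os.makedirs(target, exist_ok=True)
    os.chmod(target, mode)
    return stat.S_IMODE(os.stat(target).st_mode)


def audit_sandbox(sandbox, container_info_json=DEFAULT_CONTAINER_INFO, fix=False):
    """Map host_path -> (mode_before, mode_after) for every sandbox-relative
    volume. With fix=False the two modes are equal (pure report); with
    fix=True directories are created/chmodded to TARGET_MODE."""
    report = {}
    for host_path in relative_volume_host_paths(container_info_json):
        target = os.path.join(sandbox, host_path)
        before = stat.S_IMODE(os.stat(target).st_mode) if os.path.isdir(target) else None
        after = ensure_task_writable(sandbox, host_path) if fix else before
        report[host_path] = (before, after)
    return report


def demo():
    """Lay out a throwaway sandbox the way the filesystem/linux listing in the
    report looks (0755 directories owned by the caller), audit it, then fix it.
    Returns (report_before_fix, report_after_fix)."""
    sandbox = tempfile.mkdtemp(prefix="mesos-sandbox-")
    try:
        for host_path in relative_volume_host_paths(DEFAULT_CONTAINER_INFO):
            d = os.path.join(sandbox, host_path)
            os.makedirs(d)
            os.chmod(d, 0o755)  # drwxr-xr-x, as in the filesystem/linux listing
        broken = audit_sandbox(sandbox)
        fixed = audit_sandbox(sandbox, fix=True)
    finally:
        shutil.rmtree(sandbox)
    return broken, fixed


if __name__ == "__main__":
    broken, fixed = demo()
    for path, (before, after) in fixed.items():
        print("%-14s before=%04o (other-writable=%s) after=%04o"
              % (path, broken[path][0], other_writable(broken[path][0]), after))
```

Run against a real sandbox directory as `audit_sandbox("/var/lib/mesos/slaves/.../runs/<id>")` to report, and add `fix=True` only from a context that runs as root before the task starts; the script deliberately ignores absolute host_path entries because those are shared host directories whose permissions should not be relaxed per task.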



People

  gilbert Gilbert Song
  StephanErb Stephan Erb
  Jie Yu Jie Yu
