Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- Sprint: Mesosphere Sprint 60
Description
This issue was exposed when using a sandbox_path volume to provide a shared volume for nested containers under one task group. Here is the scenario:

The agent process runs as the 'root' user, while the framework user is set to 'nobody'. Whether or not the CommandInfo user is set, a non-root user cannot access the sandbox_path volume (e.g., a PARENT sandbox_path volume is not writable from a nested container). This is because the source path at the parent sandbox level is created by the agent process (i.e., root in this case).

While the operator is responsible for guaranteeing that a nested container has permission to write to its sandbox_path volume in its parent's sandbox, we should guarantee that the source path created in the parent's sandbox has the same ownership as the sandbox itself.
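The ownership fix described above, as an added illustration that is not Mesos code: the volume's source directory is created under the parent sandbox and then chowned to whatever user and group already own that sandbox, so a non-root framework user can write to it even though the agent doing the creation runs as root. The function names (`prepare_volume_source`, `writable_by`, `demo`), the 0755 mode, and the throwaway temporary directory are assumptions of this example; the permission check is a plain mode-bit evaluation that ignores supplementary groups and ACLs.

```python
import os
import shutil
import stat
import tempfile


def sandbox_owner(sandbox_dir):
    """Return (uid, gid) of the sandbox directory itself."""
    st = os.stat(sandbox_dir)
    return st.st_uid, st.st_gid


def prepare_volume_source(sandbox_dir, relative_path, mode=0o755):
    """Create relative_path under sandbox_dir and give every directory
    component we create the sandbox's ownership instead of the creator's.

    A root agent that only calls mkdir leaves the path owned by root, which is
    exactly what blocks a nested container running as the framework user.
    Path components that would leave the sandbox ('..') are rejected.
    """
    uid, gid = sandbox_owner(sandbox_dir)
    current = sandbox_dir
    for part in relative_path.strip("/").split("/"):
        if part in ("", ".", ".."):
            raise ValueError("volume path must stay inside the sandbox: %r" % relative_path)
        current = os.path.join(current, part)
        created = not os.path.isdir(current)
        os.makedirs(current, exist_ok=True)
        if created:
            os.chmod(current, mode)          # mode chosen for this example
            os.chown(current, uid, gid)      # no-op for the owner; root needs CAP_CHOWN
    return current


def writable_by(path, uid, gid):
    """Decide from mode bits whether uid/gid may write to path.

    Simplified check: root always may; otherwise owner, group, then other
    bits are consulted. Supplementary groups and ACLs are ignored.
    """
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def demo():
    """Exercise the fix in a constructed temporary 'sandbox' and report what
    the check sees. No real Mesos agent or container is involved."""
    sandbox = tempfile.mkdtemp(prefix="sandbox-")   # owned by the current user
    try:
        source = prepare_volume_source(sandbox, "shared/volume")
        me_uid, me_gid = os.getuid(), os.getgid()
        st = os.stat(source)
        try:
            prepare_volume_source(sandbox, "../escape")
            escape_rejected = False
        except ValueError:
            escape_rejected = True
        return {
            "owner_matches_sandbox": (st.st_uid, st.st_gid) == sandbox_owner(sandbox),
            "owner_can_write": writable_by(source, me_uid, me_gid),
            # an unrelated uid/gid sees only the 'other' bits of 0755
            "other_user_can_write": writable_by(source, me_uid + 1, me_gid + 1),
            "escape_rejected": escape_rejected,
        }
    finally:
        shutil.rmtree(sandbox, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-24s %s" % (key, value))
```

Run as a normal user the chown is a no-op that succeeds, which is enough to show the ownership matching the sandbox; run as root it performs the same chown the agent would need to do, and `writable_by` then reports the result from the framework user's point of view rather than root's.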
Issue Links
- relates to MESOS-5187: The filesystem/linux isolator does not set the permissions of the host_path. (Resolved)