PersistentVolume ownership is not set to match the sandbox user when the docker executor is used. Looks like the issue was introduced by https://reviews.apache.org/r/45963/
I didn't check the universal containerizer yet.
As far as I understand the following code is supposed to check that a volume is not being already used by other tasks/containers.
But it doesn't exclude a container to be launch (In my case I have only one container - no group of tasks). Thus the ownership of PersistentVolume stays "root" (I run mesos-agent under root) and it's impossible to use the volume inside the container. We always run processes inside Docker containers under unprivileged user.
Making a small patch to exclude the container to launch fixes the issue.