Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
Description
When launching a container, Mesos does a setuid to the task's credential before fetching the artifacts into the executor sandbox. However, if any directory in the sandbox path forbids 'x' mode for the task's credential, the fetcher won't be able to store the artifact in the sandbox, and instead gets an EACCES from https://github.com/apache/mesos/blob/master/3rdparty/stout/include/stout/net.hpp#L214
We should use the agent's credential to fetch the artifacts, chown them, then setuid.
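To confirm which directory triggers the EACCES described above, the following added example (not Mesos code) walks a sandbox path and reports the first component that lacks the 'x' bit for a given credential. The function names, the `start` parameter and the directory layout are assumptions made for illustration, and only classic mode bits are checked, not ACLs.

```python
import os
import stat
import tempfile

def can_search(st, uid, gids):
    """Classic owner/group/other test for the 'x' (search) bit; ACLs are ignored."""
    if uid == 0:
        return True  # root bypasses directory search checks
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def first_blocking_dir(path, uid, gids, start=os.sep):
    """Return the first directory from `start` down to `path` that the
    credential (uid, gids) cannot traverse, or None if all allow it."""
    current = os.path.realpath(start)
    rel = os.path.relpath(os.path.realpath(path), current)
    if rel.split(os.sep)[0] == os.pardir:
        raise ValueError("path is not below start")
    dirs = [current]
    for part in rel.split(os.sep):
        if part != os.curdir:
            current = os.path.join(current, part)
            dirs.append(current)
    for d in dirs:
        if not can_search(os.stat(d), uid, gids):
            return d
    return None

def demo():
    """Constructed layout: base/runs/sandbox, with 'runs' restricted to 0700."""
    base = tempfile.mkdtemp()
    sandbox = os.path.join(base, "runs", "sandbox")
    os.makedirs(sandbox)
    os.chmod(base, 0o755)
    os.chmod(os.path.join(base, "runs"), 0o700)
    os.chmod(sandbox, 0o755)
    task_uid = os.getuid() + 12345  # constructed uid that does not own the tree
    return base, first_blocking_dir(sandbox, task_uid, set(), start=base)

if __name__ == "__main__":
    base, blocked = demo()
    print("blocked at:", blocked)
```

Run against a real sandbox path with the task user's uid and group ids, a non-None result names the directory whose mode would make a fetch fail after the setuid.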