Thanks for picking this up, Daniel Templeton.
Quick high-level question. After chowning to the user who would run the container, can we setfacl to give access to user "yarn" as well?
Comments on the patch itself:
- The log messages for failure to open/read directory are missing the word NOT?
- After readdir, I see the patch resets errno. What happens if the first call to readdir fails? Don't we lose the errno and fail to log and return -1? Maybe reset before the readdir call? Skip resetting altogether?
- For the (dir == NULL), can we invert the operands to (NULL == dir)?
- test-container-executor.c - typo: s/existant/existent
On the tests, do we need tests with linux-container-executor.nonsecure-mode.limit-users turned on/off?
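
The readdir/errno ordering raised in the review comment above, shown as an added example that is not code from the patch or from the comment's author. `count_dir_entries` is a hypothetical helper, and the log wording is an assumption.

```c
#include <dirent.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from the patch): count the entries of a directory,
 * returning -1 on any open or read failure. */
int count_dir_entries(const char *path) {
  DIR *dir = opendir(path);
  if (NULL == dir) {
    fprintf(stderr, "Could not open directory %s - %s\n", path, strerror(errno));
    return -1;
  }

  int count = 0;
  for (;;) {
    /* readdir returns NULL both at end of stream and on error; only errno
     * tells them apart, so clear it immediately BEFORE each call. Clearing
     * it after the call would erase the error from a failed read. */
    errno = 0;
    struct dirent *ent = readdir(dir);
    if (NULL == ent) {
      break;
    }
    if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) {
      continue;
    }
    count++;
  }

  /* Save errno before closedir or fprintf can overwrite it. */
  int read_err = errno;
  closedir(dir);
  if (read_err != 0) {
    fprintf(stderr, "Could not read directory %s - %s\n", path, strerror(read_err));
    return -1;
  }
  return count;
}

int main(void) {
  printf("%d\n", count_dir_entries("."));
  return 0;
}
```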