aurora-dev mailing list archives

From Zameer Manji <zma...@apache.org>
Subject Re: /etc/passwd in containers
Date Fri, 20 Mar 2015 18:19:30 GMT
Hey,

I'm not the authority on this but I suspect Aurora does not set CommandInfo.user because that feature was added in 0.19.0 <https://github.com/apache/mesos/commit/23d717741df7ca291270b762b7b93a37b4a144ef> and no one has ever thought about setting the field before. Your use case seems reasonable and I see no reason why Aurora cannot set this value and modify the executor appropriately.


On Thu, Mar 19, 2015 at 5:57 PM, Jay Buffington <me@jaybuff.com> wrote:

> One pain point that currently exists with Aurora/Mesos/Docker integration
> is that it requires making a choice between two bad options:
>
> 1) require that the aurora role exist in the docker image as a unix user
> 2) run everything as root by setting "USER root" in the Dockerfile and pass
> --nosetuid to the executor.
>
> I'd like to propose that mesos be modified to generate an /etc/passwd file
> that includes a single entry: the CommandInfo.user with a stable uid.  This
> file will always overwrite whatever /etc/passwd is provided by the
> container image.
>
> The problem here is that Aurora doesn't set CommandInfo.user and it
> defaults to root.  The aurora executor does chown of the sandbox dir and
> then does a setuid to the user specified in the job key. This would always
> fail with "user does not exist" [1] because the executor would only find
> root in /etc/passwd.
>
> Why doesn't aurora set CommandInfo.user to the aurora role?  If it did, we
> would be able to solve this problem by having mesos generate a sensible
> /etc/passwd for containers.
>
> Thanks!
> Jay
>
> [1] https://github.com/apache/incubator-aurora/blob/master/src/main/python/apache/aurora/executor/common/sandbox.py#L108
>
> --
> Zameer Manji

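The failure Jay describes, as an added example that is not code from the thread, from Aurora or from Mesos: Mesos would write a single-entry /etc/passwd for CommandInfo.user, and the executor then looks the job role up in that file before dropping privileges. The role name "webapp", the uid 10001 and all function names are assumptions made for the example.

```python
"""Model of the /etc/passwd handoff discussed in the thread (added example, not Aurora/Mesos code)."""
from typing import Dict, Tuple

PASSWD_FIELDS = 7  # name:password:uid:gid:gecos:home:shell


def generate_passwd(user: str, uid: int, home: str = "/", shell: str = "/bin/sh") -> str:
    """Build the single-entry /etc/passwd Jay proposes: one line for CommandInfo.user at a stable uid.
    Field values must not contain ':' or newlines, or they would inject extra fields or entries."""
    for field in (user, home, shell):
        if ":" in field or "\n" in field:
            raise ValueError(f"illegal character in passwd field: {field!r}")
    return f"{user}:x:{uid}:{uid}:{user}:{home}:{shell}\n"


def parse_passwd(text: str) -> Dict[str, Dict[str, object]]:
    """Parse passwd(5) content into a name -> {uid, gid, home, shell} map, rejecting malformed lines."""
    entries: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != PASSWD_FIELDS:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return entries


def resolve_user(passwd_text: str, user: str) -> Tuple[int, int]:
    """The executor-side lookup that must succeed before chown/setuid; mirrors the 'user does not exist' path."""
    entries = parse_passwd(passwd_text)
    if user not in entries:
        raise LookupError(f"user does not exist: {user}")
    return int(entries[user]["uid"]), int(entries[user]["gid"])


def simulate_handoff(command_info_user: str, job_role: str, uid: int = 10001) -> bool:
    """Mesos writes a passwd containing only CommandInfo.user; the executor then resolves the job role.
    Returns True if the executor could setuid, False if the role is missing from the generated file."""
    passwd = generate_passwd(command_info_user, 0 if command_info_user == "root" else uid)
    try:
        resolve_user(passwd, job_role)
        return True
    except LookupError:
        return False


# Constructed image passwd: a typical minimal image that only defines root.
IMAGE_PASSWD = "root:x:0:0:root:/root:/bin/bash\n"
```

Calling `simulate_handoff("root", "webapp")` models Aurora leaving CommandInfo.user unset (so it defaults to root) and shows the executor's lookup failing; `simulate_handoff("webapp", "webapp")` models the proposed fix.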