From qianzh...@apache.org
Subject [mesos] 01/04: Made nested container runs as its parent container's user by default.
Date Thu, 08 Nov 2018 09:36:44 GMT
This is an automated email from the ASF dual-hosted git repository.

qianzhang pushed a commit to branch 1.7.x
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit 262961d28e454954933ff640285ee2d1af93e554
Author: Qian Zhang <zhq527725@gmail.com>
AuthorDate: Fri Oct 26 09:23:27 2018 +0800

    Made nested container runs as its parent container's user by default.
    
    Review: https://reviews.apache.org/r/69234
---
 src/slave/containerizer/mesos/containerizer.cpp | 10 ++++++++++
 src/slave/http.cpp                              | 16 ++--------------
 2 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/src/slave/containerizer/mesos/containerizer.cpp b/src/slave/containerizer/mesos/containerizer.cpp
index 6c27000..8446ba1 100644
--- a/src/slave/containerizer/mesos/containerizer.cpp
+++ b/src/slave/containerizer/mesos/containerizer.cpp
@@ -1855,6 +1855,16 @@ Future<Containerizer::LaunchResult> MesosContainerizerProcess::_launch(
   }
 
   // Determine the user to launch the container as.
+  // Inherit user from the parent container for nested containers, and it can be
+  // overridden by the user in nested container's `commandInfo`, if specified.
+  if (containerId.has_parent()) {
+    if (containers_[containerId.parent()]->config.isSome() &&
+        containers_[containerId.parent()]->config->has_user()) {
+      launchInfo.set_user(
+          containers_[containerId.parent()]->config->user());
+    }
+  }
+
   if (container->config->has_user()) {
     launchInfo.set_user(container->config->user());
   }
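Review bot: The added lookup `containers_[containerId.parent()]` indexes the map three times without first checking that the parent is still tracked. If `containers_` is a hashmap with `operator[]` semantics (its declaration is outside the hunk), a missing parent would be default-inserted and then dereferenced as a null pointer. `_launch` is a continuation whose body starts and ends outside the hunk, so I'd guard it explicitly with `if (containerId.has_parent() && containers_.contains(containerId.parent())) {` followed by `const Owned<Container>& parent = containers_.at(containerId.parent());`, and read `parent->config` once. Separately, when the parent's `config` is None or carries no user, the nested container falls through with no user set in `launchInfo`; the comment should say which account it then runs as, or the case should be logged.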
diff --git a/src/slave/http.cpp b/src/slave/http.cpp
index bd194ba..f7be16e 100644
--- a/src/slave/http.cpp
+++ b/src/slave/http.cpp
@@ -2498,8 +2498,6 @@ Future<Response> Http::_launchContainer(
     ContentType,
     const Owned<ObjectApprovers>& approvers) const
 {
-  Option<string> user;
-
   // Attempt to get the executor associated with this ContainerID.
   // We only expect to get the executor when launching a nested container
   // under a container launched via a scheduler. In other cases, we are
@@ -2517,24 +2515,14 @@ Future<Response> Http::_launchContainer(
             executor->info, framework->info, commandInfo, containerId)) {
       return Forbidden();
     }
-
-    // By default, we use the executor's user.
-    // The CommandInfo can override it, if specified.
-    user = executor->user;
   }
 
   ContainerConfig containerConfig;
   containerConfig.mutable_command_info()->CopyFrom(commandInfo);
 
 #ifndef __WINDOWS__
-  if (slave->flags.switch_user) {
-    if (commandInfo.has_user()) {
-      user = commandInfo.user();
-    }
-
-    if (user.isSome()) {
-      containerConfig.set_user(user.get());
-    }
+  if (slave->flags.switch_user && commandInfo.has_user()) {
+    containerConfig.set_user(commandInfo.user());
   }
 #endif // __WINDOWS__
 
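Review bot: With the executor-user default removed, nothing at `if (slave->flags.switch_user && commandInfo.has_user())` tells the reader that a request without a `CommandInfo` user is still expected to get a non-default account; that now depends entirely on the parent lookup added in `MesosContainerizerProcess::_launch`. I'd add a comment here such as `// No default user is set here: a nested container inherits its parent container's user in the containerizer.` The old default was applied only under `switch_user` and inside the `__WINDOWS__` guard. Whether the containerizer-side inheritance honours the same conditions cannot be seen from this hunk and is worth confirming, because the account a container runs as is a privilege boundary. `_launchContainer` continues outside the hunk.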

