mesos-dev mailing list archives

From: Vinod Kone <vinodk...@apache.org>
Subject: Re: Propose to run debug container as the same user of its parent container by default
Date: Thu, 25 Oct 2018 16:50:31 GMT

Sounds good to me.

If I understand correctly, you want to treat this as a bug and backport it
to previous release branches? So, you are also asking whether backporting
this bug will be considered a breaking change for any existing users?

On Thu, Oct 25, 2018 at 11:46 AM James Peach <jpeach@apache.org> wrote:

>
>
> On Oct 23, 2018, at 7:47 PM, Qian Zhang <zhq527725@gmail.com> wrote:
>
> Hi all,
>
> Currently when launching a debug container (e.g., via `dcos task exec` or
> command health check) to debug a task, by default the Mesos agent will use the
> executor's user as the debug container's user. There are actually 2 cases:
> 1. Command task: Since the command executor's user is the same as the command
> task's user, the debug container will be launched as the same user as
> the command task.
> 2. The task in a task group: The default executor's user is the same as the
> framework user, so in this case the debug container will be launched as the
> same user as the framework rather than the task.
>
> Basically I think the behavior of case 1 is correct. For case 2, we may
> run into a situation where the task is run as one user (e.g., root), but the
> debug container used to debug that task is run as another user (e.g., a
> normal user, supposing the framework is run as a normal user); this may not be
> what the user expects.
>
> So I created MESOS-9332 <https://issues.apache.org/jira/browse/MESOS-9332> and
> propose to run the debug container as the same user as its parent container
> (i.e., the task to be debugged) by default. Please let me know if you have
> any comments, thanks!
>
>
> This sounds like a sensible default to me. I can imagine for debug use
> cases you might want to run the debug container as root or give it elevated
> capabilities, but that should not be the default.
>
> J
>
