Date: Thu, 16 Feb 2017 16:10:42 +0000 (UTC)
From: "Till Toenshoff (JIRA)"
To: issues@mesos.apache.org
Subject: [jira] [Updated] (MESOS-7133) mesos-fetcher fails with openssl-related output.

[ https://issues.apache.org/jira/browse/MESOS-7133?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Till Toenshoff updated MESOS-7133:
----------------------------------
    Shepherd: Adam B

> mesos-fetcher fails with openssl-related output.
> ------------------------------------------------
>
>                 Key: MESOS-7133
>                 URL: https://issues.apache.org/jira/browse/MESOS-7133
>             Project: Mesos
>          Issue Type: Bug
>    Affects Versions: 1.1.1, 1.2.0
>            Reporter: Till Toenshoff
>            Assignee: Till Toenshoff
>            Priority: Blocker
>
> Running a task as non root user while having a fetcherinfo setup for downloading some .zip or .tar.gz may cause the fetcher to break.
> {noformat}
> I0215 03:52:55.702874 4800 fetcher.cpp:531] Fetcher Info: {"cache_directory":"\/tmp\/mesos\/fetch\/slaves\/5c12449d-a933-44aa-ad03-5a9a2ff0161e-S4\/core","items":[{"action":"BYPASS_CACHE","uri":{"extract":true,"value":"https:\/\/downloads.mesosphere.com\/elastic\/assets\/1.0.4-5.1.2\/executor.zip"}},{"action":"BYPASS_CACHE","uri":{"extract":true,"value":"https:\/\/downloads.mesosphere.com\/libmesos-bundle\/libmesos-bundle-1.9-argus-1.1.x-2.tar.gz"}},{"action":"BYPASS_CACHE","uri":{"extract":true,"value":"https:\/\/artifacts.elastic.co\/downloads\/elasticsearch\/elasticsearch-5.1.2.tar.gz"}},{"action":"BYPASS_CACHE","uri":{"extract":true,"value":"https:\/\/downloads.mesosphere.com\/java\/jre-8u112-linux-x64.tar.gz"}},{"action":"BYPASS_CACHE","uri":{"extract":true,"value":"https:\/\/downloads.mesosphere.com\/elastic\/assets\/1.0.4-5.1.2\/bootstrap.zip"}},{"action":"BYPASS_CACHE","uri":{"extract":true,"value":"https:\/\/downloads.mesosphere.com\/elastic\/assets\/1.0.4-5.1.2\/elastic-scheduler.zip"}},{"action":"BYPASS_CACHE","uri":{"extract":true,"value":"https:\/\/github.com\/elastic\/elasticsearch-support-diagnostics\/releases\/download\/5.1\/support-diagnostics-5.1-dist.zip"}},{"action":"BYPASS_CACHE","uri":{"extract":false,"output_file":"config-templates\/elasticsearch","value":"http:\/\/api.elastic.marathon.l4lb.thisdcos.directory\/v1\/artifacts\/template\/96a656ca-8a10-469c-9f4f-22a6f4d7264d\/ingest\/server\/elasticsearch"}},{"action":"BYPASS_CACHE","uri":{"extract":true,"value":"https:\/\/artifacts.elastic.co\/downloads\/packs\/x-pack\/x-pack-5.1.2.zip"}}],"sandbox_directory":"\/var\/lib\/mesos\/slave\/slaves\/5c12449d-a933-44aa-ad03-5a9a2ff0161e-S4\/frameworks\/5c12449d-a933-44aa-ad03-5a9a2ff0161e-0002\/executors\/ingest__491a21e0-b984-49df-a015-b4df0b43f83a\/runs\/1d282b1a-5403-461e-ae55-b675daf6fcb5","user":"core"}
> I0215 03:52:55.705590 4800 fetcher.cpp:442] Fetching URI 'https://downloads.mesosphere.com/elastic/assets/1.0.4-5.1.2/executor.zip'
> I0215 03:52:55.705608 4800 fetcher.cpp:283] Fetching directly into the sandbox directory
> I0215 03:52:55.705631 4800 fetcher.cpp:220] Fetching URI 'https://downloads.mesosphere.com/elastic/assets/1.0.4-5.1.2/executor.zip'
> I0215 03:52:55.705653 4800 fetcher.cpp:163] Downloading resource from 'https://downloads.mesosphere.com/elastic/assets/1.0.4-5.1.2/executor.zip' to '/var/lib/mesos/slave/slaves/5c12449d-a933-44aa-ad03-5a9a2ff0161e-S4/frameworks/5c12449d-a933-44aa-ad03-5a9a2ff0161e-0002/executors/ingest__491a21e0-b984-49df-a015-b4df0b43f83a/runs/1d282b1a-5403-461e-ae55-b675daf6fcb5/executor.zip'
> W0215 03:52:55.947074 4800 openssl.cpp:402] Failed SSL connections will be downgraded to a non-SSL socket
> I0215 03:52:55.947113 4800 openssl.cpp:424] CA directory path unspecified! NOTE: Set CA directory path with LIBPROCESS_SSL_CA_DIR=
> I0215 03:52:55.947124 4800 openssl.cpp:429] Will not verify peer certificate!
> NOTE: Set LIBPROCESS_SSL_VERIFY_CERT=1 to enable peer certificate verification
> I0215 03:52:55.947131 4800 openssl.cpp:435] Will only verify peer certificate if presented!
> NOTE: Set LIBPROCESS_SSL_REQUIRE_CERT=1 to require peer certificate verification
> Could not load key file '/run/dcos/pki/tls/private/mesos-slave.key' (OpenSSL error #33558541): error:0200100D:system library:fopen:Permission denied
> {noformat}
> The variable {{LIBPROCESS_SSL_KEY_FILE}} obviously was handed from the agent to the mesos-fetcher. The fetcher does a SUID shortly after spawning but before initializing libprocess. libprocess gets initialized via subprocess call in {{static Try extract()}}. The file linked by that environment variable is root-only readable and hence that failure.

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
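
An added example, not part of the original message and not Mesos code or the fix committed for this issue: a pre-flight check a parent process could run before spawning a helper that switches user, flagging inherited `LIBPROCESS_SSL_*_FILE` variables whose target the post-switch identity cannot read. The helper names (`readableBy`, `unreadableAfterDrop`, `childEnvironment`), the name pattern, the drop-everything policy and the sample uid/gid are assumptions made for illustration.

```cpp
#include <sys/stat.h>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

using Env = std::map<std::string, std::string>;

// True if the classic mode bits let (uid, gid) read the file. Simplification:
// supplementary groups, ACLs and parent-directory permissions are ignored.
bool readableBy(const struct stat& st, uid_t uid, gid_t gid) {
  if (uid == 0) return true;  // root is not restricted by mode bits
  if (st.st_uid == uid) return (st.st_mode & S_IRUSR) != 0;
  if (st.st_gid == gid) return (st.st_mode & S_IRGRP) != 0;
  return (st.st_mode & S_IROTH) != 0;
}

static bool isSslFileVar(const std::string& n) {  // LIBPROCESS_SSL_*_FILE
  return n.size() > 20 && n.rfind("LIBPROCESS_SSL_", 0) == 0 &&
         n.compare(n.size() - 5, 5, "_FILE") == 0;
}

// SSL file variables whose target is missing or unreadable for (uid, gid).
std::vector<std::string> unreadableAfterDrop(const Env& env, uid_t uid, gid_t gid) {
  std::vector<std::string> bad;
  for (const auto& kv : env) {
    struct stat st;
    if (isSslFileVar(kv.first) &&
        (stat(kv.second.c_str(), &st) != 0 || !readableBy(st, uid, gid)))
      bad.push_back(kv.first);
  }
  return bad;
}

// Child environment: if any SSL file would be unreadable, drop every
// LIBPROCESS_SSL_* variable rather than pass on a half-usable SSL setup.
Env childEnvironment(Env env, uid_t uid, gid_t gid) {
  if (unreadableAfterDrop(env, uid, gid).empty()) return env;
  for (auto it = env.begin(); it != env.end();)
    it = (it->first.rfind("LIBPROCESS_SSL_", 0) == 0) ? env.erase(it) : ++it;
  return env;
}

int main() {  // constructed sample; uid/gid 1000 stand in for the task user
  Env env = {{"LIBPROCESS_SSL_ENABLED", "1"}, {"PATH", "/usr/bin"},
             {"LIBPROCESS_SSL_KEY_FILE", "/nonexistent/constructed.key"}};
  for (const auto& kv : childEnvironment(env, 1000, 1000))
    std::printf("%s=%s\n", kv.first.c_str(), kv.second.c_str());
}
```

Logging the names returned by `unreadableAfterDrop` in the parent gives an operator the variable at fault before the child fails with an OpenSSL `fopen` error.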