mesos-issues mailing list archives

From "Konstantin Kalin (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (MESOS-8356) Persistent volume ownership is set to root despite sandbox owner (frameworkInfo.user) when docker executor is used
Date Fri, 22 Dec 2017 14:55:00 GMT

     [ https://issues.apache.org/jira/browse/MESOS-8356?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Konstantin Kalin updated MESOS-8356:
------------------------------------
    Description: 
PersistentVolume ownership is not set to match the sandbox user when the docker executor is used. Looks like the issue was introduced by https://reviews.apache.org/r/45963/. I didn't check the universal containerizer yet.

As far as I understand, the following code is supposed to check that a volume is not already being used by other tasks/containers.

src/slave/containerizer/docker.cpp
{code:java}
    foreachvalue (const Container* container, containers_) {
      if (container->resources.contains(resource)) {
        isVolumeInUse = true;
        break;
      }
    }
{code}
But it doesn't exclude the container to be launched (in my case I have only one container - no group of tasks). Thus the ownership of the PersistentVolume stays "root" (I run mesos-agent under root) and it's impossible to use the volume inside the container. We always run processes inside Docker containers under an unprivileged user.

Making a small patch to exclude the container to be launched fixes the issue.
{code:java}
    foreachvalue (const Container* container, containers_) {
      if (container->resources.contains(resource) &&
          containerId != container->id) {
        isVolumeInUse = true;
        break;
      }
    }
{code}


  was:
PersistentVolume ownership is not set to match the sandbox user when the docker executor is used. Looks like the issue was introduced by https://reviews.apache.org/r/45963/. I didn't check the universal containerizer yet.

As far as I understand, the following code is supposed to check that a volume is not already being used by other tasks/containers.

src/slave/containerizer/docker.cpp
{code:java}
    foreachvalue (const Container* container, containers_) {
      if (container->resources.contains(resource)) {
        isVolumeInUse = true;
        break;
      }
    }
{code}
But it doesn't exclude the container to be launched (in my case I have only one container - no group of tasks). Thus the ownership of the PersistentVolume stays "root" (I run mesos-agent under root).

Making a small patch to exclude the container to be launched fixes the issue.
{code:java}
    foreachvalue (const Container* container, containers_) {
      if (container->resources.contains(resource) &&
          containerId != container->id) {
        isVolumeInUse = true;
        break;
      }
    }
{code}



> Persistent volume ownership is set to root despite sandbox owner (frameworkInfo.user) when docker executor is used
> ---------------------------------------------------------------------------------------------------------------------
>
>                 Key: MESOS-8356
>                 URL: https://issues.apache.org/jira/browse/MESOS-8356
>             Project: Mesos
>          Issue Type: Bug
>         Environment: Centos 7, Mesos 1.4.1, Docker Engine 1.13
>            Reporter: Konstantin Kalin
>              Labels: persistent-volumes
>



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
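To make the reported behaviour concrete, here is an added, self-contained model of the in-use check (example code, not Mesos source): `containers` stands in for the agent's `containers_` map, which already holds the container being launched when the check runs, and `volumeOwnerAfterLaunch` assumes (the page does not show this step) that the agent only chowns a volume to the sandbox user when the volume is not in use, and that a root agent creates volumes owned by root.

```cpp
#include <map>
#include <set>
#include <string>

// Minimal stand-in for the agent's per-container bookkeeping: each container
// records the resources (modelled here as persistent volume ids) it holds.
struct Container {
  std::string id;
  std::set<std::string> resources;
};

// Mirrors the check quoted in the issue. `containers` models `containers_`,
// which already contains the launching container at check time. With
// excludeLaunching == false (the reported behaviour) the launching container
// is counted as a user of its own volume, so a lone container always hits
// "in use". With excludeLaunching == true (the proposed patch) it is skipped.
bool volumeInUse(const std::map<std::string, Container>& containers,
                 const std::string& launchingId,
                 const std::string& volume,
                 bool excludeLaunching) {
  for (const auto& entry : containers) {
    const Container& container = entry.second;
    if (container.resources.count(volume) > 0 &&
        (!excludeLaunching || container.id != launchingId)) {
      return true;
    }
  }
  return false;
}

// Ownership the volume ends up with once the launch proceeds. Assumption
// (not shown on the page): the agent chowns a volume to frameworkInfo.user
// only when it is not in use, and volumes start out owned by root because
// the agent itself runs as root.
std::string volumeOwnerAfterLaunch(
    const std::map<std::string, Container>& containers,
    const std::string& launchingId,
    const std::string& volume,
    const std::string& sandboxUser,
    bool excludeLaunching) {
  const std::string initialOwner = "root";
  if (volumeInUse(containers, launchingId, volume, excludeLaunching)) {
    return initialOwner;  // treated as shared: ownership left untouched
  }
  return sandboxUser;     // sole user: chown to the sandbox user
}
```

With a single container holding `vol-1`, the unpatched check reports the volume as in use and the owner stays `root`; the patched check reports it free and the owner becomes the sandbox user, while a volume genuinely shared by a second container is still left alone.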
