mesos-reviews mailing list archives

From Andrei Budnik <abud...@mesosphere.com>
Subject Review Request 72478: Changed permissions for domain sockets to allow non-root executors.
Date Wed, 06 May 2020 18:19:45 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/72478/
-----------------------------------------------------------

Review request for mesos, Andrei Sekretenko, Benjamin Mahler, Greg Mann, and Qian Zhang.


Repository: mesos


Description
-------

Previously, the default permissions for domain sockets allowed
r/w access only for the file's user, so an executor launched under
a non-privileged user could not open the agent's socket. This patch
adds r/w permissions for the group and other users to address
the access problem.


Diffs
-----

  src/common/domain_sockets.hpp 6d2b0abfa456aa2b95d60057ecc94c6f075e74d9 


Diff: https://reviews.apache.org/r/72478/diff/1/


Testing
-------

# Without this patch

1. run master:
```
$ bin/mesos-master.sh --work_dir=~/mesos/build/vars/master
```

2. run agent with `--http_executor_domain_sockets=true` and `--http_command_executor=true`:
```
$ sudo GLOG_v=2 ./bin/mesos-agent.sh --resources="cpus:10;mem:100000" --http_executor_domain_sockets=true \
    --http_command_executor=true --work_dir=/home/nobody/mesos/build/var/agent-1 --containerizers="docker,mesos" \
    --master="`hostname`:5050"
```

3. launch a task via `mesos-execute` as a non-root user:
```
$ ./src/mesos-execute --master="`hostname`:5050" --name="a" --containerizer=mesos --command="sleep 1"

...
Received status update TASK_FAILED for task 'a'
  message: 'Executor terminated'
  source: SOURCE_AGENT
  reason: REASON_EXECUTOR_TERMINATED
```

# This patch applied

Task successfully finished.


Thanks,

Andrei Budnik

