mesos-reviews mailing list archives

From Gilbert Song <songzihao1...@gmail.com>
Subject Re: Review Request 61120: Fixed the sandbox_path volume source path ownership.
Date Wed, 26 Jul 2017 00:09:35 GMT


> On July 25, 2017, 4:25 p.m., Jie Yu wrote:
> > src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp
> > Lines 164-175 (original), 164-177 (patched)
> > <https://reviews.apache.org/r/61120/diff/1/?file=1782378#file1782378line164>
> >
> >     If `source` already exists, let's try not to do chown.

Agree.


- Gilbert


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/61120/#review181402
-----------------------------------------------------------


On July 25, 2017, 4:15 p.m., Gilbert Song wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/61120/
> -----------------------------------------------------------
> 
> (Updated July 25, 2017, 4:15 p.m.)
> 
> 
> Review request for mesos, Greg Mann, Ilya Pronin, Jie Yu, James Peach, Vinod Kone, and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-7830
>     https://issues.apache.org/jira/browse/MESOS-7830
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> This bugfix addresses the issue from MESOS-7830. Basically, the
> sandbox path volume ownership was not set correctly. This issue
> can be exposed if a framework user is non-root while the agent
> process runs as root. Then, the non-root user does not have
> permissions to write to this volume.
> 
> The correct solution should be giving permissions to corresponding
> users by leveraging supplementary groups. But we can still
> introduce a workaround in this patch by changing the ownership
> of the sandbox path volume to its sandbox's ownership.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/isolators/volume/sandbox_path.cpp 6f7304d4aa40eb1b4815ffc1fec61f7e98291cba

> 
> 
> Diff: https://reviews.apache.org/r/61120/diff/1/
> 
> 
> Testing
> -------
> 
> make check
> 
> 
> Thanks,
> 
> Gilbert Song
> 
>
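
An added illustration, not the Mesos patch and not code from this thread: the workaround from the description (give the sandbox path volume source its sandbox's ownership) combined with the review comment (skip the chown when `source` already exists). The function name and return codes are hypothetical, plain POSIX calls stand in for Mesos's own helpers, and the symlink checks are extra hardening assumed here rather than taken from the review.

```cpp
#include <cerrno>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Hypothetical helper, not a Mesos API. Returns:
//   1  `source` was created and given the sandbox's uid/gid,
//   0  `source` already existed as a directory (ownership left untouched),
//  -1  error, or `source` exists but is not a real directory.
int ensureVolumeSource(const std::string& sandbox, const std::string& source)
{
  struct stat sandboxStat;
  if (::stat(sandbox.c_str(), &sandboxStat) != 0 ||
      !S_ISDIR(sandboxStat.st_mode)) {
    return -1;
  }

  if (::mkdir(source.c_str(), 0755) != 0) {
    if (errno != EEXIST) {
      return -1;
    }
    // Pre-existing source: do not chown it. lstat() does not follow
    // symlinks, so a link planted at this path is rejected.
    struct stat sourceStat;
    if (::lstat(source.c_str(), &sourceStat) != 0 ||
        !S_ISDIR(sourceStat.st_mode)) {
      return -1;
    }
    return 0;
  }

  // Freshly created: change ownership through a descriptor opened with
  // O_NOFOLLOW, so a path swapped in after mkdir() cannot redirect the chown.
  int fd = ::open(source.c_str(), O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
  if (fd < 0) {
    return -1;
  }
  int rc = ::fchown(fd, sandboxStat.st_uid, sandboxStat.st_gid);
  ::close(fd);
  return rc == 0 ? 1 : -1;
}

int main(int argc, char** argv)
{
  // Usage: <program> <sandbox-dir> <volume-source-dir>
  return (argc == 3 && ensureVolumeSource(argv[1], argv[2]) >= 0) ? 0 : 1;
}
```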

