Hey, I'm not the authority on this but I suspect Aurora does not set CommandInfo.user because that feature was added in 0.19.0 <https://github.com/apache/mesos/commit/23d717741df7ca291270b762b7b93a37b4a144ef> and no one has ever thought about setting the field before. Your use case seems reasonable and I see no reason why Aurora cannot set this value and modify the executor appropriately.
On Thu, Mar 19, 2015 at 5:57 PM, Jay Buffington <m...@jaybuff.com> wrote:

> One pain point that currently exists with Aurora/Mesos/Docker integration
> is that it requires making a choice between two bad options:
>
> 1) require that the aurora role exist in the docker image as a unix user
> 2) run everything as root by setting "USER root" in the Dockerfile and pass
> --nosetuid to the executor.
>
> I'd like to propose that mesos be modified to generate an /etc/passwd file
> that includes a single entry: the CommandInfo.user with a stable uid. This
> file will always overwrite whatever /etc/passwd is provided by the
> container image.
>
> The problem here is that Aurora doesn't set CommandInfo.user and it
> defaults to root. The aurora executor does chown of the sandbox dir and
> then does a setuid to the user specified in the job key. This would always
> fail with "user does not exist" [1] because the executor would only find
> root in /etc/passwd.
>
> Why doesn't aurora set CommandInfo.user to the aurora role? If it did, we
> would be able to solve this problem by having mesos generate a sensible
> /etc/passwd for containers.
>
> Thanks!
> Jay
>
> [1]
> https://github.com/apache/incubator-aurora/blob/master/src/main/python/apache/aurora/executor/common/sandbox.py#L108
>
> --
> Zameer Manji
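
An added example, not part of either message and not Aurora or Mesos code: it reproduces the "user does not exist" lookup failure against a root-only passwd file and then generates the single-entry file the proposal describes. The hash-derived uid scheme, the uid range, the home directory and shell fields, and all function names are assumptions made for illustration; the thread does not say how the stable uid would be chosen.

```python
import hashlib

# Constructed sample: the only account visible when /etc/passwd holds just root.
ROOT_ONLY_PASSWD = "root:x:0:0:root:/root:/bin/sh\n"

UID_MIN, UID_MAX = 10000, 59999  # assumed range, clear of system accounts


def parse_passwd(text):
    """Map user name -> (uid, gid) from passwd(5) text, skipping bad lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        try:
            users[fields[0]] = (int(fields[2]), int(fields[3]))
        except ValueError:
            continue
    return users


def lookup(passwd_text, role):
    """Mimic the name lookup an executor performs before chown/setuid."""
    users = parse_passwd(passwd_text)
    if role not in users:
        raise KeyError("user does not exist: %s" % role)
    return users[role]


def stable_uid(role):
    """Assumed scheme: hash the name so every host derives the same uid.
    Two roles can collide; a real scheme would need to detect that."""
    digest = hashlib.sha256(role.encode("utf-8")).digest()
    return UID_MIN + int.from_bytes(digest[:8], "big") % (UID_MAX - UID_MIN + 1)


def generate_passwd(role):
    """Single-entry passwd text for the CommandInfo.user value."""
    # Reject field and line separators so a crafted name cannot smuggle in
    # extra fields or a second (for example uid 0) entry.
    if not role or any(c in role for c in ":\n\r"):
        raise ValueError("invalid user name")
    uid = stable_uid(role)
    return "%s:x:%d:%d::/nonexistent:/bin/sh\n" % (role, uid, uid)
```
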