Ah, okay this makes a lot of sense. Thanks Zameer!
> On Mar 20, 2015, at 11:19 AM, Zameer Manji <zma...@apache.org> wrote:
>
> Hey,
>
> I'm not the authority on this but I suspect Aurora does not set
> CommandInfo.user because that feature was added in 0.19.0
> <https://github.com/apache/mesos/commit/23d717741df7ca291270b762b7b93a37b4a144ef>
> and no one has ever thought about setting the field before. Your use case seems
> reasonable and I see no reason why Aurora cannot set this value and modify
> the executor appropriately.
>
>> On Thu, Mar 19, 2015 at 5:57 PM, Jay Buffington <m...@jaybuff.com> wrote:
>>
>> One pain point that currently exists with Aurora/Mesos/Docker integration
>> is that it requires making a choice between two bad options:
>>
>> 1) require that the aurora role exist in the docker image as a unix user
>> 2) run everything as root by setting "USER root" in the Dockerfile and pass
>> --nosetuid to the executor.
>>
>> I'd like to propose that mesos be modified to generate an /etc/passwd file
>> that includes a single entry: the CommandInfo.user with a stable uid. This
>> file will always overwrite whatever /etc/passwd is provided by the
>> container image.
>>
>> The problem here is that Aurora doesn't set CommandInfo.user and it
>> defaults to root. The aurora executor does chown of the sandbox dir and
>> then does a setuid to the user specified in the job key. This would always
>> fail with "user does not exist" [1] because the executor would only find
>> root in /etc/passwd.
>>
>> Why doesn't aurora set CommandInfo.user to the aurora role? If it did, we
>> would be able to solve this problem by having mesos generate a sensible
>> /etc/passwd for containers.
>>
>> Thanks!
>> Jay
>>
>> [1]
>> https://github.com/apache/incubator-aurora/blob/master/src/main/python/apache/aurora/executor/common/sandbox.py#L108
>>
>> --
>> Zameer Manji
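
The failure and the proposed fix discussed in this thread, as an added illustration that is not part of the original messages and is not Aurora or Mesos code: the role lookup fails against an image's root-only passwd file and succeeds against a generated single-entry one. The function names, the uid range and the hash-based `stable_uid` scheme are assumptions; the thread does not say how the stable uid would be chosen.

```python
import hashlib

# Constructed sample: the passwd file of an image that only defines root.
IMAGE_PASSWD = "root:x:0:0:root:/root:/bin/bash\n"
UID_MIN, UID_MAX = 10000, 59999  # assumed range for generated uids

def parse_passwd(text):
    """Parse passwd(5) text into {name: (uid, gid, home, shell)}."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed entries
        name, _pw, uid, gid, _gecos, home, shell = fields
        users[name] = (int(uid), int(gid), home, shell)
    return users

def resolve_user(passwd_text, role):
    """Mimic the name lookup that must succeed before chown/setuid."""
    users = parse_passwd(passwd_text)
    if role not in users:
        raise KeyError("user does not exist: %s" % role)
    return users[role]

def stable_uid(user):
    """Hypothetical scheme: same name gives the same uid on every host."""
    digest = hashlib.sha256(user.encode("utf-8")).digest()
    return UID_MIN + int.from_bytes(digest[:4], "big") % (UID_MAX - UID_MIN + 1)

def generate_passwd(user):
    """Build the single-entry passwd for CommandInfo.user."""
    # The name is written into a colon-delimited file, so reject anything
    # that could add fields or extra entries.
    if not user or any(c in user for c in ":\n\r"):
        raise ValueError("invalid user name: %r" % user)
    if user == "root":
        return "root:x:0:0:root:/root:/bin/sh\n"
    uid = stable_uid(user)
    return "%s:x:%d:%d::/:/bin/sh\n" % (user, uid, uid)

if __name__ == "__main__":
    role = "www-data"  # constructed Aurora role name
    try:
        resolve_user(IMAGE_PASSWD, role)
    except KeyError as err:
        print("image passwd:", err)
    print("generated passwd:", resolve_user(generate_passwd(role), role))
```

A hash-derived uid can collide for two different names, so a deployment that needs distinct uids per role would need an allocation scheme instead.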