DCOS_OSS-4415: Container launched by the Docker containerizer changed the sandbox mode from 0755 to 0750 in DC/OS 1.12

    Details

    • Sprint: Containerization R7 Sprint 33, Containerization R8 Sprint 34
    • Story Points: 5

      Description

      Caused by https://issues.apache.org/jira/browse/MESOS-8332

      In Mesos 1.6.0, the mode of the container sandbox directory was changed from 0755 to 0750 to give tighter control over who can access the sandbox.

      Impact

      This is a breaking semantic change in the Docker containerizer when the image specifies a user whose UID is not the task's user UID (or the FrameworkInfo user UID, if the task specifies no user):

      Before: the task can read the sandbox (but cannot write to it)
      After: the task cannot read the sandbox (and still cannot write to it)

      Workaround

      1. Use UCR
      2. Rebuild the Docker image and remove the image user
      3. Set the Docker app user to root via parameters:
              "parameters": [
                {
                  "key": "user",
                  "value": "root"
                }
              ]
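As an added illustration (not code from DC/OS or Mesos), the block below models the POSIX directory-permission check that produces the Before/After behaviour described under Impact, and shows why workaround 3 (running as root) restores access; the UIDs 1000 and 1001 and the GIDs are constructed values.

```python
"""Model of the POSIX directory-permission check that decides whether a
container process can read or write its Mesos sandbox directory.

Added example, not code from DC/OS or Mesos. The sandbox is owned by the
task (or FrameworkInfo) user; the container process runs as the user the
Docker image specifies. Only mode bits and UID/GID matching are modelled;
root's CAP_DAC_OVERRIDE bypass is represented by uid 0.
"""
from typing import NamedTuple, FrozenSet


class Sandbox(NamedTuple):
    mode: int   # permission bits, e.g. 0o750
    uid: int    # owner (task user)
    gid: int    # owning group


class Process(NamedTuple):
    uid: int
    gids: FrozenSet[int]  # primary + supplementary groups


def sandbox_access(sb: Sandbox, proc: Process) -> dict:
    """Return {'read': bool, 'write': bool} for proc on sb.

    Listing a directory needs the r bit, creating entries needs the w bit,
    and either one also needs the x (search) bit of the applicable class.
    """
    if proc.uid == 0:  # root bypasses mode bits (CAP_DAC_OVERRIDE)
        return {"read": True, "write": True}
    if proc.uid == sb.uid:
        shift = 6   # owner class
    elif sb.gid in proc.gids:
        shift = 3   # group class
    else:
        shift = 0   # other class
    bits = (sb.mode >> shift) & 0o7
    searchable = bool(bits & 0o1)
    return {
        "read": bool(bits & 0o4) and searchable,
        "write": bool(bits & 0o2) and searchable,
    }


def dcos_scenario(sandbox_mode: int) -> dict:
    """Page's scenario: image user (uid 1001, constructed) differs from the
    task user (uid 1000, constructed) that owns the sandbox."""
    sb = Sandbox(mode=sandbox_mode, uid=1000, gid=1000)
    image_user = Process(uid=1001, gids=frozenset({1001}))
    return sandbox_access(sb, image_user)
```

With mode 0755 the image user falls into the "other" class and gets r-x (read, no write); with 0750 that class has no bits, so even reading fails, while uid 0 or a matching UID still succeeds.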

      Solution for DC/OS

      1. Make the sandbox mode configurable in Mesos and backport it to DC/OS (needs approval from the Mesos community)
      2. Patch DC/OS to change the Docker sandbox mode back to 0755 and send an email to the DC/OS community announcing this semantic change. Remove the patch after a deprecation cycle.

            People

            • Assignee: Gilbert Song (gilbert)
            • Reporter: Gilbert Song (gilbert)
            • Team: Mesos Team
            • Watchers (5): Gilbert Song, Lisa Gunn, Mergebot, Till Toenshoff, Vinod Kone