In Mesos 1.6.0, the container sandbox directory mode was changed from 0755 to 0750 to tighten control over who can access a task's sandbox: only the sandbox owner (the task user) and its group can read it now, not every local user on the agent.
This is a breaking semantic change for the Docker containerizer. If the image specifies a user whose UID differs from the task's user UID (or, when the task sets no user, the FrameworkInfo user UID), the container process falls into the "other" permission class for the sandbox directory, and the 0750 mode leaves that class with no access at all.
Before (0755): the task can read the sandbox (cannot write)
After (0750): the task cannot read the sandbox (still cannot write)
Workarounds for affected apps
- Use UCR (the Mesos containerizer), where the task process runs as the task user, i.e. the sandbox owner
- Rebuild the Docker image without the USER instruction, so the container no longer runs as a UID that differs from the task user
- Set the Docker app user to root via Docker parameters:
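The before/after behaviour and the root/same-UID workarounds above follow directly from POSIX discretionary access control on the sandbox directory. The model below is an added example, not Mesos or DC/OS code: it picks the owner/group/other triplet the way the kernel does, evaluates the old and new sandbox modes for a container process whose UID differs from the task user, and checks a real directory's mode bits. The UIDs (1000 for the task user, 65534 for the image USER) are constructed; the model ignores user namespaces, MAC (SELinux/AppArmor) and per-file permissions inside the sandbox, and treats uid 0 as passing every check.

```python
import os
import stat
import tempfile
from dataclasses import dataclass

# POSIX permission bits as they appear in each rwx triplet of a mode.
R, W, X = 4, 2, 1


@dataclass(frozen=True)
class Proc:
    uid: int
    gids: frozenset  # primary + supplementary groups


@dataclass(frozen=True)
class Dir:
    mode: int  # permission bits only, e.g. 0o750
    uid: int
    gid: int


def dac_allows(d: Dir, p: Proc, want: int) -> bool:
    """Classic POSIX discretionary access check for a directory.

    uid 0 is modelled as passing every check, which is what
    CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH give a root process that keeps
    Docker's default capability set (assumption of this model).
    """
    if p.uid == 0:
        return True
    if p.uid == d.uid:
        shift = 6  # owner triplet
    elif d.gid in p.gids:
        shift = 3  # group triplet
    else:
        shift = 0  # "other" triplet
    bits = (d.mode >> shift) & 0o7
    return (bits & want) == want


def sandbox_access(sandbox_mode, task_uid, task_gid, container_uid, container_gids=()):
    """What a container process can do with a sandbox owned by the task user.

    "read" means listing the directory and traversing into it (r+x);
    "write" means creating files in it (w+x).
    """
    sandbox = Dir(mode=sandbox_mode, uid=task_uid, gid=task_gid)
    proc = Proc(uid=container_uid, gids=frozenset(container_gids))
    return {
        "read": dac_allows(sandbox, proc, R | X),
        "write": dac_allows(sandbox, proc, W | X),
    }


def real_mode(path):
    """Permission bits of a real directory, e.g. a sandbox under the agent work_dir."""
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    TASK_UID, TASK_GID = 1000, 1000  # constructed: framework/task user on the agent
    IMAGE_UID = 65534                # constructed: e.g. "USER nobody" in the Dockerfile

    print("before (0755):", sandbox_access(0o755, TASK_UID, TASK_GID, IMAGE_UID))
    print("after  (0750):", sandbox_access(0o750, TASK_UID, TASK_GID, IMAGE_UID))
    # Workarounds: run as the task user (no conflicting image USER) or as root.
    print("same uid     :", sandbox_access(0o750, TASK_UID, TASK_GID, TASK_UID))
    print("root         :", sandbox_access(0o750, TASK_UID, TASK_GID, 0))

    # Check the bits on a real directory the way you would on an agent.
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o750)
        print("real dir mode:", oct(real_mode(d)))
```

Two caveats the model makes visible. The root workaround only works while the container keeps CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH; an app that drops capabilities gets the "other" triplet like any unprivileged user. And because the owner triplet is 7 under both modes, a process running as the task user sees no change at all, which is why UCR and removing the image USER are unaffected.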
Solution for DC/OS
- Make the sandbox mode configurable in Mesos and backport the change to DC/OS (needs approval from the Mesos community)
- Patch DC/OS to change the Docker sandbox mode back to 0755, and notify the DC/OS community by email of the semantic change. Remove the patch after a deprecation cycle.