diff --git a/SingularityExecutor/src/main/java/com/hubspot/singularity/executor/config/SingularityExecutorConfiguration.java b/SingularityExecutor/src/main/java/com/hubspot/singularity/executor/config/SingularityExecutorConfiguration.java
index be44d8845d..2f9267b050 100644
--- a/SingularityExecutor/src/main/java/com/hubspot/singularity/executor/config/SingularityExecutorConfiguration.java
+++ b/SingularityExecutor/src/main/java/com/hubspot/singularity/executor/config/SingularityExecutorConfiguration.java
@@ -219,6 +219,10 @@ public class SingularityExecutorConfiguration extends BaseRunnerConfiguration {
 @JsonProperty
 private String procCgroupFormat = "/proc/%s/cgroup";
+ @NotEmpty
+ @JsonProperty
+ private String switchUserCommandFormat = "sudo -E -u %s";
+
 @JsonProperty
 @NotEmpty
 private List artifactSignatureVerificationCommand = Arrays.asList("/usr/bin/gpg", "--verify", "{artifactSignaturePath}");
@@ -528,6 +532,14 @@ public void setProcCgroupFormat(String procCgroupFormat) {
 this.procCgroupFormat = procCgroupFormat;
 }
+ public String getSwitchUserCommandFormat() {
+ return switchUserCommandFormat;
+ }
+
+ public void setSwitchUserCommandFormat(String switchUserCommandFormat) {
+ this.switchUserCommandFormat = switchUserCommandFormat;
+ }
+
+ public List getArtifactSignatureVerificationCommand() {
 return artifactSignatureVerificationCommand;
 }
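Review bot: `@NotEmpty` on the new `switchUserCommandFormat` field only rejects a null or empty value, so a format with no `%s`, or with more than one specifier, is accepted when the configuration is loaded. With no `%s`, the `String.format` call in `SingularityExecutorTaskProcessBuilder` drops the user name silently and the run-as user never reaches the command; with extra specifiers it throws only when a task is launched. I would state the contract above the field, e.g. `// Command prefix emitted verbatim into runner.sh; must contain exactly one %s (the run-as user).`, and reject other shapes in `setSwitchUserCommandFormat`.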
@@ -587,8 +599,14 @@ public String toString() {
 ", useLocalDownloadService=" + useLocalDownloadService +
 ", localDownloadServiceTimeoutMillis=" + localDownloadServiceTimeoutMillis +
 ", maxTaskThreads=" + maxTaskThreads +
- ", dockerPrefix=" + dockerPrefix +
+ ", dockerPrefix='" + dockerPrefix + '\'' +
 ", dockerStopTimeout=" + dockerStopTimeout +
+ ", cgroupsMesosCpuTasksFormat='" + cgroupsMesosCpuTasksFormat + '\'' +
+ ", procCgroupFormat='" + procCgroupFormat + '\'' +
+ ", switchUserCommandFormat='" + switchUserCommandFormat + '\'' +
+ ", artifactSignatureVerificationCommand=" + artifactSignatureVerificationCommand +
+ ", failTaskOnInvalidArtifactSignature=" + failTaskOnInvalidArtifactSignature +
+ ", signatureVerifyOut='" + signatureVerifyOut + '\'' +
 ']';
 }
diff --git a/SingularityExecutor/src/main/java/com/hubspot/singularity/executor/models/RunnerContext.java b/SingularityExecutor/src/main/java/com/hubspot/singularity/executor/models/RunnerContext.java
index 606b52f2b1..81655af2f6 100644
--- a/SingularityExecutor/src/main/java/com/hubspot/singularity/executor/models/RunnerContext.java
+++ b/SingularityExecutor/src/main/java/com/hubspot/singularity/executor/models/RunnerContext.java
@@ -17,8 +17,9 @@ public class RunnerContext {
 private final Optional maxTaskThreads;
 private final boolean shouldChangeUser;
 private final Integer maxOpenFiles;
+ private final String switchUserCommand;
- public RunnerContext(String cmd, String taskAppDirectory, String logDir, String user, String logFile, String taskId, Optional maxTaskThreads, boolean shouldChangeUser, Integer maxOpenFiles) {
+ public RunnerContext(String cmd, String taskAppDirectory, String logDir, String user, String logFile, String taskId, Optional maxTaskThreads, boolean shouldChangeUser, Integer maxOpenFiles, String switchUserCommand) {
 this.cmd = cmd;
 this.taskAppDirectory = taskAppDirectory;
 this.logDir = logDir;
@@ -29,6 +30,7 @@ public RunnerContext(String cmd, String taskAppDirectory, String logDir, String
 this.maxTaskThreads = maxTaskThreads;
 this.shouldChangeUser = shouldChangeUser;
 this.maxOpenFiles = maxOpenFiles;
+ this.switchUserCommand = switchUserCommand;
 }
 public String getCmd() {
@@ -67,6 +69,10 @@ public Integer getMaxOpenFiles() {
 return maxOpenFiles;
 }
+ public String getSwitchUserCommand() {
+ return switchUserCommand;
+ }
+
 @Override
 public String toString() {
 return "RunnerContext[" +
@@ -78,6 +84,7 @@ public String toString() {
 ", taskId='" + taskId + '\'' +
 ", maxTaskThreads=" + maxTaskThreads +
 ", shouldChangeUser=" + shouldChangeUser +
+ ", switchUserCommand=" + switchUserCommand +
 ']';
 }
 }
diff --git a/SingularityExecutor/src/main/java/com/hubspot/singularity/executor/task/SingularityExecutorTaskProcessBuilder.java b/SingularityExecutor/src/main/java/com/hubspot/singularity/executor/task/SingularityExecutorTaskProcessBuilder.java
index bb4d89d33a..2feeed32bc 100644
--- a/SingularityExecutor/src/main/java/com/hubspot/singularity/executor/task/SingularityExecutorTaskProcessBuilder.java
+++ b/SingularityExecutor/src/main/java/com/hubspot/singularity/executor/task/SingularityExecutorTaskProcessBuilder.java
@@ -112,7 +112,8 @@ private ProcessBuilder buildProcessBuilder(TaskInfo taskInfo, ExecutorData execu
 task.getTaskId(),
 executorData.getMaxTaskThreads().or(configuration.getMaxTaskThreads()),
 !getExecutorUser().equals(executorData.getUser().or(configuration.getDefaultRunAsUser())),
- executorData.getMaxOpenFiles().orNull());
+ executorData.getMaxOpenFiles().orNull(),
+ String.format(configuration.getSwitchUserCommandFormat(), executorData.getUser().or(configuration.getDefaultRunAsUser())));
 EnvironmentContext environmentContext = new EnvironmentContext(taskInfo);
 if (taskInfo.hasContainer() && taskInfo.getContainer().hasDocker()) {
 task.getLog().info("Writing a runner script to execute {} in docker container", cmd);
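Review bot: In the `RunnerContext.toString()` hunk the new `switchUserCommand` entry is printed without the single quotes that the neighbouring string field `taskId` gets. The value contains spaces, so I would write `", switchUserCommand='" + switchUserCommand + '\'' +` to keep the field boundary readable in logs. The same commit already quotes `switchUserCommandFormat` this way in `SingularityExecutorConfiguration.toString()`.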
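Review bot: In `buildProcessBuilder` the run-as user is formatted into `switchUserCommand` without any check, and the `runner.sh.hbs` hunk then emits that string unescaped through `{{{ switchUserCommand }}}`, so whitespace or shell metacharacters in `executorData.getUser()` would become part of the shell line. The old template interpolated `{{{ user }}}` the same way, so this is not new exposure, but this call is now the single place to validate the value; how far `executorData` is trusted is not visible in this hunk. I would resolve the user once, `final String runAsUser = executorData.getUser().or(configuration.getDefaultRunAsUser());`, reject anything that does not match a conservative account-name pattern, and pass `runAsUser` to both the `equals` check and `String.format`, which also removes the duplicated expression. The method starts and ends outside this hunk.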
diff --git a/SingularityExecutor/src/main/resources/runner.sh.hbs b/SingularityExecutor/src/main/resources/runner.sh.hbs
index a7ab75f245..bbf4372bd2 100644
--- a/SingularityExecutor/src/main/resources/runner.sh.hbs
+++ b/SingularityExecutor/src/main/resources/runner.sh.hbs
@@ -62,8 +62,8 @@ fi
 # execute command
 {{#if shouldChangeUser}}
-echo "Executing: sudo -E -u {{{ user }}} {{#if maxOpenFiles}}/bin/bash -c 'ulimit -n {{{maxOpenFiles}}} && {{/if}}{{{ cmd }}}{{#if maxOpenFiles}}'{{/if}} >> ../{{{ logFile }}} 2>&1"
-exec sudo -E -u {{{ user }}} {{#if maxOpenFiles}}/bin/bash -c 'ulimit -n {{{maxOpenFiles}}} && {{/if}}{{{ cmd }}}{{#if maxOpenFiles}}'{{/if}} >> ../{{{ logFile }}} 2>&1
+echo "Executing: {{{ switchUserCommand }}} {{#if maxOpenFiles}}/bin/bash -c 'ulimit -n {{{maxOpenFiles}}} && {{/if}}{{{ cmd }}}{{#if maxOpenFiles}}'{{/if}} >> ../{{{ logFile }}} 2>&1"
+exec {{{ switchUserCommand }}} {{#if maxOpenFiles}}/bin/bash -c 'ulimit -n {{{maxOpenFiles}}} && {{/if}}{{{ cmd }}}{{#if maxOpenFiles}}'{{/if}} >> ../{{{ logFile }}} 2>&1
 {{else}}
 echo "Executing: {{{ cmd }}} >> ../{{{ logFile }}} 2>&1"
 {{#if maxOpenFiles}}ulimit -n {{{maxOpenFiles}}}{{/if}}
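Review bot: The template now runs whatever `switchUserCommand` holds, but nothing in `runner.sh.hbs` says where the value comes from or what shape it must have. A comment above the `exec` line would help, for example `# switchUserCommand is built from the executor's switchUserCommandFormat; it is emitted verbatim and must accept the task command as trailing arguments`. The same comment should say that passing the environment through is now the configured command's job, since the removed lines always used `sudo -E` and a replacement format without an equivalent flag would presumably start the task with a different environment.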