The default Linux user of a service or job can vary according to the security mode and the container type. See Linux users for more information.
The procedure for overriding the default Linux user varies by the type of service or job.
- Overriding the default Linux user of a Catalog service
- Overriding the default user of a service via Marathon app definition
- Overriding the default user of a job via Metronome job definition
Overriding the default Linux user of a Catalog service
Many Catalog services ignore overrides of their user accounts except in strict mode. We provide detailed steps for overriding the default Linux user for services that support this in Service Accounts. Refer to the section pertaining to the service of interest for step-by-step instructions. The procedures also describe how to configure the service to use encryption and service accounts.
Remember to grant permission to perform the create action on the dcos:mesos:master:task:user[:<linux-user-name>] resource to the service account user that the Catalog service is launched with. See Mesos Permissions for more information.
Overriding the default Linux user via Marathon app definition
Marathon app definitions provide a "user" key which you can use to override the default Linux user.
Tip: Refer to the Marathon documentation for more details on writing Marathon services.
The following tutorial will demonstrate how ownership works in action. Before you begin, make sure that:
- The Linux user account already exists on the agent.
- You have installed and are logged into the DC/OS CLI.
- You have followed the steps in Downloading the Root Cert, which is required before issuing the curl commands in this section.
- You have granted permission to perform the create action on the dcos:mesos:master:task:user:<linux-user-name> resource to the dcos_marathon DC/OS service account user.
Once you have met these prerequisites, complete the following steps to override the default Linux user.
- Create a Marathon app definition and save it with an informative name such as myservice.json. The following service will write the name of the user it’s running under to the logs, create a new file, and fetch the Mesosphere logo from dcos.io.
  {
    "id": "linux-user-override",
    "cmd": "whoami && tee file && sleep 1000",
    "user": "<your-test-user-account>",
    "uris": [
      "/mesosphere/dcos/2.2/img/logos/mesosphere.svg"
    ]
  }
- Deploy the service using the Marathon API.
  curl -X POST --cacert dcos-ca.crt $(dcos config show core.dcos_url)/service/marathon/v2/apps -d @myservice.json -H "Content-type: application/json" -H "Authorization: token=$(dcos config show core.dcos_acs_token)"
- Check the Services tab of the DC/OS web interface to confirm that your app has been created successfully.
- Click your service and then click the Configuration tab.
- Scroll down to see the Linux user account that you specified as the value of User.
- Click the Tasks tab. By this time, your service should have succeeded in deploying. Click the task name.
- Click the Files tab.
- Observe the Linux user name that you passed in as the OWNER of the fetched and created files.
- Click to open the stdout file.
- Scroll to the bottom and you should see the results of the whoami command, that is, the name of the user your task is running under.
Overriding the default Linux user via Metronome job definition
Metronome job definitions provide a "user" key which you can use to override the default Linux user.
The following tutorial demonstrates how ownership works in action. Before you begin, make sure that:
- The Linux user account already exists on the agent.
- You have installed and are logged into the DC/OS CLI.
- You have followed the steps in Downloading the Root Cert, which is required before issuing the curl commands in this section.
- You have granted permission to perform the create action on the dcos:mesos:master:task:user:<linux-user-name> resource to the dcos_metronome DC/OS service account user.
Once you have met these prerequisites, complete the following steps to override the default Linux user.
- Create a Metronome job definition and save it with an informative name such as myjob.json.
  {
    "id": "test-user-override",
    "run": {
      "artifacts": [
        {
          "uri": "/mesosphere/dcos/2.2/img/logos/mesosphere.svg"
        }
      ],
      "cmd": "whoami && printf 'iamme' | tee file && sleep 1000",
      "cpus": 0.01,
      "mem": 32,
      "disk": 0,
      "user": "<your-test-user-account>"
    }
  }
- Deploy the job using the Metronome REST API.
  curl -X POST --cacert dcos-ca.crt $(dcos config show core.dcos_url)/service/metronome/v1/jobs -d @myjob.json -H "Content-type: application/json" -H "Authorization: token=$(dcos config show core.dcos_acs_token)"
- Check the Jobs tab of the DC/OS web interface to confirm that your job has successfully deployed.
- Click your job and then click Run Now.
- Open the drop-down menu from the top right by clicking the three stacked dots and select Run Now.
- Expand the job and click to open its task.
- Click to open the Files tab. Observe that all of the files have your Linux user as the OWNER.
- Click to open the stdout file.
- Scroll to the bottom and you should see the results of the whoami command, the name of the user your task is running under, followed by iamme.
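Both the Marathon and the Metronome procedure above depend on the create action on dcos:mesos:master:task:user:<linux-user-name> being granted to the launching service account. The following Python check is an added example, not part of the DC/OS documentation or tooling: it reads a Marathon app or Metronome job definition and reports which grant the override needs before the definition is posted. The function name required_grant, the account-name pattern, the refusal of root and the svc-test sample user are assumptions of this example.

```python
import json
import re

# Service account that launches each kind of definition (named on this page).
LAUNCHER = {"marathon": "dcos_marathon", "metronome": "dcos_metronome"}
# Conservative Linux account-name pattern; an assumption of this example.
NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def required_grant(definition_text):
    """Return (service_account, action, resource) needed for the override,
    or None when the definition sets no "user" and the default user applies.
    Raises ValueError for a user value that should not be deployed."""
    doc = json.loads(definition_text)
    # Metronome job definitions nest the key under "run"; Marathon app
    # definitions carry it at the top level.
    if isinstance(doc.get("run"), dict):
        kind, user = "metronome", doc["run"].get("user")
    else:
        kind, user = "marathon", doc.get("user")
    if user is None:
        return None
    if not isinstance(user, str) or not NAME_RE.match(user):
        # Catches an unreplaced <your-test-user-account> placeholder too.
        raise ValueError(f"{doc.get('id')}: invalid or placeholder user {user!r}")
    if user == "root":
        # Example policy, not a DC/OS rule: refuse explicit root overrides.
        raise ValueError(f"{doc.get('id')}: override to root rejected")
    return (LAUNCHER[kind], "create", f"dcos:mesos:master:task:user:{user}")


# Constructed sample definitions modelled on the two shown on this page.
SAMPLE_APP = '{"id": "linux-user-override", "cmd": "whoami", "user": "svc-test"}'
SAMPLE_JOB = '{"id": "test-user-override", "run": {"cmd": "whoami", "user": "svc-test"}}'
SAMPLE_PLACEHOLDER = '{"id": "linux-user-override", "user": "<your-test-user-account>"}'

if __name__ == "__main__":
    for text in (SAMPLE_APP, SAMPLE_JOB, SAMPLE_PLACEHOLDER):
        try:
            print(required_grant(text))
        except ValueError as err:
            print("refused:", err)
```

Running the check in a deployment pipeline before the curl POST surfaces a missing grant or an unreplaced placeholder earlier than a failed task launch would.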