Overriding the default Linux user

ENTERPRISE

Learn how to override the default Linux user of your tasks and sandboxes.

About overriding the default Linux user

The default Linux user of a service or job can vary according to the security mode and the container type. See Linux users for more information.

The procedure for overriding the default Linux user varies by the type of service or job.

Overriding the default Linux user of a Universe service

Many Universe services ignore overrides of their user accounts except in strict mode. For services that support overriding the default Linux user, detailed steps are provided in Service Accounts. Refer to the section that pertains to the service of interest for step-by-step instructions. The procedures also include how to configure the service to use encryption and service accounts.

Remember to grant permission to perform the create action on the dcos:mesos:master:task:user[:<linux-user-name>] resource to the service account user that the Universe service is launched with. See Mesos Permissions for more information.

Overriding the default Linux user via Marathon app definition

Marathon app definitions provide a "user" key which you can use to override the default Linux user.

Tip: Refer to the Marathon documentation for more details on writing Marathon services.

The following quick tutorial demonstrates how the ownership works in action. Before you begin, make sure that:

  • The Linux user account already exists on the agent.
  • You have installed and are logged into the DC/OS CLI.
  • If your security mode is permissive or strict, you must follow the steps in Downloading the Root Cert before issuing the curl commands in this section. If your security mode is disabled, you must delete --cacert dcos-ca.crt from the commands before issuing them.
  • You have granted permission to perform the create action on the dcos:mesos:master:task:user:<linux-user-name> resource to the dcos_marathon DC/OS service account user.

Once you have met these prerequisites, complete the following steps to override the default Linux user.

  1. Create a Marathon app definition and save it with an informative name such as myservice.json. The following service will write the name of the user it’s running under to the logs, create a new file, and fetch the Mesosphere logo from dcos.io.

    {
      "id": "linux-user-override",
      "cmd": "whoami && tee file && sleep 1000",
      "user": "<your-test-user-account>",
      "uris": [
        "/1.11/img/logos/mesosphere.svg"
      ]
    }

Important: Don’t forget to replace <your-test-user-account> with the name of a Linux user that exists on the agent and differs from the default.

  2. Deploy the service using the Marathon API.

    curl -X POST --cacert dcos-ca.crt $(dcos config show core.dcos_url)/service/marathon/v2/apps -d @myservice.json -H "Content-type: application/json" -H "Authorization: token=$(dcos config show core.dcos_acs_token)"

  3. Check the Services tab of the DC/OS GUI to confirm that your app has successfully been created.

  4. Click your service and then click the Configuration tab.

  5. Scroll down to see the Linux user account that you specified as the value of User.

  6. Click the Tasks tab. By this time, your service should have succeeded in deploying. Click the task name.

  7. Click the Files tab.

  8. Observe the Linux user name that you passed in as the OWNER of the fetched and created files.

  9. Click to open the stdout file.

  10. Scroll to the bottom and you should see the results of the whoami command, i.e., the name of the user your task is running under.

Overriding the default Linux user via Metronome job definition

Metronome job definitions provide a "user" key which you can use to override the default Linux user.

Tip: Refer to the Jobs documentation for more information about creating and deploying jobs.

The following quick tutorial demonstrates how the ownership works in action. Before you begin, make sure that:

  • The Linux user account already exists on the agent.
  • You have installed and are logged into the DC/OS CLI.
  • If your security mode is permissive or strict, you must follow the steps in Downloading the Root Cert before issuing the curl commands in this section. If your security mode is disabled, you must delete --cacert dcos-ca.crt from the commands before issuing them.
  • You have granted permission to perform the create action on the dcos:mesos:master:task:user:<linux-user-name> resource to the dcos_metronome DC/OS service account user.

Once you have met these prerequisites, complete the following steps to override the default Linux user.

  1. Create a Metronome job definition and save it with an informative name such as myjob.json.

    {
      "id": "test-user-override",
      "run": {
        "artifacts": [
          {
            "uri": "/1.11/img/logos/mesosphere.svg"
          }
        ],
        "cmd": "whoami && printf 'iamme' | tee file && sleep 1000",
        "cpus": 0.01,
        "mem": 32,
        "disk": 0,
        "user": "<your-test-user-account>"
      }
    }

Important: Don’t forget to replace <your-test-user-account> with the name of a Linux user that exists on the agent and differs from the default. If you have not already provisioned a user, the Linux user nobody will exist.

  2. Deploy the job using the Metronome REST API.

    curl -X POST --cacert dcos-ca.crt $(dcos config show core.dcos_url)/service/metronome/v1/jobs -d @myjob.json -H "Content-type: application/json" -H "Authorization: token=$(dcos config show core.dcos_acs_token)"

  3. Check the Jobs tab of the DC/OS GUI to confirm that your job has successfully deployed.

  4. Click your job and then click Run Now.

  5. Open the drop-down menu from the top right by clicking the three stacked dots and select Run Now.

  6. Expand the job and click to open its task.

  7. Click to open the Files tab. Observe that all of the files have your Linux user as the OWNER.

  8. Click to open the stdout file.

  9. Scroll to the bottom and you should see the results of the whoami command, the name of the user your task is running under, followed by iamme.
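The Marathon and Metronome procedures above share one prerequisite that is easy to miss: the launching service account needs the create action on the resource for the overriding user. The following pre-deployment check is an added example, not part of the DC/OS documentation or tooling; it reads both definition formats and reports which grants are missing. The sample definitions, the user name batch, the GRANTED set and the function names are constructed for illustration, and treating a grant on the bare dcos:mesos:master:task:user resource as covering every user is an assumption drawn from the optional [:<linux-user-name>] suffix shown earlier.

```python
import json

PLACEHOLDER = "<your-test-user-account>"
BASE = "dcos:mesos:master:task:user"
# Service account that launches each kind of definition, as named on this page.
LAUNCHERS = {"marathon": "dcos_marathon", "metronome": "dcos_metronome"}


def required_grant(definition):
    """Return (service_account, resource) needing the create action.

    Marathon keeps "user" at the top level, Metronome under "run".
    Returns None when there is no override (task runs as the default user).
    """
    if isinstance(definition.get("run"), dict):
        kind, user = "metronome", definition["run"].get("user")
    else:
        kind, user = "marathon", definition.get("user")
    if user is None:
        return None
    if not isinstance(user, str) or not user.strip() or user == PLACEHOLDER:
        raise ValueError(f"{definition.get('id')}: 'user' is empty or still the placeholder")
    return LAUNCHERS[kind], f"{BASE}:{user}"


def missing_grants(definitions, granted):
    """List the (service_account, resource) pairs not covered by `granted`.

    Assumption: a grant on the bare BASE resource covers every user name,
    following the optional [:<linux-user-name>] suffix in the docs.
    """
    missing = []
    for definition in definitions:
        need = required_grant(definition)
        if need and need not in granted and (need[0], BASE) not in granted:
            missing.append(need)
    return missing


# Constructed sample input: one Marathon app, one Metronome job.
APP = json.loads('{"id": "linux-user-override", "cmd": "whoami", "user": "nobody"}')
JOB = json.loads('{"id": "test-user-override", "run": {"cmd": "whoami", "user": "batch"}}')
GRANTED = {("dcos_marathon", "dcos:mesos:master:task:user:nobody")}

if __name__ == "__main__":
    for account, resource in missing_grants([APP, JOB], GRANTED):
        print(f"grant create on {resource} to {account}")
```

Running the check against myservice.json or myjob.json before the curl POST catches an unreplaced placeholder and a missing permission before the deployment is attempted.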