rinaldodigital

Q: launchd - Mesos - login.keychain

I have about 15 Mac Towers running in a Mesos environment and I am having some issues with the creation and use of the login.keychain.

Mesos is a Data Center Operating system. Instead of thinking of VMs and containers like you would at AWS or Azure you just look at the data center as a way to run a task and that task could run on OSX, Windows, Linux, Solaris ...

We run a Mesos server that talks to a Mesos agent on each OSX machine. The Mesos environment uses libvirtd. The following use case is not working on OSX.

A Mesos agent running as root on OSX 10.11.5 creates a process and sets the UID and EUID to that of a non privileged user. That works as expected. This is what doesn't work. As that user I cannot create and list a login.keychain. There are indications that the following may be the root cause.

The question is -- how do I create a session in the process that has a valid login.keychain? Some snippets from email conversations about this topic on the Mesos mailing list.

This probably boils down to not being in the right launchd session. launchd(8) discusses this at a high level. You can see what is going on in your user session with "launchctl print user/$(id -u)".

I'm not sure what the right mechanics ought to be for Mesos. It used to be that you would use the "bsexec" subcommand to run something in a different session, but that is deprecated and I don't see an obvious replacement in the new subcommands. Maybe worth asking on the launchd-dev mailing list ...

There is no explicit statement about what Mesos means when it runs a task as some other user.


I think this just ensures the running user of the task is the user you gave. In Mesos, it just calls the [setuid](http://linux.die.net/man/2/setuid) to change the user; it would not execute something like the bashrc script of the user.

When Mesos starts a task on an OSX machine, the task is run with setuid to the user I have asked for. When that user runs I cannot get that user to have a default login keychain. I want to initialize the environment so that user has something that looks like this.

existinguser$ security login-keychain
    "/Users/rinaldo/Library/Keychains/login.keychain"


I have tried many options to create the above keychain for the other user that is running in a process that was created by Mesos and changed to that user with setuid. I understand that this is likely not a Mesos issue. I am hoping someone on this alias has come across this issue or something similar. I have tried the following and they have all failed.

su -c   ....    as existinguser

/bin/login as existinguser

OSX is not Open Source so it is difficult to understand what it is they do to create a user environment. The "security" application has many options to create keychains but when I use those options the keychains end up in

    "/Library/Keychains/System.keychain"

I have not investigated how a user is able to create a keychain in the System.keychain when running as a user in a Mesos created process.

iMac, OS X El Capitan (10.11.5)

Posted on May 20, 2016 6:13 AM
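As an added example (not from the original post and not Mesos code), a small POSIX sh check a task could run at startup to tell whether it was handed a per-user login keychain or, as the post describes, fell through to /Library/Keychains/System.keychain. It assumes the task knows the expected home directory of the user it was setuid'd to, and that `security` is only available on the macOS host; on a host without it the check fails closed.

```shell
#!/bin/sh
# Added example: classify what `security login-keychain` reports inside a task.
# Assumption: the caller passes the expected home directory of the task user.

# classify_login_keychain OUTPUT HOME
# Prints one of: user-login-keychain, system-keychain, foreign-keychain, none.
# OUTPUT is the raw text printed by `security login-keychain` (quoted path,
# possibly indented); HOME is the home directory the task user should have.
classify_login_keychain() {
    # Trim surrounding whitespace, then the double quotes around the path.
    path=$(printf '%s' "$1" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    path=${path#\"}
    path=${path%\"}
    case "$path" in
        "") printf 'none\n' ;;
        /Library/Keychains/System.keychain) printf 'system-keychain\n' ;;
        # login.keychain on 10.11; later macOS releases use login.keychain-db.
        "$2"/Library/Keychains/login.keychain|"$2"/Library/Keychains/login.keychain-db)
            printf 'user-login-keychain\n' ;;
        *) printf 'foreign-keychain\n' ;;
    esac
}

# check_task_keychain HOME
# Returns 0 only when the per-user login keychain is active for this process.
# Anything else (system keychain, another user's keychain, no `security`
# binary at all) returns 1 so the task can stop before storing secrets in
# the wrong keychain.
check_task_keychain() {
    if command -v security >/dev/null 2>&1; then
        out=$(security login-keychain 2>/dev/null || true)
    else
        out=""
    fi
    kind=$(classify_login_keychain "$out" "$1")
    printf 'login keychain: %s\n' "$kind"
    if [ "$kind" != user-login-keychain ]; then
        # Point the operator at the launchd session, as suggested in the post.
        printf 'no per-user login keychain; inspect the session with: launchctl print user/%s\n' "$(id -u)" >&2
        return 1
    fi
    return 0
}
```

The constructed inputs in the comments mirror the two outputs shown in the post: the working user's path and the System.keychain path that the setuid-only process produced.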