Q: launchd - Mesos - login.keychain
I have about 15 Mac Towers running in a Mesos environment and I am having some issues with the creation and use of the login.keychain.
Mesos is a Data Center Operating system. Instead of thinking of VMs and containers like you would at AWS or Azure you just look at the data center as a way to run a task and that task could run on OSX, Windows, Linux, Solaris ...
We run a Mesos server that talks to a Mesos agent on each OSX machine. The Mesos environment uses libvirtd. The following use case is not working on OSX.
A Mesos agent running as root on OSX 10.11.5 creates a process and sets the UID and EUID to that of a non privileged user. That works as expected. This is what doesn't work. As that user I cannot create and list a login.keychain. There are indications that the following may be the root cause.
The question is -- how do I create a session in the process that has a valid login.keychain? Some snippets from email conversations about this topic on the Mesos mailing list:
This probably boils down to not being in the right launchd session. launchd(8) discusses this at a high level. You can see what is going on in your user session with "launchctl print user/$(id -u)".

I'm not sure what the right mechanics ought to be for Mesos. It used to be that you would use the "bsexec" subcommand to run something in a different session, but that is deprecated and I don't see an obvious replacement in the new subcommands. Maybe worth asking on the launchd-dev mailing list ...
There is no explicit statement about what Mesos means when it runs a task as some other user.
I think this is just ensure the running user of the task is the user you (sic) given. In Mesos, it just calls [setuid](http://linux.die.net/man/2/setuid) to change the user. It would not execute something like the bashrc script of the user.
When Mesos starts a task on an OSX machine, the task is run with setuid to the user I have asked for. When that user runs, I cannot get that user to have a default login keychain. I want to initialize the environment so that the user has something that looks like this:
existinguser$ security login-keychain
"/Users/rinaldo/Library/Keychains/login.keychain"
I have tried many options to create the above keychain for the other user that is running in a process that was created by Mesos and changed to that user with setuid. I understand that is likely not a Mesos issue. I am hoping someone on this alias has come across this issue or something similar. I have tried the following and they have all failed:
su -c .... as existinguser
/bin/login as existinguser
OSX is not Open Source so it is difficult to understand what it is they do to create a user environment. The "security" application has many options to create keychains, but when I use those options the keychains end up in
"/Library/Keychains/System.keychain"
I have not investigated how a user is able to create a keychain in the System.keychain when running as a user in a Mesos created process.
iMac, OS X El Capitan (10.11.5)
Posted on May 20, 2016 6:13 AM
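A diagnostic script for the setuid'd task process, added here as an example; it is not part of the original post and not Mesos code. It checks the three things the thread points at: whether HOME still belongs to the account after setuid (setuid(2) changes the uid but leaves the inherited environment alone), whether a launchd user session exists for the uid, and whether `security login-keychain` resolves to a path under that HOME. The `dscl` home-directory lookup and the helper names are assumptions of this example.

```sh
#!/bin/sh
# Hypothetical diagnostic to run as the Mesos task; not part of Mesos.
# Assumption under test: after setuid(2) the process keeps the parent's
# environment (HOME, USER), so "security" may resolve ~/Library/Keychains
# against the wrong home or fall back to the System keychain.

# Strip the surrounding quotes from the line "security login-keychain" prints.
unquote_path() {
    printf '%s\n' "$1" | sed -e 's/^[" ]*//' -e 's/[" ]*$//'
}

# Return 0 when the keychain path lives under $1/Library/Keychains, 1 otherwise.
# $1 = HOME to test against, $2 = raw line printed by "security login-keychain"
keychain_in_home() {
    home=$1
    path=$(unquote_path "$2")
    case "$path" in
        "$home"/Library/Keychains/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run the live checks (macOS only; launchctl, security and dscl are needed).
diagnose() {
    uid=$(id -u); user=$(id -un)
    echo "uid=$uid user=$user HOME=$HOME"
    # Home directory recorded for the account in Directory Services.
    account_home=$(dscl . -read "/Users/$user" NFSHomeDirectory 2>/dev/null | awk '{print $2}')
    if [ -n "$account_home" ] && [ "$account_home" != "$HOME" ]; then
        echo "WARN: HOME is $HOME but the account's home is $account_home (inherited across setuid?)"
    fi
    if launchctl print "user/$uid" >/dev/null 2>&1; then
        echo "launchd user session for uid $uid is present"
    else
        echo "WARN: no launchd user session for uid $uid (launchctl print user/$uid failed)"
    fi
    line=$(security login-keychain 2>&1)
    if keychain_in_home "$HOME" "$line"; then
        echo "login keychain OK: $line"
    else
        echo "WARN: login keychain is not under $HOME/Library/Keychains: $line"
    fi
}
```

Call `diagnose` from the task's command line and compare the output with what the same user sees in a normal GUI login session.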