Date: Wed, 18 Feb 2015 17:33:31 -0500
Subject: Re: Getting secure data into Docker containers
From: Steve Niemitz
To: dev@aurora.incubator.apache.org

I was planning on starting both mount and network mode support either next week or the week after. (Probably network mode support first).

However, based on the feedback from Bill, I think I might start with his suggestion in the ticket, and allow static mounts specified to the scheduler. This would also lay the framework for per-job mounts, but with less of a security concern.

On Wed, Feb 18, 2015 at 5:06 PM, Bill Farner wrote:

> Mounts is the most lo fi approach that comes to mind. I'd be in support of
> patches to satisfy (part of) AURORA-1107 to fulfill this need (which would
> hopefully be distinct from another perspective on AURORA-1107 in which
> end-users of Aurora can request arbitrary mounts).
>
> -=Bill
>
> On Wed, Feb 18, 2015 at 1:19 PM, Hussein Elgridly <hussein@broadinstitute.org> wrote:
>
> > Aurorans,
> >
> > We have some secure data (think login credentials) that we need to access
> > from inside a Docker container launched by Aurora. I'm trying to figure out
> > the best approach for getting them inside the container, since baking them
> > into the image is a can of worms I don't want to open.
> >
> > The ideal solution would be to put the creds on the Mesos slaves and then
> > mount them on the container, but Aurora doesn't have the means to do this
> > yet. If the answer is "wait a week and AURORA-1107 will be done", then
> > great; but if not, anyone have any ideas?
> >
> > Thanks,
> > Hussein Elgridly
> > Senior Software Engineer, DSDE
> > The Broad Institute of MIT and Harvard