mesos-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From git-site-r...@apache.org
Subject [2/2] mesos-site git commit: Updated the website built from mesos SHA: 4c71ba1.
Date Fri, 18 Aug 2017 17:50:56 GMT
Updated the website built from mesos SHA: 4c71ba1.


Project: http://git-wip-us.apache.org/repos/asf/mesos-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos-site/commit/7f3eab90
Tree: http://git-wip-us.apache.org/repos/asf/mesos-site/tree/7f3eab90
Diff: http://git-wip-us.apache.org/repos/asf/mesos-site/diff/7f3eab90

Branch: refs/heads/asf-site
Commit: 7f3eab90378d67d949436d528c9e4c9fd1720aff
Parents: b4af79f
Author: jenkins <builds@apache.org>
Authored: Fri Aug 18 17:50:53 2017 +0000
Committer: jenkins <builds@apache.org>
Committed: Fri Aug 18 17:50:53 2017 +0000

----------------------------------------------------------------------
 content/documentation/configuration/index.html  |   49 +
 content/documentation/index.html                |    1 +
 .../latest/configuration/index.html             |   49 +
 .../endpoints/master/frameworks/index.html      |    2 +-
 .../slave/api/v1/resource_provider/index.html   |    2 +-
 content/documentation/latest/index.html         |    1 +
 content/documentation/latest/secrets/index.html |  299 +
 content/documentation/secrets/index.html        |  299 +
 content/sitemap.xml                             | 8378 +++++++++---------
 9 files changed, 4893 insertions(+), 4187 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos-site/blob/7f3eab90/content/documentation/configuration/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/configuration/index.html b/content/documentation/configuration/index.html
index 84cf5c2..9c4e96f 100644
--- a/content/documentation/configuration/index.html
+++ b/content/documentation/configuration/index.html
@@ -323,6 +323,33 @@ Cannot be used in conjunction with <code>--ip</code>.
 </tr>
 <tr>
   <td>
+    --ip6=VALUE
+  </td>
+  <td>
+IPv6 address to listen on. This cannot be used in conjunction
+with <code>--ip6_discovery_command</code>.
+<p/>
+NOTE: Currently Mesos doesn't listen on IPv6 sockets and hence
+this IPv6 address is only used to advertise IPv6 addresses for
+containers running on the host network.
+  </td>
+</tr>
+<tr>
+  <td>
+    --ip6_discovery_command=VALUE
+  </td>
+  <td>
+Optional IPv6 discovery binary: if set, it is expected to emit
+the IPv6 address on which Mesos will try to bind when IPv6 socket
+support is enabled in Mesos.
+<p/>
+NOTE: Currently Mesos doesn't listen on IPv6 sockets and hence
+this IPv6 address is only used to advertise IPv6 addresses for
+containers running on the host network.
+  </td>
+</tr>
+<tr>
+  <td>
     --modules=VALUE
   </td>
   <td>
@@ -1766,6 +1793,16 @@ terminations may occur.
   <td>
 Parent directory for fetcher cache directories
 (one subdirectory per agent). (default: /tmp/mesos/fetch)
+
+Directory for the fetcher cache. The agent will clear this directory
+on startup. It is recommended to set this value to a separate volume
+for several reasons:
+<ul>
+<li> The cache directories are transient and not meant to be
+     backed up. Upon restarting the agent, the cache is always empty. </li>
+<li> The cache and container sandboxes can potentially interfere with
+     each other when occupying a shared space (i.e. disk contention). </li>
+</ul>
   </td>
 </tr>
 <tr>
@@ -2190,6 +2227,18 @@ state as possible is recovered.
 </tr>
 <tr>
   <td>
+    --secret_resolver=VALUE
+  </td>
+  <td>
+The name of the secret resolver module to use for resolving
+environment and file-based secrets. If this flag is not specified,
+the default behavior is to resolve value-based secrets and error on
+reference-based secrets.
+  </td>
+</tr>
+
+<tr>
+  <td>
     --[no-]switch_user
   </td>
   <td>

http://git-wip-us.apache.org/repos/asf/mesos-site/blob/7f3eab90/content/documentation/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/index.html b/content/documentation/index.html
index 5e33eb3..9870c4f 100644
--- a/content/documentation/index.html
+++ b/content/documentation/index.html
@@ -155,6 +155,7 @@
 <li><a href="/documentation/latest/./monitoring/">Monitoring</a></li>
 <li><a href="/documentation/latest/./operational-guide/">Operational Guide</a></li>
 <li><a href="/documentation/latest/./roles/">Roles</a></li>
+<li><a href="/documentation/latest/./secrets/">Secrets</a> for managing
secrets within Mesos.</li>
 <li><a href="/documentation/latest/./ssl/">SSL</a> for enabling and enforcing
SSL communication.</li>
 <li><a href="/documentation/latest/./nested-container-and-task-group/">Nested
Container and Task Group (Pod)</a></li>
 <li><a href="/documentation/latest/./tools/">Tools</a> for setting up and
running a Mesos cluster.</li>

http://git-wip-us.apache.org/repos/asf/mesos-site/blob/7f3eab90/content/documentation/latest/configuration/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/latest/configuration/index.html b/content/documentation/latest/configuration/index.html
index 02c75f2..46335ba 100644
--- a/content/documentation/latest/configuration/index.html
+++ b/content/documentation/latest/configuration/index.html
@@ -323,6 +323,33 @@ Cannot be used in conjunction with <code>--ip</code>.
 </tr>
 <tr>
   <td>
+    --ip6=VALUE
+  </td>
+  <td>
+IPv6 address to listen on. This cannot be used in conjunction
+with <code>--ip6_discovery_command</code>.
+<p/>
+NOTE: Currently Mesos doesn't listen on IPv6 sockets and hence
+this IPv6 address is only used to advertise IPv6 addresses for
+containers running on the host network.
+  </td>
+</tr>
+<tr>
+  <td>
+    --ip6_discovery_command=VALUE
+  </td>
+  <td>
+Optional IPv6 discovery binary: if set, it is expected to emit
+the IPv6 address on which Mesos will try to bind when IPv6 socket
+support is enabled in Mesos.
+<p/>
+NOTE: Currently Mesos doesn't listen on IPv6 sockets and hence
+this IPv6 address is only used to advertise IPv6 addresses for
+containers running on the host network.
+  </td>
+</tr>
+<tr>
+  <td>
     --modules=VALUE
   </td>
   <td>
@@ -1766,6 +1793,16 @@ terminations may occur.
   <td>
 Parent directory for fetcher cache directories
 (one subdirectory per agent). (default: /tmp/mesos/fetch)
+
+Directory for the fetcher cache. The agent will clear this directory
+on startup. It is recommended to set this value to a separate volume
+for several reasons:
+<ul>
+<li> The cache directories are transient and not meant to be
+     backed up. Upon restarting the agent, the cache is always empty. </li>
+<li> The cache and container sandboxes can potentially interfere with
+     each other when occupying a shared space (i.e. disk contention). </li>
+</ul>
   </td>
 </tr>
 <tr>
@@ -2190,6 +2227,18 @@ state as possible is recovered.
 </tr>
 <tr>
   <td>
+    --secret_resolver=VALUE
+  </td>
+  <td>
+The name of the secret resolver module to use for resolving
+environment and file-based secrets. If this flag is not specified,
+the default behavior is to resolve value-based secrets and error on
+reference-based secrets.
+  </td>
+</tr>
+
+<tr>
+  <td>
     --[no-]switch_user
   </td>
   <td>

http://git-wip-us.apache.org/repos/asf/mesos-site/blob/7f3eab90/content/documentation/latest/endpoints/master/frameworks/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/latest/endpoints/master/frameworks/index.html b/content/documentation/latest/endpoints/master/frameworks/index.html
index 0fea18a..81e1947 100644
--- a/content/documentation/latest/endpoints/master/frameworks/index.html
+++ b/content/documentation/latest/endpoints/master/frameworks/index.html
@@ -138,7 +138,7 @@ found.</p>
 
 <p>Query parameters:</p>
 
-<blockquote><pre><code>   framework_id=VALUE   The ID of the framework
returned (when no framework ID specified, all frameworks will be returned).
+<blockquote><pre><code>   framework_id=VALUE   The ID of the framework
returned (if no framework ID is specified, all frameworks will be returned).
 </code></pre></blockquote>
 
 <h3>AUTHENTICATION</h3>

http://git-wip-us.apache.org/repos/asf/mesos-site/blob/7f3eab90/content/documentation/latest/endpoints/slave/api/v1/resource_provider/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/latest/endpoints/slave/api/v1/resource_provider/index.html
b/content/documentation/latest/endpoints/slave/api/v1/resource_provider/index.html
index 3234403..3078712 100644
--- a/content/documentation/latest/endpoints/slave/api/v1/resource_provider/index.html
+++ b/content/documentation/latest/endpoints/slave/api/v1/resource_provider/index.html
@@ -124,7 +124,7 @@
 
 <h3>TL;DR;</h3>
 
-<p>Endpoint for the Local Resource Provider HTTP API.</p>
+<p>Endpoint for the local resource provider HTTP API.</p>
 
 <h3>DESCRIPTION</h3>
 

http://git-wip-us.apache.org/repos/asf/mesos-site/blob/7f3eab90/content/documentation/latest/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/latest/index.html b/content/documentation/latest/index.html
index 1c1513c..1273427 100644
--- a/content/documentation/latest/index.html
+++ b/content/documentation/latest/index.html
@@ -155,6 +155,7 @@
 <li><a href="/documentation/latest/./monitoring/">Monitoring</a></li>
 <li><a href="/documentation/latest/./operational-guide/">Operational Guide</a></li>
 <li><a href="/documentation/latest/./roles/">Roles</a></li>
+<li><a href="/documentation/latest/./secrets/">Secrets</a> for managing
secrets within Mesos.</li>
 <li><a href="/documentation/latest/./ssl/">SSL</a> for enabling and enforcing
SSL communication.</li>
 <li><a href="/documentation/latest/./nested-container-and-task-group/">Nested
Container and Task Group (Pod)</a></li>
 <li><a href="/documentation/latest/./tools/">Tools</a> for setting up and
running a Mesos cluster.</li>

http://git-wip-us.apache.org/repos/asf/mesos-site/blob/7f3eab90/content/documentation/latest/secrets/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/latest/secrets/index.html b/content/documentation/latest/secrets/index.html
new file mode 100644
index 0000000..2f539f4
--- /dev/null
+++ b/content/documentation/latest/secrets/index.html
@@ -0,0 +1,299 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>Apache Mesos - Secrets Handling</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+
+    <meta property="og:locale" content="en_US"/>
+    <meta property="og:type" content="website"/>
+    <meta property="og:title" content="Apache Mesos"/>
+    <meta property="og:site_name" content="Apache Mesos"/>
+    <meta property="og:url" content="http://mesos.apache.org/"/>
+    <meta property="og:image" content="http://mesos.apache.org/assets/img/mesos_logo_fb_preview.png"/>
+    <meta property="og:description"
+          content="Apache Mesos abstracts resources away from machines,
+                   enabling fault-tolerant and elastic distributed systems
+                   to easily be built and run effectively."/>
+
+    <meta name="twitter:card" content="summary"/>
+    <meta name="twitter:site" content="@ApacheMesos"/>
+    <meta name="twitter:title" content="Apache Mesos"/>
+    <meta name="twitter:image" content="http://mesos.apache.org/assets/img/mesos_logo_fb_preview.png"/>
+    <meta name="twitter:description"
+          content="Apache Mesos abstracts resources away from machines,
+                   enabling fault-tolerant and elastic distributed systems
+                   to easily be built and run effectively."/>
+
+    <link href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css" rel="stylesheet">
+    <link rel="alternate" type="application/atom+xml" title="Apache Mesos Blog" href="/blog/feed.xml">
+    <link href="../../../assets/css/main.css" media="screen" rel="stylesheet" type="text/css"
/>
+
+    
+
+    <!-- Google Analytics Magic -->
+    <script type="text/javascript">
+    var _gaq = _gaq || [];
+    _gaq.push(['_setAccount', 'UA-20226872-1']);
+    _gaq.push(['_setDomainName', 'apache.org']);
+    _gaq.push(['_trackPageview']);
+
+    (function() {
+      var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async =
true;
+      ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') +
'.google-analytics.com/ga.js';
+      var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
+    })();
+    </script>
+    
+  </head>
+  <body>
+    <!-- magical breadcrumbs -->
+    <div class="topnav">
+      <div class="container">
+        <ul class="breadcrumb">
+          <li>
+            <div class="dropdown">
+              <a data-toggle="dropdown" href="#">Apache Software Foundation <span
class="caret"></span></a>
+              <ul class="dropdown-menu" role="menu" aria-labelledby="dLabel">
+                <li><a href="http://www.apache.org">Apache Homepage</a></li>
+                <li><a href="http://www.apache.org/licenses/">License</a></li>
+                <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+                <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+                <li><a href="http://www.apache.org/security/">Security</a></li>
+              </ul>
+            </div>
+          </li>
+
+          <li><a href="http://mesos.apache.org">Apache Mesos</a></li>
+          
+          
+          <li><a href="/documentation
+/">Documentation
+</a></li>
+          
+          
+        </ul><!-- /.breadcrumb -->
+      </div><!-- /.container -->
+    </div><!-- /.topnav -->
+
+    <!-- navbar excitement -->
+<div class="navbar navbar-default navbar-static-top" role="navigation">
+  <div class="container">
+    <div class="navbar-header">
+      <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#mesos-menu"
aria-expanded="false">
+      <span class="sr-only">Toggle navigation</span>
+      <span class="icon-bar"></span>
+      <span class="icon-bar"></span>
+      <span class="icon-bar"></span>
+      </button>
+      <a class="navbar-brand" href="/"><img src="/assets/img/mesos_logo.png" alt="Apache
Mesos logo"/></a>
+    </div><!-- /.navbar-header -->
+
+    <div class="navbar-collapse collapse" id="mesos-menu">
+      <ul class="nav navbar-nav navbar-right">
+        <li><a href="/gettingstarted/">Getting Started</a></li>
+        <li><a href="/blog/">Blog</a></li>
+        <li><a href="/documentation/latest/">Documentation</a></li>
+        <li><a href="/downloads/">Downloads</a></li>
+        <li><a href="/community/">Community</a></li>
+      </ul>
+    </div><!-- /#mesos-menu -->
+  </div><!-- /.container -->
+</div><!-- /.navbar -->
+
+<div class="content">
+  <div class="container">
+    <div class="row-fluid">
+  <div class="col-md-4">
+    <h4>If you're new to Mesos</h4>
+    <p>See the <a href="/gettingstarted/">getting started</a> page for
more
+       information about downloading, building, and deploying Mesos.</p>
+
+    <h4>If you'd like to get involved or you're looking for support</h4>
+    <p>See our <a href="/community/">community</a> page for more details.</p>
+  </div>
+  <div class="col-md-8">
+    <h1>Secrets</h1>
+
+<p>Starting 1.4.0 release, Mesos allows tasks to populate environment variables and
+file volumes with secret contents that are retrieved using a secret-resolver
+interface. It also allows specifying image-pull secrets for private container
+registry. This allows users to avoid exposing critical secrets in task
+definitions. Secrets are fetched/resolved using a secret-resolver module (see
+below).</p>
+
+<p>NOTE: Secrets are only supported for Mesos containerizer and not for the Docker
+containerizer.</p>
+
+<h2>Secrets Message</h2>
+
+<p>Secrets can be specified using the following protobuf message:</p>
+
+<pre><code>message Secret {
+  enum Type {
+    UNKNOWN = 0;
+    REFERENCE = 1;
+    VALUE = 2;
+  }
+
+  message Reference {
+    required string name = 1;
+    optional string key = 2;
+  }
+
+  message Value {
+    required bytes data = 1;
+  }
+
+  optional Type type = 1;
+
+  optional Reference reference = 2;
+  optional Value value = 3;
+}
+</code></pre>
+
+<p>Secrets can be of type <code>reference</code> or <code>value</code>
(only one of <code>reference</code> and <code>value</code> must be
set).
+A secret reference can be used by modules to refer to a secret stored in a secure back-end.
+The <code>key</code> field can be used to reference a single value within a secret
containing arbitrary key-value pairs.</p>
+
+<p>For example, given a back-end secret store with a secret named &ldquo;/my/secret&rdquo;
containing the following key-value pairs:</p>
+
+<pre><code>{
+  "username": "my-user",
+  "password": "my-password
+}
+</code></pre>
+
+<p>The username could be referred to in a <code>Secret</code> by specifying
&ldquo;my/secret&rdquo; for the <code>name</code> and &ldquo;username&rdquo;
for the <code>key</code>.</p>
+
+<p>Secret also supports pass-by-value where the value of a secret can be directly
+passed in the message.</p>
+
+<h2>Environment-based Secrets</h2>
+
+<p>Environment variables can either be traditional value-based or secret-based. For
+the latter, one can specify a secret as part of environment definition as shown
+in the following example:</p>
+
+<pre><code>{
+  "variables" : [
+    {
+      "name": "MY_SECRET_ENV",
+      "type": "SECRET",
+      "secret": {
+        "type": "REFERENCE",
+        "reference": {
+          "name": "/my/secret",
+          "key": "username"
+        }
+      }
+    },
+    {
+      "name": "MY_NORMAL_ENV",
+      "value": "foo"
+    }
+  ]
+}
+</code></pre>
+
+<h2>File-based Secrets</h2>
+
+<p>A new <code>volume/secret</code> isolator is available to create secret-based
files inside
+the task container. To use a secret, one can specify a new volume as follows:</p>
+
+<pre><code>{
+  "mode": "RW",
+  "container_path": "path/to/secret/file",
+  "source":
+  {
+    "type": "SECRET",
+    "secret": {
+      "type": "REFERENCE",
+      "reference": {
+        "name": "/my/secret",
+        "key": "username"
+      }
+    }
+  }
+}
+</code></pre>
+
+<p>This will create a tmpfs-based file mount in the container at &ldquo;path/to/secret/file&rdquo;
which will contain the secret text fetched from the back-end secret store.</p>
+
+<p>The <code>volume/secret</code> isolator is not enabled by default. To
enable it, it must be specified in <code>--isolator=volume/secret</code> agent
flag.</p>
+
+<h2>Image-pull Secrets</h2>
+
+<p>Currently, image-pull secrets only support Docker images for Mesos
+containerizer. Appc images are not supported.
+One can store Docker config containing credentials to authenticate with Docker registry in
the secret store.
+The secret is expected to be a Docker config file in JSON format with UTF-8 character encoding.
+The secret can then be referenced in the <code>Image</code> protobuf as follows:</p>
+
+<pre><code>{
+  "type": "DOCKER",
+  "docker":
+  message Docker {
+    "name": "&lt;REGISTRY_HOST&gt;/path/to/image",
+    "secret": {
+      "type": "REFERENCE",
+      "reference": {
+        "name": "/my/secret/docker/config"
+      }
+    }
+  }
+}
+</code></pre>
+
+<h2>SecretResolver Module</h2>
+
+<p>The SecretResolver module is called from Mesos agent to fetch/resolve any image-pull,
environment-based, or file-based secrets. (See <a href="/documentation/latest/./modules/">Mesos
Modules</a> for more information on using Mesos modules).</p>
+
+<pre><code>class SecretResolver
+{
+  virtual process::Future&lt;Secret::Value&gt; resolve(const Secret&amp; secret)
const;
+};
+</code></pre>
+
+<p>The default implementation simply resolves value-based Secrets. A custom secret-resolver
module can be specified using the <code>--secret_resolver=&lt;module-name&gt;</code>
agent flag.</p>
+
+  </div>
+</div>
+
+  </div><!-- /.container -->
+</div><!-- /.content -->
+
+<hr>
+
+
+
+    <!-- footer -->
+    <div class="footer">
+      <div class="container">
+        <div class="col-md-4 social-blk">
+          <span class="social">
+            <a href="https://twitter.com/ApacheMesos"
+              class="twitter-follow-button"
+              data-show-count="false" data-size="large">Follow @ApacheMesos</a>
+            <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document,
'script', 'twitter-wjs');</script>
+            <a href="https://twitter.com/intent/tweet?button_hashtag=mesos"
+              class="twitter-hashtag-button"
+              data-size="large"
+              data-related="ApacheMesos">Tweet #mesos</a>
+            <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document,
'script', 'twitter-wjs');</script>
+          </span>
+        </div>
+
+        <div class="col-md-8 trademark">
+          <p>&copy; 2012-2017 <a href="http://apache.org">The Apache Software
Foundation</a>.
+            Apache Mesos, the Apache feather logo, and the Apache Mesos project logo are
trademarks of The Apache Software Foundation.
+          <p>
+        </div>
+      </div><!-- /.container -->
+    </div><!-- /.footer -->
+
+    <!-- JS -->
+    <script src="//code.jquery.com/jquery-1.11.0.min.js" type="text/javascript"></script>
+    <script src="//netdna.bootstrapcdn.com/bootstrap/3.1.1/js/bootstrap.min.js" type="text/javascript"></script>
+  </body>
+</html>

http://git-wip-us.apache.org/repos/asf/mesos-site/blob/7f3eab90/content/documentation/secrets/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/secrets/index.html b/content/documentation/secrets/index.html
new file mode 100644
index 0000000..36d245c
--- /dev/null
+++ b/content/documentation/secrets/index.html
@@ -0,0 +1,299 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <title>Apache Mesos - Secrets Handling</title>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+
+    <meta property="og:locale" content="en_US"/>
+    <meta property="og:type" content="website"/>
+    <meta property="og:title" content="Apache Mesos"/>
+    <meta property="og:site_name" content="Apache Mesos"/>
+    <meta property="og:url" content="http://mesos.apache.org/"/>
+    <meta property="og:image" content="http://mesos.apache.org/assets/img/mesos_logo_fb_preview.png"/>
+    <meta property="og:description"
+          content="Apache Mesos abstracts resources away from machines,
+                   enabling fault-tolerant and elastic distributed systems
+                   to easily be built and run effectively."/>
+
+    <meta name="twitter:card" content="summary"/>
+    <meta name="twitter:site" content="@ApacheMesos"/>
+    <meta name="twitter:title" content="Apache Mesos"/>
+    <meta name="twitter:image" content="http://mesos.apache.org/assets/img/mesos_logo_fb_preview.png"/>
+    <meta name="twitter:description"
+          content="Apache Mesos abstracts resources away from machines,
+                   enabling fault-tolerant and elastic distributed systems
+                   to easily be built and run effectively."/>
+
+    <link href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css" rel="stylesheet">
+    <link rel="alternate" type="application/atom+xml" title="Apache Mesos Blog" href="/blog/feed.xml">
+    <link href="../../assets/css/main.css" media="screen" rel="stylesheet" type="text/css"
/>
+
+    
+
+    <!-- Google Analytics Magic -->
+    <script type="text/javascript">
+    var _gaq = _gaq || [];
+    _gaq.push(['_setAccount', 'UA-20226872-1']);
+    _gaq.push(['_setDomainName', 'apache.org']);
+    _gaq.push(['_trackPageview']);
+
+    (function() {
+      var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async =
true;
+      ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') +
'.google-analytics.com/ga.js';
+      var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
+    })();
+    </script>
+    
+  </head>
+  <body>
+    <!-- magical breadcrumbs -->
+    <div class="topnav">
+      <div class="container">
+        <ul class="breadcrumb">
+          <li>
+            <div class="dropdown">
+              <a data-toggle="dropdown" href="#">Apache Software Foundation <span
class="caret"></span></a>
+              <ul class="dropdown-menu" role="menu" aria-labelledby="dLabel">
+                <li><a href="http://www.apache.org">Apache Homepage</a></li>
+                <li><a href="http://www.apache.org/licenses/">License</a></li>
+                <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+                <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+                <li><a href="http://www.apache.org/security/">Security</a></li>
+              </ul>
+            </div>
+          </li>
+
+          <li><a href="http://mesos.apache.org">Apache Mesos</a></li>
+          
+          
+          <li><a href="/documentation
+/">Documentation
+</a></li>
+          
+          
+        </ul><!-- /.breadcrumb -->
+      </div><!-- /.container -->
+    </div><!-- /.topnav -->
+
+    <!-- navbar excitement -->
+<div class="navbar navbar-default navbar-static-top" role="navigation">
+  <div class="container">
+    <div class="navbar-header">
+      <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#mesos-menu"
aria-expanded="false">
+      <span class="sr-only">Toggle navigation</span>
+      <span class="icon-bar"></span>
+      <span class="icon-bar"></span>
+      <span class="icon-bar"></span>
+      </button>
+      <a class="navbar-brand" href="/"><img src="/assets/img/mesos_logo.png" alt="Apache
Mesos logo"/></a>
+    </div><!-- /.navbar-header -->
+
+    <div class="navbar-collapse collapse" id="mesos-menu">
+      <ul class="nav navbar-nav navbar-right">
+        <li><a href="/gettingstarted/">Getting Started</a></li>
+        <li><a href="/blog/">Blog</a></li>
+        <li><a href="/documentation/latest/">Documentation</a></li>
+        <li><a href="/downloads/">Downloads</a></li>
+        <li><a href="/community/">Community</a></li>
+      </ul>
+    </div><!-- /#mesos-menu -->
+  </div><!-- /.container -->
+</div><!-- /.navbar -->
+
+<div class="content">
+  <div class="container">
+    <div class="row-fluid">
+  <div class="col-md-4">
+    <h4>If you're new to Mesos</h4>
+    <p>See the <a href="/gettingstarted/">getting started</a> page for
more
+       information about downloading, building, and deploying Mesos.</p>
+
+    <h4>If you'd like to get involved or you're looking for support</h4>
+    <p>See our <a href="/community/">community</a> page for more details.</p>
+  </div>
+  <div class="col-md-8">
+    <h1>Secrets</h1>
+
+<p>Starting 1.4.0 release, Mesos allows tasks to populate environment variables and
+file volumes with secret contents that are retrieved using a secret-resolver
+interface. It also allows specifying image-pull secrets for private container
+registry. This allows users to avoid exposing critical secrets in task
+definitions. Secrets are fetched/resolved using a secret-resolver module (see
+below).</p>
+
+<p>NOTE: Secrets are only supported for Mesos containerizer and not for the Docker
+containerizer.</p>
+
+<h2>Secrets Message</h2>
+
+<p>Secrets can be specified using the following protobuf message:</p>
+
+<pre><code>message Secret {
+  enum Type {
+    UNKNOWN = 0;
+    REFERENCE = 1;
+    VALUE = 2;
+  }
+
+  message Reference {
+    required string name = 1;
+    optional string key = 2;
+  }
+
+  message Value {
+    required bytes data = 1;
+  }
+
+  optional Type type = 1;
+
+  optional Reference reference = 2;
+  optional Value value = 3;
+}
+</code></pre>
+
+<p>Secrets can be of type <code>reference</code> or <code>value</code>
(only one of <code>reference</code> and <code>value</code> must be
set).
+A secret reference can be used by modules to refer to a secret stored in a secure back-end.
+The <code>key</code> field can be used to reference a single value within a secret
containing arbitrary key-value pairs.</p>
+
+<p>For example, given a back-end secret store with a secret named &ldquo;/my/secret&rdquo;
containing the following key-value pairs:</p>
+
+<pre><code>{
+  "username": "my-user",
+  "password": "my-password
+}
+</code></pre>
+
+<p>The username could be referred to in a <code>Secret</code> by specifying
&ldquo;my/secret&rdquo; for the <code>name</code> and &ldquo;username&rdquo;
for the <code>key</code>.</p>
+
+<p>Secret also supports pass-by-value where the value of a secret can be directly
+passed in the message.</p>
+
+<h2>Environment-based Secrets</h2>
+
+<p>Environment variables can either be traditional value-based or secret-based. For
+the latter, one can specify a secret as part of environment definition as shown
+in the following example:</p>
+
+<pre><code>{
+  "variables" : [
+    {
+      "name": "MY_SECRET_ENV",
+      "type": "SECRET",
+      "secret": {
+        "type": "REFERENCE",
+        "reference": {
+          "name": "/my/secret",
+          "key": "username"
+        }
+      }
+    },
+    {
+      "name": "MY_NORMAL_ENV",
+      "value": "foo"
+    }
+  ]
+}
+</code></pre>
+
+<h2>File-based Secrets</h2>
+
+<p>A new <code>volume/secret</code> isolator is available to create secret-based
files inside
+the task container. To use a secret, one can specify a new volume as follows:</p>
+
+<pre><code>{
+  "mode": "RW",
+  "container_path": "path/to/secret/file",
+  "source":
+  {
+    "type": "SECRET",
+    "secret": {
+      "type": "REFERENCE",
+      "reference": {
+        "name": "/my/secret",
+        "key": "username"
+      }
+    }
+  }
+}
+</code></pre>
+
+<p>This will create a tmpfs-based file mount in the container at &ldquo;path/to/secret/file&rdquo;
which will contain the secret text fetched from the back-end secret store.</p>
+
+<p>The <code>volume/secret</code> isolator is not enabled by default. To
enable it, it must be specified in <code>--isolator=volume/secret</code> agent
flag.</p>
+
+<h2>Image-pull Secrets</h2>
+
+<p>Currently, image-pull secrets only support Docker images for Mesos
+containerizer. Appc images are not supported.
+One can store Docker config containing credentials to authenticate with Docker registry in
the secret store.
+The secret is expected to be a Docker config file in JSON format with UTF-8 character encoding.
+The secret can then be referenced in the <code>Image</code> protobuf as follows:</p>
+
+<pre><code>{
+  "type": "DOCKER",
+  "docker":
+  message Docker {
+    "name": "&lt;REGISTRY_HOST&gt;/path/to/image",
+    "secret": {
+      "type": "REFERENCE",
+      "reference": {
+        "name": "/my/secret/docker/config"
+      }
+    }
+  }
+}
+</code></pre>
+
+<h2>SecretResolver Module</h2>
+
+<p>The SecretResolver module is called from Mesos agent to fetch/resolve any image-pull,
environment-based, or file-based secrets. (See <a href="/documentation/latest/./modules/">Mesos
Modules</a> for more information on using Mesos modules).</p>
+
+<pre><code>class SecretResolver
+{
+  virtual process::Future&lt;Secret::Value&gt; resolve(const Secret&amp; secret)
const;
+};
+</code></pre>
+
+<p>The default implementation simply resolves value-based Secrets. A custom secret-resolver
module can be specified using the <code>--secret_resolver=&lt;module-name&gt;</code>
agent flag.</p>
+
+  </div>
+</div>
+
+  </div><!-- /.container -->
+</div><!-- /.content -->
+
+<hr>
+
+
+
+    <!-- footer -->
+    <div class="footer">
+      <div class="container">
+        <div class="col-md-4 social-blk">
+          <span class="social">
+            <a href="https://twitter.com/ApacheMesos"
+              class="twitter-follow-button"
+              data-show-count="false" data-size="large">Follow @ApacheMesos</a>
+            <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document,
'script', 'twitter-wjs');</script>
+            <a href="https://twitter.com/intent/tweet?button_hashtag=mesos"
+              class="twitter-hashtag-button"
+              data-size="large"
+              data-related="ApacheMesos">Tweet #mesos</a>
+            <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document,
'script', 'twitter-wjs');</script>
+          </span>
+        </div>
+
+        <div class="col-md-8 trademark">
+          <p>&copy; 2012-2017 <a href="http://apache.org">The Apache Software
Foundation</a>.
+            Apache Mesos, the Apache feather logo, and the Apache Mesos project logo are
trademarks of The Apache Software Foundation.
+          <p>
+        </div>
+      </div><!-- /.container -->
+    </div><!-- /.footer -->
+
+    <!-- JS -->
+    <script src="//code.jquery.com/jquery-1.11.0.min.js" type="text/javascript"></script>
+    <script src="//netdna.bootstrapcdn.com/bootstrap/3.1.1/js/bootstrap.min.js" type="text/javascript"></script>
+  </body>
+</html>


Mime
View raw message