mesos-issues mailing list archives

From "Yan Xu (JIRA)" <>
Subject [jira] [Created] (MESOS-6526) `mesos-containerizer launch --environment` exposes executor env vars in `ps`.
Date Tue, 01 Nov 2016 22:31:58 GMT
Yan Xu created MESOS-6526:

             Summary: `mesos-containerizer launch --environment` exposes executor env vars in `ps`.
                 Key: MESOS-6526
             Project: Mesos
          Issue Type: Bug
          Components: containerization
    Affects Versions: 1.1.0
            Reporter: Yan Xu
            Priority: Critical

With MESOS-6323, the helper {{mesos-containerizer launch}} takes a `--environment` flag for
the env vars used by the executor. This is unpleasant because it's a common practice that people
use env vars to hide configs that are sensitive and now it's visible to non-root users on
the host with a {{ps}} command.

Given that we want to separate the environments of {{mesos-containerizer launch}} and the
executor itself, perhaps we can just package and serialize the executor env vars in one env
var {{MESOS_EXECUTOR_ENVIRONMENT}} and pass that to {{mesos-containerizer launch}} which could
then get it through a flag the usual way. 

In general Mesos should do more to protect env vars but I'll file separate issues for them.
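
An added example (not part of the original message and not Mesos code) contrasting the two ways of handing the executor environment to a helper on Linux: as a `--environment` argument versus in a single `MESOS_EXECUTOR_ENVIRONMENT` variable. The JSON encoding, the sleeping stand-in helper and the sample secret are assumptions constructed for the demonstration.

```python
import json, os, stat, subprocess, sys

# Constructed sample secret; not a value from the ticket.
EXECUTOR_ENV = {"DB_PASSWORD": "constructed-secret-123"}
# Stand-in for the launch helper: it only sleeps so /proc can be inspected.
HELPER = "import time; time.sleep(30)"

def spawn(via_flag):
    """Start the stand-in helper, passing the executor env by flag or by env var."""
    payload = json.dumps(EXECUTOR_ENV)  # assumed encoding
    argv = [sys.executable, "-c", HELPER]
    env = dict(os.environ)
    if via_flag:
        argv.append("--environment=" + payload)      # lands in argv
    else:
        env["MESOS_EXECUTOR_ENVIRONMENT"] = payload  # lands in environ
    return subprocess.Popen(argv, env=env)

def observe(via_flag):
    """Return what /proc exposes about the helper's argv and environment."""
    proc = spawn(via_flag)
    try:
        base = f"/proc/{proc.pid}"
        with open(base + "/cmdline", "rb") as f:  # the file ps reads
            cmdline = f.read().replace(b"\0", b" ").decode()
        return {
            "secret_in_cmdline": EXECUTOR_ENV["DB_PASSWORD"] in cmdline,
            "cmdline_mode": stat.S_IMODE(os.stat(base + "/cmdline").st_mode),
            "environ_mode": stat.S_IMODE(os.stat(base + "/environ").st_mode),
        }
    finally:
        proc.kill()
        proc.wait()

if __name__ == "__main__":
    for via_flag in (True, False):
        r = observe(via_flag)
        print("flag" if via_flag else "env ", r["secret_in_cmdline"],
              oct(r["cmdline_mode"]), oct(r["environ_mode"]))
```

On Linux `/proc/<pid>/cmdline` is world-readable unless `/proc` is mounted with `hidepid`, while `/proc/<pid>/environ` is readable only by the process owner and root.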
