mesos-user mailing list archives

From Joris Van Remoortere <jo...@mesosphere.io>
Subject Re: SSL in Mesos 0.23
Date Tue, 25 Aug 2015 18:55:48 GMT
@Dharmit

If you want to be really sure that the communication is happening over SSL,
you can use a packet sniffing tool like Wireshark, or depending on your
operating system you can dump the packet streams directly to a file, for
example with tcpdump.
Another thing you can do is to try and hit the HTTP endpoints from curl
using http as opposed to https.

Remember that if you have SSL_SUPPORT_DOWNGRADE=true you should be able to
connect even without SSL. If it is false (the default) you will not be able
to connect.

On Mon, Aug 10, 2015 at 4:43 AM, Dharmit Shah <shahdharmit@gmail.com> wrote:

> Hi Jeff,
>
> Thanks for the suggestion.
>
> I modified the systemd service file to use
> `/etc/sysconfig/mesos-master` and `/etc/sysconfig/mesos-slave` as
> environment files for master and slave services respectively. In these
> files, I specified the environment variables that I used to specify on
> the command line.
>
> Now if I check `strings /proc/<pid>/environ | grep SSL` for pids of
> master and slave services, I see the environment variables that I set
> in the /etc/sysconfig/<environment-file>.
>
> Now that it looks like I have started the master and slave services
> with SSL enabled, how do I really confirm that communication between
> master and slaves is really happening over SSL?
>
> Also, how do I enable SSL communication for a framework like Marathon?
>
> Regards,
> Dharmit.
>
> On Fri, Aug 7, 2015 at 10:56 PM, Jeff Schroeder
> <jeffschroeder@computer.org> wrote:
> > The sudo command defaults to env_reset (look for that in the man page) which
> > strips all env variables sans a select few. I'd almost bet that your SSL_*
> > variables are not present and were not passed to the slave. Just sudo -i and
> > start the slaves *as root* without sudo. There is no benefit to starting
> > them with sudo. You can verify what I'm saying with something along the
> > lines of:
> >
> > strings /proc/$(pidof mesos-slave)/environ | grep ^SSL_
> >
> >
> > On Friday, August 7, 2015, Dharmit Shah <shahdharmit@gmail.com> wrote:
> >>
> >> Hello again,
> >>
> >> Thanks for your responses. I will share what I tried after your
> >> suggestions.
> >>
> >> 1. `ldd /usr/sbin/mesos-master` and `ldd /usr/sbin/mesos-slave`
> >> returned output similar to the one suggested by Craig. So, I guess, the
> >> Mesosphere repo binaries have SSL enabled. Right?
> >>
> >> 2. I created an SSL private key and cert on one system in my cluster by
> >> referring to this guide on DO [1]. Admittedly, my knowledge of SSL is
> >> limited.
> >>
> >> 3. Next, I copied the key and cert to all three mesos-master nodes and
> >> four mesos-slave nodes. Shouldn't slave nodes be provided only with
> >> the cert and not the private key? Whereas all master nodes may have
> >> the private key and cert both. Or am I understanding SSL incorrectly
> >> here?
> >>
> >> 4. After copying the cert and key, I started the mesos-master service
> >> on master nodes with the command below:
> >>
> >>     $ sudo SSL_ENABLED=true SSL_KEY_FILE=~/ssl/mesos.key
> >> SSL_CERT_FILE=~/ssl/mesos.crt /usr/sbin/mesos-master
> >> --zk=zk://172.19.10.111:2181,172.19.10.112:2181,172.19.10.193:2181/mesos
> >> --port=5050 --log_dir=/var/log/mesos --acls=file:///root/acls.json
> >> --credentials=/home/isys/mesos --quorum=2 --work_dir=/var/lib/mesos
> >>
> >> I check web UI and things look good. I am not completely sure if
> >> "https" should have worked for mesos web UI but, it didn't.
> >>
> >> 5. Next, I start slave nodes with the command below:
> >>
> >>   $ sudo SSL_ENABLED=true SSL_CERT_FILE=~/mesos.crt
> >> SSL_KEY_FILE=~/mesos.key /usr/sbin/mesos-slave
> >> --master=zk://172.19.10.111:2181,172.19.10.112:2181,172.19.10.193:2181/mesos
> >> --log_dir=/var/log/mesos --containerizers=docker,mesos
> >> --executor_registration_timeout=15mins
> >>
> >> Mesos web UI reported four mesos-slave nodes in "Activated" mode. So
> >> far so good. I am still wondering how I should verify if communication
> >> is happening over SSL.
> >>
> >> 6. To check if SSL is indeed working, I stopped one slave node and
> >> started it without SSL using `systemctl start mesos-slave`. I was
> >> expecting it to not get into "Activated" state on Mesos web UI but it
> >> did. So, I think SSL is not configured properly by me.
> >>
> >> I am attaching logs from the master nodes. These logs were generated
> >> after starting masters with command specified in point 4.
> >>
> >> Let me know if I am doing something wrong or if you need more logs or
> >> need me to execute some specific commands.
> >>
> >> [1] https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs
> >>
> >> Regards,
> >> Dharmit.
> >>
> >> On Fri, Aug 7, 2015 at 2:52 AM, Michael Park <mcypark@gmail.com> wrote:
> >> > Hi Dharmit,
> >> >
> >> > I'm not certain whether the Mesosphere deb packages have SSL enabled or
> >> > not, although based on Craig's observation it looks like it is.
> >> >
> >> > I think the correct way to enable SSL is to set the SSL_ENABLED
> >> > environment variable, rather than /etc/mesos-master/ssl_enabled. Of
> >> > course, along with the rest of the SSL_ environment variables.
> >> >
> >> > e.g. SSL_ENABLED=true SSL_KEY_FILE=<path-to-your-private-key>
> >> > SSL_CERT_FILE=<path-to-your-certificate> ./mesos-master <master-flags>
> >> >
> >> > MPark.
> >> >
> >> > On Thu, Aug 6, 2015 at 9:30 AM craig w <codecraig@gmail.com> wrote:
> >> >>
> >> >> I've run ldd on /usr/sbin/mesos-master (on CentOS 7 using mesos 0.23 from
> >> >> mesosphere repo) and I see "libssl.3.so" and "libssl.so.10"
> >> >>
> >> >> On Thu, Aug 6, 2015 at 12:20 PM, Jeff Schroeder
> >> >> <jeffschroeder@computer.org> wrote:
> >> >>>
> >> >>> Can you run ldd on the mesos-master or mesos-slave binaries? I believe
> >> >>> you *should* see openssl libraries in the output if those packages are
> >> >>> configured using --enable-ssl.
> >> >>>
> >> >>> On Thu, Aug 6, 2015 at 9:46 AM, Dharmit Shah <shahdharmit@gmail.com>
> >> >>> wrote:
> >> >>>>
> >> >>>> Hello,
> >> >>>>
> >> >>>> I followed the Mesos cluster setup guide on the Mesosphere website [1]. I
> >> >>>> set it up on a CentOS 7 system. For installation of packages, I went
> >> >>>> with Mesosphere provided repositories.
> >> >>>>
> >> >>>> Now that Mesos 0.23 has been released with SSL capabilities, I believe
> >> >>>> it is possible to have communication between the master, slaves and
> >> >>>> frameworks be secured by SSL. Am I right?
> >> >>>>
> >> >>>> I would like to set it up in my environment. I am using
> >> >>>> `mesos-0.23.0-1.0.centos701406.x86_64`.
> >> >>>>
> >> >>>> The official Mesos documentation on the topic [2] illustrates how
> >> >>>> things can be set up when building Mesos from source.
> >> >>>>
> >> >>>> I would like to know if the Mesos package shipped by the Mesosphere
> >> >>>> repo has this feature yet. I tried setting
> >> >>>> `/etc/mesos-master/ssl_enabled` on one of the master nodes. But
> >> >>>> restarting the `mesos-master` service failed stating that option
> >> >>>> `ssl_enabled` is unknown.
> >> >>>>
> >> >>>> Thanks for your help!
> >> >>>>
> >> >>>> [1] http://open.mesosphere.com/getting-started/datacenter/install/
> >> >>>> [2] http://mesos.apache.org/documentation/latest/mesos-ssl/
> >> >>>>
> >> >>>> Regards,
> >> >>>> Dharmit.
> >> >>>
> >> >>>
> >> >>>
> >> >>>
> >> >>> --
> >> >>> Jeff Schroeder
> >> >>>
> >> >>> Don't drink and derive, alcohol and analysis don't mix.
> >> >>> http://www.digitalprognosis.com
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >>
> >> >> https://github.com/mindscratch
> >> >> https://www.google.com/+CraigWickesser
> >> >> https://twitter.com/mind_scratch
> >> >> https://twitter.com/craig_links
> >
> >
> >
> > --
> > Text by Jeff, typos by iPhone
>
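The verification Joris describes above (hit the endpoint over TLS and over plain HTTP, then compare with the SSL_ENABLED / SSL_SUPPORT_DOWNGRADE settings), as an added Python probe that is not part of the thread or of Mesos. It assumes the self-signed cert from the thread, so it deliberately skips certificate verification and only tests whether TLS is negotiated at all; for a stand-alone run it uses a constructed local plaintext-only HTTP server in place of a real master.

```python
import socket
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def tls_negotiated(host, port, timeout=2.0):
    """True if host:port completes a TLS handshake (cert unverified: self-signed)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False

def plaintext_answered(host, port, timeout=2.0):
    """True if a plain-HTTP 'GET /' gets an HTTP status line back (curl http://)."""
    req = b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            return s.recv(16).startswith(b"HTTP/")
    except OSError:
        return False

VERDICT = {  # (tls negotiated, plaintext answered) -> implied settings
    (True, False): "tls-only (SSL_ENABLED=true, SSL_SUPPORT_DOWNGRADE=false)",
    (True, True): "tls plus plaintext downgrade (SSL_SUPPORT_DOWNGRADE=true)",
    (False, True): "plaintext only (SSL_ENABLED not set)",
    (False, False): "no HTTP service answered",
}
def probe(host, port):
    tls, plain = tls_negotiated(host, port), plaintext_answered(host, port)
    return {"tls": tls, "plaintext": plain, "verdict": VERDICT[(tls, plain)]}

class _Handler(BaseHTTPRequestHandler):
    log_message = lambda *a: None  # keep the demo quiet
    def do_GET(self):
        self.send_response(200)
        self.end_headers()

def demo_plaintext_only():
    # Constructed stand-in for a master started without SSL_ENABLED.
    srv = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    result = probe("127.0.0.1", srv.server_address[1])
    srv.shutdown()
    return result
```

Against a real master, call probe(host, 5050): with SSL_SUPPORT_DOWNGRADE=true both probes succeed, with the default (false) only the TLS one does.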
