mesos-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Qian Zhang <zhq527...@gmail.com>
Subject Re: Questions about secret handling in Mesos
Date Sat, 21 Apr 2018 00:05:09 GMT
> When the secret is first downloaded on the mesos agent, it will be stored
as "root" on the tmpfs/ramfs before being mounted in the container ramfs.

It seems the secret is not stored on the tmpfs/ramfs on the agent host, we
just write it into a file
<https://github.com/apache/mesos/blob/1.5.0/src/slave/containerizer/mesos/isolators/volume/secret.cpp#L281>
under the agent's runtime directory, and then move it into the ramfs
<https://github.com/apache/mesos/blob/1.5.0/src/slave/containerizer/mesos/isolators/volume/secret.cpp#L260:L267>
in the container when the container is launched.


Regards,
Qian Zhang

On Fri, Apr 20, 2018 at 2:47 PM, Gilbert Song <gilbert@apache.org> wrote:

> IIUC, your assumptions are all correct.
>
> @Kapil, could you please confirm? Maybe we could improve the document at
> the next Docathon.
>
> Gilbert
>
> On Thu, Apr 19, 2018 at 10:57 AM, Zhitao Li <zhitaoli.cs@gmail.com> wrote:
>
>> Hello,
>>
>> We at Uber plan to use volume/secret isolator to send secrets from Uber
>> framework to Mesos agent.
>>
>> For this purpose, we are referring to these documents:
>>
>>    - File based secrets design doc
>>    <https://docs.google.com/document/d/18raiiUfxTh-JBvjd6RyHe_
>> TOScY87G_bMi5zBzMZmpc/edit#>
>>    and slides
>>    <http://schd.ws/hosted_files/mesosconasia2017/70/Secrets%20
>> Management%20in%20Mesos.pdf>
>>    .
>>    - Apache Mesos secrets documentation
>>    <http://mesos.apache.org/documentation/latest/secrets/>
>>
>> Could you please confirm that the following assumptions are correct?
>>
>>    - Mesos agent and master will never log the secret data at any logging
>>    level;
>>    - Mesos agent and master will never expose the secret data as part of
>>    any API response;
>>    - Mesos agent and master will never store the secret in any persistent
>>    storage, but only on tmpfs or ramfs;
>>    - When the secret is first downloaded on the mesos agent, it will be
>>    stored as "root" on the tmpfs/ramfs before being mounted in the
>> container
>>    ramfs.
>>
>> If above assumptions are true, then I would like to see them documented in
>> this as part of the Apache Mesos secrets documentation
>> <http://mesos.apache.org/documentation/latest/secrets/>. Otherwise, we'd
>> like to have a design discussion with maintainer of the isolator.
>>
>> We appreciate your help regarding this. Thanks!
>>
>> Regards,
>> Aditya And Zhitao
>>
>
>

Mime
View raw message