Hi folks,

We want to raise a discussion here, seeking suggestions about passing
credentials in a secure way. This relates to the JIRA MESOS-4938
<https://issues.apache.org/jira/browse/MESOS-4938>, supporting docker
private registry authentication in the unified containerizer. In fact, this
problem is not limited to the docker registry. For instance, how can we support
CommandInfo.URIs that need credentials?

For the docker registry problem, credentials have to be included when
communicating with the docker auth server. We have two options here:

Option 1: Passing credentials in protobuf Image::Docker.

Pros: This means supporting a per-container docker registry, which is robust
because different registries can be reached by an agent, configurable by
users.

Cons: SSL has to be enabled to encrypt the communication between master
and slave to prevent credentials from being seen by others. We also need to
make sure we don't expose credentials in any endpoint.

Option 2: Passing credentials as an agent flag.

Pros: SSL does not need to be enabled.

Cons: No per-container registry support (imagine a multi-tenant cluster).

Some background: How does docker containerizer solve this issue?

In the docker containerizer, we ask the framework to specify a URI for their
task/executor that points to the .dockercfg (now ~/.docker/config.json)
which contains the user and password information. The .dockercfg will be
saved in the sandbox by the fetcher. When we call docker pull, we set the
$HOME env for the subprocess to point to the sandbox so that the docker
client can pick up that .dockercfg when pulling images.

Any comment/advice will be absolutely welcome!

Thanks,
Gilbert/Jie

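The sandbox/$HOME mechanism described in the message above, as an added example that is not part of the original post and not Mesos or docker code. It writes a Docker client config into a sandbox directory, models the docker client's credential lookup (~/.docker/config.json with its "auths" map first, then the legacy top-level ~/.dockercfg map), and runs a child process with HOME pointed at the sandbox to show that the child resolves "~" to the sandbox and finds the credentials. The registry name, user and password are constructed; `resolve_auth` is a stand-in for the docker client's own lookup, not the client itself.

```python
import base64
import json
import os
import subprocess
import sys
import tempfile


def _write_private(path, data):
    """Create the file with mode 0600: it holds a password, and the sandbox is
    readable by whatever else can see the sandbox (e.g. stdout/stderr browsing)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(data, f)
    return path


def write_docker_config(sandbox, registry, user, password):
    """Modern format: $HOME/.docker/config.json with an "auths" map whose
    entries carry base64("user:password"). This is what the fetcher would
    drop into the sandbox today."""
    docker_dir = os.path.join(sandbox, ".docker")
    os.makedirs(docker_dir, mode=0o700, exist_ok=True)
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    return _write_private(os.path.join(docker_dir, "config.json"),
                          {"auths": {registry: {"auth": auth}}})


def write_legacy_dockercfg(sandbox, registry, user, password):
    """Legacy format: $HOME/.dockercfg, a top-level map registry -> entry."""
    auth = base64.b64encode(f"{user}:{password}".encode()).decode()
    return _write_private(os.path.join(sandbox, ".dockercfg"),
                          {registry: {"auth": auth, "email": ""}})


def resolve_auth(home, registry):
    """Model of the docker client's lookup: config.json first, .dockercfg
    second; returns (user, password) or None. `home` plays the role of $HOME."""
    candidates = [
        (os.path.join(home, ".docker", "config.json"), True),   # nested under "auths"
        (os.path.join(home, ".dockercfg"), False),              # top-level map
    ]
    for path, nested in candidates:
        if not os.path.isfile(path):
            continue
        with open(path) as f:
            data = json.load(f)
        entry = (data.get("auths", {}) if nested else data).get(registry)
        if entry and "auth" in entry:
            user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
            return user, password
    return None


# Child-side lookup (constructed): os.path.expanduser("~") honours $HOME on
# POSIX, which is exactly why pointing the subprocess's HOME at the sandbox
# makes a docker client find the sandbox copy of config.json.
_CHILD = r"""
import base64, json, os, sys
path = os.path.expanduser("~/.docker/config.json")
with open(path) as f:
    auth = json.load(f)["auths"][sys.argv[1]]["auth"]
print(base64.b64decode(auth).decode())
"""


def pull_with_sandbox_home(sandbox, registry):
    """Spawn a child with HOME=sandbox, as the docker containerizer does for
    `docker pull`, and return the "user:password" string the child resolved."""
    env = dict(os.environ, HOME=sandbox)
    proc = subprocess.run([sys.executable, "-c", _CHILD, registry],
                          env=env, capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def demo():
    registry = "registry.example.test:5000"  # constructed registry name
    with tempfile.TemporaryDirectory() as sandbox:
        path = write_docker_config(sandbox, registry, "deployer", "s3cret")
        result = {
            "mode": os.stat(path).st_mode & 0o777,
            "direct": resolve_auth(sandbox, registry),
            "via_child": pull_with_sandbox_home(sandbox, registry),
            "other_registry": resolve_auth(sandbox, "other.example.test"),
        }
    with tempfile.TemporaryDirectory() as legacy_sandbox:
        write_legacy_dockercfg(legacy_sandbox, registry, "legacy", "pw")
        result["legacy"] = resolve_auth(legacy_sandbox, registry)
    return result


if __name__ == "__main__":
    print(demo())
```

Two things the example makes visible that the prose only implies: the credential reaches the docker client purely through the filesystem and $HOME, so nothing in the agent's own process holds it, but the file then sits in the sandbox next to the task's output, so anything able to read the sandbox can read the password regardless of the 0600 mode on the file itself. That is the same exposure concern the message raises for endpoints under Option 1.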