Re: Questions about secret handling in Mesos

2018-04-21 Thread Lawrence Rau
doesn’t seem a great place for a secret; depending on how the host is handling 
swap and your tolerance for risk of leakage via ram content recovery.

..larry

> On Apr 21, 2018, at 9:02 AM, Qian Zhang wrote:
> 
> Hi Aditya,
> 
> Yeah, you are right. `hostSecretPath` is a sub-directory under agent's 
> runtime dir, and the default value of agent's runtime dir is `/var/run/mesos` 
> which is a tmpfs. So the secret is written to tmpfs on agent host.
> 
> 
> Regards,
> Qian Zhang
> 
> On Sat, Apr 21, 2018 at 8:19 AM, Aditya Bhave wrote:
> Hi Qian,
> 
> Secret is written to file at hostSecretPath which is derived like this:
> 
>   const string hostSecretPath = path::join(flags.runtime_dir, SECRET_DIR,
>       stringify(id::UUID::random()));
> 
> Also,
> 
>   const string hostSecretTmpDir = path::join(flags.runtime_dir, SECRET_DIR);
> 
> Is the hostSecretTmpDir not located on tmpfs? The dir name alludes to this.
> 
> Thanks,
> -Aditya
> 
> On Fri, Apr 20, 2018 at 5:05 PM, Qian Zhang wrote:
> > When the secret is first downloaded on the mesos agent, it will be stored 
> > as "root" on the tmpfs/ramfs before being mounted in the container ramfs.
> 
> It seems the secret is not stored on the tmpfs/ramfs on the agent host, we
> just write it into a file under the agent's runtime directory, and then move
> it into the ramfs in the container when the container is launched.
> 
> 
> Regards,
> Qian Zhang
> 
> On Fri, Apr 20, 2018 at 2:47 PM, Gilbert Song wrote:
> IIUC, your assumptions are all correct.
> 
> @Kapil, could you please confirm? Maybe we could improve the document at the 
> next Docathon.
> 
> Gilbert
> 
> On Thu, Apr 19, 2018 at 10:57 AM, Zhitao Li wrote:
> Hello,
> 
> We at Uber plan to use volume/secret isolator to send secrets from Uber
> framework to Mesos agent.
> 
> For this purpose, we are referring to these documents:
> 
>    - File based secrets design doc and slides.
>    - Apache Mesos secrets documentation
> 
> Could you please confirm that the following assumptions are correct?
> 
>    - Mesos agent and master will never log the secret data at any logging
>      level;
>    - Mesos agent and master will never expose the secret data as part of
>      any API response;
>    - Mesos agent and master will never store the secret in any persistent
>      storage, but only on tmpfs or ramfs;
>    - When the secret is first downloaded on the mesos agent, it will be
>      stored as "root" on the tmpfs/ramfs before being mounted in the container
>      ramfs.
> 
> If above assumptions are true, then I would like to see them documented in
> this as part of the Apache Mesos secrets documentation. Otherwise, we'd
> like to have a design discussion with maintainer of the isolator.
> 
> We appreciate your help regarding this. Thanks!
> 
> Regards,
> Aditya And Zhitao
> 
> 
> 
> 



Re: Questions about secret handling in Mesos

2018-04-21 Thread Qian Zhang
Hi Aditya,

Yeah, you are right. `hostSecretPath` is a sub-directory under agent's
runtime dir, and the default value of agent's runtime dir is `/var/run/mesos`
which is a tmpfs. So the secret is written to tmpfs on agent host.


Regards,
Qian Zhang

On Sat, Apr 21, 2018 at 8:19 AM, Aditya Bhave wrote:

> Hi Qian,
>
> Secret is written to file at hostSecretPath which is derived like this:
>
>   const string hostSecretPath = path::join(flags.runtime_dir, SECRET_DIR,
>       stringify(id::UUID::random()));
>
> Also,
>
>   const string hostSecretTmpDir = path::join(flags.runtime_dir, SECRET_DIR);
>
> Is the hostSecretTmpDir not located on tmpfs? The dir name alludes to
> this.
>
> Thanks,
> -Aditya
>
> On Fri, Apr 20, 2018 at 5:05 PM, Qian Zhang wrote:
>
>> > When the secret is first downloaded on the mesos agent, it will be
>> > stored as "root" on the tmpfs/ramfs before being mounted in the container
>> > ramfs.
>>
>> It seems the secret is not stored on the tmpfs/ramfs on the agent host,
>> we just write it into a file under the agent's runtime directory, and then
>> move it into the ramfs in the container when the container is launched.
>>
>>
>> Regards,
>> Qian Zhang
>>
>> On Fri, Apr 20, 2018 at 2:47 PM, Gilbert Song wrote:
>>
>>> IIUC, your assumptions are all correct.
>>>
>>> @Kapil, could you please confirm? Maybe we could improve the document at
>>> the next Docathon.
>>>
>>> Gilbert
>>>
>>> On Thu, Apr 19, 2018 at 10:57 AM, Zhitao Li wrote:
>>>
>>>> Hello,
>>>>
>>>> We at Uber plan to use volume/secret isolator to send secrets from Uber
>>>> framework to Mesos agent.
>>>>
>>>> For this purpose, we are referring to these documents:
>>>>
>>>>    - File based secrets design doc and slides.
>>>>    - Apache Mesos secrets documentation
>>>>
>>>> Could you please confirm that the following assumptions are correct?
>>>>
>>>>    - Mesos agent and master will never log the secret data at any
>>>>      logging level;
>>>>    - Mesos agent and master will never expose the secret data as part of
>>>>      any API response;
>>>>    - Mesos agent and master will never store the secret in any
>>>>      persistent storage, but only on tmpfs or ramfs;
>>>>    - When the secret is first downloaded on the mesos agent, it will be
>>>>      stored as "root" on the tmpfs/ramfs before being mounted in the
>>>>      container ramfs.
>>>>
>>>> If above assumptions are true, then I would like to see them documented
>>>> in this as part of the Apache Mesos secrets documentation. Otherwise,
>>>> we'd like to have a design discussion with maintainer of the isolator.
>>>>
>>>> We appreciate your help regarding this. Thanks!
>>>>
>>>> Regards,
>>>> Aditya And Zhitao
>>>>
>>>
>>>
>>
>
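
Added example, not part of the original thread or of Mesos: a check for the two points raised in the messages above, whether the agent runtime dir (default `/var/run/mesos`) is backed by tmpfs/ramfs, and whether swap is active, since tmpfs pages can be swapped out while ramfs pages cannot. The mount and swap tables are constructed samples and the function names are hypothetical.

```python
import os
import re
# Constructed sample tables in /proc/mounts and /proc/swaps format (not from a real host).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/sdb1 /var/lib/mesos ext4 rw,relatime 0 0
"""
SAMPLE_SWAPS = """\
Filename Type Size Used Priority
/dev/sda2 partition 2097148 0 -2
"""

def _unescape(field):
    # /proc/mounts writes space, tab, newline and backslash as \ooo octal escapes.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)

def backing_fs(path, mounts_text):
    """Return (mount_point, fstype) of the mount containing `path`, or None."""
    best = None
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        mp, fstype = _unescape(parts[1]), parts[2]
        inside = path == mp or path.startswith(mp.rstrip("/") + "/")
        # Longest mount point wins; on a tie the later line is the overmount.
        if inside and (best is None or len(mp) >= len(best[0])):
            best = (mp, fstype)
    return best

def active_swap(swaps_text):
    """Return the swap areas listed after the /proc/swaps header line."""
    return [l.split()[0] for l in swaps_text.splitlines()[1:] if l.strip()]

def assess(path, mounts_text, swaps_text):
    found = backing_fs(path, mounts_text)
    if found is None:
        raise ValueError("no mount contains " + path)
    if found[1] == "ramfs":
        return "memory-only"      # ramfs pages are never written to swap
    if found[1] == "tmpfs":       # tmpfs pages can be swapped out
        return "tmpfs-swappable" if active_swap(swaps_text) else "memory-only"
    return "persistent"           # disk-backed filesystem

if __name__ == "__main__":
    runtime_dir = os.path.realpath("/var/run/mesos")  # /var/run is commonly a symlink to /run
    with open("/proc/mounts") as m, open("/proc/swaps") as s:
        print(runtime_dir, assess(runtime_dir, m.read(), s.read()))
```

A `tmpfs-swappable` result means only that the kernel is allowed to page the file's contents out, not that it has done so; `/proc/swaps` also does not show whether the swap device is encrypted.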