Re: Questions about secret handling in Mesos

2018-05-11 Thread Zhitao Li
Hi Vinod, I filed a task https://issues.apache.org/jira/browse/MESOS-8909 for this. If we can agree that this is something worth pursuing, I'll try to post some ideas on whether there is an efficient way to do it.
On Thu, Apr 26, 2018 at 3:32 PM, Vinod Kone wrote:
> We do

Re: Questions about secret handling in Mesos

2018-04-26 Thread Vinod Kone
We do direct protobuf to JSON conversion for our API endpoints and I don't think we do any special case logic for `Secret` type in that conversion. So `value` based secrets will have their value show up in v1 (and likely v0) API endpoints.
On Mon, Apr 23, 2018 at 9:25 AM, Zhitao Li

Re: Questions about secret handling in Mesos

2018-04-23 Thread Zhitao Li
Hi Alexander, We discovered that in our own testing and thus do not plan to use the environment variable. For the `volume/secret` case, I believe it's possible to be careful enough so we do not log that, so it's more about whether we want to promise that. What do you think?
On Mon, Apr 23, 2018 at

Re: Questions about secret handling in Mesos

2018-04-23 Thread Alexander Rojas
Hey Zhitao, I sadly have to tell you that the first assumption is not correct. If you use environment based secrets, docker and verbose mode, they will get printed (see this patch https://reviews.apache.org/r/57846/ ). The reason is that the docker command

Re: Questions about secret handling in Mesos

2018-04-21 Thread Lawrence Rau
doesn’t seem a great place for a secret; depending on how the host is handling swap and your tolerance for risk of leakage via ram content recovery. ..larry
> On Apr 21, 2018, at 9:02 AM, Qian Zhang wrote:
>
> Hi Aditya,
>
> Yeah, you are right. `hostSecretPath` is a

Re: Questions about secret handling in Mesos

2018-04-21 Thread Qian Zhang
Hi Aditya, Yeah, you are right. `hostSecretPath` is a sub-directory under the agent's runtime dir, and the default value of the agent's runtime dir is `/var/run/mesos`, which is a tmpfs. So the secret is written to tmpfs on the agent host. Regards, Qian Zhang
On Sat, Apr 21, 2018 at 8:19 AM, Aditya Bhave

Re: Questions about secret handling in Mesos

2018-04-20 Thread Qian Zhang
> When the secret is first downloaded on the mesos agent, it will be stored as "root" on the tmpfs/ramfs before being mounted in the container ramfs.

It seems the secret is not stored on the tmpfs/ramfs on the agent host, we just write it into a file

Re: Questions about secret handling in Mesos

2018-04-20 Thread Gilbert Song
IIUC, your assumptions are all correct. @Kapil, could you please confirm? Maybe we could improve the document at the next Docathon. Gilbert
On Thu, Apr 19, 2018 at 10:57 AM, Zhitao Li wrote:
> Hello,
>
> We at Uber plan to use volume/secret isolator to send secrets from

Questions about secret handling in Mesos

2018-04-19 Thread Zhitao Li
Hello, We at Uber plan to use the volume/secret isolator to send secrets from the Uber framework to the Mesos agent. For this purpose, we are referring to these documents:
- File based secrets design doc and