> When the secret is first downloaded on the mesos agent, it will be stored as "root" on the tmpfs/ramfs before being mounted in the container ramfs.

It seems the secret is not stored on the tmpfs/ramfs on the agent host, we just write it into a file <https://github.com/apache/mesos/blob/1.5.0/src/slave/containerizer/mesos/isolators/volume/secret.cpp#L281> under the agent's runtime directory, and then move it into the ramfs <https://github.com/apache/mesos/blob/1.5.0/src/slave/containerizer/mesos/isolators/volume/secret.cpp#L260:L267> in the container when the container is launched.

Regards,
Qian Zhang

On Fri, Apr 20, 2018 at 2:47 PM, Gilbert Song <gilb...@apache.org> wrote:

> IIUC, your assumptions are all correct.
>
> @Kapil, could you please confirm? Maybe we could improve the document at
> the next Docathon.
>
> Gilbert
>
> On Thu, Apr 19, 2018 at 10:57 AM, Zhitao Li <zhitaoli...@gmail.com> wrote:
>
>> Hello,
>>
>> We at Uber plan to use volume/secret isolator to send secrets from Uber
>> framework to Mesos agent.
>>
>> For this purpose, we are referring to these documents:
>>
>>    - File based secrets design doc
>>    <https://docs.google.com/document/d/18raiiUfxTh-JBvjd6RyHe_TOScY87G_bMi5zBzMZmpc/edit#>
>>    and slides
>>    <http://schd.ws/hosted_files/mesosconasia2017/70/Secrets%20Management%20in%20Mesos.pdf>.
>>    - Apache Mesos secrets documentation
>>    <http://mesos.apache.org/documentation/latest/secrets/>
>>
>> Could you please confirm that the following assumptions are correct?
>>
>>    - Mesos agent and master will never log the secret data at any logging
>>    level;
>>    - Mesos agent and master will never expose the secret data as part of
>>    any API response;
>>    - Mesos agent and master will never store the secret in any persistent
>>    storage, but only on tmpfs or ramfs;
>>    - When the secret is first downloaded on the mesos agent, it will be
>>    stored as "root" on the tmpfs/ramfs before being mounted in the
>>    container ramfs.
>>
>> If above assumptions are true, then I would like to see them documented in
>> this as part of the Apache Mesos secrets documentation
>> <http://mesos.apache.org/documentation/latest/secrets/>. Otherwise, we'd
>> like to have a design discussion with maintainer of the isolator.
>>
>> We appreciate your help regarding this. Thanks!
>>
>> Regards,
>> Aditya And Zhitao
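
Added example, not part of the original thread and not Mesos code: a way to check the point raised in the reply, namely which filesystem backs the directory where the agent first writes the secret file. The mount table and all paths below are constructed for illustration; on a live host pass the contents of `/proc/mounts` and the agent's actual runtime directory.

```python
import os

RAM_BACKED = {"tmpfs", "ramfs"}

# Constructed sample in /proc/mounts format (not taken from a real host).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
/dev/sdb1 /var/lib/mesos xfs rw,noatime 0 0
tmpfs /run/secrets\\040staging tmpfs rw,nosuid,nodev 0 0
"""

def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as octal escapes.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def parse_mounts(text):
    """Return (mount_point, fstype) pairs in table order."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            mounts.append((_unescape(parts[1]), parts[2]))
    return mounts

def backing_mount(path, mounts):
    """Mount holding `path`: the longest mount point that is a whole-component
    prefix of it; a later entry wins a tie (over-mount). Pass a path with
    symlinks already resolved, e.g. via os.path.realpath() on the host."""
    path = os.path.normpath(path)
    best = None
    for mount_point, fstype in mounts:
        mp = mount_point.rstrip("/") or "/"
        inside = mp == "/" or path == mp or path.startswith(mp + "/")
        if inside and (best is None or len(mp) >= len(best[0])):
            best = (mp, fstype)
    return best

def is_ram_backed(path, mounts):
    """True only if the backing filesystem is tmpfs or ramfs."""
    found = backing_mount(path, mounts)
    return found is not None and found[1] in RAM_BACKED
```

A directory that resolves to a disk filesystem such as ext4 or xfs means a file written there reaches persistent storage, which is what the third assumption in the original question rules out.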