Hi Aditya,

Yeah, you are right. `hostSecretPath` is a sub-directory under the agent's
runtime dir, and the default value of the agent's runtime dir is `/var/run/mesos`,
which is a tmpfs. So the secret is written to tmpfs on the agent host.


Regards,
Qian Zhang

On Sat, Apr 21, 2018 at 8:19 AM, Aditya Bhave <adity...@uber.com> wrote:

> Hi Qian,
>
> Secret is written to file at hostSecretPath which is derived like this:
>
> const string hostSecretPath = path::join(flags.runtime_dir, SECRET_DIR,
> stringify(id::UUID::random()));
> Also,
> const string hostSecretTmpDir = path::join(flags.runtime_dir, SECRET_DIR);
> Is the hostSecretTmpDir not located on tmpfs? The dir name alludes to
> this.
>
> Thanks,
> -Aditya
>
> On Fri, Apr 20, 2018 at 5:05 PM, Qian Zhang <zhq527...@gmail.com> wrote:
>
>> > When the secret is first downloaded on the mesos agent, it will be
>> stored as "root" on the tmpfs/ramfs before being mounted in the container
>> ramfs.
>>
>> It seems the secret is not stored on the tmpfs/ramfs on the agent host;
>> we just write it into a file
>> <https://github.com/apache/mesos/blob/1.5.0/src/slave/containerizer/mesos/isolators/volume/secret.cpp#L281>
>> under the agent's runtime directory, and then move it into the ramfs
>> <https://github.com/apache/mesos/blob/1.5.0/src/slave/containerizer/mesos/isolators/volume/secret.cpp#L260:L267>
>> in the container when the container is launched.
>>
>>
>> Regards,
>> Qian Zhang
>>
>> On Fri, Apr 20, 2018 at 2:47 PM, Gilbert Song <gilb...@apache.org> wrote:
>>
>>> IIUC, your assumptions are all correct.
>>>
>>> @Kapil, could you please confirm? Maybe we could improve the document at
>>> the next Docathon.
>>>
>>> Gilbert
>>>
>>> On Thu, Apr 19, 2018 at 10:57 AM, Zhitao Li <zhitaoli...@gmail.com>
>>> wrote:
>>>
>>>> Hello,
>>>>
>>>> We at Uber plan to use volume/secret isolator to send secrets from Uber
>>>> framework to Mesos agent.
>>>>
>>>> For this purpose, we are referring to these documents:
>>>>
>>>>    - File based secrets design doc
>>>>    <https://docs.google.com/document/d/18raiiUfxTh-JBvjd6RyHe_TOScY87G_bMi5zBzMZmpc/edit#>
>>>>    and slides
>>>>    <http://schd.ws/hosted_files/mesosconasia2017/70/Secrets%20Management%20in%20Mesos.pdf>.
>>>>    - Apache Mesos secrets documentation
>>>>    <http://mesos.apache.org/documentation/latest/secrets/>
>>>>
>>>> Could you please confirm that the following assumptions are correct?
>>>>
>>>>    - Mesos agent and master will never log the secret data at any
>>>>    logging level;
>>>>    - Mesos agent and master will never expose the secret data as part of
>>>>    any API response;
>>>>    - Mesos agent and master will never store the secret in any
>>>>    persistent storage, but only on tmpfs or ramfs;
>>>>    - When the secret is first downloaded on the mesos agent, it will be
>>>>    stored as "root" on the tmpfs/ramfs before being mounted in the
>>>>    container ramfs.
>>>>
>>>> If the above assumptions are true, then I would like to see them documented
>>>> in this as part of the Apache Mesos secrets documentation
>>>> <http://mesos.apache.org/documentation/latest/secrets/>. Otherwise, we'd
>>>> like to have a design discussion with the maintainer of the isolator.
>>>>
>>>> We appreciate your help regarding this. Thanks!
>>>>
>>>> Regards,
>>>> Aditya And Zhitao
>>>>
>>>
>>>
>>
>
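The thread's conclusion rests on `runtime_dir` (default `/var/run/mesos`) actually being a tmpfs on the agent host, which depends on how the host is configured rather than on Mesos itself. The following is an added example, not code from this thread or from Mesos: a small check an operator can run to confirm that a given directory sits on tmpfs or ramfs. It parses `/proc/mounts` (the embedded sample is constructed, not captured from a real host), picks the longest mount point containing the path, and reports the filesystem type. The function names and the `check_host` helper are assumptions made for this example.

```python
"""Verify that a directory (for example the Mesos agent's runtime_dir) lives on a
memory-backed filesystem by parsing /proc/mounts.

Added example for this thread; it is not Mesos code.  /var/run/mesos is the
default runtime_dir mentioned in the thread; every function name here is an
assumption made for the example."""
import os
import posixpath
import re
from typing import List, Optional, Tuple

# Filesystem types whose contents are never written to persistent storage
# (unless the host swaps, which is a separate concern).
MEMORY_BACKED = {"tmpfs", "ramfs"}

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def _unescape(field: str) -> str:
    """Decode the octal escapes /proc/mounts uses for space, tab, newline, backslash."""
    return _OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(mounts_text: str) -> List[Tuple[str, str]]:
    """Return (mountpoint, fstype) pairs, in order, from /proc/mounts-formatted text."""
    entries = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed line
        entries.append((_unescape(parts[1]), parts[2]))
    return entries


def filesystem_type_for(path: str, mounts_text: str) -> Optional[str]:
    """Filesystem type of the mount that contains `path`, or None if no mount matches.

    The longest mount point that is a path-component prefix of `path` wins;
    among equal-length mount points the later entry wins, because a later
    mount over the same directory shadows the earlier one.  Callers should
    pass a resolved path (os.path.realpath), since e.g. /var/run is often a
    symlink to /run.
    """
    path = posixpath.normpath(path)
    best: Optional[Tuple[str, str]] = None
    for mountpoint, fstype in parse_mounts(mounts_text):
        mp = posixpath.normpath(mountpoint)
        prefix = mp if mp.endswith("/") else mp + "/"
        # "/var/runner" must not match the "/var/run" mount, hence the "/" boundary.
        if path == mp or path.startswith(prefix):
            if best is None or len(mp) >= len(best[0]):
                best = (mp, fstype)
    return best[1] if best else None


def is_memory_backed(path: str, mounts_text: str) -> bool:
    """True when `path` is on tmpfs or ramfs according to `mounts_text`."""
    return filesystem_type_for(path, mounts_text) in MEMORY_BACKED


# Constructed sample of /proc/mounts content (not captured from a real host).
# The last entry shows a mount point containing a space, encoded as \040.
SAMPLE_MOUNTS = (
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0\n"
    "tmpfs /var/run tmpfs rw,nosuid,nodev 0 0\n"
    "/dev/sdb1 /var/lib/mesos ext4 rw,relatime 0 0\n"
    "tmpfs /mnt/ram\\040disk tmpfs rw 0 0\n"
)


def check_host(runtime_dir: str = "/var/run/mesos") -> Optional[bool]:
    """Check the real host; returns None where /proc/mounts is unavailable."""
    try:
        with open("/proc/mounts") as f:
            mounts_text = f.read()
    except OSError:
        return None
    return is_memory_backed(os.path.realpath(runtime_dir), mounts_text)


if __name__ == "__main__":
    for p in ("/var/run/mesos/secrets", "/var/lib/mesos/secrets", "/mnt/ram disk/x"):
        print(f"{p}: {filesystem_type_for(p, SAMPLE_MOUNTS)} "
              f"(memory-backed: {is_memory_backed(p, SAMPLE_MOUNTS)})")
    result = check_host()
    print("host /var/run/mesos memory-backed:", "unknown" if result is None else result)
```

Run it on an agent host to see whether the configured `--runtime_dir` (not only the default) resolves to a tmpfs or ramfs mount; an agent whose runtime dir was pointed at a disk-backed path would stage the secret file on persistent storage between the write and the move into the container ramfs described in the thread.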
