Posted to user@mesos.apache.org by Carlos Sanchez <ca...@apache.org> on 2015/09/17 12:55:03 UTC

Re: SSL in Mesos 0.23

I got back to SSL and made some progress, SSL is enabled now (I think
I needed to export the variables in /etc/default/mesos)
but I got 2 new problems (described in more detail in
https://gist.github.com/carlossg/64c9f8050d637f51c77c )

#1 slaves can't connect to master over SSL, master refuses connection
with: Error (26): unsupported certificate purpose

but the slave cert has what I believe are the correct certificate purposes, are they?

openssl x509 -in /etc/mesos/tiger.crt -noout -purpose
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

#2 can't connect to master if cert validation is enabled with
SSL_VALIDATE_CERT=true or SSL_REQUIRE_CERT=true
Tried enabling all protocols and no luck, also set the hostname
correctly to ensure ssl works fine (is name matching actually required
for the mesos slaves?)
If SSL_VALIDATE_CERT=false and SSL_REQUIRE_CERT=false and I don't
provide a cert in the curl call it connects fine, so the server certificate
seems to be correct.

Master running with
/usr/sbin/mesos-master --zk=zk://zk:xxxxxx@10.16.2.1:2181/mesos
--port=5050 --log_dir=/var/log/mesos --authenticate=true
--authenticate_slaves=true --credentials=/etc/mesos/credentials
--hostname=tiger-jdoe-controller-1.tiger.acme.net --quorum=1
--work_dir=/var/lib/mesos

Tried with curl

curl -v --cacert /etc/mesos/rootCA.pem --key
/home/ubuntu/tiger-client.key.pem --cert
/home/ubuntu/tiger-client.cert.pem
https://tiger-jdoe-controller-1.tiger.acme.net:5050/master/state.json


ubuntu 14.04.3 curl 7.35.0

* Hostname was NOT found in DNS cache
*   Trying 127.0.0.1...
* Connected to tiger-jdoe-controller-1.tiger.acme.net (127.0.0.1) port 5050 (#0)
* successfully set certificate verify locations:
*   CAfile: /etc/mesos/rootCA.pem
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES128-SHA
* Server certificate:
*    subject: C=US; O=acme; OU=Tiger; CN=tiger-jdoe-controller-1.tiger.acme.net
*    start date: 2015-09-16 18:28:30 GMT
*    expire date: 2025-09-13 18:28:30 GMT
*    common name: tiger-jdoe-controller-1.tiger.acme.net (matched)
*    issuer: C=US; ST=CA; O=acme; OU=Tiger
*    SSL certificate verify ok.
> GET /master/state.json HTTP/1.1
> User-Agent: curl/7.35.0
> Host: tiger-jdoe-controller-1.tiger.acme.net:5050
> Accept: */*
>
* Empty reply from server
* Connection #0 to host tiger-jdoe-controller-1.tiger.acme.net left intact
curl: (52) Empty reply from server


Seems there is an issue with the curl debug log in older curl versions, so
I tried with newer ones

ubuntu:wily curl 7.43.0 ends in a similar way

* Connected to tiger-jdoe-controller-1.tiger.acme.net (127.0.0.1) port 5050 (#0)
* found 1 certificates in /etc/mesos/rootCA.pem
* found 748 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / RSA_AES_128_CBC_SHA1
*    server certificate verification OK
*    server certificate status verification SKIPPED
*    common name: tiger-jdoe-controller-1.tiger.acme.net (matched)
*    server certificate expiration date OK
*    server certificate activation date OK
*    certificate public key: RSA
*    certificate version: #3
*    subject: C=US,O=acme,OU=Tiger,CN=tiger-jdoe-controller-1.tiger.acme.net
*    start date: Wed, 16 Sep 2015 18:28:30 GMT
*    expire date: Sat, 13 Sep 2025 18:28:30 GMT
*    issuer: C=US,ST=CA,O=acme,OU=Tiger
*    compression: NULL
* ALPN, server did not agree to a protocol
> GET /master/state.json HTTP/1.1
> Host: tiger-jdoe-controller-1.tiger.acme.net:5050
> User-Agent: curl/7.43.0
> Accept: */*
>
* GnuTLS recv error (-110): The TLS connection was non-properly terminated.
* Closing connection 0
curl: (56) GnuTLS recv error (-110): The TLS connection was
non-properly terminated.

curl 7.42.1 from appropriate/curl same thing

* Empty reply from server
* Connection #0 to host tiger-jdoe-controller-1.tiger.acme.net left intact
curl: (52) Empty reply from server

The detailed logs are at https://gist.github.com/carlossg/64c9f8050d637f51c77c

Thanks in advance

On Wed, Aug 26, 2015 at 3:25 AM, Joris Van Remoortere
<jo...@mesosphere.io> wrote:
> @Carlos
> Mesosphere currently doesn't build packages with ssl enabled.
>
> On Tue, Aug 25, 2015 at 3:12 PM, Carlos Sanchez <ca...@apache.org> wrote:
>>
>> Hi Joris,
>>
>> I did build from sources, following instructions in
>> http://mesos.apache.org/gettingstarted/
>>
>> Is the mesosphere binary compiled with libevent and ssl enabled as
>> mentioned previously? It would make debugging easier if I don't have to rebuild
>>
>>
>>
>> On Tue, Aug 25, 2015 at 8:52 PM, Joris Van Remoortere
>> <jo...@mesosphere.io> wrote:
>>>
>>> @carlos
>>> Are you building 0.23.0 from source?
>>> Just so we don't miss anything: Can you make sure to run ./bootstrap, and
>>> build in a clean directory with your configuration similar to this:
>>>
>>> ../configure --enable-libevent --enable-ssl
>>>
>>> Here is the document I am using as a reference
>>>
>>> When you start up a master, if you just specify SSL_ENABLED=true it
>>> should error out and notify you that other required flags such as
>>> SSL_KEY_FILE are not provided. Can you verify this? If that is not
>>> happening, then the 2 options are:
>>> 1. Your environment variables are not making it to the binary: See Jeff
>>> Schroeder's comments
>>> 2. The binary is not actually the one you expect. Double check the
>>> checksum with the binary you built after configuring with SSL.
>>>
>>>
>>>
>>> On Fri, Aug 14, 2015 at 12:55 PM, Carlos Sanchez <ca...@apache.org>
>>> wrote:
>>>>
>>>> looking forward to it, thanks!
>>>> running out of ideas here on what I am doing wrong
>>>>
>>>> On Fri, Aug 14, 2015 at 6:53 PM, Marco Massenzio <ma...@mesosphere.io>
>>>> wrote:
>>>> > FYI - Joris is out this week, he'll probably be able to get back to
>>>> > you early next (modulo MesosCon craziness :)
>>>> >
>>>> > Marco Massenzio
>>>> > Distributed Systems Engineer
>>>> >
>>>> > On Fri, Aug 14, 2015 at 9:14 AM, Carlos Sanchez <ca...@apache.org>
>>>> > wrote:
>>>> >>
>>>> >> no suggestions?
>>>> >>
>>>> >> On Tue, Aug 11, 2015 at 6:47 PM, Vinod Kone <vi...@apache.org>
>>>> >> wrote:
>>>> >> > @joris, can you help out here?
>>>> >> >
>>>> >> > On Tue, Aug 11, 2015 at 9:43 AM, Carlos Sanchez <ca...@apache.org>
>>>> >> > wrote:
>>>> >> >>
>>>> >> >> I have tried to enable SSL with no success, even compiling from
>>>> >> >> source with the ssl flags --enable-libevent --enable-ssl
>>>> >> >>
>>>> >> >> export SSL_ENABLED=true
>>>> >> >> export SSL_SUPPORT_DOWNGRADE=false
>>>> >> >> export SSL_REQUIRE_CERT=true
>>>> >> >> export SSL_CERT_FILE=/etc/mesos/...
>>>> >> >> export SSL_KEY_FILE=/etc/mesos/...
>>>> >> >> export SSL_CA_FILE=/etc/mesos/...
>>>> >> >>
>>>> >> >>
>>>> >> >> /home/ubuntu/mesos-deb-packaging/mesos-repo/build/src/mesos-master
>>>> >> >> --work_dir="/var/lib/mesos"
>>>> >> >>
>>>> >> >> Port 5050 is still served as plain http, no SSL
>>>> >> >>
>>>> >> >> Nothing about ssl shows up in the logs, any ideas?
>>>> >> >>
>>>> >> >> Thanks
>>>> >> >>
>>>> >> >>
>>>> >> >> >
>>>> >> >> > From: Dharmit Shah <sh...@gmail.com>
>>>> >> >> > To: user@mesos.apache.org
>>>> >> >> > Cc:
>>>> >> >> > Date: Mon, 10 Aug 2015 14:13:04 +0530
>>>> >> >> > Subject: Re: SSL in Mesos 0.23
>>>> >> >> > Hi Jeff,
>>>> >> >> >
>>>> >> >> > Thanks for the suggestion.
>>>> >> >> >
>>>> >> >> > I modified the systemd service file to use
>>>> >> >> > `/etc/sysconfig/mesos-master` and `/etc/sysconfig/mesos-slave` as
>>>> >> >> > environment files for master and slave services respectively. In
>>>> >> >> > these files, I specified the environment variables that I used to
>>>> >> >> > specify on the command line.
>>>> >> >> >
>>>> >> >> > Now if I check `strings /proc/<pid>/environ | grep SSL` for pids of
>>>> >> >> > master and slave services, I see the environment variables that I
>>>> >> >> > set in the /etc/sysconfig/<environment-file>.
>>>> >> >> >
>>>> >> >> > Now that it looks like I have started the master and slave services
>>>> >> >> > with SSL enabled, how do I really confirm that communication between
>>>> >> >> > master and slaves is really happening over SSL?
>>>> >> >> >
>>>> >> >> > Also, how do I enable SSL communication for a framework like
>>>> >> >> > Marathon?
>>>> >> >> >
>>>> >> >> > Regards,
>>>> >> >> > Dharmit.
>>>> >> >> >
>>>> >> >> > On Fri, Aug 7, 2015 at 10:56 PM, Jeff Schroeder
>>>> >> >> > <je...@computer.org> wrote:
>>>> >> >> > > The sudo command defaults to env_reset (look for that in the man
>>>> >> >> > > page) which strips all env variables sans a select few. I'd almost
>>>> >> >> > > bet that your SSL_* variables are not present and were not passed
>>>> >> >> > > to the slave. Just sudo -i and start the slaves *as root* without
>>>> >> >> > > sudo. There is no benefit to starting them with sudo. You can
>>>> >> >> > > verify what I'm saying with something along the lines of:
>>>> >> >> > >
>>>> >> >> > > strings /proc/$(pidof mesos-slave)/environ | grep ^SSL_
>>>> >> >> > >
>>>> >> >> > >
>>>> >> >> > > On Friday, August 7, 2015, Dharmit Shah
>>>> >> >> > > <sh...@gmail.com>
>>>> >> >> > > wrote:
>>>> >> >> > >>
>>>> >> >> > >> Hello again,
>>>> >> >> > >>
>>>> >> >> > >> Thanks for your responses. I will share what I tried after your
>>>> >> >> > >> suggestions.
>>>> >> >> > >>
>>>> >> >> > >> 1. `ldd /usr/sbin/mesos-master` and `ldd /usr/sbin/mesos-slave`
>>>> >> >> > >> returned output similar to the one suggested by Craig. So, I
>>>> >> >> > >> guess, the Mesosphere repo binaries have SSL enabled. Right?
>>>> >> >> > >>
>>>> >> >> > >> 2. I created an SSL private key and cert on one system in my
>>>> >> >> > >> cluster by referring to this guide on DO [1]. Admittedly, my
>>>> >> >> > >> knowledge of SSL is limited.
>>>> >> >> > >>
>>>> >> >> > >> 3. Next, I copied the key and cert to all three mesos-master nodes
>>>> >> >> > >> and four mesos-slave nodes. Shouldn't slave nodes be provided only
>>>> >> >> > >> with the cert and not the private key? Whereas all master nodes
>>>> >> >> > >> may have both the private key and cert. Or am I understanding SSL
>>>> >> >> > >> incorrectly here?
>>>> >> >> > >>
>>>> >> >> > >> 4. After copying the cert and key, I started the mesos-master
>>>> >> >> > >> service on master nodes with the command below:
>>>> >> >> > >>
>>>> >> >> > >>     $ sudo SSL_ENABLED=true SSL_KEY_FILE=~/ssl/mesos.key
>>>> >> >> > >> SSL_CERT_FILE=~/ssl/mesos.crt /usr/sbin/mesos-master
>>>> >> >> > >> --zk=zk://172.19.10.111:2181,172.19.10.112:2181,172.19.10.193:2181/mesos
>>>> >> >> > >> --port=5050 --log_dir=/var/log/mesos
>>>> >> >> > >> --acls=file:///root/acls.json
>>>> >> >> > >> --credentials=/home/isys/mesos --quorum=2
>>>> >> >> > >> --work_dir=/var/lib/mesos
>>>> >> >> > >>
>>>> >> >> > >> I check the web UI and things look good. I am not completely sure
>>>> >> >> > >> if "https" should have worked for the mesos web UI but, it didn't.
>>>> >> >> > >>
>>>> >> >> > >> 5. Next, I start slave nodes with the command below:
>>>> >> >> > >>
>>>> >> >> > >>   $ sudo SSL_ENABLED=true SSL_CERT_FILE=~/mesos.crt
>>>> >> >> > >> SSL_KEY_FILE=~/mesos.key /usr/sbin/mesos-slave
>>>> >> >> > >> --master=zk://172.19.10.111:2181,172.19.10.112:2181,172.19.10.193:2181/mesos
>>>> >> >> > >> --log_dir=/var/log/mesos --containerizers=docker,mesos
>>>> >> >> > >> --executor_registration_timeout=15mins
>>>> >> >> > >>
>>>> >> >> > >> Mesos web UI reported four mesos-slave nodes in "Activated" mode.
>>>> >> >> > >> So far so good. I am still wondering how I should verify if
>>>> >> >> > >> communication is happening over SSL.
>>>> >> >> > >>
>>>> >> >> > >> 6. To check if SSL is indeed working, I stopped one slave node and
>>>> >> >> > >> started it without SSL using `systemctl start mesos-slave`. I was
>>>> >> >> > >> expecting it to not get into "Activated" state on the Mesos web UI
>>>> >> >> > >> but it did. So, I think SSL is not configured properly by me.
>>>> >> >> > >>
>>>> >> >> > >> I am attaching logs from the master nodes. These logs were
>>>> >> >> > >> generated after starting masters with the command specified in
>>>> >> >> > >> point 4.
>>>> >> >> > >>
>>>> >> >> > >> Let me know if I am doing something wrong or if you need more logs
>>>> >> >> > >> or need me to execute some specific commands.
>>>> >> >> > >>
>>>> >> >> > >> [1] https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs
>>>> >> >> > >>
>>>> >> >> > >> Regards,
>>>> >> >> > >> Dharmit.
>>>> >> >> > >>
>>>> >> >> > >> On Fri, Aug 7, 2015 at 2:52 AM, Michael Park
>>>> >> >> > >> <mc...@gmail.com>
>>>> >> >> > >> wrote:
>>>> >> >> > >> > Hi Dharmit,
>>>> >> >> > >> >
>>>> >> >> > >> > I'm not certain whether the Mesosphere deb packages have SSL
>>>> >> >> > >> > enabled or not, although based on Craig's observation it looks
>>>> >> >> > >> > like it is.
>>>> >> >> > >> >
>>>> >> >> > >> > I think the correct way to enable SSL is to set the SSL_ENABLED
>>>> >> >> > >> > environment variable, rather than /etc/mesos-master/ssl_enabled.
>>>> >> >> > >> > Of course, along with the rest of the SSL_ environment variables.
>>>> >> >> > >> >
>>>> >> >> > >> > e.g. SSL_ENABLED=true SSL_KEY_FILE=<path-to-your-private-key>
>>>> >> >> > >> > SSL_CERT_FILE=<path-to-your-certificate> ./mesos-master
>>>> >> >> > >> > <master-flags>
>>>> >> >> > >> >
>>>> >> >> > >> > MPark.
>>>> >> >> > >> >
>>>> >> >> > >> > On Thu, Aug 6, 2015 at 9:30 AM craig w
>>>> >> >> > >> > <co...@gmail.com>
>>>> >> >> > >> > wrote:
>>>> >> >> > >> >>
>>>> >> >> > >> >> I've run ldd on /usr/sbin/mesos-master (on CentOS 7 using mesos
>>>> >> >> > >> >> 0.23 from mesosphere repo) and I see "libssl.3.so" and
>>>> >> >> > >> >> "libssl.so.10"
>>>> >> >> > >> >>
>>>> >> >> > >> >> On Thu, Aug 6, 2015 at 12:20 PM, Jeff Schroeder
>>>> >> >> > >> >> <je...@computer.org> wrote:
>>>> >> >> > >> >>>
>>>> >> >> > >> >>> Can you run ldd on the mesos-master or mesos-slave binaries?
>>>> >> >> > >> >>> I believe you *should* see openssl libraries in the output if
>>>> >> >> > >> >>> those packages are configured using --enable-ssl.
>>>> >> >> > >> >>>
>>>> >> >> > >> >>> On Thu, Aug 6, 2015 at 9:46 AM, Dharmit Shah
>>>> >> >> > >> >>> <sh...@gmail.com>
>>>> >> >> > >> >>> wrote:
>>>> >> >> > >> >>>>
>>>> >> >> > >> >>>> Hello,
>>>> >> >> > >> >>>>
>>>> >> >> > >> >>>> I followed the Mesos cluster setup guide on the Mesosphere
>>>> >> >> > >> >>>> website [1]. I set it up on a CentOS 7 system. For
>>>> >> >> > >> >>>> installation of packages, I went with Mesosphere provided
>>>> >> >> > >> >>>> repositories.
>>>> >> >> > >> >>>>
>>>> >> >> > >> >>>> Now that Mesos 0.23 has been released with SSL capabilities, I
>>>> >> >> > >> >>>> believe it is possible to have communication between the
>>>> >> >> > >> >>>> master, slaves and frameworks be secured by SSL. Am I right?
>>>> >> >> > >> >>>>
>>>> >> >> > >> >>>> I would like to set it up in my environment. I am using
>>>> >> >> > >> >>>> `mesos-0.23.0-1.0.centos701406.x86_64`.
>>>> >> >> > >> >>>>
>>>> >> >> > >> >>>> The official Mesos documentation on the topic [2] illustrates
>>>> >> >> > >> >>>> how things can be set up when building Mesos from source.
>>>> >> >> > >> >>>>
>>>> >> >> > >> >>>> I would like to know if the Mesos package shipped by the
>>>> >> >> > >> >>>> Mesosphere repo has this feature or not yet. I tried setting
>>>> >> >> > >> >>>> `/etc/mesos-master/ssl_enabled` on one of the master nodes.
>>>> >> >> > >> >>>> But restarting the `mesos-master` service failed stating that
>>>> >> >> > >> >>>> option `ssl_enabled` is unknown.
>>>> >> >> > >> >>>>
>>>> >> >> > >> >>>> Thanks for your help!
>>>> >> >> > >> >>>>
>>>> >> >> > >> >>>> [1] http://open.mesosphere.com/getting-started/datacenter/install/
>>>> >> >> > >> >>>> [2] http://mesos.apache.org/documentation/latest/mesos-ssl/
>>>> >> >> > >> >>>>
>>>> >> >> > >> >>>> Regards,
>>>> >> >> > >> >>>> Dharmit.
>>>> >> >> > >> >>>
>>>> >> >> > >> >>>
>>>> >> >> > >> >>>
>>>> >> >> > >> >>>
>>>> >> >> > >> >>> --
>>>> >> >> > >> >>> Jeff Schroeder
>>>> >> >> > >> >>>
>>>> >> >> > >> >>> Don't drink and derive, alcohol and analysis don't mix.
>>>> >> >> > >> >>> http://www.digitalprognosis.com
>>>> >> >> > >> >>
>>>> >> >> > >> >>
>>>> >> >> > >> >>
>>>> >> >> > >> >>
>>>> >> >> > >> >> --
>>>> >> >> > >> >>
>>>> >> >> > >> >> https://github.com/mindscratch
>>>> >> >> > >> >> https://www.google.com/+CraigWickesser
>>>> >> >> > >> >> https://twitter.com/mind_scratch
>>>> >> >> > >> >> https://twitter.com/craig_links
>>>> >> >> > >
>>>> >> >> > >
>>>> >> >> > >
>>>> >> >> > > --
>>>> >> >> > > Text by Jeff, typos by iPhone
>>>> >> >> >
>>>> >> >> >
>>>> >> >
>>>> >> >
>>>> >
>>>> >
>>>
>>>
>>
>
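Two checks recur through this thread without a worked answer: Carlos's master rejecting the slave with "Error (26): unsupported certificate purpose" while `openssl x509 -purpose` says the cert is fine, and Jeff's and Dharmit's question of whether the SSL_* variables ever reached the daemon (sudo's env_reset) and how to confirm the endpoint is really speaking TLS. The script below is an added example written for this page, not code from the Mesos project or from any poster. It builds a throwaway CA, one serverAuth-only and one clientAuth-only certificate in a temp directory (the host name master.example.test and every file name are constructed), runs OpenSSL's own purpose validation the way a peer would during the handshake, reads SSL_* out of a live process's environ block, and wraps `openssl s_client` as a TLS probe. It assumes the openssl CLI (1.1.1 or later) and a Linux /proc.

```shell
#!/bin/sh
# Added example for this thread; not code from the Mesos project or from any
# of the posters. It builds a throwaway PKI in a temp directory (every name
# below is constructed) and turns the thread's two recurring questions into
# checks you can run before starting mesos-master/mesos-slave:
#   1. is each certificate acceptable for the role it plays? A slave cert
#      presented to a master running with SSL_REQUIRE_CERT=true must pass the
#      "sslclient" purpose, or verification fails with "unsupported
#      certificate purpose" (OpenSSL verify error 26, the one in the thread).
#   2. did the SSL_* variables reach the daemon at all? Read them from the
#      process's own environ block, not from the shell you typed them into
#      (sudo's env_reset silently drops them).
set -eu

# make_test_pki DIR HOST: root CA, a server cert (serverAuth only) and a
# client cert (clientAuth only), both signed by that CA. Extensions come
# from small extfiles so the result does not depend on openssl.cnf.
make_test_pki() {
  dir=$1; host=$2
  mkdir -p "$dir"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=example-test/CN=test-root-ca" \
    -keyout "$dir/rootCA.key" -out "$dir/rootCA.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$dir/rootCA.ext"
  openssl x509 -req -in "$dir/rootCA.csr" -days 30 -sha256 \
    -signkey "$dir/rootCA.key" -extfile "$dir/rootCA.ext" \
    -out "$dir/rootCA.pem" 2>/dev/null
  printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$host" \
    > "$dir/server.ext"
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  for role in server client; do
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj "/O=example-test/CN=$host-$role" \
      -keyout "$dir/$role.key" -out "$dir/$role.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$role.csr" -days 30 -sha256 \
      -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" -CAcreateserial \
      -extfile "$dir/$role.ext" -out "$dir/$role.crt" 2>/dev/null
  done
}

# cert_eku CERT: the Extended Key Usage value of CERT (empty if absent).
cert_eku() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/X509v3 Extended Key Usage/{n;p;}' | sed 's/^ *//'
}

# cert_ok_for_purpose CAFILE CERT PURPOSE: exit 0 when CERT chains to CAFILE
# and is allowed for PURPOSE (sslclient or sslserver). A cert that chains
# fine but carries the wrong EKU fails here with "unsupported certificate
# purpose", the same error the master reports when it rejects a slave.
cert_ok_for_purpose() {
  openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# proc_ssl_env PID: SSL_* variables of a running process, read from its
# NUL-separated environ block (the reliable form of the strings|grep check).
proc_ssl_env() {
  tr '\0' '\n' < "/proc/$1/environ" | grep '^SSL_' || true
}

# probe_tls HOST PORT CAFILE CERT KEY: exit 0 when the endpoint speaks TLS and
# presents a chain that verifies against CAFILE. Point it at a master's port
# to confirm it is no longer serving plain HTTP.
probe_tls() {
  openssl s_client -connect "$1:$2" -servername "$1" \
    -CAfile "$3" -cert "$4" -key "$5" </dev/null 2>/dev/null \
    | grep -q 'Verify return code: 0 (ok)'
}

# demo: build the PKI and show which purposes each certificate passes.
demo() {
  d=$(mktemp -d)
  make_test_pki "$d" master.example.test
  for role in server client; do
    printf '%s.crt  EKU: %s\n' "$role" "$(cert_eku "$d/$role.crt")"
    for p in sslserver sslclient; do
      if cert_ok_for_purpose "$d/rootCA.pem" "$d/$role.crt" "$p"; then
        printf '  %-9s OK\n' "$p"
      else
        printf '  %-9s rejected: unsupported certificate purpose\n' "$p"
      fi
    done
  done
  rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi   # sh check_mesos_ssl.sh demo
```

Run it as `sh check_mesos_ssl.sh demo` to see the server-only cert rejected for `sslclient` and the client-only cert rejected for `sslserver`; `openssl x509 -purpose` on its own only reports what the extensions permit, while `openssl verify -purpose` also applies the CA chain and the role check, which is the combination a peer performs. A slave that must satisfy SSL_REQUIRE_CERT on the master therefore needs its own private key plus a certificate that passes `sslclient`, and once a master is up, `proc_ssl_env "$(pidof mesos-master)"` and `probe_tls master 5050 rootCA.pem client.crt client.key` tell you whether the variables arrived and whether port 5050 actually negotiates TLS.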

Re: SSL in Mesos 0.23

Posted by Benjamin Mahler <be...@gmail.com>.
+joris

On Thu, Sep 17, 2015 at 6:44 AM, tommy xiao <xi...@gmail.com> wrote:

> read many more reports on SSL. Does it mean currently Mesos can't
> support ssl interconn?
>
> 2015-09-17 18:55 GMT+08:00 Carlos Sanchez <ca...@apache.org>:
>> mesos-slave`. I
>> >>>> >> >> > >> was
>> >>>> >> >> > >> expecting it to not get into "Activated" state on Mesos
>> web
>> >>>> >> >> > >> UI but
>> >>>> >> >> > >> it
>> >>>> >> >> > >> did. So, I think SSL is not configured properly by me.
>> >>>> >> >> > >>
>> >>>> >> >> > >> I am attaching logs from the master nodes. These logs were
>> >>>> >> >> > >> generated
>> >>>> >> >> > >> after starting masters with command specified in point 4.
>> >>>> >> >> > >>
>> >>>> >> >> > >> Let me know if I am doing something wrong or if you need
>> more
>> >>>> >> >> > >> logs
>> >>>> >> >> > >> or
>> >>>> >> >> > >> need me to execute some specific commands.
>> >>>> >> >> > >>
>> >>>> >> >> > >> [1]
>> >>>> >> >> > >>
>> >>>> >> >> > >>
>> >>>> >> >> > >>
>> >>>> >> >> > >>
>> https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs
>> >>>> >> >> > >>
>> >>>> >> >> > >> Regards,
>> >>>> >> >> > >> Dharmit.
>> >>>> >> >> > >>
>> >>>> >> >> > >> On Fri, Aug 7, 2015 at 2:52 AM, Michael Park
>> >>>> >> >> > >> <mc...@gmail.com>
>> >>>> >> >> > >> wrote:
>> >>>> >> >> > >> > Hi Dharmit,
>> >>>> >> >> > >> >
>> >>>> >> >> > >> > I'm not certain whether the Mesosphere deb packages have
>> >>>> >> >> > >> > SSL
>> >>>> >> >> > >> > enabled or
>> >>>> >> >> > >> > not,
>> >>>> >> >> > >> > although based on Craig's observation it looks like it
>> is.
>> >>>> >> >> > >> >
>> >>>> >> >> > >> > I think the correct way to enable SSL is to set the
>> >>>> >> >> > >> > SSL_ENABLED
>> >>>> >> >> > >> > environment
>> >>>> >> >> > >> > variable, rather than /etc/mesos-master/ssl_enabled. Of
>> >>>> >> >> > >> > course,
>> >>>> >> >> > >> > along
>> >>>> >> >> > >> > with
>> >>>> >> >> > >> > the rest of the SSL_ environment variables.
>> >>>> >> >> > >> >
>> >>>> >> >> > >> > e.g. SSL_ENABLED=true
>> >>>> >> >> > >> > SSL_KEY_FILE=<path-to-your-private-key>
>> >>>> >> >> > >> > SSL_CERT_FILE=<path-to-your-certificate> ./mesos-master
>> >>>> >> >> > >> > <master-flags>
>> >>>> >> >> > >> >
>> >>>> >> >> > >> > MPark.
>> >>>> >> >> > >> >
>> >>>> >> >> > >> > On Thu, Aug 6, 2015 at 9:30 AM craig w
>> >>>> >> >> > >> > <co...@gmail.com>
>> >>>> >> >> > >> > wrote:
>> >>>> >> >> > >> >>
>> >>>> >> >> > >> >> I've run ldd on /usr/sbin/mesos-master (on CentOS 7
>> using
>> >>>> >> >> > >> >> mesos
>> >>>> >> >> > >> >> 0.23
>> >>>> >> >> > >> >> from
>> >>>> >> >> > >> >> mesosphere repo) and I see "libssl.3.so" and
>> >>>> >> >> > >> >> "libssl.so.10"
>> >>>> >> >> > >> >>
>> >>>> >> >> > >> >> On Thu, Aug 6, 2015 at 12:20 PM, Jeff Schroeder
>> >>>> >> >> > >> >> <je...@computer.org> wrote:
>> >>>> >> >> > >> >>>
>> >>>> >> >> > >> >>> Can you run ldd on the mesos-master or mesos-slave
>> >>>> >> >> > >> >>> binaries? I
>> >>>> >> >> > >> >>> believe
>> >>>> >> >> > >> >>> you *should* see openssl libraries in the output if
>> those
>> >>>> >> >> > >> >>> packages are
>> >>>> >> >> > >> >>> configured using --enable-ssl.
>> >>>> >> >> > >> >>>
>> >>>> >> >> > >> >>> On Thu, Aug 6, 2015 at 9:46 AM, Dharmit Shah
>> >>>> >> >> > >> >>> <sh...@gmail.com>
>> >>>> >> >> > >> >>> wrote:
>> >>>> >> >> > >> >>>>
>> >>>> >> >> > >> >>>> Hello,
>> >>>> >> >> > >> >>>>
>> >>>> >> >> > >> >>>> I followed Mesos cluster setup guide on the
>> Mesosphere
>> >>>> >> >> > >> >>>> website
>> >>>> >> >> > >> >>>> [1]. I
>> >>>> >> >> > >> >>>> set it up on a CentOS 7 system. For installation of
>> >>>> >> >> > >> >>>> packages,
>> >>>> >> >> > >> >>>> I
>> >>>> >> >> > >> >>>> went
>> >>>> >> >> > >> >>>> with Mesosphere provided repositories.
>> >>>> >> >> > >> >>>>
>> >>>> >> >> > >> >>>> Now that Mesos 0.23 has been released with SSL
>> >>>> >> >> > >> >>>> capabilities,
>> >>>> >> >> > >> >>>> I
>> >>>> >> >> > >> >>>> believe
>> >>>> >> >> > >> >>>> it is possible to have communication between the
>> master,
>> >>>> >> >> > >> >>>> slaves
>> >>>> >> >> > >> >>>> and
>> >>>> >> >> > >> >>>> frameworks be secured by SSL. Am I right?
>> >>>> >> >> > >> >>>>
>> >>>> >> >> > >> >>>> I would like to set it up in my environment. I am
>> using
>> >>>> >> >> > >> >>>> `mesos-0.23.0-1.0.centos701406.x86_64`.
>> >>>> >> >> > >> >>>>
>> >>>> >> >> > >> >>>> The official Mesos documentation on the topic [2]
>> >>>> >> >> > >> >>>> illustrates
>> >>>> >> >> > >> >>>> how
>> >>>> >> >> > >> >>>> things can be setup when building Mesos from source.
>> >>>> >> >> > >> >>>>
>> >>>> >> >> > >> >>>> I would like to know if Mesos package shipped by
>> >>>> >> >> > >> >>>> Mesosphere
>> >>>> >> >> > >> >>>> repo
>> >>>> >> >> > >> >>>> has
>> >>>> >> >> > >> >>>> this feature or not yet? I tried setting
>> >>>> >> >> > >> >>>> `/etc/mesos-master/ssl_enabled` on one of the master
>> >>>> >> >> > >> >>>> nodes.
>> >>>> >> >> > >> >>>> But
>> >>>> >> >> > >> >>>> restarting `mesos-master` service failed stating that
>> >>>> >> >> > >> >>>> option
>> >>>> >> >> > >> >>>> `ssl_enabled` is unknown.
>> >>>> >> >> > >> >>>>
>> >>>> >> >> > >> >>>> Thanks for your help!
>> >>>> >> >> > >> >>>>
>> >>>> >> >> > >> >>>> [1]
>> >>>> >> >> > >> >>>>
>> >>>> >> >> > >> >>>>
>> >>>> >> >> > >> >>>>
>> http://open.mesosphere.com/getting-started/datacenter/install/
>> >>>> >> >> > >> >>>> [2]
>> >>>> >> >> > >> >>>>
>> http://mesos.apache.org/documentation/latest/mesos-ssl/
>> >>>> >> >> > >> >>>>
>> >>>> >> >> > >> >>>> Regards,
>> >>>> >> >> > >> >>>> Dharmit.
>> >>>> >> >> > >> >>>
>> >>>> >> >> > >> >>>
>> >>>> >> >> > >> >>>
>> >>>> >> >> > >> >>>
>> >>>> >> >> > >> >>> --
>> >>>> >> >> > >> >>> Jeff Schroeder
>> >>>> >> >> > >> >>>
>> >>>> >> >> > >> >>> Don't drink and derive, alcohol and analysis don't
>> mix.
>> >>>> >> >> > >> >>> http://www.digitalprognosis.com
>> >>>> >> >> > >> >>
>> >>>> >> >> > >> >>
>> >>>> >> >> > >> >>
>> >>>> >> >> > >> >>
>> >>>> >> >> > >> >> --
>> >>>> >> >> > >> >>
>> >>>> >> >> > >> >> https://github.com/mindscratch
>> >>>> >> >> > >> >> https://www.google.com/+CraigWickesser
>> >>>> >> >> > >> >> https://twitter.com/mind_scratch
>> >>>> >> >> > >> >> https://twitter.com/craig_links
>> >>>> >> >> > >
>> >>>> >> >> > >
>> >>>> >> >> > >
>> >>>> >> >> > > --
>> >>>> >> >> > > Text by Jeff, typos by iPhone
>> >>>> >> >> >
>> >>>> >> >> >
>> >>>> >> >
>> >>>> >> >
>> >>>> >
>> >>>> >
>> >>>
>> >>>
>> >>
>> >
>>
>
>
>
> --
> Deshi Xiao
> Twitter: xds2000
> E-mail: xiaods(AT)gmail.com
>

Re: SSL in Mesos 0.23

Posted by tommy xiao <xi...@gmail.com>.
I read many more reports on SSL. Does it mean that currently Mesos can't
support SSL interconnection?

2015-09-17 18:55 GMT+08:00 Carlos Sanchez <ca...@apache.org>:




-- 
Deshi Xiao
Twitter: xds2000
E-mail: xiaods(AT)gmail.com
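Added example, not code from any post in this thread: a few shell helpers for the three checks the thread keeps returning to. They list the SSL_* variables a running mesos-master/mesos-slave actually received (Jeff's /proc environ check, which `sudo` without `-i` defeats), report which variables are missing when SSL_ENABLED=true (the condition Joris says the master refuses to start under), and test a certificate's purposes, the check behind Carlos's "Error (26): unsupported certificate purpose". The function names, the sample data and the rule that SSL_REQUIRE_CERT=true also needs SSL_CA_FILE are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Helper names are mine.

# List the SSL_* variables a process actually received. Accepts a PID
# (reads /proc/<pid>/environ, which needs root for a root-owned daemon)
# or a path to a file in the same NUL-separated KEY=VALUE format.
# An empty result after starting with `sudo VAR=... mesos-slave` is the
# env_reset effect described in the thread.
ssl_env() {
  src="$1"
  case "$src" in
    *[!0-9]*) ;;                      # contains non-digits: use as a path
    *) src="/proc/$src/environ" ;;    # all digits: treat as a PID
  esac
  tr '\0' '\n' < "$src" | grep '^SSL_' || true
}

# Helpers over such a listing: is NAME set to "true"? is NAME set at all?
env_true() { printf '%s\n' "$1" | grep -q "^$2=true$"; }
env_set()  { printf '%s\n' "$1" | grep -q "^$2=."; }

# Print the variable names still missing for a working configuration,
# or nothing when it is complete. SSL_ENABLED=true needs SSL_KEY_FILE
# and SSL_CERT_FILE. Assumption: SSL_REQUIRE_CERT=true also needs
# SSL_CA_FILE, the CA the peer certificate is verified against.
ssl_missing() {
  listing="$1"; missing=""
  if env_true "$listing" SSL_ENABLED; then
    for name in SSL_KEY_FILE SSL_CERT_FILE; do
      env_set "$listing" "$name" || missing="$missing $name"
    done
    if env_true "$listing" SSL_REQUIRE_CERT; then
      env_set "$listing" SSL_CA_FILE || missing="$missing SSL_CA_FILE"
    fi
  else
    missing=" SSL_ENABLED"
  fi
  printf '%s' "${missing# }"
}

# Does a certificate carry a purpose the verifying side will demand?
# $1 is the text of `openssl x509 -in cert.pem -noout -purpose`, $2 is
# "SSL client" (what a slave presents to the master) or "SSL server"
# (what the master presents). OpenSSL verify error 26, "unsupported
# certificate purpose" (X509_V_ERR_INVALID_PURPOSE), is raised by the
# side doing the verifying, so run this on the cert the *other* side uses.
cert_has_purpose() {
  printf '%s\n' "$1" | grep -q "^$2 : Yes$"
}

# Live variant: fetch the certificate a running master presents on its
# port and print its purposes. Needs a reachable master, so it is only
# defined here, not run below.
master_cert_purposes() {
  host="$1"; port="${2:-5050}"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
    openssl x509 -noout -purpose
}

# Constructed sample: the first lines of the purpose listing quoted in
# the thread for the slave certificate.
SAMPLE_PURPOSES='Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No'

# Constructed samples: the environment a slave started with plain
# `sudo SSL_ENABLED=... mesos-slave` tends to end up with (variables
# stripped), and one that kept its variables but lacks the key file.
SAMPLE_ENV_STRIPPED='PATH=/usr/bin:/bin
HOME=/root'
SAMPLE_ENV_NOKEY='SSL_ENABLED=true
SSL_CERT_FILE=/etc/mesos/mesos.crt
SSL_REQUIRE_CERT=true
SSL_CA_FILE=/etc/mesos/rootCA.pem'

# Walk the constructed samples when the file is run directly.
for listing in "$SAMPLE_ENV_STRIPPED" "$SAMPLE_ENV_NOKEY"; do
  printf 'missing: [%s]\n' "$(ssl_missing "$listing")"
done
cert_has_purpose "$SAMPLE_PURPOSES" "SSL client" && echo "slave cert: SSL client ok"
```

On a live node, `ssl_missing "$(ssl_env "$(pidof mesos-slave)")"` prints the names that never reached the process, or nothing when the configuration is complete.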