You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@mesos.apache.org by "Gilbert Song (JIRA)" <ji...@apache.org> on 2016/11/01 22:48:58 UTC
[jira] [Commented] (MESOS-6526) `mesos-containerizer launch
--environment` exposes executor env vars in `ps`.
[ https://issues.apache.org/jira/browse/MESOS-6526?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15626929#comment-15626929 ]
Gilbert Song commented on MESOS-6526:
-------------------------------------
Thanks [~xujyan], could you elaborate a little bit about serializing the executor env var into {MESOS_EXECUTOR_ENVIRONMENT}? Isn't it still exposed to 'ps'?
> `mesos-containerizer launch --environment` exposes executor env vars in `ps`.
> -----------------------------------------------------------------------------
>
> Key: MESOS-6526
> URL: https://issues.apache.org/jira/browse/MESOS-6526
> Project: Mesos
> Issue Type: Bug
> Components: containerization
> Affects Versions: 1.1.0
> Reporter: Yan Xu
> Priority: Critical
>
> With MESOS-6323, the helper {{mesos-containerizer launch}} takes a `--environment` flag for the env vars used by the executor. This is unpleasant because its a common practice that people use env vars to hide configs that are sensitive and now it's visible to non-root users on the host with a {{ps}} command.
> Given that we want to separate the environments of {{mesos-containerizer launch}} and the executor itself, perhaps we can just package and serialize the executor env vars in one env var {{MESOS_EXECUTOR_ENVIRONMENT}} and pass that to {{mesos-containerizer launch}} which could then get it through a flag the usual way.
> In general Mesos should do more to protect env vars but I'll file separate issues for them.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)