Posted to dev@aurora.apache.org by Hussein Elgridly <hu...@broadinstitute.org> on 2015/02/18 22:19:56 UTC

Getting secure data into Docker containers

Aurorans,

We have some secure data (think login credentials) that we need to access
from inside a Docker container launched by Aurora. I'm trying to figure out
the best approach for getting them inside the container, since baking them
into the image is a can of worms I don't want to open.

The ideal solution would be to put the creds on the Mesos slaves and then
mount them on the container, but Aurora doesn't have the means to do this
yet. If the answer is "wait a week and AURORA-1107 will be done", then
great; but if not, anyone have any ideas?

Thanks,
Hussein Elgridly
Senior Software Engineer, DSDE
The Broad Institute of MIT and Harvard

Re: Getting secure data into Docker containers

Posted by Steve Niemitz <st...@tellapart.com>.
I was planning on starting both mount and network mode support either next
week or the week after.  (Probably network mode support first).

However, based on the feedback from Bill, I think I might start with his
suggestion in the ticket, and allow static mounts specified to the
scheduler.  This would also lay the framework for per-job mounts, but with
less of a security concern.

On Wed, Feb 18, 2015 at 5:06 PM, Bill Farner <wf...@apache.org> wrote:

> Mounts is the most lo fi approach that comes to mind.  I'd be in support of
> patches to satisfy (part of) AURORA-1107 to fulfill this need (which would
> hopefully be distinct from another perspective on AURORA-1107 in which
> end-users of Aurora can request arbitrary mounts).
>
> -=Bill
>
> On Wed, Feb 18, 2015 at 1:19 PM, Hussein Elgridly <
> hussein@broadinstitute.org> wrote:
>
> > Aurorans,
> >
> > We have some secure data (think login credentials) that we need to access
> > from inside a Docker container launched by Aurora. I'm trying to figure out
> > the best approach for getting them inside the container, since baking them
> > into the image is a can of worms I don't want to open.
> >
> > The ideal solution would be to put the creds on the Mesos slaves and then
> > mount them on the container, but Aurora doesn't have the means to do this
> > yet. If the answer is "wait a week and AURORA-1107 will be done", then
> > great; but if not, anyone have any ideas?
> >
> > Thanks,
> > Hussein Elgridly
> > Senior Software Engineer, DSDE
> > The Broad Institute of MIT and Harvard
> >
>

Re: Getting secure data into Docker containers

Posted by Bill Farner <wf...@apache.org>.
Mounts is the most lo fi approach that comes to mind.  I'd be in support of
patches to satisfy (part of) AURORA-1107 to fulfill this need (which would
hopefully be distinct from another perspective on AURORA-1107 in which
end-users of Aurora can request arbitrary mounts).

-=Bill

On Wed, Feb 18, 2015 at 1:19 PM, Hussein Elgridly <
hussein@broadinstitute.org> wrote:

> Aurorans,
>
> We have some secure data (think login credentials) that we need to access
> from inside a Docker container launched by Aurora. I'm trying to figure out
> the best approach for getting them inside the container, since baking them
> into the image is a can of worms I don't want to open.
>
> The ideal solution would be to put the creds on the Mesos slaves and then
> mount them on the container, but Aurora doesn't have the means to do this
> yet. If the answer is "wait a week and AURORA-1107 will be done", then
> great; but if not, anyone have any ideas?
>
> Thanks,
> Hussein Elgridly
> Senior Software Engineer, DSDE
> The Broad Institute of MIT and Harvard
>