Posted to user@mesos.apache.org by Paul Bell <ar...@gmail.com> on 2015/10/05 19:04:51 UTC

Securing executors

Hi All,

I am running an nmap port scan on a Mesos agent node and noticed nmap
reporting an open TCP port at 50577.

Poking around some, I discovered exactly 5 mesos-docker-executor processes,
one for each of my 5 Docker containers, and each with an open listen port:

root     14131  3617  0 10:39 ?        00:00:17 mesos-docker-executor
--container=mesos-20151002-172703-2450482247-5050-3014-S0.5563c65a-e33e-4287-8ce4-b2aa8116aa95
--docker=/usr/local/ecxmcc/weaveShim --help=false
--mapped_directory=/mnt/mesos/sandbox
--sandbox_directory=/tmp/mesos/slaves/20151002-172703-2450482247-5050-3014-S0/frameworks/20151002-172703-2450482247-5050-3014-0000/executors/postgres.ea2954fd-6b6e-11e5-8bef-56847afe9799/runs/5563c65a-e33e-4287-8ce4-b2aa8116aa95
--stop_timeout=15secs

I suppose that all of this is unsurprising. But I know of at least one big
customer who will without delay run Nmap or Nessus against my clustered
deployment.

So I am wondering what the best practices approach is to securing these
open ports.

Thanks for your help.

-Paul

Re: Securing executors

Posted by Adam Bordelon <ad...@mesosphere.io>.
Paul, yes, encryption is a possibility since Mesos 0.23. See
http://mesos.apache.org/documentation/latest/mesos-ssl/
I believe you can also select which listener port you want to use by
specifying LIBPROCESS_PORT in the executor's environment.

On Tue, Oct 6, 2015 at 6:59 AM, Paul Bell <ar...@gmail.com> wrote:

Re: Securing executors

Posted by Paul Bell <ar...@gmail.com>.
Thanks, Alexander; I will check out the vid.

I kind of assumed that this port was used for exactly the purpose you
mention.

Is TLS a possibility here?

-Paul

On Tue, Oct 6, 2015 at 8:15 AM, Alexander Rojas <al...@mesosphere.io>
wrote:

Re: Securing executors

Posted by Alexander Rojas <al...@mesosphere.io>.
Hi Paul,

I can refer you to the talk given by Adam Bordelon at MesosCon https://www.youtube.com/watch?v=G3sn1OLYDOE

If you want the short answer, the solution is to put a firewall around your cluster.

On a closer look at the port, it is the one used for message passing between the mesos-docker-executor and other mesos components.

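An added example, not code from the thread or from the Mesos project: the kind of host check the discussion above calls for. It lists the listening sockets owned by mesos-docker-executor processes on an agent and flags the ones bound on every interface, which are exactly the ports an external scan of the node (like the nmap run above) reports as open; it assumes the text format of `ss -ltnp`, and the sample output is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: list the listening sockets that
# belong to mesos-docker-executor processes on a Mesos agent and flag those
# bound on every interface, which are exactly the ones an external scan of
# the node (like the nmap run above) reports as open.
# Input is the text format of `ss -ltnp`; the kernel truncates process names
# to 15 characters, so the executor shows up as "mesos-docker-ex".

# Constructed sample of `ss -ltnp` output (not a real capture).
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port  Process
LISTEN 0      128    0.0.0.0:50577       0.0.0.0:*          users:(("mesos-docker-ex",pid=14131,fd=7))
LISTEN 0      128    10.0.0.5:5051       0.0.0.0:*          users:(("mesos-slave",pid=3617,fd=9))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=900,fd=3))
LISTEN 0      128    10.0.0.5:50578      0.0.0.0:*          users:(("mesos-docker-ex",pid=14200,fd=7))
LISTEN 0      128    [::]:50579          [::]:*             users:(("mesos-docker-ex",pid=14250,fd=7))'

# executor_listeners: read ss output on stdin, print "pid port bind_addr"
# for every socket owned by a mesos-docker-executor process.
executor_listeners() {
    awk '/mesos-docker-ex/ {
        n = split($4, parts, ":")                  # $4 is addr:port
        port = parts[n]                            # port follows the last colon
        addr = substr($4, 1, length($4) - length(port) - 1)
        match($6, /pid=[0-9]+/)                    # $6 is users:(("comm",pid=N,fd=M))
        pid = substr($6, RSTART + 4, RLENGTH - 4)
        print pid, port, addr
    }'
}

# exposed_executor_ports: keep only listeners bound to all interfaces
# (IPv4 wildcard, "*", or the IPv6 any-address), print their ports.
exposed_executor_ports() {
    executor_listeners | awk '$3 == "0.0.0.0" || $3 == "*" || $3 == "[::]" { print $2 }'
}

# count_exposed: number of externally reachable executor ports in the sample,
# suitable as a pass/fail value in a host compliance check.
count_exposed() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | exposed_executor_ports | wc -l | tr -d ' '
}

# On a live agent:  ss -ltnp | exposed_executor_ports
printf '%s\n' "$SAMPLE_SS_OUTPUT" | executor_listeners
echo "executor ports reachable from outside the host: $(count_exposed)"
```

Ports that appear only with an internal bind address (10.0.0.5 in the sample) are still reachable from the cluster network, so the firewall Alexander recommends is still needed; this check only tells you which executor ports a scan from outside the host will see.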