You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mesos.apache.org by mp...@apache.org on 2016/02/23 05:13:51 UTC
svn commit: r1731785 [1/3] - in /mesos/site/publish: ./ blog/ documentation/
documentation/authentication/ documentation/authorization/
documentation/configuration/ documentation/fetcher/
documentation/getting-started/ documentation/high-availability-f...
Author: mpark
Date: Tue Feb 23 04:13:50 2016
New Revision: 1731785
URL: http://svn.apache.org/viewvc?rev=1731785&view=rev
Log:
Updated the website for 0.27.1 release.
Modified:
mesos/site/publish/blog/feed.xml
mesos/site/publish/blog/index.html
mesos/site/publish/documentation/authentication/index.html
mesos/site/publish/documentation/authorization/index.html
mesos/site/publish/documentation/configuration/index.html
mesos/site/publish/documentation/fetcher/index.html
mesos/site/publish/documentation/getting-started/index.html
mesos/site/publish/documentation/high-availability-framework-guide/index.html
mesos/site/publish/documentation/index.html
mesos/site/publish/documentation/latest/authentication/index.html
mesos/site/publish/documentation/latest/authorization/index.html
mesos/site/publish/documentation/latest/configuration/index.html
mesos/site/publish/documentation/latest/endpoints/master/create-volumes/index.html
mesos/site/publish/documentation/latest/endpoints/master/destroy-volumes/index.html
mesos/site/publish/documentation/latest/endpoints/master/reserve/index.html
mesos/site/publish/documentation/latest/endpoints/master/state.json/index.html
mesos/site/publish/documentation/latest/endpoints/master/state/index.html
mesos/site/publish/documentation/latest/endpoints/master/unreserve/index.html
mesos/site/publish/documentation/latest/endpoints/slave/state.json/index.html
mesos/site/publish/documentation/latest/endpoints/slave/state/index.html
mesos/site/publish/documentation/latest/fetcher/index.html
mesos/site/publish/documentation/latest/getting-started/index.html
mesos/site/publish/documentation/latest/high-availability-framework-guide/index.html
mesos/site/publish/documentation/latest/index.html
mesos/site/publish/documentation/latest/maintenance/index.html
mesos/site/publish/documentation/latest/network-monitoring/index.html
mesos/site/publish/documentation/latest/operational-guide/index.html
mesos/site/publish/documentation/latest/persistent-volume/index.html
mesos/site/publish/documentation/latest/presentations/index.html
mesos/site/publish/documentation/latest/release-guide/index.html
mesos/site/publish/documentation/latest/reservation/index.html
mesos/site/publish/documentation/latest/roles/index.html
mesos/site/publish/documentation/maintenance/index.html
mesos/site/publish/documentation/network-monitoring/index.html
mesos/site/publish/documentation/operational-guide/index.html
mesos/site/publish/documentation/persistent-volume/index.html
mesos/site/publish/documentation/presentations/index.html
mesos/site/publish/documentation/release-guide/index.html
mesos/site/publish/documentation/reservation/index.html
mesos/site/publish/documentation/roles/index.html
mesos/site/publish/downloads/index.html
mesos/site/publish/gettingstarted/index.html
mesos/site/publish/index.html
mesos/site/publish/sitemap.xml
Modified: mesos/site/publish/blog/feed.xml
URL: http://svn.apache.org/viewvc/mesos/site/publish/blog/feed.xml?rev=1731785&r1=1731784&r2=1731785&view=diff
==============================================================================
--- mesos/site/publish/blog/feed.xml (original)
+++ mesos/site/publish/blog/feed.xml Tue Feb 23 04:13:50 2016
@@ -4,7 +4,91 @@
<id>http://mesos.apache.org/blog</id>
<link href="http://mesos.apache.org/blog" />
<link href="http://mesos.apache.org/blog/feed.xml" rel="self"/>
- <updated>2016-02-02T00:00:00Z</updated>
+ <updated>2016-02-22T00:00:00Z</updated>
+
+ <entry>
+ <id>http://mesos.apache.org/blog/mesos-0-27-1-released/</id>
+ <link href="/blog/mesos-0-27-1-released/" />
+ <title>
+ Apache Mesos 0.27.1 Released
+ </title>
+ <updated>2016-02-22T00:00:00Z</updated>
+ <author>
+ <name>Michael Park</name>
+ </author>
+ <content type="html">
+ <p>The latest Mesos release, 0.27.1, is now available for <a href="http://mesos.apache.org/downloads">download</a>.
+This release includes fixes and improvements for: reconnection logic for Zookeeper client, <code>/state</code> endpoint and <code>systemd</code> integration.</p>
+
+<ul>
+<li><a href="https://issues.apache.org/jira/browse/MESOS-4546">MESOS-4546</a> - Mesos Agents needs to re-resolve hosts in zk string on leader change / failure to connect.</li>
+<li><a href="https://issues.apache.org/jira/browse/MESOS-4582">MESOS-4582</a> - state.json serving duplicate &ldquo;active&rdquo; fields.</li>
+<li><a href="https://issues.apache.org/jira/browse/MESOS-3007">MESOS-3007</a> - Support systemd with Mesos.</li>
+</ul>
+
+
+<p>Full release notes are available in the release <a href="https://git-wip-us.apache.org/repos/asf?p=mesos.git;a=blob_plain;f=CHANGELOG;hb=0.27.1">CHANGELOG</a>.</p>
+
+<h3>Upgrades</h3>
+
+<p>Rolling upgrades from a Mesos 0.27.0 cluster to Mesos 0.27.1 are straightforward.
+Please refer to the <a href="http://mesos.apache.org/documentation/latest/upgrades/">upgrade guide</a> for detailed information on upgrading to Mesos 0.27.1.</p>
+
+<h3>Try it out</h3>
+
+<p>We encourage you to try out this release and let us know what you think.
+If you run into any issues, please let us know on the <a href="https://mesos.apache.org/community">user mailing list and IRC</a>.</p>
+
+<h3>Thanks!</h3>
+
+<p>Thanks to the 8 contributors who made 0.27.1 possible:</p>
+
+<p>Jie Yu, Joerg Shad, Joris Van Remoortere, Joseph Wu, Kapil Arya, Michael Park, Neil Conway, Shuai Lin</p>
+
+ </content>
+ </entry>
+
+ <entry>
+ <id>http://mesos.apache.org/blog/mesoscon-2016-cfp-is-now-open/</id>
+ <link href="/blog/mesoscon-2016-cfp-is-now-open/" />
+ <title>
+ MesosCon 2016 CFP is now open!
+ </title>
+ <updated>2016-02-12T00:00:00Z</updated>
+ <author>
+ <name>Michael Park</name>
+ </author>
+ <content type="html">
+ <p>MesosCon North America 2016 will be held in Denver, CO on June 1-2, 2016.</p>
+
+<p>Talk submissions, sponsorship opportunities, and early-bird registration are now open for the conference.</p>
+
+<h2>Speak at MesosCon</h2>
+
+<p>Several formats are being accepted for speaking proposals, including:
+Presentations, Panels, Keynotes and Lightning Talks.
+Submissions are being accepted through <strong>March 9, 2016</strong>.</p>
+
+<p>You can take a look at <a href="https://www.youtube.com/playlist?list=PLVjgeV_avap2arug3vIz8c6l72rvh9poV">MesosCon 2015 list of talks</a>
+for ideas. If you&rsquo;re unsure about your proposal, or want some feedback or advice in general,
+please don&rsquo;t hesitate to reach out to the <a href="https://mail-archives.apache.org/mod_mbox/mesos-dev">mesos-dev</a> mailing list.
+We&rsquo;ll be happy to help out! Further details are available on the <a href="http://events.linuxfoundation.org/events/mesoscon/program/cfp">CFP website</a>.</p>
+
+<p>All submissions for MesosCon North America will also be considered for the upcoming MesosCon Europe and China events (details to be announced shortly).</p>
+
+<h2>Sponsor MesosCon</h2>
+
+<p>The <a href="http://events.linuxfoundation.org/events/mesoscon/sponsors">sponsorship prospectus for MesosCon</a> is now available,
+including several opportunities with limited availability.</p>
+
+<h2>Attend MesosCon</h2>
+
+<p><a href="http://events.linuxfoundation.org/events/mesoscon/attend/register">Early-Bird registration</a> is open through April 22nd!</p>
+
+<p>We look forward to seeing you at MesosCon North America, as well as MesosCon Europe and MesosCon China taking place later this year!</p>
+
+ </content>
+ </entry>
<entry>
<id>http://mesos.apache.org/blog/mesos-0-27-0-released/</id>
Modified: mesos/site/publish/blog/index.html
URL: http://svn.apache.org/viewvc/mesos/site/publish/blog/index.html?rev=1731785&r1=1731784&r2=1731785&view=diff
==============================================================================
--- mesos/site/publish/blog/index.html (original)
+++ mesos/site/publish/blog/index.html Tue Feb 23 04:13:50 2016
@@ -76,6 +76,16 @@
<div class="col-md-9">
<article>
+ <h2><a href="/blog/mesos-0-27-1-released/">Apache Mesos 0.27.1 Released</a></h2>
+ <p><em>Posted by Michael Park, February 22, 2016</em></p>
+ </article>
+
+ <article>
+ <h2><a href="/blog/mesoscon-2016-cfp-is-now-open/">MesosCon 2016 CFP is now open!</a></h2>
+ <p><em>Posted by Michael Park, February 12, 2016</em></p>
+ </article>
+
+ <article>
<h2><a href="/blog/mesos-0-27-0-released/">Apache Mesos 0.27.0 Released</a></h2>
<p><em>Posted by Kapil Arya, February 2, 2016</em></p>
</article>
Modified: mesos/site/publish/documentation/authentication/index.html
URL: http://svn.apache.org/viewvc/mesos/site/publish/documentation/authentication/index.html?rev=1731785&r1=1731784&r2=1731785&view=diff
==============================================================================
--- mesos/site/publish/documentation/authentication/index.html (original)
+++ mesos/site/publish/documentation/authentication/index.html Tue Feb 23 04:13:50 2016
@@ -83,66 +83,116 @@
<div class="col-md-8">
<h1>Authentication</h1>
-<p>Mesos 0.15.0 added support for framework authentication, and 0.19.0 added slave authentication. Authentication permits only trusted entities to interact with the Mesos cluster.</p>
-
-<p>Authentication is used by Mesos in three ways:</p>
+<p>Authentication permits only trusted entities to interact with a Mesos cluster. Authentication is used by Mesos in three ways:</p>
<ol>
-<li>Require that frameworks must be authenticated in order to register with the master.</li>
-<li>Require that slaves must be authenticated in order to offer resources to the master.</li>
-<li>To restrict access to the /teardown endpoint.</li>
+<li>To require that frameworks be authenticated in order to register with the master.</li>
+<li>To require that slaves be authenticated in order to register with the master.</li>
+<li>To require that operators be authenticated to use certain <a href="/documentation/latest/./endpoints/">HTTP endpoints</a>, such as <code>/teardown</code>.</li>
</ol>
-<h2>How Does It Work?</h2>
-
-<p>Mesos uses the <a href="http://asg.web.cmu.edu/sasl/">Cyrus SASL library</a> to implement authentication. SASL is a very flexible authentication framework that allows two endpoints to authenticate with each other and also has support for various authentication mechanisms (ANONYMOUS, PLAIN, CRAM-MD5, GSSAPI etc). Currently, Mesos provides support for CRAM-MD5 authentication, but users can provide their own authentication modules. CRAM-MD5 makes use of a <strong>principal</strong> and <strong>secret</strong> pair, with the principal representing the framework’s identity. Note that this is different from the framework <em>user</em>, which is the account used by the executor to run tasks, and the <em>role</em> which is used to determine what resources frameworks can use.</p>
+<p>Authentication is disabled by default. When authentication is enabled, operators
+can configure Mesos to either use the default authentication module or to use a
+<em>custom</em> authentication module.</p>
+
+<p>The default Mesos authentication module uses the
+<a href="http://asg.web.cmu.edu/sasl/">Cyrus SASL</a> library. SASL is a flexible
+framework that allows two endpoints to authenticate with each other using a
+variety of methods. By default, Mesos uses
+<a href="https://en.wikipedia.org/wiki/CRAM-MD5">CRAM-MD5</a> authentication.</p>
+
+<h2>Credentials, Principals, and Secrets</h2>
+
+<p>When using the default CRAM-MD5 authentication method, an entity that wants to
+authenticate with Mesos must provide a <em>credential</em>, which consists of a
+<em>principal</em> and a <em>secret</em>. The principal is the identity that the entity would
+like to use; the secret is an arbitrary string that is used to verify that
+identity. Principals are similar to user names, while secrets are similar to
+passwords.</p>
+
+<p>Principals are used primarily for authentication and
+<a href="/documentation/latest/./authorization/">authorization</a>; note that a principal is different from a
+framework’s <em>user</em>, which is the operating system account used by the slave to
+run executors, and a framework’s <em><a href="/documentation/latest/./roles/">role</a></em>, which is used to determine
+which resources a framework can use.</p>
<h2>Configuration</h2>
-<p>The <a href="/documentation/latest/./configuration/">configuration options</a> that are used by the authentication mechanism are as follows:</p>
+<p>Authentication is configured by specifying command-line flags when starting the
+Mesos master and slave processes. For more information, refer to the
+<a href="/documentation/latest/./configuration/">configuration</a> documentation.</p>
-<h3>Masters</h3>
+<h3>Master</h3>
<ul>
-<li>–[no-]authenticate - If authenticate is ‘true’ only authenticated frameworks are allowed to register. If ‘false’ unauthenticated frameworks are also allowed to register.</li>
-<li>–[no-]authenticate_slaves - If ‘true’ only authenticated slaves are allowed to register. If ‘false’ unauthenticated slaves are also allowed to register.</li>
-<li>–authenticators - Specifies which authenticator module to use. The default is crammd5, but additional modules can be added with the –modules option.</li>
-<li>–credentials - The path to the text file which contains a list (either plain text or JSON) of accepted credentials. This may be optional depending on the authenticator being used. However, if specified, the credentials will be valid for the /teardown endpoint regardless of which authenticator is used.</li>
+<li><p><code>--[no-]authenticate</code> - If <code>true</code>, only authenticated frameworks are allowed
+to register. If <code>false</code> (the default), unauthenticated frameworks are also
+allowed to register.</p></li>
+<li><p><code>--[no-]authenticate_http</code> - If <code>true</code>, authentication is required to make
+HTTP requests to the HTTP endpoints that support authentication. If <code>false</code>
+(the default), all endpoints can be used without authentication.</p></li>
+<li><p><code>--[no-]authenticate_slaves</code> - If <code>true</code>, only authenticated slaves are
+allowed to register. If <code>false</code> (the default), unauthenticated slaves are also
+allowed to register.</p></li>
+<li><p><code>--authenticators</code> - Specifies which authenticator module to use. The default
+is <code>crammd5</code>, but additional modules can be added using the <code>--modules</code>
+option.</p></li>
+<li><p><code>--credentials</code> - The path to a text file which contains a list (in plaintext
+or JSON format) of accepted credentials. This may be optional depending on
+the authenticator being used.</p></li>
</ul>
-<h3>Slaves</h3>
+<h3>Slave</h3>
<ul>
-<li>–authenticatee - Analog to the master –authenticators option to specify what module to use. Defaults to crammd5.</li>
-<li>–credential - Just like the master –credentials option, except only one credential is allowed, since this credential is used to identify the slave to the master.</li>
+<li><p><code>--authenticatee</code> - Analog to the master’s <code>--authenticators</code> option to
+specify what module to use. Defaults to <code>crammd5</code>.</p></li>
+<li><p><code>--credential</code> - Just like the master’s <code>--credentials</code> option except that
+only one credential is allowed. This credential is used to identify the slave
+to the master.</p></li>
</ul>
+<h3>Framework</h3>
+
+<p>If framework authentication is enabled, each framework must be configured to
+supply authentication credentials when registering with the Mesos master. How to
+configure this differs between frameworks; consult your framework’s
+documentation for more information.</p>
+
+<p>As a framework developer, supporting authentication is straightforward: the
+scheduler driver handles the details of authentication when a <code>Credential</code>
+object is passed to its constructor. To enable <a href="/documentation/latest/./authorization/">authorization</a>
+based on the authenticated principal, the framework developer should also copy
+the <code>Credential.principal</code> into <code>FrameworkInfo.principal</code> when registering.</p>
+
<h2>CRAM-MD5 Example</h2>
<ol>
-<li><p>First, create a credentials file for the masters, the contents of which should look like this:</p>
+<li><p>Create the master’s credentials file with the following content:</p>
<pre><code> principal1 secret1
principal2 secret2
</code></pre></li>
-<li><p>Now, start the master process using your credentials file (assuming the file is ~/credentials):</p>
+<li><p>Start the master using the credentials file (assuming the file is <code>~/credentials</code>):</p>
<pre><code> ./bin/mesos-master.sh --ip=127.0.0.1 --work_dir=/var/lib/mesos --authenticate --authenticate_slaves --credentials=~/credentials
</code></pre></li>
-<li><p>Now create another file with a single credential in it (~/slave_credential):</p>
+<li><p>Create another file with a single credential in it (<code>~/slave_credential</code>):</p>
<pre><code> principal1 secret1
</code></pre></li>
-<li><p>That file will be used to identify the slave process. Start the slave:</p>
+<li><p>Start the slave:</p>
-<pre><code>./bin/mesos-slave.sh --master=127.0.0.1:5050 --credential=~/slave_credential
+<pre><code> ./bin/mesos-slave.sh --master=127.0.0.1:5050 --credential=~/slave_credential
</code></pre></li>
-<li><p>Your new slave should have now successfully authenticated with the master. With these settings, any framework that you’d like to use must also authenticate against the Mesos master. The method of configuring framework authentication may vary by framework, but is simple to implement as the scheduler driver will handle authentication when a Credential object is passed to its constructor. You can test out framework authentication using the test framework provided with Mesos as follows:</p>
+<li><p>Your new slave should have now successfully authenticated with the master.</p></li>
+<li><p>You can test out framework authentication using one of the test frameworks
+provided with Mesos as follows:</p>
-<pre><code>MESOS_AUTHENTICATE=true DEFAULT_PRINCIPAL=principal2 DEFAULT_SECRET=secret2 ./src/test-framework --master=127.0.0.1:5050
+<pre><code> MESOS_AUTHENTICATE=true DEFAULT_PRINCIPAL=principal2 DEFAULT_SECRET=secret2 ./src/test-framework --master=127.0.0.1:5050
</code></pre></li>
</ol>
Modified: mesos/site/publish/documentation/authorization/index.html
URL: http://svn.apache.org/viewvc/mesos/site/publish/documentation/authorization/index.html?rev=1731785&r1=1731784&r2=1731785&view=diff
==============================================================================
--- mesos/site/publish/documentation/authorization/index.html (original)
+++ mesos/site/publish/documentation/authorization/index.html Tue Feb 23 04:13:50 2016
@@ -165,12 +165,28 @@
</ol>
+<h2>Role vs. Principal</h2>
+
+<p>A principal identifies an entity (i.e., a framework or an operator) that interacts with Mesos. A role, on the other hand, is used to associate resources with frameworks in various ways. A useful, if not entirely precise, analogy can be made with user management in the Unix world: principals correspond to usernames, while roles approximately correspond to groups. For more information about roles, see the <a href="/documentation/latest/./roles/">role documentation</a>.</p>
+
+<p>In a real-world organization, principals and roles might be used to represent various individuals or groups; for example, principals could correspond to people responsible for particular frameworks, while roles could correspond to departments within the organization which run frameworks on the cluster. To illustrate this point, consider a company that wants to allocate datacenter resources amongst multiple departments, one of which is the accounting department. Here is a possible scenario in which the accounting department launches a Mesos framework and then attempts to destroy a persistent volume:</p>
+
+<ul>
+<li>An accountant launches their framework, which authenticates with the Mesos master using its <code>principal</code> and <code>secret</code>. Here, let the framework principal be <code>payroll-framework</code>; this principal represents the trusted identity of the framework.</li>
+<li>The framework now sends a registration message to the master. This message includes a <code>FrameworkInfo</code> object containing a <code>principal</code> and a <code>role</code>; in this case, it will use the role <code>accounting</code>. The principal in this message must be <code>payroll-framework</code>, to match the one used by the framework for authentication.</li>
+<li>The master looks through its ACLs to see if it has a <code>RegisterFramework</code> ACL which authorizes the principal <code>payroll-framework</code> to register with the <code>accounting</code> role. It does find such an ACL, so the framework registers successfully. Now that the framework belongs to the <code>accounting</code> role, any <a href="/documentation/latest/./roles/">weights</a>, <a href="/documentation/latest/./reservation/">reservations</a>, <a href="/documentation/latest/./persistent-volume/">persistent volumes</a>, or <a href="/documentation/latest/./quota/">quota</a> associated with the accounting department’s role will apply. This allows operators to control the resource consumption of this department.</li>
+<li>Suppose the framework has created a persistent volume on a slave which it now wishes to destroy. The framework sends an <code>ACCEPT</code> call containing an offer operation which will <code>DESTROY</code> the persistent volume.</li>
+<li>However, datacenter operators have decided that they don’t want the accounting frameworks to delete volumes. Rather, the operators will manually remove the accounting department’s persistent volumes to ensure that no important financial data is deleted accidentally. To accomplish this, they have set a <code>DestroyVolume</code> ACL which asserts that the principal <code>payroll-framework</code> can destroy volumes created by a <code>creator_principal</code> of <code>NONE</code>; in other words, this framework cannot destroy persistent volumes, so the operation will be refused.</li>
+</ul>
+
+
<h2>Examples</h2>
<ol>
-<li><p>Frameworks <code>foo</code> and <code>bar</code> can run tasks as user <code>alice</code>.</p>
+<li><p>Principals <code>foo</code> and <code>bar</code> can run tasks as the agent operating system user <code>alice</code> and no other user. No other principals can run tasks.</p>
<pre><code> {
+ "permissive": false,
"run_tasks": [
{
"principals": { "values": ["foo", "bar"] },
@@ -179,44 +195,45 @@
]
}
</code></pre></li>
-<li><p>Any framework can run tasks as user <code>guest</code>.</p>
+<li><p>Principal <code>foo</code> can run tasks only as the agent operating system user <code>guest</code> and no other user. Any other principal (or framework without a principal) can run tasks as any user.</p>
<pre><code> {
"run_tasks": [
{
- "principals": { "type": "ANY" },
+ "principals": { "values": ["foo"] },
"users": { "values": ["guest"] }
+ },
+ {
+ "principals": { "values": ["foo"] },
+ "users": { "type": "NONE" }
}
]
}
</code></pre></li>
-<li><p>No framework can run tasks as <code>root</code>.</p>
+<li><p>Any principal can run tasks as the agent operating system user <code>guest</code>. Tasks cannot be run as any other user.</p>
<pre><code> {
+ "permissive": false,
"run_tasks": [
{
- "principals": { "type": "NONE" },
- "users": { "values": ["root"] }
+ "principals": { "type": "ANY" },
+ "users": { "values": ["guest"] }
}
]
}
</code></pre></li>
-<li><p>Framework <code>foo</code> can run tasks only as user <code>guest</code> and no other user.</p>
+<li><p>No principal can run tasks as the agent operating system user <code>root</code>. Any principal (or framework without a principal) can run tasks as any other user.</p>
<pre><code> {
"run_tasks": [
{
- "principals": { "values": ["foo"] },
- "users": { "values": ["guest"] }
- },
- {
- "principals": { "values": ["foo"] },
- "users": { "type": "NONE" }
+ "principals": { "type": "NONE" },
+ "users": { "values": ["root"] }
}
]
}
</code></pre></li>
-<li><p>Framework <code>foo</code> can register with the <code>analytics</code> and <code>ads</code> roles.</p>
+<li><p>Principal <code>foo</code> can register frameworks with the <code>analytics</code> and <code>ads</code> roles and no other role. Any other principal (or framework without a principal) can register frameworks with any role.</p>
<pre><code> {
"register_frameworks": [
@@ -227,11 +244,19 @@
"roles": {
"values": ["analytics", "ads"]
}
+ },
+ {
+ "principals": {
+ "values": ["foo"]
+ },
+ "roles": {
+ "type": "NONE"
+ }
}
]
}
</code></pre></li>
-<li><p>Only framework <code>foo</code> and no one else can register with the <code>analytics</code> role.</p>
+<li><p>Only principal <code>foo</code> and no one else can register frameworks with the <code>analytics</code> role. Any other principal (or framework without a principal) can register frameworks with any other role.</p>
<pre><code> {
"register_frameworks": [
@@ -254,7 +279,7 @@
]
}
</code></pre></li>
-<li><p>Framework <code>foo</code> can only register with the <code>analytics</code> role but no other roles. Also, no other framework can register with any roles or run tasks.</p>
+<li><p>Principal <code>foo</code> can register frameworks with the <code>analytics</code> role and no other role. No other principal can register frameworks with any role, including <code>*</code>.</p>
<pre><code> {
"permissive": false,
@@ -270,7 +295,7 @@
]
}
</code></pre></li>
-<li><p>The <code>ops</code> principal can teardown any framework using the “/teardown” HTTP endpoint. No other framework can register with any roles or run tasks.</p>
+<li><p>The <code>ops</code> principal can teardown any framework using the “/teardown” HTTP endpoint. No other principal can teardown any frameworks.</p>
<pre><code> {
"permissive": false,
@@ -286,6 +311,149 @@
]
}
</code></pre></li>
+<li><p>The principal <code>foo</code> can reserve any resources, and no other principal can reserve resources.</p>
+
+<pre><code> {
+ "permissive": false,
+ "reserve_resources": [
+ {
+ "principals": {
+ "values": ["foo"]
+ },
+ "resources": {
+ "type": "ANY"
+ }
+ }
+ ]
+ }
+</code></pre></li>
+<li><p>The principal <code>foo</code> cannot reserve any resources, and any other principal (or framework without a principal) can reserve resources.</p>
+
+<pre><code>{
+ "reserve_resources": [
+ {
+ "principals": {
+ "values": ["foo"]
+ },
+ "resources": {
+ "type": "NONE"
+ }
+ }
+ ]
+}
+</code></pre></li>
+<li><p>The principal <code>foo</code> can unreserve resources reserved by itself and by the principal <code>bar</code>. The principal <code>bar</code>, however, can only unreserve its own resources. No other principals can unreserve resources.</p>
+
+<pre><code>{
+ "permissive": false,
+ "unreserve_resources": [
+ {
+ "principals": {
+ "values": ["foo"]
+ },
+ "reserver_principals": {
+ "values": ["foo", "bar"]
+ }
+ },
+ {
+ "principals": {
+ "values": ["bar"]
+ },
+ "reserver_principals": {
+ "values": ["bar"]
+ }
+ }
+ ]
+}
+</code></pre></li>
+<li><p>The principal <code>foo</code> can create persistent volumes, and no other principal can create persistent volumes.</p>
+
+<pre><code>{
+ "permissive": false,
+ "create_volumes": [
+ {
+ "principals": {
+ "values": ["foo"]
+ },
+ "volume_types": {
+ "type": "ANY"
+ }
+ }
+ ]
+}
+</code></pre></li>
+<li><p>The principal <code>foo</code> can destroy volumes created by itself and by the principal <code>bar</code>. The principal <code>bar</code>, however, can only destroy its own volumes. No other principals can destroy volumes.</p>
+
+<pre><code>{
+ "permissive": false,
+ "destroy_volumes": [
+ {
+ "principals": {
+ "values": ["foo"]
+ },
+ "creator_principals": {
+ "values": ["foo", "bar"]
+ }
+ },
+ {
+ "principals": {
+ "values": ["bar"]
+ },
+ "creator_principals": {
+ "values": ["bar"]
+ }
+ }
+ ]
+}
+</code></pre></li>
+<li><p>The principal <code>ops</code> can set quota for any role. The principal <code>foo</code>, however, can only set quota for <code>foo-role</code>. No other principals can set quota.</p>
+
+<pre><code>{
+ "permissive": false,
+ "set_quotas": [
+ {
+ "principals": {
+ "values": ["ops"]
+ },
+ "roles": {
+ "type": "ANY"
+ }
+ },
+ {
+ "principals": {
+ "values": ["foo"]
+ },
+ "roles": {
+ "values": ["foo-role"]
+ }
+ }
+ ]
+}
+</code></pre></li>
+<li><p>The principal <code>ops</code> can remove quota which was set by any principal. The principal <code>foo</code>, however, can only remove quota which was set by itself. No other principals can remove quota.</p>
+
+<pre><code>{
+ "permissive": false,
+ "remove_quotas": [
+ {
+ "principals": {
+ "values": ["ops"]
+ },
+ "quota_principals": {
+ "type": "ANY"
+ }
+ },
+ {
+ "principals": {
+ "values": ["foo"]
+ },
+ "quota_principals": {
+ "values": ["foo"]
+ }
+ }
+ ]
+}
+</code></pre></li>
</ol>
Modified: mesos/site/publish/documentation/configuration/index.html
URL: http://svn.apache.org/viewvc/mesos/site/publish/documentation/configuration/index.html?rev=1731785&r1=1731784&r2=1731785&view=diff
==============================================================================
--- mesos/site/publish/documentation/configuration/index.html (original)
+++ mesos/site/publish/documentation/configuration/index.html Tue Feb 23 04:13:50 2016
@@ -630,8 +630,8 @@ Currently there is no support for multip
--[no-]log_auto_initialize
</td>
<td>
-Whether to automatically initialize the replicated log used for the
-registry. If this is set to false, the log has to be manually
+Whether to automatically initialize the [replicated log](/documentation/latest/./replicated-log-internals/)
+used for the registry. If this is set to false, the log has to be manually
initialized when used for the very first time. (default: true)
</td>
</tr>
@@ -1002,6 +1002,15 @@ swap instead of just memory. (default: f
</tr>
<tr>
<td>
+ --cgroups_net_cls_primary_handle
+ </td>
+ <td>
+A non-zero, 16-bit handle of the form `0xAAAA`. This will be used as
+the primary handle for the net_cls cgroup.
+ </td>
+</tr>
+<tr>
+ <td>
--cgroups_root=VALUE
</td>
<td>
@@ -1180,7 +1189,7 @@ Timeout in seconds for pulling images fr
<td>
The default url for pulling Docker images. It could either be a Docker
registry server url (i.e: <code>https://registry.docker.io</code>), or a local
-path (i.e: <code>file:///tmp/docker/images</code>) in which Docker image archives
+path (i.e: <code>/tmp/docker/images</code>) in which Docker image archives
(result of <code>docker save</code>) are stored. (default: https://registry-1.docker.io)
</td>
</tr>
@@ -1585,6 +1594,18 @@ therefore the flag currently does not ex
</tr>
<tr>
<td>
+ --[no-]systemd_enable_support
+ </td>
+ <td>
+Top level control of systemd support. When enabled, features such as
+executor life-time extension are enabled unless there is an explicit
+flag to disable these (see other flags). This should be enabled when
+the agent is launched as a systemd unit.
+(default: true)
+ </td>
+</tr>
+<tr>
+ <td>
--systemd_runtime_directory=VALUE
</td>
<td>
@@ -1700,6 +1721,16 @@ each container. This flag is used for th
isolator. (default: false)
</td>
</tr>
+<tr>
+ <td>
+ --[no-]network_enable_snmp_statistics
+ </td>
+ <td>
+Whether to collect SNMP statistics details (e.g., TCPRetransSegs) for
+each container. This flag is used for the 'network/port_mapping'
+isolator. (default: false)
+ </td>
+</tr>
</table>
Modified: mesos/site/publish/documentation/fetcher/index.html
URL: http://svn.apache.org/viewvc/mesos/site/publish/documentation/fetcher/index.html?rev=1731785&r1=1731784&r2=1731785&view=diff
==============================================================================
--- mesos/site/publish/documentation/fetcher/index.html (original)
+++ mesos/site/publish/documentation/fetcher/index.html Tue Feb 23 04:13:50 2016
@@ -290,7 +290,7 @@ unspecified. Do not use any cache featur
doubts!</p>
<p>To mitigate this problem, cache files that have been found to be larger than
-expected are deleted immediately after downloading and and delivering the
+expected are deleted immediately after downloading and delivering the
requested content to the sandbox. Thus exceeding total capacity at least
does not accumulate over subsequent fetcher runs.</p>
Modified: mesos/site/publish/documentation/getting-started/index.html
URL: http://svn.apache.org/viewvc/mesos/site/publish/documentation/getting-started/index.html?rev=1731785&r1=1731784&r2=1731785&view=diff
==============================================================================
--- mesos/site/publish/documentation/getting-started/index.html (original)
+++ mesos/site/publish/documentation/getting-started/index.html Tue Feb 23 04:13:50 2016
@@ -89,8 +89,8 @@
<p>1. Download the latest stable release from <a href="http://mesos.apache.org/downloads/">Apache</a> (<strong><em>Recommended</em></strong>)</p>
-<pre><code>$ wget http://www.apache.org/dist/mesos/0.27.0/mesos-0.27.0.tar.gz
-$ tar -zxf mesos-0.27.0.tar.gz
+<pre><code>$ wget http://www.apache.org/dist/mesos/0.27.1/mesos-0.27.1.tar.gz
+$ tar -zxf mesos-0.27.1.tar.gz
</code></pre>
<p>2. Clone the Mesos git <a href="https://git-wip-us.apache.org/repos/asf/mesos.git">repository</a> (<strong><em>Advanced Users Only</em></strong>)</p>
Modified: mesos/site/publish/documentation/high-availability-framework-guide/index.html
URL: http://svn.apache.org/viewvc/mesos/site/publish/documentation/high-availability-framework-guide/index.html?rev=1731785&r1=1731784&r2=1731785&view=diff
==============================================================================
--- mesos/site/publish/documentation/high-availability-framework-guide/index.html (original)
+++ mesos/site/publish/documentation/high-availability-framework-guide/index.html Tue Feb 23 04:13:50 2016
@@ -138,9 +138,9 @@ might see a status update for the first
action. Scheduler authors should be aware of this possibility and program
accordingly.</p></li>
<li><p>Mesos actually provides ordered (but unreliable) message delivery between
-any two pair of processes: for example, if a framework sends messages M1 and
-M2 to the master, the master might receive no messages, just M1, just M2, or
-M1 followed by M2 – it will <em>not</em> receive M2 followed by M1.</p></li>
+any pair of processes: for example, if a framework sends messages M1 and M2
+to the master, the master might receive no messages, just M1, just M2, or M1
+followed by M2 – it will <em>not</em> receive M2 followed by M1.</p></li>
<li><p>As a convenience for framework authors, Mesos provides reliable delivery of
task status updates. The agent persists task status updates to disk and then
forwards them to the master. The master sends status updates to the
@@ -191,8 +191,22 @@ coordination service like <a href="https
or <a href="https://github.com/coreos/etcd">etcd</a>. Consult the documentation of the
coordination system you are using for more information on how to correctly
implement leader election.</p></li>
-<li><p>After electing a new leading scheduler, the new leader needs to ensure that
-its local state is consistent with the current state of the cluster. For
+<li><p>After electing a new leading scheduler, the new leader should reconnect to
+the Mesos master. When registering with the master, the framework should set
+the <code>id</code> field in its <code>FrameworkInfo</code> to the ID that was assigned to the
+failed scheduler instance. This ensures that the master will recognize that
+the connection does not start a new session, but rather continues (and
+replaces) the session used by the failed scheduler instance.</p>
+
+<blockquote><p>NOTE: When the old scheduler leader disconnects from the master, by default
+ the master will immediately kill all the tasks and executors associated with
+ the failed framework. For a typical production framework, this default
+ behavior is very undesirable! To avoid this, highly available frameworks
+ should set the <code>failover_timeout</code> field in their <code>FrameworkInfo</code> to a
+ generous value. To avoid accidental destruction of tasks in production
+ environments, many frameworks use a <code>failover_timeout</code> of 1 week or more.</p></blockquote></li>
+<li><p>After connecting to the Mesos master, the new leading scheduler should ensure
+that its local state is consistent with the current state of the cluster. For
example, suppose that the previous leading scheduler attempted to launch a
new task and then immediately failed. The task might have launched
successfully, at which point the newly elected leader will begin to receive
@@ -201,7 +215,7 @@ strongly consistent distributed data sto
and pending tasks. In fact, the same coordination service that is used for
leader election (such as ZooKeeper or etcd) can often be used for this
purpose. Some Mesos frameworks (such as Apache Aurora) use the Mesos
-replicated log for this purpose.</p>
+<a href="/documentation/latest/./replicated-log-internals/">replicated log</a> for this purpose.</p>
<ul>
<li><p>The data store should be used to record the actions that the scheduler
@@ -293,63 +307,76 @@ in the task specification.</li>
<h2>Dealing with Partitioned or Failed Agents</h2>
-<p>The Mesos master keeps track of the availability and health of the registered agents
-by 2 different mechanisms.</p>
+<p>The Mesos master tracks the availability and health of the registered agents
+using two different mechanisms:</p>
-<p> 1) State of a persistent TCP connection to the agent.</p>
+<ol>
+<li><p>The state of a persistent TCP connection between the master and the agent.</p></li>
+<li><p>Health checks via periodic ping messages to the agent which are expected to
+be responded with pongs (this behavior is controlled by the
+<code>--slave_ping_timeout</code> and <code>--max_slave_ping_timeouts</code> master flags).</p></li>
+</ol>
-<p> 2) Health checks via periodic ping messages to the agent which are expected to be responded with pongs
- (this behavior is controlled by the <code>--slave_ping_timeout</code> and <code>--max_slave_ping_timeouts</code> master flags).</p>
-<p>If the persistent TCP connection to the agent breaks or the agent fails health checks, the master decides
-that the agent has failed and takes steps to remove it from the cluster. Specifically:</p>
+<p>If the persistent TCP connection to the agent breaks or the agent fails health
+checks, the master decides that the agent has failed and takes steps to remove
+it from the cluster. Specifically:</p>
<ul>
-<li><p>If the TCP connection breaks, the agent is considered disconnected. The semantics when a registered
-agent gets disconnected are as follows for each framework running on that agent:</p>
+<li><p>If the TCP connection breaks, the agent is considered disconnected. The
+semantics when a registered agent gets disconnected are as follows for each
+framework running on that agent:</p>
<ul>
-<li><p>If the framework is <a href="/documentation/latest/./slave-recovery/">checkpointing</a>: No immediate action is taken. The agent is
-given a chance to reconnect until health checks time out.</p></li>
-<li><p>If the framework is not-checkpointing: All the framework’s tasks and executors are considered lost. Master
-immediately sends <code>TASK_LOST</code> status updates for the tasks. These updates are not delivered reliably to the
-scheduler (see NOTE below). The agent is given a chance to reconnect until health checks timeout.</p></li>
+<li><p>If the framework is <a href="/documentation/latest/./slave-recovery/">checkpointing</a>: no immediate action
+is taken. The agent is given a chance to reconnect until health checks time
+out.</p></li>
+<li><p>If the framework is not checkpointing: all the framework’s tasks and
+executors are considered lost. The master immediately sends <code>TASK_LOST</code>
+status updates for the tasks. These updates are not delivered reliably to
+the scheduler (see NOTE below). The agent is given a chance to reconnect
+until health checks timeout.</p></li>
</ul>
</li>
-<li><p>If the agent fails health checks it is scheduled for removal. The removals can be rate limited by the master
-(see <code>---slave_removal_rate_limit</code> master flag) to avoid removing a slew of slaves at once (e.g., during a
-network partition event).</p></li>
-<li><p>Once it is time to remove an agent, the master marks it as “removed” in the master’s durable state (this
-will survive master failover). If an agent marked as “removed” attempts to reconnect to the
-master (e.g., after network partition is restored), the connection attempt will be refused
-and the agent asked to shutdown. A shutting down agent shuts down all running tasks and executors,
-but any persistent volumes and dynamic reservations are still preserved.</p>
+<li><p>If the agent fails health checks it is scheduled for removal. The removals can
+be rate limited by the master (see <code>---slave_removal_rate_limit</code> master flag)
+to avoid removing a slew of slaves at once (e.g., during a network partition).</p></li>
+<li><p>Once it is time to remove an agent, the master marks it as “removed” in the
+master’s durable state (this will survive master failover). If an agent marked
+as “removed” attempts to reconnect to the master (e.g., after a network
+partition is healed), the connection attempt will be refused and the agent
+will be asked to shutdown. The agent will then shutdown all running tasks and
+executors, but any persistent volumes and dynamic reservations will be
+preserved.</p>
<ul>
<li>To allow the removed agent node to rejoin the cluster, a new <code>mesos-slave</code>
-process can be started. This will ensure the agent receives a new agent ID and register with master
-possibly with previously created persistent volumes and dynamic reservations. In effect, the agent will
-be treated as a newly joined agent.</li>
+process can be started. This will ensure the agent will receive a new agent
+ID. The agent can then register with the master, and can also retain any
+previously created persistent volumes and dynamic reservations. In effect,
+the agent will be treated as a newly joined agent.</li>
</ul>
</li>
-<li><p>For each agent that is marked “removed” the scheduler receives a <code>slaveLost</code> callback and <code>TASK_LOST</code> status
-updates for each task that was running on the agent</p>
-
-<blockquote><p>NOTE: Neither the callback nor the updates are reliably delivered by the master. For example if
- the master or scheduler fails over or there is a network connection issue during the delivery
- of these messages, they will not be resent.</p></blockquote></li>
+<li><p>For each agent that is marked “removed”, the scheduler receives a <code>slaveLost</code>
+callback. The scheduler will also receive <code>TASK_LOST</code> status updates for each
+task that was running on a removed agent.</p>
+
+<blockquote><p>NOTE: Neither the callback nor the updates are reliably delivered by the
+ master. For example, if the master or scheduler fails over or there is a
+ network connectivity issue during the delivery of these messages, they will
+ not be resent.</p></blockquote></li>
</ul>
-<p>Typically, frameworks respond to this situation by scheduling new copies of the
-tasks that were running on the lost agent. This should be done with caution,
-however: it is possible that the lost agent is still alive, but is partitioned
-from the master and is unable to communicate with it. Depending on the nature of
-the network partition, tasks on the agent might still be able to communicate
-with external clients or other hosts in the cluster. Frameworks can take steps
-to prevent this (e.g., by having tasks connect to ZooKeeper and cease operation
-if their ZooKeeper session expires), but Mesos leaves such details to framework
-authors.</p>
+<p>Typically, frameworks respond to failed or partitioned agents by scheduling new
+copies of the tasks that were running on the lost agent. This should be done
+with caution, however: it is possible that the lost agent is still alive, but is
+partitioned from the master and is unable to communicate with it. Depending on
+the nature of the network partition, tasks on the agent might still be able to
+communicate with external clients or other hosts in the cluster. Frameworks can
+take steps to prevent this (e.g., by having tasks connect to ZooKeeper and cease
+operation if their ZooKeeper session expires), but Mesos leaves such details to
+framework authors.</p>
<h2>Dealing with Partitioned or Failed Masters</h2>
@@ -369,14 +396,6 @@ previous leading master has failed and c
framework has successfully reregistered with the new leading master, the
<code>reregistered</code> scheduler callback will be invoked.</p>
-<p>When a highly available framework scheduler initially connects to the master, it
-should set the <code>failover_timeout</code> field in its <code>FrameworkInfo</code>. This specifies
-how long the master will wait for a framework to reconnect after a failover
-before the framework’s state is garbage-collected and any running tasks
-associated with the framework are killed. It is recommended that frameworks set
-a generous <code>failover_timeout</code> (e.g., 1 week) to avoid their tasks being killed
-unintentionally.</p>
-
<h3>Agent Reregistration</h3>
<p>During the period after a new master has been elected but before a given agent
Modified: mesos/site/publish/documentation/index.html
URL: http://svn.apache.org/viewvc/mesos/site/publish/documentation/index.html?rev=1731785&r1=1731784&r2=1731785&view=diff
==============================================================================
--- mesos/site/publish/documentation/index.html (original)
+++ mesos/site/publish/documentation/index.html Tue Feb 23 04:13:50 2016
@@ -132,8 +132,10 @@
<li><a href="/documentation/latest/./networking-for-mesos-managed-containers/">Networking for Mesos-managed Containers</a></li>
<li><a href="/documentation/latest/./oversubscription/">Oversubscription</a> for how to configure Mesos to take advantage of unused resources to launch “best-effort” tasks.</li>
<li><a href="/documentation/latest/./persistent-volume/">Persistent Volume</a> for how to allow tasks to access persistent storage resources.</li>
+<li><a href="/documentation/latest/./multiple-disk/">Multiple Disks</a> for how to to allow tasks to use multiple isolated disk resources.</li>
<li><a href="/documentation/latest/./quota/">Quota</a> for how to configure Mesos to provide guaranteed resource allocations for use by a role.</li>
<li><a href="/documentation/latest/./reservation/">Reservation</a> for how operators and frameworks can reserve resources on individual agents for use by a role.</li>
+<li><a href="/documentation/latest/./replicated-log-internals/">Replicated Log</a> for information on the Mesos replicated log.</li>
</ul>
Modified: mesos/site/publish/documentation/latest/authentication/index.html
URL: http://svn.apache.org/viewvc/mesos/site/publish/documentation/latest/authentication/index.html?rev=1731785&r1=1731784&r2=1731785&view=diff
==============================================================================
--- mesos/site/publish/documentation/latest/authentication/index.html (original)
+++ mesos/site/publish/documentation/latest/authentication/index.html Tue Feb 23 04:13:50 2016
@@ -83,66 +83,116 @@
<div class="col-md-8">
<h1>Authentication</h1>
-<p>Mesos 0.15.0 added support for framework authentication, and 0.19.0 added slave authentication. Authentication permits only trusted entities to interact with the Mesos cluster.</p>
-
-<p>Authentication is used by Mesos in three ways:</p>
+<p>Authentication permits only trusted entities to interact with a Mesos cluster. Authentication is used by Mesos in three ways:</p>
<ol>
-<li>Require that frameworks must be authenticated in order to register with the master.</li>
-<li>Require that slaves must be authenticated in order to offer resources to the master.</li>
-<li>To restrict access to the /teardown endpoint.</li>
+<li>To require that frameworks be authenticated in order to register with the master.</li>
+<li>To require that slaves be authenticated in order to register with the master.</li>
+<li>To require that operators be authenticated to use certain <a href="/documentation/latest/./endpoints/">HTTP endpoints</a>, such as <code>/teardown</code>.</li>
</ol>
-<h2>How Does It Work?</h2>
-
-<p>Mesos uses the <a href="http://asg.web.cmu.edu/sasl/">Cyrus SASL library</a> to implement authentication. SASL is a very flexible authentication framework that allows two endpoints to authenticate with each other and also has support for various authentication mechanisms (ANONYMOUS, PLAIN, CRAM-MD5, GSSAPI etc). Currently, Mesos provides support for CRAM-MD5 authentication, but users can provide their own authentication modules. CRAM-MD5 makes use of a <strong>principal</strong> and <strong>secret</strong> pair, with the principal representing the framework’s identity. Note that this is different from the framework <em>user</em>, which is the account used by the executor to run tasks, and the <em>role</em> which is used to determine what resources frameworks can use.</p>
+<p>Authentication is disabled by default. When authentication is enabled, operators
+can configure Mesos to either use the default authentication module or to use a
+<em>custom</em> authentication module.</p>
+
+<p>The default Mesos authentication module uses the
+<a href="http://asg.web.cmu.edu/sasl/">Cyrus SASL</a> library. SASL is a flexible
+framework that allows two endpoints to authenticate with each other using a
+variety of methods. By default, Mesos uses
+<a href="https://en.wikipedia.org/wiki/CRAM-MD5">CRAM-MD5</a> authentication.</p>
+
+<h2>Credentials, Principals, and Secrets</h2>
+
+<p>When using the default CRAM-MD5 authentication method, an entity that wants to
+authenticate with Mesos must provide a <em>credential</em>, which consists of a
+<em>principal</em> and a <em>secret</em>. The principal is the identity that the entity would
+like to use; the secret is an arbitrary string that is used to verify that
+identity. Principals are similar to user names, while secrets are similar to
+passwords.</p>
+
+<p>Principals are used primarily for authentication and
+<a href="/documentation/latest/./authorization/">authorization</a>; note that a principal is different from a
+framework’s <em>user</em>, which is the operating system account used by the slave to
+run executors, and a framework’s <em><a href="/documentation/latest/./roles/">role</a></em>, which is used to determine
+which resources a framework can use.</p>
<h2>Configuration</h2>
-<p>The <a href="/documentation/latest/./configuration/">configuration options</a> that are used by the authentication mechanism are as follows:</p>
+<p>Authentication is configured by specifying command-line flags when starting the
+Mesos master and slave processes. For more information, refer to the
+<a href="/documentation/latest/./configuration/">configuration</a> documentation.</p>
-<h3>Masters</h3>
+<h3>Master</h3>
<ul>
-<li>–[no-]authenticate - If authenticate is ‘true’ only authenticated frameworks are allowed to register. If ‘false’ unauthenticated frameworks are also allowed to register.</li>
-<li>–[no-]authenticate_slaves - If ‘true’ only authenticated slaves are allowed to register. If ‘false’ unauthenticated slaves are also allowed to register.</li>
-<li>–authenticators - Specifies which authenticator module to use. The default is crammd5, but additional modules can be added with the –modules option.</li>
-<li>–credentials - The path to the text file which contains a list (either plain text or JSON) of accepted credentials. This may be optional depending on the authenticator being used. However, if specified, the credentials will be valid for the /teardown endpoint regardless of which authenticator is used.</li>
+<li><p><code>--[no-]authenticate</code> - If <code>true</code>, only authenticated frameworks are allowed
+to register. If <code>false</code> (the default), unauthenticated frameworks are also
+allowed to register.</p></li>
+<li><p><code>--[no-]authenticate_http</code> - If <code>true</code>, authentication is required to make
+HTTP requests to the HTTP endpoints that support authentication. If <code>false</code>
+(the default), all endpoints can be used without authentication.</p></li>
+<li><p><code>--[no-]authenticate_slaves</code> - If <code>true</code>, only authenticated slaves are
+allowed to register. If <code>false</code> (the default), unauthenticated slaves are also
+allowed to register.</p></li>
+<li><p><code>--authenticators</code> - Specifies which authenticator module to use. The default
+is <code>crammd5</code>, but additional modules can be added using the <code>--modules</code>
+option.</p></li>
+<li><p><code>--credentials</code> - The path to a text file which contains a list (in plaintext
+or JSON format) of accepted credentials. This may be optional depending on
+the authenticator being used.</p></li>
</ul>
-<h3>Slaves</h3>
+<h3>Slave</h3>
<ul>
-<li>–authenticatee - Analog to the master –authenticators option to specify what module to use. Defaults to crammd5.</li>
-<li>–credential - Just like the master –credentials option, except only one credential is allowed, since this credential is used to identify the slave to the master.</li>
+<li><p><code>--authenticatee</code> - Analog to the master’s <code>--authenticators</code> option to
+specify what module to use. Defaults to <code>crammd5</code>.</p></li>
+<li><p><code>--credential</code> - Just like the master’s <code>--credentials</code> option except that
+only one credential is allowed. This credential is used to identify the slave
+to the master.</p></li>
</ul>
+<h3>Framework</h3>
+
+<p>If framework authentication is enabled, each framework must be configured to
+supply authentication credentials when registering with the Mesos master. How to
+configure this differs between frameworks; consult your framework’s
+documentation for more information.</p>
+
+<p>As a framework developer, supporting authentication is straightforward: the
+scheduler driver handles the details of authentication when a <code>Credential</code>
+object is passed to its constructor. To enable <a href="/documentation/latest/./authorization/">authorization</a>
+based on the authenticated principal, the framework developer should also copy
+the <code>Credential.principal</code> into <code>FrameworkInfo.principal</code> when registering.</p>
+
<h2>CRAM-MD5 Example</h2>
<ol>
-<li><p>First, create a credentials file for the masters, the contents of which should look like this:</p>
+<li><p>Create the master’s credentials file with the following content:</p>
<pre><code> principal1 secret1
principal2 secret2
</code></pre></li>
-<li><p>Now, start the master process using your credentials file (assuming the file is ~/credentials):</p>
+<li><p>Start the master using the credentials file (assuming the file is <code>~/credentials</code>):</p>
<pre><code> ./bin/mesos-master.sh --ip=127.0.0.1 --work_dir=/var/lib/mesos --authenticate --authenticate_slaves --credentials=~/credentials
</code></pre></li>
-<li><p>Now create another file with a single credential in it (~/slave_credential):</p>
+<li><p>Create another file with a single credential in it (<code>~/slave_credential</code>):</p>
<pre><code> principal1 secret1
</code></pre></li>
-<li><p>That file will be used to identify the slave process. Start the slave:</p>
+<li><p>Start the slave:</p>
-<pre><code>./bin/mesos-slave.sh --master=127.0.0.1:5050 --credential=~/slave_credential
+<pre><code> ./bin/mesos-slave.sh --master=127.0.0.1:5050 --credential=~/slave_credential
</code></pre></li>
-<li><p>Your new slave should have now successfully authenticated with the master. With these settings, any framework that you’d like to use must also authenticate against the Mesos master. The method of configuring framework authentication may vary by framework, but is simple to implement as the scheduler driver will handle authentication when a Credential object is passed to its constructor. You can test out framework authentication using the test framework provided with Mesos as follows:</p>
+<li><p>Your new slave should have now successfully authenticated with the master.</p></li>
+<li><p>You can test out framework authentication using one of the test frameworks
+provided with Mesos as follows:</p>
-<pre><code>MESOS_AUTHENTICATE=true DEFAULT_PRINCIPAL=principal2 DEFAULT_SECRET=secret2 ./src/test-framework --master=127.0.0.1:5050
+<pre><code> MESOS_AUTHENTICATE=true DEFAULT_PRINCIPAL=principal2 DEFAULT_SECRET=secret2 ./src/test-framework --master=127.0.0.1:5050
</code></pre></li>
</ol>
Modified: mesos/site/publish/documentation/latest/authorization/index.html
URL: http://svn.apache.org/viewvc/mesos/site/publish/documentation/latest/authorization/index.html?rev=1731785&r1=1731784&r2=1731785&view=diff
==============================================================================
--- mesos/site/publish/documentation/latest/authorization/index.html (original)
+++ mesos/site/publish/documentation/latest/authorization/index.html Tue Feb 23 04:13:50 2016
@@ -165,12 +165,28 @@
</ol>
+<h2>Role vs. Principal</h2>
+
+<p>A principal identifies an entity (i.e., a framework or an operator) that interacts with Mesos. A role, on the other hand, is used to associate resources with frameworks in various ways. A useful, if not entirely precise, analogy can be made with user management in the Unix world: principals correspond to usernames, while roles approximately correspond to groups. For more information about roles, see the <a href="/documentation/latest/./roles/">role documentation</a>.</p>
+
+<p>In a real-world organization, principals and roles might be used to represent various individuals or groups; for example, principals could correspond to people responsible for particular frameworks, while roles could correspond to departments within the organization which run frameworks on the cluster. To illustrate this point, consider a company that wants to allocate datacenter resources amongst multiple departments, one of which is the accounting department. Here is a possible scenario in which the accounting department launches a Mesos framework and then attempts to destroy a persistent volume:</p>
+
+<ul>
+<li>An accountant launches their framework, which authenticates with the Mesos master using its <code>principal</code> and <code>secret</code>. Here, let the framework principal be <code>payroll-framework</code>; this principal represents the trusted identity of the framework.</li>
+<li>The framework now sends a registration message to the master. This message includes a <code>FrameworkInfo</code> object containing a <code>principal</code> and a <code>role</code>; in this case, it will use the role <code>accounting</code>. The principal in this message must be <code>payroll-framework</code>, to match the one used by the framework for authentication.</li>
+<li>The master looks through its ACLs to see if it has a <code>RegisterFramework</code> ACL which authorizes the principal <code>payroll-framework</code> to register with the <code>accounting</code> role. It does find such an ACL, so the framework registers successfully. Now that the framework belongs to the <code>accounting</code> role, any <a href="/documentation/latest/./roles/">weights</a>, <a href="/documentation/latest/./reservation/">reservations</a>, <a href="/documentation/latest/./persistent-volume/">persistent volumes</a>, or <a href="/documentation/latest/./quota/">quota</a> associated with the accounting department’s role will apply. This allows operators to control the resource consumption of this department.</li>
+<li>Suppose the framework has created a persistent volume on a slave which it now wishes to destroy. The framework sends an <code>ACCEPT</code> call containing an offer operation which will <code>DESTROY</code> the persistent volume.</li>
+<li>However, datacenter operators have decided that they don’t want the accounting frameworks to delete volumes. Rather, the operators will manually remove the accounting department’s persistent volumes to ensure that no important financial data is deleted accidentally. To accomplish this, they have set a <code>DestroyVolume</code> ACL which asserts that the principal <code>payroll-framework</code> can destroy volumes created by a <code>creator_principal</code> of <code>NONE</code>; in other words, this framework cannot destroy persistent volumes, so the operation will be refused.</li>
+</ul>
+
+
<h2>Examples</h2>
<ol>
-<li><p>Frameworks <code>foo</code> and <code>bar</code> can run tasks as user <code>alice</code>.</p>
+<li><p>Principals <code>foo</code> and <code>bar</code> can run tasks as the agent operating system user <code>alice</code> and no other user. No other principals can run tasks.</p>
<pre><code> {
+ "permissive": false,
"run_tasks": [
{
"principals": { "values": ["foo", "bar"] },
@@ -179,44 +195,45 @@
]
}
</code></pre></li>
-<li><p>Any framework can run tasks as user <code>guest</code>.</p>
+<li><p>Principal <code>foo</code> can run tasks only as the agent operating system user <code>guest</code> and no other user. Any other principal (or framework without a principal) can run tasks as any user.</p>
<pre><code> {
"run_tasks": [
{
- "principals": { "type": "ANY" },
+ "principals": { "values": ["foo"] },
"users": { "values": ["guest"] }
+ },
+ {
+ "principals": { "values": ["foo"] },
+ "users": { "type": "NONE" }
}
]
}
</code></pre></li>
-<li><p>No framework can run tasks as <code>root</code>.</p>
+<li><p>Any principal can run tasks as the agent operating system user <code>guest</code>. Tasks cannot be run as any other user.</p>
<pre><code> {
+ "permissive": false,
"run_tasks": [
{
- "principals": { "type": "NONE" },
- "users": { "values": ["root"] }
+ "principals": { "type": "ANY" },
+ "users": { "values": ["guest"] }
}
]
}
</code></pre></li>
-<li><p>Framework <code>foo</code> can run tasks only as user <code>guest</code> and no other user.</p>
+<li><p>No principal can run tasks as the agent operating system user <code>root</code>. Any principal (or framework without a principal) can run tasks as any other user.</p>
<pre><code> {
"run_tasks": [
{
- "principals": { "values": ["foo"] },
- "users": { "values": ["guest"] }
- },
- {
- "principals": { "values": ["foo"] },
- "users": { "type": "NONE" }
+ "principals": { "type": "NONE" },
+ "users": { "values": ["root"] }
}
]
}
</code></pre></li>
-<li><p>Framework <code>foo</code> can register with the <code>analytics</code> and <code>ads</code> roles.</p>
+<li><p>Principal <code>foo</code> can register frameworks with the <code>analytics</code> and <code>ads</code> roles and no other role. Any other principal (or framework without a principal) can register frameworks with any role.</p>
<pre><code> {
"register_frameworks": [
@@ -227,11 +244,19 @@
"roles": {
"values": ["analytics", "ads"]
}
+ },
+ {
+ "principals": {
+ "values": ["foo"]
+ },
+ "roles": {
+ "type": "NONE"
+ }
}
]
}
</code></pre></li>
-<li><p>Only framework <code>foo</code> and no one else can register with the <code>analytics</code> role.</p>
+<li><p>Only principal <code>foo</code> and no one else can register frameworks with the <code>analytics</code> role. Any other principal (or framework without a principal) can register frameworks with any other role.</p>
<pre><code> {
"register_frameworks": [
@@ -254,7 +279,7 @@
]
}
</code></pre></li>
-<li><p>Framework <code>foo</code> can only register with the <code>analytics</code> role but no other roles. Also, no other framework can register with any roles or run tasks.</p>
+<li><p>Principal <code>foo</code> can register frameworks with the <code>analytics</code> role and no other role. No other principal can register frameworks with any role, including <code>*</code>.</p>
<pre><code> {
"permissive": false,
@@ -270,7 +295,7 @@
]
}
</code></pre></li>
-<li><p>The <code>ops</code> principal can teardown any framework using the “/teardown” HTTP endpoint. No other framework can register with any roles or run tasks.</p>
+<li><p>The <code>ops</code> principal can teardown any framework using the “/teardown” HTTP endpoint. No other principal can teardown any frameworks.</p>
<pre><code> {
"permissive": false,
@@ -286,6 +311,149 @@
]
}
</code></pre></li>
+<li><p>The principal <code>foo</code> can reserve any resources, and no other principal can reserve resources.</p>
+
+<pre><code> {
+ "permissive": false,
+ "reserve_resources": [
+ {
+ "principals": {
+ "values": ["foo"]
+ },
+ "resources": {
+ "type": "ANY"
+ }
+ }
+ ]
+ }
+</code></pre></li>
+<li><p>The principal <code>foo</code> cannot reserve any resources, and any other principal (or framework without a principal) can reserve resources.</p>
+
+<pre><code>{
+ "reserve_resources": [
+ {
+ "principals": {
+ "values": ["foo"]
+ },
+ "resources": {
+ "type": "NONE"
+ }
+ }
+ ]
+}
+</code></pre></li>
+<li><p>The principal <code>foo</code> can unreserve resources reserved by itself and by the principal <code>bar</code>. The principal <code>bar</code>, however, can only unreserve its own resources. No other principals can unreserve resources.</p>
+
+<pre><code>{
+ "permissive": false,
+ "unreserve_resources": [
+ {
+ "principals": {
+ "values": ["foo"]
+ },
+ "reserver_principals": {
+ "values": ["foo", "bar"]
+ }
+ },
+ {
+ "principals": {
+ "values": ["bar"]
+ },
+ "reserver_principals": {
+ "values": ["bar"]
+ }
+ }
+ ]
+}
+</code></pre></li>
+<li><p>The principal <code>foo</code> can create persistent volumes, and no other principal can create persistent volumes.</p>
+
+<pre><code>{
+ "permissive": false,
+ "create_volumes": [
+ {
+ "principals": {
+ "values": ["foo"]
+ },
+ "volume_types": {
+ "type": "ANY"
+ }
+ }
+ ]
+}
+</code></pre></li>
+<li><p>The principal <code>foo</code> can destroy volumes created by itself and by the principal <code>bar</code>. The principal <code>bar</code>, however, can only destroy its own volumes. No other principals can destroy volumes.</p>
+
+<pre><code>{
+ "permissive": false,
+ "destroy_volumes": [
+ {
+ "principals": {
+ "values": ["foo"]
+ },
+ "creator_principals": {
+ "values": ["foo", "bar"]
+ }
+ },
+ {
+ "principals": {
+ "values": ["bar"]
+ },
+ "creator_principals": {
+ "values": ["bar"]
+ }
+ }
+ ]
+}
+</code></pre></li>
+<li><p>The principal <code>ops</code> can set quota for any role. The principal <code>foo</code>, however, can only set quota for <code>foo-role</code>. No other principals can set quota.</p>
+
+<pre><code>{
+ "permissive": false,
+ "set_quotas": [
+ {
+ "principals": {
+ "values": ["ops"]
+ },
+ "roles": {
+ "type": "ANY"
+ }
+ },
+ {
+ "principals": {
+ "values": ["foo"]
+ },
+ "roles": {
+ "values": ["foo-role"]
+ }
+ }
+ ]
+}
+</code></pre></li>
+<li><p>The principal <code>ops</code> can remove quota which was set by any principal. The principal <code>foo</code>, however, can only remove quota which was set by itself. No other principals can remove quota.</p>
+
+<pre><code>{
+ "permissive": false,
+ "remove_quotas": [
+ {
+ "principals": {
+ "values": ["ops"]
+ },
+ "quota_principals": {
+ "type": "ANY"
+ }
+ },
+ {
+ "principals": {
+ "values": ["foo"]
+ },
+ "quota_principals": {
+ "values": ["foo"]
+ }
+ }
+ ]
+}
+</code></pre></li>
</ol>
Modified: mesos/site/publish/documentation/latest/configuration/index.html
URL: http://svn.apache.org/viewvc/mesos/site/publish/documentation/latest/configuration/index.html?rev=1731785&r1=1731784&r2=1731785&view=diff
==============================================================================
--- mesos/site/publish/documentation/latest/configuration/index.html (original)
+++ mesos/site/publish/documentation/latest/configuration/index.html Tue Feb 23 04:13:50 2016
@@ -630,8 +630,8 @@ Currently there is no support for multip
--[no-]log_auto_initialize
</td>
<td>
-Whether to automatically initialize the replicated log used for the
-registry. If this is set to false, the log has to be manually
+Whether to automatically initialize the [replicated log](/documentation/latest/./replicated-log-internals/)
+used for the registry. If this is set to false, the log has to be manually
initialized when used for the very first time. (default: true)
</td>
</tr>
@@ -1002,6 +1002,15 @@ swap instead of just memory. (default: f
</tr>
<tr>
<td>
+ --cgroups_net_cls_primary_handle
+ </td>
+ <td>
+A non-zero, 16-bit handle of the form `0xAAAA`. This will be used as
+the primary handle for the net_cls cgroup.
+ </td>
+</tr>
+<tr>
+ <td>
--cgroups_root=VALUE
</td>
<td>
@@ -1180,7 +1189,7 @@ Timeout in seconds for pulling images fr
<td>
The default url for pulling Docker images. It could either be a Docker
registry server url (i.e: <code>https://registry.docker.io</code>), or a local
-path (i.e: <code>file:///tmp/docker/images</code>) in which Docker image archives
+path (i.e: <code>/tmp/docker/images</code>) in which Docker image archives
(result of <code>docker save</code>) are stored. (default: https://registry-1.docker.io)
</td>
</tr>
@@ -1585,6 +1594,18 @@ therefore the flag currently does not ex
</tr>
<tr>
<td>
+ --[no-]systemd_enable_support
+ </td>
+ <td>
+Top level control of systemd support. When enabled, features such as
+executor life-time extension are enabled unless there is an explicit
+flag to disable these (see other flags). This should be enabled when
+the agent is launched as a systemd unit.
+(default: true)
+ </td>
+</tr>
+<tr>
+ <td>
--systemd_runtime_directory=VALUE
</td>
<td>
@@ -1700,6 +1721,16 @@ each container. This flag is used for th
isolator. (default: false)
</td>
</tr>
+<tr>
+ <td>
+ --[no-]network_enable_snmp_statistics
+ </td>
+ <td>
+Whether to collect SNMP statistics details (e.g., TCPRetransSegs) for
+each container. This flag is used for the 'network/port_mapping'
+isolator. (default: false)
+ </td>
+</tr>
</table>
Modified: mesos/site/publish/documentation/latest/endpoints/master/create-volumes/index.html
URL: http://svn.apache.org/viewvc/mesos/site/publish/documentation/latest/endpoints/master/create-volumes/index.html?rev=1731785&r1=1731784&r2=1731785&view=diff
==============================================================================
--- mesos/site/publish/documentation/latest/endpoints/master/create-volumes/index.html (original)
+++ mesos/site/publish/documentation/latest/endpoints/master/create-volumes/index.html Tue Feb 23 04:13:50 2016
@@ -95,8 +95,11 @@
<h3>DESCRIPTION</h3>
-<p>Returns 200 OK if volume creation was successful.
-Please provide “slaveId” and “volumes” values designating
+<p>Returns 200 OK if the request was accepted. This does not
+imply that the volume was created successfully: volume
+creation is done asynchronously and may fail.</p>
+
+<p>Please provide “slaveId” and “volumes” values designating
the volumes to be created.</p>
</div>
Modified: mesos/site/publish/documentation/latest/endpoints/master/destroy-volumes/index.html
URL: http://svn.apache.org/viewvc/mesos/site/publish/documentation/latest/endpoints/master/destroy-volumes/index.html?rev=1731785&r1=1731784&r2=1731785&view=diff
==============================================================================
--- mesos/site/publish/documentation/latest/endpoints/master/destroy-volumes/index.html (original)
+++ mesos/site/publish/documentation/latest/endpoints/master/destroy-volumes/index.html Tue Feb 23 04:13:50 2016
@@ -95,8 +95,11 @@
<h3>DESCRIPTION</h3>
-<p>Returns 200 OK if volume deletion was successful.
-Please provide “slaveId” and “volumes” values designating
+<p>Returns 200 OK if the request was accepted. This does not
+imply that the volume was destroyed successfully: volume
+destruction is done asynchronously and may fail.</p>
+
+<p>Please provide “slaveId” and “volumes” values designating
the volumes to be destroyed.</p>
</div>
Modified: mesos/site/publish/documentation/latest/endpoints/master/reserve/index.html
URL: http://svn.apache.org/viewvc/mesos/site/publish/documentation/latest/endpoints/master/reserve/index.html?rev=1731785&r1=1731784&r2=1731785&view=diff
==============================================================================
--- mesos/site/publish/documentation/latest/endpoints/master/reserve/index.html (original)
+++ mesos/site/publish/documentation/latest/endpoints/master/reserve/index.html Tue Feb 23 04:13:50 2016
@@ -95,8 +95,11 @@
<h3>DESCRIPTION</h3>
-<p>Returns 200 OK if resource reservation was successful.
-Please provide “slaveId” and “resources” values designating
+<p>Returns 200 OK if the request was accepted. This does not
+imply that the requested resources have been reserved successfully:
+resource reservation is done asynchronously and may fail.</p>
+
+<p>Please provide “slaveId” and “resources” values designating
the resources to be reserved.</p>
</div>
Modified: mesos/site/publish/documentation/latest/endpoints/master/state.json/index.html
URL: http://svn.apache.org/viewvc/mesos/site/publish/documentation/latest/endpoints/master/state.json/index.html?rev=1731785&r1=1731784&r2=1731785&view=diff
==============================================================================
--- mesos/site/publish/documentation/latest/endpoints/master/state.json/index.html (original)
+++ mesos/site/publish/documentation/latest/endpoints/master/state.json/index.html Tue Feb 23 04:13:50 2016
@@ -98,6 +98,75 @@
<p>This endpoint shows information about the frameworks, tasks,
executors and slaves running in the cluster as a JSON object.</p>
+<p>Example (<strong>Note</strong>: this is not exhaustive):</p>
+
+<pre><code>{
+ "version" : "0.28.0",
+ "git_sha" : "9d5889b5a265849886a533965f4aefefd1fbd103",
+ "git_branch" : "refs/heads/master",
+ "git_tag" : "0.28.0",
+ "build_date" : "2016-02-15 10:00:28",
+ "build_time" : 1455559228,
+ "build_user" : "mesos-user",
+ "start_time" : 1455643643.42422,
+ "elected_time" : 1455643643.43457,
+ "id" : "b5eac2c5-609b-4ca1-a352-61941702fc9e",
+ "pid" : "master@127.0.0.1:5050",
+ "hostname" : "localhost",
+ "activated_slaves" : 0,
+ "deactivated_slaves" : 0,
+ "cluster" : "test-cluster",
+ "leader" : "master@127.0.0.1:5050",
+ "log_dir" : "/var/log",
+ "external_log_file" : "mesos.log",
+ "flags" : {
+ "framework_sorter" : "drf",
+ "authenticate" : "false",
+ "logbufsecs" : "0",
+ "initialize_driver_logging" : "true",
+ "work_dir" : "/var/lib/mesos",
+ "http_authenticators" : "basic",
+ "authorizers" : "local",
+ "slave_reregister_timeout" : "10mins",
+ "logging_level" : "INFO",
+ "help" : "false",
+ "root_submissions" : "true",
+ "ip" : "127.0.0.1",
+ "user_sorter" : "drf",
+ "version" : "false",
+ "max_slave_ping_timeouts" : "5",
+ "slave_ping_timeout" : "15secs",
+ "registry_store_timeout" : "20secs",
+ "max_completed_frameworks" : "50",
+ "quiet" : "false",
+ "allocator" : "HierarchicalDRF",
+ "hostname_lookup" : "true",
+ "authenticators" : "crammd5",
+ "max_completed_tasks_per_framework" : "1000",
+ "registry" : "replicated_log",
+ "registry_strict" : "false",
+ "log_auto_initialize" : "true",
+ "authenticate_slaves" : "false",
+ "registry_fetch_timeout" : "1mins",
+ "allocation_interval" : "1secs",
+ "authenticate_http" : "false",
+ "port" : "5050",
+ "zk_session_timeout" : "10secs",
+ "recovery_slave_removal_limit" : "100%",
+ "webui_dir" : "/path/to/mesos/build/../src/webui",
+ "cluster" : "mycluster",
+ "leader" : "master@127.0.0.1:5050",
+ "log_dir" : "/var/log",
+ "external_log_file" : "mesos.log"
+ },
+ "slaves" : [],
+ "frameworks" : [],
+ "completed_frameworks" : [],
+ "orphan_tasks" : [],
+ "unregistered_frameworks" : []
+}
+</code></pre>
+
</div>
</div>
Modified: mesos/site/publish/documentation/latest/endpoints/master/state/index.html
URL: http://svn.apache.org/viewvc/mesos/site/publish/documentation/latest/endpoints/master/state/index.html?rev=1731785&r1=1731784&r2=1731785&view=diff
==============================================================================
--- mesos/site/publish/documentation/latest/endpoints/master/state/index.html (original)
+++ mesos/site/publish/documentation/latest/endpoints/master/state/index.html Tue Feb 23 04:13:50 2016
@@ -98,6 +98,75 @@
<p>This endpoint shows information about the frameworks, tasks,
executors and slaves running in the cluster as a JSON object.</p>
+<p>Example (<strong>Note</strong>: this is not exhaustive):</p>
+
+<pre><code>{
+ "version" : "0.28.0",
+ "git_sha" : "9d5889b5a265849886a533965f4aefefd1fbd103",
+ "git_branch" : "refs/heads/master",
+ "git_tag" : "0.28.0",
+ "build_date" : "2016-02-15 10:00:28",
+ "build_time" : 1455559228,
+ "build_user" : "mesos-user",
+ "start_time" : 1455643643.42422,
+ "elected_time" : 1455643643.43457,
+ "id" : "b5eac2c5-609b-4ca1-a352-61941702fc9e",
+ "pid" : "master@127.0.0.1:5050",
+ "hostname" : "localhost",
+ "activated_slaves" : 0,
+ "deactivated_slaves" : 0,
+ "cluster" : "test-cluster",
+ "leader" : "master@127.0.0.1:5050",
+ "log_dir" : "/var/log",
+ "external_log_file" : "mesos.log",
+ "flags" : {
+ "framework_sorter" : "drf",
+ "authenticate" : "false",
+ "logbufsecs" : "0",
+ "initialize_driver_logging" : "true",
+ "work_dir" : "/var/lib/mesos",
+ "http_authenticators" : "basic",
+ "authorizers" : "local",
+ "slave_reregister_timeout" : "10mins",
+ "logging_level" : "INFO",
+ "help" : "false",
+ "root_submissions" : "true",
+ "ip" : "127.0.0.1",
+ "user_sorter" : "drf",
+ "version" : "false",
+ "max_slave_ping_timeouts" : "5",
+ "slave_ping_timeout" : "15secs",
+ "registry_store_timeout" : "20secs",
+ "max_completed_frameworks" : "50",
+ "quiet" : "false",
+ "allocator" : "HierarchicalDRF",
+ "hostname_lookup" : "true",
+ "authenticators" : "crammd5",
+ "max_completed_tasks_per_framework" : "1000",
+ "registry" : "replicated_log",
+ "registry_strict" : "false",
+ "log_auto_initialize" : "true",
+ "authenticate_slaves" : "false",
+ "registry_fetch_timeout" : "1mins",
+ "allocation_interval" : "1secs",
+ "authenticate_http" : "false",
+ "port" : "5050",
+ "zk_session_timeout" : "10secs",
+ "recovery_slave_removal_limit" : "100%",
+ "webui_dir" : "/path/to/mesos/build/../src/webui",
+ "cluster" : "mycluster",
+ "leader" : "master@127.0.0.1:5050",
+ "log_dir" : "/var/log",
+ "external_log_file" : "mesos.log"
+ },
+ "slaves" : [],
+ "frameworks" : [],
+ "completed_frameworks" : [],
+ "orphan_tasks" : [],
+ "unregistered_frameworks" : []
+}
+</code></pre>
+
</div>
</div>
Modified: mesos/site/publish/documentation/latest/endpoints/master/unreserve/index.html
URL: http://svn.apache.org/viewvc/mesos/site/publish/documentation/latest/endpoints/master/unreserve/index.html?rev=1731785&r1=1731784&r2=1731785&view=diff
==============================================================================
--- mesos/site/publish/documentation/latest/endpoints/master/unreserve/index.html (original)
+++ mesos/site/publish/documentation/latest/endpoints/master/unreserve/index.html Tue Feb 23 04:13:50 2016
@@ -95,8 +95,11 @@
<h3>DESCRIPTION</h3>
-<p>Returns 200 OK if resource unreservation was successful.
-Please provide “slaveId” and “resources” values designating
+<p>Returns 200 OK if the request was accepted. This does not
+imply that the requested resources have been unreserved successfully:
+resource unreservation is done asynchronously and may fail.</p>
+
+<p>Please provide “slaveId” and “resources” values designating
the resources to be unreserved.</p>
</div>