Posted to commits@mesos.apache.org by qi...@apache.org on 2019/09/16 00:42:39 UTC

[mesos] 02/02: Added the Mesos 1.9.0 release blog post.

This is an automated email from the ASF dual-hosted git repository.

qianzhang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/mesos.git

commit f99ffab06694dcfcf62bf7250c56690a25d4d912
Author: Qian Zhang <zh...@gmail.com>
AuthorDate: Tue Sep 10 14:13:32 2019 +0800

    Added the Mesos 1.9.0 release blog post.
---
 .../source/blog/2019-09-05-mesos-1-9-0-released.md | 75 ++++++++++++++++++++++
 1 file changed, 75 insertions(+)

diff --git a/site/source/blog/2019-09-05-mesos-1-9-0-released.md b/site/source/blog/2019-09-05-mesos-1-9-0-released.md
new file mode 100644
index 0000000..a556e4b
--- /dev/null
+++ b/site/source/blog/2019-09-05-mesos-1-9-0-released.md
@@ -0,0 +1,75 @@
+---
+layout: post
+title: "Apache Mesos 1.9: Agent Draining, Quota Limit and Security Improvements"
+permalink: /blog/mesos-1-9-0-released/
+published: true
+post_author:
+  display_name: Qian Zhang & Gilbert Song
+tags: Release
+---
+
+We are excited to announce that Apache Mesos 1.9.0 is now available for [download](/downloads). Please take a look at what's new in this release!
+
+# New Features and Improvements
+
+## Agent Draining
+
+Automatic agent draining was added to allow operators to prepare agent nodes for maintenance without requiring schedulers to implement support for the feature. Since the pre-existing maintenance primitives offered by Mesos require that schedulers make changes, some operators have had difficulty using them effectively in clusters containing frameworks which have not done so. When automatic draining is initiated on an agent, all tasks are gracefully killed, and operators can monitor the ma [...]
+
+Agent deactivation and reactivation primitives were also added to the master API, allowing operators to stop and resume offers from particular agents. Used in concert with framework-specific APIs, this new functionality enables operators to perform manual draining of agent nodes in cases where greater control is desired.
+
+## Resource Management
+
+Prior to Mesos 1.9, the quota related APIs only exposed quota "guarantees" which ensured a minimum amount of resources would be available to a role. Setting guarantees also set implicit quota limits. In Mesos 1.9.0, quota limits are now exposed directly.
+
+* Quota guarantees are now deprecated in favor of using only quota limits. Enforcement of quota guarantees required that Mesos holds back enough resources to meet all of the unsatisfied quota guarantees. Since Mesos is moving towards an optimistic offer model (to improve multi-role / multi- scheduler scalability, see MESOS-1607), it will become no longer possible to enforce quota guarantees by holding back resources. In such a model, quota limits are simple to enforce, but quota guarante [...]
+
+* For these reasons, quota guarantees, while still functional in Mesos 1.9, are now deprecated. A combination of limits and priority based preemption will be simpler in an optimistic offer model.
+
+## Containerization
+
+A number of containerization-related improvements have landed in Mesos 1.9.0:
+
+* The Mesos containerizer now supports configurable IPC namespace and /dev/shm. Container can be configured to have a private IPC namespace and /dev/shm or share them from its parent, and the size of its private /dev/shm is also configurable.
+
+* A new `/containerizer/debug` HTTP endpoint has been added. This endpoint exposes debug information for the Mesos containerizer. At the moment, it returns a list of pending operations related to isolators and launchers.
+
+* A new Linux NNP (No New Privs) isolator has been added to the Mesos Containerizer. The isolator allows configuration of the [no_new_privs](https://www.kernel.org/doc/Documentation/prctl/no_new_privs.txt) flag for launched containers. The `no_new_privs` flag disables the ability of container tasks to acquire additional privileges by means of executing a child process e.g. through invocation of `setuid` or `setgid` programs. The flag is configurable on the agent and provides additional d [...]
+
+* A new `--docker_ignore_runtime` flag has been added. This causes the agent to ignore any runtime configuration present in Docker images.
+
+* The Mesos containerizer now includes ephemeral overlayfs storage in the task disk quota as well as sandbox storage.
+
+## Improved Security for TLS Connections
+
+Since Mesos 0.23, Mesos had support for using TLS [1] to encrypt the communication to and from Mesos components - the same protocol that secures `https`, `smtps`, and many others. Roughly speaking, every time a TLS client connects to a TLS server, that server will present a certificate signed by a trusted certificate authority which is used to verify the identity of the server.
+
+In Mesos, this behaviour is controlled by the environment variables `LIBPROCESS_SSL_VERIFY_CERT` and `LIBPROCESS_SSL_REQUIRE_CERT`. The former would do the cryptographic verification **if** a certificate was supplied, and the latter would reject all connections where no certificate was presented. This may sound straightforward, but this behaviour has proven challenging for Mesos operators, with many leaving TLS verification disabled in practice. The reason for that is that Mesos componen [...]
+
+Enabling server certificate validation in this scenario had the effect of requiring **all** incoming connections to present valid client certificates. This put an additional burden on operators to build infrastructure to distribute valid client certificates to all users of Mesos endpoints.
+
+With Mesos 1.9, we updated the semantics of both flags to be more aligned with the needs of Mesos operators:
+
+* `LIBPROCESS_SSL_VERIFY_CERT` now only applies to *server certificates*, which are always required for TLS connections. If it is set to true, the server certificate is verified for all outgoing connections.
+
+* `LIBPROCESS_SSL_REQUIRE_CERT` now only applies to *client certificates*: If it is set to true, all incoming connections must present a valid client certificate.
+
+By switching to the OpenSSL-provided API for hostname validation [2], we are able to improve security and make the behaviour more uniform across different platforms. We were also able to eliminate reverse DNS lookups while establishing a connection which improves reliability and performance.
+
+[1] https://en.wikipedia.org/wiki/Transport_Layer_Security
+
+[2] http://mesos.apache.org/documentation/latest/ssl/#libprocess_ssl_hostname_validation_scheme-legacy-openssl-default
+
+# Upgrade
+
+Upgrades from Mesos 1.8.0 to Mesos 1.9.0 should be straightforward. Please refer to the [upgrade guide](http://mesos.apache.org/documentation/latest/upgrades/) for detailed information on upgrading to Mesos 1.9.0.
+
+# Community
+
+Inspired by the work that went into this release? Want to get involved? Have feedback? We'd love to hear from you! Join a [working group](http://mesos.apache.org/community/#working-groups) or start a conversation in the [community](http://mesos.apache.org/community/)!
+
+# Thank you!
+
+Thanks to the 28 contributors who made Mesos 1.9.0 possible:
+
+Alexander Rukletsov, Andrei Budnik, Andrei Sekretenko, Armand Grillet, Bartosz Galek, Benjamin Bannier, Benjamin Mahler, Benno Evers, Bilal Amarni, Chun-Hung Hsiao, Gastón Kleiman, Gilbert Song, Greg Mann, Hans Beck, Jacob Janco, James Peach, James Wright, Jan Schlicht, Joseph Wu, Meng Zhu, Pavel Kirillov, Qian Zhang, Stéphane Cottin, Till Toenshoff, Tomasz Janiszewski, Vinod Kone, Zhitao Li, Fei Long
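Review bot: the TLS section ("With Mesos 1.9, we updated the semantics of both flags ...") announces a behavioural change to `LIBPROCESS_SSL_VERIFY_CERT` and `LIBPROCESS_SSL_REQUIRE_CERT` but never says what an operator who already has either variable set should expect after upgrading, nor what the defaults are, while the Upgrade section tells the same reader that the upgrade "should be straightforward". Add one sentence per flag describing the before/after behaviour for an existing setting (e.g. "if you previously set `LIBPROCESS_SSL_REQUIRE_CERT=true` to get server-certificate verification, you now need ..."), or state explicitly that the upgrade guide covers these two variables. Also, "server certificates, which are always required for TLS connections" is overstated as a statement about TLS (the protocol permits anonymous and pre-shared-key cipher suites); scope it to libprocess, e.g. "which libprocess always requires". Minor wording in the same hunk: "Since Mesos 0.23, Mesos had support" should read "has had support"; "Container can be configured" should read "A container can be configured"; "multi- scheduler" has a stray space after the hyphen; and the component is spelled both "Mesos containerizer" and "Mesos Containerizer" across the Containerization bullets, so pick one.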