You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@mesos.apache.org by ji...@apache.org on 2016/07/20 22:16:44 UTC
[1/4] mesos git commit: Updated upgrades.md about deprecated SSL env
variables.
Repository: mesos
Updated Branches:
refs/heads/1.0.x c3128a58a -> 34ba5f417
Updated upgrades.md about deprecated SSL env variables.
Review: https://reviews.apache.org/r/50267
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/34ba5f41
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/34ba5f41
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/34ba5f41
Branch: refs/heads/1.0.x
Commit: 34ba5f41737ac7319aad2c8e97998744fb8318c4
Parents: 3551932
Author: Jie Yu <yu...@gmail.com>
Authored: Wed Jul 20 14:58:50 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Wed Jul 20 15:15:43 2016 -0700
----------------------------------------------------------------------
docs/upgrades.md | 5 +++++
1 file changed, 5 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/34ba5f41/docs/upgrades.md
----------------------------------------------------------------------
diff --git a/docs/upgrades.md b/docs/upgrades.md
index 431e6b3..1c871c4 100644
--- a/docs/upgrades.md
+++ b/docs/upgrades.md
@@ -62,6 +62,7 @@ We categorize the changes as follows:
<li>D <a href="#1-0-x-credentials-file">credential(s) (plain text format)</a></li>
<li>C <a href="#1-0-x-slave">Slave to Agent rename</a></li>
<li>R <a href="#1-0-x-workdir">work_dir default value</a></li>
+ <li>D <a href="#1-0-x-deprecated-ssl-env-variables">SSL environment variables</a></li>
</ul>
</td>
<td style="word-wrap: break-word; overflow-wrap: break-word;"><!--Framework API-->
@@ -176,6 +177,10 @@ We categorize the changes as follows:
## Upgrading from 0.28.x to 1.0.x ##
+<a name="1-0-x-deprecated-ssl-env-variables"</a>
+
+* Prior to Mesos 1.0, environment variables prefixed by `SSL_` are used to control libprocess SSL support. However, it was found that those environment variables may collide with some libraries or programs (e.g., openssl, curl). From Mesos 1.0, `SSL_*` environment variables are deprecated in favor of the corresponding `LIBPROCESS_SSL_*` variables.
+
<a name="1-0-x-persistent-volume-ownership"</a>
* Prior to Mesos 1.0, Mesos agent recursively changes the ownership of the persistent volumes every time they are mounted to a container. From Mesos 1.0, this behavior has been changed. Mesos agent will do a _non-recursive_ change of ownership of the persistent volumes.
[4/4] mesos git commit: Used LIBPROCESS_SSL_ instead of SSL_ as the
prefix for ssl support.
Posted by ji...@apache.org.
Used LIBPROCESS_SSL_ instead of SSL_ as the prefix for ssl support.
Review: https://reviews.apache.org/r/50257
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/05cc040c
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/05cc040c
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/05cc040c
Branch: refs/heads/1.0.x
Commit: 05cc040c46421498ee23004dc4e2a93c91a3a080
Parents: c3128a5
Author: Jie Yu <yu...@gmail.com>
Authored: Wed Jul 20 11:52:52 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Wed Jul 20 15:15:43 2016 -0700
----------------------------------------------------------------------
.../libprocess/include/process/ssl/gtest.hpp | 28 +--
3rdparty/libprocess/src/openssl.cpp | 55 +++--
3rdparty/libprocess/src/openssl.hpp | 30 +--
3rdparty/libprocess/src/process.cpp | 4 +-
3rdparty/libprocess/src/tests/ssl_client.cpp | 9 +-
3rdparty/libprocess/src/tests/ssl_tests.cpp | 235 ++++++++++---------
6 files changed, 197 insertions(+), 164 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/05cc040c/3rdparty/libprocess/include/process/ssl/gtest.hpp
----------------------------------------------------------------------
diff --git a/3rdparty/libprocess/include/process/ssl/gtest.hpp b/3rdparty/libprocess/include/process/ssl/gtest.hpp
index a929cc9..83778bb 100644
--- a/3rdparty/libprocess/include/process/ssl/gtest.hpp
+++ b/3rdparty/libprocess/include/process/ssl/gtest.hpp
@@ -115,20 +115,20 @@ protected:
{
// This unsets all the SSL environment variables. Necessary for
// ensuring a clean starting slate between tests.
- os::unsetenv("SSL_ENABLED");
- os::unsetenv("SSL_SUPPORT_DOWNGRADE");
- os::unsetenv("SSL_CERT_FILE");
- os::unsetenv("SSL_KEY_FILE");
- os::unsetenv("SSL_VERIFY_CERT");
- os::unsetenv("SSL_REQUIRE_CERT");
- os::unsetenv("SSL_VERIFY_DEPTH");
- os::unsetenv("SSL_CA_DIR");
- os::unsetenv("SSL_CA_FILE");
- os::unsetenv("SSL_CIPHERS");
- os::unsetenv("SSL_ENABLE_SSL_V3");
- os::unsetenv("SSL_ENABLE_TLS_V1_0");
- os::unsetenv("SSL_ENABLE_TLS_V1_1");
- os::unsetenv("SSL_ENABLE_TLS_V1_2");
+ os::unsetenv("LIBPROCESS_SSL_ENABLED");
+ os::unsetenv("LIBPROCESS_SSL_SUPPORT_DOWNGRADE");
+ os::unsetenv("LIBPROCESS_SSL_CERT_FILE");
+ os::unsetenv("LIBPROCESS_SSL_KEY_FILE");
+ os::unsetenv("LIBPROCESS_SSL_VERIFY_CERT");
+ os::unsetenv("LIBPROCESS_SSL_REQUIRE_CERT");
+ os::unsetenv("LIBPROCESS_SSL_VERIFY_DEPTH");
+ os::unsetenv("LIBPROCESS_SSL_CA_DIR");
+ os::unsetenv("LIBPROCESS_SSL_CA_FILE");
+ os::unsetenv("LIBPROCESS_SSL_CIPHERS");
+ os::unsetenv("LIBPROCESS_SSL_ENABLE_SSL_V3");
+ os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_0");
+ os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_1");
+ os::unsetenv("LIBPROCESS_SSL_ENABLE_TLS_V1_2");
// Copy the given map into the clean slate.
foreachpair (
http://git-wip-us.apache.org/repos/asf/mesos/blob/05cc040c/3rdparty/libprocess/src/openssl.cpp
----------------------------------------------------------------------
diff --git a/3rdparty/libprocess/src/openssl.cpp b/3rdparty/libprocess/src/openssl.cpp
index 63916ff..a73313b 100644
--- a/3rdparty/libprocess/src/openssl.cpp
+++ b/3rdparty/libprocess/src/openssl.cpp
@@ -19,6 +19,7 @@
#include <openssl/ssl.h>
#include <openssl/x509v3.h>
+#include <map>
#include <mutex>
#include <string>
#include <thread>
@@ -26,7 +27,10 @@
#include <process/once.hpp>
#include <stout/flags.hpp>
+#include <stout/os.hpp>
+#include <stout/strings.hpp>
+using std::map;
using std::ostringstream;
using std::string;
@@ -288,12 +292,32 @@ void reinitialize()
// change environment variables and call `reinitialize`.
*ssl_flags = Flags();
- // Load all the flags prefixed by SSL_ from the environment. See
- // comment at top of openssl.hpp for a full list.
- Try<flags::Warnings> load = ssl_flags->load("SSL_");
+ // Load all the flags prefixed by LIBPROCESS_SSL_ from the
+ // environment. See comment at top of openssl.hpp for a full list.
+ //
+ // NOTE: We used to look for environment variables prefixed by SSL_.
+ // To be backward compatible, for each environment variable prefixed
+ // by SSL_, we generate the corresponding LIBPROCESS_SSL_ version.
+ // See details in MESOS-5863.
+ map<string, string> environments = os::environment();
+ foreachpair (const string& key, const string& value, environments) {
+ if (strings::startsWith(key, "SSL_")) {
+ const string new_key = "LIBPROCESS_" + key;
+ if (environments.count(new_key) == 0) {
+ os::setenv(new_key, value);
+ } else if (environments[new_key] != value) {
+ LOG(WARNING) << "Mismatched SSL environment variables: "
+ << key << "=" << value << ", "
+ << new_key << "=" << environments[new_key];
+ }
+ }
+ }
+
+ Try<flags::Warnings> load = ssl_flags->load("LIBPROCESS_SSL_");
if (load.isError()) {
EXIT(EXIT_FAILURE)
- << "Failed to load flags from environment variables (prefixed by SSL_):"
+ << "Failed to load flags from environment variables "
+ << "prefixed by LIBPROCESS_SSL_ or SSL_ (deprecated):"
<< load.error();
}
@@ -377,34 +401,36 @@ void reinitialize()
// Now do some validation of the flags/environment variables.
if (ssl_flags->key_file.isNone()) {
- EXIT(EXIT_FAILURE) << "SSL requires key! NOTE: Set path with SSL_KEY_FILE";
+ EXIT(EXIT_FAILURE)
+ << "SSL requires key! NOTE: Set path with LIBPROCESS_SSL_KEY_FILE";
}
if (ssl_flags->cert_file.isNone()) {
EXIT(EXIT_FAILURE)
- << "SSL requires certificate! NOTE: Set path with SSL_CERT_FILE";
+ << "SSL requires certificate! NOTE: Set path with "
+ << "LIBPROCESS_SSL_CERT_FILE";
}
if (ssl_flags->ca_file.isNone()) {
VLOG(2) << "CA file path is unspecified! NOTE: "
- << "Set CA file path with SSL_CA_FILE=<filepath>";
+ << "Set CA file path with LIBPROCESS_SSL_CA_FILE=<filepath>";
}
if (ssl_flags->ca_dir.isNone()) {
VLOG(2) << "CA directory path unspecified! NOTE: "
- << "Set CA directory path with SSL_CA_DIR=<dirpath>";
+ << "Set CA directory path with LIBPROCESS_SSL_CA_DIR=<dirpath>";
}
if (!ssl_flags->verify_cert) {
VLOG(2) << "Will not verify peer certificate!\n"
- << "NOTE: Set SSL_VERIFY_CERT=1 to enable peer certificate "
- << "verification";
+ << "NOTE: Set LIBPROCESS_SSL_VERIFY_CERT=1 to enable "
+ << "peer certificate verification";
}
if (!ssl_flags->require_cert) {
VLOG(2) << "Will only verify peer certificate if presented!\n"
- << "NOTE: Set SSL_REQUIRE_CERT=1 to require peer certificate "
- << "verification";
+ << "NOTE: Set LIBPROCESS_SSL_REQUIRE_CERT=1 to require "
+ << "peer certificate verification";
}
if (ssl_flags->verify_ipadd) {
@@ -416,8 +442,9 @@ void reinitialize()
// Requiring a certificate implies that is should be verified.
ssl_flags->verify_cert = true;
- VLOG(2) << "SSL_REQUIRE_CERT implies peer certificate verification.\n"
- << "SSL_VERIFY_CERT set to true";
+ VLOG(2) << "LIBPROCESS_SSL_REQUIRE_CERT implies "
+ << "peer certificate verification.\n"
+ << "LIBPROCESS_SSL_VERIFY_CERT set to true";
}
// Initialize OpenSSL if we've been asked to do verification of peer
http://git-wip-us.apache.org/repos/asf/mesos/blob/05cc040c/3rdparty/libprocess/src/openssl.hpp
----------------------------------------------------------------------
diff --git a/3rdparty/libprocess/src/openssl.hpp b/3rdparty/libprocess/src/openssl.hpp
index 68f8897..f33614c 100644
--- a/3rdparty/libprocess/src/openssl.hpp
+++ b/3rdparty/libprocess/src/openssl.hpp
@@ -57,21 +57,21 @@ const Flags& flags();
// crypto library in order to support multi-threading. The global
// context gets initialized using the environment variables:
//
-// SSL_ENABLED=(false|0,true|1)
-// SSL_SUPPORT_DOWNGRADE=(false|0,true|1)
-// SSL_CERT_FILE=(path to certificate)
-// SSL_KEY_FILE=(path to key)
-// SSL_VERIFY_CERT=(false|0,true|1)
-// SSL_REQUIRE_CERT=(false|0,true|1)
-// SSL_VERIFY_IPADD=(false|0,true|1)
-// SSL_VERIFY_DEPTH=(4)
-// SSL_CA_DIR=(path to CA directory)
-// SSL_CA_FILE=(path to CA file)
-// SSL_CIPHERS=(accepted ciphers separated by ':')
-// SSL_ENABLE_SSL_V3=(false|0,true|1)
-// SSL_ENABLE_TLS_V1_0=(false|0,true|1)
-// SSL_ENABLE_TLS_V1_1=(false|0,true|1)
-// SSL_ENABLE_TLS_V1_2=(false|0,true|1)
+// LIBPROCESS_SSL_ENABLED=(false|0,true|1)
+// LIBPROCESS_SSL_SUPPORT_DOWNGRADE=(false|0,true|1)
+// LIBPROCESS_SSL_CERT_FILE=(path to certificate)
+// LIBPROCESS_SSL_KEY_FILE=(path to key)
+// LIBPROCESS_SSL_VERIFY_CERT=(false|0,true|1)
+// LIBPROCESS_SSL_REQUIRE_CERT=(false|0,true|1)
+// LIBPROCESS_SSL_VERIFY_IPADD=(false|0,true|1)
+// LIBPROCESS_SSL_VERIFY_DEPTH=(4)
+// LIBPROCESS_SSL_CA_DIR=(path to CA directory)
+// LIBPROCESS_SSL_CA_FILE=(path to CA file)
+// LIBPROCESS_SSL_CIPHERS=(accepted ciphers separated by ':')
+// LIBPROCESS_SSL_ENABLE_SSL_V3=(false|0,true|1)
+// LIBPROCESS_SSL_ENABLE_TLS_V1_0=(false|0,true|1)
+// LIBPROCESS_SSL_ENABLE_TLS_V1_1=(false|0,true|1)
+// LIBPROCESS_SSL_ENABLE_TLS_V1_2=(false|0,true|1)
//
// TODO(benh): When/If we need to support multiple contexts in the
// same process, for example for Server Name Indication (SNI), then
http://git-wip-us.apache.org/repos/asf/mesos/blob/05cc040c/3rdparty/libprocess/src/process.cpp
----------------------------------------------------------------------
diff --git a/3rdparty/libprocess/src/process.cpp b/3rdparty/libprocess/src/process.cpp
index 9a31702..7e8bebe 100644
--- a/3rdparty/libprocess/src/process.cpp
+++ b/3rdparty/libprocess/src/process.cpp
@@ -874,8 +874,8 @@ bool initialize(
signal(SIGPIPE, SIG_IGN);
#ifdef USE_SSL_SOCKET
- // Notify users of the 'SSL_SUPPORT_DOWNGRADE' flag that this
- // setting allows insecure connections.
+ // Notify users of the 'LIBPROCESS_SSL_SUPPORT_DOWNGRADE' flag that
+ // this setting allows insecure connections.
if (network::openssl::flags().support_downgrade) {
LOG(WARNING) <<
"Failed SSL connections will be downgraded to a non-SSL socket";
http://git-wip-us.apache.org/repos/asf/mesos/blob/05cc040c/3rdparty/libprocess/src/tests/ssl_client.cpp
----------------------------------------------------------------------
diff --git a/3rdparty/libprocess/src/tests/ssl_client.cpp b/3rdparty/libprocess/src/tests/ssl_client.cpp
index 6b43cfc..dffd9ff 100644
--- a/3rdparty/libprocess/src/tests/ssl_client.cpp
+++ b/3rdparty/libprocess/src/tests/ssl_client.cpp
@@ -45,8 +45,9 @@ using std::string;
/**
* The flags that control the test SSL client behavior.
*
- * These flags augment the environment variables prefixed by 'SSL_'
- * that are introduced by @see process::network::openssl::Flags.
+ * These flags augment the environment variables prefixed by
+ * 'LIBPROCESS_SSL_' that are introduced by @see
+ * process::network::openssl::Flags.
*/
class Flags : public virtual flags::FlagsBase
{
@@ -56,8 +57,8 @@ public:
add(&Flags::use_ssl,
"use_ssl",
"Whether to try and connect using an SSL based socket. This is "
- "separate from whether SSL_ENABLED is set. We use this for "
- "testing failure cases.",
+ "separate from whether LIBPROCESS_SSL_ENABLED is set. We use "
+ "this for testing failure cases.",
true);
add(&Flags::data,
http://git-wip-us.apache.org/repos/asf/mesos/blob/05cc040c/3rdparty/libprocess/src/tests/ssl_tests.cpp
----------------------------------------------------------------------
diff --git a/3rdparty/libprocess/src/tests/ssl_tests.cpp b/3rdparty/libprocess/src/tests/ssl_tests.cpp
index 72432ec..a5ac039 100644
--- a/3rdparty/libprocess/src/tests/ssl_tests.cpp
+++ b/3rdparty/libprocess/src/tests/ssl_tests.cpp
@@ -110,7 +110,7 @@ INSTANTIATE_TEST_CASE_P(SSLVerifyIPAdd,
// Ensure that we can't create an SSL socket when SSL is not enabled.
TEST(SSL, Disabled)
{
- os::setenv("SSL_ENABLED", "false");
+ os::setenv("LIBPROCESS_SSL_ENABLED", "false");
openssl::reinitialize();
EXPECT_ERROR(Socket::create(Socket::SSL));
}
@@ -120,13 +120,13 @@ TEST(SSL, Disabled)
// process.
TEST_P(SSLTest, BasicSameProcess)
{
- os::setenv("SSL_ENABLED", "true");
- os::setenv("SSL_KEY_FILE", key_path().string());
- os::setenv("SSL_CERT_FILE", certificate_path().string());
- os::setenv("SSL_REQUIRE_CERT", "true");
- os::setenv("SSL_CA_DIR", os::getcwd());
- os::setenv("SSL_CA_FILE", certificate_path().string());
- os::setenv("SSL_VERIFY_IPADD", GetParam());
+ os::setenv("LIBPROCESS_SSL_ENABLED", "true");
+ os::setenv("LIBPROCESS_SSL_KEY_FILE", key_path().string());
+ os::setenv("LIBPROCESS_SSL_CERT_FILE", certificate_path().string());
+ os::setenv("LIBPROCESS_SSL_REQUIRE_CERT", "true");
+ os::setenv("LIBPROCESS_SSL_CA_DIR", os::getcwd());
+ os::setenv("LIBPROCESS_SSL_CA_FILE", certificate_path().string());
+ os::setenv("LIBPROCESS_SSL_VERIFY_IPADD", GetParam());
openssl::reinitialize();
@@ -180,15 +180,15 @@ TEST_P(SSLTest, BasicSameProcess)
TEST_F(SSLTest, SSLSocket)
{
Try<Socket> server = setup_server({
- {"SSL_ENABLED", "true"},
- {"SSL_KEY_FILE", key_path().string()},
- {"SSL_CERT_FILE", certificate_path().string()}});
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()}});
ASSERT_SOME(server);
Try<Subprocess> client = launch_client({
- {"SSL_ENABLED", "true"},
- {"SSL_KEY_FILE", key_path().string()},
- {"SSL_CERT_FILE", certificate_path().string()}},
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()}},
server.get(),
true);
ASSERT_SOME(client);
@@ -209,15 +209,15 @@ TEST_F(SSLTest, SSLSocket)
TEST_F(SSLTest, NonSSLSocket)
{
Try<Socket> server = setup_server({
- {"SSL_ENABLED", "true"},
- {"SSL_KEY_FILE", key_path().string()},
- {"SSL_CERT_FILE", certificate_path().string()}});
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()}});
ASSERT_SOME(server);
Try<Subprocess> client = launch_client({
- {"SSL_ENABLED", "true"},
- {"SSL_KEY_FILE", key_path().string()},
- {"SSL_CERT_FILE", certificate_path().string()}},
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()}},
server.get(),
false);
ASSERT_SOME(client);
@@ -231,23 +231,24 @@ TEST_F(SSLTest, NonSSLSocket)
// Ensure that a certificate that was not generated using the
// certificate authority is still allowed to communicate as long as
-// the SSL_VERIFY_CERT and SSL_REQUIRE_CERT flags are disabled.
+// the LIBPROCESS_SSL_VERIFY_CERT and LIBPROCESS_SSL_REQUIRE_CERT
+// flags are disabled.
TEST_F(SSLTest, NoVerifyBadCA)
{
Try<Socket> server = setup_server({
- {"SSL_ENABLED", "true"},
- {"SSL_KEY_FILE", key_path().string()},
- {"SSL_CERT_FILE", certificate_path().string()},
- {"SSL_VERIFY_CERT", "false"},
- {"SSL_REQUIRE_CERT", "false"}});
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()},
+ {"LIBPROCESS_SSL_VERIFY_CERT", "false"},
+ {"LIBPROCESS_SSL_REQUIRE_CERT", "false"}});
ASSERT_SOME(server);
Try<Subprocess> client = launch_client({
- {"SSL_ENABLED", "true"},
- {"SSL_KEY_FILE", scrap_key_path().string()},
- {"SSL_CERT_FILE", scrap_certificate_path().string()},
- {"SSL_REQUIRE_CERT", "true"},
- {"SSL_CA_FILE", certificate_path().string()}},
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", scrap_key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", scrap_certificate_path().string()},
+ {"LIBPROCESS_SSL_REQUIRE_CERT", "true"},
+ {"LIBPROCESS_SSL_CA_FILE", certificate_path().string()}},
server.get(),
true);
ASSERT_SOME(client);
@@ -265,21 +266,21 @@ TEST_F(SSLTest, NoVerifyBadCA)
// Ensure that a certificate that was not generated using the
// certificate authority is NOT allowed to communicate when the
-// SSL_REQUIRE_CERT flag is enabled.
+// LIBPROCESS_SSL_REQUIRE_CERT flag is enabled.
TEST_F(SSLTest, RequireBadCA)
{
Try<Socket> server = setup_server({
- {"SSL_ENABLED", "true"},
- {"SSL_KEY_FILE", key_path().string()},
- {"SSL_CERT_FILE", certificate_path().string()},
- {"SSL_REQUIRE_CERT", "true"}});
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()},
+ {"LIBPROCESS_SSL_REQUIRE_CERT", "true"}});
ASSERT_SOME(server);
Try<Subprocess> client = launch_client({
- {"SSL_ENABLED", "true"},
- {"SSL_KEY_FILE", scrap_key_path().string()},
- {"SSL_CERT_FILE", scrap_certificate_path().string()},
- {"SSL_REQUIRE_CERT", "false"}},
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", scrap_key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", scrap_certificate_path().string()},
+ {"LIBPROCESS_SSL_REQUIRE_CERT", "false"}},
server.get(),
true);
ASSERT_SOME(client);
@@ -293,21 +294,21 @@ TEST_F(SSLTest, RequireBadCA)
// Ensure that a certificate that was not generated using the
// certificate authority is NOT allowed to communicate when the
-// SSL_VERIFY_CERT flag is enabled.
+// LIBPROCESS_SSL_VERIFY_CERT flag is enabled.
TEST_F(SSLTest, VerifyBadCA)
{
Try<Socket> server = setup_server({
- {"SSL_ENABLED", "true"},
- {"SSL_KEY_FILE", key_path().string()},
- {"SSL_CERT_FILE", certificate_path().string()},
- {"SSL_VERIFY_CERT", "true"}});
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()},
+ {"LIBPROCESS_SSL_VERIFY_CERT", "true"}});
ASSERT_SOME(server);
Try<Subprocess> client = launch_client({
- {"SSL_ENABLED", "true"},
- {"SSL_KEY_FILE", scrap_key_path().string()},
- {"SSL_CERT_FILE", scrap_certificate_path().string()},
- {"SSL_REQUIRE_CERT", "false"}},
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", scrap_key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", scrap_certificate_path().string()},
+ {"LIBPROCESS_SSL_REQUIRE_CERT", "false"}},
server.get(),
true);
ASSERT_SOME(client);
@@ -320,22 +321,24 @@ TEST_F(SSLTest, VerifyBadCA)
// Ensure that a certificate that WAS generated using the certificate
-// authority is NOT allowed to communicate when the SSL_VERIFY_CERT
-// flag is enabled.
+// authority IS allowed to communicate when the
+// LIBPROCESS_SSL_VERIFY_CERT flag is enabled.
TEST_F(SSLTest, VerifyCertificate)
{
Try<Socket> server = setup_server({
- {"SSL_ENABLED", "true"},
- {"SSL_KEY_FILE", key_path().string()},
- {"SSL_CERT_FILE", certificate_path().string()},
- {"SSL_VERIFY_CERT", "true"}});
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()},
+ {"LIBPROCESS_SSL_CA_FILE", certificate_path().string()},
+ {"LIBPROCESS_SSL_VERIFY_CERT", "true"}});
ASSERT_SOME(server);
Try<Subprocess> client = launch_client({
- {"SSL_ENABLED", "true"},
- {"SSL_KEY_FILE", key_path().string()},
- {"SSL_CERT_FILE", certificate_path().string()},
- {"SSL_REQUIRE_CERT", "true"}},
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()},
+ {"LIBPROCESS_SSL_CA_FILE", certificate_path().string()},
+ {"LIBPROCESS_SSL_REQUIRE_CERT", "true"}},
server.get(),
true);
ASSERT_SOME(client);
@@ -352,24 +355,26 @@ TEST_F(SSLTest, VerifyCertificate)
// Ensure that a certificate that WAS generated using the certificate
-// authority is NOT allowed to communicate when the SSL_REQUIRE_CERT
-// flag is enabled.
+// authority IS allowed to communicate when the
+// LIBPROCESS_SSL_REQUIRE_CERT flag is enabled.
TEST_P(SSLTest, RequireCertificate)
{
Try<Socket> server = setup_server({
- {"SSL_ENABLED", "true"},
- {"SSL_KEY_FILE", key_path().string()},
- {"SSL_CERT_FILE", certificate_path().string()},
- {"SSL_REQUIRE_CERT", "true"},
- {"SSL_VERIFY_IPADD", GetParam()}});
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()},
+ {"LIBPROCESS_SSL_CA_FILE", certificate_path().string()},
+ {"LIBPROCESS_SSL_REQUIRE_CERT", "true"},
+ {"LIBPROCESS_SSL_VERIFY_IPADD", GetParam()}});
ASSERT_SOME(server);
Try<Subprocess> client = launch_client({
- {"SSL_ENABLED", "true"},
- {"SSL_KEY_FILE", key_path().string()},
- {"SSL_CERT_FILE", certificate_path().string()},
- {"SSL_REQUIRE_CERT", "true"},
- {"SSL_VERIFY_IPADD", GetParam()}},
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()},
+ {"LIBPROCESS_SSL_CA_FILE", certificate_path().string()},
+ {"LIBPROCESS_SSL_REQUIRE_CERT", "true"},
+ {"LIBPROCESS_SSL_VERIFY_IPADD", GetParam()}},
server.get(),
true);
ASSERT_SOME(client);
@@ -390,11 +395,11 @@ static const vector<string> protocols = {
// OpenSSL can be compiled with SSLV3 disabled completely, so we
// conditionally test for this protocol.
#ifndef OPENSSL_NO_SSL3
- "SSL_ENABLE_SSL_V3",
+ "LIBPROCESS_SSL_ENABLE_SSL_V3",
#endif
- "SSL_ENABLE_TLS_V1_0",
- "SSL_ENABLE_TLS_V1_1",
- "SSL_ENABLE_TLS_V1_2"
+ "LIBPROCESS_SSL_ENABLE_TLS_V1_0",
+ "LIBPROCESS_SSL_ENABLE_TLS_V1_1",
+ "LIBPROCESS_SSL_ENABLE_TLS_V1_2"
};
@@ -412,16 +417,16 @@ TEST_F(SSLTest, ProtocolMismatch)
// Set up the default server environment variables.
map<string, string> server_environment = {
- {"SSL_ENABLED", "true"},
- {"SSL_KEY_FILE", key_path().string()},
- {"SSL_CERT_FILE", certificate_path().string()}
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()}
};
// Set up the default client environment variables.
map<string, string> client_environment = {
- {"SSL_ENABLED", "true"},
- {"SSL_KEY_FILE", key_path().string()},
- {"SSL_CERT_FILE", certificate_path().string()},
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()},
};
// Disable all protocols except for the one we're testing.
@@ -471,15 +476,15 @@ TEST_F(SSLTest, ProtocolMismatch)
TEST_F(SSLTest, ValidDowngrade)
{
Try<Socket> server = setup_server({
- {"SSL_ENABLED", "true"},
- {"SSL_SUPPORT_DOWNGRADE", "true"},
- {"SSL_KEY_FILE", key_path().string()},
- {"SSL_CERT_FILE", certificate_path().string()},
- {"SSL_REQUIRE_CERT", "true"}});
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_SUPPORT_DOWNGRADE", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()},
+ {"LIBPROCESS_SSL_REQUIRE_CERT", "true"}});
ASSERT_SOME(server);
Try<Subprocess> client = launch_client({
- {"SSL_ENABLED", "false"}},
+ {"LIBPROCESS_SSL_ENABLED", "false"}},
server.get(),
false);
ASSERT_SOME(client);
@@ -500,15 +505,15 @@ TEST_F(SSLTest, ValidDowngrade)
TEST_F(SSLTest, NoValidDowngrade)
{
Try<Socket> server = setup_server({
- {"SSL_ENABLED", "true"},
- {"SSL_SUPPORT_DOWNGRADE", "false"},
- {"SSL_KEY_FILE", key_path().string()},
- {"SSL_CERT_FILE", certificate_path().string()},
- {"SSL_REQUIRE_CERT", "true"}});
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_SUPPORT_DOWNGRADE", "false"},
+ {"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()},
+ {"LIBPROCESS_SSL_REQUIRE_CERT", "true"}});
ASSERT_SOME(server);
Try<Subprocess> client = launch_client({
- {"SSL_ENABLED", "false"}},
+ {"LIBPROCESS_SSL_ENABLED", "false"}},
server.get(),
false);
ASSERT_SOME(client);
@@ -530,10 +535,10 @@ TEST_F(SSLTest, ValidDowngradeEachProtocol)
// Set up the default server environment variables.
map<string, string> server_environment = {
- {"SSL_ENABLED", "true"},
- {"SSL_SUPPORT_DOWNGRADE", "true"},
- {"SSL_KEY_FILE", key_path().string()},
- {"SSL_CERT_FILE", certificate_path().string()}
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_SUPPORT_DOWNGRADE", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()}
};
// Disable all protocols except for the one we're testing.
@@ -549,7 +554,7 @@ TEST_F(SSLTest, ValidDowngradeEachProtocol)
// Launch the client with a POLL socket.
Try<Subprocess> client = launch_client({
- {"SSL_ENABLED", "false"}},
+ {"LIBPROCESS_SSL_ENABLED", "false"}},
server.get(),
false);
ASSERT_SOME(client);
@@ -577,10 +582,10 @@ TEST_F(SSLTest, NoValidDowngradeEachProtocol)
// Set up the default server environment variables.
map<string, string> server_environment = {
- {"SSL_ENABLED", "true"},
- {"SSL_SUPPORT_DOWNGRADE", "false"},
- {"SSL_KEY_FILE", key_path().string()},
- {"SSL_CERT_FILE", certificate_path().string()}
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_SUPPORT_DOWNGRADE", "false"},
+ {"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()}
};
// Disable all protocols except for the one we're testing.
@@ -596,7 +601,7 @@ TEST_F(SSLTest, NoValidDowngradeEachProtocol)
// Launch the client with a POLL socket.
Try<Subprocess> client = launch_client({
- {"SSL_ENABLED", "false"}},
+ {"LIBPROCESS_SSL_ENABLED", "false"}},
server.get(),
false);
ASSERT_SOME(client);
@@ -613,9 +618,9 @@ TEST_F(SSLTest, NoValidDowngradeEachProtocol)
TEST_F(SSLTest, PeerAddress)
{
Try<Socket> server = setup_server({
- {"SSL_ENABLED", "true"},
- {"SSL_KEY_FILE", key_path().string()},
- {"SSL_CERT_FILE", certificate_path().string()}});
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()}});
ASSERT_SOME(server);
const Try<Socket> client_create = Socket::create(Socket::SSL);
@@ -650,9 +655,9 @@ TEST_F(SSLTest, PeerAddress)
TEST_F(SSLTest, HTTPSGet)
{
Try<Socket> server = setup_server({
- {"SSL_ENABLED", "true"},
- {"SSL_KEY_FILE", key_path().string()},
- {"SSL_CERT_FILE", certificate_path().string()}});
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()}});
ASSERT_SOME(server);
ASSERT_SOME(server.get().address());
@@ -690,9 +695,9 @@ TEST_F(SSLTest, HTTPSGet)
TEST_F(SSLTest, HTTPSPost)
{
Try<Socket> server = setup_server({
- {"SSL_ENABLED", "true"},
- {"SSL_KEY_FILE", key_path().string()},
- {"SSL_CERT_FILE", certificate_path().string()}});
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()}});
ASSERT_SOME(server);
ASSERT_SOME(server.get().address());
@@ -734,9 +739,9 @@ TEST_F(SSLTest, HTTPSPost)
TEST_F(SSLTest, SilentSocket)
{
Try<Socket> server = setup_server({
- {"SSL_ENABLED", "true"},
- {"SSL_KEY_FILE", key_path().string()},
- {"SSL_CERT_FILE", certificate_path().string()}});
+ {"LIBPROCESS_SSL_ENABLED", "true"},
+ {"LIBPROCESS_SSL_KEY_FILE", key_path().string()},
+ {"LIBPROCESS_SSL_CERT_FILE", certificate_path().string()}});
ASSERT_SOME(server);
ASSERT_SOME(server->address());
[2/4] mesos git commit: Updated the document about SSL env variables.
Posted by ji...@apache.org.
Updated the document about SSL env variables.
Review: https://reviews.apache.org/r/50262
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/a1584621
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/a1584621
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/a1584621
Branch: refs/heads/1.0.x
Commit: a15846210ccad97c3d1ba44578e978567b9c4456
Parents: 05cc040
Author: Jie Yu <yu...@gmail.com>
Authored: Wed Jul 20 13:58:10 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Wed Jul 20 15:15:43 2016 -0700
----------------------------------------------------------------------
docs/ssl.md | 48 +++++++++++++++++++++++++-----------------------
1 file changed, 25 insertions(+), 23 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/a1584621/docs/ssl.md
----------------------------------------------------------------------
diff --git a/docs/ssl.md b/docs/ssl.md
index 64f63b7..2f7d928 100644
--- a/docs/ssl.md
+++ b/docs/ssl.md
@@ -21,13 +21,15 @@ Before building Mesos 0.23.0 from source, assuming you have installed the requir
# Running
Once you have successfully built and installed your new binaries, here are the environment variables that are applicable to the `Master`, `Agent`, `Framework Scheduler/Executor`, or any `libprocess process`:
-#### SSL_ENABLED=(false|0,true|1) [default=false|0]
-Turn on or off SSL. When it is turned off it is the equivalent of default mesos with libevent as the backing for events. All sockets default to the non-SSL implementation. When it is turned on, the default configuration for sockets is SSL. This means outgoing connections will use SSL, and incoming connections will be expected to speak SSL as well. None of the below flags are relevant if SSL is not enabled. If SSL is enabled, `SSL_CERT_FILE` and `SSL_KEY_FILE` must be supplied.
+NOTE: Prior to 1.0, the SSL related environment variables used to be prefixed by `SSL_`. However, we found that they may collide with other programs and lead to unexpected results (e.g., openssl, see [MESOS-5863](https://issues.apache.org/jira/browse/MESOS-5863) for details). To be backward compatible, we accept environment variables prefixed by both `SSL_` or `LIBPROCESS_SSL_`. New users should use the `LIBPROCESS_SSL_` version.
-#### SSL_SUPPORT_DOWNGRADE=(false|0,true|1) [default=false|0]
+#### LIBPROCESS_SSL_ENABLED=(false|0,true|1) [default=false|0]
+Turn on or off SSL. When it is turned off it is the equivalent of default mesos with libevent as the backing for events. All sockets default to the non-SSL implementation. When it is turned on, the default configuration for sockets is SSL. This means outgoing connections will use SSL, and incoming connections will be expected to speak SSL as well. None of the below flags are relevant if SSL is not enabled. If SSL is enabled, `LIBPROCESS_SSL_CERT_FILE` and `LIBPROCESS_SSL_KEY_FILE` must be supplied.
+
+#### LIBPROCESS_SSL_SUPPORT_DOWNGRADE=(false|0,true|1) [default=false|0]
Control whether or not non-SSL connections can be established. If this is enabled __on the accepting side__, then the accepting side will downgrade to a non-SSL socket if the connecting side is attempting to communicate via non-SSL. (e.g. HTTP). See [Upgrading Your Cluster](#Upgrading) for more details.
-#### SSL_KEY_FILE=(path to key)
+#### LIBPROCESS_SSL_KEY_FILE=(path to key)
The location of the private key used by OpenSSL.
~~~
@@ -35,7 +37,7 @@ The location of the private key used by OpenSSL.
openssl genrsa -des3 -f4 -passout pass:some_password -out key.pem 4096
~~~
-#### SSL_CERT_FILE=(path to certificate)
+#### LIBPROCESS_SSL_CERT_FILE=(path to certificate)
The location of the certificate that will be presented.
~~~
@@ -43,31 +45,31 @@ The location of the certificate that will be presented.
openssl req -new -x509 -passin pass:some_password -days 365 -key key.pem -out cert.pem
~~~
-#### SSL_VERIFY_CERT=(false|0,true|1) [default=false|0]
-Control whether certificates are verified when presented. If this is false, even when a certificate is presented, it will not be verified. When `SSL_REQUIRE_CERT` is true, `SSL_VERIFY_CERT` is overridden and all certificates will be verified _and_ required.
+#### LIBPROCESS_SSL_VERIFY_CERT=(false|0,true|1) [default=false|0]
+Control whether certificates are verified when presented. If this is false, even when a certificate is presented, it will not be verified. When `LIBPROCESS_SSL_REQUIRE_CERT` is true, `LIBPROCESS_SSL_VERIFY_CERT` is overridden and all certificates will be verified _and_ required.
-#### SSL_REQUIRE_CERT=(false|0,true|1) [default=false|0]
+#### LIBPROCESS_SSL_REQUIRE_CERT=(false|0,true|1) [default=false|0]
Enforce that certificates must be presented by connecting clients. This means all connections (including tools hitting endpoints) must present valid certificates in order to establish a connection.
-#### SSL_VERIFY_DEPTH=(N) [default=4]
+#### LIBPROCESS_SSL_VERIFY_DEPTH=(N) [default=4]
The maximum depth used to verify certificates. The default is 4. See the OpenSSL documentation or contact your system administrator to learn why you may want to change this.
-#### SSL_VERIFY_IPADD=(false|0,true|1) [default=false|0]
+#### LIBPROCESS_SSL_VERIFY_IPADD=(false|0,true|1) [default=false|0]
Enable IP address verification in the certificate subject alternative name extension. When set to `true` the peer certificate verification will additionally use the IP address of a peer connection. When a hostname of the peer as well as its IP address are available, the validation will succeed when either the hostname or the IP match.
-#### SSL_CA_DIR=(path to CA directory)
-The directory used to find the certificate authority / authorities. You can specify `SSL_CA_DIR` or `SSL_CA_FILE` depending on how you want to restrict your certificate authorization.
+#### LIBPROCESS_SSL_CA_DIR=(path to CA directory)
+The directory used to find the certificate authority / authorities. You can specify `LIBPROCESS_SSL_CA_DIR` or `LIBPROCESS_SSL_CA_FILE` depending on how you want to restrict your certificate authorization.
-#### SSL_CA_FILE=(path to CA file)
-The file used to find the certificate authority. You can specify `SSL_CA_DIR` or `SSL_CA_FILE` depending on how you want to restrict your certificate authorization.
+#### LIBPROCESS_SSL_CA_FILE=(path to CA file)
+The file used to find the certificate authority. You can specify `LIBPROCESS_SSL_CA_DIR` or `LIBPROCESS_SSL_CA_FILE` depending on how you want to restrict your certificate authorization.
-#### SSL_CIPHERS=(accepted ciphers separated by ':') [default=AES128-SHA:AES256-SHA:RC4-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA]
+#### LIBPROCESS_SSL_CIPHERS=(accepted ciphers separated by ':') [default=AES128-SHA:AES256-SHA:RC4-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA]
A list of `:`-separated ciphers. Use these if you want to restrict or open up the accepted ciphers for OpenSSL. Read the OpenSSL documentation or contact your system administrators to see whether you want to override the default values.
-#### SSL_ENABLE_SSL_V3=(false|0,true|1) [default=false|0]
-#### SSL_ENABLE_TLS_V1_0=(false|0,true|1) [default=false|0]
-#### SSL_ENABLE_TLS_V1_1=(false|0,true|1) [default=false|0]
-#### SSL_ENABLE_TLS_V1_2=(false|0,true|1) [default=true|1]
+#### LIBPROCESS_SSL_ENABLE_SSL_V3=(false|0,true|1) [default=false|0]
+#### LIBPROCESS_SSL_ENABLE_TLS_V1_0=(false|0,true|1) [default=false|0]
+#### LIBPROCESS_SSL_ENABLE_TLS_V1_1=(false|0,true|1) [default=false|0]
+#### LIBPROCESS_SSL_ENABLE_TLS_V1_2=(false|0,true|1) [default=true|1]
The above switches enable / disable the specified protocols. By default only TLS V1.2 is enabled. SSL V2 is always disabled; there is no switch to enable it. The mentality here is to restrict security by default, and force users to open it up explicitly. Many older version of the protocols have known vulnerabilities, so only enable these if you fully understand the risks.
_SSLv2 is disabled completely because modern versions of OpenSSL disable it using multiple compile time configuration options._
#<a name="Dependencies"></a>Dependencies
@@ -96,19 +98,19 @@ The recommended strategy is to restart all your components to enable SSL with do
~~~
// Restart each component with downgrade support (master, agent, framework):
-SSL_ENABLED=true SSL_SUPPORT_DOWNGRADE=true SSL_KEY_FILE=<path-to-your-private-key> SSL_CERT_FILE=<path-to-your-certificate> <Any other SSL_* environment variables you may choose> <your-component (e.g. bin/master.sh)> <your-flags>
+LIBPROCESS_SSL_ENABLED=true LIBPROCESS_SSL_SUPPORT_DOWNGRADE=true LIBPROCESS_SSL_KEY_FILE=<path-to-your-private-key> LIBPROCESS_SSL_CERT_FILE=<path-to-your-certificate> <Any other LIBPROCESS_SSL_* environment variables you may choose> <your-component (e.g. bin/master.sh)> <your-flags>
// Restart each component WITHOUT downgrade support (master, agent, framework):
-SSL_ENABLED=true SSL_SUPPORT_DOWNGRADE=false SSL_KEY_FILE=<path-to-your-private-key> SSL_CERT_FILE=<path-to-your-certificate> <Any other SSL_* environment variables you may choose> <your-component (e.g. bin/master.sh)> <your-flags>
+LIBPROCESS_SSL_ENABLED=true LIBPROCESS_SSL_SUPPORT_DOWNGRADE=false LIBPROCESS_SSL_KEY_FILE=<path-to-your-private-key> LIBPROCESS_SSL_CERT_FILE=<path-to-your-certificate> <Any other LIBPROCESS_SSL_* environment variables you may choose> <your-component (e.g. bin/master.sh)> <your-flags>
~~~
Executors must be able to access the SSL environment variables and the files referred to by those variables. Environment variables can be provided to an executor by specifying `CommandInfo.environment` or by using the agent's `--executor_environment_variables` command line flag. If the agent and the executor are running in separate containers, `ContainerInfo.volumes` can be used to mount SSL files from the host into the executor's container.
The end state is a cluster that is only communicating with SSL.
-__NOTE:__ Any tools you may use that communicate with your components must be able to speak SSL, or they will be denied. You may choose to maintain `SSL_SUPPORT_DOWNGRADE=true` for some time as you upgrade your internal tooling. The advantage of `SSL_SUPPORT_DOWNGRADE=true` is that all components that speak SSL will do so, while other components may still communicate over insecure channels.
+__NOTE:__ Any tools you may use that communicate with your components must be able to speak SSL, or they will be denied. You may choose to maintain `LIBPROCESS_SSL_SUPPORT_DOWNGRADE=true` for some time as you upgrade your internal tooling. The advantage of `LIBPROCESS_SSL_SUPPORT_DOWNGRADE=true` is that all components that speak SSL will do so, while other components may still communicate over insecure channels.
# <a name="WebUI"></a>WebUI
-The default Mesos WebUI uses relative links. Some of these links transition between endpoints served by the master and agents. The WebUI currently does not have enough information to change the 'http' vs 'https' links based on whether the target endpoint is currently being served by an SSL-enabled binary. This may cause certain links in the WebUI to be broken when a cluster is in a transition state between SSL and non-SSL. Any tools that hit these endpoints will still be able to access them as long as they hit the endpoint using the right protocol, or the `SSL_SUPPORT_DOWNGRADE` option is set to true.
+The default Mesos WebUI uses relative links. Some of these links transition between endpoints served by the master and agents. The WebUI currently does not have enough information to change the 'http' vs 'https' links based on whether the target endpoint is currently being served by an SSL-enabled binary. This may cause certain links in the WebUI to be broken when a cluster is in a transition state between SSL and non-SSL. Any tools that hit these endpoints will still be able to access them as long as they hit the endpoint using the right protocol, or the `LIBPROCESS_SSL_SUPPORT_DOWNGRADE` option is set to true.
__NOTE:__ Frameworks with their own WebUI will need to add HTTPS support separately.
[3/4] mesos git commit: Updated 1.0 CHANGELOG about an SSL fix.
Posted by ji...@apache.org.
Updated 1.0 CHANGELOG about an SSL fix.
Review: https://reviews.apache.org/r/50265
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/3551932e
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/3551932e
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/3551932e
Branch: refs/heads/1.0.x
Commit: 3551932edb4433f64b94b81ad0b361d0538a951e
Parents: a158462
Author: Jie Yu <yu...@gmail.com>
Authored: Wed Jul 20 14:37:43 2016 -0700
Committer: Jie Yu <yu...@gmail.com>
Committed: Wed Jul 20 15:15:43 2016 -0700
----------------------------------------------------------------------
CHANGELOG | 4 ++++
1 file changed, 4 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/3551932e/CHANGELOG
----------------------------------------------------------------------
diff --git a/CHANGELOG b/CHANGELOG
index fa866b2..e4f91cb 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -141,6 +141,9 @@ Deprecations:
* [MESOS-5666] - Deprecated camel cased `taskInfo` and `executorInfo` in
isolator `ContainerConfig`.
+ * [MESOS-5863] - Deprecated `SSL_*` environment variables used by libprocess
+ SSL support in favor of using `LIBPROCESS_SSL_*`.
+
Additional API Changes:
* [MESOS-4580] - Returning `202` (Accepted) for /reserve and related endpoints.
@@ -408,6 +411,7 @@ All Issues:
* [MESOS-5794] - Agent's /containers endpoint should skip terminated executors.
* [MESOS-5799] - docker::inspect() may get wrong output when a docker container is not in "running" state
* [MESOS-5806] - CNI isolator should prepare network related /etc/* files for containers using host mode but specify container images
+ * [MESOS-5863] - Enabling SSL causes fetcher fail to fetch from HTTPS sites.
** Documentation
* [MESOS-4381] - Improve upgrade compatibility documentation.