Posted to user@mesos.apache.org by John Webb <we...@hotmail.com> on 2015/06/04 18:42:46 UTC

Mesos Security Recommendations

All,
I'm looking for some recommendations on how to encrypt Mesos Slave & Framework communication to the Mesos Master until Mesos v0.23 is released which will include SSL support. I'm concerned about having the slave & framework user/password being sent across our network in clear text.
I would especially like to hear from people who are actually running Mesos in a production environment.
Thanks,
John Webb

Re: Mesos Security Recommendations

Posted by Vinod Kone <vi...@gmail.com>.
On Thu, Jun 4, 2015 at 5:12 PM, John Sirois <jo...@gmail.com> wrote:

> It's not a design doc, but the issue breakdown spells out much:
> https://issues.apache.org/jira/browse/MESOS-910
>

Joris will be sending out a doc soon (O(week))!

Re: Mesos Security Recommendations

Posted by John Sirois <jo...@gmail.com>.
On Thu, Jun 4, 2015 at 5:58 PM, Kevin Sweeney <ke...@apache.org> wrote:

> Jeff, have you successfully run stunnel with a Mesos cluster? I'd
> anticipate it to be a bit difficult due to the way that slaves dynamically
> discover masters via zookeeper. If I remember correctly, with stunnel you
> need to configure all the tunnels beforehand, which would mean that every
> master would need to enumerate every possible slave beforehand, and
> vice-versa.
>
> IMO that fairly severely limits the reliability of the system.
>
> By the way, is there a design doc for how TLS between slave and master is
> going to be implemented in 0.23.0?
>

It's not a design doc, but the issue breakdown spells out much:
https://issues.apache.org/jira/browse/MESOS-910


>
> On Thu, Jun 4, 2015 at 4:30 PM, Jeff Schroeder <jeffschroeder@computer.org>
> wrote:
>
>> For securing insecure network communication you can use something like
>> stunnel, then point the app at the local stunnel. It would be a fair bit of
>> hoops to configure it all with any your config management system, but is
>> totally doable.
>>
>>
>> On Thursday, June 4, 2015, John Webb <we...@hotmail.com> wrote:
>>
>>> All,
>>>
>>> I'm looking for some recommendations on how to encrypt Mesos Slave &
>>> Framework communication to the Mesos Master until Mesos v0.23 is released
>>> which will include SSL support. I'm concerned about having the slave &
>>> framework user/password being sent across our network in clear text.
>>>
>>> I would especially like to hear from people who are actually running Mesos
>>> in a production environment.
>>>
>>> Thanks,
>>> John Webb
>>>
>>
>>
>> --
>> Text by Jeff, typos by iPhone
>>
>
>

Re: Mesos Security Recommendations

Posted by Kevin Sweeney <ke...@apache.org>.
Jeff, have you successfully run stunnel with a Mesos cluster? I'd
anticipate it to be a bit difficult due to the way that slaves dynamically
discover masters via zookeeper. If I remember correctly, with stunnel you
need to configure all the tunnels beforehand, which would mean that every
master would need to enumerate every possible slave beforehand, and
vice-versa.

IMO that fairly severely limits the reliability of the system.

By the way, is there a design doc for how TLS between slave and master is
going to be implemented in 0.23.0?

On Thu, Jun 4, 2015 at 4:30 PM, Jeff Schroeder <je...@computer.org>
wrote:

> For securing insecure network communication you can use something like
> stunnel, then point the app at the local stunnel. It would be a fair bit of
> hoops to configure it all with any your config management system, but is
> totally doable.
>
>
> On Thursday, June 4, 2015, John Webb <we...@hotmail.com> wrote:
>
>> All,
>>
>> I'm looking for some recommendations on how to encrypt Mesos Slave &
>> Framework communication to the Mesos Master until Mesos v0.23 is released
>> which will include SSL support. I'm concerned about having the slave &
>> framework user/password being sent across our network in clear text.
>>
>> I would especially like to hear from people who are actually running Mesos in
>> a production environment.
>>
>> Thanks,
>> John Webb
>>
>
>
> --
> Text by Jeff, typos by iPhone
>

Re: Mesos Security Recommendations

Posted by Jeff Schroeder <je...@computer.org>.
For securing insecure network communication you can use something like
stunnel, then point the app at the local stunnel. It would be a fair bit of
hoops to configure it all with any your config management system, but is
totally doable.

On Thursday, June 4, 2015, John Webb <we...@hotmail.com> wrote:

> All,
>
> I'm looking for some recommendations on how to encrypt Mesos Slave &
> Framework communication to the Mesos Master until Mesos v0.23 is released
> which will include SSL support. I'm concerned about having the slave &
> framework user/password being sent across our network in clear text.
>
> I would especially like to hear from people who are actually running Mesos in
> a production environment.
>
> Thanks,
> John Webb
>


-- 
Text by Jeff, typos by iPhone