Posted to commits@mesos.apache.org by me...@apache.org on 2016/03/13 12:08:34 UTC

[2/2] mesos git commit: Documented how to make executors work with SSL.

Documented how to make executors work with SSL.

Review: https://reviews.apache.org/r/44620/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/477b9ab8
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/477b9ab8
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/477b9ab8

Branch: refs/heads/master
Commit: 477b9ab8ac18c2c66b5e83f98716dbe56c7ce93e
Parents: 37eff33
Author: Jan Schlicht <ja...@mesosphere.io>
Authored: Sun Mar 13 00:41:02 2016 -0800
Committer: Adam B <ad...@mesosphere.io>
Committed: Sun Mar 13 00:52:24 2016 -0800

----------------------------------------------------------------------
 docs/ssl.md | 2 ++
 1 file changed, 2 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/477b9ab8/docs/ssl.md
----------------------------------------------------------------------
diff --git a/docs/ssl.md b/docs/ssl.md
index 3de2a3e..6c5aec3 100644
--- a/docs/ssl.md
+++ b/docs/ssl.md
@@ -98,6 +98,8 @@ SSL_ENABLED=true SSL_SUPPORT_DOWNGRADE=true SSL_KEY_FILE=<path-to-your-private-k
 // Restart each component WITHOUT downgrade support (master, slave, framework):
 SSL_ENABLED=true SSL_SUPPORT_DOWNGRADE=false SSL_KEY_FILE=<path-to-your-private-key> SSL_CERT_FILE=<path-to-your-certificate> <Any other SSL_* environment variables you may choose> <your-component (e.g. bin/master.sh)> <your-flags>
 ~~~
+You need to make sure that executors are able to access the SSL environment variables and the files these variables are referring to. Executors can be provided with the environment variables by specifying them in `CommandInfo.environment` or by using the slave's `--executor_environment_variables` command line flag. If the slave and the executors are running in separate containers, `ContainerInfo.volumes` can be used to provide SSL files from the host to the executor's container.
+
 The end state is a cluster that is only communicating with SSL.
 
 __NOTE:__ Any tools you may use that communicate with your components must be able to speak SSL, or they will be denied. You may choose to maintain `SSL_SUPPORT_DOWNGRADE=true` for some time as you upgrade your internal tooling. The advantage of `SSL_SUPPORT_DOWNGRADE=true` is that all components that speak SSL will do so, while other components may still communicate over insecure channels.
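Review bot: The added paragraph tells operators to expose the files behind the SSL environment variables (including `SSL_KEY_FILE`) to executors through `ContainerInfo.volumes`, but it says nothing about protecting the private key once it is shared with the executor's container. Consider adding that the volume should be mounted read-only and that the key file should be readable only by the user the executor runs as. Two smaller points: the new line follows the closing `~~~` fence with no blank line before it, so add one so the paragraph renders separately from the code block. It also now sits between the restart steps and "The end state is a cluster that is only communicating with SSL.", which reads as the conclusion of those steps, so the executor paragraph may fit better after that sentence or after the NOTE.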