Posted to user@mesos.apache.org by Douglas Nelson <it...@gmail.com> on 2016/12/28 22:33:59 UTC

High Availability Mesos and Zookeeper Security

I was wondering how others are securing ZooKeeper on top of Mesos.

I'm running Mesos in HA mode on 3 AWS EC2 instances. A number of external
machines are set up as Mesos agents and SSL/authentication is enabled on
both ends (for Mesos and its frameworks). But to use HA mode the agents
have to communicate with ZK directly (and my ZK registry stores secure
information).

Is the recommended route to use an alpha version of ZK to enable SSL? Also,
does this play nicely with a Mesos agent's "master" flag? Any help would be
appreciated!

Re: High Availability Mesos and Zookeeper Security

Posted by Joseph Wu <jo...@mesosphere.io>.
Enabling SSL on ZooKeeper will likely not work, as the ZooKeeper C library
(which Mesos uses to talk to ZooKeeper) does not contain any concept of
SSL.  If they added SSL support to the C library in that alpha version, you
would need to bump the library in the Mesos code and rebuild, possibly with
other code changes.

On Wed, Dec 28, 2016 at 2:33 PM, Douglas Nelson <it...@gmail.com> wrote:

> I was wondering how others are securing ZooKeeper on top of Mesos.
>
> I'm running Mesos in HA mode on 3 AWS EC2 instances. A number of external
> machines are set up as Mesos agents and SSL/authentication is enabled on
> both ends (for Mesos and its frameworks). But to use HA mode the agents
> have to communicate with ZK directly (and my ZK registry stores secure
> information).
>
> Is the recommended route to use an alpha version of ZK to enable SSL?
> Also, does this play nicely with a Mesos agent's "master" flag? Any help
> would be appreciated!
>