Posted to user@mesos.apache.org by Gilbert Song <gi...@apache.org> on 2019/08/14 20:42:31 UTC
Re: Provisioning containers with configuration file via sandbox mount or copy via entrypoint.sh
It depends on how you want to manage the configuration files for your
containers - dynamic or static.

- Dynamic
   - Fetch via URI - you probably do not need your application
     entrypoint to fetch. Instead, Mesos and Marathon support fetching URIs to
     your container sandbox.
     http://mesos.apache.org/documentation/latest/fetcher/
   - Pass into the container as a file-based secret if it is sensitive.
     http://mesos.apache.org/documentation/latest/secrets/#file-based-secrets
   - Environment variable.
- Static
   - Host_path volume - mounting a host path or file into your container.
     http://mesos.apache.org/documentation/latest/container-volume/#host_path-volume-source
   - Build it into your container image if those configurations are not
     expected to be changed.
> Furthermore this page[1] says the sandbox is considered read only, yet
> the stdout and stderr are located there???
I think the document
<http://mesos.apache.org/documentation/latest/sandbox/#using-the-sandbox> means
that the sandbox is not expected to be touched by any 3rd party software or
people *other than* Mesos, executor and task/application.
-Gilbert
On Sun, Jul 21, 2019 at 3:22 AM Marc Roos <M....@f1-outsourcing.eu> wrote:
>
>
> What would be the advised way to add a configuration file to a container
> being used at startup. I am now fetching the files and then create an
> entrypoint.sh that copies this from the sandbox.
>
> Creating these custom entrypoints.sh is cumbersome. I thought about
> mounting the paths of the sandbox in the container but don't have a good
> example to get this working[0]. Furthermore this page[1] says the
> sandbox is considered read only, yet the stdout and stderr are located
> there???
>
> Is there a (security) advantage copying files from the sandbox at
> startup or just use a mount point?
>
> [0]
> https://www.mail-archive.com/user@mesos.apache.org/msg10445.html
>
> [1]
> http://mesos.apache.org/documentation/latest/sandbox/
>
RE: Provisioning containers with configuration file via sandbox mount or copy via entrypoint.sh
Posted by Marc Roos <M....@f1-outsourcing.eu>.
Hi Gilbert, thanks for the detailed reply, this secrets is very
interesting.
> * Fetch via URI - you probably do not need your application
> entrypoint to fetch. Instead Mesos and marathon supports fetching URIs
> to your container sandbox.
> http://mesos.apache.org/documentation/latest/fetcher/
This fetching is what I am doing now. I have containers with a default
configuration file. But when I need updates I am fetching with something
like this.

    "fetch": [
        { "uri": "file:///mnt/docker-images/haproxy.cfg",
          "executable": false,
          "extract": false,
          "cache": false,
          "destPath": "haproxy.cfg" },
        { "uri": "file:///mnt/docker-images/xxxx.crt",
          "executable": false,
          "extract": false,
          "cache": false,
          "destPath": "xxxx.crt" }
    ],

But this file goes into the sandbox directory /mnt/sandbox, I just
wonder why it can't go directly to the 'container rootfs'?
This is what I now have to do in the entrypoint.sh
if [ ! -z "${MESOS_SANDBOX}" ] && [ -f "${MESOS_SANDBOX}/haproxy.cfg" ]
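
The sandbox-copy step discussed in the messages above, generalized into one reusable entrypoint, as an added example that is not part of the original thread. The file names are the ones from the fetch list; the destination directory /usr/local/etc/haproxy and the file modes are assumptions.

```shell
#!/bin/sh
# Added example: one entrypoint for any file the Mesos fetcher put in the sandbox.

# install_from_sandbox NAME DEST MODE
#   returns 0 when the file was installed, or when nothing was fetched
#   (the default built into the image stays in place);
#   returns 1 when a fetched entry is refused or cannot be installed.
install_from_sandbox() {
    name=$1 dest=$2 mode=$3
    # Same guard as in the thread: act only if the sandbox and the file exist.
    [ -n "${MESOS_SANDBOX:-}" ] || return 0
    src="${MESOS_SANDBOX}/${name}"
    [ -e "$src" ] || [ -L "$src" ] || return 0
    # The sandbox is written by Mesos, the executor and the task itself, so
    # accept only a regular, non-empty file and never follow a symlink.
    if [ -L "$src" ] || [ ! -f "$src" ] || [ ! -s "$src" ]; then
        echo "entrypoint: refusing $src (not a regular, non-empty file)" >&2
        return 1
    fi
    # Stage beside the destination with a tight umask, set the final mode,
    # then rename, so the application never reads a half-written file.
    tmp="${dest}.new.$$"
    ( umask 077 && cp -- "$src" "$tmp" ) && chmod "$mode" "$tmp" &&
        mv -f -- "$tmp" "$dest" || { rm -f -- "$tmp"; return 1; }
}

# File names come from the fetch list in the thread; the destination
# directory and the modes are assumptions for illustration.
install_from_sandbox haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg 0644 || exit 1
install_from_sandbox xxxx.crt /usr/local/etc/haproxy/xxxx.crt 0600 || exit 1

# Hand over to the container's real command when one was passed.
if [ "$#" -gt 0 ]; then exec "$@"; fi
```

Set as the image's entrypoint, the script leaves the built-in defaults untouched when nothing was fetched and stops the container before the application starts when a fetched entry is not a plain file.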