Posted to user@mesos.apache.org by Gilbert Song <gi...@apache.org> on 2019/08/14 20:42:31 UTC

Re: Provisioning containers with configuration file via sandbox mount or copy via entrypoint.sh

It depends on how you want to manage the configuration files for your
containers - dynamic or static.

   - Dynamic
      - Fetch via URI - you probably do not need your application
        entrypoint to fetch. Instead Mesos and Marathon support fetching URIs to
        your container sandbox.
        http://mesos.apache.org/documentation/latest/fetcher/
      - Pass into the container as a file based secret if it is sensitive.
        http://mesos.apache.org/documentation/latest/secrets/#file-based-secrets
      - Environment Variable.
   - Static
      - Host_path volume - mounting a host path or file into your container.
        http://mesos.apache.org/documentation/latest/container-volume/#host_path-volume-source
      - Build it in your container image if those configurations are not
        expected to be changed.

> Furthermore this page[1] says the sandbox is considered read only, yet
> the stdout and stderr are located there???

I think the document
<http://mesos.apache.org/documentation/latest/sandbox/#using-the-sandbox> means
that sandbox is not expected to be touched by any 3rd party software or
people *other than* Mesos, executor and task/application.

-Gilbert

On Sun, Jul 21, 2019 at 3:22 AM Marc Roos <M....@f1-outsourcing.eu> wrote:

>
>
> What would be the advised way to add a configuration file to a container
> being used at startup. I am now fetching the files and then create an
> entrypoint.sh that copies this from the sandbox.
>
> Creating these custom entrypoints.sh is cumbersome. I thought about
> mounting the paths of the sandbox in the container but don't have good
> example to get this working[0]. Furthermore this page[1] says the
> sandbox is considered read only, yet the stdout and stderr are located
> there???
>
> Is there a (security) advantage copying files from the sandbox at
> startup or just use a mount point?
>
> [0]
> https://www.mail-archive.com/user@mesos.apache.org/msg10445.html
>
> [1]
> http://mesos.apache.org/documentation/latest/sandbox/
>

RE: Provisioning containers with configuration file via sandbox mount or copy via entrypoint.sh

Posted by Marc Roos <M....@f1-outsourcing.eu>.
 
Hi Gilbert, thanks for the detailed reply, this secrets is very 
interesting. 


> Fetch via URI - you probably do not need your application
> entrypoint to fetch. Instead Mesos and Marathon support fetching URIs
> to your container sandbox.
> http://mesos.apache.org/documentation/latest/fetcher/

This fetching is what I am doing now. I have containers with a default 
configuration file. But when I need updates I am fetching with something 
like this. 

 "fetch": [
    { "uri": "file:///mnt/docker-images/haproxy.cfg",
      "executable": false,
      "extract": false,
      "cache": false,
      "destPath": "haproxy.cfg" },
    { "uri": "file:///mnt/docker-images/xxxx.crt",
      "executable": false,
      "extract": false,
      "cache": false,
      "destPath": "xxxx.crt" }
  ],

But this file goes into the sandbox directory /mnt/sandbox, I just 
wonder why it can't go directly to the 'container rootfs'?

This is what I now have to do in the entrypoint.sh

if [ ! -z "${MESOS_SANDBOX}" ] && [ -f "${MESOS_SANDBOX}/haproxy.cfg" ]



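
The copy-from-sandbox step discussed in this thread, as an added example that is not part of the original messages: one reusable entrypoint function that installs a fetched file only when it is a regular, non-symlink file, and keeps the image's default otherwise. The function name `install_from_sandbox`, the return codes, the default mode and the paths in the usage comment are assumptions for illustration.

```shell
#!/bin/sh
# Added example: helper for an entrypoint.sh that installs files the Mesos
# fetcher placed in the sandbox. install_from_sandbox is a hypothetical name.

# install_from_sandbox NAME DEST [MODE]
# Returns 0 if installed, 1 if nothing was fetched (image default kept),
# 2 if the sandbox entry was refused or the copy failed.
install_from_sandbox() {
    name=$1 dest=$2 mode=${3:-0640}

    # Outside Mesos (e.g. a local test run) MESOS_SANDBOX is unset.
    [ -n "${MESOS_SANDBOX:-}" ] || return 1

    # NAME must be a plain file name, matching the fetch "destPath".
    case $name in
        */*|.|..|"") echo "refusing name: $name" >&2; return 2 ;;
    esac
    src=$MESOS_SANDBOX/$name

    # Test for a symlink first: -f follows links, -e is false for dangling ones.
    if [ -L "$src" ]; then
        echo "refusing symlink: $src" >&2; return 2
    fi
    [ -e "$src" ] || return 1
    if [ ! -f "$src" ]; then
        echo "refusing non-regular file: $src" >&2; return 2
    fi

    # Copy to a temp file beside DEST, set the mode, then rename, so the
    # application never reads a half-written configuration file.
    tmp=$(mktemp "$(dirname "$dest")/.tmp.XXXXXX") || return 2
    if cp "$src" "$tmp" && chmod "$mode" "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# Typical use in entrypoint.sh (destination path is an assumption):
#   install_from_sandbox haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg 0644
#   exec haproxy -f /usr/local/etc/haproxy/haproxy.cfg
```

Return code 1 lets the entrypoint continue with the configuration built into the image, while 2 is the case worth failing the task on.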