Posted to commits@mesos.apache.org by gi...@apache.org on 2017/08/18 17:50:56 UTC
[2/2] mesos-site git commit: Updated the website built from mesos
SHA: 4c71ba1.
Updated the website built from mesos SHA: 4c71ba1.
Project: http://git-wip-us.apache.org/repos/asf/mesos-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos-site/commit/7f3eab90
Tree: http://git-wip-us.apache.org/repos/asf/mesos-site/tree/7f3eab90
Diff: http://git-wip-us.apache.org/repos/asf/mesos-site/diff/7f3eab90
Branch: refs/heads/asf-site
Commit: 7f3eab90378d67d949436d528c9e4c9fd1720aff
Parents: b4af79f
Author: jenkins <bu...@apache.org>
Authored: Fri Aug 18 17:50:53 2017 +0000
Committer: jenkins <bu...@apache.org>
Committed: Fri Aug 18 17:50:53 2017 +0000
----------------------------------------------------------------------
content/documentation/configuration/index.html | 49 +
content/documentation/index.html | 1 +
.../latest/configuration/index.html | 49 +
.../endpoints/master/frameworks/index.html | 2 +-
.../slave/api/v1/resource_provider/index.html | 2 +-
content/documentation/latest/index.html | 1 +
content/documentation/latest/secrets/index.html | 299 +
content/documentation/secrets/index.html | 299 +
content/sitemap.xml | 8378 +++++++++---------
9 files changed, 4893 insertions(+), 4187 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos-site/blob/7f3eab90/content/documentation/configuration/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/configuration/index.html b/content/documentation/configuration/index.html
index 84cf5c2..9c4e96f 100644
--- a/content/documentation/configuration/index.html
+++ b/content/documentation/configuration/index.html
@@ -323,6 +323,33 @@ Cannot be used in conjunction with <code>--ip</code>.
</tr>
<tr>
<td>
+ --ip6=VALUE
+ </td>
+ <td>
+IPv6 address to listen on. This cannot be used in conjunction
+with <code>--ip6_discovery_command</code>.
+<p/>
+NOTE: Currently Mesos doesn't listen on IPv6 sockets and hence
+this IPv6 address is only used to advertise IPv6 addresses for
+containers running on the host network.
+ </td>
+</tr>
+<tr>
+ <td>
+ --ip6_discovery_command=VALUE
+ </td>
+ <td>
+Optional IPv6 discovery binary: if set, it is expected to emit
+the IPv6 address on which Mesos will try to bind when IPv6 socket
+support is enabled in Mesos.
+<p/>
+NOTE: Currently Mesos doesn't listen on IPv6 sockets and hence
+this IPv6 address is only used to advertise IPv6 addresses for
+containers running on the host network.
+ </td>
+</tr>
+<tr>
+ <td>
--modules=VALUE
</td>
<td>
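Review bot: The --ip6_discovery_command row never says it cannot be combined with --ip6, although the --ip6 row states that restriction in the other direction. Add the matching sentence to the second row so an operator who reads only that entry still sees the conflict. The NOTE paragraph is repeated verbatim in both cells; if it has to stay duplicated, keep the two copies identical when the IPv6 socket support it mentions changes.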
@@ -1766,6 +1793,16 @@ terminations may occur.
<td>
Parent directory for fetcher cache directories
(one subdirectory per agent). (default: /tmp/mesos/fetch)
+
+Directory for the fetcher cache. The agent will clear this directory
+on startup. It is recommended to set this value to a separate volume
+for several reasons:
+<ul>
+<li> The cache directories are transient and not meant to be
+ backed up. Upon restarting the agent, the cache is always empty. </li>
+<li> The cache and container sandboxes can potentially interfere with
+ each other when occupying a shared space (i.e. disk contention). </li>
+</ul>
</td>
</tr>
<tr>
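Review bot: The fetcher cache cell now carries two descriptions that disagree: the unchanged "Parent directory for fetcher cache directories (one subdirectory per agent)" and the added "Directory for the fetcher cache". Keep one of them, and move "(default: /tmp/mesos/fetch)" to the end of the cell so the default does not sit between the old sentence and the new paragraph.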
@@ -2190,6 +2227,18 @@ state as possible is recovered.
</tr>
<tr>
<td>
+ --secret_resolver=VALUE
+ </td>
+ <td>
+The name of the secret resolver module to use for resolving
+environment and file-based secrets. If this flag is not specified,
+the default behavior is to resolve value-based secrets and error on
+reference-based secrets.
+ </td>
+</tr>
+
+<tr>
+ <td>
--[no-]switch_user
</td>
<td>
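Review bot: The --secret_resolver description lists only "environment and file-based secrets", but the Secrets page added in this same commit says the SecretResolver module also resolves image-pull secrets. Name all three here so the flag text and the new page agree. The blank added line between </tr> and <tr> after this row is not present between the other rows and can go.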
http://git-wip-us.apache.org/repos/asf/mesos-site/blob/7f3eab90/content/documentation/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/index.html b/content/documentation/index.html
index 5e33eb3..9870c4f 100644
--- a/content/documentation/index.html
+++ b/content/documentation/index.html
@@ -155,6 +155,7 @@
<li><a href="/documentation/latest/./monitoring/">Monitoring</a></li>
<li><a href="/documentation/latest/./operational-guide/">Operational Guide</a></li>
<li><a href="/documentation/latest/./roles/">Roles</a></li>
+<li><a href="/documentation/latest/./secrets/">Secrets</a> for managing secrets within Mesos.</li>
<li><a href="/documentation/latest/./ssl/">SSL</a> for enabling and enforcing SSL communication.</li>
<li><a href="/documentation/latest/./nested-container-and-task-group/">Nested Container and Task Group (Pod)</a></li>
<li><a href="/documentation/latest/./tools/">Tools</a> for setting up and running a Mesos cluster.</li>
http://git-wip-us.apache.org/repos/asf/mesos-site/blob/7f3eab90/content/documentation/latest/configuration/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/latest/configuration/index.html b/content/documentation/latest/configuration/index.html
index 02c75f2..46335ba 100644
--- a/content/documentation/latest/configuration/index.html
+++ b/content/documentation/latest/configuration/index.html
@@ -323,6 +323,33 @@ Cannot be used in conjunction with <code>--ip</code>.
</tr>
<tr>
<td>
+ --ip6=VALUE
+ </td>
+ <td>
+IPv6 address to listen on. This cannot be used in conjunction
+with <code>--ip6_discovery_command</code>.
+<p/>
+NOTE: Currently Mesos doesn't listen on IPv6 sockets and hence
+this IPv6 address is only used to advertise IPv6 addresses for
+containers running on the host network.
+ </td>
+</tr>
+<tr>
+ <td>
+ --ip6_discovery_command=VALUE
+ </td>
+ <td>
+Optional IPv6 discovery binary: if set, it is expected to emit
+the IPv6 address on which Mesos will try to bind when IPv6 socket
+support is enabled in Mesos.
+<p/>
+NOTE: Currently Mesos doesn't listen on IPv6 sockets and hence
+this IPv6 address is only used to advertise IPv6 addresses for
+containers running on the host network.
+ </td>
+</tr>
+<tr>
+ <td>
--modules=VALUE
</td>
<td>
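Review bot: The --ip6 description opens with "IPv6 address to listen on", while the NOTE in the same cell says Mesos doesn't listen on IPv6 sockets and the address is only advertised for containers on the host network. Lead with what the flag does today (the advertised address) and move the listening behaviour into the sentence about future socket support, so an operator does not assume the process is bound to, or reachable on, that address.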
@@ -1766,6 +1793,16 @@ terminations may occur.
<td>
Parent directory for fetcher cache directories
(one subdirectory per agent). (default: /tmp/mesos/fetch)
+
+Directory for the fetcher cache. The agent will clear this directory
+on startup. It is recommended to set this value to a separate volume
+for several reasons:
+<ul>
+<li> The cache directories are transient and not meant to be
+ backed up. Upon restarting the agent, the cache is always empty. </li>
+<li> The cache and container sandboxes can potentially interfere with
+ each other when occupying a shared space (i.e. disk contention). </li>
+</ul>
</td>
</tr>
<tr>
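Review bot: "The agent will clear this directory on startup" needs an explicit statement that the path must be dedicated to the fetcher cache, because the recommendation that follows is to point the flag at a separate volume and anything else stored at that path would be removed on restart. The default shown just above is /tmp/mesos/fetch, so it is also worth saying whether the clearing applies to the whole configured path or only to the per-agent subdirectory the first sentence mentions.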
@@ -2190,6 +2227,18 @@ state as possible is recovered.
</tr>
<tr>
<td>
+ --secret_resolver=VALUE
+ </td>
+ <td>
+The name of the secret resolver module to use for resolving
+environment and file-based secrets. If this flag is not specified,
+the default behavior is to resolve value-based secrets and error on
+reference-based secrets.
+ </td>
+</tr>
+
+<tr>
+ <td>
--[no-]switch_user
</td>
<td>
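Review bot: "error on reference-based secrets" does not tell the operator what fails or when; say which operation is rejected when a task uses a REFERENCE secret and no resolver is configured, since that is the failure someone will be debugging from this row. A link from this cell to the new Secrets page in this commit would also help, because VALUE takes a module name and nothing in the row says where that name comes from.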
http://git-wip-us.apache.org/repos/asf/mesos-site/blob/7f3eab90/content/documentation/latest/endpoints/master/frameworks/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/latest/endpoints/master/frameworks/index.html b/content/documentation/latest/endpoints/master/frameworks/index.html
index 0fea18a..81e1947 100644
--- a/content/documentation/latest/endpoints/master/frameworks/index.html
+++ b/content/documentation/latest/endpoints/master/frameworks/index.html
@@ -138,7 +138,7 @@ found.</p>
<p>Query parameters:</p>
-<blockquote><pre><code> framework_id=VALUE The ID of the framework returned (when no framework ID specified, all frameworks will be returned).
+<blockquote><pre><code> framework_id=VALUE The ID of the framework returned (if no framework ID is specified, all frameworks will be returned).
</code></pre></blockquote>
<h3>AUTHENTICATION</h3>
http://git-wip-us.apache.org/repos/asf/mesos-site/blob/7f3eab90/content/documentation/latest/endpoints/slave/api/v1/resource_provider/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/latest/endpoints/slave/api/v1/resource_provider/index.html b/content/documentation/latest/endpoints/slave/api/v1/resource_provider/index.html
index 3234403..3078712 100644
--- a/content/documentation/latest/endpoints/slave/api/v1/resource_provider/index.html
+++ b/content/documentation/latest/endpoints/slave/api/v1/resource_provider/index.html
@@ -124,7 +124,7 @@
<h3>TL;DR;</h3>
-<p>Endpoint for the Local Resource Provider HTTP API.</p>
+<p>Endpoint for the local resource provider HTTP API.</p>
<h3>DESCRIPTION</h3>
http://git-wip-us.apache.org/repos/asf/mesos-site/blob/7f3eab90/content/documentation/latest/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/latest/index.html b/content/documentation/latest/index.html
index 1c1513c..1273427 100644
--- a/content/documentation/latest/index.html
+++ b/content/documentation/latest/index.html
@@ -155,6 +155,7 @@
<li><a href="/documentation/latest/./monitoring/">Monitoring</a></li>
<li><a href="/documentation/latest/./operational-guide/">Operational Guide</a></li>
<li><a href="/documentation/latest/./roles/">Roles</a></li>
+<li><a href="/documentation/latest/./secrets/">Secrets</a> for managing secrets within Mesos.</li>
<li><a href="/documentation/latest/./ssl/">SSL</a> for enabling and enforcing SSL communication.</li>
<li><a href="/documentation/latest/./nested-container-and-task-group/">Nested Container and Task Group (Pod)</a></li>
<li><a href="/documentation/latest/./tools/">Tools</a> for setting up and running a Mesos cluster.</li>
http://git-wip-us.apache.org/repos/asf/mesos-site/blob/7f3eab90/content/documentation/latest/secrets/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/latest/secrets/index.html b/content/documentation/latest/secrets/index.html
new file mode 100644
index 0000000..2f539f4
--- /dev/null
+++ b/content/documentation/latest/secrets/index.html
@@ -0,0 +1,299 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta charset="utf-8">
+ <title>Apache Mesos - Secrets Handling</title>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0">
+
+ <meta property="og:locale" content="en_US"/>
+ <meta property="og:type" content="website"/>
+ <meta property="og:title" content="Apache Mesos"/>
+ <meta property="og:site_name" content="Apache Mesos"/>
+ <meta property="og:url" content="http://mesos.apache.org/"/>
+ <meta property="og:image" content="http://mesos.apache.org/assets/img/mesos_logo_fb_preview.png"/>
+ <meta property="og:description"
+ content="Apache Mesos abstracts resources away from machines,
+ enabling fault-tolerant and elastic distributed systems
+ to easily be built and run effectively."/>
+
+ <meta name="twitter:card" content="summary"/>
+ <meta name="twitter:site" content="@ApacheMesos"/>
+ <meta name="twitter:title" content="Apache Mesos"/>
+ <meta name="twitter:image" content="http://mesos.apache.org/assets/img/mesos_logo_fb_preview.png"/>
+ <meta name="twitter:description"
+ content="Apache Mesos abstracts resources away from machines,
+ enabling fault-tolerant and elastic distributed systems
+ to easily be built and run effectively."/>
+
+ <link href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css" rel="stylesheet">
+ <link rel="alternate" type="application/atom+xml" title="Apache Mesos Blog" href="/blog/feed.xml">
+ <link href="../../../assets/css/main.css" media="screen" rel="stylesheet" type="text/css" />
+
+
+
+ <!-- Google Analytics Magic -->
+ <script type="text/javascript">
+ var _gaq = _gaq || [];
+ _gaq.push(['_setAccount', 'UA-20226872-1']);
+ _gaq.push(['_setDomainName', 'apache.org']);
+ _gaq.push(['_trackPageview']);
+
+ (function() {
+ var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
+ ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
+ var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
+ })();
+ </script>
+
+ </head>
+ <body>
+ <!-- magical breadcrumbs -->
+ <div class="topnav">
+ <div class="container">
+ <ul class="breadcrumb">
+ <li>
+ <div class="dropdown">
+ <a data-toggle="dropdown" href="#">Apache Software Foundation <span class="caret"></span></a>
+ <ul class="dropdown-menu" role="menu" aria-labelledby="dLabel">
+ <li><a href="http://www.apache.org">Apache Homepage</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+ <li><a href="http://www.apache.org/security/">Security</a></li>
+ </ul>
+ </div>
+ </li>
+
+ <li><a href="http://mesos.apache.org">Apache Mesos</a></li>
+
+
+ <li><a href="/documentation
+/">Documentation
+</a></li>
+
+
+ </ul><!-- /.breadcrumb -->
+ </div><!-- /.container -->
+ </div><!-- /.topnav -->
+
+ <!-- navbar excitement -->
+<div class="navbar navbar-default navbar-static-top" role="navigation">
+ <div class="container">
+ <div class="navbar-header">
+ <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#mesos-menu" aria-expanded="false">
+ <span class="sr-only">Toggle navigation</span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ </button>
+ <a class="navbar-brand" href="/"><img src="/assets/img/mesos_logo.png" alt="Apache Mesos logo"/></a>
+ </div><!-- /.navbar-header -->
+
+ <div class="navbar-collapse collapse" id="mesos-menu">
+ <ul class="nav navbar-nav navbar-right">
+ <li><a href="/gettingstarted/">Getting Started</a></li>
+ <li><a href="/blog/">Blog</a></li>
+ <li><a href="/documentation/latest/">Documentation</a></li>
+ <li><a href="/downloads/">Downloads</a></li>
+ <li><a href="/community/">Community</a></li>
+ </ul>
+ </div><!-- /#mesos-menu -->
+ </div><!-- /.container -->
+</div><!-- /.navbar -->
+
+<div class="content">
+ <div class="container">
+ <div class="row-fluid">
+ <div class="col-md-4">
+ <h4>If you're new to Mesos</h4>
+ <p>See the <a href="/gettingstarted/">getting started</a> page for more
+ information about downloading, building, and deploying Mesos.</p>
+
+ <h4>If you'd like to get involved or you're looking for support</h4>
+ <p>See our <a href="/community/">community</a> page for more details.</p>
+ </div>
+ <div class="col-md-8">
+ <h1>Secrets</h1>
+
+<p>Starting 1.4.0 release, Mesos allows tasks to populate environment variables and
+file volumes with secret contents that are retrieved using a secret-resolver
+interface. It also allows specifying image-pull secrets for private container
+registry. This allows users to avoid exposing critical secrets in task
+definitions. Secrets are fetched/resolved using a secret-resolver module (see
+below).</p>
+
+<p>NOTE: Secrets are only supported for Mesos containerizer and not for the Docker
+containerizer.</p>
+
+<h2>Secrets Message</h2>
+
+<p>Secrets can be specified using the following protobuf message:</p>
+
+<pre><code>message Secret {
+ enum Type {
+ UNKNOWN = 0;
+ REFERENCE = 1;
+ VALUE = 2;
+ }
+
+ message Reference {
+ required string name = 1;
+ optional string key = 2;
+ }
+
+ message Value {
+ required bytes data = 1;
+ }
+
+ optional Type type = 1;
+
+ optional Reference reference = 2;
+ optional Value value = 3;
+}
+</code></pre>
+
+<p>Secrets can be of type <code>reference</code> or <code>value</code> (only one of <code>reference</code> and <code>value</code> must be set).
+A secret reference can be used by modules to refer to a secret stored in a secure back-end.
+The <code>key</code> field can be used to reference a single value within a secret containing arbitrary key-value pairs.</p>
+
+<p>For example, given a back-end secret store with a secret named “/my/secret” containing the following key-value pairs:</p>
+
+<pre><code>{
+ "username": "my-user",
+ "password": "my-password
+}
+</code></pre>
+
+<p>The username could be referred to in a <code>Secret</code> by specifying “my/secret” for the <code>name</code> and “username” for the <code>key</code>.</p>
+
+<p>Secret also supports pass-by-value where the value of a secret can be directly
+passed in the message.</p>
+
+<h2>Environment-based Secrets</h2>
+
+<p>Environment variables can either be traditional value-based or secret-based. For
+the latter, one can specify a secret as part of environment definition as shown
+in the following example:</p>
+
+<pre><code>{
+ "variables" : [
+ {
+ "name": "MY_SECRET_ENV",
+ "type": "SECRET",
+ "secret": {
+ "type": "REFERENCE",
+ "reference": {
+ "name": "/my/secret",
+ "key": "username"
+ }
+ }
+ },
+ {
+ "name": "MY_NORMAL_ENV",
+ "value": "foo"
+ }
+ ]
+}
+</code></pre>
+
+<h2>File-based Secrets</h2>
+
+<p>A new <code>volume/secret</code> isolator is available to create secret-based files inside
+the task container. To use a secret, one can specify a new volume as follows:</p>
+
+<pre><code>{
+ "mode": "RW",
+ "container_path": "path/to/secret/file",
+ "source":
+ {
+ "type": "SECRET",
+ "secret": {
+ "type": "REFERENCE",
+ "reference": {
+ "name": "/my/secret",
+ "key": "username"
+ }
+ }
+ }
+}
+</code></pre>
+
+<p>This will create a tmpfs-based file mount in the container at “path/to/secret/file” which will contain the secret text fetched from the back-end secret store.</p>
+
+<p>The <code>volume/secret</code> isolator is not enabled by default. To enable it, it must be specified in <code>--isolator=volume/secret</code> agent flag.</p>
+
+<h2>Image-pull Secrets</h2>
+
+<p>Currently, image-pull secrets only support Docker images for Mesos
+containerizer. Appc images are not supported.
+One can store Docker config containing credentials to authenticate with Docker registry in the secret store.
+The secret is expected to be a Docker config file in JSON format with UTF-8 character encoding.
+The secret can then be referenced in the <code>Image</code> protobuf as follows:</p>
+
+<pre><code>{
+ "type": "DOCKER",
+ "docker":
+ message Docker {
+ "name": "<REGISTRY_HOST>/path/to/image",
+ "secret": {
+ "type": "REFERENCE",
+ "reference": {
+ "name": "/my/secret/docker/config"
+ }
+ }
+ }
+}
+</code></pre>
+
+<h2>SecretResolver Module</h2>
+
+<p>The SecretResolver module is called from Mesos agent to fetch/resolve any image-pull, environment-based, or file-based secrets. (See <a href="/documentation/latest/./modules/">Mesos Modules</a> for more information on using Mesos modules).</p>
+
+<pre><code>class SecretResolver
+{
+ virtual process::Future<Secret::Value> resolve(const Secret& secret) const;
+};
+</code></pre>
+
+<p>The default implementation simply resolves value-based Secrets. A custom secret-resolver module can be specified using the <code>--secret_resolver=<module-name></code> agent flag.</p>
+
+ </div>
+</div>
+
+ </div><!-- /.container -->
+</div><!-- /.content -->
+
+<hr>
+
+
+
+ <!-- footer -->
+ <div class="footer">
+ <div class="container">
+ <div class="col-md-4 social-blk">
+ <span class="social">
+ <a href="https://twitter.com/ApacheMesos"
+ class="twitter-follow-button"
+ data-show-count="false" data-size="large">Follow @ApacheMesos</a>
+ <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document, 'script', 'twitter-wjs');</script>
+ <a href="https://twitter.com/intent/tweet?button_hashtag=mesos"
+ class="twitter-hashtag-button"
+ data-size="large"
+ data-related="ApacheMesos">Tweet #mesos</a>
+ <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document, 'script', 'twitter-wjs');</script>
+ </span>
+ </div>
+
+ <div class="col-md-8 trademark">
+ <p>© 2012-2017 <a href="http://apache.org">The Apache Software Foundation</a>.
+ Apache Mesos, the Apache feather logo, and the Apache Mesos project logo are trademarks of The Apache Software Foundation.
+ <p>
+ </div>
+ </div><!-- /.container -->
+ </div><!-- /.footer -->
+
+ <!-- JS -->
+ <script src="//code.jquery.com/jquery-1.11.0.min.js" type="text/javascript"></script>
+ <script src="//netdna.bootstrapcdn.com/bootstrap/3.1.1/js/bootstrap.min.js" type="text/javascript"></script>
+ </body>
+</html>
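Review bot: Several code samples in the new page will not parse or render as written. In the key-value example the password line has no closing quote after my-password; in the Image example a protobuf fragment, message Docker {, is left inside the JSON after "docker":, which also leaves the braces unbalanced. The angle brackets in <REGISTRY_HOST>, in process::Future<Secret::Value> and in --secret_resolver=<module-name> are not escaped, so a browser will treat them as tags and drop them from the rendered text; they should be written with &lt; and &gt;. These come from the generated site, so the fix belongs in the source document the site is built from.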
http://git-wip-us.apache.org/repos/asf/mesos-site/blob/7f3eab90/content/documentation/secrets/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/secrets/index.html b/content/documentation/secrets/index.html
new file mode 100644
index 0000000..36d245c
--- /dev/null
+++ b/content/documentation/secrets/index.html
@@ -0,0 +1,299 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta charset="utf-8">
+ <title>Apache Mesos - Secrets Handling</title>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0">
+
+ <meta property="og:locale" content="en_US"/>
+ <meta property="og:type" content="website"/>
+ <meta property="og:title" content="Apache Mesos"/>
+ <meta property="og:site_name" content="Apache Mesos"/>
+ <meta property="og:url" content="http://mesos.apache.org/"/>
+ <meta property="og:image" content="http://mesos.apache.org/assets/img/mesos_logo_fb_preview.png"/>
+ <meta property="og:description"
+ content="Apache Mesos abstracts resources away from machines,
+ enabling fault-tolerant and elastic distributed systems
+ to easily be built and run effectively."/>
+
+ <meta name="twitter:card" content="summary"/>
+ <meta name="twitter:site" content="@ApacheMesos"/>
+ <meta name="twitter:title" content="Apache Mesos"/>
+ <meta name="twitter:image" content="http://mesos.apache.org/assets/img/mesos_logo_fb_preview.png"/>
+ <meta name="twitter:description"
+ content="Apache Mesos abstracts resources away from machines,
+ enabling fault-tolerant and elastic distributed systems
+ to easily be built and run effectively."/>
+
+ <link href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css" rel="stylesheet">
+ <link rel="alternate" type="application/atom+xml" title="Apache Mesos Blog" href="/blog/feed.xml">
+ <link href="../../assets/css/main.css" media="screen" rel="stylesheet" type="text/css" />
+
+
+
+ <!-- Google Analytics Magic -->
+ <script type="text/javascript">
+ var _gaq = _gaq || [];
+ _gaq.push(['_setAccount', 'UA-20226872-1']);
+ _gaq.push(['_setDomainName', 'apache.org']);
+ _gaq.push(['_trackPageview']);
+
+ (function() {
+ var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
+ ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
+ var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
+ })();
+ </script>
+
+ </head>
+ <body>
+ <!-- magical breadcrumbs -->
+ <div class="topnav">
+ <div class="container">
+ <ul class="breadcrumb">
+ <li>
+ <div class="dropdown">
+ <a data-toggle="dropdown" href="#">Apache Software Foundation <span class="caret"></span></a>
+ <ul class="dropdown-menu" role="menu" aria-labelledby="dLabel">
+ <li><a href="http://www.apache.org">Apache Homepage</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+ <li><a href="http://www.apache.org/security/">Security</a></li>
+ </ul>
+ </div>
+ </li>
+
+ <li><a href="http://mesos.apache.org">Apache Mesos</a></li>
+
+
+ <li><a href="/documentation
+/">Documentation
+</a></li>
+
+
+ </ul><!-- /.breadcrumb -->
+ </div><!-- /.container -->
+ </div><!-- /.topnav -->
+
+ <!-- navbar excitement -->
+<div class="navbar navbar-default navbar-static-top" role="navigation">
+ <div class="container">
+ <div class="navbar-header">
+ <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#mesos-menu" aria-expanded="false">
+ <span class="sr-only">Toggle navigation</span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ </button>
+ <a class="navbar-brand" href="/"><img src="/assets/img/mesos_logo.png" alt="Apache Mesos logo"/></a>
+ </div><!-- /.navbar-header -->
+
+ <div class="navbar-collapse collapse" id="mesos-menu">
+ <ul class="nav navbar-nav navbar-right">
+ <li><a href="/gettingstarted/">Getting Started</a></li>
+ <li><a href="/blog/">Blog</a></li>
+ <li><a href="/documentation/latest/">Documentation</a></li>
+ <li><a href="/downloads/">Downloads</a></li>
+ <li><a href="/community/">Community</a></li>
+ </ul>
+ </div><!-- /#mesos-menu -->
+ </div><!-- /.container -->
+</div><!-- /.navbar -->
+
+<div class="content">
+ <div class="container">
+ <div class="row-fluid">
+ <div class="col-md-4">
+ <h4>If you're new to Mesos</h4>
+ <p>See the <a href="/gettingstarted/">getting started</a> page for more
+ information about downloading, building, and deploying Mesos.</p>
+
+ <h4>If you'd like to get involved or you're looking for support</h4>
+ <p>See our <a href="/community/">community</a> page for more details.</p>
+ </div>
+ <div class="col-md-8">
+ <h1>Secrets</h1>
+
+<p>Starting 1.4.0 release, Mesos allows tasks to populate environment variables and
+file volumes with secret contents that are retrieved using a secret-resolver
+interface. It also allows specifying image-pull secrets for private container
+registry. This allows users to avoid exposing critical secrets in task
+definitions. Secrets are fetched/resolved using a secret-resolver module (see
+below).</p>
+
+<p>NOTE: Secrets are only supported for Mesos containerizer and not for the Docker
+containerizer.</p>
+
+<h2>Secrets Message</h2>
+
+<p>Secrets can be specified using the following protobuf message:</p>
+
+<pre><code>message Secret {
+ enum Type {
+ UNKNOWN = 0;
+ REFERENCE = 1;
+ VALUE = 2;
+ }
+
+ message Reference {
+ required string name = 1;
+ optional string key = 2;
+ }
+
+ message Value {
+ required bytes data = 1;
+ }
+
+ optional Type type = 1;
+
+ optional Reference reference = 2;
+ optional Value value = 3;
+}
+</code></pre>
+
+<p>Secrets can be of type <code>reference</code> or <code>value</code> (only one of <code>reference</code> and <code>value</code> must be set).
+A secret reference can be used by modules to refer to a secret stored in a secure back-end.
+The <code>key</code> field can be used to reference a single value within a secret containing arbitrary key-value pairs.</p>
+
+<p>For example, given a back-end secret store with a secret named “/my/secret” containing the following key-value pairs:</p>
+
+<pre><code>{
+ "username": "my-user",
+ "password": "my-password
+}
+</code></pre>
+
+<p>The username could be referred to in a <code>Secret</code> by specifying “my/secret” for the <code>name</code> and “username” for the <code>key</code>.</p>
+
+<p>Secret also supports pass-by-value where the value of a secret can be directly
+passed in the message.</p>
+
+<h2>Environment-based Secrets</h2>
+
+<p>Environment variables can either be traditional value-based or secret-based. For
+the latter, one can specify a secret as part of environment definition as shown
+in the following example:</p>
+
+<pre><code>{
+ "variables" : [
+ {
+ "name": "MY_SECRET_ENV",
+ "type": "SECRET",
+ "secret": {
+ "type": "REFERENCE",
+ "reference": {
+ "name": "/my/secret",
+ "key": "username"
+ }
+ }
+ },
+ {
+ "name": "MY_NORMAL_ENV",
+ "value": "foo"
+ }
+ ]
+}
+</code></pre>
+
+<h2>File-based Secrets</h2>
+
+<p>A new <code>volume/secret</code> isolator is available to create secret-based files inside
+the task container. To use a secret, one can specify a new volume as follows:</p>
+
+<pre><code>{
+ "mode": "RW",
+ "container_path": "path/to/secret/file",
+ "source":
+ {
+ "type": "SECRET",
+ "secret": {
+ "type": "REFERENCE",
+ "reference": {
+ "name": "/my/secret",
+ "key": "username"
+ }
+ }
+ }
+}
+</code></pre>
+
+<p>This will create a tmpfs-based file mount in the container at “path/to/secret/file” which will contain the secret text fetched from the back-end secret store.</p>
+
+<p>The <code>volume/secret</code> isolator is not enabled by default. To enable it, it must be specified in <code>--isolator=volume/secret</code> agent flag.</p>
+
+<h2>Image-pull Secrets</h2>
+
+<p>Currently, image-pull secrets only support Docker images for Mesos
+containerizer. Appc images are not supported.
+One can store Docker config containing credentials to authenticate with Docker registry in the secret store.
+The secret is expected to be a Docker config file in JSON format with UTF-8 character encoding.
+The secret can then be referenced in the <code>Image</code> protobuf as follows:</p>
+
+<pre><code>{
+ "type": "DOCKER",
+ "docker":
+ message Docker {
+ "name": "<REGISTRY_HOST>/path/to/image",
+ "secret": {
+ "type": "REFERENCE",
+ "reference": {
+ "name": "/my/secret/docker/config"
+ }
+ }
+ }
+}
+</code></pre>
+
+<h2>SecretResolver Module</h2>
+
+<p>The SecretResolver module is called from Mesos agent to fetch/resolve any image-pull, environment-based, or file-based secrets. (See <a href="/documentation/latest/./modules/">Mesos Modules</a> for more information on using Mesos modules).</p>
+
+<pre><code>class SecretResolver
+{
+ virtual process::Future<Secret::Value> resolve(const Secret& secret) const;
+};
+</code></pre>
+
+<p>The default implementation simply resolves value-based Secrets. A custom secret-resolver module can be specified using the <code>--secret_resolver=<module-name></code> agent flag.</p>
+
+ </div>
+</div>
+
+ </div><!-- /.container -->
+</div><!-- /.content -->
+
+<hr>
+
+
+
+ <!-- footer -->
+ <div class="footer">
+ <div class="container">
+ <div class="col-md-4 social-blk">
+ <span class="social">
+ <a href="https://twitter.com/ApacheMesos"
+ class="twitter-follow-button"
+ data-show-count="false" data-size="large">Follow @ApacheMesos</a>
+ <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document, 'script', 'twitter-wjs');</script>
+ <a href="https://twitter.com/intent/tweet?button_hashtag=mesos"
+ class="twitter-hashtag-button"
+ data-size="large"
+ data-related="ApacheMesos">Tweet #mesos</a>
+ <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document, 'script', 'twitter-wjs');</script>
+ </span>
+ </div>
+
+ <div class="col-md-8 trademark">
+ <p>© 2012-2017 <a href="http://apache.org">The Apache Software Foundation</a>.
+ Apache Mesos, the Apache feather logo, and the Apache Mesos project logo are trademarks of The Apache Software Foundation.
+ <p>
+ </div>
+ </div><!-- /.container -->
+ </div><!-- /.footer -->
+
+ <!-- JS -->
+ <script src="//code.jquery.com/jquery-1.11.0.min.js" type="text/javascript"></script>
+ <script src="//netdna.bootstrapcdn.com/bootstrap/3.1.1/js/bootstrap.min.js" type="text/javascript"></script>
+ </body>
+</html>
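Review bot: The reference example is inconsistent about the secret name: the store example and every JSON sample use "/my/secret", but the sentence after the key-value block tells the reader to specify "my/secret" for the name. Since the name is what a resolver module looks up, use one spelling throughout. The sentence "(only one of reference and value must be set)" also reads as if setting one is optional; in the message shown, type, reference and value are all optional fields and UNKNOWN is 0, so state plainly that exactly one of the two must be set and that it must match type. The SecretResolver section says the default implementation "simply resolves value-based Secrets" without saying what happens to a reference; the configuration page in this commit says it errors, and that belongs here too.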