Author: vinodkone
Date: Thu Jul 30 17:12:19 2015
New Revision: 1693459
URL: http://svn.apache.org/r1693459
Log:
Website update.
Modified:
mesos/site/publish/documentation/authorization/index.html
mesos/site/publish/documentation/committers/index.html
mesos/site/publish/documentation/getting-started/index.html
mesos/site/publish/documentation/index.html
mesos/site/publish/documentation/latest/authorization/index.html
mesos/site/publish/documentation/latest/committers/index.html
mesos/site/publish/documentation/latest/getting-started/index.html
mesos/site/publish/documentation/latest/index.html
mesos/site/publish/documentation/latest/mesos-ssl/index.html
mesos/site/publish/documentation/latest/operational-guide/index.html
mesos/site/publish/documentation/latest/oversubscription/index.html
mesos/site/publish/documentation/latest/reconciliation/index.html
mesos/site/publish/documentation/latest/release-guide/index.html
mesos/site/publish/documentation/latest/upgrades/index.html
mesos/site/publish/documentation/mesos-ssl/index.html
mesos/site/publish/documentation/operational-guide/index.html
mesos/site/publish/documentation/oversubscription/index.html
mesos/site/publish/documentation/reconciliation/index.html
mesos/site/publish/documentation/release-guide/index.html
mesos/site/publish/documentation/upgrades/index.html
mesos/site/publish/gettingstarted/index.html
mesos/site/publish/sitemap.xml
mesos/site/source/documentation/latest.html.md
mesos/site/source/documentation/latest/authorization.md
mesos/site/source/documentation/latest/committers.md
mesos/site/source/documentation/latest/getting-started.md
mesos/site/source/documentation/latest/mesos-ssl.md
mesos/site/source/documentation/latest/operational-guide.md
mesos/site/source/documentation/latest/oversubscription.md
mesos/site/source/documentation/latest/reconciliation.md
mesos/site/source/documentation/latest/release-guide.md
mesos/site/source/documentation/latest/upgrades.md
Modified: mesos/site/publish/documentation/authorization/index.html
URL:
http://svn.apache.org/viewvc/mesos/site/publish/documentation/authorization/index.html?rev=1693459&r1=1693458&r2=1693459&view=diff
==============================================================================
--- mesos/site/publish/documentation/authorization/index.html (original)
+++ mesos/site/publish/documentation/authorization/index.html Thu Jul 30
17:12:19 2015
@@ -139,7 +139,7 @@
<p>Similarly, when a framework launches a task(s), “run_tasks”
ACLs are checked to see if the framework (<code>FrameworkInfo.principal</code>)
is authorized to run the task/executor as the given <code>user</code>. If not
authorized, the launch is rejected and the framework gets a TASK_LOST.</p>
-<p>In the same vein, when a user/principal attempts to shutdown a framework
through the “/shutdown” HTTP endpoint on the master,
“shutdown_frameworks” ACLs are checked to see if the
<code>principal</code> is authorized to shutdown the given framework. If not
authorized, the shutdown is rejected and the user receives an
<code>Unauthorized</code> HTTP response.</p>
+<p>In the same vein, when a user/principal attempts to shutdown a framework
through the “/teardown” HTTP endpoint on the master,
“shutdown_frameworks” ACLs are checked to see if the
<code>principal</code> is authorized to shutdown the given framework. If not
authorized, the shutdown is rejected and the user receives an
<code>Unauthorized</code> HTTP response.</p>
<p>There are couple of important things to note:</p>
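Review bot: In the rewritten paragraph the endpoint is now "/teardown", but the ACL it is checked against is still named "shutdown_frameworks" and the prose still says "shutdown a framework", so a reader cannot tell whether the ACL key was renamed as well or whether the old "/shutdown" path still works. Suggest stating explicitly that the "shutdown_frameworks" ACL continues to guard "/teardown", and saying whether "/shutdown" is removed or deprecated, so operators know to re-check existing ACL files and tooling. As a verb, "shutdown" should be "shut down". The same applies to the identical hunk in the latest/ copy of this page.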
@@ -239,7 +239,7 @@
]
}
</code></pre></li>
-<li><p>Only <code>ops</code> principal can shutdown any frameworks through
“/shutdown” HTTP endpoint.</p>
+<li><p>Only <code>ops</code> principal can shutdown any frameworks through
“/teardown” HTTP endpoint.</p>
<pre><code> {
"permissive" : false,
Modified: mesos/site/publish/documentation/committers/index.html
URL:
http://svn.apache.org/viewvc/mesos/site/publish/documentation/committers/index.html?rev=1693459&r1=1693458&r2=1693459&view=diff
==============================================================================
--- mesos/site/publish/documentation/committers/index.html (original)
+++ mesos/site/publish/documentation/committers/index.html Thu Jul 30 17:12:19
2015
@@ -83,9 +83,15 @@
<div class="col-md-8">
<h1>Committers</h1>
+<p>An Apache Mesos committer is a contributor who has been given write access
to the Apache Mesos code repository and related Apache infrastructure. In the
Mesos project, each committer is also a voting member of the PMC.</p>
+
+<h2>Becoming a committer</h2>
+
+<p>Every new committer has to be proposed by a current committer and then
voted in by the members of the Mesos PMC. For details about this process and
for candidate requirements see the general <a
href="https://community.apache.org/newcommitter.html">Apache guidelines for
assessing new candidates for committership</a>. Candidates prepare for their
nomination as committer by contributing to the Mesos project and its community,
by acting according to the <a href="http://theapacheway.com">Apache Way</a>,
and by generally following the path <a
href="https://community.apache.org/contributors/">from contributor to
committer</a> for Apache projects. Specifically for the Mesos project, you can
make use of the <a
href="https://community.apache.org/committer-candidate-checklist/">Apache Mesos
Committer Candidate Checklist</a> for suggestions of what kind of contributions
and demonstrated behaviors can be instrumental, and to keep track of your
progress.</p>
+
<h2>Current Committers</h2>
-<p>We’d like to thank the following committers to the Apache Mesos
project who have helped get the project to where it is today. Committers are
voted on by members of the Mesos PMC. This list might be stale, the canonical
list is located on <a
href="http://people.apache.org/committers-by-project.html#mesos">Apache’s
website</a>.</p>
+<p>We’d like to thank the following committers to the Apache Mesos
project who have helped get the project to where it is today. This list might
be stale, the canonical list is located on <a
href="http://people.apache.org/committers-by-project.html#mesos">Apache’s
website</a>.</p>
<table class="table table-hover table-condensed">
<thead>
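Review bot: In the new "Becoming a committer" paragraph, the link labelled "Apache Mesos Committer Candidate Checklist" points at https://community.apache.org/committer-candidate-checklist/, a path on the general Apache community site rather than a Mesos page; please confirm the target is the Mesos-specific checklist the label promises. In the retained sentence, "This list might be stale, the canonical list is located on" is a comma splice; a semicolon or a full stop would fix it.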
Modified: mesos/site/publish/documentation/getting-started/index.html
URL:
http://svn.apache.org/viewvc/mesos/site/publish/documentation/getting-started/index.html?rev=1693459&r1=1693458&r2=1693459&view=diff
==============================================================================
--- mesos/site/publish/documentation/getting-started/index.html (original)
+++ mesos/site/publish/documentation/getting-started/index.html Thu Jul 30
17:12:19 2015
@@ -90,8 +90,8 @@
<ol>
<li><p>Download the latest stable release from <a
href="http://mesos.apache.org/downloads/">Apache</a>
(<strong><em>Recommended</em></strong>)</p>
-<pre><code> $ wget http://www.apache.org/dist/mesos/0.22.1/mesos-0.22.1.tar.gz
- $ tar -zxf mesos-0.22.1.tar.gz
+<pre><code> $ wget http://www.apache.org/dist/mesos/0.23.0/mesos-0.23.0.tar.gz
+ $ tar -zxf mesos-0.23.0.tar.gz
</code></pre></li>
<li><p>Clone the Mesos git <a
href="https://git-wip-us.apache.org/repos/asf/mesos.git">repository</a>
(<strong><em>Advanced Users Only</em></strong>)</p>
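Review bot: The updated download step still fetches the release over plain HTTP ("wget http://www.apache.org/dist/mesos/0.23.0/mesos-0.23.0.tar.gz") and goes straight to "tar -zxf" with no integrity check. Since this is the path marked Recommended, suggest switching the URL to https and adding a step that verifies the tarball against the signature or checksum published with the release before extracting it. The git clone alternative in the next list item already uses an https URL. The same applies to the latest/ copy of this page.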
Modified: mesos/site/publish/documentation/index.html
URL:
http://svn.apache.org/viewvc/mesos/site/publish/documentation/index.html?rev=1693459&r1=1693458&r2=1693459&view=diff
==============================================================================
--- mesos/site/publish/documentation/index.html (original)
+++ mesos/site/publish/documentation/index.html Thu Jul 30 17:12:19 2015
@@ -107,6 +107,7 @@
<li><a href="/documentation/latest/network-monitoring/">Network Monitoring and
Isolation</a></li>
<li><a href="/documentation/latest/slave-recovery/">Slave Recovery</a> for
doing seamless upgrades.</li>
<li><a href="/documentation/latest/tools/">Tools</a> for setting up and
running a Mesos cluster.</li>
+<li><a href="/documentation/latest/mesos-ssl/">SSL</a> for enabling and
enforcing SSL communication.</li>
</ul>
Modified: mesos/site/publish/documentation/latest/authorization/index.html
URL:
http://svn.apache.org/viewvc/mesos/site/publish/documentation/latest/authorization/index.html?rev=1693459&r1=1693458&r2=1693459&view=diff
==============================================================================
--- mesos/site/publish/documentation/latest/authorization/index.html (original)
+++ mesos/site/publish/documentation/latest/authorization/index.html Thu Jul 30
17:12:19 2015
@@ -139,7 +139,7 @@
<p>Similarly, when a framework launches a task(s), “run_tasks”
ACLs are checked to see if the framework (<code>FrameworkInfo.principal</code>)
is authorized to run the task/executor as the given <code>user</code>. If not
authorized, the launch is rejected and the framework gets a TASK_LOST.</p>
-<p>In the same vein, when a user/principal attempts to shutdown a framework
through the “/shutdown” HTTP endpoint on the master,
“shutdown_frameworks” ACLs are checked to see if the
<code>principal</code> is authorized to shutdown the given framework. If not
authorized, the shutdown is rejected and the user receives an
<code>Unauthorized</code> HTTP response.</p>
+<p>In the same vein, when a user/principal attempts to shutdown a framework
through the “/teardown” HTTP endpoint on the master,
“shutdown_frameworks” ACLs are checked to see if the
<code>principal</code> is authorized to shutdown the given framework. If not
authorized, the shutdown is rejected and the user receives an
<code>Unauthorized</code> HTTP response.</p>
<p>There are couple of important things to note:</p>
@@ -239,7 +239,7 @@
]
}
</code></pre></li>
-<li><p>Only <code>ops</code> principal can shutdown any frameworks through
“/shutdown” HTTP endpoint.</p>
+<li><p>Only <code>ops</code> principal can shutdown any frameworks through
“/teardown” HTTP endpoint.</p>
<pre><code> {
"permissive" : false,
Modified: mesos/site/publish/documentation/latest/committers/index.html
URL:
http://svn.apache.org/viewvc/mesos/site/publish/documentation/latest/committers/index.html?rev=1693459&r1=1693458&r2=1693459&view=diff
==============================================================================
--- mesos/site/publish/documentation/latest/committers/index.html (original)
+++ mesos/site/publish/documentation/latest/committers/index.html Thu Jul 30
17:12:19 2015
@@ -83,9 +83,15 @@
<div class="col-md-8">
<h1>Committers</h1>
+<p>An Apache Mesos committer is a contributor who has been given write access
to the Apache Mesos code repository and related Apache infrastructure. In the
Mesos project, each committer is also a voting member of the PMC.</p>
+
+<h2>Becoming a committer</h2>
+
+<p>Every new committer has to be proposed by a current committer and then
voted in by the members of the Mesos PMC. For details about this process and
for candidate requirements see the general <a
href="https://community.apache.org/newcommitter.html">Apache guidelines for
assessing new candidates for committership</a>. Candidates prepare for their
nomination as committer by contributing to the Mesos project and its community,
by acting according to the <a href="http://theapacheway.com">Apache Way</a>,
and by generally following the path <a
href="https://community.apache.org/contributors/">from contributor to
committer</a> for Apache projects. Specifically for the Mesos project, you can
make use of the <a
href="https://community.apache.org/committer-candidate-checklist/">Apache Mesos
Committer Candidate Checklist</a> for suggestions of what kind of contributions
and demonstrated behaviors can be instrumental, and to keep track of your
progress.</p>
+
<h2>Current Committers</h2>
-<p>We’d like to thank the following committers to the Apache Mesos
project who have helped get the project to where it is today. Committers are
voted on by members of the Mesos PMC. This list might be stale, the canonical
list is located on <a
href="http://people.apache.org/committers-by-project.html#mesos">Apache’s
website</a>.</p>
+<p>We’d like to thank the following committers to the Apache Mesos
project who have helped get the project to where it is today. This list might
be stale, the canonical list is located on <a
href="http://people.apache.org/committers-by-project.html#mesos">Apache’s
website</a>.</p>
<table class="table table-hover table-condensed">
<thead>
Modified: mesos/site/publish/documentation/latest/getting-started/index.html
URL:
http://svn.apache.org/viewvc/mesos/site/publish/documentation/latest/getting-started/index.html?rev=1693459&r1=1693458&r2=1693459&view=diff
==============================================================================
--- mesos/site/publish/documentation/latest/getting-started/index.html
(original)
+++ mesos/site/publish/documentation/latest/getting-started/index.html Thu Jul
30 17:12:19 2015
@@ -90,8 +90,8 @@
<ol>
<li><p>Download the latest stable release from <a
href="http://mesos.apache.org/downloads/">Apache</a>
(<strong><em>Recommended</em></strong>)</p>
-<pre><code> $ wget http://www.apache.org/dist/mesos/0.22.1/mesos-0.22.1.tar.gz
- $ tar -zxf mesos-0.22.1.tar.gz
+<pre><code> $ wget http://www.apache.org/dist/mesos/0.23.0/mesos-0.23.0.tar.gz
+ $ tar -zxf mesos-0.23.0.tar.gz
</code></pre></li>
<li><p>Clone the Mesos git <a
href="https://git-wip-us.apache.org/repos/asf/mesos.git">repository</a>
(<strong><em>Advanced Users Only</em></strong>)</p>
Modified: mesos/site/publish/documentation/latest/index.html
URL:
http://svn.apache.org/viewvc/mesos/site/publish/documentation/latest/index.html?rev=1693459&r1=1693458&r2=1693459&view=diff
==============================================================================
--- mesos/site/publish/documentation/latest/index.html (original)
+++ mesos/site/publish/documentation/latest/index.html Thu Jul 30 17:12:19 2015
@@ -107,6 +107,7 @@
<li><a href="/documentation/latest/network-monitoring/">Network Monitoring and
Isolation</a></li>
<li><a href="/documentation/latest/slave-recovery/">Slave Recovery</a> for
doing seamless upgrades.</li>
<li><a href="/documentation/latest/tools/">Tools</a> for setting up and
running a Mesos cluster.</li>
+<li><a href="/documentation/latest/mesos-ssl/">SSL</a> for enabling and
enforcing SSL communication.</li>
</ul>
Modified: mesos/site/publish/documentation/latest/mesos-ssl/index.html
URL:
http://svn.apache.org/viewvc/mesos/site/publish/documentation/latest/mesos-ssl/index.html?rev=1693459&r1=1693458&r2=1693459&view=diff
==============================================================================
--- mesos/site/publish/documentation/latest/mesos-ssl/index.html (original)
+++ mesos/site/publish/documentation/latest/mesos-ssl/index.html Thu Jul 30
17:12:19 2015
@@ -85,7 +85,7 @@
<p>There is currently only one implementation of the <a
href="https://github.com/apache/mesos/blob/master/3rdparty/libprocess/include/process/socket.hpp">libprocess
socket interface</a> that supports SSL. This implementation uses <a
href="https://github.com/libevent/libevent">libevent</a>. Specifically it
relies on the <code>libevent-openssl</code> library that wraps
<code>openssl</code>.</p>
-<p>After building <code>Mesos 0.23.0</code> from source, assuming you have
installed the required <a href="#Dependencies">Dependencies</a>, you can modify
your configure line to enable SSL as follows:</p>
+<p>After building Mesos 0.23.0 from source, assuming you have installed the
required <a href="#Dependencies">Dependencies</a>, you can modify your
configure line to enable SSL as follows:</p>
<pre><code>../configure --enable-libevent --enable-ssl
</code></pre>
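Review bot: "After building Mesos 0.23.0 from source ... you can modify your configure line" reads as if SSL can be switched on once the build is done, but "--enable-libevent --enable-ssl" are configure options, so the tree has to be reconfigured and rebuilt. Suggest wording along the lines of "When building Mesos 0.23.0 from source, ... add the following to your configure line".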
@@ -94,96 +94,96 @@
<p>Once you have successfully built and installed your new binaries, here are
the environment variables that are applicable to the <code>Master</code>,
<code>Slave</code>, <code>Framework Scheduler/Executor</code>, or any
<code>libprocess process</code>:</p>
-<h5>SSL_ENABLED=(false|0,true|1) [default=false|0]</h5>
+<h4>SSL_ENABLED=(false|0,true|1) [default=false|0]</h4>
<p>Turn on or off SSL. When it is turned off it is the equivalent of default
mesos with libevent as the backing for events. All sockets default to the
non-SSL implementation. When it is turned on, the default configuration for
sockets is SSL. This means outgoing connections will use SSL, and incoming
connections will be expected to speak SSL as well. None of the below flags are
relevant if SSL is not enabled.</p>
-<h5>SSL_SUPPORT_DOWNGRADE=(false|0,true|1) [default=false|0]</h5>
+<h4>SSL_SUPPORT_DOWNGRADE=(false|0,true|1) [default=false|0]</h4>
-<p>Control whether or not non-SSL connections can be established. If this is
enabled <strong>on the accepting side</strong>, then the accepting side will
downgrade to a non-SSL socket if the connecting side is attempting to
communicate via non-SSL. (e.g. http). See <a href="#Upgrading">Upgrading Your
Cluster</a> for more details.</p>
+<p>Control whether or not non-SSL connections can be established. If this is
enabled <strong>on the accepting side</strong>, then the accepting side will
downgrade to a non-SSL socket if the connecting side is attempting to
communicate via non-SSL. (e.g. HTTP). See <a href="#Upgrading">Upgrading Your
Cluster</a> for more details.</p>
-<h5>SSL_CERT_FILE=(path to certificate)</h5>
+<h4>SSL_CERT_FILE=(path to certificate)</h4>
-<p>The location of the certificate this binary will present.</p>
+<p>The location of the certificate that will be presented.</p>
-<h5>SSL_KEY_FILE=(path to key)</h5>
+<h4>SSL_KEY_FILE=(path to key)</h4>
<p>The location of the private key used by OpenSSL.</p>
-<h5>SSL_VERIFY_CERT=(false|0,true|1) [default=false|0]</h5>
+<h4>SSL_VERIFY_CERT=(false|0,true|1) [default=false|0]</h4>
<p>Control whether certificates are verified when presented. If this is false,
even when a certificate is presented, it will not be verified. When
<code>SSL_REQUIRE_CERT</code> is true, <code>SSL_VERIFY_CERT</code> is
overridden and all certificates will be verified <em>and</em> required.</p>
-<h5>SSL_REQUIRE_CERT=(false|0,true|1) [default=false|0]</h5>
+<h4>SSL_REQUIRE_CERT=(false|0,true|1) [default=false|0]</h4>
<p>Enforce that certificates must be presented by connecting clients. This
means all connections (including tools hitting endpoints) must present valid
certificates in order to establish a connection.</p>
-<h5>SSL_VERIFY_DEPTH=(4) [default=4]</h5>
+<h4>SSL_VERIFY_DEPTH=(N) [default=4]</h4>
<p>The maximum depth used to verify certificates. The default is 4. See the
OpenSSL documentation or contact your system administrator to learn why you may
want to change this.</p>
-<h5>SSL_CA_DIR=(path to CA directory)</h5>
+<h4>SSL_CA_DIR=(path to CA directory)</h4>
<p>The directory used to find the certificate authority / authorities. You can
specify <code>SSL_CA_DIR</code> or <code>SSL_CA_FILE</code> depending on how
you want to restrict your certificate authorization.</p>
-<h5>SSL_CA_FILE=(path to CA file)</h5>
+<h4>SSL_CA_FILE=(path to CA file)</h4>
<p>The file used to find the certificate authority. You can specify
<code>SSL_CA_DIR</code> or <code>SSL_CA_FILE</code> depending on how you want
to restrict your certificate authorization.</p>
-<h5>SSL_CIPHERS=(accepted ciphers separated by ‘:’)
[default=AES128-SHA:AES256-SHA:RC4-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA]</h5>
+<h4>SSL_CIPHERS=(accepted ciphers separated by ‘:’)
[default=AES128-SHA:AES256-SHA:RC4-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA]</h4>
<p>A list of <code>:</code>-separated ciphers. Use these if you want to
restrict or open up the accepted ciphers for OpenSSL. Read the OpenSSL
documentation or contact your system administrators to see whether you want to
override the default values.</p>
-<h5>SSL_ENABLE_SSL_V2=(false|0,true|1) [default=false|0]</h5>
+<h4>SSL_ENABLE_SSL_V3=(false|0,true|1) [default=false|0]</h4>
-<h5>SSL_ENABLE_SSL_V3=(false|0,true|1) [default=false|0]</h5>
+<h4>SSL_ENABLE_TLS_V1_0=(false|0,true|1) [default=false|0]</h4>
-<h5>SSL_ENABLE_TLS_V1_0=(false|0,true|1) [default=false|0]</h5>
+<h4>SSL_ENABLE_TLS_V1_1=(false|0,true|1) [default=false|0]</h4>
-<h5>SSL_ENABLE_TLS_V1_1=(false|0,true|1) [default=false|0]</h5>
+<h4>SSL_ENABLE_TLS_V1_2=(false|0,true|1) [default=true|1]</h4>
-<h5>SSL_ENABLE_TLS_V1_2=(false|0,true|1) [default=true|1]</h5>
-
-<p>The above switches enable / disable the specified protocols. By default
only TLS V1.2 is enabled. The mentality here is to restrict security by
default, and force users to open it up explicitly. Many older version of the
protocols have known vulnerabilities, so only enable these if you understand
the risks fully.</p>
+<p>The above switches enable / disable the specified protocols. By default
only TLS V1.2 is enabled. SSL V2 is always disabled; there is no switch to
enable it. The mentality here is to restrict security by default, and force
users to open it up explicitly. Many older version of the protocols have known
vulnerabilities, so only enable these if you fully understand the risks.
+<em>SSLv2 is disabled completely because modern versions of OpenSSL disable it
using multiple compile time configuration options.</em></p>
<h1><a name="Dependencies"></a>Dependencies</h1>
<h3>libevent</h3>
-<p>We require the OpenSSL support from libevent. The suggested version of
libevent is <a
href="https://github.com/libevent/libevent/releases/tag/release-2.0.22-stable"><code>2.0.22-stable</code></a>.
As new releases come out we will try to maintain compatibility.
-~~~
-// For example, on OSX:
+<p>We require the OpenSSL support from libevent. The suggested version of
libevent is <a
href="https://github.com/libevent/libevent/releases/tag/release-2.0.22-stable"><code>2.0.22-stable</code></a>.
As new releases come out we will try to maintain compatibility.</p>
+
+<pre><code>// For example, on OSX:
brew install libevent
-~~~</p>
+</code></pre>
<h3>OpenSSL</h3>
<p>We require <a href="https://github.com/openssl/openssl">OpenSSL</a>. There
are multiple branches of OpenSSL that are being maintained by the community.
Since security requires being vigilant, we recommend reading the release notes
for the current releases of OpenSSL and deciding on a version within your
organization based on your security needs. Mesos is not too deeply dependent on
specific OpenSSL versions, so there is room for you to make security decisions
as an organization.
-Please ensure the <code>event2</code> and <code>openssl</code> headers are
available for building mesos.
-~~~
-// For example, on OSX:
+Please ensure the <code>event2</code> and <code>openssl</code> headers are
available for building mesos.</p>
+
+<pre><code>// For example, on OSX:
brew install openssl
-~~~</p>
+</code></pre>
<h1><a name="Upgrading"></a>Upgrading Your Cluster</h1>
<p><em>There is no SSL specific requirement for upgrading different components
in a specific order.</em></p>
-<p>The recommended strategy is to restart all your components to enable SSL
with downgrades support enabled. Once all components have SSL enabled, then do
a second restart of all your components to disable downgrades. This strategy
will allow each component to be restarted independently at your own convenience
with no time restrictions. It will also allow you to try SSL in a subset of
your cluster. <em>Please note:</em> While different components in your cluster
are serving SSL vs non-SSL traffic, any relative links in the WebUI may be
broken. Please see the <a href="#WebUI">WebUI</a> section for details. Here are
sample commands for upgrading your cluster:
-~~~
-// Restart each component with downgrade support (master, slave, framework):
-SSL_ENABLED=true SSL_SUPPORT_DOWNGRADE=true
SSL_KEY_FILE=<path-to-your-private-key>
SSL_CERT_FILE=<path-to-your-certificate> <Any other SSL_* environment variables
you may choose> <your-component (e.g. bin/master.sh)> <your-flags></p>
-
-<p>// Restart each component WITHOUT downgrade support (master, slave,
framework):
-SSL_ENABLED=true SSL_SUPPORT_DOWNGRADE=false
SSL_KEY_FILE=<path-to-your-private-key>
SSL_CERT_FILE=<path-to-your-certificate> <Any other SSL_* environment variables
you may choose> <your-component (e.g. bin/master.sh)> <your-flags>
-~~~
-The end state is a cluster that is only communicating with SSL.</p>
+<p>The recommended strategy is to restart all your components to enable SSL
with downgrades support enabled. Once all components have SSL enabled, then do
a second restart of all your components to disable downgrades. This strategy
will allow each component to be restarted independently at your own convenience
with no time restrictions. It will also allow you to try SSL in a subset of
your cluster. <strong>NOTE:</strong> While different components in your cluster
are serving SSL vs non-SSL traffic, any relative links in the WebUI may be
broken. Please see the <a href="#WebUI">WebUI</a> section for details. Here are
sample commands for upgrading your cluster:</p>
+
+<pre><code>// Restart each component with downgrade support (master, slave,
framework):
+SSL_ENABLED=true SSL_SUPPORT_DOWNGRADE=true
SSL_KEY_FILE=<path-to-your-private-key>
SSL_CERT_FILE=<path-to-your-certificate> <Any other SSL_* environment
variables you may choose> <your-component (e.g. bin/master.sh)>
<your-flags>
+
+// Restart each component WITHOUT downgrade support (master, slave, framework):
+SSL_ENABLED=true SSL_SUPPORT_DOWNGRADE=false
SSL_KEY_FILE=<path-to-your-private-key>
SSL_CERT_FILE=<path-to-your-certificate> <Any other SSL_* environment
variables you may choose> <your-component (e.g. bin/master.sh)>
<your-flags>
+</code></pre>
+
+<p>The end state is a cluster that is only communicating with SSL.</p>
-<p><em>Please note:</em> Any tools you may use that communicate with your
components must be able to talk SSL, or they will be denied. You may choose to
maintain <code>SSL_SUPPORT_DOWNGRADE=true</code> for some time as you upgrade
your internal tooling. The advantage of <code>SSL_SUPPORT_DOWNGRADE=true</code>
is that all components that speak SSL will do so, while other components may
still communicate over insecure channels.</p>
+<p><strong>NOTE:</strong> Any tools you may use that communicate with your
components must be able to speak SSL, or they will be denied. You may choose to
maintain <code>SSL_SUPPORT_DOWNGRADE=true</code> for some time as you upgrade
your internal tooling. The advantage of <code>SSL_SUPPORT_DOWNGRADE=true</code>
is that all components that speak SSL will do so, while other components may
still communicate over insecure channels.</p>
<h1><a name="WebUI"></a>WebUI</h1>
-<p>The default Mesos WebUI uses relative links. Some of these links transition
between endpoints served by the master and slaves. The WebUI currently does not
have enough information to change the ‘http’ vs ‘https’
links based on whether the target endpoint is currently being served by an
SSL-enabled binary. This may cause certain links in the WebUI to be broken when
a cluster is in a transition state between SSL and non-SSL. Any tools that hit
these endpoints will still be able to access them as long as they hit the
endpoint using the right protocol, or the SSL_SUPPORT_DOWNGRADE option is set
to true.</p>
+<p>The default Mesos WebUI uses relative links. Some of these links transition
between endpoints served by the master and slaves. The WebUI currently does not
have enough information to change the ‘http’ vs ‘https’
links based on whether the target endpoint is currently being served by an
SSL-enabled binary. This may cause certain links in the WebUI to be broken when
a cluster is in a transition state between SSL and non-SSL. Any tools that hit
these endpoints will still be able to access them as long as they hit the
endpoint using the right protocol, or the <code>SSL_SUPPORT_DOWNGRADE</code>
option is set to true.</p>
<h3>Certificates</h3>
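Review bot: The SSL_CIPHERS heading documents a default list that contains RC4-SHA, which sits oddly beside the statement further down in this hunk that the defaults are restrictive and that older protocols must be opted into. If the list mirrors the code default, suggest adding a sentence recommending that operators override SSL_CIPHERS to exclude RC4. In the same section, SSL_VERIFY_CERT and SSL_REQUIRE_CERT both default to false, and the text never spells out that with these defaults a presented certificate is not verified, so the channel is encrypted but the peer is not authenticated; a one-line note recommending SSL_VERIFY_CERT=true together with SSL_CA_FILE or SSL_CA_DIR for production clusters would help. Finally, "restrict security by default" says the opposite of what is meant ("restrict protocols by default"), and "Many older version" should be "Many older versions".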
Modified: mesos/site/publish/documentation/latest/operational-guide/index.html
URL:
http://svn.apache.org/viewvc/mesos/site/publish/documentation/latest/operational-guide/index.html?rev=1693459&r1=1693458&r2=1693459&view=diff
==============================================================================
--- mesos/site/publish/documentation/latest/operational-guide/index.html
(original)
+++ mesos/site/publish/documentation/latest/operational-guide/index.html Thu
Jul 30 17:12:19 2015
@@ -150,6 +150,17 @@
<p>To increase the quorum by N, repeat this process to increment the quorum
size N times.</p>
+<p>NOTE: Currently, moving out of a single master setup requires wiping the
replicated log
+state and starting fresh. This will wipe all persistent data (e.g. slaves,
maintenance
+information, quota information, etc). To move from 1 master to 3 masters:</p>
+
+<ol>
+<li>Stop the standalone master.</li>
+<li>Remove the replicated log data (<code>replicated_log</code> under the
<code>--work_dir</code>).</li>
+<li>Start the original master and two new masters with
<code>--quorum=2</code></li>
+</ol>
+
+
<h3>Decreasing the quorum size</h3>
<p>The following steps indicate how to decrement the quorum size, using 5 -> 3
masters as an example (quorum size 3 -> 2):</p>
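Review bot: Step 2 of the new list tells the operator to remove "replicated_log" under "--work_dir", which the note above it says wipes all persistent data, yet no step covers taking a copy of that directory first or describes the effect on running slaves and frameworks once the fresh masters come up. Suggest adding a backup step before the removal and one sentence on what operators should expect afterwards. Step 3 is also missing its closing period, and "etc)" should be "etc.)".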
Modified: mesos/site/publish/documentation/latest/oversubscription/index.html
URL:
http://svn.apache.org/viewvc/mesos/site/publish/documentation/latest/oversubscription/index.html?rev=1693459&r1=1693458&r2=1693459&view=diff
==============================================================================
--- mesos/site/publish/documentation/latest/oversubscription/index.html
(original)
+++ mesos/site/publish/documentation/latest/oversubscription/index.html Thu Jul
30 17:12:19 2015
@@ -81,9 +81,7 @@
<p>See our <a href="/community/">community</a> page for more
details.</p>
</div>
<div class="col-md-8">
- <p>— layout: documentation —</p>
-
-<h1>Oversubscription</h1>
+ <h1>Oversubscription</h1>
<p>High-priority user-facing services are typically provisioned on large
clusters
for peak load and unexpected load spikes. Hence, for most of time, the
@@ -136,7 +134,7 @@ resources such as cpu shares, bandwidth,
the regular launchTasks() API. To safe-guard frameworks that are not
designed to deal with preemption, only frameworks registering with the
<code>REVOCABLE_RESOURCES</code> capability set in its framework info will
receive offers
-with revocable resources. Further more, recovable resources cannot be
+with revocable resources. Further more, revocable resources cannot be
dynamically reserved and persistent volumes should not be created on revocable
disk resources.</li>
</ul>
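Review bot: The changed line fixes "recovable" but leaves "Further more" as two words; it should be "Furthermore".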
@@ -187,8 +185,8 @@ instructions how to configure Mesos for
<h3>Launching tasks using revocable resources</h3>
-<p>Launching tasks using recovable resources is done through the existing
-<code>launchTasks</code> API. Revocable resources will have the
<code>recovable</code> field set. See
+<p>Launching tasks using revocable resources is done through the existing
+<code>launchTasks</code> API. Revocable resources will have the
<code>revocable</code> field set. See
below for an example offer with regular and revocable resources.</p>
<pre><code class="{.json}">{
@@ -392,7 +390,7 @@ between these corrections is controlled
<p>In the example above, a fixed amount of 14 cpus will be offered as revocable
resources.</p>
-<p>To select custom a resource estimator and QoS controller, please refer to
the
+<p>To install a custom resource estimator and QoS controller, please refer to
the
<a href="/documentation/latest/modules/">modules documentation</a>.</p>
</div>
Modified: mesos/site/publish/documentation/latest/reconciliation/index.html
URL:
http://svn.apache.org/viewvc/mesos/site/publish/documentation/latest/reconciliation/index.html?rev=1693459&r1=1693458&r2=1693459&view=diff
==============================================================================
--- mesos/site/publish/documentation/latest/reconciliation/index.html (original)
+++ mesos/site/publish/documentation/latest/reconciliation/index.html Thu Jul
30 17:12:19 2015
@@ -124,6 +124,18 @@ task state reconciliation.</p>
<h2>Task Reconciliation</h2>
+<p>Mesos provides two forms of reconciliation:</p>
+
+<ul>
+<li>“Explicit” reconciliation: the scheduler sends some of its
non-terminal
+tasks and the master responds with the latest state for each task, if
+possible.</li>
+<li>“Implicit” reconciliation: the scheduler sends an empty list
of tasks
+and the master responds with the latest state for all currently known
+non-terminal tasks.</li>
+</ul>
+
+
<p><strong>Tasks must be reconciled explicitly by the framework after a
failure.</strong></p>
<p>This is because the scheduler driver does not persist any task information.
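Review bot: now that the added list defines "Explicit" reconciliation as a term, the bold sentence right after it ("Tasks must be reconciled explicitly by the framework after a failure") becomes ambiguous. It can be read as requiring the explicit form specifically, or as saying only that the framework has to initiate reconciliation itself; suggest rewording it to say which is meant. The "if possible" in the first list item also leaves open what the scheduler sees when the master cannot answer for a task, so a short pointer to the retry behaviour would help there.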
@@ -160,29 +172,41 @@ slaves that are transitioning between st
<h3>Algorithm</h3>
-<p>The technique for performing reconciliation should reconcile all
non-terminal
-tasks, until an update is received for each task, using exponential
backoff:</p>
+<p>This technique for explicit reconciliation reconciles all non-terminal
tasks,
+until an update is received for each task, using exponential backoff to retry
+tasks that remain unreconciled. Retries are needed because the master
temporarily
+may not be able to reply for a particular task. For example, during master
+failover the master must re-register all of the slaves to rebuild its
+set of known tasks (this process can take minutes for large clusters, and
+is bounded by the <code>--slave_reregister_timeout</code> flag on the
master).</p>
+
+<p>Steps:</p>
<ol>
<li>let <code>start = now()</code></li>
<li>let <code>remaining = { T in tasks | T is non-terminal }</code></li>
<li>Perform reconciliation: <code>reconcile(remaining)</code></li>
<li>Wait for status updates to arrive (use truncated exponential backoff). For
each update, note the time of arrival.</li>
-<li>let <code>remaining = { T in remaining | T.last_update_arrival() <
start }</code></li>
+<li>let <code>remaining = { T ϵ remaining | T.last_update_arrival() <
start }</code></li>
<li>If <code>remaining</code> is non-empty, go to 3.</li>
</ol>
<p>This reconciliation algorithm <strong>must</strong> be run after each
(re-)registration.</p>
+<p>Implicit reconciliation (passing an empty list) should also be used
+periodically, as a defense against data loss in the framework. Unless a
+strict registry is in use on the master, its possible for tasks to resurrect
+from a LOST state (without a strict registry the master does not enforce
+slave removal across failovers). When an unknown task is encountered, the
+scheduler should kill or recover the task.</p>
+
<p>Notes:</p>
<ul>
<li>When waiting for updates to arrive, <strong>use a truncated exponential
backoff</strong>.
This will avoid a snowball effect in the case of the driver or master being
backed up.</li>
-<li>Implicit reconciliation (passing an empty list) can also be used
-periodically, As a defense against data loss in the framework.</li>
<li>It is beneficial to ensure that only 1 reconciliation is in progress at a
time, to avoid a snowball effect in the face of many re-registrations.
If another reconciliation should be started while one is in-progress,
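Review bot: step 5 now writes "T ϵ remaining" while step 2 still writes "T in tasks", so the two set definitions use different notation for the same relation. Pick one for both steps; if the symbol is kept, the set-membership sign is ∈ (U+2208), not the lunate epsilon ϵ used here. In the added implicit-reconciliation paragraph, "its possible" should be "it's possible".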
Modified: mesos/site/publish/documentation/latest/release-guide/index.html
URL:
http://svn.apache.org/viewvc/mesos/site/publish/documentation/latest/release-guide/index.html?rev=1693459&r1=1693458&r2=1693459&view=diff
==============================================================================
--- mesos/site/publish/documentation/latest/release-guide/index.html (original)
+++ mesos/site/publish/documentation/latest/release-guide/index.html Thu Jul 30
17:12:19 2015
@@ -256,6 +256,7 @@ for details on how to build and publish
<pre><code> $ svn co https://svn.apache.org/repos/asf/mesos/site mesos-site
</code></pre></li>
<li><p>Write a blog post announcing the new release and its features and major
bug fixes.</p></li>
+<li><p>Update the Getting Started guide to use the latest release
link.</p></li>
</ol>
Modified: mesos/site/publish/documentation/latest/upgrades/index.html
URL:
http://svn.apache.org/viewvc/mesos/site/publish/documentation/latest/upgrades/index.html?rev=1693459&r1=1693458&r2=1693459&view=diff
==============================================================================
--- mesos/site/publish/documentation/latest/upgrades/index.html (original)
+++ mesos/site/publish/documentation/latest/upgrades/index.html Thu Jul 30
17:12:19 2015
@@ -87,6 +87,10 @@
<h2>Upgrading from 0.22.x to 0.23.x</h2>
+<p><strong>NOTE</strong> The ‘stats.json’ endpoints for masters
and slaves have been removed. Please use the ‘metrics/snapshot’
endpoints instead.</p>
+
+<p><strong>NOTE</strong> The ‘/master/shutdown’ endpoint is
deprecated in favor of the new ‘/master/teardown’ endpoint.</p>
+
<p><strong>NOTE</strong> In order to enable decorator modules to remove
metadata (environment variables or labels), we changed the meaning of the
return value for decorator hooks in Mesos 0.23.0. Please refer to the modules
documentation for more details.</p>
<p><strong>NOTE</strong> Slave ping timeouts are now configurable on the
master via <code>--slave_ping_timeout</code> and
<code>--max_slave_ping_timeouts</code>. Slaves should be upgraded to 0.23.x
before changing these flags.</p>
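Review bot: the two added notes name endpoints inconsistently. 'stats.json' and 'metrics/snapshot' are given without a leading slash or component prefix, while '/master/shutdown' and '/master/teardown' are full paths. Suggest giving the full path for both the master and slave variants so operators can search their tooling for the exact string, and using code markup for them as the --slave_ping_timeout flag below does, rather than curly quotes.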
Modified: mesos/site/publish/documentation/mesos-ssl/index.html
URL:
http://svn.apache.org/viewvc/mesos/site/publish/documentation/mesos-ssl/index.html?rev=1693459&r1=1693458&r2=1693459&view=diff
==============================================================================
--- mesos/site/publish/documentation/mesos-ssl/index.html (original)
+++ mesos/site/publish/documentation/mesos-ssl/index.html Thu Jul 30 17:12:19
2015
@@ -85,7 +85,7 @@
<p>There is currently only one implementation of the <a
href="https://github.com/apache/mesos/blob/master/3rdparty/libprocess/include/process/socket.hpp">libprocess
socket interface</a> that supports SSL. This implementation uses <a
href="https://github.com/libevent/libevent">libevent</a>. Specifically it
relies on the <code>libevent-openssl</code> library that wraps
<code>openssl</code>.</p>
-<p>After building <code>Mesos 0.23.0</code> from source, assuming you have
installed the required <a href="#Dependencies">Dependencies</a>, you can modify
your configure line to enable SSL as follows:</p>
+<p>After building Mesos 0.23.0 from source, assuming you have installed the
required <a href="#Dependencies">Dependencies</a>, you can modify your
configure line to enable SSL as follows:</p>
<pre><code>../configure --enable-libevent --enable-ssl
</code></pre>
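Review bot: the reworded sentence still opens with "After building Mesos 0.23.0 from source" and then tells the reader to modify the configure line, which runs before the build. "When building Mesos 0.23.0 from source ..." would match the order of operations and make it clear that SSL support is a build-time choice requiring --enable-libevent and --enable-ssl together.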
@@ -94,96 +94,96 @@
<p>Once you have successfully built and installed your new binaries, here are
the environment variables that are applicable to the <code>Master</code>,
<code>Slave</code>, <code>Framework Scheduler/Executor</code>, or any
<code>libprocess process</code>:</p>
-<h5>SSL_ENABLED=(false|0,true|1) [default=false|0]</h5>
+<h4>SSL_ENABLED=(false|0,true|1) [default=false|0]</h4>
<p>Turn on or off SSL. When it is turned off it is the equivalent of default
mesos with libevent as the backing for events. All sockets default to the
non-SSL implementation. When it is turned on, the default configuration for
sockets is SSL. This means outgoing connections will use SSL, and incoming
connections will be expected to speak SSL as well. None of the below flags are
relevant if SSL is not enabled.</p>
-<h5>SSL_SUPPORT_DOWNGRADE=(false|0,true|1) [default=false|0]</h5>
+<h4>SSL_SUPPORT_DOWNGRADE=(false|0,true|1) [default=false|0]</h4>
-<p>Control whether or not non-SSL connections can be established. If this is
enabled <strong>on the accepting side</strong>, then the accepting side will
downgrade to a non-SSL socket if the connecting side is attempting to
communicate via non-SSL. (e.g. http). See <a href="#Upgrading">Upgrading Your
Cluster</a> for more details.</p>
+<p>Control whether or not non-SSL connections can be established. If this is
enabled <strong>on the accepting side</strong>, then the accepting side will
downgrade to a non-SSL socket if the connecting side is attempting to
communicate via non-SSL. (e.g. HTTP). See <a href="#Upgrading">Upgrading Your
Cluster</a> for more details.</p>
-<h5>SSL_CERT_FILE=(path to certificate)</h5>
+<h4>SSL_CERT_FILE=(path to certificate)</h4>
-<p>The location of the certificate this binary will present.</p>
+<p>The location of the certificate that will be presented.</p>
-<h5>SSL_KEY_FILE=(path to key)</h5>
+<h4>SSL_KEY_FILE=(path to key)</h4>
<p>The location of the private key used by OpenSSL.</p>
-<h5>SSL_VERIFY_CERT=(false|0,true|1) [default=false|0]</h5>
+<h4>SSL_VERIFY_CERT=(false|0,true|1) [default=false|0]</h4>
<p>Control whether certificates are verified when presented. If this is false,
even when a certificate is presented, it will not be verified. When
<code>SSL_REQUIRE_CERT</code> is true, <code>SSL_VERIFY_CERT</code> is
overridden and all certificates will be verified <em>and</em> required.</p>
-<h5>SSL_REQUIRE_CERT=(false|0,true|1) [default=false|0]</h5>
+<h4>SSL_REQUIRE_CERT=(false|0,true|1) [default=false|0]</h4>
<p>Enforce that certificates must be presented by connecting clients. This
means all connections (including tools hitting endpoints) must present valid
certificates in order to establish a connection.</p>
-<h5>SSL_VERIFY_DEPTH=(4) [default=4]</h5>
+<h4>SSL_VERIFY_DEPTH=(N) [default=4]</h4>
<p>The maximum depth used to verify certificates. The default is 4. See the
OpenSSL documentation or contact your system administrator to learn why you may
want to change this.</p>
-<h5>SSL_CA_DIR=(path to CA directory)</h5>
+<h4>SSL_CA_DIR=(path to CA directory)</h4>
<p>The directory used to find the certificate authority / authorities. You can
specify <code>SSL_CA_DIR</code> or <code>SSL_CA_FILE</code> depending on how
you want to restrict your certificate authorization.</p>
-<h5>SSL_CA_FILE=(path to CA file)</h5>
+<h4>SSL_CA_FILE=(path to CA file)</h4>
<p>The file used to find the certificate authority. You can specify
<code>SSL_CA_DIR</code> or <code>SSL_CA_FILE</code> depending on how you want
to restrict your certificate authorization.</p>
-<h5>SSL_CIPHERS=(accepted ciphers separated by ‘:’)
[default=AES128-SHA:AES256-SHA:RC4-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA]</h5>
+<h4>SSL_CIPHERS=(accepted ciphers separated by ‘:’)
[default=AES128-SHA:AES256-SHA:RC4-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA]</h4>
<p>A list of <code>:</code>-separated ciphers. Use these if you want to
restrict or open up the accepted ciphers for OpenSSL. Read the OpenSSL
documentation or contact your system administrators to see whether you want to
override the default values.</p>
-<h5>SSL_ENABLE_SSL_V2=(false|0,true|1) [default=false|0]</h5>
+<h4>SSL_ENABLE_SSL_V3=(false|0,true|1) [default=false|0]</h4>
-<h5>SSL_ENABLE_SSL_V3=(false|0,true|1) [default=false|0]</h5>
+<h4>SSL_ENABLE_TLS_V1_0=(false|0,true|1) [default=false|0]</h4>
-<h5>SSL_ENABLE_TLS_V1_0=(false|0,true|1) [default=false|0]</h5>
+<h4>SSL_ENABLE_TLS_V1_1=(false|0,true|1) [default=false|0]</h4>
-<h5>SSL_ENABLE_TLS_V1_1=(false|0,true|1) [default=false|0]</h5>
+<h4>SSL_ENABLE_TLS_V1_2=(false|0,true|1) [default=true|1]</h4>
-<h5>SSL_ENABLE_TLS_V1_2=(false|0,true|1) [default=true|1]</h5>
-
-<p>The above switches enable / disable the specified protocols. By default
only TLS V1.2 is enabled. The mentality here is to restrict security by
default, and force users to open it up explicitly. Many older version of the
protocols have known vulnerabilities, so only enable these if you understand
the risks fully.</p>
+<p>The above switches enable / disable the specified protocols. By default
only TLS V1.2 is enabled. SSL V2 is always disabled; there is no switch to
enable it. The mentality here is to restrict security by default, and force
users to open it up explicitly. Many older version of the protocols have known
vulnerabilities, so only enable these if you fully understand the risks.
+<em>SSLv2 is disabled completely because modern versions of OpenSSL disable it
using multiple compile time configuration options.</em></p>
<h1><a name="Dependencies"></a>Dependencies</h1>
<h3>libevent</h3>
-<p>We require the OpenSSL support from libevent. The suggested version of
libevent is <a
href="https://github.com/libevent/libevent/releases/tag/release-2.0.22-stable"><code>2.0.22-stable</code></a>.
As new releases come out we will try to maintain compatibility.
-~~~
-// For example, on OSX:
+<p>We require the OpenSSL support from libevent. The suggested version of
libevent is <a
href="https://github.com/libevent/libevent/releases/tag/release-2.0.22-stable"><code>2.0.22-stable</code></a>.
As new releases come out we will try to maintain compatibility.</p>
+
+<pre><code>// For example, on OSX:
brew install libevent
-~~~</p>
+</code></pre>
<h3>OpenSSL</h3>
<p>We require <a href="https://github.com/openssl/openssl">OpenSSL</a>. There
are multiple branches of OpenSSL that are being maintained by the community.
Since security requires being vigilant, we recommend reading the release notes
for the current releases of OpenSSL and deciding on a version within your
organization based on your security needs. Mesos is not too deeply dependent on
specific OpenSSL versions, so there is room for you to make security decisions
as an organization.
-Please ensure the <code>event2</code> and <code>openssl</code> headers are
available for building mesos.
-~~~
-// For example, on OSX:
+Please ensure the <code>event2</code> and <code>openssl</code> headers are
available for building mesos.</p>
+
+<pre><code>// For example, on OSX:
brew install openssl
-~~~</p>
+</code></pre>
<h1><a name="Upgrading"></a>Upgrading Your Cluster</h1>
<p><em>There is no SSL specific requirement for upgrading different components
in a specific order.</em></p>
-<p>The recommended strategy is to restart all your components to enable SSL
with downgrades support enabled. Once all components have SSL enabled, then do
a second restart of all your components to disable downgrades. This strategy
will allow each component to be restarted independently at your own convenience
with no time restrictions. It will also allow you to try SSL in a subset of
your cluster. <em>Please note:</em> While different components in your cluster
are serving SSL vs non-SSL traffic, any relative links in the WebUI may be
broken. Please see the <a href="#WebUI">WebUI</a> section for details. Here are
sample commands for upgrading your cluster:
-~~~
-// Restart each component with downgrade support (master, slave, framework):
-SSL_ENABLED=true SSL_SUPPORT_DOWNGRADE=true
SSL_KEY_FILE=<path-to-your-private-key>
SSL_CERT_FILE=<path-to-your-certificate> <Any other SSL_* environment variables
you may choose> <your-component (e.g. bin/master.sh)> <your-flags></p>
-
-<p>// Restart each component WITHOUT downgrade support (master, slave,
framework):
-SSL_ENABLED=true SSL_SUPPORT_DOWNGRADE=false
SSL_KEY_FILE=<path-to-your-private-key>
SSL_CERT_FILE=<path-to-your-certificate> <Any other SSL_* environment variables
you may choose> <your-component (e.g. bin/master.sh)> <your-flags>
-~~~
-The end state is a cluster that is only communicating with SSL.</p>
+<p>The recommended strategy is to restart all your components to enable SSL
with downgrades support enabled. Once all components have SSL enabled, then do
a second restart of all your components to disable downgrades. This strategy
will allow each component to be restarted independently at your own convenience
with no time restrictions. It will also allow you to try SSL in a subset of
your cluster. <strong>NOTE:</strong> While different components in your cluster
are serving SSL vs non-SSL traffic, any relative links in the WebUI may be
broken. Please see the <a href="#WebUI">WebUI</a> section for details. Here are
sample commands for upgrading your cluster:</p>
+
+<pre><code>// Restart each component with downgrade support (master, slave,
framework):
+SSL_ENABLED=true SSL_SUPPORT_DOWNGRADE=true
SSL_KEY_FILE=<path-to-your-private-key>
SSL_CERT_FILE=<path-to-your-certificate> <Any other SSL_* environment
variables you may choose> <your-component (e.g. bin/master.sh)>
<your-flags>
+
+// Restart each component WITHOUT downgrade support (master, slave, framework):
+SSL_ENABLED=true SSL_SUPPORT_DOWNGRADE=false
SSL_KEY_FILE=<path-to-your-private-key>
SSL_CERT_FILE=<path-to-your-certificate> <Any other SSL_* environment
variables you may choose> <your-component (e.g. bin/master.sh)>
<your-flags>
+</code></pre>
+
+<p>The end state is a cluster that is only communicating with SSL.</p>
-<p><em>Please note:</em> Any tools you may use that communicate with your
components must be able to talk SSL, or they will be denied. You may choose to
maintain <code>SSL_SUPPORT_DOWNGRADE=true</code> for some time as you upgrade
your internal tooling. The advantage of <code>SSL_SUPPORT_DOWNGRADE=true</code>
is that all components that speak SSL will do so, while other components may
still communicate over insecure channels.</p>
+<p><strong>NOTE:</strong> Any tools you may use that communicate with your
components must be able to speak SSL, or they will be denied. You may choose to
maintain <code>SSL_SUPPORT_DOWNGRADE=true</code> for some time as you upgrade
your internal tooling. The advantage of <code>SSL_SUPPORT_DOWNGRADE=true</code>
is that all components that speak SSL will do so, while other components may
still communicate over insecure channels.</p>
<h1><a name="WebUI"></a>WebUI</h1>
-<p>The default Mesos WebUI uses relative links. Some of these links transition
between endpoints served by the master and slaves. The WebUI currently does not
have enough information to change the ‘http’ vs ‘https’
links based on whether the target endpoint is currently being served by an
SSL-enabled binary. This may cause certain links in the WebUI to be broken when
a cluster is in a transition state between SSL and non-SSL. Any tools that hit
these endpoints will still be able to access them as long as they hit the
endpoint using the right protocol, or the SSL_SUPPORT_DOWNGRADE option is set
to true.</p>
+<p>The default Mesos WebUI uses relative links. Some of these links transition
between endpoints served by the master and slaves. The WebUI currently does not
have enough information to change the ‘http’ vs ‘https’
links based on whether the target endpoint is currently being served by an
SSL-enabled binary. This may cause certain links in the WebUI to be broken when
a cluster is in a transition state between SSL and non-SSL. Any tools that hit
these endpoints will still be able to access them as long as they hit the
endpoint using the right protocol, or the <code>SSL_SUPPORT_DOWNGRADE</code>
option is set to true.</p>
<h3>Certificates</h3>
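Review bot: in the rewritten protocol paragraph, "restrict security by default" says the opposite of what is meant; "restrict the enabled protocols by default" would match the following clause about users opening things up explicitly. In the same paragraph "Many older version" should be "versions", and the closing italic sentence repeats the SSL V2 statement made two sentences earlier, so one of the two can go. Given that secure-by-default stance, the default SSL_CIPHERS list a few lines above still includes RC4-SHA; the page should flag that or tell readers to override the list, since RC4 suites are prohibited for TLS by RFC 7465. It is also worth stating next to SSL_VERIFY_CERT and SSL_REQUIRE_CERT that with both at their default of false the peer is not authenticated.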
Modified: mesos/site/publish/documentation/operational-guide/index.html
URL:
http://svn.apache.org/viewvc/mesos/site/publish/documentation/operational-guide/index.html?rev=1693459&r1=1693458&r2=1693459&view=diff
==============================================================================
--- mesos/site/publish/documentation/operational-guide/index.html (original)
+++ mesos/site/publish/documentation/operational-guide/index.html Thu Jul 30
17:12:19 2015
@@ -150,6 +150,17 @@
<p>To increase the quorum by N, repeat this process to increment the quorum
size N times.</p>
+<p>NOTE: Currently, moving out of a single master setup requires wiping the
replicated log
+state and starting fresh. This will wipe all persistent data (e.g. slaves,
maintenance
+information, quota information, etc). To move from 1 master to 3 masters:</p>
+
+<ol>
+<li>Stop the standalone master.</li>
+<li>Remove the replicated log data (<code>replicated_log</code> under the
<code>--work_dir</code>).</li>
+<li>Start the original master and two new masters with
<code>--quorum=2</code></li>
+</ol>
+
+
<h3>Decreasing the quorum size</h3>
<p>The following steps indicate how to decrement the quorum size, using 5 -> 3
masters as an example (quorum size 3 -> 2):</p>
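Review bot: step 2 of the new list deletes the replicated log, and the note mentions only in passing that this wipes all persistent data. For a destructive step the text should say what the operator has to do around it, for example whether slaves re-register on their own and whether maintenance and quota information must be re-entered, and it could suggest moving the replicated_log directory aside instead of removing it so the change can be backed out. Minor: step 3 lacks a final period, and the note sits directly after the "To increase the quorum by N" paragraph without a heading, so a reader following the steps above it may not notice that it applies only to the single-master case.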
Modified: mesos/site/publish/documentation/oversubscription/index.html
URL:
http://svn.apache.org/viewvc/mesos/site/publish/documentation/oversubscription/index.html?rev=1693459&r1=1693458&r2=1693459&view=diff
==============================================================================
--- mesos/site/publish/documentation/oversubscription/index.html (original)
+++ mesos/site/publish/documentation/oversubscription/index.html Thu Jul 30
17:12:19 2015
@@ -81,9 +81,7 @@
<p>See our <a href="/community/">community</a> page for more
details.</p>
</div>
<div class="col-md-8">
- <p>— layout: documentation —</p>
-
-<h1>Oversubscription</h1>
+ <h1>Oversubscription</h1>
<p>High-priority user-facing services are typically provisioned on large
clusters
for peak load and unexpected load spikes. Hence, for most of time, the
@@ -136,7 +134,7 @@ resources such as cpu shares, bandwidth,
the regular launchTasks() API. To safe-guard frameworks that are not
designed to deal with preemption, only frameworks registering with the
<code>REVOCABLE_RESOURCES</code> capability set in its framework info will
receive offers
-with revocable resources. Further more, recovable resources cannot be
+with revocable resources. Further more, revocable resources cannot be
dynamically reserved and persistent volumes should not be created on revocable
disk resources.</li>
</ul>
@@ -187,8 +185,8 @@ instructions how to configure Mesos for
<h3>Launching tasks using revocable resources</h3>
-<p>Launching tasks using recovable resources is done through the existing
-<code>launchTasks</code> API. Revocable resources will have the
<code>recovable</code> field set. See
+<p>Launching tasks using revocable resources is done through the existing
+<code>launchTasks</code> API. Revocable resources will have the
<code>revocable</code> field set. See
below for an example offer with regular and revocable resources.</p>
<pre><code class="{.json}">{
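Review bot: the context line opening the example offer has the literal string "{.json}" as the class name on the code element, which looks like a Markdown attribute that was passed through to the published HTML rather than interpreted. Since this commit regenerates the page, it is worth correcting the fence syntax in oversubscription.md so the class comes out as a plain language name.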
@@ -392,7 +390,7 @@ between these corrections is controlled
<p>In the example above, a fixed amount of 14 cpus will be offered as revocable
resources.</p>
-<p>To select custom a resource estimator and QoS controller, please refer to
the
+<p>To install a custom resource estimator and QoS controller, please refer to
the
<a href="/documentation/latest/modules/">modules documentation</a>.</p>
</div>
Modified: mesos/site/publish/documentation/reconciliation/index.html
URL:
http://svn.apache.org/viewvc/mesos/site/publish/documentation/reconciliation/index.html?rev=1693459&r1=1693458&r2=1693459&view=diff
==============================================================================
--- mesos/site/publish/documentation/reconciliation/index.html (original)
+++ mesos/site/publish/documentation/reconciliation/index.html Thu Jul 30
17:12:19 2015
@@ -124,6 +124,18 @@ task state reconciliation.</p>
<h2>Task Reconciliation</h2>
+<p>Mesos provides two forms of reconciliation:</p>
+
+<ul>
+<li>“Explicit” reconciliation: the scheduler sends some of its
non-terminal
+tasks and the master responds with the latest state for each task, if
+possible.</li>
+<li>“Implicit” reconciliation: the scheduler sends an empty list
of tasks
+and the master responds with the latest state for all currently known
+non-terminal tasks.</li>
+</ul>
+
+
<p><strong>Tasks must be reconciled explicitly by the framework after a
failure.</strong></p>
<p>This is because the scheduler driver does not persist any task information.
@@ -160,29 +172,41 @@ slaves that are transitioning between st
<h3>Algorithm</h3>
-<p>The technique for performing reconciliation should reconcile all
non-terminal
-tasks, until an update is received for each task, using exponential
backoff:</p>
+<p>This technique for explicit reconciliation reconciles all non-terminal
tasks,
+until an update is received for each task, using exponential backoff to retry
+tasks that remain unreconciled. Retries are needed because the master
temporarily
+may not be able to reply for a particular task. For example, during master
+failover the master must re-register all of the slaves to rebuild its
+set of known tasks (this process can take minutes for large clusters, and
+is bounded by the <code>--slave_reregister_timeout</code> flag on the
master).</p>
+
+<p>Steps:</p>
<ol>
<li>let <code>start = now()</code></li>
<li>let <code>remaining = { T in tasks | T is non-terminal }</code></li>
<li>Perform reconciliation: <code>reconcile(remaining)</code></li>
<li>Wait for status updates to arrive (use truncated exponential backoff). For
each update, note the time of arrival.</li>
-<li>let <code>remaining = { T in remaining | T.last_update_arrival() <
start }</code></li>
+<li>let <code>remaining = { T ϵ remaining | T.last_update_arrival() <
start }</code></li>
<li>If <code>remaining</code> is non-empty, go to 3.</li>
</ol>
<p>This reconciliation algorithm <strong>must</strong> be run after each
(re-)registration.</p>
+<p>Implicit reconciliation (passing an empty list) should also be used
+periodically, as a defense against data loss in the framework. Unless a
+strict registry is in use on the master, its possible for tasks to resurrect
+from a LOST state (without a strict registry the master does not enforce
+slave removal across failovers). When an unknown task is encountered, the
+scheduler should kill or recover the task.</p>
+
<p>Notes:</p>
<ul>
<li>When waiting for updates to arrive, <strong>use a truncated exponential
backoff</strong>.
This will avoid a snowball effect in the case of the driver or master being
backed up.</li>
-<li>Implicit reconciliation (passing an empty list) can also be used
-periodically, As a defense against data loss in the framework.</li>
<li>It is beneficial to ensure that only 1 reconciliation is in progress at a
time, to avoid a snowball effect in the face of many re-registrations.
If another reconciliation should be started while one is in-progress,
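Review bot: the steps loop back to 3 until remaining is empty, but nothing in the added text says what ends the loop for a task the master never learns about. The new paragraph explains that replies can be delayed by up to --slave_reregister_timeout; it should also state what status the scheduler receives for such a task once that timeout has passed, or give the loop an upper bound. Separately, "When an unknown task is encountered, the scheduler should kill or recover the task" is the only guidance for that case and would benefit from saying how the scheduler decides between the two.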
Modified: mesos/site/publish/documentation/release-guide/index.html
URL:
http://svn.apache.org/viewvc/mesos/site/publish/documentation/release-guide/index.html?rev=1693459&r1=1693458&r2=1693459&view=diff
==============================================================================
--- mesos/site/publish/documentation/release-guide/index.html (original)
+++ mesos/site/publish/documentation/release-guide/index.html Thu Jul 30
17:12:19 2015
@@ -256,6 +256,7 @@ for details on how to build and publish
<pre><code> $ svn co https://svn.apache.org/repos/asf/mesos/site mesos-site
</code></pre></li>
<li><p>Write a blog post announcing the new release and its features and major
bug fixes.</p></li>
+<li><p>Update the Getting Started guide to use the latest release
link.</p></li>
</ol>
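Review bot: the added step says to update "the latest release link", but the Getting Started page changed in this same commit carries the version in two places, the wget URL and the tar -zxf file name. Suggest wording the step as updating the version number in the download commands so the second occurrence is not missed on the next release.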
Modified: mesos/site/publish/documentation/upgrades/index.html
URL:
http://svn.apache.org/viewvc/mesos/site/publish/documentation/upgrades/index.html?rev=1693459&r1=1693458&r2=1693459&view=diff
==============================================================================
--- mesos/site/publish/documentation/upgrades/index.html (original)
+++ mesos/site/publish/documentation/upgrades/index.html Thu Jul 30 17:12:19
2015
@@ -87,6 +87,10 @@
<h2>Upgrading from 0.22.x to 0.23.x</h2>
+<p><strong>NOTE</strong> The ‘stats.json’ endpoints for masters
and slaves have been removed. Please use the ‘metrics/snapshot’
endpoints instead.</p>
+
+<p><strong>NOTE</strong> The ‘/master/shutdown’ endpoint is
deprecated in favor of the new ‘/master/teardown’ endpoint.</p>
+
<p><strong>NOTE</strong> In order to enable decorator modules to remove
metadata (environment variables or labels), we changed the meaning of the
return value for decorator hooks in Mesos 0.23.0. Please refer to the modules
documentation for more details.</p>
<p><strong>NOTE</strong> Slave ping timeouts are now configurable on the
master via <code>--slave_ping_timeout</code> and
<code>--max_slave_ping_timeouts</code>. Slaves should be upgraded to 0.23.x
before changing these flags.</p>
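Review bot: the added note on '/master/shutdown' says the endpoint is deprecated but not whether it still works in 0.23.x or in which release it will be removed. Operators with scripts calling it need that to plan the switch to '/master/teardown'; suggest adding one sentence on the current behaviour and the removal timeline, as the stats.json note does by stating outright that those endpoints are gone.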
Modified: mesos/site/publish/gettingstarted/index.html
URL:
http://svn.apache.org/viewvc/mesos/site/publish/gettingstarted/index.html?rev=1693459&r1=1693458&r2=1693459&view=diff
==============================================================================
--- mesos/site/publish/gettingstarted/index.html (original)
+++ mesos/site/publish/gettingstarted/index.html Thu Jul 30 17:12:19 2015
@@ -90,8 +90,8 @@
<ol>
<li><p>Download the latest stable release from <a
href="http://mesos.apache.org/downloads/">Apache</a>
(<strong><em>Recommended</em></strong>)</p>
-<pre><code> $ wget http://www.apache.org/dist/mesos/0.22.1/mesos-0.22.1.tar.gz
- $ tar -zxf mesos-0.22.1.tar.gz
+<pre><code> $ wget http://www.apache.org/dist/mesos/0.23.0/mesos-0.23.0.tar.gz
+ $ tar -zxf mesos-0.23.0.tar.gz
</code></pre></li>
<li><p>Clone the Mesos git <a
href="https://git-wip-us.apache.org/repos/asf/mesos.git">repository</a>
(<strong><em>Advanced Users Only</em></strong>)</p>
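Review bot: the updated download command still fetches the tarball over plain http:// and the next line unpacks it with no integrity check in between. While these lines are being bumped to 0.23.0, consider switching the URL to https and adding a line that verifies the download against the published release signature or checksum before running tar -zxf.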