[ 
https://issues.apache.org/jira/browse/MESOS-7886?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16126195#comment-16126195
 ] 

Joseph Wu commented on MESOS-7886:
----------------------------------

Security-wise, logging isn't the only concern.  But it is the most talked-about 
concern (because it is easy to spot).  Environment variables can usually be 
inspected by anyone that has access to the box, including other tasks on the 
box.  If you run docker tasks, environment variables can be seen in the
{{ps aux}} output, as they are passed in via the command line (MESOS-6951).

Business-logic-wise, some of the concern is with maintaining or updating the 
hook itself.  It sounds like less work to update a set of three/five masters 
when you update the hook, but updating masters is actually more disruptive than 
a rolling restart of hundreds/thousands of agents :)


> Add master hook for setting environment variables
> -------------------------------------------------
>
>                 Key: MESOS-7886
>                 URL: https://issues.apache.org/jira/browse/MESOS-7886
>             Project: Mesos
>          Issue Type: Improvement
>          Components: modules
>            Reporter: Matthew Mead-Briggs
>
> At Yelp we're planning to integrate our secret store with our platform as a 
> service which runs on Mesos.
> I was hoping to write a module to "inject" environment variables on the 
> master side but the necessary hook doesn't currently exist. Such a hook 
> already exists on the slave side. However, for this integration that would 
> require me to give all the agents access to the secret store and I'd much 
> prefer to limit this to the master side.
> There is already a hook for adding labels:
> https://github.com/apache/mesos/blob/72752fc6deb8ebcbfbd5448dc599ef3774339d31/include/mesos/hook.hpp#L44-L48
> So it seems it should be pretty easy to add one for setting environment 
> variables too? I had a crack the other day but although I got my code to 
> compile something was not working at runtime (note: I'm not a C++ dev). Is 
> there any reason why we wouldn't want such a hook? If anyone can confirm that 
> it's a sane thing to add then I'd be happy to spend some time trying to get 
> it working (although I may need some help)!



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
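
An added example, not part of the original message or of Mesos: a check for the exposure described in the comment above, listing the names of variables whose values sit in a docker command line as -e/--env NAME=value. The sample processes are constructed, and the function names are this example's own.

```python
import os

def inline_env_assignments(argv):
    """Names of variables given as NAME=value to docker's -e/--env flags."""
    names, i = [], 0
    while i < len(argv):
        arg, spec = argv[i], None
        if arg in ("-e", "--env") and i + 1 < len(argv):
            spec, i = argv[i + 1], i + 1        # -e NAME=value
        elif arg.startswith("--env="):
            spec = arg[len("--env="):]          # --env=NAME=value
        elif arg.startswith("-e") and len(arg) > 2 and not arg.startswith("--"):
            spec = arg[2:]                      # -eNAME=value
        # "-e NAME" (no "=") inherits the value from docker's own environment
        # and --env-file reads it from a file, so neither puts it in argv.
        if spec and "=" in spec:
            names.append(spec.split("=", 1)[0])
        i += 1
    return names

def read_proc_cmdlines(proc="/proc"):
    """Yield (pid, argv) for every process whose cmdline is readable (Linux)."""
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "cmdline"), "rb") as f:
                raw = f.read()
        except OSError:
            continue                            # process exited or not readable
        argv = [a.decode(errors="replace") for a in raw.split(b"\0") if a]
        if argv:
            yield int(pid), argv

def audit(processes):
    """Map pid -> exposed variable names; values are never copied into the report."""
    findings = {}
    for pid, argv in processes:
        # Simplification: a "-e X=Y" in the container's own command also matches.
        if os.path.basename(argv[0]) == "docker" and "run" in argv:
            names = inline_env_assignments(argv)
            if names:
                findings[pid] = names
    return findings

# Constructed sample processes, used instead of a live /proc scan.
SAMPLE = [
    (4101, ["docker", "run", "-e", "DB_PASSWORD=constructed-value",
            "--env=API_TOKEN=constructed", "-e", "HOME",
            "--env-file", "/etc/task.env", "example/image"]),
    (4102, ["/usr/bin/python3", "app.py", "-e", "X=1"]),
]

if __name__ == "__main__":
    print(audit(read_proc_cmdlines() if os.path.isdir("/proc") else SAMPLE))
```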
