[
https://issues.apache.org/jira/browse/MESOS-7886?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16127266#comment-16127266
]
Matthew Mead-Briggs commented on MESOS-7886:
--------------------------------------------
Ah yes, I had thought about the command line issue when I spotted that the
docker executor just passes "-e blah" to the docker run command. Luckily, Linux
gives us some options to hide the command line args:
https://www.linux-dev.org/2012/09/hide-process-information-for-other-users/
That said, I think it isn't too bad for a compromised agent to give up all the
secrets of the tasks running on it, compared to giving the agent permission to
fetch/decrypt any secret for any task that it needs to start. That's the real
reason I want to pursue the master-based decryption option.
Maintaining the hook is certainly a concern; I'm expecting to have to build and
test it against each Mesos release. I guess you are also concerned about
maintaining it in the Mesos code base itself? i.e. if the way TaskInfo/Env vars
are handled changes then you may have to update the hook code?
> Add master hook for setting environment variables
> -------------------------------------------------
>
> Key: MESOS-7886
> URL: https://issues.apache.org/jira/browse/MESOS-7886
> Project: Mesos
> Issue Type: Improvement
> Components: modules
> Reporter: Matthew Mead-Briggs
>
> At Yelp we're planning to integrate our secret store with our platform as a
> service which runs on Mesos.
> I was hoping to write a module to "inject" environment variables on the
> master side but the necessary hook doesn't currently exist. Such a hook
> already exists on the slave side. However, for this integration that would
> require me to give all the agents access to the secret store and I'd much
> prefer to limit this to the master side.
> There is already a hook for adding labels:
> https://github.com/apache/mesos/blob/72752fc6deb8ebcbfbd5448dc599ef3774339d31/include/mesos/hook.hpp#L44-L48
> So it seems it should be pretty easy to add one for setting environment
> variables too? I had a crack the other day but, although I got my code to
> compile, something was not working at runtime (note: I'm not a C++ dev). Is
> there any reason why we wouldn't want such a hook? If anyone can confirm that
> it's a sane thing to add then I'd be happy to spend some time trying to get
> it working (although I may need some help)!
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
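As an added example, not taken from the issue or from Mesos itself: a small POSIX shell script that shows the exposure the comment describes (a secret passed to `docker run` as `-e NAME=VALUE` sits in that process's argv, readable by other local users from `/proc/<pid>/cmdline`) and reports the `hidepid` mount option that the linked article relies on as the mitigation. The `docker run` invocation it inspects is a constructed stand-in, and only variable names are printed, never values.

```shell
#!/bin/sh
# Added example (not from MESOS-7886 or Mesos itself). Secrets handed to an
# executor as `docker run -e NAME=VALUE` end up in that process's argv, which
# every local user can read from /proc/<pid>/cmdline unless /proc is mounted
# with hidepid (the mitigation the comment links to). Names only are reported;
# values are never echoed.

# Read a NUL-separated argv (the /proc/<pid>/cmdline format) from stdin and
# print the variable names passed as `-e NAME=VALUE` or `--env NAME=VALUE`.
exposed_env_names() {
    tr '\000' '\n' | awk '
        (prev == "-e" || prev == "--env") && index($0, "=") {
            split($0, kv, "="); print kv[1]
        }
        { prev = $0 }'
}

# Same check against a live process id.
exposed_env_names_of() {
    exposed_env_names < "/proc/$1/cmdline"
}

# Print the hidepid= option of the /proc mount ("0" when unset, i.e. every
# user may read every other user's cmdline), or "unknown" when not on Linux.
proc_hidepid() {
    [ -r /proc/mounts ] || { echo unknown; return; }
    awk '$2 == "/proc" {
            n = split($4, o, ",")
            for (j = 1; j <= n; j++)
                if (sub(/^hidepid=/, "", o[j])) { print o[j]; found = 1; exit }
        }
        END { if (!found) print "0" }' /proc/mounts
}

# Demo (run with the argument "demo"): constructed stand-in for an executor's
# `docker run -e ...` line, kept alive just long enough to inspect its argv.
if [ "${1:-}" = "demo" ]; then
    sh -c 'sleep 5; :' docker run -e DB_PASSWORD=constructed-value -d image:latest &
    pid=$!
    sleep 1
    echo "hidepid on /proc: $(proc_hidepid)"
    echo "variable names visible in /proc/$pid/cmdline:"
    exposed_env_names_of "$pid"
    kill "$pid"
fi
```

With `hidepid=0` (the default) any local user can run the same check against every other user's processes; with `hidepid=2` (or `invisible` on newer kernels) only the process owner and root can.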