> On March 23, 2017, 1:15 a.m., Alexander Rukletsov wrote:
> > If you can't use the env file to pass task's env to the docker client, and
> > can't prefix task's env var names to avoid collision with docker client's
> > env vars, the only way to pass task's vars IIUC is to use `-e` flag and set
> > *both* `name` and `value`.

Yes, very unfortunate. I am now reverting back to the use of `-e KEY=VALUE`. Additionally using `VLOG` to at least prevent sensitive data from being logged to users. This leaves the leak via `ps` which we can not address until `Secrets` are properly propagated into all codepaths. Once that is done, we can actually partially go back to this `-e KEY` approach at least for the sensitive data which we do not need for the CLI but only for the container - conflicts should not be an issue then.

- Till

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/57846/#review169822
-----------------------------------------------------------

On March 22, 2017, 7:57 p.m., Till Toenshoff wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/57846/
> -----------------------------------------------------------
>
> (Updated March 22, 2017, 7:57 p.m.)
>
>
> Review request for mesos, Adam B, Alexander Rukletsov, Gilbert Song, James DeFelice, Jie Yu, and Joseph Wu.
>
>
> Bugs: MESOS-6951
>     https://issues.apache.org/jira/browse/MESOS-6951
>
>
> Repository: mesos
>
>
> Description
> -------
>
> see summary.
>
>
> Diffs
> -----
>
>   src/docker/docker.cpp 44fbde8e8a2c6c957af7339b4fb9479af7f21ff7
>
>
> Diff: https://reviews.apache.org/r/57846/diff/1/
>
>
> Testing
> -------
>
> make check & sudo ./bin/mesos-tests.sh
>
> Functional testing - running `ps` while docker test active to confirm we do not leak values to the commandline;
>
> ```
> /usr/bin/docker-current -H unix:///var/run/docker.sock run --cpu-shares 1024 --memory 536870912 -e MESOS_CONTAINER_NAME -e MESOS_SANDBOX -v /tmp/DockerContainerizerTest_ROOT_DOCKER_KillOrphanContainers_r7ImX7:/mnt/mesos/sandbox --net host
> ```
>
> Further functional testing on variables containing linefeeds in progress...
>
>
> Thanks,
>
> Till Toenshoff
>
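
The `ps` check described in the thread, as an added example that is not part of the original e-mails or of Mesos: a Python audit that takes the NUL-separated contents of `/proc/<pid>/cmdline` for a docker client process, reports which `-e`/`--env` options carry a value inline (the `-e KEY=VALUE` form), and produces an argv that is safe to log. The sample command line is constructed from the `ps` output quoted above; `DB_PASSWORD`, `API_TOKEN` and their values are made up for illustration.

```python
def split_cmdline(raw):
    """/proc/<pid>/cmdline holds argv joined (and terminated) by NUL bytes."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def env_args(argv):
    """Yield (index, prefix, spec) for each env option found in argv.

    spec is NAME or NAME=VALUE, index is the argv element that holds it and
    prefix is the text preceding spec in that element. Every argument is
    scanned, including the container's own command, so the audit errs
    towards over-reporting rather than missing a value.
    """
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-e", "--env") and i + 1 < len(argv):
            yield i + 1, "", argv[i + 1]      # -e NAME / -e NAME=VALUE
            i += 2
            continue
        if arg.startswith("--env="):
            yield i, "--env=", arg[len("--env="):]
        elif arg.startswith("-e") and len(arg) > 2 and "=" in arg[2:]:
            yield i, "-e", arg[2:]            # attached form: -eNAME=VALUE
        i += 1

def exposed_env(argv):
    """Names whose values are readable by anyone who can list processes."""
    return [spec.split("=", 1)[0] for _, _, spec in env_args(argv) if "=" in spec]

def redact(argv):
    """Copy of argv with inline values replaced; name-only options untouched."""
    out = list(argv)
    for idx, prefix, spec in env_args(argv):
        if "=" in spec:
            out[idx] = prefix + spec.split("=", 1)[0] + "=<redacted>"
    return out

# Constructed sample: the name-only options come from the thread's ps output,
# the two NAME=VALUE options are invented to show the leaking form.
SAMPLE = b"\0".join([
    b"/usr/bin/docker-current", b"-H", b"unix:///var/run/docker.sock", b"run",
    b"--cpu-shares", b"1024", b"-e", b"MESOS_CONTAINER_NAME",
    b"-e", b"MESOS_SANDBOX", b"-e", b"DB_PASSWORD=constructed-secret",
    b"--env=API_TOKEN=constructed-token", b"--net", b"host",
]) + b"\0"

if __name__ == "__main__":
    argv = split_cmdline(SAMPLE)
    print("values visible in process arguments:", exposed_env(argv))
    print("log-safe argv:", " ".join(redact(argv)))
```

On a Linux host the same functions can be fed the bytes read from `/proc/<pid>/cmdline` of a running docker client.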
