[jira] [Created] (MESOS-8909) Scrubbing value secret from HTTP responses

2018-05-11 Thread Zhitao Li (JIRA) 
Zhitao Li created MESOS-8909:


 Summary: Scrubbing value secret from HTTP responses
 Key: MESOS-8909
 URL: https://issues.apache.org/jira/browse/MESOS-8909
 Project: Mesos
  Issue Type: Task
  Components: security
Reporter: Zhitao Li


Mesos supports a value based secret. However, I believe some HTTP endpoints and 
v1 operator responses could leak this information.

The goal here is to make sure these endpoints do not leak the information.

We did some quick research and gather the following list in this [Google 
doc|https://docs.google.com/document/d/1W26RUpYEB92eTQYbACIOem5B9hzXX59jeEIT9RB2X1o/edit#heading=h.gzvg4ec6wllm].



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (MESOS-8908) Add -fno-omit-frame-pointer to improve debugging and profiling.

2018-05-11 Thread Benjamin Mahler (JIRA) 

[ 
https://issues.apache.org/jira/browse/MESOS-8908?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16472687#comment-16472687
 ] 

Benjamin Mahler commented on MESOS-8908:


Linking in MESOS-6229, as there was some discussion between 
[~jpe...@apache.org] and [~bbannier] on https://reviews.apache.org/r/52695/.

{{-fno-omit-frame-pointer}} was slated for a follow up patch but it looks like 
that didn't manifest.

> Add -fno-omit-frame-pointer to improve debugging and profiling.
> ---
>
> Key: MESOS-8908
> URL: https://issues.apache.org/jira/browse/MESOS-8908
> Project: Mesos
>  Issue Type: Improvement
>  Components: build, libprocess, stout
>Reporter: Benjamin Mahler
>Priority: Major
>
> Currently, we build without {{-fno-omit-frame-pointer}} which is needed to 
> get reliable stack traces. Without this, obtaining {{perf}} profiles from 
> users is not reliable:
> http://www.brendangregg.com/FlameGraphs/cpuflamegraphs.html#C
> Apparently, the performance win from frame pointer omission is very minor and 
> many projects opt to disable the optimization given the benefits to debugging 
> and profiling.
> I tried the {{--call-graph dwarf}} "workaround" for perf but still 
> experienced {{[unknown]}} stack frames and what looked to be missing frames:
> http://www.brendangregg.com/perf.html#StackTraces (see dwarf section)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Created] (MESOS-8908) Add -fno-omit-frame-pointer to improve debugging and profiling.

2018-05-11 Thread Benjamin Mahler (JIRA) 
Benjamin Mahler created MESOS-8908:
--

 Summary: Add -fno-omit-frame-pointer to improve debugging and 
profiling.
 Key: MESOS-8908
 URL: https://issues.apache.org/jira/browse/MESOS-8908
 Project: Mesos
  Issue Type: Improvement
  Components: build, libprocess, stout
Reporter: Benjamin Mahler


Currently, we build without {{-fno-omit-frame-pointer}} which is needed to get 
reliable stack traces. Without this, obtaining {{perf}} profiles from users is 
not reliable:

http://www.brendangregg.com/FlameGraphs/cpuflamegraphs.html#C

Apparently, the performance win from frame pointer omission is very minor and 
many projects opt to disable the optimization given the benefits to debugging 
and profiling.

I tried the {{--call-graph dwarf}} "workaround" for perf but still experienced 
{{[unknown]}} stack frames and what looked to be missing frames:

http://www.brendangregg.com/perf.html#StackTraces (see dwarf section)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (MESOS-6229) Default to using hardened compilation flags

2018-05-11 Thread Benjamin Mahler (JIRA) 

[ 
https://issues.apache.org/jira/browse/MESOS-6229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16472650#comment-16472650
 ] 

Benjamin Mahler commented on MESOS-6229:


Was hoping to introduce {{-fno-omit-frame-pointer}} and came across this 
ticket. Looks like that particular flag wasn't introduced? Any reason?

> Default to using hardened compilation flags
> ---
>
> Key: MESOS-6229
> URL: https://issues.apache.org/jira/browse/MESOS-6229
> Project: Mesos
>  Issue Type: Improvement
>Reporter: Aaron Wood
>Assignee: Aaron Wood
>Priority: Minor
>  Labels: c++, clang, gcc, security
> Fix For: 1.2.0
>
>
> Provide a default set of hardened compilation flags to help protect against 
> overflows and other attacks. Apply to libprocess and stout as well. Current 
> set of flags that were discussed on slack to implement:
> -Wformat­-security
> -Wstack-protector
> -fstack-protector-strong (-fstack-protector-all might be overkill, it could 
> be more effective to use this. Requires gcc >= 4.9 which should be 
> reasonable. Detect compiler support and use what we can but prefer 
> -fstack-protector-strong)
> -pie
> -fPIE 
> -fPIC
> -D_FORTIFY_SOURCE=2
> ­-Wl,-z,relro,-z,now (currently not a part of the patch, this should be 
> another JIRA)
> -fno-omit-frame-pointer
> https://reviews.apache.org/r/52645/
> https://reviews.apache.org/r/52695/
> https://reviews.apache.org/r/52696/



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Assigned] (MESOS-8904) Master crash when removing quota.

2018-05-11 Thread Greg Mann (JIRA) 

 [ 
https://issues.apache.org/jira/browse/MESOS-8904?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Greg Mann reassigned MESOS-8904:


Assignee: Greg Mann

> Master crash when removing quota.
> -
>
> Key: MESOS-8904
> URL: https://issues.apache.org/jira/browse/MESOS-8904
> Project: Mesos
>  Issue Type: Bug
>  Components: master
>Affects Versions: 1.3.2, 1.4.1, 1.5.0, 1.6.0
>Reporter: Benjamin Mahler
>Assignee: Greg Mann
>Priority: Blocker
>
> The allocator can crash when quota is removed due to a race between the 
> removal and the quota_allocated metric computation. If the metric dispatches 
> before the quota removal can remove the metric, then this crash occurs:
> {noformat}
> May 10 20:15:28 int-master1.sanitized.mesosphe.re mesos-master[7189]: F0510 
> 20:15:28.821099  7205 sorter.cpp:395] Check failed: 'find(clientPath)' Must 
> be non NULL
> May 10 20:15:28 int-master1.sanitized.mesosphe.re mesos-master[7189]: *** 
> Check failure stack trace: ***
> May 10 20:15:28 int-master1.sanitized.mesosphe.re mesos-master[7189]: @ 
> 0x7fd7d843bdcd  google::LogMessage::Fail()
> May 10 20:15:28 int-master1.sanitized.mesosphe.re mesos-master[7189]: @ 
> 0x7fd7d843dbfd  google::LogMessage::SendToLog()
> May 10 20:15:29 int-master1.sanitized.mesosphe.re mesos-master[7189]: @ 
> 0x7fd7d843b9bc  google::LogMessage::Flush()
> May 10 20:15:29 int-master1.sanitized.mesosphe.re mesos-master[7189]: @ 
> 0x7fd7d843e4f9  google::LogMessageFatal::~LogMessageFatal()
> May 10 20:15:29 int-master1.sanitized.mesosphe.re mesos-master[7189]: @ 
> 0x7fd7d791f79d  google::CheckNotNull<>()
> May 10 20:15:29 int-master1.sanitized.mesosphe.re mesos-master[7189]: @ 
> 0x7fd7d791a3c4  
> mesos::internal::master::allocator::DRFSorter::allocationScalarQuantities()
> May 10 20:15:29 int-master1.sanitized.mesosphe.re mesos-master[7189]: @ 
> 0x7fd7d7900bc9  
> mesos::internal::master::allocator::internal::HierarchicalAllocatorProcess::_quota_allocated()
> May 10 20:15:29 int-master1.sanitized.mesosphe.re mesos-master[7189]: @ 
> 0x7fd7d79182f9  
> _ZNSt17_Function_handlerIFvPN7process11ProcessBaseEESt5_BindIFZNS0_8dispatchIdN5mesos8internal6master9allocator8internal28HierarchicalAllocatorProcessERKSsSD_SD_SD_EENS0_6FutureIT_EERKNS0_3PIDIT0_EEMSI_FSF_T1_T2_EOT3_OT4_EUlRSsSU_S2_E_SsSsSt12_PlaceholderILi1E9_M_invokeERKSt9_Any_dataS2_
> May 10 20:15:29 int-master1.sanitized.mesosphe.re mesos-master[7189]: @ 
> 0x7fd7d83a6eac  process::ProcessManager::resume()
> May 10 20:15:29 int-master1.sanitized.mesosphe.re mesos-master[7189]: @ 
> 0x7fd7d83ac826  
> _ZNSt6thread5_ImplISt12_Bind_simpleIFZN7process14ProcessManager12init_threadsEvEUlvE_vEEE6_M_runEv
> May 10 20:15:29 int-master1.sanitized.mesosphe.re mesos-master[7189]: @ 
> 0x7fd7d63d12b0  (unknown)
> May 10 20:15:29 int-master1.sanitized.mesosphe.re mesos-master[7189]: @ 
> 0x7fd7d5befe25  start_thread
> May 10 20:15:29 int-master1.sanitized.mesosphe.re mesos-master[7189]: @ 
> 0x7fd7d591d34d  __clone
> {noformat}



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

[jira] [Commented] (MESOS-8219) Validate that any offer operation is only applied on resources from a single provider

2018-05-11 Thread Gilbert Song (JIRA) 

[ 
https://issues.apache.org/jira/browse/MESOS-8219?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16472122#comment-16472122
 ] 

Gilbert Song commented on MESOS-8219:
-

Should the fixVersion includes 1.6.0?

> Validate that any offer operation is only applied on resources from a single 
> provider
> -
>
> Key: MESOS-8219
> URL: https://issues.apache.org/jira/browse/MESOS-8219
> Project: Mesos
>  Issue Type: Task
>  Components: master
>Reporter: Benjamin Bannier
>Assignee: Jan Schlicht
>Priority: Major
> Fix For: 1.5.1
>
>
> Offer operations can only be applied to resources from one single resource 
> provider. A number of places in the implementation assume that the provider 
> ID obtained from any {Resource} in an offer operation is equivalent to the 
> one from any other resource. We should update the master to validate that 
> invariant and reject malformed operations.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)