@carlos Are you building 0.23.0 from source?

Just so we don't miss anything: Can you make sure to run ./bootstrap, and build in a clean directory with your configuration similar to this:

../configure --enable-libevent --enable-ssl

Here <http://mesos.apache.org/documentation/latest/mesos-ssl/> is the document I am using as a reference.

When you start up a master, if you just specify SSL_ENABLED=true it should error out and notify you that other required flags such as SSL_KEY_FILE are not provided. Can you verify this?

If that is not happening, then the 2 options are:
1. Your environment variables are not making it to the binary: See Jeff Schroeder's comments
2. The binary is not actually the one you expect. Double check the checksum with the binary you built after configuring with SSL.

On Fri, Aug 14, 2015 at 12:55 PM, Carlos Sanchez <[email protected]> wrote:
> looking forward to it, thanks!
> running out of ideas here on what am I doing wrong
>
> On Fri, Aug 14, 2015 at 6:53 PM, Marco Massenzio <[email protected]> wrote:
> > FYI - Joris is out this week, he'll be probably able to get back to you early next (modulo MesosCon craziness :)
> >
> > Marco Massenzio
> > Distributed Systems Engineer
> >
> > On Fri, Aug 14, 2015 at 9:14 AM, Carlos Sanchez <[email protected]> wrote:
> >>
> >> no suggestions?
> >>
> >> On Tue, Aug 11, 2015 at 6:47 PM, Vinod Kone <[email protected]> wrote:
> >> > @joris, can you help out here?
> >> >
> >> > On Tue, Aug 11, 2015 at 9:43 AM, Carlos Sanchez <[email protected]> wrote:
> >> >>
> >> >> I have tried to enable SSL with no success, even compiling from source with the ssl flags --enable-libevent --enable-ssl
> >> >>
> >> >> export SSL_ENABLED=true
> >> >> export SSL_SUPPORT_DOWNGRADE=false
> >> >> export SSL_REQUIRE_CERT=true
> >> >> export SSL_CERT_FILE=/etc/mesos/...
> >> >> export SSL_KEY_FILE=/etc/mesos/...
> >> >> export SSL_CA_FILE=/etc/mesos/...
> >> >>
> >> >> /home/ubuntu/mesos-deb-packaging/mesos-repo/build/src/mesos-master --work_dir="/var/lib/mesos"
> >> >>
> >> >> Port 5050 is still served as plain http, no SSL
> >> >>
> >> >> Nothing about ssl shows up in the logs, any ideas?
> >> >>
> >> >> Thanks
> >> >>
> >> >> >
> >> >> > From: Dharmit Shah <[email protected]>
> >> >> > To: [email protected]
> >> >> > Cc:
> >> >> > Date: Mon, 10 Aug 2015 14:13:04 +0530
> >> >> > Subject: Re: SSL in Mesos 0.23
> >> >> > Hi Jeff,
> >> >> >
> >> >> > Thanks for the suggestion.
> >> >> >
> >> >> > I modified the systemd service file to use `/etc/sysconfig/mesos-master` and `/etc/sysconfig/mesos-slave` as environment files for master and slave services respectively. In these files, I specified the environment variables that I used to specify on the command line.
> >> >> >
> >> >> > Now if I check `strings /proc/<pid>/environ | grep SSL` for pids of master and slave services, I see the environment variables that I set in the /etc/sysconfig/<environment-file>.
> >> >> >
> >> >> > Now that it looks like I have started the master and slave services with SSL enabled, how do I really confirm that communication between master and slaves is really happening over SSL?
> >> >> >
> >> >> > Also, how do I enable SSL communication for a framework like Marathon?
> >> >> >
> >> >> > Regards,
> >> >> > Dharmit.
> >> >> >
> >> >> > On Fri, Aug 7, 2015 at 10:56 PM, Jeff Schroeder <[email protected]> wrote:
> >> >> > > The sudo command defaults to envreset (look for that in the man page) which strips all env variables sans a select few. I'd almost bet that your SSL_* variables are not present and were not passed to the slave. Just sudo -i and start the slaves *as root* without sudo. There is no benefit to starting them with sudo. You can verify what I'm saying with something along the lines of:
> >> >> > >
> >> >> > > strings /proc/$(pidof mesos-slave)/environ | grep ^SSL_
> >> >> > >
> >> >> > > On Friday, August 7, 2015, Dharmit Shah <[email protected]> wrote:
> >> >> > >>
> >> >> > >> Hello again,
> >> >> > >>
> >> >> > >> Thanks for your responses. I will share what I tried after your suggestions.
> >> >> > >>
> >> >> > >> 1. `ldd /usr/sbin/mesos-master` and `ldd /usr/sbin/mesos-slave` returned similar output as one suggested by Craig. So, I guess, the Mesosphere repo binaries have SSL enabled. Right?
> >> >> > >>
> >> >> > >> 2. I created SSL private key and cert on one system in my cluster by referring this guide on DO [1]. Admittedly, my knowledge of SSL is limited.
> >> >> > >>
> >> >> > >> 3. Next, I copied the key and cert to all three mesos-master nodes and four mesos-slave nodes. Shouldn't slave nodes be provided only with the cert and not the private key? Whereas all master nodes may have the private key and cert both. Or am I understanding SSL incorrectly here?
> >> >> > >>
> >> >> > >> 4. After copying the cert and key, I started the mesos-master service on master nodes with below command:
> >> >> > >>
> >> >> > >> $ sudo SSL_ENABLED=true SSL_KEY_FILE=~/ssl/mesos.key SSL_CERT_FILE=~/ssl/mesos.crt /usr/sbin/mesos-master --zk=zk://172.19.10.111:2181,172.19.10.112:2181,172.19.10.193:2181/mesos --port=5050 --log_dir=/var/log/mesos --acls=file:///root/acls.json --credentials=/home/isys/mesos --quorum=2 --work_dir=/var/lib/mesos
> >> >> > >>
> >> >> > >> I check web UI and things look good. I am not completely sure if "https" should have worked for mesos web UI but, it didn't.
> >> >> > >>
> >> >> > >> 5. Next, I start slave nodes with below command:
> >> >> > >>
> >> >> > >> $ sudo SSL_ENABLED=true SSL_CERT_FILE=~/mesos.crt SSL_KEY_FILE=~/mesos.key /usr/sbin/mesos-slave --master=zk://172.19.10.111:2181,172.19.10.112:2181,172.19.10.193:2181/mesos --log_dir=/var/log/mesos --containerizers=docker,mesos --executor_registration_timeout=15mins
> >> >> > >>
> >> >> > >> Mesos web UI reported four mesos-slave nodes in "Activated" mode. So far so good. I am still wondering how I should verify if communication is happening over SSL.
> >> >> > >>
> >> >> > >> 6. To check if SSL is indeed working, I stopped one slave node and started it without SSL using `systemctl start mesos-slave`. I was expecting it to not get into "Activated" state on Mesos web UI but it did. So, I think SSL is not configured properly by me.
> >> >> > >>
> >> >> > >> I am attaching logs from the master nodes. These logs were generated after starting masters with command specified in point 4.
> >> >> > >>
> >> >> > >> Let me know if I am doing something wrong or if you need more logs or need me to execute some specific commands.
> >> >> > >>
> >> >> > >> [1] https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs
> >> >> > >>
> >> >> > >> Regards,
> >> >> > >> Dharmit.
> >> >> > >>
> >> >> > >> On Fri, Aug 7, 2015 at 2:52 AM, Michael Park <[email protected]> wrote:
> >> >> > >> > Hi Dharmit,
> >> >> > >> >
> >> >> > >> > I'm not certain whether the Mesosphere deb packages have SSL enabled or not, although based on Craig's observation it looks like it is.
> >> >> > >> >
> >> >> > >> > I think the correct way to enable SSL is to set the SSL_ENABLED environment variable, rather than /etc/mesos-master/ssl_enabled. Of course, along with the rest of the SSL_ environment variables.
> >> >> > >> >
> >> >> > >> > e.g. SSL_ENABLED=true SSL_KEY_FILE=<path-to-your-private-key> SSL_CERT_FILE=<path-to-your-certificate> ./mesos-master <master-flags>
> >> >> > >> >
> >> >> > >> > MPark.
> >> >> > >> >
> >> >> > >> > On Thu, Aug 6, 2015 at 9:30 AM craig w <[email protected]> wrote:
> >> >> > >> >>
> >> >> > >> >> I've run ldd on /usr/sbin/mesos-master (on CentOS 7 using mesos 0.23 from mesosphere repo) and I see "libssl.3.so" and "libssl.so.10"
> >> >> > >> >>
> >> >> > >> >> On Thu, Aug 6, 2015 at 12:20 PM, Jeff Schroeder <[email protected]> wrote:
> >> >> > >> >>>
> >> >> > >> >>> Can you run ldd on the mesos-master or mesos-slave binaries? I believe you *should* see openssl libraries in the output if those packages are configured using --enable-ssl.
> >> >> > >> >>>
> >> >> > >> >>> On Thu, Aug 6, 2015 at 9:46 AM, Dharmit Shah <[email protected]> wrote:
> >> >> > >> >>>>
> >> >> > >> >>>> Hello,
> >> >> > >> >>>>
> >> >> > >> >>>> I followed Mesos cluster setup guide on the Mesosphere website [1]. I set it up on a CentOS 7 system. For installation of packages, I went with Mesosphere provided repositories.
> >> >> > >> >>>>
> >> >> > >> >>>> Now that Mesos 0.23 has been released with SSL capabilities, I believe it is possible to have communication between the master, slaves and frameworks be secured by SSL. Am I right?
> >> >> > >> >>>>
> >> >> > >> >>>> I would like to set it up in my environment. I am using `mesos-0.23.0-1.0.centos701406.x86_64`.
> >> >> > >> >>>>
> >> >> > >> >>>> The official Mesos documentation on the topic [2] illustrates how things can be setup when building Mesos from source.
> >> >> > >> >>>>
> >> >> > >> >>>> I would like to know if Mesos package shipped by Mesosphere repo has this feature or not yet? I tried setting `/etc/mesos-master/ssl_enabled` on one of the master nodes. But restarting `mesos-master` service failed stating that option `ssl_enabled` is unknown.
> >> >> > >> >>>>
> >> >> > >> >>>> Thanks for your help!
> >> >> > >> >>>>
> >> >> > >> >>>> [1] http://open.mesosphere.com/getting-started/datacenter/install/
> >> >> > >> >>>> [2] http://mesos.apache.org/documentation/latest/mesos-ssl/
> >> >> > >> >>>>
> >> >> > >> >>>> Regards,
> >> >> > >> >>>> Dharmit.
> >> >> > >> >>>
> >> >> > >> >>> --
> >> >> > >> >>> Jeff Schroeder
> >> >> > >> >>>
> >> >> > >> >>> Don't drink and derive, alcohol and analysis don't mix.
> >> >> > >> >>> http://www.digitalprognosis.com
> >> >> > >> >>
> >> >> > >> >> --
> >> >> > >> >>
> >> >> > >> >> https://github.com/mindscratch
> >> >> > >> >> https://www.google.com/+CraigWickesser
> >> >> > >> >> https://twitter.com/mind_scratch
> >> >> > >> >> https://twitter.com/craig_links
> >> >> > >
> >> >> > > --
> >> >> > > Text by Jeff, typos by iPhone
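
The two checks suggested in this thread (did the SSL_* variables reach the process, and does the port really speak TLS), written out as an added example that is not part of the original messages. The function names are hypothetical, and treating SSL_KEY_FILE and SSL_CERT_FILE as the required pair is an assumption taken from the commands quoted above.

```bash
#!/bin/sh
# Added example: audit which SSL_* variables a running Mesos process received.
# Assumption: once SSL_ENABLED=true, SSL_KEY_FILE and SSL_CERT_FILE must be set
# (the thread names SSL_KEY_FILE; SSL_CERT_FILE comes from the quoted commands).
REQUIRED_SSL_VARS="SSL_KEY_FILE SSL_CERT_FILE"

# ssl_env_of FILE: print the SSL_* entries of a NUL-separated environ file,
# one per line (same idea as `strings /proc/<pid>/environ | grep ^SSL_`).
ssl_env_of() {
    tr '\0' '\n' < "$1" | grep '^SSL_' || true
}

# audit_ssl_env FILE: print a verdict.
# Returns 0 if SSL is enabled and complete, 1 if SSL_ENABLED never arrived
# (for example stripped by sudo's env_reset), 2 if required variables are missing.
audit_ssl_env() {
    env_vars=$(ssl_env_of "$1")
    missing=""
    if ! printf '%s\n' "$env_vars" | grep -qx 'SSL_ENABLED=true'; then
        echo "SSL_ENABLED=true not present in process environment"
        return 1
    fi
    for name in $REQUIRED_SSL_VARS; do
        # require a non-empty value, not just the variable name
        printf '%s\n' "$env_vars" | grep -q "^${name}=." || missing="$missing $name"
    done
    if [ -n "$missing" ]; then
        echo "SSL enabled but missing:$missing"
        return 2
    fi
    echo "SSL environment complete"
    return 0
}

# serves_tls HOST PORT: return 0 only if the port completes a TLS handshake
# and presents a certificate; a plain-HTTP listener fails this check.
serves_tls() {
    timeout 5 openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
        | grep -q 'BEGIN CERTIFICATE'
}

# Live usage (needs a running master and permission to read its environ):
#   audit_ssl_env "/proc/$(pidof mesos-master)/environ" && serves_tls 127.0.0.1 5050
```

A return code of 1 from `audit_ssl_env` on a process started through sudo or systemd points at the environment being dropped before it reached the binary, which is the first of the two options listed in the reply.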

