@Carlos
Mesosphere currently doesn't build packages with ssl enabled.

On Tue, Aug 25, 2015 at 3:12 PM, Carlos Sanchez <[email protected]> wrote:

> Hi Joris,
>
> I did build from sources, following instructions in
> http://mesos.apache.org/gettingstarted/
>
> Is the mesosphere binary compiled with libevent and ssl enabled as
> mentioned previously? It would make debugging easier if I don't have to rebuild.
>
>
>
> On Tue, Aug 25, 2015 at 8:52 PM, Joris Van Remoortere <[email protected]
> > wrote:
>
>> @carlos
>> Are you building 0.23.0 from source?
>> Just so we don't miss anything: Can you make sure to run ./bootstrap,
>> and build in a clean directory with your configuration similar to this:
>>
>> ../configure --enable-libevent --enable-ssl
>>
>> Here <http://mesos.apache.org/documentation/latest/mesos-ssl/> is the
>> document I am using as a reference
>>
>> When you start up a master, if you just specify SSL_ENABLED=true it
>> should error out and notify you that other required flags such as
>> SSL_KEY_FILE are not provided. Can you verify this? If that is not
>> happening, then the 2 options are:
>> 1. Your environment variables are not making it to the binary: See Jeff
>> Schroeder's comments
>> 2. The binary is not actually the one you expect. Double check the
>> checksum with the binary you built after configuring with SSL.
>>
>>
>>
>> On Fri, Aug 14, 2015 at 12:55 PM, Carlos Sanchez <[email protected]>
>> wrote:
>>
>>> Looking forward to it, thanks!
>>> Running out of ideas here on what I am doing wrong.
>>>
>>> On Fri, Aug 14, 2015 at 6:53 PM, Marco Massenzio <[email protected]>
>>> wrote:
>>> > FYI - Joris is out this week, he'll be probably able to get back to you
>>> > early next (modulo MesosCon craziness :)
>>> >
>>> > Marco Massenzio
>>> > Distributed Systems Engineer
>>> >
>>> > On Fri, Aug 14, 2015 at 9:14 AM, Carlos Sanchez <[email protected]>
>>> wrote:
>>> >>
>>> >> no suggestions?
>>> >>
>>> >> On Tue, Aug 11, 2015 at 6:47 PM, Vinod Kone <[email protected]>
>>> wrote:
>>> >> > @joris, can you help out here?
>>> >> >
>>> >> > On Tue, Aug 11, 2015 at 9:43 AM, Carlos Sanchez <[email protected]>
>>> >> > wrote:
>>> >> >>
>>> >> >> I have tried to enable SSL with no success, even compiling from
>>> >> >> source with the ssl flags --enable-libevent --enable-ssl
>>> >> >>
>>> >> >> export SSL_ENABLED=true
>>> >> >> export SSL_SUPPORT_DOWNGRADE=false
>>> >> >> export SSL_REQUIRE_CERT=true
>>> >> >> export SSL_CERT_FILE=/etc/mesos/...
>>> >> >> export SSL_KEY_FILE=/etc/mesos/...
>>> >> >> export SSL_CA_FILE=/etc/mesos/...
>>> >> >>
>>> >> >>
>>> >> >> /home/ubuntu/mesos-deb-packaging/mesos-repo/build/src/mesos-master
>>> >> >> --work_dir="/var/lib/mesos"
>>> >> >>
>>> >> >> Port 5050 is still served as plain http, no SSL
>>> >> >>
>>> >> >> Nothing about ssl shows up in the logs, any ideas?
>>> >> >>
>>> >> >> Thanks
>>> >> >>
>>> >> >>
>>> >> >> >
>>> >> >> > From: Dharmit Shah <[email protected]>
>>> >> >> > To: [email protected]
>>> >> >> > Cc:
>>> >> >> > Date: Mon, 10 Aug 2015 14:13:04 +0530
>>> >> >> > Subject: Re: SSL in Mesos 0.23
>>> >> >> > Hi Jeff,
>>> >> >> >
>>> >> >> > Thanks for the suggestion.
>>> >> >> >
>>> >> >> > I modified the systemd service file to use
>>> >> >> > `/etc/sysconfig/mesos-master` and `/etc/sysconfig/mesos-slave` as
>>> >> >> > environment files for master and slave services respectively. In
>>> >> >> > these files, I specified the environment variables that I used to
>>> >> >> > specify on the command line.
>>> >> >> >
>>> >> >> > Now if I check `strings /proc/<pid>/environ | grep SSL` for pids of
>>> >> >> > master and slave services, I see the environment variables that I
>>> >> >> > set in the /etc/sysconfig/<environment-file>.
>>> >> >> >
>>> >> >> > Now that it looks like I have started the master and slave services
>>> >> >> > with SSL enabled, how do I really confirm that communication between
>>> >> >> > master and slaves is really happening over SSL?
>>> >> >> >
>>> >> >> > Also, how do I enable SSL communication for a framework like
>>> >> >> > Marathon?
>>> >> >> >
>>> >> >> > Regards,
>>> >> >> > Dharmit.
>>> >> >> >
>>> >> >> > On Fri, Aug 7, 2015 at 10:56 PM, Jeff Schroeder
>>> >> >> > <[email protected]> wrote:
>>> >> >> > > The sudo command defaults to envreset (look for that in the man
>>> >> >> > > page) which strips all env variables sans a select few. I'd almost
>>> >> >> > > bet that your SSL_* variables are not present and were not passed
>>> >> >> > > to the slave. Just sudo -i and start the slaves *as root* without
>>> >> >> > > sudo. There is no benefit to starting them with sudo. You can
>>> >> >> > > verify what I'm saying with something along the lines of:
>>> >> >> > >
>>> >> >> > > strings /proc/$(pidof mesos-slave)/environ | grep ^SSL_
>>> >> >> > >
>>> >> >> > >
>>> >> >> > > On Friday, August 7, 2015, Dharmit Shah <[email protected]
>>> >
>>> >> >> > > wrote:
>>> >> >> > >>
>>> >> >> > >> Hello again,
>>> >> >> > >>
>>> >> >> > >> Thanks for your responses. I will share what I tried after your
>>> >> >> > >> suggestions.
>>> >> >> > >>
>>> >> >> > >> 1. `ldd /usr/sbin/mesos-master` and `ldd /usr/sbin/mesos-slave`
>>> >> >> > >> returned similar output as one suggested by Craig. So, I guess,
>>> >> >> > >> the Mesosphere repo binaries have SSL enabled. Right?
>>> >> >> > >>
>>> >> >> > >> 2. I created SSL private key and cert on one system in my cluster
>>> >> >> > >> by referring to this guide on DO [1]. Admittedly, my knowledge of
>>> >> >> > >> SSL is limited.
>>> >> >> > >>
>>> >> >> > >> 3. Next, I copied the key and cert to all three mesos-master nodes
>>> >> >> > >> and four mesos-slave nodes. Shouldn't slave nodes be provided only
>>> >> >> > >> with the cert and not the private key? Whereas all master nodes
>>> >> >> > >> may have the private key and cert both. Or am I understanding SSL
>>> >> >> > >> incorrectly here?
>>> >> >> > >>
>>> >> >> > >> 4. After copying the cert and key, I started the mesos-master
>>> >> >> > >> service on master nodes with the below command:
>>> >> >> > >>
>>> >> >> > >>     $ sudo SSL_ENABLED=true SSL_KEY_FILE=~/ssl/mesos.key \
>>> >> >> > >>         SSL_CERT_FILE=~/ssl/mesos.crt /usr/sbin/mesos-master \
>>> >> >> > >>         --zk=zk://172.19.10.111:2181,172.19.10.112:2181,172.19.10.193:2181/mesos \
>>> >> >> > >>         --port=5050 --log_dir=/var/log/mesos \
>>> >> >> > >>         --acls=file:///root/acls.json \
>>> >> >> > >>         --credentials=/home/isys/mesos --quorum=2 \
>>> >> >> > >>         --work_dir=/var/lib/mesos
>>> >> >> > >>
>>> >> >> > >> I check web UI and things look good. I am not completely sure if
>>> >> >> > >> "https" should have worked for mesos web UI but, it didn't.
>>> >> >> > >>
>>> >> >> > >> 5. Next, I start slave nodes with the below command:
>>> >> >> > >>
>>> >> >> > >>     $ sudo SSL_ENABLED=true SSL_CERT_FILE=~/mesos.crt \
>>> >> >> > >>         SSL_KEY_FILE=~/mesos.key /usr/sbin/mesos-slave \
>>> >> >> > >>         --master=zk://172.19.10.111:2181,172.19.10.112:2181,172.19.10.193:2181/mesos \
>>> >> >> > >>         --log_dir=/var/log/mesos --containerizers=docker,mesos \
>>> >> >> > >>         --executor_registration_timeout=15mins
>>> >> >> > >>
>>> >> >> > >> Mesos web UI reported four mesos-slave nodes in "Activated" mode.
>>> >> >> > >> So far so good. I am still wondering how I should verify if
>>> >> >> > >> communication is happening over SSL.
>>> >> >> > >>
>>> >> >> > >> 6. To check if SSL is indeed working, I stopped one slave node and
>>> >> >> > >> started it without SSL using `systemctl start mesos-slave`. I was
>>> >> >> > >> expecting it to not get into "Activated" state on Mesos web UI but
>>> >> >> > >> it did. So, I think SSL is not configured properly by me.
>>> >> >> > >>
>>> >> >> > >> I am attaching logs from the master nodes. These logs were
>>> >> >> > >> generated after starting masters with command specified in point 4.
>>> >> >> > >>
>>> >> >> > >> Let me know if I am doing something wrong or if you need more logs
>>> >> >> > >> or need me to execute some specific commands.
>>> >> >> > >>
>>> >> >> > >> [1] https://www.digitalocean.com/community/tutorials/openssl-essentials-working-with-ssl-certificates-private-keys-and-csrs
>>> >> >> > >>
>>> >> >> > >> Regards,
>>> >> >> > >> Dharmit.
>>> >> >> > >>
>>> >> >> > >> On Fri, Aug 7, 2015 at 2:52 AM, Michael Park <
>>> [email protected]>
>>> >> >> > >> wrote:
>>> >> >> > >> > Hi Dharmit,
>>> >> >> > >> >
>>> >> >> > >> > I'm not certain whether the Mesosphere deb packages have SSL
>>> >> >> > >> > enabled or not, although based on Craig's observation it looks
>>> >> >> > >> > like it is.
>>> >> >> > >> >
>>> >> >> > >> > I think the correct way to enable SSL is to set the SSL_ENABLED
>>> >> >> > >> > environment variable, rather than /etc/mesos-master/ssl_enabled.
>>> >> >> > >> > Of course, along with the rest of the SSL_ environment variables.
>>> >> >> > >> >
>>> >> >> > >> > e.g. SSL_ENABLED=true SSL_KEY_FILE=<path-to-your-private-key>
>>> >> >> > >> > SSL_CERT_FILE=<path-to-your-certificate> ./mesos-master
>>> >> >> > >> > <master-flags>
>>> >> >> > >> >
>>> >> >> > >> > MPark.
>>> >> >> > >> >
>>> >> >> > >> > On Thu, Aug 6, 2015 at 9:30 AM craig w <[email protected]
>>> >
>>> >> >> > >> > wrote:
>>> >> >> > >> >>
>>> >> >> > >> >> I've run ldd on /usr/sbin/mesos-master (on CentOS 7 using mesos
>>> >> >> > >> >> 0.23 from mesosphere repo) and I see "libssl.3.so" and
>>> >> >> > >> >> "libssl.so.10"
>>> >> >> > >> >>
>>> >> >> > >> >> On Thu, Aug 6, 2015 at 12:20 PM, Jeff Schroeder
>>> >> >> > >> >> <[email protected]> wrote:
>>> >> >> > >> >>>
>>> >> >> > >> >>> Can you run ldd on the mesos-master or mesos-slave binaries? I
>>> >> >> > >> >>> believe you *should* see openssl libraries in the output if
>>> >> >> > >> >>> those packages are configured using --enable-ssl.
>>> >> >> > >> >>>
>>> >> >> > >> >>> On Thu, Aug 6, 2015 at 9:46 AM, Dharmit Shah
>>> >> >> > >> >>> <[email protected]>
>>> >> >> > >> >>> wrote:
>>> >> >> > >> >>>>
>>> >> >> > >> >>>> Hello,
>>> >> >> > >> >>>>
>>> >> >> > >> >>>> I followed Mesos cluster setup guide on the Mesosphere website
>>> >> >> > >> >>>> [1]. I set it up on a CentOS 7 system. For installation of
>>> >> >> > >> >>>> packages, I went with Mesosphere provided repositories.
>>> >> >> > >> >>>>
>>> >> >> > >> >>>> Now that Mesos 0.23 has been released with SSL capabilities, I
>>> >> >> > >> >>>> believe it is possible to have communication between the
>>> >> >> > >> >>>> master, slaves and frameworks be secured by SSL. Am I right?
>>> >> >> > >> >>>>
>>> >> >> > >> >>>> I would like to set it up in my environment. I am using
>>> >> >> > >> >>>> `mesos-0.23.0-1.0.centos701406.x86_64`.
>>> >> >> > >> >>>>
>>> >> >> > >> >>>> The official Mesos documentation on the topic [2] illustrates
>>> >> >> > >> >>>> how things can be set up when building Mesos from source.
>>> >> >> > >> >>>>
>>> >> >> > >> >>>> I would like to know if Mesos package shipped by Mesosphere
>>> >> >> > >> >>>> repo has this feature or not yet? I tried setting
>>> >> >> > >> >>>> `/etc/mesos-master/ssl_enabled` on one of the master nodes. But
>>> >> >> > >> >>>> restarting `mesos-master` service failed stating that option
>>> >> >> > >> >>>> `ssl_enabled` is unknown.
>>> >> >> > >> >>>>
>>> >> >> > >> >>>> Thanks for your help!
>>> >> >> > >> >>>>
>>> >> >> > >> >>>> [1] http://open.mesosphere.com/getting-started/datacenter/install/
>>> >> >> > >> >>>> [2] http://mesos.apache.org/documentation/latest/mesos-ssl/
>>> >> >> > >> >>>>
>>> >> >> > >> >>>> Regards,
>>> >> >> > >> >>>> Dharmit.
>>> >> >> > >> >>>
>>> >> >> > >> >>>
>>> >> >> > >> >>>
>>> >> >> > >> >>>
>>> >> >> > >> >>> --
>>> >> >> > >> >>> Jeff Schroeder
>>> >> >> > >> >>>
>>> >> >> > >> >>> Don't drink and derive, alcohol and analysis don't mix.
>>> >> >> > >> >>> http://www.digitalprognosis.com
>>> >> >> > >> >>
>>> >> >> > >> >>
>>> >> >> > >> >>
>>> >> >> > >> >>
>>> >> >> > >> >> --
>>> >> >> > >> >>
>>> >> >> > >> >> https://github.com/mindscratch
>>> >> >> > >> >> https://www.google.com/+CraigWickesser
>>> >> >> > >> >> https://twitter.com/mind_scratch
>>> >> >> > >> >> https://twitter.com/craig_links
>>> >> >> > >
>>> >> >> > >
>>> >> >> > >
>>> >> >> > > --
>>> >> >> > > Text by Jeff, typos by iPhone
>>> >> >> >
>>> >> >> >
>>> >> >
>>> >> >
>>> >
>>> >
>>>
>>
>>
>
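
The checks suggested in this thread, gathered into one script as an added example (not code from the thread or from the Mesos project): it reads a process's /proc/<pid>/environ to see whether the SSL_* variables arrived, and probes the port for a TLS handshake, since ldd listing libssl did not settle the question here. The required-variable list, the function names and the sample values are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: did the SSL_* settings reach the process, and does the port answer TLS?
# Assumption: the minimum set checked is the three variables named in the thread.
REQUIRED_VARS="SSL_ENABLED SSL_KEY_FILE SSL_CERT_FILE"

# Print the SSL_* entries of a NUL-separated environ file (/proc/<pid>/environ).
ssl_env() {
  tr '\0' '\n' < "$1" | grep '^SSL_' || true
}

# Print the required variables that are absent (or SSL_ENABLED when not "true").
# Exit status is 0 only when nothing is missing.
missing_ssl_vars() {
  local vars missing name value
  missing=""
  vars="$(ssl_env "$1")"
  for name in $REQUIRED_VARS; do
    value="$(printf '%s\n' "$vars" | sed -n "s/^${name}=//p" | head -n 1)"
    if [ -z "$value" ]; then
      missing="$missing $name"
    elif [ "$name" = SSL_ENABLED ] && [ "$value" != true ]; then
      missing="$missing $name"
    fi
  done
  missing="${missing# }"
  printf '%s' "$missing"
  [ -z "$missing" ]
}

# Return 0 if host:port presents a certificate in a TLS handshake.
# The certificate is not validated here; this only tells TLS from plain HTTP.
port_speaks_tls() {
  timeout 5 openssl s_client -connect "$1:$2" </dev/null 2>/dev/null \
    | grep -q -- '-----BEGIN CERTIFICATE-----'
}

# Constructed sample environ files (not taken from the thread):
# one without any SSL_* variables, one as loaded from an environment file.
sample_stripped="$(mktemp)"; sample_ok="$(mktemp)"
printf 'PATH=/usr/bin\0HOME=/root\0' > "$sample_stripped"
printf 'PATH=/usr/bin\0SSL_ENABLED=true\0SSL_KEY_FILE=/etc/mesos/key.pem\0SSL_CERT_FILE=/etc/mesos/cert.pem\0' > "$sample_ok"

echo "stripped env, missing: $(missing_ssl_vars "$sample_stripped" || true)"
echo "service env, missing:  $(missing_ssl_vars "$sample_ok" || true)"
```

On a live node, pass /proc/$(pidof mesos-master)/environ to missing_ssl_vars and run port_speaks_tls against the master's host and port 5050.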
