Paul, yes encryption is a possibility since Mesos 0.23. See
http://mesos.apache.org/documentation/latest/mesos-ssl/

I believe you can also select which listener port you want to use by specifying LIBPROCESS_PORT in the executor's environment.

On Tue, Oct 6, 2015 at 6:59 AM, Paul Bell <[email protected]> wrote:

> Thanks, Alexander; I will check out the vid.
>
> I kind of assumed that this port was used for exactly the purpose you
> mention.
>
> Is TLS a possibility here?
>
> -Paul
>
> On Tue, Oct 6, 2015 at 8:15 AM, Alexander Rojas <[email protected]>
> wrote:
>
>> Hi Paul,
>>
>> I can refer you to the talk given by Adam Bordelon at MesosCon
>> https://www.youtube.com/watch?v=G3sn1OLYDOE
>>
>> If you want the short answer, the solution is to put a firewall around
>> your cluster.
>>
>> On a closer look at the port, it is the one used for message passing
>> between the mesos-docker-executor and other mesos components.
>>
>>
>> On 05 Oct 2015, at 19:04, Paul Bell <[email protected]> wrote:
>>
>> Hi All,
>>
>> I am running an nmap port scan on a Mesos agent node and noticed nmap
>> reporting an open TCP port at 50577.
>>
>> Poking around some, I discovered exactly 5 mesos-docker-executor
>> processes, one for each of my 5 Docker containers, and each with an open
>> listen port:
>>
>> root 14131 3617 0 10:39 ? 00:00:17 mesos-docker-executor
>> --container=mesos-20151002-172703-2450482247-5050-3014-S0.5563c65a-e33e-4287-8ce4-b2aa8116aa95
>> --docker=/usr/local/ecxmcc/weaveShim --help=false
>> --mapped_directory=/mnt/mesos/sandbox
>> --sandbox_directory=/tmp/mesos/slaves/20151002-172703-2450482247-5050-3014-S0/frameworks/20151002-172703-2450482247-5050-3014-0000/executors/postgres.ea2954fd-6b6e-11e5-8bef-56847afe9799/runs/5563c65a-e33e-4287-8ce4-b2aa8116aa95
>> --stop_timeout=15secs
>>
>> I suppose that all of this is unsurprising. But I know of at least one
>> big customer who will without delay run Nmap or Nessus against my clustered
>> deployment.
>>
>> So I am wondering what the best practices approach is to securing these
>> open ports.
>>
>> Thanks for your help.
>>
>> -Paul
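
An added example, not part of the original thread: a small audit an operator could run on an agent to list the listening sockets owned by mesos-docker-executor processes and flag any that fall outside the port range the cluster firewall is meant to cover. It assumes Linux `ss -ltnp` output; the sample lines and the allowed range 31000-32000 are constructed for illustration.

```python
import re

# Constructed sample of `ss -ltnp` output (not captured from a real host).
# ss shows the kernel "comm" name, which is truncated to 15 characters,
# so mesos-docker-executor appears as "mesos-docker-ex".
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:50577      0.0.0.0:*         users:(("mesos-docker-ex",pid=14131,fd=6))
LISTEN 0      128    0.0.0.0:31005      0.0.0.0:*         users:(("mesos-docker-ex",pid=14140,fd=6))
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=900,fd=5))
LISTEN 0      128    [::]:5051          [::]:*            users:(("mesos-slave",pid=3617,fd=9))
"""

# local address, local port, peer column, first owning process name and pid
LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)'
)


def executor_listeners(ss_output, comm_prefix="mesos-docker-ex"):
    """Return (address, port, pid) for each listening executor socket."""
    found = []
    for line in ss_output.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(3).startswith(comm_prefix):
            found.append((m.group(1), int(m.group(2)), int(m.group(4))))
    return found


def outside_allowed(listeners, allowed):
    """Listeners whose port is not inside the inclusive (low, high) range."""
    low, high = allowed
    return [entry for entry in listeners if not low <= entry[1] <= high]


if __name__ == "__main__":
    # Hypothetical range that the firewall rules are assumed to cover.
    allowed_range = (31000, 32000)
    for addr, port, pid in outside_allowed(executor_listeners(SAMPLE_SS),
                                           allowed_range):
        print(f"executor pid {pid} listens on {addr}:{port}, "
              f"outside {allowed_range[0]}-{allowed_range[1]}")
```

On a live agent, replace `SAMPLE_SS` with the output of `ss -ltnp` run as root, since process names are only shown for sockets the caller may inspect.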

