It sounds easy in theory but it is not, described for another purpose but the 
Dragons explained: http://gruchalski.com/apache-zookeeper-authentication.html
I’d suggest a firewall. Opening ZK ports only to known IP addresses.

Kind regards,

Radek Gruchalski

ra...@gruchalski.com
de.linkedin.com/in/radgruchalski/

On Tuesday, 10 November 2015 at 12:17, haosdent wrote:

> How about using ZooKeeper ACL? 
> https://zookeeper.apache.org/doc/r3.1.2/zookeeperProgrammers.html#sc_ZooKeeperAccessControl
>  
> On Tue, Nov 10, 2015 at 6:01 PM, Xiaodong Zhang <xdzh...@alauda.io> wrote:
> > What should I do in this scenario:  
> >  
> > slave registers to master with --master=masterip:masterport   
> >  
> > After that, master nodes change their leader.  
> >  
> > I found mesos-slave can’t register to master anymore. So it seems 
> > masterip:masterport is not a PROD-READY choice.  
> >  
> > Does that mean slaves have to register to master via zk?  
> >  
> > If using zk, how should mesos make the communication secure when my master 
> > and slave communicate with each other via public IP?  
> >  
> >  
> > From: Guangya Liu <gyliu...@gmail.com>
> > Reply-To: "user@mesos.apache.org" <user@mesos.apache.org>
> > Date: Tuesday, 3 November 2015, 2:10 PM
> >  
> > To: "user@mesos.apache.org" <user@mesos.apache.org>
> > Subject: Re: mess slave can't register to master via master ip:port
> >  
> > I filed a jira ticket https://issues.apache.org/jira/browse/MESOS-3822 to 
> > trace this. Thanks.
> >  
> > On Tue, Nov 3, 2015 at 2:02 PM, haosdent <haosd...@gmail.com> wrote:
> > > I think it is not correct.  
> > >  
> > > On Tue, Nov 3, 2015 at 12:44 PM, Xiaodong Zhang <xdzh...@alauda.io> wrote:
> > > > If that's so, I think this document should be modified.  
> > > >  
> > > > http://mesos.apache.org/documentation/latest/configuration/#SlaveOptions
> > > >   
> > > >  
> > > >  
> > > > Right?  
> > > >  
> > > >  
> > > > From: Guangya Liu <gyliu...@gmail.com>
> > > > Reply-To: "user@mesos.apache.org" <user@mesos.apache.org>
> > > > Date: Tuesday, 3 November 2015, 12:39 PM
> > > > To: "user@mesos.apache.org" <user@mesos.apache.org>
> > > > Subject: Re: mess slave can't register to master via master ip:port
> > > >  
> > > > It seems Mesos does not support such a mode; please refer to 
> > > > https://github.com/apache/mesos/blob/master/src/slave/main.cpp#L105-L111
> > > > for the format of "--master". Thanks!
> > > >  
> > > > On Tue, Nov 3, 2015 at 12:28 PM, haosdent <haosd...@gmail.com> wrote:
> > > > > After checking the code, it seems Mesos only supports --master=IP1:5050 or 
> > > > > --master=zk://xx or --master=file:///.  
> > > > >  
> > > > > On Tue, Nov 3, 2015 at 12:15 PM, haosdent <haosd...@gmail.com> wrote:
> > > > > > Are your masters already managed by ZooKeeper? And what is your 
> > > > > > master start command?  
> > > > > >  
> > > > > > On Tue, Nov 3, 2015 at 12:06 PM, Xiaodong Zhang <xdzh...@alauda.io> wrote:
> > > > > > > Hi all:  
> > > > > > >  
> > > > > > > My slave command is like this:  
> > > > > > >  
> > > > > > > /usr/sbin/mesos-slave --master=IP1:5050,IP2:5050,IP3:5050 …. 
> > > > > > > --credential …  
> > > > > > >  
> > > > > > > Only if IP1 is the leader, the slave can register to master 
> > > > > > > successfully, or it will fail to register.  
> > > > > > >  
> > > > > > > Slave log is like this:  
> > > > > > >  
> > > > > > > Creating new client SASL connection  
> > > > > > > Authentication timed out
> > > > > > > Failed to authenticate with master master@172.31.43.77:5050: Authentication discarded
> > > > > > > Authenticating with master master@172.31.43.77:5050
> > > > > > > Using default CRAM-MD5 authenticatee
> > > > > > >  
> > > > > > > Is this a bug? Or is it designed like this?  
> > > > > > >  
> > > > > > > BTW: --master:zk://xxxxxxx works well.  
> > > > > >  
> > > > > >  
> > > > > > --  
> > > > > > Best Regards,
> > > > > > Haosdent Huang  
> > > > >  
> > > > >  
> > > > > --  
> > > > > Best Regards,
> > > > > Haosdent Huang  
> > >  
> > >  
> > >  
> > > --  
> > > Best Regards,
> > > Haosdent Huang  
>  
>  
>  
> --  
> Best Regards,
> Haosdent Huang  
