Hi Gilbert, thanks for the detailed reply, this secrets is very interesting.

> * Fetch via URI - you probably do not need your application entrypoint to fetch. Instead Mesos
> and marathon supports fetching URIs to your container sandbox.
> http://mesos.apache.org/documentation/latest/fetcher/

This fetching is what I am doing now. I have containers with a default configuration file. But when I need updates I am fetching with something like this.

    "fetch": [
      {
        "uri": "file:///mnt/docker-images/haproxy.cfg",
        "executable": false,
        "extract": false,
        "cache": false,
        "destPath": "haproxy.cfg"
      },
      {
        "uri": "file:///mnt/docker-images/xxxx.crt",
        "executable": false,
        "extract": false,
        "cache": false,
        "destPath": "xxxx.crt"
      }
    ],

But this file goes into the sandbox directory /mnt/sandbox, I just wonder why it can't go directly to the 'container rootfs'? This is what I now have to do in the entrypoint.sh

    if [ ! -z "${MESOS_SANDBOX}" ] && [ -f "${MESOS_SANDBOX}/haproxy.cfg" ]

-----Original Message-----
To: user
Subject: Re: Provisioning containers with configuration file via sandbox mount or copy via entrypoint.sh

It depends on how you want to manage the configuration files for your containers - dynamic or static.

* Dynamic
  * Fetch via URI - you probably do not need your application entrypoint to fetch. Instead Mesos and Marathon support fetching URIs to your container sandbox. http://mesos.apache.org/documentation/latest/fetcher/
  * Pass into the container as a file based secret if it is sensitive. http://mesos.apache.org/documentation/latest/secrets/#file-based-secrets
  * Environment Variable.
* Static
  * Host_path volume - mounting a host path or file into your container. http://mesos.apache.org/documentation/latest/container-volume/#host_path-volume-source
  * Build it in your container image if those configurations are not expected to be changed.

> Furthermore this page[1] says the sandbox is considered read only, yet the stdout and stderr are located there???

I think the document <http://mesos.apache.org/documentation/latest/sandbox/#using-the-sandbox> means that sandbox is not expected to be touched by any 3rd party software or people other than Mesos, executor and task/application.

-Gilbert

On Sun, Jul 21, 2019 at 3:22 AM Marc Roos <m.r...@f1-outsourcing.eu> wrote:

What would be the advised way to add a configuration file to a container being used at startup. I am now fetching the files and then create an entrypoint.sh that copies this from the sandbox. Creating these custom entrypoints.sh is cumbersome. I thought about mounting the paths of the sandbox in the container but don't have good example to get this working[0].

Furthermore this page[1] says the sandbox is considered read only, yet the stdout and stderr are located there???

Is there a (security) advantage copying files from the sandbox at startup or just use a mount point?

[0] https://www.mail-archive.com/user@mesos.apache.org/msg10445.html
[1] http://mesos.apache.org/documentation/latest/sandbox/
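
Added example (not part of the original thread, and not Mesos or Marathon code): a reusable entrypoint.sh that replaces per-image copy logic by installing fetched files from MESOS_SANDBOX only when they are present, non-empty regular files, and otherwise keeping the image defaults. The file names come from the fetch list above; CONF_DIR, the install_from_sandbox helper and the file modes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. CONF_DIR is an assumed target directory.
CONF_DIR="${CONF_DIR:-/usr/local/etc/haproxy}"

# install_from_sandbox NAME DEST [MODE]   (hypothetical helper)
#   0 = copied, 1 = nothing fetched (image default stays), 2 = rejected/failed
install_from_sandbox() {
    name=$1; dest=$2; mode=${3:-0644}
    # Outside Mesos MESOS_SANDBOX is unset: keep the defaults from the image.
    [ -n "${MESOS_SANDBOX:-}" ] || return 1
    src="${MESOS_SANDBOX}/${name}"
    # Test for a symlink first, because -f and -e follow links.
    if [ -L "$src" ]; then
        echo "refusing symlink: $src" >&2; return 2
    fi
    [ -e "$src" ] || return 1
    if [ ! -f "$src" ] || [ ! -s "$src" ]; then
        echo "not a non-empty regular file: $src" >&2; return 2
    fi
    # Copy to a temporary name and rename, so DEST is never half-written.
    tmp="${dest}.tmp.$$"
    if cp "$src" "$tmp" && chmod "$mode" "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"; return 2
}

# Entry point: only acts when a command is given, e.g.
#   entrypoint.sh haproxy -f /usr/local/etc/haproxy/haproxy.cfg
if [ "$#" -gt 0 ]; then
    for spec in haproxy.cfg:0644 xxxx.crt:0600; do
        f=${spec%%:*}
        # Status 1 (nothing fetched) is fine; status 2 aborts the start.
        install_from_sandbox "$f" "${CONF_DIR}/$f" "${spec##*:}" \
            || [ "$?" -eq 1 ] || exit 1
    done
    exec "$@"
fi
```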