mesos-reviews mailing list archives

From Till Toenshoff <toensh...@me.com>
Subject Re: Review Request 57846: Docker environment gets passed by key and invocation environment.
Date Thu, 23 Mar 2017 02:47:37 GMT


> On March 23, 2017, 1:15 a.m., Alexander Rukletsov wrote:
> > If you can't use the env file to pass task's env to the docker client, and can't prefix task's env var names to avoid collision with docker client's env vars, the only way to pass task's vars IIUC is to use `-e` flag and set *both* `name` and `value`.

Yes, very unfortunate. I am now reverting back to the use of `-e KEY=VALUE`. Additionally
using `VLOG` to at least prevent sensitive data from being logged to users. This leaves the
leak via `ps` which we cannot address until `Secrets` are properly propagated into all codepaths.
Once that is done, we can actually partially go back to this `-e KEY` approach at least for
the sensitive data which we do not need for the CLI but only for the container - conflicts
should not be an issue then.


- Till


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/57846/#review169822
-----------------------------------------------------------


On March 22, 2017, 7:57 p.m., Till Toenshoff wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/57846/
> -----------------------------------------------------------
> 
> (Updated March 22, 2017, 7:57 p.m.)
> 
> 
> Review request for mesos, Adam B, Alexander Rukletsov, Gilbert Song, James DeFelice, Jie Yu, and Joseph Wu.
> 
> 
> Bugs: MESOS-6951
>     https://issues.apache.org/jira/browse/MESOS-6951
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> see summary.
> 
> 
> Diffs
> -----
> 
>   src/docker/docker.cpp 44fbde8e8a2c6c957af7339b4fb9479af7f21ff7 
> 
> 
> Diff: https://reviews.apache.org/r/57846/diff/1/
> 
> 
> Testing
> -------
> 
> make check & sudo ./bin/mesos-tests.sh
> 
> Functional testing - running `ps` while docker test active to confirm we do not leak values to the commandline;
> 
> ```
> /usr/bin/docker-current -H unix:///var/run/docker.sock run --cpu-shares 1024 --memory 536870912 -e MESOS_CONTAINER_NAME -e MESOS_SANDBOX -v /tmp/DockerContainerizerTest_ROOT_DOCKER_KillOrphanContainers_r7ImX7:/mnt/mesos/sandbox --net host
> ```
> 
> Further functional testing on variables containing linefeeds in progress...
> 
> 
> Thanks,
> 
> Till Toenshoff
> 
>
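
An added example (not part of this thread and not Mesos code) that reproduces the `ps` check from the Testing section with a stand-in process instead of the docker client: it starts the stand-in once with `-e KEY=VALUE` and once with `-e KEY`, then reads back the argv that `ps` would show. `TASK_TOKEN`, the secret value and the helper names are constructed for illustration, and Linux `/proc` is assumed.

```python
import os
import subprocess
import sys

SECRET = "constructed-secret-value"  # constructed sample value, not from the thread


def observed_argv(args, env):
    """Start a stand-in client with `args` and `env`; return its argv as `ps` reads it."""
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(30)", *args], env=env)
    try:
        # `ps` takes the command line from /proc/<pid>/cmdline, which other
        # local users can normally read; /proc/<pid>/environ is owner-only.
        with open(f"/proc/{child.pid}/cmdline", "rb") as f:
            return [a.decode() for a in f.read().split(b"\0") if a]
    finally:
        child.kill()
        child.wait()


def env_flags_with_values(argv):
    """Return the variable names whose value is spelled out after -e/--env."""
    exposed = []
    for i, arg in enumerate(argv):
        if arg in ("-e", "--env") and i + 1 < len(argv):
            spec = argv[i + 1]
        elif arg.startswith("--env="):
            spec = arg[len("--env="):]
        else:
            continue
        name, sep, _ = spec.partition("=")
        if sep:  # KEY=VALUE form: the value sits in argv
            exposed.append(name)
    return exposed


def compare():
    """Return (argv with -e KEY=VALUE, argv with -e KEY) as seen from outside."""
    base = ["run", "--net", "host"]
    by_value = observed_argv(base + ["-e", f"TASK_TOKEN={SECRET}"], dict(os.environ))
    # Key-only form: the value travels in the client's own environment instead.
    by_key = observed_argv(base + ["-e", "TASK_TOKEN"],
                           dict(os.environ, TASK_TOKEN=SECRET))
    return by_value, by_key


if __name__ == "__main__":
    for label, argv in zip(("-e KEY=VALUE", "-e KEY"), compare()):
        print(label, "| secret in argv:", any(SECRET in a for a in argv),
              "| exposed names:", env_flags_with_values(argv))
```

The key-only run keeps the value out of argv only because it sits in the client's own environment, which is where the name collisions discussed in the thread come from.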

