Mesos / MESOS-6566

The Docker executor should not leak task env variables in the Docker command cmd line.

Details

    • Bug
    • Status: Accepted
    • Major
    • Resolution: Unresolved
    • None
    • None
    • docker, security

    Description

      Task environment variables are sensitive, as they might contain secrets.

      The Docker executor starts tasks by executing a docker run command, and it includes the env variables in the cmd line of the docker command, exposing them to all the users on the machine:

      $ ./src/mesos-execute --command="sleep 200" --containerizer=docker --docker_image=alpine --env='{"foo": "bar"}' --master=10.0.2.15:5050 --name=test
      $ ps aux | grep bar
      [...] docker -H unix:///var/run/docker.sock run [...] -e foo=bar [...] alpine -c sleep 200
      $
      

      The Docker executor could pass Docker the --env-file flag, pointing it to a file with the environment variables.
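
An added example, not part of the issue and not Mesos code, sketching the `--env-file` approach suggested above in Python: it builds the `docker run` argument vector both ways and checks which variable values remain readable from the command line. The helper names, the `task-env-` file prefix and the refusal of names or values that would break the line-oriented env-file format are assumptions of this sketch.

```python
import os
import tempfile

DOCKER = ["docker", "-H", "unix:///var/run/docker.sock", "run"]

def argv_with_e_flags(image, command, env):
    """Behaviour reported in the issue: every variable becomes a -e argument."""
    flags = [arg for k, v in env.items() for arg in ("-e", f"{k}={v}")]
    return DOCKER + flags + [image, *command]

def write_env_file(env, directory):
    """Write env as KEY=VALUE lines to a new owner-only file; return its path."""
    lines = []
    for key, value in env.items():
        # --env-file is line-oriented and treats lines starting with '#' as
        # comments, so names or values that would break that framing are refused.
        if not key or "=" in key or key.startswith("#") or any(c.isspace() for c in key):
            raise ValueError(f"unsupported variable name: {key!r}")
        if "\n" in value or "\r" in value:
            raise ValueError(f"value of {key!r} contains a line break")
        lines.append(f"{key}={value}\n")
    # mkstemp creates the file with O_EXCL and mode 0600 (owner read/write only).
    fd, path = tempfile.mkstemp(prefix="task-env-", dir=directory)
    with os.fdopen(fd, "w", encoding="utf-8") as handle:
        handle.writelines(lines)
    return path

def argv_with_env_file(image, command, env, directory):
    """Proposed form: only the path of the env file appears in argv."""
    path = write_env_file(env, directory)
    return DOCKER + ["--env-file", path, image, *command], path

def exposed_names(argv, env):
    """Names of variables whose value can be read from argv (e.g. via ps aux)."""
    # The env-file path itself is skipped: it is a random name, not a value.
    skip = {i + 1 for i, arg in enumerate(argv) if arg == "--env-file"}
    visible = [arg for i, arg in enumerate(argv) if i not in skip]
    return sorted(k for k, v in env.items() if v and any(v in arg for arg in visible))

if __name__ == "__main__":
    env = {"foo": "bar"}  # the variable used in the report
    with tempfile.TemporaryDirectory() as private_dir:  # stand-in for a task-private dir
        before = argv_with_e_flags("alpine", ["sleep", "200"], env)
        after, env_path = argv_with_env_file("alpine", ["sleep", "200"], env, private_dir)
        print("exposed with -e:        ", exposed_names(before, env))
        print("exposed with --env-file:", exposed_names(after, env))
        print("env file mode:", oct(os.stat(env_path).st_mode & 0o777))
```

The env file should sit in a directory other users cannot traverse and be removed once the task no longer needs it.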

            People

              Unassigned
              Gastón Kleiman (gkleiman)
              Kapil Arya