Friday 26 June 2015

How should a .dockercfg file be hosted in a Mesosphere-on-AWS setup so that only Mesosphere can use it?

We have set up a test cluster with Mesosphere on AWS, in a private VPC. We have some Docker images which are public, which are easy enough to deploy. However most of our services are private images, hosted on the Docker Hub private plan, and require authentication to access.

Mesosphere is capable of private registry authentication, but it achieves this in a not-exactly-ideal way: an HTTPS URI to a .dockercfg file needs to be specified in all Mesos/Marathon task definitions.

A few options spring to mind, but none of them seem immediately satisfactory:

  • The most obvious option that springs to mind is to host it in practically its own bucket on S3, but then it doesn't seem easy to restrict access to it in the right way, especially since S3 has an interesting take on basic auth in the query string.
  • As we are dealing with usernames and passwords, the AWS Key Management Service (or even CloudHSM at the extreme) thing seems like it should be a good idea - but AFAIK Mesos has no built-in support for this, and we are not handling individual variables but a file.
  • One could in theory SCP the .dockercfg to each Mesos slave, but that would require knowing all the slaves in advance, and it does not scale as new slaves are added to the cluster.

As the title suggests, the question is basically: how should the .dockercfg file be hosted within AWS so that access may be restricted to only the Mesos(phere) master+slaves as tightly as possible?
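Since the post leaves this as an open question, here is one concrete way to handle the first bullet (S3), added as an example and not part of the original post: a bucket policy that allows `s3:GetObject` on the `.dockercfg` only for requests arriving through the VPC's S3 gateway endpoint, which is what lets the Mesos fetcher's unsigned HTTPS GET from the slaves succeed without query-string credentials, and explicitly denies everything else so that IAM principals elsewhere in the account cannot read it either. The bucket name `EXAMPLE-mesos-secrets` and endpoint ID `vpce-EXAMPLE0123` are placeholders you would replace with your own.

```json
{
  "Version": "2012-10-17",
  "Id": "mesos-dockercfg-vpce-only",
  "Statement": [
    {
      "Sid": "AllowFetchOnlyViaClusterVpcEndpoint",
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::EXAMPLE-mesos-secrets/.dockercfg",
      "Condition": {
        "StringEquals": { "aws:sourceVpce": "vpce-EXAMPLE0123" }
      }
    },
    {
      "Sid": "DenyAllAccessFromOutsideTheEndpoint",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::EXAMPLE-mesos-secrets",
        "arn:aws:s3:::EXAMPLE-mesos-secrets/*"
      ],
      "Condition": {
        "StringNotEquals": { "aws:sourceVpce": "vpce-EXAMPLE0123" }
      }
    }
  ]
}
```

The Marathon task definition then simply lists `https://EXAMPLE-mesos-secrets.s3.amazonaws.com/.dockercfg` in its `uris`, and the slaves' subnets must route S3 traffic through that endpoint. Note that the explicit Deny also locks out administrators working from outside the VPC, so the file has to be uploaded or rotated from inside the VPC (or the Deny narrowed accordingly).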
