Enabling SSL in Mesos

Posted on 2016-7-4 in Others

For security reasons, we recently decided to enable SSL in our Mesos environment.

By default, all communication inside a Mesos cluster is unencrypted, which makes it possible for anyone who gets into the cluster to intercept and take control of Mesos tasks.

The good news is that since version 0.23.0, Mesos has added SSL/TLS support to libprocess to encrypt the low-level network communication between Mesos components, and the Mesos WebUI also supports HTTPS.

The bad news is that to enable SSL/TLS we have to build and install Mesos from source; the packages installed through package managers (such as yum and apt-get) are not built with the SSL feature.

1. Installing Mesos from source

All of the following steps were performed on CentOS 7.1; Ubuntu users please refer to here.

1.1 Install dependencies

# Install a few utility tools
$ sudo yum install -y tar wget git

# Fetch the Apache Maven repo file.
$ sudo wget http://repos.fedorapeople.org/repos/dchen/apache-maven/epel-apache-maven.repo -O /etc/yum.repos.d/epel-apache-maven.repo

# Install the EPEL repo so that we can pull in 'libserf-1' as part of our
# subversion install below.
$ sudo yum install -y epel-release

# 'Mesos > 0.21.0' requires 'subversion > 1.8' devel package,
# which is not available in the default repositories.
# Create a WANdisco SVN repo file to install the correct version:
# Note: 'sudo cat > file' fails for a non-root user, because the shell performs
# the redirection without sudo; 'sudo tee' writes the file with root privileges.
# The quoted EOF keeps $basearch literal so yum, not the shell, expands it.
$ sudo tee /etc/yum.repos.d/wandisco-svn.repo > /dev/null <<'EOF'
[WANdiscoSVN]
name=WANdisco SVN Repo 1.9
enabled=1
baseurl=http://opensource.wandisco.com/centos/7/svn-1.9/RPMS/$basearch/
gpgcheck=1
gpgkey=http://opensource.wandisco.com/RPM-GPG-KEY-WANdisco
EOF

# Parts of Mesos require systemd in order to operate. However, Mesos
# only supports versions of systemd that contain the 'Delegate' flag.
# This flag was first introduced in 'systemd version 218', which is
# lower than the default version installed by centos. Luckily, centos
# 7.1 has a patched 'systemd < 218' that contains the 'Delegate' flag.
# Explicitly update systemd to this patched version.
$ sudo yum update systemd

# Install essential development tools.
$ sudo yum groupinstall -y "Development Tools"

# Install other Mesos dependencies.
$ sudo yum install -y apache-maven python-devel java-1.8.0-openjdk-devel zlib-devel libcurl-devel openssl-devel cyrus-sasl-devel cyrus-sasl-md5 apr-devel subversion-devel apr-util-devel libevent-devel openssl

1.2 Download the Mesos source code

Download the latest stable release from Apache.

$ wget http://www.apache.org/dist/mesos/0.28.2/mesos-0.28.2.tar.gz
$ tar -zxf mesos-0.28.2.tar.gz

1.3 Build and install Mesos

This is the important step: to get SSL/TLS support, the --enable-libevent --enable-ssl options must be passed to configure.

# Change working directory.
$ cd mesos-0.28.2

# Configure and build with SSL/TLS support enabled.
$ mkdir build
$ cd build
$ ../configure --enable-libevent --enable-ssl
$ make

# Run test suite.
$ make check

# Install
$ make install

2. Enabling SSL

2.1 SSL key and certificate

In a test environment we can use OpenSSL to generate a self-signed key and certificate, but for a real production environment, please purchase a certificate from an internationally recognized certificate authority.

Key:

$ openssl genrsa -des3 -f4 -passout pass:testssl -out key.pem 4096
Generating RSA private key, 4096 bit long modulus
...............................++
..........................................................................++
e is 65537 (0x10001)

Certificate:

$ openssl req -new -x509 -passin pass:testssl -days 365 -key key.pem -out cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Sichuan
Locality Name (eg, city) [Default City]:Chengdu
Organization Name (eg, company) [Default Company Ltd]:TestCast Ltd.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:node1
Email Address []:

2.2 Set environment variables

After this, we need to set a few environment variables to enable SSL. The complete list of environment variables can be found in the official Mesos documentation, but in this example we only need to set three:

$ export SSL_ENABLED=1 # or SSL_ENABLED=true, default=false|0
$ export SSL_KEY_FILE=/root/key.pem # path to key (the file generated above)
$ export SSL_CERT_FILE=/root/cert.pem # path to certificate (the file generated above)
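The key generation from 2.1 and the variables from 2.2, combined into one script as an added example that is not part of the original post and not Mesos project code. It runs the same two openssl commands as above, but non-interactively (the Distinguished Name is passed with -subj), then checks that the key and certificate actually belong together, that the certificate is not about to expire, and that its CN is the node's hostname, before printing the three SSL_* exports with absolute paths so that a mistyped file name cannot end up in SSL_KEY_FILE. The hostname node1, the passphrase testssl and the output directory are placeholders taken from the post's own example; the script assumes the openssl CLI and GNU readlink are installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): generate, verify and export a
# self-signed key/certificate pair for a Mesos node.
# Assumptions: the openssl CLI is installed; hostname, passphrase and output
# directory are placeholders supplied by the caller.
set -eu

# Generate $1/key.pem and $1/cert.pem for hostname $2, protecting the key
# with passphrase $3. Key size $4 defaults to the post's 4096 bits.
gen_ssl_pair() {
    local dir="$1" host="$2" pass="$3" bits="${4:-4096}"
    mkdir -p "$dir"
    # Same commands as the post; -subj replaces the interactive DN prompts.
    openssl genrsa -des3 -f4 -passout "pass:$pass" -out "$dir/key.pem" "$bits" 2>/dev/null
    openssl req -new -x509 -passin "pass:$pass" -days 365 \
        -subj "/C=CN/ST=Sichuan/L=Chengdu/O=TestCast Ltd./CN=$host" \
        -key "$dir/key.pem" -out "$dir/cert.pem"
    chmod 600 "$dir/key.pem"   # the private key is readable by its owner only
}

# Return 0 only if key $1 and certificate $2 belong together, the certificate
# stays valid for at least $5 more seconds (default 30 days) and its CN is $4.
verify_ssl_pair() {
    local key="$1" cert="$2" pass="$3" host="$4" min_secs="${5:-2592000}"
    [ -r "$key" ] && [ -r "$cert" ] || { echo "missing key or cert" >&2; return 1; }
    local kmod cmod
    # An RSA key and the certificate issued for it share the same modulus.
    kmod=$(openssl rsa -noout -modulus -passin "pass:$pass" -in "$key")
    cmod=$(openssl x509 -noout -modulus -in "$cert")
    [ "$kmod" = "$cmod" ] || { echo "key does not match certificate" >&2; return 1; }
    # -checkend exits non-zero when the certificate expires within min_secs.
    openssl x509 -noout -checkend "$min_secs" -in "$cert" >/dev/null \
        || { echo "certificate expires within ${min_secs}s" >&2; return 1; }
    # Matches both "CN=node1" (OpenSSL 1.0) and "CN = node1" (1.1+) subject output.
    openssl x509 -noout -subject -in "$cert" | grep -q "CN *= *$host\$" \
        || { echo "certificate CN is not $host" >&2; return 1; }
}

# Print the three exports from section 2.2 with absolute paths; fail instead
# of printing anything if either file does not exist (e.g. key.perm vs key.pem).
mesos_ssl_env() {
    local key="$1" cert="$2"
    [ -r "$key" ] && [ -r "$cert" ] || { echo "key or cert not readable" >&2; return 1; }
    printf 'export SSL_ENABLED=1\nexport SSL_KEY_FILE=%s\nexport SSL_CERT_FILE=%s\n' \
        "$(readlink -f "$key")" "$(readlink -f "$cert")"
}

# Stand-alone usage (placeholder values): sh mesos_ssl.sh node1 testssl ./ssl
if [ $# -ge 3 ]; then
    gen_ssl_pair "$3" "$1" "$2"
    verify_ssl_pair "$3/key.pem" "$3/cert.pem" "$2" "$1"
    mesos_ssl_env "$3/key.pem" "$3/cert.pem"
fi
```

Running it with `sh mesos_ssl.sh node1 testssl ./ssl` prints the three `export` lines, which can be pasted into the shell (or an environment file) that starts mesos-master and mesos-slave; if any of the checks fails the script stops before printing them, so a broken pair never gets wired into the Mesos environment.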

2.3 Start Mesos

Once the steps above are done, that is all there is to it: start mesos-master and mesos-slave, and you will find that the Mesos WebUI can only be reached over HTTPS, while plain HTTP access has been disabled.