eBayClassifiedsGroup / PanteraS

PanteraS - PaaS - Platform as a Service in a box
GNU General Public License v2.0

Securize Chronos #162

Closed. kopax closed this 8 years ago.

kopax commented 8 years ago

I am trying to set the listening interface of Chronos to make it private and not listen on 0.0.0.0 (the default).

In the Chronos documentation there is one parameter that could fit my needs, `--http_address`, but it can only be set to 0.0.0.0; otherwise it doesn't work.

This is also an unanswered issue on mesos/chronos: #393

As far as I know, it is not possible to set the listening interface of the Chronos framework.

To use Chronos securely:

  1. Use PanteraS in a private LAN / private cloud so you won't have to care about the security issue
  2. Use Chronos Mesos Framework Authentication
  3. Disable Chronos using START_CHRONOS=false
  4. At least secure it with CRAM-MD5 and HTTPS

(1) is not possible, this is too costly right now :-1:. (2) is the solution I have chosen, together with (4).

I have tried to follow the documentation but couldn't make it work.

Chronos has a `--https_port` option. This is the only HTTPS-related option, so I guess it will also enable the HTTPS server.

Have you tried the built-in CRAM-MD5 Mesos authentication mechanism? Does it fit well with PanteraS and HTTPS/HTTP?

How do you provide the HTTPS certs to Chronos?

sielaq commented 8 years ago

We are not using Chronos in production yet; my colleagues at Kijiji Canada do, I will have to ask them. What I would do: I would wait for the fix for the bug you have mentioned, and in the meantime I would use iptables to limit access to localhost only (assuming your external interface is eth0 and your default policies are ACCEPT):

```
iptables -A INPUT -i eth0 -p tcp --dport 4400 -j DROP
```

If you have only one interface:

```
iptables -A INPUT -p tcp -s localhost --dport 4400 -j ACCEPT
iptables -A INPUT -p tcp --dport 4400 -j DROP
```

And I would set up https + authentication too.

But having iptables, you can start playing with hardening it.

cookandy commented 8 years ago

I think adding the authentication mechanism to both Chronos and Marathon would be a good enhancement. I'll see if I can put something together soon.

kopax commented 8 years ago

The iptables rule is a nice trick.

> And I would set up https + authentication too.

How do you set up HTTPS?

I have tried playing with the following settings and couldn't get a working one:

```
  --https_port  <arg>                         The port to listen on for HTTPS
                                              requests (default = 8443)
  --ssl_keystore_password  <arg>              Password for the keystore
                                              supplied with the
                                              `ssl_keystore_path` option.
                                              Required if `ssl_keystore_path`
                                              is supplied. May also be
                                              specified with the
                                              `MESOSPHERE_KEYSTORE_PASS`
                                              environment variable.
  --ssl_keystore_path  <arg>                  Path to the SSL keystore. HTTPS
                                              (SSL) will be enabled if this
                                              option is supplied. Requires
                                              `--ssl_keystore_password`. May
                                              also be specified with the
                                              `MESOSPHERE_KEYSTORE_PATH`
```

@cookandy Don't forget Mesos, consul-ui and supervisor then; securing the whole suite could be an enhancement. In generate_yml.sh, the bind interface shouldn't be set to 0.0.0.0 but to `${IP}`.
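As an added example (my own wrapper, not Chronos or PanteraS code, and not something the thread itself got working), here is how the three options quoted above fit together. It assumes a JDK `keytool` on PATH, that Chronos accepts a JKS keystore (the help text only says "SSL keystore"; for a Java service that is what keytool produces), and that the password is handed over through the `MESOSPHERE_KEYSTORE_PASS` environment variable named in the help text rather than as a flag, where `ps` and any supervisor log that echoes the command line would expose it. The paths, the `chronos` key alias and the CN are placeholders.

```shell
#!/bin/sh
# Added example: build a JKS keystore for Chronos and assemble the HTTPS flags.
# Not part of PanteraS or Chronos; paths, alias and CN below are placeholders.
set -eu

# Create a self-signed RSA key pair in a JKS keystore that only the service
# user can read. keytool rejects keystore passwords shorter than 6 characters,
# so check that first instead of failing halfway through.
make_keystore() {
  ks_path=$1 ks_pass=$2 cn=$3 days=${4:-365}
  if [ "${#ks_pass}" -lt 6 ]; then
    echo "keystore password must be at least 6 characters" >&2
    return 1
  fi
  umask 077   # keystore is created 0600 from the start, no chmod race
  # -storepass is briefly visible in `ps` on the host generating the key;
  # acceptable for a one-off, never for the long-running Chronos process.
  keytool -genkeypair -alias chronos -keyalg RSA -keysize 2048 \
    -validity "$days" -dname "CN=$cn" -storetype JKS \
    -keystore "$ks_path" -storepass "$ks_pass" -keypass "$ks_pass"
  # Prove the keystore opens with this password before Chronos ever sees it.
  keytool -list -keystore "$ks_path" -storepass "$ks_pass" >/dev/null
}

# Chronos flags for HTTPS. The password is deliberately NOT a flag: Chronos
# reads it from MESOSPHERE_KEYSTORE_PASS (per its help text), which keeps it
# out of the process command line.
chronos_https_args() {
  ks_path=$1 https_port=${2:-8443}
  printf -- '--https_port %s --ssl_keystore_path %s' "$https_port" "$ks_path"
}

# Usage from a wrapper script (PASS read from a root-only file, not typed):
#   make_keystore /etc/chronos/chronos.jks "$PASS" chronos.example.internal
#   MESOSPHERE_KEYSTORE_PASS="$PASS" chronos $(chronos_https_args /etc/chronos/chronos.jks)
```

Two caveats: the certificate is self-signed, so clients (curl, Marathon callbacks, browsers) must be given the public cert to trust or they will refuse the connection; and these flags say nothing about the plain HTTP port, so unless Chronos offers a way to switch it off, port 4400 keeps listening in cleartext and the iptables rule from the earlier comment still applies to it.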

cookandy commented 8 years ago

I think Marathon and Chronos will be relatively easy to secure. However, Mesos must be configured with the `--enable-libevent --enable-ssl` options when building it to support SSL.

This means that we can add HTTPS to the Marathon and Chronos web UIs, and even use authentication; however, all traffic between Mesos master/slaves will be unencrypted (as will the web UI). We can disable anonymous joining of the Mesos cluster by using the `--authenticate --authenticate_slaves` flags, but the Mesos web UI will still be unsecured. Is that ok?

sielaq commented 8 years ago

I hope that https://github.com/eBayClassifiedsGroup/PanteraS/commit/b1cc3a59bfa6b9e62151beecbcb49ccf09819f6d will help you stop exposing the relevant APIs by setting LISTEN_IP. I have set the default LISTEN_IP like it was (0.0.0.0). For most of the apps I was able to set the HTTP listening address, but as you have noticed some of the apps still expose some ports (Marathon / Chronos).

And some are exposed on purpose, HAProxy (80); some still require modification (81).
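As an added example (my own script, not PanteraS code and not from anyone in the thread), the following ties the two workarounds together. It reads `ss -ltn` output, reports which of the ports discussed here (Chronos 4400, Mesos master 5050, Marathon 8080) are still bound to a wildcard address after LISTEN_IP is set, and for each one prints iptables rules in the spirit of sielaq's comment that confine the port to loopback plus an optional trusted network. The sample `ss` output is constructed, and the port list and the `10.0.0.0/24` trusted CIDR are assumptions.

```shell
#!/bin/sh
# Added example, not part of PanteraS: audit wildcard listeners on the ports the
# thread cares about and emit the iptables rules that would confine them.
# Nothing here touches a live system unless you pipe real `ss -ltn` into it and
# then pipe the printed rules into sh.
set -e

# Constructed sample of `ss -ltn` output (not from a real node). Both the
# "0.0.0.0:port" and the older "*:port" wildcard spellings appear in the wild.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:4400        0.0.0.0:*
LISTEN 0      128    10.0.0.5:8500       0.0.0.0:*
LISTEN 0      128    *:8080              *:*
LISTEN 0      128    127.0.0.1:9000      0.0.0.0:*
LISTEN 0      128    [::]:5050           [::]:*'

# Ports to watch (assumed: Chronos, Mesos master, Marathon). Override via env.
WATCH_PORTS=${WATCH_PORTS:-"4400 5050 8080"}

# Read `ss -ltn` on stdin; print "<port> <address>" for every LISTEN socket
# bound to a wildcard address (IPv4 0.0.0.0 / *, IPv6 [::] / ::).
wildcard_listeners() {
  awk '
    $1 == "LISTEN" {
      n = split($4, a, ":")                      # port is the last ":" field,
      port = a[n]                                # also for "[::]:5050"
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr == "0.0.0.0" || addr == "*" || addr == "[::]" || addr == "::")
        print port, addr
    }'
}

# Print rules confining one TCP port to loopback plus an optional trusted CIDR.
# Rules are inserted at the head of INPUT with -I, so they win over any broad
# ACCEPT already in the chain; the DROP is inserted first so that the ACCEPTs,
# inserted afterwards, end up above it. -i lo is used instead of -s localhost
# so the match does not depend on name resolution.
restrict_port_rules() {
  port=$1 trusted=${2:-}
  echo "iptables -I INPUT -p tcp --dport $port -j DROP"
  if [ -n "$trusted" ]; then
    echo "iptables -I INPUT -p tcp -s $trusted --dport $port -j ACCEPT"
  fi
  echo "iptables -I INPUT -i lo -p tcp --dport $port -j ACCEPT"
}

# Read `ss -ltn` on stdin; for every watched port still bound to a wildcard,
# print a comment and the rules that would confine it. Output is a plan to
# review, not applied automatically.
plan_rules() {
  trusted=${1:-}
  wildcard_listeners | while read -r port addr; do
    case " $WATCH_PORTS " in
      *" $port "*)
        echo "# port $port is bound to $addr and reachable from every interface"
        restrict_port_rules "$port" "$trusted"
        ;;
    esac
  done
}

# Usage on a node: ss -ltn | plan_rules 10.0.0.0/24        (review, then | sh)
# Offline demo:    printf '%s\n' "$SAMPLE_SS" | plan_rules 10.0.0.0/24
```

Two things to check before applying the plan: the rules live in INPUT and therefore only cover services that share the host's network namespace; a service in a port-mapped container is reached via FORWARD and the Docker chains instead, and these rules will not touch it. And `iptables -I` is not persistent, so whatever you keep must also go into the distribution's rule-saving mechanism or the node returns to wide open after a reboot.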