⚠️ Project Retired: Apache Mesos was retired to the Apache Attic in August 2025 (completed October 2025). No new security patches or updates will be released. This documentation is provided for legacy environments that still operate Mesos-based stacks.
Recommendation: Plan migration to Kubernetes, Nomad, or other modern orchestrators.
Mesos security must cover master/agent authentication, framework authorization, ZooKeeper security, and network segmentation for scheduler/executor traffic.
¶ 1) Enable Authentication and Authorization
- Enable Mesos authentication: Configure the --authenticate flags on masters and agents
- Framework credentials: Create credentials file with framework usernames and secrets
- Use HTTP authentication: Enable credential-based authentication for all endpoints
- Protect agent registration: Authenticate agents to prevent rogue node joins
- ACL-based authorization: Define access control lists for operations
- Restrict framework registration: Limit which frameworks can register
- Limit task launch permissions: Control who can launch tasks on which agents
- Use role-based quotas: Prevent resource abuse by any single framework
# Create credentials file
echo "principal1 secret1" > /etc/mesos/credentials
echo "principal2 secret2" >> /etc/mesos/credentials
# Set proper permissions
chmod 600 /etc/mesos/credentials
chown root:root /etc/mesos/credentials
# Generate secret using openssl
openssl rand -base64 32
- Disable unauthenticated HTTP: Require authentication for all endpoints
- Remove default credentials: Never use default or empty credentials
- Audit endpoint access: Review which endpoints are exposed
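As an added example (not code from the Mesos project or this page), a small Python audit that checks the flags a master reports at /master/flags and a text-format credentials file against the items in this section. The flag names are the Mesos master's own; the sample inputs, the 16-character minimum secret length and the assumption that the acls flag value is the expanded ACL JSON are constructed for the example.

```python
import json

# Master flags that must read "true" on a hardened master (names as in the
# /master/flags endpoint, which reports every flag value as a string).
REQUIRED_TRUE = ("authenticate_frameworks", "authenticate_agents",
                 "authenticate_http_readwrite")
MIN_SECRET_LEN = 16  # assumption: anything shorter is flagged as weak


def audit_master_flags(flags):
    """Return findings for a master's flags dict; an empty list means clean."""
    findings = [f"{n} is not enabled" for n in REQUIRED_TRUE
                if flags.get(n) != "true"]
    acls = flags.get("acls")
    if not acls:
        findings.append("no --acls configured, authorization is off")
        return findings
    try:  # assumption: the value is the ACL JSON (file:// already expanded)
        permissive = json.loads(acls).get("permissive", True)
    except ValueError:
        return findings + ["acls is not valid JSON"]
    if permissive:  # Mesos default: unmatched requests are allowed
        findings.append("acls.permissive is true, unmatched requests allowed")
    return findings


def audit_credentials(text):
    """Check a text-format credentials file: one 'principal secret' per line."""
    findings, seen = [], set()
    for lineno, parts in enumerate((ln.split() for ln in text.splitlines()), 1):
        if not parts:
            continue  # blank line
        if len(parts) != 2:
            findings.append(f"line {lineno}: expected 'principal secret'")
            continue
        principal, secret = parts
        if principal in seen:
            findings.append(f"line {lineno}: duplicate principal {principal}")
        seen.add(principal)
        if len(secret) < MIN_SECRET_LEN:
            findings.append(f"line {lineno}: weak secret for {principal}")
    return findings


# Constructed sample inputs: agent authentication off, a permissive ACL set,
# and a credentials file that still carries the placeholder from the docs.
SAMPLE_FLAGS = {"authenticate_frameworks": "true", "authenticate_agents": "false",
                "authenticate_http_readwrite": "true",
                "acls": '{"permissive": true, "register_frameworks": []}'}
SAMPLE_CREDENTIALS = "marathon Qm9yaW5nIGJ1dCBsb25nIGVub3VnaA==\nprincipal2 secret2\n"
```

Feed it the JSON from `curl -s http://MASTER:5050/master/flags | jq .flags` and the contents of /etc/mesos/credentials; any non-empty result is a hardening gap.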
¶ 2) Secure Transport and Secrets
- Enable TLS for APIs: Configure SSL certificates for master and agent APIs
- Use strong ciphers: Configure TLS with modern cipher suites only
- Certificate management: Use valid certificates from trusted CAs
- Regular rotation: Rotate certificates before expiration
- Encrypt credentials at rest: Protect credential files with filesystem encryption
- Restrict file permissions: Use chmod 600 for sensitive config files
- Use secret management: Integrate with HashiCorp Vault or similar
- Avoid plaintext in configs: Use environment variables or secret stores
- Enable ZooKeeper authentication: Configure SASL authentication for ZK
- Restrict ZK access: Limit ZooKeeper to private management network
- Secure ZK data: Enable encryption for ZK client connections
- Isolate ZK ensemble: Run ZooKeeper on dedicated secure hosts
# Verify ZooKeeper access restrictions
sudo ss -tulpn | grep ':2181'
# ZooKeeper 3.5+ only answers four-letter words listed in 4lw.commands.whitelist
echo "ruok" | nc localhost 2181
- Isolate management network: Separate Mesos traffic from application traffic
- Firewall rules: Restrict access to Mesos ports (5050, 5051)
- VLAN segmentation: Use separate VLANs for cluster management
- Private subnets: Deploy masters and agents in private subnets
¶ 3) Isolate Workloads and Host Runtime
- Use container isolators: Enable Docker or AppC containerizers
- Configure cgroups: Set resource limits per framework/task
- Enable Linux namespaces: Isolate processes, network, and filesystem
- Restrict privileged containers: Block privileged container execution
- Harden host OS: Apply security baselines to Mesos hosts
- Limit sudo access: Restrict administrative access on agents
- Monitor host metrics: Track unusual resource consumption
- Patch management: Keep host OS and Mesos packages updated
- Review framework code: Audit framework schedulers and executors
- Limit framework permissions: Grant minimum required permissions
- Isolate frameworks: Run frameworks in separate containers/VMs
- Monitor framework behavior: Alert on unusual framework activity
- Segment data plane: Separate management and data-plane networks
- Apply network policies: Use firewall rules between components
- Restrict egress: Limit outbound connections from tasks
- Monitor network traffic: Detect unusual communication patterns
¶ 4) Monitoring and Incident Response
- Enable audit logging: Log all authentication and authorization events
- Centralize logs: Forward logs to SIEM or log management platform
- Monitor master logs: Watch for authentication failures
- Track framework events: Log framework registration and deregistration
- Alert on auth failures: Detect brute force attempts
- Monitor resource usage: Alert on unusual resource consumption
- Track configuration changes: Audit Mesos configuration modifications
- Watch for rogue frameworks: Detect unauthorized framework registrations
- Document response procedures: Create runbooks for security incidents
- Isolation procedures: Know how to isolate compromised components
- Credential rotation: Have procedures for emergency credential rotation
- Backup and recovery: Maintain secure backups of configurations
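The "alert on auth failures" item above, as an added example that is not part of the original page: a detector that pulls authentication failures out of glog-format master log lines (using the same keywords as the grep under Verification Commands) and reports principals whose failures cluster inside a one-minute window. The log message wording, principal names, threshold and window are constructed assumptions, not Mesos's exact log text.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# glog line shape used by the Mesos master: Lmmdd HH:MM:SS.micros tid file:line] msg
GLOG = re.compile(r"^([IWEF])(\d{4}) (\d\d:\d\d:\d\d)\.\d+\s+\d+ \S+\] (.*)$")
# Same keywords the grep in the verification commands uses.
FAILURE = re.compile(r"authentication failure|unauthorized|denied", re.I)
PRINCIPAL = re.compile(r"principal '([^']+)'")


def parse_failures(lines, year=2025):
    """Return (timestamp, principal) for each line that reports an auth failure.
    glog omits the year, so the caller supplies it."""
    events = []
    for line in lines:
        m = GLOG.match(line)
        if not m or not FAILURE.search(m.group(4)):
            continue
        ts = datetime.strptime(f"{year}{m.group(2)} {m.group(3)}", "%Y%m%d %H:%M:%S")
        who = PRINCIPAL.search(m.group(4))
        events.append((ts, who.group(1) if who else "unknown"))
    return events


def find_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Map each principal whose failures reach `threshold` inside any
    `window` to its peak count (a sliding-window brute-force detector)."""
    by_principal = defaultdict(list)
    for ts, principal in events:
        by_principal[principal].append(ts)
    bursts = {}
    for principal, times in by_principal.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[principal] = peak
    return bursts


# Constructed sample log: six rapid failures for 'scanner', single ones elsewhere.
SAMPLE_LOG = ["I0315 10:00:00.000001 2201 master.cpp:100] Framework registered: marathon",
              "W0315 10:03:00.000001 2201 master.cpp:200] Authentication failure: principal 'marathon'",
              "W0315 10:04:00.000001 2201 master.cpp:300] Authorization denied for principal 'ci'"]
SAMPLE_LOG += [f"W0315 10:00:{5 * i:02d}.000001 2201 master.cpp:200] "
               "Authentication failure: principal 'scanner'" for i in range(6)]
```

Run `find_bursts(parse_failures(open("/var/log/mesos/mesos-master.INFO")))` on a real master log and forward any non-empty result to the SIEM as an alert.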
¶ Verification Commands
# Check Mesos version (if installed)
mesos-master --version 2>/dev/null || mesos-agent --version 2>/dev/null
# Verify authentication configuration
grep -R "authenticate\|authorize\|credentials\|ssl" /etc/mesos* 2>/dev/null | head -20
# Check listening ports
sudo ss -tulpn | grep -E ':5050|:5051|:2181'
# Verify credential file permissions
ls -la /etc/mesos/credentials 2>/dev/null
# Check ZooKeeper connection
echo "ruok" | nc localhost 2181 2>/dev/null || echo "ZK not responding"
# Review Mesos logs for auth failures
grep -i "authentication\|unauthorized\|denied" /var/log/mesos/*.log 2>/dev/null | tail -20
# Check TLS configuration
openssl s_client -connect localhost:5050 -tls1_2 </dev/null 2>/dev/null | head -10
- Apache Mesos Documentation: https://mesos.apache.org/documentation/
- Mesos Authentication: https://mesos.apache.org/documentation/latest/authentication/
- Mesos Authorization: https://mesos.apache.org/documentation/latest/authorization/
- Mesos SSL Configuration: https://mesos.apache.org/documentation/latest/ssl/
- Apache Attic (Retired): https://attic.apache.org/projects/mesos.html
- Mesos Source Repository: https://github.com/apache/mesos
For teams running Mesos in production:
- Assess current workloads: Document all frameworks and jobs
- Evaluate alternatives: Kubernetes, Nomad, or other orchestrators
- Plan migration path: Phased approach with parallel operation
- Test thoroughly: Validate workloads on new platform
- Decommission Mesos: Remove after successful migration