This topic describes how to deploy a non-native instance of Marathon with isolated roles, reservations, and quotas. This procedure does not support secrets or fine-grained ACLs. If you require these features, you must use the custom non-native Marathon procedure.
Prerequisites:
- DC/OS and DC/OS CLI installed.
- DC/OS Enterprise CLI 0.4.14 or later.
- You must be logged in as a superuser.
- SSH access to the cluster.
Step 1 - Reserve Resources
In this step, Mesos resources are reserved. Choose the procedure for either static or dynamic reservations.
Static Reservations
- SSH to your private agent node.

  ```shell
  dcos node ssh --master-proxy --mesos-id=<agent-id>
  ```

- Navigate to /var/lib/dcos and create a file named mesos-slave-common with these contents, where <myrole> is the name of your role.

  ```
  MESOS_DEFAULT_ROLE='<myrole>'
  ```

- Stop the private agent node:

  ```shell
  sudo sh -c 'systemctl kill -s SIGUSR1 dcos-mesos-slave && systemctl stop dcos-mesos-slave'
  ```

- Add the node back to your cluster.
  - Reload the systemd configuration.

    ```shell
    sudo systemctl daemon-reload
    ```

  - Remove the latest metadata pointer on the agent node:

    ```shell
    sudo rm /var/lib/mesos/slave/meta/slaves/latest
    ```

  - Start your agents with the newly configured attributes and resource specification.

    ```shell
    sudo systemctl start dcos-mesos-slave
    ```

    You can check the status with this command:

    ```shell
    sudo systemctl status dcos-mesos-slave
    ```

- Repeat these steps for each additional node.
Dynamic Reservations
Reserve resources for your non-native Marathon instance with the Mesos ID (<mesos-id>), user ID (<userid>), role (<myrole>), and ports (<begin-port> and <end-port>) specified. The -k flag skips TLS certificate verification for this request; drop it if the host running the command trusts the cluster's certificate.

```shell
curl -i -k \
  -H "Authorization: token=`dcos config show core.dcos_acs_token`" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -d '{
    "type": "RESERVE_RESOURCES",
    "reserve_resources": {
      "agent_id": {
        "value": "<mesos-id>"
      },
      "resources": [
        {
          "type": "SCALAR",
          "name": "cpus",
          "reservation": {
            "principal": "<userid>"
          },
          "role": "<myrole>",
          "scalar": {
            "value": 1.0
          }
        },
        {
          "type": "SCALAR",
          "name": "mem",
          "reservation": {
            "principal": "<userid>"
          },
          "role": "<myrole>",
          "scalar": {
            "value": 512.0
          }
        },
        {
          "type": "RANGES",
          "name": "ports",
          "reservation": {
            "principal": "<userid>"
          },
          "role": "<myrole>",
          "ranges": {
            "range": [
              {
                "begin": <begin-port>,
                "end": <end-port>
              }
            ]
          }
        }
      ]
    }
  }' \
  -X POST "`dcos config show core.dcos_url`/mesos/api/v1"
```
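As an added example (not from the DC/OS documentation), the Python below builds the same RESERVE_RESOURCES body for any mix of scalar resources and port ranges and rejects input the master would refuse or that would reserve for the wrong role; post_reservation is a hypothetical helper that sends the body the way the curl command does, with TLS verification left on, and every agent ID, principal and port used in the test is a constructed value.

```python
import json
import urllib.request

SCALAR_NAMES = ("cpus", "mem", "disk")  # standard Mesos scalar resources


def build_reserve_request(agent_id: str, principal: str, role: str,
                          scalars: dict, port_ranges: list) -> dict:
    """Return the RESERVE_RESOURCES body the curl call above sends, for any mix
    of scalar resources and port ranges; raises ValueError for input the Mesos
    master would reject or that would reserve resources for the wrong role."""
    if not role or role == "*":
        raise ValueError("role must be a named role, not '*' (the unreserved role)")
    if not principal:
        raise ValueError("principal (the reserving user ID) is required")
    resources = []
    for name, value in scalars.items():
        if name not in SCALAR_NAMES or value <= 0:
            raise ValueError(f"invalid scalar resource {name}={value}")
        resources.append({"type": "SCALAR", "name": name,
                          "reservation": {"principal": principal},
                          "role": role, "scalar": {"value": float(value)}})
    ranges = []
    for begin, end in port_ranges:
        if not (1 <= begin <= end <= 65535):
            raise ValueError(f"invalid port range {begin}-{end}")
        ranges.append({"begin": begin, "end": end})
    if ranges:  # one RANGES resource carries all port ranges
        resources.append({"type": "RANGES", "name": "ports",
                          "reservation": {"principal": principal},
                          "role": role, "ranges": {"range": ranges}})
    return {"type": "RESERVE_RESOURCES",
            "reserve_resources": {"agent_id": {"value": agent_id},
                                  "resources": resources}}


def post_reservation(dcos_url: str, acs_token: str, request: dict) -> int:
    """POST the request to <dcos_url>/mesos/api/v1 and return the HTTP status.
    dcos_url and acs_token are the values of `dcos config show core.dcos_url`
    and `core.dcos_acs_token`; TLS verification stays on (no curl -k here)."""
    req = urllib.request.Request(
        dcos_url.rstrip("/") + "/mesos/api/v1",
        data=json.dumps(request).encode(), method="POST",
        headers={"Authorization": "token=" + acs_token,
                 "Content-Type": "application/json",
                 "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```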
Step 2 - Install a Non-Native Marathon Instance with Assigned Role
In this step, a non-native Marathon instance is installed on DC/OS with the Mesos role assigned.
- Create a custom JSON config file and save it as marathon-config.json. This file is used to install the custom non-native Marathon instance.

  ```json
  {
    "marathon": {
      "mesos-role": "<myrole>",
      "role": "<myrole>",
      "default-accepted-resource-roles": "*,<myrole>"
    }
  }
  ```

- Install the Marathon package from Catalog with the custom JSON configuration (marathon-config.json) specified.

  ```shell
  dcos package install --options=marathon-config.json marathon
  ```
Step 3 - Create a Marathon Service Account
In this step, a Marathon Service Account is created. Depending on your security mode, a Marathon Service Account is either optional or required.
Security Mode | Marathon Service Account
---|---
Permissive | Optional
Strict | Required

- Create a 2048-bit RSA public-private key pair (<private-key>.pem and <public-key>.pem) and save each value into a separate file within the current directory.

  ```shell
  dcos security org service-accounts keypair <private-key>.pem <public-key>.pem
  ```

- Create a new service account called <service-account-id>, with the public key specified (<public-key>.pem).

  ```shell
  dcos security org service-accounts create -p <public-key>.pem -d "Non-native Marathon service account" <service-account-id>
  ```
Step 4 - Assign Permissions (Strict mode only)
In this step, permissions are assigned to the Marathon-on-Marathon instance. Permissions are required in strict mode and are ignored in permissive security mode.
All CLI commands can also be executed via the IAM API.
Security Mode | Permissions
---|---
Permissive | Not available
Strict | Required

Grant the permission for user <uid> to launch Mesos tasks that will execute as Linux user nobody. To allow executing tasks as a different Linux user, replace nobody with that user's Linux user ID. For example, to launch tasks as Linux user bob, replace nobody with bob below. Note that the nobody and root users exist on all agents by default, but if a custom bob user is specified it must have been manually created (using the adduser or similar utility) on every agent that tasks can be executed on.

```shell
dcos security org users grant <uid> dcos:mesos:master:task:user:nobody create --description "Tasks can execute as Linux user nobody"
dcos security org users grant <uid> dcos:mesos:master:framework:role:<myrole> create --description "Controls the ability of <myrole> to register as a framework with the Mesos master"
dcos security org users grant <uid> dcos:mesos:master:reservation:role:<myrole> create --description "Controls the ability of <myrole> to reserve resources"
dcos security org users grant <uid> dcos:mesos:master:volume:role:<myrole> create --description "Controls the ability of <myrole> to access volumes"
dcos security org users grant <uid> dcos:mesos:master:reservation:principal:<uid> delete --description "Controls the ability of <uid> to reserve resources"
dcos security org users grant <uid> dcos:mesos:master:task:app_id:/ create --description "Controls the ability to launch tasks"
dcos security org users grant <uid> dcos:mesos:master:volume:principal:<uid> delete --description "Controls the ability of <uid> to access volumes"
```
Step 5 - Grant User Access to Non-Native Marathon
In this step, a user is granted access to the non-native Marathon instance.
- Log in to the DC/OS web interface as a user with the superuser permission.

  Figure 1. DC/OS web interface login screen.

- Select Organization and choose Users or Groups.
- Select the name of the user or group to grant the permission to.

  Figure 2. Select user or group permission.

- From the Permissions tab click ADD PERMISSION.
- Click INSERT PERMISSION STRING to toggle the dialog.

  Figure 3. Add permissions.

- Copy and paste the permission into the Permissions Strings field. Choose the permission strings based on your security mode.

  Permissive

  - Full access

    ```
    dcos:adminrouter:service:<service-name> full
    dcos:service:marathon:<service-name>:services:/ full
    dcos:adminrouter:ops:mesos full
    dcos:adminrouter:ops:slave full
    ```

  - Access to an individual service or group

    Specify the service or group (<service-or-group>) and action (<action>). Actions can be either create, read, update, delete, or full. To permit more than one operation, use a comma to separate them, for example: dcos:service:marathon:<service-name>:services:/<service-or-group> read,update.

    ```
    dcos:adminrouter:service:<service-name> full
    dcos:service:marathon:<service-name>:services:/<service-or-group> <action>
    dcos:adminrouter:ops:mesos full
    dcos:adminrouter:ops:slave full
    ```

  Strict

  - Full access

    ```
    dcos:adminrouter:service:<service-name> full
    dcos:service:marathon:<service-name>:services:/ full
    dcos:adminrouter:ops:mesos full
    dcos:adminrouter:ops:slave full
    dcos:mesos:agent:executor:app_id:/ read
    dcos:mesos:agent:framework:role:<myrole> read
    dcos:mesos:agent:sandbox:app_id:/ read
    dcos:mesos:agent:task:app_id:/ read
    dcos:mesos:master:executor:app_id:/ read
    dcos:mesos:master:framework:role:<myrole> read
    dcos:mesos:master:task:app_id:/ read
    ```

  - Access to an individual service or group

    Specify the service or group (<service-or-group>), service name (<service-name>), role (<myrole>), and action (<action>). Actions can be either create, read, update, delete, or full. To permit more than one operation, use a comma to separate them, for example: dcos:service:marathon:<service-name>:services:/<service-or-group> read,update.

    ```
    dcos:adminrouter:service:<service-name> full
    dcos:service:marathon:<service-name>:services:/<service-or-group> <action>
    dcos:adminrouter:ops:mesos full
    dcos:adminrouter:ops:slave full
    dcos:mesos:agent:executor:app_id:/<service-or-group> read
    dcos:mesos:agent:framework:role:<myrole> read
    dcos:mesos:agent:sandbox:app_id:/<service-or-group> read
    dcos:mesos:agent:task:app_id:/<service-or-group> read
    dcos:mesos:master:executor:app_id:/<service-or-group> read
    dcos:mesos:master:framework:role:<myrole> read
    dcos:mesos:master:task:app_id:/<service-or-group> read
    ```

- Click ADD PERMISSIONS and then Close.
Step 6 - Access the Non-Native Marathon Instance
In this step, you log in as an authorized user to the non-native Marathon DC/OS service.
- Launch the non-native Marathon interface at http://<master-public-ip>/service/<service-name>/.
- Enter your username and password and click LOG IN.

  Figure 4. DC/OS log in screen.

You are done!

Figure 5. Success screen.