OWNerchestration - Overview

Managing containers and jobs spread across multiple servers within a data-center can be a very tedious task. Thankfully, job orchestration software (e.g. Mesos, DC/OS, Marathon, Chronos, etc…) has recently emerged that makes many of these unwieldy management tasks dead simple for organizations to leverage.

Many large companies are already using some of these software solutions to easily scale their production applications to support massive data-center wide workloads, see: http://mesos.apache.org/documentation/latest/powered-by-mesos/

Unfortunately, when left with the default configuration, many of these software solutions are one pivot away from an attacker compromising every server you have joined into these production data-center clusters of computing power.

Data-Center Operating System (DC/OS) is a distributed, highly available task/job scheduler based on Apache Mesos, which makes running jobs and/or containers in production across a data-center of servers child’s play by tying together many of these independent software packages into a cohesive and smooth platform.

An example DC/OS deployment will look something like the following within a logical network map…


I am going to walk you through the various steps needed to pwn a default configuration of DC/OS, Mesos, etc… in this series of posts. While you may find implementations of these software packaged on the Internet that are noticeably less secure and hopefully you will find implementations in enterprises that are considerably more secure, this research serves as a starting point to hopefully help you get orientated and ensure that your implementations are at least not egregiously insecure.

Bryce KunzComment