Subject: Re: Review Request 42047: Specified the CgroupsNetClsIsolatorProcess class.
From: "Cong Wang"
To: "Jie Yu"
Cc: "Cong Wang", "Avinash sridharan", "mesos"
Date: Fri, 15 Jan 2016 19:21:10 -0000
Message-ID: <20160115192110.26792.76320@reviews.apache.org>
In-Reply-To: <20160115060043.26792.8179@reviews.apache.org>
X-ReviewRequest-URL: https://reviews.apache.org/r/42047/

> On Jan. 15, 2016, 6 a.m., Cong Wang wrote:
> > Why do we need netcls to regulate framework traffic on a per-container basis? Given the fact that a) the port range based filters already work and the code (see egress fq_codel) already exists b) we only have port range based network isolation so far.
> >
> > I see no point of this. Please describe your use case with details, just pointing to netcls kernel doc doesn't help at all.
>
> Cong Wang wrote:
>     Since no one answers this, I assume no one in Mesosphere actually understands it... So looks like you are pushing something no one is actually going to use.
>
> Avinash sridharan wrote:
>     The egress_fq_codel that you are pointing to (I am assuming this is the jira you are referring to https://issues.apache.org/jira/browse/MESOS-2422) needs port mapping isolator to enforce QoS on any egress traffic shaping/policing, and for that matter any network policy enforcement.
>
>     The net_cls cgroup is a linux kernel construct that allows operators to support traffic shaping/policing and any network policy enforcement using existing networking tools like tc and iptables.
>     By enabling net_cls cgroup it gives mesos a more generalized way of allowing operators to enforce network policy irrespective of whether the task is running in the global namespace or in a specific network namespace. In other words it will allow network policy enforcement to take place irrespective of the type of network isolator you are using. For e.g., if someone wants to use ip-per-container (MESOS-2044) vs the port mapping isolator, operators would still be able to perform policy enforcement without relying on the network isolator to provide those constructs.

True, I know what netcls is more than you do, but you just ignore the fact that we _only_ have port mapping isolator in our _current_ code, that is my whole point. We can always add this _after_ ip-per-container work is merged in upstream, it is never too late. No need to mention this is hard to work together with the fq_codel filters on egress. This is why I ask for more details, but you still don't give any detail so far.


- Cong


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/42047/#review114665
-----------------------------------------------------------


On Jan. 15, 2016, 5:42 p.m., Avinash sridharan wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/42047/
> -----------------------------------------------------------
>
> (Updated Jan. 15, 2016, 5:42 p.m.)
>
>
> Review request for mesos and Jie Yu.
>
>
> Bugs: MESOS-4262
>     https://issues.apache.org/jira/browse/MESOS-4262
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Specified the CgroupsNetClsIsolatorProcess class. This adds the ability to isolate a mesos container using the net_cls cgroup subsystem.
>
>
> Diffs
> -----
>
>   src/CMakeLists.txt 39a23df3227a4f524ea0d408dc894fa5bbab7d10
>   src/Makefile.am 8cbfb1ba5fa49f2d3cc26ea325838a1c68a79660
>   src/slave/containerizer/mesos/isolators/cgroups/net_cls.hpp PRE-CREATION
>   src/slave/containerizer/mesos/isolators/cgroups/net_cls.cpp PRE-CREATION
>
> Diff: https://reviews.apache.org/r/42047/diff/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Avinash sridharan
>
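The mechanism Avinash describes above (a container's net_cls classid being consumed by tc and iptables independently of the network isolator) in concrete form. This is an added example, not code from the Mesos review or the Mesos tree: the cgroup path, device name, handles and rate are assumptions, and the commands are only printed, never executed, so it runs unprivileged.

```shell
#!/bin/sh
# Added example (not from the Mesos review or its code). The kernel stores
# net_cls.classid as 0xAAAABBBB: tc major handle in the upper 16 bits, minor
# in the lower 16. The cgroup tc filter classifies a packet by that value, and
# the xt_cgroup iptables match (kernel 3.14+) filters on it.

# netcls_classid MAJOR MINOR -> hexadecimal classid (1 3 -> 0x10003)
netcls_classid() {
    printf '0x%x\n' $(( ($1 << 16) | $2 ))
}

# netcls_split CLASSID -> "MAJOR:MINOR" as tc prints it (65539 -> 1:3)
netcls_split() {
    printf '%x:%x\n' $(( $1 >> 16 )) $(( $1 & 0xffff ))
}

# netcls_plan CGROUP DEV MAJOR MINOR RATE
# Prints the operator commands that tag a container's cgroup and then
# shape and filter its traffic. CGROUP is a hypothetical cgroup path under
# the net_cls hierarchy; DEV and RATE are assumptions.
netcls_plan() {
    cgroup=$1; dev=$2; major=$3; minor=$4; rate=$5
    classid=$(netcls_classid "$major" "$minor")
    cat <<EOF
echo $classid > /sys/fs/cgroup/net_cls/$cgroup/net_cls.classid
tc qdisc add dev $dev root handle $major: htb
tc class add dev $dev parent $major: classid $major:$minor htb rate $rate
tc filter add dev $dev parent $major: protocol ip prio 10 handle 1: cgroup
iptables -A OUTPUT -m cgroup --cgroup $classid -j ACCEPT
EOF
}

# Demo with constructed values: container "ctr1" under an assumed "mesos" group.
netcls_plan mesos/ctr1 eth0 1 3 10mbit
```

The printed commands work whether the task runs in the host network namespace or in its own, which is the generality the thread argues about; only the classid tag and the matching tc/iptables rules are needed.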