mesos-reviews mailing list archives

From Qian Zhang <zhq527...@gmail.com>
Subject Re: Review Request 60496: Added socket checking to the network ports isolator.
Date Tue, 05 Sep 2017 07:25:28 GMT


> On Aug. 24, 2017, 10:53 a.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/isolators/network/ports.cpp
> > Lines 200-202 (original), 373-375 (patched)
> > <https://reviews.apache.org/r/60496/diff/15/?file=1802539#file1802539line373>
> >
> >     When a framework launches a task group, this `update()` method will be called
> >     twice for the top-level container (executor):
> >     1. When the top-level container is launched. At this time, the `resources` is
> >        the top-level container's own resources.
> >     2. When the executor subscribes to the agent (https://github.com/apache/mesos/blob/1.3.1/src/slave/slave.cpp#L3719).
> >        At this time, the `resources` is the top-level container's own resources + all nested containers'
> >        resources, so in this `update()` method, the `info->ports` for the top-level container
> >        will be updated to include the ports of all nested containers. This does not seem correct, since
> >        the executor process will be allowed to listen on ports not assigned to it.
> 
> James Peach wrote:
>     Fixed in [r/60766](https://reviews.apache.org/r/60766) by calling `update()` in the
>     root-level container pass.

So we actually cannot handle the issue that I mentioned above, because Mesos does not yet
support resource isolation for nested containers. All the resources are attached to the root
container rather than to each individual nested container; that means for port isolation we can
only do it at the pod (task group)'s resource level rather than at the nested container's resource
level. In the future, when Mesos supports resource isolation for nested containers, we can revisit
this `network/ports` isolator to make it check the ports for each individual nested container
against its *own* resources rather than the root container's resources, which is the best that
we can do currently.


- Qian


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60496/#review183696
-----------------------------------------------------------


On Aug. 31, 2017, 7:19 a.m., James Peach wrote:
> 
> 
> (Updated Aug. 31, 2017, 7:19 a.m.)
> 
> 
> Review request for mesos, Qian Zhang and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-7675
>     https://issues.apache.org/jira/browse/MESOS-7675
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Implemented ports resource restrictions in the network ports isolator.
> Periodically, scan for listening sockets and match them up to all
> the open sockets in the containers we are tracking in the network.
> Check any sockets we find against the ports resource and trigger a
> resource limitation if the port has not been allocated.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp PRE-CREATION 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/60496/diff/16/
> 
> 
> Testing
> -------
> 
> make check (Fedora 26)
> 
> 
> Thanks,
> 
> James Peach
> 
>
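As an added illustration (not code from this review or from Mesos), here is a Python sketch of the check the description above performs: parse a Mesos `ports` range resource, find LISTEN sockets in `/proc/net/tcp` layout, and report any listening port outside the allocation. The socket table and resource string are constructed, and the step that attributes each socket inode to a container is left out; as the discussion notes, the ranges passed in are the root container's, so nested-container listeners are checked against the whole pod's ports.

```python
import re

# Constructed sample in /proc/net/tcp layout (hex IP:port, st 0A == LISTEN).
# Rows: port 31000 LISTEN, port 8080 LISTEN, port 31001 ESTABLISHED (not a listener).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:7918 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:7919 0100007F:D4A2 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

# Constructed ports resource in Mesos range syntax, as allocated to the root container.
SAMPLE_PORTS_RESOURCE = "ports(*):[31000-31005, 31010-31012]"

TCP_LISTEN = "0A"  # socket state code used by /proc/net/tcp


def parse_ports_resource(resource: str) -> list[tuple[int, int]]:
    """Return the inclusive [begin, end] ranges of a Mesos ports resource."""
    return [(int(b), int(e)) for b, e in re.findall(r"(\d+)-(\d+)", resource)]


def listening_ports(proc_net_tcp: str) -> set[int]:
    """Extract local ports of sockets in LISTEN state from /proc/net/tcp text."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        # local_address is "HEXIP:HEXPORT"; the port is the hex part after ':'
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


def unallocated_listeners(listening: set[int], ranges: list[tuple[int, int]]) -> list[int]:
    """Ports being listened on that fall outside every allocated range."""
    return sorted(p for p in listening if not any(b <= p <= e for b, e in ranges))


def check_container(proc_net_tcp: str, resource: str) -> list[int]:
    """One isolator pass: a non-empty result is what would trigger a resource limitation."""
    return unallocated_listeners(listening_ports(proc_net_tcp), parse_ports_resource(resource))


if __name__ == "__main__":
    print(check_container(SAMPLE_PROC_NET_TCP, SAMPLE_PORTS_RESOURCE))  # [8080]
```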

