mesos-reviews mailing list archives

From James Peach <jpe...@apache.org>
Subject Re: Review Request 68366: Added agent protected port range option in network isolator.
Date Wed, 22 Aug 2018 19:27:29 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207762
-----------------------------------------------------------



Can you please update the commit comment to better describe the specific changes?

Maybe something along these lines:

```
Added a custom port range option to the `network/ports` isolator.

Added the `--foo-bar` flag to the `network/ports` isolator. This allows
the operator to specify a custom port range to be protected by the isolator. If a task
listens on a port that it isn't holding resources for, the isolator will
not raise a limitation unless the port is within this range. We can
represent the `--check_agent_port_range_only` as a special case of a
protected range.

etc ...
```


src/slave/containerizer/mesos/isolators/network/ports.cpp
Lines 285 (patched)
<https://reviews.apache.org/r/68366/#comment291268>

    Add a test case for this?



src/slave/containerizer/mesos/isolators/network/ports.cpp
Lines 288 (patched)
<https://reviews.apache.org/r/68366/#comment291267>

    Don't exit, just return the error.



src/slave/containerizer/mesos/isolators/network/ports.cpp
Lines 352 (patched)
<https://reviews.apache.org/r/68366/#comment291265>

    Make this "ports".



src/slave/containerizer/mesos/isolators/network/ports.cpp
Lines 364 (patched)
<https://reviews.apache.org/r/68366/#comment291266>

    "Invalid port range resource type"



src/slave/containerizer/mesos/isolators/network/ports.cpp
Line 340 (original), 378 (patched)
<https://reviews.apache.org/r/68366/#comment291269>

    Let's add a log message after this with the protected port range here:
    ```
    LOG(INFO) << "isolating ports " << stringify(protectedPorts);
    ```
    
    We could even simplify this a bit more by defaulting `protectedPorts` to `[0-65535]`.



src/tests/containerizer/ports_isolator_tests.cpp
Lines 979 (patched)
<https://reviews.apache.org/r/68366/#comment291271>

    "because we want to show that invalid port usage outside the protected range is allowed"



src/tests/containerizer/ports_isolator_tests.cpp
Lines 1016 (patched)
<https://reviews.apache.org/r/68366/#comment291272>

    I'm a little uncomfortable with the hard-coded port numbers here.
    
    Maybe:
    ```
    uint16_t usedPort;

    // We need to use a port that is inside the offered resources but outside the
    // isolated range and not the same as the one we are accepting from the offer.
    do {
      usedPort = selectOtherPort(resources, taskPort);
    } while (usedPort < 45000 || usedPort > 45002);
    ```



src/tests/containerizer/ports_isolator_tests.cpp
Lines 1066 (patched)
<https://reviews.apache.org/r/68366/#comment291270>

    "is not in"


- James Peach


On Aug. 22, 2018, 5:35 p.m., Xudong Ni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
> 
> (Updated Aug. 22, 2018, 5:35 p.m.)
> 
> 
> Review request for mesos and James Peach.
> 
> 
> Bugs: MESOS-9133
>     https://issues.apache.org/jira/browse/MESOS-9133
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> For a network isolator disabled environment, in practice, there could
> be a lot of users already binding to ephemeral ports; it would take
> a lot of effort to find/notify/modify those apps. In order to take
> advantage of the network isolator and enable it in such a system, it would
> be useful to add a mesos-agent configuration option to allow enforcing
> port isolation in only the specified port range.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e 
>   docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
>   src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f 
>   src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b 
>   src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 

> 
> 
> Diff: https://reviews.apache.org/r/68366/diff/6/
> 
> 
> Testing
> -------
> 
> New test added to test feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1886 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1887 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1900 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test updated to test the negative cases:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (58 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (58 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (69 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test for isolator feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1992 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1993 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (2004 ms total)
> [  PASSED  ] 1 test.
> 
> 
> Thanks,
> 
> Xudong Ni
> 
>
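The commit-message sketch in James Peach's review above describes the rule the protected port range adds: a task listening on a port it holds no resources for triggers a limitation only if that port lies inside the protected range, and `--check_agent_port_range_only` becomes the special case where the protected range is the agent's own port resource range. The following C++ block is an added illustration of that decision logic, not code from the Mesos `network/ports` isolator or from this review; the `PortRange` struct, `shouldRaiseLimitation`, `protectedRangeFor` and the sample port numbers are all constructed for the example.

```cpp
#include <cstdint>
#include <iostream>
#include <vector>

// A closed port interval [begin, end], the shape of one entry in a Mesos
// `ports` range resource such as `ports:[31000-32000]`. Constructed for this
// example; it is not the isolator's own type.
struct PortRange {
  uint16_t begin;
  uint16_t end;
};

// Defaulting the protected range to every port reproduces the behaviour the
// isolator had before a custom range existed (the reviewer's suggestion).
const PortRange kAllPorts = {0, 65535};

bool inRange(const PortRange& range, uint16_t port) {
  return port >= range.begin && port <= range.end;
}

bool inAnyRange(const std::vector<PortRange>& ranges, uint16_t port) {
  for (const PortRange& range : ranges) {
    if (inRange(range, port)) {
      return true;
    }
  }
  return false;
}

// Decide whether a socket listening on `listenPort` should raise a container
// limitation. `allocated` holds the port ranges the task was offered and
// accepted; `protectedPorts` is the operator-configured range to enforce.
bool shouldRaiseLimitation(uint16_t listenPort,
                           const std::vector<PortRange>& allocated,
                           const PortRange& protectedPorts) {
  // A port the task holds resources for is always allowed.
  if (inAnyRange(allocated, listenPort)) {
    return false;
  }
  // An unallocated port is a violation only inside the protected range;
  // outside it (e.g. legacy users of ephemeral ports) the isolator stays quiet.
  return inRange(protectedPorts, listenPort);
}

// `--check_agent_port_range_only` expressed as a special case of a protected
// range: protect exactly the agent's advertised port resources, else all ports.
PortRange protectedRangeFor(bool checkAgentPortRangeOnly,
                            const PortRange& agentPorts) {
  return checkAgentPortRangeOnly ? agentPorts : kAllPorts;
}

int main() {
  // Constructed sample: the agent advertises [31000-32000], the task was
  // allocated [31000-31010], and the operator protects only [45000-45002].
  const PortRange agentPorts = {31000, 32000};
  const std::vector<PortRange> allocated = {{31000, 31010}};
  const PortRange protectedPorts = {45000, 45002};

  std::cout << "31005 (allocated): "
            << shouldRaiseLimitation(31005, allocated, protectedPorts) << "\n"; // 0
  std::cout << "45001 (unallocated, protected): "
            << shouldRaiseLimitation(45001, allocated, protectedPorts) << "\n"; // 1
  std::cout << "8080 (unallocated, outside protected range): "
            << shouldRaiseLimitation(8080, allocated, protectedPorts) << "\n"; // 0
  std::cout << "31500 (agent-range-only mode): "
            << shouldRaiseLimitation(31500, allocated,
                                     protectedRangeFor(true, agentPorts))
            << "\n"; // 1
  return 0;
}
```

The third case is the one the review's test comment calls out: an unallocated port outside the protected range is tolerated, which is exactly what lets an operator enable the isolator on a host where existing processes already bind ephemeral ports.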

