Documentation for namespaces/pid isolator. Review: https://reviews.apache.org/r/27585
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/3eb6382f Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/3eb6382f Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/3eb6382f Branch: refs/heads/master Commit: 3eb6382f86473d86c6c2c3b57a739b6b3c7d86fa Parents: 47da3b8 Author: Ian Downes <[email protected]> Authored: Tue Nov 4 11:25:55 2014 -0800 Committer: Ian Downes <[email protected]> Committed: Tue Nov 4 12:10:59 2014 -0800 ---------------------------------------------------------------------- docs/mesos-containerizer.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/mesos/blob/3eb6382f/docs/mesos-containerizer.md ---------------------------------------------------------------------- diff --git a/docs/mesos-containerizer.md b/docs/mesos-containerizer.md index 7170a83..e4b2c24 100644 --- a/docs/mesos-containerizer.md +++ b/docs/mesos-containerizer.md 
@@ -40,3 +40,21 @@ executor's work directory (mode 1777) and simultaneously mount it as /tmp inside the container. This is transparent to processes running inside the container. Containers will not be able to see the host's /tmp or any other container's /tmp. + +### Pid Namespace + +The Pid Namespace isolator can be used to isolate each container in +a separate pid namespace with two main benefits: +1. Visibility: Processes running in the container (executor and + descendants) are unable to see or signal processes outside the + namespace. +2. Clean termination: Termination of the leading process in a pid + namespace will result in the kernel terminating all other processes + in the namespace. + +The Launcher will use (2) during destruction of a container in +preference to the freezer cgroup, avoiding known kernel issues related +to freezing cgroups under OOM conditions. + +/proc will be mounted for containers so tools such as 'ps' will work +correctly.
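Review bot: The new section never says how the isolator is enabled; the commit message calls it the `namespaces/pid` isolator, but that name does not appear in the added text, so a reader of docs/mesos-containerizer.md cannot map "Pid Namespace" to the value they must pass to the slave's isolation flag. Suggest opening the section with a sentence that names it, e.g. "The Pid Namespace isolator (`namespaces/pid`) can be used to isolate ...". Two smaller points on the same hunk: the visibility benefit is stated only from the container's side, and it is worth adding that the isolation is one-way (processes in the parent namespace on the host still see and can signal the container's processes, which is what host-side monitoring and the Launcher's own termination rely on); and the numbered list follows "two main benefits:" with no blank line, which some Markdown renderers will fold into the preceding paragraph, so insert a blank line before `1. Visibility:` and consider `` `ps` `` rather than `'ps'` to match the code formatting used elsewhere in the doc.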
