Added Linux Namespaces semantic doc.

This patch adds a table showing the current semantics of the namespaces that the Linux launcher supports for top level and nested containers.
Review: https://reviews.apache.org/r/54073/

Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/ca69c77f
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/ca69c77f
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/ca69c77f

Branch: refs/heads/master
Commit: ca69c77fc49903d7c913b0b5cd6198f811636253
Parents: 8186f03
Author: Gilbert Song <songzihao1...@gmail.com>
Authored: Thu Oct 12 17:15:12 2017 -0700
Committer: Gilbert Song <songzihao1...@gmail.com>
Committed: Thu Oct 12 18:19:59 2017 -0700

----------------------------------------------------------------------
docs/containerizer-internals.md | 59 +++++++++++++++++++++++++++++++++---
1 file changed, 55 insertions(+), 4 deletions(-)
----------------------------------------------------------------------

http://git-wip-us.apache.org/repos/asf/mesos/blob/ca69c77f/docs/containerizer-internals.md
----------------------------------------------------------------------
diff --git a/docs/containerizer-internals.md b/docs/containerizer-internals.md index 5e4f349..63bc8e6 100644 --- a/docs/containerizer-internals.md +++ b/docs/containerizer-internals.md
@@ -114,14 +114,65 @@ Launcher is responsible for forking/destroying containers. * Signals the child process to continue (exec'ing) by writing a character to the write end of the pipe in the parent process. +Starting from Mesos 1.1.0, [nested container](nested-container-and-task-group.md) +is supported. The Linux Launcher is responsible to fork the subprocess +for the nested container with appropriate Linux namespaces being +cloned. The following is the table for Linux namespaces that +are supported for top level and nested containers. + +###### Linux Namespaces + +<table class="table table-striped"> + <tr> + <th>Linux Namespaces</th> + <th>Top Level Container</th> + <th>Nested Container</th> + </tr> + <tr> + <td>Mount</td> + <td>Not shared</td> + <td>Not shared</td> + </tr> + <tr> + <td>PID</td> + <td>Configurable</td> + <td>Configurable</td> + </tr> + <tr> + <td>Network & UTS</td> + <td>Configurable</td> + <td>Shared w/ parent</td> + </tr> + <tr> + <td>IPC</td> + <td>Not shared -> configurable (TBD)</td> + <td>Not shared -> configurable (TBD)</td> + </tr> + <tr> + <td>Cgroup</td> + <td>Shared w/ agent -> Not shared (TBD)</td> + <td>Shared w/ parent -> Not shared (TBD)</td> + </tr> + <tr> + <td>User (not supported)</td> + <td>Shared w/ agent</td> + <td>Shared w/ parent</td> + </tr> +</table> + +*Note: For the top level container, `shared` means that the container +shares the namespace from the agent. For the nested container, `shared` +means that the nested container shares the namespace from its parent +container. + ###### Posix launcher (TBD) <a name="Isolators"></a> -##### Isolators +##### [Isolators](mesos-containerizer.md#isolators) -Isolators are responsible for creating an environment for the -containers where resources like cpu, network, storage and memory can -be isolated from other containers. 
+[Isolators](mesos-containerizer.md#isolators) are responsible for creating +an environment for the containers where resources like cpu, network, +storage and memory can be isolated from other containers. ### Containerizer states
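Review bot: The IPC and Cgroup rows of the new table (`Not shared -> configurable (TBD)`, `Shared w/ agent -> Not shared (TBD)`) do not say which side of the arrow is what the launcher does today, although the sentence introducing the table presents it as what is supported. Split each of those cells into a current value and a planned value, or state the arrow convention in the note under the table. The `Configurable` cells in the PID and Network rows would also be more useful with a pointer to what configures them. The note itself opens with `*Note:` and never closes the `*`, and it defines only `shared` while the cells use `Shared w/ agent`, `Shared w/ parent` and `Not shared`, so the wording in the note and in the cells should be aligned. In the `Network & UTS` cell the raw `&` should be written `&amp;` since it sits inside HTML. In the Isolators part of the hunk, the link `[Isolators](mesos-containerizer.md#isolators)` now appears both in the heading and as the first word of the paragraph directly under it; one of the two is enough.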