> On July 31, 2013, 6:41 p.m., Matthew Farrellee wrote:
> > Non-code comment from the peanut gallery - technically cgroups and
> > namespaces are separate. You get the benefits of killing an entire group of
> > processes w/ cgroups and get group stats (mem, cpu, blk), but you don't get
> > the isolation (signal sending, pid 1). You get the isolation benefit from
> > namespaces, but not group stats. To help avoid confusing others in the
> > future, consider making this the namespace_isolator.

We're just starting to rework the isolator abstraction to address these concerns, see https://issues.apache.org/jira/browse/MESOS-600

- Ian


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/13045/#review24364
-----------------------------------------------------------


On July 29, 2013, 10:52 p.m., Eric Biederman wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/13045/
> -----------------------------------------------------------
>
> (Updated July 29, 2013, 10:52 p.m.)
>
>
> Review request for mesos, Benjamin Hindman, Ben Mahler, Ian Downes, and Vinod Kone.
>
>
> Repository: mesos-git
>
>
> Description
> -------
>
> cgroup_isolator: Isolate the executor and tasks in a pid namespace.
>
> This has several advantages:
>
> - It becomes impossible to send unix signals to processes outside of
>   the pid namespace.
>
> - Forked processes can not escape the pid namespace no matter what they do.
>
> - It becomes easy to clean up a pid namespace because all processes are
>   killed when the first process the executor is killed.
>
>
> Diffs
> -----
>
>   src/slave/cgroups_isolator.cpp 0faf7d5
>
> Diff: https://reviews.apache.org/r/13045/diff/
>
>
> Testing
> -------
>
> make -j 8 check
>
> And watched the tests pass.
>
>
> Thanks,
>
> Eric Biederman
>
