[ https://issues.apache.org/jira/browse/MESOS-1574?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14061243#comment-14061243 ]

Ian Downes edited comment on MESOS-1574 at 7/14/14 9:05 PM:
------------------------------------------------------------

ip_local_port_range sets the range for local ports when opening outgoing 
connections; it does not restrict processes from binding to ports inside that 
range.

[~jaybuff] are you using a cgroups isolator? If so, you can check if the 
process' cgroup is managed by mesos, implying it's a descendant of a terminated 
mesos-slave:
{noformat}
$ cat /proc/$pid/cgroup
4:memory:/sys/fs/cgroup/memory/mesos/XXX
3:freezer:/sys/fs/cgroup/freezer/mesos/XXX
2:cpuacct:/sys/fs/cgroup/cpuacct/mesos/XXX
1:cpu:/sys/fs/cgroup/cpu/mesos/XXX
{noformat}


> what to do when a rogue process binds to a port mesos didn't allocate to it?
> ----------------------------------------------------------------------------
>
>                 Key: MESOS-1574
>                 URL: https://issues.apache.org/jira/browse/MESOS-1574
>             Project: Mesos
>          Issue Type: Improvement
>          Components: allocation, isolation
>            Reporter: Jay Buffington
>            Priority: Minor
>
> I recently had an issue where a slave had a process whose parent was init 
> that was bound to a port in the range that mesos thought was a free resource. 
>  I'm not sure if this is due to a bug in mesos (it lost track of this process 
> during an upgrade?) or if there was a bad user who started a process on the 
> host manually outside of mesos.  The process is over a month old and I have 
> no history in mesos to ask it if/when it launched the task :(
> If a rogue process binds to a port that mesos-slave has offered to the master 
> as an available resource there should be some sort of reckoning.  Mesos could:
>    * kill the rogue process
>    * rescind the offer for that port
>    * have an api that can be plugged into a monitoring system to alert humans 
> of this inconsistency
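
The cgroup check from the comment above, combined with the monitoring option from the issue description, as an added example (not code from Mesos or from either participant): it lists TCP listeners in a port range and reports whether each owning process sits in a cgroup with a `mesos` path component. The 31000-32000 range, the function names and the `proc_root` parameter are assumptions made for illustration.

```python
import os
import re

def in_mesos_cgroup(cgroup_text):
    """True if any hierarchy in /proc/<pid>/cgroup has a 'mesos' path component."""
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)          # hierarchy-id : controllers : path
        if len(parts) == 3 and "mesos" in parts[2].split("/"):
            return True
    return False

def listening_inodes(proc_root, lo, hi):
    """Map socket inode -> port for TCP sockets in LISTEN state with lo <= port <= hi."""
    found = {}
    for name in ("net/tcp", "net/tcp6"):
        try:
            with open(os.path.join(proc_root, name)) as f:
                next(f, None)                # skip the column header
                for line in f:
                    fields = line.split()
                    port = int(fields[1].rsplit(":", 1)[1], 16)
                    if fields[3] == "0A" and lo <= port <= hi:   # 0A = TCP_LISTEN
                        found[fields[9]] = port
        except OSError:
            continue                         # e.g. no IPv6 table on this host
    return found

def audit(proc_root="/proc", lo=31000, hi=32000):
    """Return sorted (port, pid, managed_by_mesos) for listeners in the assumed range."""
    inodes = listening_inodes(proc_root, lo, hi)
    results = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
            with open(os.path.join(proc_root, pid, "cgroup")) as f:
                managed = in_mesos_cgroup(f.read())
        except OSError:
            continue                         # process exited, or fds not readable without root
        for link in links:
            m = re.fullmatch(r"socket:\[(\d+)\]", link)
            if m and m.group(1) in inodes:
                results.append((inodes[m.group(1)], int(pid), managed))
    return sorted(results)

if __name__ == "__main__":
    for port, pid, managed in audit():
        print(port, pid, "mesos-managed" if managed else "NOT in a mesos cgroup")
```

A listener reported as not in a mesos cgroup matches the case in the issue description; one that is in a mesos cgroup but unknown to the running slave matches the orphaned-descendant case from the comment.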
