[ https://issues.apache.org/jira/browse/MESOS-1574?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14101448#comment-14101448 ]
Jie Yu commented on MESOS-1574:
-------------------------------
If you turn on the network isolator in 0.20.0, we will have isolation for
'ports' resource as well. So if a process is using a port that is not assigned
to it, it can still bind that port, but it won't be able to use that port to
communicate with others. That's because we install tc filters for each
container and will drop those packages if the src port does not belong to the
container.
> what to do when a rogue process binds to a port mesos didn't allocate to it?
> ----------------------------------------------------------------------------
>
> Key: MESOS-1574
> URL: https://issues.apache.org/jira/browse/MESOS-1574
> Project: Mesos
> Issue Type: Improvement
> Components: allocation, isolation
> Reporter: Jay Buffington
> Priority: Minor
>
> I recently had an issue where a slave had a process whose parent was init
> that was bound to a port in the range that mesos thought was a free resource.
> I'm not sure if this is due to a bug in mesos (it lost track of this process
> during an upgrade?) or if there was a bad user who started a process on the
> host manually outside of mesos. The process is over a month old and I have
> no history in mesos to ask it if/when it launched the task :(
> If a rogue process binds to a port that mesos-slave has offered to the master
> as an available resource there should be some sort of reckoning. Mesos could:
> * kill the rogue process
> * rescind the offer for that port
> * have an api that can be plugged into a monitoring system to alert humans
> of this inconsistency
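One way to implement the monitoring check proposed in the last bullet of the issue, as an added example that is not part of the original message or of Mesos itself: it reads socket-table text in the Linux `/proc/net/tcp` layout and reports listeners on ports inside the managed range that no task was allocated. The function names, the `[31000-32000]` range string, the caller-supplied set of allocated ports and the sample table are all assumptions constructed for illustration.

```python
import re

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
# Ports are hex: 0x0016 = 22, 0x7918 = 31000, 0x7919 = 31001, 0x791A = 31002.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:7918 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 22222 1 0000000000000000 100 0 0 10 0
   2: 00000000:7919 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 33333 1 0000000000000000 100 0 0 10 0
   3: 0100007F:791A 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1001        0 44444 1 0000000000000000 100 0 0 10 0
"""

def parse_ranges(text):
    """Parse a ports range string such as '[31000-32000, 4000-4100]' (assumed format)."""
    return [(int(lo), int(hi)) for lo, hi in re.findall(r"(\d+)-(\d+)", text)]

def listening_ports(proc_net_tcp):
    """Yield (port, uid, inode) for every socket in LISTEN state (st == 0A)."""
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != "0A":
            continue
        port = int(f[1].rsplit(":", 1)[1], 16)      # local_address is HEXIP:HEXPORT
        yield port, int(f[7]), int(f[9])

def find_rogue_listeners(proc_net_tcp, managed, allocated):
    """Return listeners inside the managed range whose port no task was allocated."""
    ranges = parse_ranges(managed)
    rogue = []
    for port, uid, inode in listening_ports(proc_net_tcp):
        if any(lo <= port <= hi for lo, hi in ranges) and port not in allocated:
            rogue.append({"port": port, "uid": uid, "inode": inode})
    return rogue

if __name__ == "__main__":
    # Hypothetical state: only port 31000 has been allocated to a task.
    for hit in find_rogue_listeners(SAMPLE_PROC_NET_TCP, "[31000-32000]", {31000}):
        print("unallocated listener:", hit)
```

The reported inode can be matched against the `socket:[inode]` links under `/proc/<pid>/fd` to identify the owning process before alerting.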