[ https://issues.apache.org/jira/browse/MESOS-6240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15762620#comment-15762620 ]

Avinash Sridharan edited comment on MESOS-6240 at 3/21/17 12:06 AM:
--------------------------------------------------------------------

Libprocess has support for domain sockets, but the agent <-> executor 
communication is still over TCP/IP sockets. We still need to evaluate the changes 
required to switch the agent <-> executor communication to domain sockets.


was (Author: avin...@mesosphere.io):
Libprocess has support for domain sockets, but the agent<->executor 
communication is still over TCP/IP sockets. We still need to evaluate the changes 
required to switch the agent<->executor communication to domain sockets.

> Allow executor/agent communication over non-TCP/IP stream socket.
> -----------------------------------------------------------------
>
>                 Key: MESOS-6240
>                 URL: https://issues.apache.org/jira/browse/MESOS-6240
>             Project: Mesos
>          Issue Type: Improvement
>          Components: containerization
>         Environment: Linux and Windows
>            Reporter: Avinash Sridharan
>              Labels: mesosphere
>
> Currently, the executor/agent communication happens specifically over TCP 
> sockets. This works fine in most cases, but specifically for the 
> `MesosContainerizer` when containers are running on CNI networks, this mode 
> of communication starts imposing constraints on the CNI network, since there 
> now has to be connectivity between the CNI network (on which the executor is 
> running) and the agent. Introducing paths from a CNI network to the 
> underlying agent, at best, creates headaches for operators and at worst 
> introduces serious security holes in the network, since it is breaking the 
> isolation between the container CNI network and the host network (on which 
> the agent is running).
> In order to simplify/strengthen deployment of Mesos containers on CNI 
> networks we therefore need to move away from using TCP/IP sockets for 
> executor/agent communication. Since the executor and agent are guaranteed to run 
> on the same host, the above problems can be resolved if, for the 
> `MesosContainerizer`, we use UNIX domain sockets or named pipes instead of 
> TCP/IP sockets for the executor/agent communication.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
