[
https://issues.apache.org/jira/browse/MESOS-7675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16062520#comment-16062520
]
Avinash Sridharan commented on MESOS-7675:
------------------------------------------
[[email protected]] I am assuming this would work only for tasks on the host
network. Also, this seems like we need to perform the algorithm for the
lifetime of every task running on the agent? How do you propose we do this? By
doing a periodic scan?
PS: By group isolation, did you mean cgroup isolation?
> Isolate network ports.
> ----------------------
>
> Key: MESOS-7675
> URL: https://issues.apache.org/jira/browse/MESOS-7675
> Project: Mesos
> Issue Type: Improvement
> Components: agent
> Reporter: James Peach
> Assignee: James Peach
> Priority: Minor
>
> If a task uses network ports, there is no isolator that can enforce that it
> only listens on the ports that it has resources for. Implement a ports
> isolator that can limit tasks to listen only on allocated TCP ports.
> Roughly, the algorithm for this follows what standard tools like {{lsof}} and
> {{ss}} do.
> * Find all the listening TCP sockets (using netlink)
> * Index the sockets by their node (from the netlink information)
> * Find all the open sockets on the system (by scanning {{/proc/*/fd/*}}
> links)
> * For each open socket, check whether its node (given in the link target) is in
> the set of listen sockets that we scanned
> * If the socket is a listening socket and the corresponding PID is in the
> task, send a resource limitation for the task
> Matching pids to tasks depends on using group isolation, otherwise we would
> have to build a full process tree, which would be nice to avoid.
> Scanning all the open sockets can be avoided by using the {{net_cls}}
> isolator with kernel + libnl3 patches to publish the socket classid when we
> find the listening socket.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
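An added walk-through of the scan described in the issue (example code, not Mesos code or the reporter's design): listening sockets are discovered here by parsing a /proc/net/tcp dump instead of netlink, the fallback ss itself uses, then indexed by inode and matched against socket fd links of the task's pids. The /proc/net/tcp rows, fd link targets and pids are constructed samples, and the task's pid set is assumed to come from its cgroup as the issue proposes.

```python
import re
from typing import Dict, Iterable, Set
# Constructed sample of /proc/net/tcp (header plus three sockets). State 0A is
# LISTEN; the local port is hex after the colon and column 10 is the socket inode.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0100007F:1F90 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
"""
# Constructed readlink() results for /proc/<pid>/fd/* of two hypothetical task pids
# (a live scan would use os.readlink over os.listdir(f"/proc/{pid}/fd")).
SAMPLE_FD_LINKS = {
    4242: ["/dev/null", "socket:[12345]", "pipe:[777]"],  # listens on 8080 only
    4243: ["socket:[12346]", "socket:[12347]"],           # listens on 22, one outbound conn
}
LISTEN = "0A"
SOCKET_RE = re.compile(r"^socket:\[(\d+)\]$")


def listening_sockets(proc_net_tcp: str) -> Dict[int, int]:
    """Steps 1+2: index every LISTEN socket by inode -> {inode: local_port}."""
    result: Dict[int, int] = {}
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        result[int(fields[9])] = int(fields[1].rsplit(":", 1)[1], 16)
    return result


def socket_inodes(fd_links: Iterable[str]) -> Set[int]:
    """Step 3: socket inodes among one process's fd link targets."""
    inodes: Set[int] = set()
    for target in fd_links:
        match = SOCKET_RE.match(target)
        if match:
            inodes.add(int(match.group(1)))
    return inodes


def port_violations(task_pids, fd_links_by_pid, listeners, allowed_ports) -> Dict[int, Set[int]]:
    """Steps 4+5: for one task's pids (from its cgroup), report listening ports
    outside its allocation as {pid: {port, ...}}; an empty dict means compliant."""
    violations: Dict[int, Set[int]] = {}
    for pid in task_pids:
        bad = {listeners[i] for i in socket_inodes(fd_links_by_pid.get(pid, []))
               if i in listeners and listeners[i] not in allowed_ports}
        if bad:
            violations[pid] = bad  # the isolator would send a resource limitation here
    return violations
```

Running port_violations over the sample with an allocation of {8080} clears pid 4242 and flags pid 4243 for listening on port 22; the established socket 12347 is ignored because only LISTEN rows are indexed.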