[
https://issues.apache.org/jira/browse/MESOS-7675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16066082#comment-16066082
]
James Peach commented on MESOS-7675:
------------------------------------
Posted some reviews for early feedback.
These are trivial fixes that we need for the isolator:
| [r/60494|https://reviews.apache.org/r/60494] | Expose LinuxLauncher cgroups helper. |
| [r/60493|https://reviews.apache.org/r/60493] | Remove diagnostic socket IPv4 assumptions. |
| [r/60491|https://reviews.apache.org/r/60491] | Capture the inode when scanning for sockets. |
This is the isolator itself:
| [r/60496|https://reviews.apache.org/r/60496] | WIP: Add socket checking to the network ports isolator. |
| [r/60495|https://reviews.apache.org/r/60495] | WIP: Network ports isolator listen socket utilities. |
| [r/60492|https://reviews.apache.org/r/60492] | Add network/ports isolator skeleton. |
There are a couple of issues I'd like to get feedback on:
* What's the right way to only isolate tasks with host networking?
* Should we do the socket scanning in a background process?
* What should we do about the command executor using unallocated ports?
> Isolate network ports.
> ----------------------
>
> Key: MESOS-7675
> URL: https://issues.apache.org/jira/browse/MESOS-7675
> Project: Mesos
> Issue Type: Improvement
> Components: agent
> Reporter: James Peach
> Assignee: James Peach
> Priority: Minor
>
> If a task uses network ports, there is no isolator that can enforce that it
> only listens on the ports that it has resources for. Implement a ports
> isolator that can limit tasks to listen only on allocated TCP ports.
> Roughly, the algorithm for this follows what standard tools like {{lsof}} and
> {{ss}} do.
> * Find all the listening TCP sockets (using netlink)
> * Index the sockets by their node (from the netlink information)
> * Find all the open sockets on the system (by scanning {{/proc/*/fd/*}} links)
> * For each open socket, check whether its node (given in the link target) is in
> the set of listen sockets that we scanned
> * If the socket is a listening socket and the corresponding PID is in the
> task, send a resource limitation for the task
> Matching pids to tasks depends on using cgroup isolation, otherwise we would
> have to build a full process tree, which would be nice to avoid.
> Scanning all the open sockets can be avoided by using the {{net_cls}}
> isolator with kernel + libnl3 patches to publish the socket classid when we
> find the listening socket.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
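The inode-matching algorithm sketched in the issue description, worked through as an added example; this is not code from Mesos or from the reviews listed above. It assumes the listen set can be read from /proc/net/tcp and /proc/net/tcp6 (the same inode/state information the netlink sock_diag query in the issue would return), that task membership comes from a cgroup.procs file, and all names (parse_proc_net_tcp, find_violations, scan_fd_links, check_live) and sample data are this example's own:

```python
"""Added example (not Mesos code): lsof/ss-style listen socket check.

1. collect listening TCP sockets and index them by inode
2. walk /proc/<pid>/fd/* and read each link target
3. a target of the form socket:[<inode>] that hits the listen index is a
   listening socket held by <pid>
4. if <pid> is in the task's cgroup and the port is not allocated, report it

Assumption: /proc/net/tcp{,6} stands in for the netlink query in the issue.
"""
import os
import re
from dataclasses import dataclass

TCP_LISTEN = "0A"  # value of the 'st' column for LISTEN in /proc/net/tcp
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


@dataclass(frozen=True)
class ListenSocket:
    inode: int
    port: int


def parse_proc_net_tcp(text):
    """Return {inode: ListenSocket} for every LISTEN row of /proc/net/tcp text.

    Columns: sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode
    The local port is the hex suffix of local_address (works for tcp6 too).
    """
    listening = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        port = int(fields[1].rsplit(":", 1)[1], 16)
        inode = int(fields[9])
        listening[inode] = ListenSocket(inode, port)
    return listening


def socket_inode(link_target):
    """Inode from an fd link target such as 'socket:[41520]', else None."""
    m = SOCKET_LINK.match(link_target)
    return int(m.group(1)) if m else None


def find_violations(listening, fd_links_by_pid, task_pids, allocated_ports):
    """[(pid, port, inode)] for listen sockets held by task pids on unallocated ports.

    fd_links_by_pid maps pid -> list of /proc/<pid>/fd/* link targets.
    """
    violations = []
    for pid in sorted(fd_links_by_pid):
        if pid not in task_pids:
            continue
        for target in fd_links_by_pid[pid]:
            inode = socket_inode(target)
            sock = listening.get(inode) if inode is not None else None
            if sock is not None and sock.port not in allocated_ports:
                violations.append((pid, sock.port, inode))
    return violations


def scan_fd_links(proc="/proc"):
    """Live /proc/<pid>/fd/* walk (Linux). Entries that vanish between listdir
    and readlink (process exit, fd closed) are skipped, as are unreadable pids."""
    links = {}
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc, name, "fd")
        targets = []
        try:
            for fd in os.listdir(fd_dir):
                try:
                    targets.append(os.readlink(os.path.join(fd_dir, fd)))
                except OSError:  # fd closed under us
                    continue
        except OSError:  # ENOENT/ESRCH on exit, EACCES for other users' processes
            continue
        links[int(name)] = targets
    return links


def read_cgroup_pids(cgroup_procs):
    """PIDs listed in a task cgroup's cgroup.procs file (one pid per line)."""
    with open(cgroup_procs) as f:
        return {int(line) for line in f if line.strip()}


def check_live(cgroup_procs, allocated_ports, proc="/proc"):
    """Linux only: same matching as demo() over the real /proc."""
    listening = {}
    for table in ("tcp", "tcp6"):  # tcp6 is absent when IPv6 is disabled
        try:
            with open(os.path.join(proc, "net", table)) as f:
                listening.update(parse_proc_net_tcp(f.read()))
        except FileNotFoundError:
            continue
    return find_violations(listening, scan_fd_links(proc),
                           read_cgroup_pids(cgroup_procs), allocated_ports)


# Constructed sample data (not captured from a real host): two LISTEN rows
# (ports 0x1F90=8080 and 0x0016=22) and one ESTABLISHED row (st=01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41520 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 41999 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_FD_LINKS = {
    1: ["/dev/null", "socket:[12345]"],  # not in the task: ignored
    4242: ["/dev/null", "pipe:[777]", "socket:[41520]", "socket:[41999]"],
    4243: ["socket:[12345]", "anon_inode:[eventpoll]"],
}
SAMPLE_TASK_PIDS = {4242, 4243}


def demo():
    """Task allocated only port 8080; pid 4243 listens on 22 -> one violation."""
    listening = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    return find_violations(listening, SAMPLE_FD_LINKS, SAMPLE_TASK_PIDS, {8080})


if __name__ == "__main__":
    print(demo())
```

Two properties of this approach are worth keeping in mind when reading the isolator reviews: /proc/net/tcp (like the netlink query) only reports sockets in the caller's network namespace, so a task with its own namespace is simply invisible to a host-side scan, and a listening fd inherited across fork shows up under every pid that still holds it, so an executor that opens a listening socket before launching the task will be matched against the task's cgroup as well.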