[jira] [Comment Edited] (MESOS-7675) Isolate network ports.

Thu, 29 Jun 2017 10:35:29 -0700 

    [ 
https://issues.apache.org/jira/browse/MESOS-7675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16068513#comment-16068513
 ] 

James Peach edited comment on MESOS-7675 at 6/29/17 5:34 PM:
-------------------------------------------------------------

{quote}
Would this monitor only the network ports advertised as `ports` resources? 
Wondering about interaction with ephemeral ports.
{quote}

It ensures that any ports that processes are listening on are within the 
allocated {{ports}} resources. So ephemeral ports bound by connecting to other 
services aren't checked. Ephemeral port bound by listening on an {{ANY}} 
address are checked and cause the container to be killed.


was (Author: jamespeach):
{quote}
Would this monitor only the network ports advertised as `ports` resources? 
Wondering about interaction with ephemeral ports.
{quote}

It ensures that any ports that processes are listening on are within the 
allocated {{ports}} resources. So ephemeral ports bound by connecting to other 
services aren't checked.

> Isolate network ports.
> ----------------------
>
>                 Key: MESOS-7675
>                 URL: https://issues.apache.org/jira/browse/MESOS-7675
>             Project: Mesos
>          Issue Type: Improvement
>          Components: agent
>            Reporter: James Peach
>            Assignee: James Peach
>            Priority: Minor
>
> If a task uses network ports, there is no isolator that can enforce that it 
> only listens on the ports that it has resources for. Implement a ports 
> isolator that can limit tasks to listen only on allocated TCP ports.
> Roughly, the algorithm for this follows what standard tools like {{lsof}} and 
> {{ss}} do.
> * Find all the listening TCP sockets (using netlink)
> * Index the sockets by their node (from the netlink information)
> * Find all the open sockets on the system (by scanning {{/proc/\*/fd/\*}} 
> links)
> * For each open socket, check whether its node (given in the link target) in 
> the set of listen sockets that we scanned
> * If the socket is a listening socket and the corresponding PID is in the 
> task, send a resource limitation for the task
> Matching pids to tasks depends on using cgroup isolation, otherwise we would 
> have to build a full process tree, which would be nice to avoid.
> Scanning all the open sockets can be avoided by using the {{net_cls}} 
> isolator with kernel + libnl3 patches to publish the socket classid when we 
> find the listening socket.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to