[ https://issues.apache.org/jira/browse/MESOS-7675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16068513#comment-16068513 ]
James Peach edited comment on MESOS-7675 at 6/29/17 5:34 PM:
-------------------------------------------------------------

{quote}
Would this monitor only the network ports advertised as `ports` resources? Wondering about interaction with ephemeral ports.
{quote}

It ensures that any ports that processes are listening on are within the allocated {{ports}} resources. So ephemeral ports bound by connecting to other services aren't checked. Ephemeral ports bound by listening on an {{ANY}} address are checked and cause the container to be killed.

was (Author: jamespeach):
{quote}
Would this monitor only the network ports advertised as `ports` resources? Wondering about interaction with ephemeral ports.
{quote}

It ensures that any ports that processes are listening on are within the allocated {{ports}} resources. So ephemeral ports bound by connecting to other services aren't checked.

> Isolate network ports.
> ----------------------
>
>                 Key: MESOS-7675
>                 URL: https://issues.apache.org/jira/browse/MESOS-7675
>             Project: Mesos
>          Issue Type: Improvement
>          Components: agent
>            Reporter: James Peach
>            Assignee: James Peach
>            Priority: Minor
>
> If a task uses network ports, there is no isolator that can enforce that it
> only listens on the ports that it has resources for. Implement a ports
> isolator that can limit tasks to listen only on allocated TCP ports.
>
> Roughly, the algorithm for this follows what standard tools like {{lsof}} and
> {{ss}} do.
> * Find all the listening TCP sockets (using netlink)
> * Index the sockets by their node (from the netlink information)
> * Find all the open sockets on the system (by scanning {{/proc/\*/fd/\*}} links)
> * For each open socket, check whether its node (given in the link target) is in the set of listen sockets that we scanned
> * If the socket is a listening socket and the corresponding PID is in the task, send a resource limitation for the task
>
> Matching pids to tasks depends on using cgroup isolation, otherwise we would
> have to build a full process tree, which would be nice to avoid.
>
> Scanning all the open sockets can be avoided by using the {{net_cls}} isolator
> with kernel + libnl3 patches to publish the socket classid when we find the
> listening socket.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
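The scan sketched in the issue description above, written out as an added illustration in Python; it is not Mesos's own ports isolator (which is C++ and queries netlink). In place of the netlink sock_diag query it parses a /proc/net/tcp snapshot (the same text format ss falls back to), indexes LISTEN sockets by inode (the "node" of the description), resolves /proc/<pid>/fd link targets of the form socket:[inode], and reports listeners owned by the task's PIDs whose port lies outside the allocated {{ports}} ranges. Everything here is constructed: the /proc/net/tcp lines, the fd link map, the task PID set {1234} (standing in for the cgroup membership lookup the description relies on), and the range string "[31000-32000]". The function names (parse_port_ranges, listening_sockets, find_violations) are this example's own.

```python
"""Ports-isolator style check: listening TCP sockets vs. allocated port ranges.

Added illustration, not Mesos code. Parses /proc/net/tcp text instead of using
netlink sock_diag so it runs offline on the constructed input below. The
PID-to-task mapping is assumed to come from cgroup membership and is passed
in as a plain set.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

TCP_LISTEN = 0x0A  # value of the 'st' column for a listening socket

# Constructed sample in /proc/net/tcp layout: local address is a host-order
# 32-bit hex word, port is hex, inode is the tenth whitespace-separated column.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:7918 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:AFC8 0100007F:1F90 01 00000000:00000000 00:00000000 00000000     0        0 10003 1 0000000000000000 20 4 30 10 -1
   3: 00000000:AFC9 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 100 0 0 10 0
   4: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10005 1 0000000000000000 100 0 0 10 0
"""

# Constructed stand-in for os.readlink() over /proc/<pid>/fd/<fd>.
SAMPLE_FD_LINKS: Dict[Tuple[int, int], str] = {
    (1234, 0): "/dev/null",
    (1234, 3): "socket:[10001]",  # LISTEN 0.0.0.0:8080      -> outside allocation
    (1234, 4): "socket:[10002]",  # LISTEN 127.0.0.1:31000   -> inside allocation
    (1234, 5): "socket:[10003]",  # ESTABLISHED, port 45000  -> not a listener, ignored
    (1234, 6): "socket:[10004]",  # LISTEN 0.0.0.0:45001     -> ephemeral but listening, flagged
    (5678, 3): "socket:[10005]",  # LISTEN :22 in another pid -> not in the task, ignored
}

SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def parse_port_ranges(spec: str) -> List[Tuple[int, int]]:
    """Parse a Mesos-style ports resource value such as "[31000-32000, 40000-40010]"."""
    ranges: List[Tuple[int, int]] = []
    for lo_s, hi_s in re.findall(r"(\d+)-(\d+)", spec):
        lo, hi = int(lo_s), int(hi_s)
        if lo > hi or hi > 65535:
            raise ValueError(f"bad port range {lo}-{hi}")
        ranges.append((lo, hi))
    return ranges


def port_allowed(port: int, ranges: List[Tuple[int, int]]) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


def listening_sockets(proc_net_tcp: str) -> Dict[int, Tuple[str, int]]:
    """Index sockets in LISTEN state by inode -> (local_ip, local_port)."""
    listeners: Dict[int, Tuple[str, int]] = {}
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, inode = fields[1], int(fields[3], 16), int(fields[9])
        if state != TCP_LISTEN:
            continue
        ip_hex, port_hex = local.split(":")
        # The kernel prints the address as a host-order word; a little-endian
        # host is assumed here, so the octets come out in reverse order.
        ip = ".".join(str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
        listeners[inode] = (ip, int(port_hex, 16))
    return listeners


def socket_inode(link_target: str) -> Optional[int]:
    """Extract the inode from a /proc/<pid>/fd link target, or None if not a socket."""
    m = SOCKET_LINK.match(link_target)
    return int(m.group(1)) if m else None


def find_violations(proc_net_tcp: str,
                    fd_links: Dict[Tuple[int, int], str],
                    task_pids: Set[int],
                    ranges: List[Tuple[int, int]]) -> List[Tuple[int, str, int]]:
    """Return (pid, ip, port) for every listener owned by the task outside its ranges."""
    listeners = listening_sockets(proc_net_tcp)
    violations: List[Tuple[int, str, int]] = []
    for (pid, _fd), target in fd_links.items():
        inode = socket_inode(target)
        if inode is None or inode not in listeners or pid not in task_pids:
            continue
        ip, port = listeners[inode]
        if not port_allowed(port, ranges):
            violations.append((pid, ip, port))
    return sorted(violations)


if __name__ == "__main__":
    allowed = parse_port_ranges("[31000-32000]")
    for pid, ip, port in find_violations(SAMPLE_PROC_NET_TCP, SAMPLE_FD_LINKS, {1234}, allowed):
        print(f"pid {pid} listens on {ip}:{port} outside allocated ports {allowed}")
```

On the constructed input the connected socket on ephemeral port 45000 is never reported because it is not in LISTEN state, while the listener bound to 0.0.0.0:45001 is, which is exactly the distinction the edited comment above draws; sshd's listener on port 22 is skipped because its PID is not in the task's set. On a real host the fd map would come from walking /proc/*/fd with os.readlink, and the task PID set from the container's cgroup.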