[ 
https://issues.apache.org/jira/browse/MESOS-7675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16072946#comment-16072946
 ] 

James Peach edited comment on MESOS-7675 at 8/9/17 8:47 PM:
------------------------------------------------------------

Updated review chain:

| [r/61536|https://reviews.apache.org/r/61536] | Added network ports isolator socket utilities tests. |
| [r/60593|https://reviews.apache.org/r/60593] | Test the `network/ports` isolator recovery. |
| [r/60765|https://reviews.apache.org/r/60765] | Added basic `network/ports` isolator tests. |
| [r/60903|https://reviews.apache.org/r/60903] | Added the `network/ports` isolator to the Mesos containerizer. |
| [r/60766|https://reviews.apache.org/r/60766] | Ignored containers that join CNI networks. |
| [r/60591|https://reviews.apache.org/r/60591] | Optionally isolate only the agent network ports. |
| [r/60592|https://reviews.apache.org/r/60592] | Configure the `network/ports` isolator watch interval. |
| [r/60496|https://reviews.apache.org/r/60496] | Added socket checking to the network ports isolator. |
| [r/60495|https://reviews.apache.org/r/60495] | Added network ports isolator listen socket utilities. |
| [r/61538|https://reviews.apache.org/r/61538] | Used common port range interval code in the port_mapping isolator. |
| [r/60492|https://reviews.apache.org/r/60492] | Added a `network/ports` isolator skeleton. |
| [r/60902|https://reviews.apache.org/r/60902] | Moved the libnl3 configure checks into a macro. |
| [r/60836|https://reviews.apache.org/r/60836] | Added IntervalSet to Ranges conversion helper declarations. |
| [r/60901|https://reviews.apache.org/r/60901] | Use a consistent preprocessor check for ENABLE_PORT_MAPPING_ISOLATOR. |
| [r/60764|https://reviews.apache.org/r/60764] | Refactored isolator dependency checking. |
| [r/60494|https://reviews.apache.org/r/60494] | Exposed LinuxLauncher cgroups helper. |
| [r/60493|https://reviews.apache.org/r/60493] | Removed diagnostic socket IPv4 assumptions. |
| [r/60491|https://reviews.apache.org/r/60491] | Captured the inode when scanning for sockets. |
| [r/60594|https://reviews.apache.org/r/60594] | Added a `network/ports` isolator nested container test. |



was (Author: jamespeach):
Updated review chain:

| [r/60765|https://reviews.apache.org/r/60765] | Add basic `network/ports` isolator tests. |
| [r/60766|https://reviews.apache.org/r/60766] | Ignore containers that join CNI networks. |
| [r/60594|https://reviews.apache.org/r/60594] | Add a `network/ports` isolator nested container test. |
| [r/60593|https://reviews.apache.org/r/60593] | Test the `network/ports` isolator recovery. |
| [r/60592|https://reviews.apache.org/r/60592] | Configure the `network/ports` isolator watch interval. |
| [r/60591|https://reviews.apache.org/r/60591] | Optionally isolate only the agent network ports. |
| [r/60496|https://reviews.apache.org/r/60496] | Add socket checking to the network ports isolator. |
| [r/60495|https://reviews.apache.org/r/60495] | Network ports isolator listen socket utilities. |
| [r/60767|https://reviews.apache.org/r/60767] | Allow `network/ports` to co-exist with other network isolators. |
| [r/60764|https://reviews.apache.org/r/60764] | Refactor isolator dependency checking. |
| [r/60492|https://reviews.apache.org/r/60492] | Add network/ports isolator skeleton. |
| [r/60494|https://reviews.apache.org/r/60494] | Expose LinuxLauncher cgroups helper. |
| [r/60493|https://reviews.apache.org/r/60493] | Remove diagnostic socket IPv4 assumptions. |
| [r/60491|https://reviews.apache.org/r/60491] | Capture the inode when scanning for sockets. |

> Isolate network ports.
> ----------------------
>
>                 Key: MESOS-7675
>                 URL: https://issues.apache.org/jira/browse/MESOS-7675
>             Project: Mesos
>          Issue Type: Improvement
>          Components: agent
>            Reporter: James Peach
>            Assignee: James Peach
>            Priority: Minor
>
> If a task uses network ports, there is no isolator that can enforce that it 
> only listens on the ports that it has resources for. Implement a ports 
> isolator that can limit tasks to listen only on allocated TCP ports.
> Roughly, the algorithm for this follows what standard tools like {{lsof}} and 
> {{ss}} do.
> * Find all the listening TCP sockets (using netlink)
> * Index the sockets by their node (from the netlink information)
> * Find all the open sockets on the system (by scanning {{/proc/\*/fd/\*}} 
> links)
> * For each open socket, check whether its node (given in the link target) is 
> in the set of listen sockets that we scanned
> * If the socket is a listening socket and the corresponding PID is in the 
> task, send a resource limitation for the task
> Matching pids to tasks depends on using cgroup isolation, otherwise we would 
> have to build a full process tree, which would be nice to avoid.
> Scanning all the open sockets can be avoided by using the {{net_cls}} 
> isolator with kernel + libnl3 patches to publish the socket classid when we 
> find the listening socket.
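The scan described in the issue (collect listening TCP sockets, index them by inode, walk `/proc/*/fd/*` for `socket:[inode]` links, and flag any listening socket whose owning PID belongs to the task but whose port is outside the task's allocation) can be exercised end to end on constructed input. The following is an added example and is not code from the Mesos project or from the ticket's review chain. It departs from the ticket's design in one labelled way: it reads the listening-socket table from `/proc/net/tcp` and `/proc/net/tcp6` text (the same data `ss` and `lsof` can show) instead of the netlink `sock_diag` interface, and it takes the task's PID set from a cgroup's `cgroup.procs` file rather than through Mesos' launcher helpers. The embedded `/proc/net/tcp` excerpt, fd link targets, PIDs and port ranges are all constructed sample data.

```python
"""Audit a task's processes for listening TCP ports outside its allocated ranges.

Added example, not Mesos code.  Assumption: /proc/net/tcp{,6} is used as the
listening-socket source in place of netlink sock_diag, which the ticket uses.
"""
import os
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

TCP_LISTEN = 0x0A  # socket state value for LISTEN in /proc/net/tcp

# Constructed /proc/net/tcp excerpt: row 0 listens on 8080 (hex 1F90),
# row 1 listens on 22 (hex 0016), row 2 is an ESTABLISHED client socket.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1
"""

# Constructed (pid, readlink target) pairs as a /proc/*/fd/* scan would yield.
SAMPLE_FD_LINKS = [
    (4242, "socket:[12345]"),   # task process listening on 8080
    (4242, "/dev/null"),        # not a socket
    (4243, "socket:[12347]"),   # task process, but an established socket
    (1, "socket:[12346]"),      # sshd-like listener outside the task
]

SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def parse_listening_sockets(table: str) -> Dict[int, int]:
    """Map inode -> local port for every LISTEN row in /proc/net/tcp text."""
    listening: Dict[int, int] = {}
    for line in table.splitlines():
        fields = line.split()
        if not fields or not fields[0].endswith(":"):
            continue  # header line
        local_addr, state, inode = fields[1], fields[3], fields[9]
        if int(state, 16) != TCP_LISTEN:
            continue
        port = int(local_addr.rsplit(":", 1)[1], 16)  # works for tcp and tcp6
        listening[int(inode)] = port
    return listening


def parse_socket_inode(link_target: str) -> Optional[int]:
    """Extract the inode from a 'socket:[N]' fd link target, else None."""
    match = SOCKET_LINK.match(link_target)
    return int(match.group(1)) if match else None


def port_allowed(port: int, ranges: Iterable[Tuple[int, int]]) -> bool:
    return any(lo <= port <= hi for lo, hi in ranges)


def find_violations(listening: Dict[int, int],
                    fd_links: Iterable[Tuple[int, str]],
                    task_pids: Set[int],
                    allowed: List[Tuple[int, int]]) -> List[Tuple[int, int, int]]:
    """Return (pid, inode, port) for task-owned listeners outside `allowed`."""
    violations = []
    for pid, target in fd_links:
        if pid not in task_pids:
            continue  # only processes in the task's cgroup are of interest
        inode = parse_socket_inode(target)
        if inode is None or inode not in listening:
            continue  # not a socket, or not a listening socket
        port = listening[inode]
        if not port_allowed(port, allowed):
            violations.append((pid, inode, port))
    return violations


# --- Live helpers (Linux only; not exercised by the constructed sample) ---
def read_listening_sockets() -> Dict[int, int]:
    result: Dict[int, int] = {}
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        if os.path.exists(path):
            with open(path) as fh:
                result.update(parse_listening_sockets(fh.read()))
    return result


def scan_fd_links() -> List[Tuple[int, str]]:
    links = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        fd_dir = f"/proc/{entry}/fd"
        try:
            for fd in os.listdir(fd_dir):
                links.append((int(entry), os.readlink(f"{fd_dir}/{fd}")))
        except OSError:
            pass  # process exited or not ours to inspect
    return links


def pids_in_cgroup(cgroup_dir: str) -> Set[int]:
    """PIDs listed in a cgroup's cgroup.procs (the task-to-pid mapping)."""
    with open(os.path.join(cgroup_dir, "cgroup.procs")) as fh:
        return {int(line) for line in fh if line.strip()}


if __name__ == "__main__":
    # Constructed task: pids 4242 and 4243, allocated ports 31000-32000.
    for pid, inode, port in find_violations(
            parse_listening_sockets(SAMPLE_PROC_NET_TCP), SAMPLE_FD_LINKS,
            {4242, 4243}, [(31000, 32000)]):
        print(f"pid {pid} listens on port {port} (inode {inode}) outside allocation")
```

On the constructed data only pid 4242's listener on 8080 is reported: pid 1's sshd-style socket is outside the task, and pid 4243's socket is not in the LISTEN state. The design point the ticket makes is visible in `find_violations`: the join between "listening" and "owned by this task" happens on the socket inode, so the cost is one pass over the socket table plus one pass over fd links, with no process tree to build; the `pids_in_cgroup` helper is what makes the task-to-PID side cheap, as the ticket notes.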



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)