[
https://issues.apache.org/jira/browse/MESOS-7605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16183154#comment-16183154
]
James Peach commented on MESOS-7605:
------------------------------------
After thinking about this some more, there are 3 cases:
1. No container image. In this case there's no container image (so we won't
rewrite {{/etc/hostname}}) but we still want to enter a UTS namespace for
security reasons.
2. Container image with {{network/cni}}. When we have a container image, we can
consistently set the hostname inside the container. {{network/cni}} only
enters a UTS namespace when setting the hostname.
3. Container image w/ {{network/port_mapping}}. This isolator never enters a
UTS namespace to set the hostname and is agnostic to whether there is a
container image.
The goal here is to isolate the UTS namespace, not necessarily support
per-container hostname in every configuration. Since {{network/cni}} is always
enabled by default, we could have that isolator always enter a UTS namespace,
however it seems unreasonable to exclude {{network/port_mapping}} users.
So what I would like to do here is add a simple {{namespaces/uts}} isolator
that does nothing more than place a container tree in a new UTS namespace. To
be compatible with CNI and network namespaces, all the containers in the tree
should join the same UTS namespace.
Note that this would not change the semantics of how we set the hostname in
containers. It merely adds an additional layer of namespace isolation in more
cases. The {{namespaces/uts}} isolator will not update the hostname inside the
container. If that is required, then the {{network/cni}} isolator should be
used.
Ping [~gilbert], [~qianzhang], [~jieyu], [~avinash.mesos]
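As an added illustration (not Mesos code and not from this thread) of what the proposed isolator boils down to, this C program models a container tree entering a UTS namespace with unshare(CLONE_NEWUTS): the child and a nested child forked from it share the new namespace, while the parent keeps the host's hostname. Setting a hostname is only this demo's probe for verifying the isolation; the isolator itself would stop at unshare(). The function names, result codes and probe hostname are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
/* Result codes of uts_isolation_demo(). Non-negative means "no isolation bug". */
enum { UTS_ISOLATED = 0, UTS_UNSUPPORTED = 1, UTS_LEAKED = -1, UTS_ERROR = -2 };
/* True if the calling process sees `expected` as its hostname. */
static int sees_hostname(const char *expected) {
    char buf[HOST_NAME_MAX + 1] = {0};
    return gethostname(buf, sizeof buf - 1) == 0 && strcmp(buf, expected) == 0;
}
/* Models the proposed isolator: the "container" (child) is moved into a new
 * UTS namespace, a nested "container" (grandchild) is forked from it and so
 * shares that namespace, and the "host" (parent) must keep its own hostname.
 * Only the demo sets a hostname; the isolator itself would stop at unshare(). */
int uts_isolation_demo(void) {
    const char *probe = "uts-demo-container"; /* constructed, demo only */
    char before[HOST_NAME_MAX + 1] = {0}, after[HOST_NAME_MAX + 1] = {0};
    if (gethostname(before, sizeof before - 1) != 0) return UTS_ERROR;
    pid_t pid = fork();
    if (pid < 0) return UTS_ERROR;
    if (pid == 0) {
        if (unshare(CLONE_NEWUTS) != 0)      /* needs CAP_SYS_ADMIN */
            _exit(errno == EPERM || errno == EACCES || errno == ENOSYS ? 10 : 11);
        if (sethostname(probe, strlen(probe)) != 0) _exit(11);
        pid_t nested = fork();               /* inherits the new UTS namespace */
        if (nested < 0) _exit(11);
        if (nested == 0) _exit(sees_hostname(probe) ? 0 : 11);
        int st = 0;
        if (waitpid(nested, &st, 0) < 0 || !WIFEXITED(st)) _exit(11);
        _exit(WEXITSTATUS(st) == 0 && sees_hostname(probe) ? 0 : 11);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return UTS_ERROR;
    if (WEXITSTATUS(status) == 10) return UTS_UNSUPPORTED;
    if (WEXITSTATUS(status) != 0) return UTS_ERROR;
    /* The host's hostname must be untouched by what happened in the tree. */
    if (gethostname(after, sizeof after - 1) != 0) return UTS_ERROR;
    return strcmp(before, after) == 0 ? UTS_ISOLATED : UTS_LEAKED;
}
int main(void) {                             /* prints the outcome when run directly */
    int r = uts_isolation_demo();
    printf("uts isolation result: %d (0 isolated, 1 unsupported, <0 failure)\n", r);
    return r < 0;
}
```

Without CAP_SYS_ADMIN the kernel refuses unshare() and the demo reports UTS_UNSUPPORTED rather than a failure; run it as root (or under a user namespace) to see the isolated case.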
> UCR doesn't isolate uts namespace w/ host networking
> ----------------------------------------------------
>
> Key: MESOS-7605
> URL: https://issues.apache.org/jira/browse/MESOS-7605
> Project: Mesos
> Issue Type: Improvement
> Components: containerization
> Reporter: James DeFelice
> Assignee: James Peach
> Labels: mesosphere
>
> Docker's {{run}} command supports a {{--hostname}} parameter which impacts
> container isolation, even in {{host}} network mode: (via
> https://docs.docker.com/engine/reference/run/)
> {quote}
> Even in host network mode a container has its own UTS namespace by default.
> As such --hostname is allowed in host network mode and will only change the
> hostname inside the container. Similar to --hostname, the --add-host, --dns,
> --dns-search, and --dns-option options can be used in host network mode.
> {quote}
> I see no evidence that UCR offers a similar isolation capability.
> Related: the {{ContainerInfo}} protobuf has a {{hostname}} field which was
> initially added to support the Docker containerizer's use of the
> {{--hostname}} Docker {{run}} flag.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)