[ https://issues.apache.org/jira/browse/MESOS-7605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16348971#comment-16348971 ]

James Peach commented on MESOS-7605:
------------------------------------

{quote}
Qian Zhang That is exactly not the point of this change. CNI already supports 
setting the container hostname as for all containers that have an image. The 
point of this isolator is to guarantee that the host's UTS namespace is 
protected from containers (case 1) above. I kept it explicitly out of scope for 
this isolator to actually set the hostname, since last time I did that, we 
ended up moving that feature to the CNI isolator.
{quote}

I believed that the CNI isolator did set up the hostname correctly when joining 
the host network, however [~qianzhang] is right that the CNI isolator doesn't 
clone the UTS namespace unless you join a named network.

So I agree with [~qianzhang] that we should make the CNI isolator clone the UTS 
namespace (and set the hostname) when it joins the host network and has a 
container image. We will still need the UTS isolator, however, for the case where 
there is no container image or the CNI isolator isn't used.

IIRC [~avinash.mesos]'s original concern about this was that the specified 
hostname would not be consistent with DNS. There are two things we can do about 
this: (1) just accept it, and it's fine, or (2) resolve the host's hostname and 
use that IP address to populate the container {{resolv.conf}}. AFAICT, Docker 
just does (1).

> UCR doesn't isolate uts namespace w/ host networking
> ----------------------------------------------------
>
>                 Key: MESOS-7605
>                 URL: https://issues.apache.org/jira/browse/MESOS-7605
>             Project: Mesos
>          Issue Type: Improvement
>          Components: containerization
>            Reporter: James DeFelice
>            Assignee: James Peach
>            Priority: Major
>              Labels: mesosphere
>
> Docker's {{run}} command supports a {{--hostname}} parameter which impacts 
> container isolation, even in {{host}} network mode: (via 
> https://docs.docker.com/engine/reference/run/)
> {quote}
> Even in host network mode a container has its own UTS namespace by default. 
> As such --hostname is allowed in host network mode and will only change the 
> hostname inside the container. Similar to --hostname, the --add-host, --dns, 
> --dns-search, and --dns-option options can be used in host network mode.
> {quote}
> I see no evidence that UCR offers a similar isolation capability.
> Related: the {{ContainerInfo}} protobuf has a {{hostname}} field which was 
> initially added to support the Docker containerizer's use of the 
> {{--hostname}} Docker {{run}} flag.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
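The behaviour this thread is about (a private UTS namespace while the network namespace stays shared with the host, so a container can change its own hostname without touching the agent's) is easy to observe outside of Mesos. The following is an added example written for this page; it is not Mesos or CNI isolator code and not from the comment author. It assumes Linux with gcc, and that either the process has CAP_SYS_ADMIN or unprivileged user namespaces are enabled (the fallback path); the hostname "sandbox-uts" and the function and struct names are made up for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hostnames observed by the host before/after and by the "container". */
struct uts_demo {
    char host_before[256];
    char inside[256];
    char host_after[256];
};

/*
 * Fork a child that, like a host-networked container, keeps the host's
 * network namespace but gets its own UTS namespace, then sets a hostname
 * there. The parent records what it still sees afterwards.
 *
 * Returns 0 on success, 1 if the kernel refused to create the namespace
 * (no privilege, user namespaces disabled, seccomp), -1 on other errors.
 * Nothing here is Mesos code; it mirrors the isolator's intent only.
 */
int run_uts_demo(const char *container_hostname, struct uts_demo *out)
{
    int fd[2];
    if (pipe(fd) != 0)
        return -1;
    if (gethostname(out->host_before, sizeof out->host_before) != 0)
        return -1;
    out->host_before[sizeof out->host_before - 1] = '\0';

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        char msg[260] = {0};
        close(fd[0]);
        /* Privileged route first (needs CAP_SYS_ADMIN), otherwise create a
         * user namespace too; the new UTS ns is owned by it, which is what
         * lets an unprivileged process call sethostname() in it. */
        if (unshare(CLONE_NEWUTS) != 0 &&
            unshare(CLONE_NEWUSER | CLONE_NEWUTS) != 0) {
            msg[0] = 'P';                 /* not permitted here */
        } else if (sethostname(container_hostname,
                               strlen(container_hostname)) != 0) {
            msg[0] = 'E';
        } else {
            msg[0] = 'O';
            gethostname(msg + 1, sizeof msg - 2);
        }
        msg[sizeof msg - 1] = '\0';
        (void)write(fd[1], msg, 1 + strlen(msg + 1));
        close(fd[1]);
        _exit(0);
    }

    close(fd[1]);
    char buf[260] = {0};
    ssize_t n = read(fd[0], buf, sizeof buf - 1);
    close(fd[0]);
    waitpid(pid, NULL, 0);

    /* Whatever the child did, the host's view must be unchanged. */
    if (gethostname(out->host_after, sizeof out->host_after) != 0)
        return -1;
    out->host_after[sizeof out->host_after - 1] = '\0';

    if (n < 1)
        return -1;
    if (buf[0] == 'P')
        return 1;
    if (buf[0] != 'O')
        return -1;
    strncpy(out->inside, buf + 1, sizeof out->inside - 1);
    out->inside[sizeof out->inside - 1] = '\0';
    return 0;
}

int main(void)
{
    struct uts_demo d;
    int rc = run_uts_demo("sandbox-uts", &d);   /* hostname is made up */
    if (rc == 1) {
        printf("UTS namespace not permitted in this environment\n");
        return 0;
    }
    if (rc != 0) {
        perror("run_uts_demo");
        return 1;
    }
    printf("host before: %s\ninside:      %s\nhost after:  %s\n",
           d.host_before, d.inside, d.host_after);
    return 0;
}
```

Build with `gcc -Wall -o uts_demo uts_demo.c` and run it once as an unprivileged user and once as root: in both cases "host after" matches "host before" while "inside" shows the container hostname. Drop the `unshare()` calls and run as root to see the failure mode the issue describes, where `sethostname()` from the child renames the host itself; that is the exposure the UTS isolator is meant to close when the CNI isolator has not cloned the namespace.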