-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51857/#review149767
-----------------------------------------------------------

src/slave/containerizer/mesos/isolators/network/cni/cni.cpp (line 378)
<https://reviews.apache.org/r/51857/#comment217471>

    Should we skip nested container recover here? It's better to be explicit.


src/slave/containerizer/mesos/isolators/network/cni/cni.cpp (line 612)
<https://reviews.apache.org/r/51857/#comment217468>

    We need to return failure if parent does not exist.


src/slave/containerizer/mesos/isolators/network/cni/cni.cpp (lines 684 - 685)
<https://reviews.apache.org/r/51857/#comment217469>

    I would also mention that we need a mount namespace because we need to bind mount /etc/ files.


src/slave/containerizer/mesos/isolators/network/cni/cni.cpp (line 706)
<https://reviews.apache.org/r/51857/#comment217470>

    For the container (both top level or nested)


src/slave/containerizer/mesos/isolators/network/cni/cni.cpp (line 1249)
<https://reviews.apache.org/r/51857/#comment217473>

    Let's add a nested container check similar to what we have in cgroups isolator:

    ```
    if (containerId.has_parent()) {
      return Failure("Not supported for nested containers");
    }
    ```


src/slave/containerizer/mesos/isolators/network/cni/cni.cpp (line 1253)
<https://reviews.apache.org/r/51857/#comment217472>

    Also, you should mention that we don't maintain info for nested container. IP address can be obtained from its parent container.


src/slave/containerizer/mesos/isolators/network/cni/cni.cpp (line 1312)
<https://reviews.apache.org/r/51857/#comment217474>

    s/child/nested/


src/slave/containerizer/mesos/isolators/network/cni/cni.cpp (lines 1644 - 1649)
<https://reviews.apache.org/r/51857/#comment217476>

    What if the top level container joins a non-host network but its child container joins the host network without a rootfs? Looks like we do need to set up etc files in that case because the host etc files won't work?

    Maybe, it's time to address this TODO?


- Jie Yu


On Sept. 21, 2016, 12:06 a.m., Avinash sridharan wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/51857/
> -----------------------------------------------------------
>
> (Updated Sept. 21, 2016, 12:06 a.m.)
>
>
> Review request for mesos, Gilbert Song, Jie Yu, Joseph Wu, and Qian Zhang.
>
>
> Bugs: MESOS-6156
>     https://issues.apache.org/jira/browse/MESOS-6156
>
>
> Repository: mesos
>
>
> Description
> -------
>
> The network file setup in the `network/cni` isolator is now nesting
> aware. Since the children share the network and UTS namespace with the
> parent, the network files need to be created only for the parent
> container. For the child containers, the network files will be simply
> a bind mount of the parent's network files.
>
>
> Diffs
> -----
>
>   src/slave/containerizer/mesos/isolators/network/cni/cni.hpp 949da8f70fb1cd13d6359780b032cb170693ea3e
>   src/slave/containerizer/mesos/isolators/network/cni/cni.cpp 359479083894e887647a694a1a133dce44817073
>
> Diff: https://reviews.apache.org/r/51857/diff/
>
>
> Testing
> -------
>
> make
> make check
> and
> sudo ./bin/mesos-tests.sh
>
> The only tests that failed were the SUDO make check tests:
> [  FAILED  ] 3 tests, listed below:
> [  FAILED  ] CgroupsAnyHierarchyWithCpuMemoryTest.ROOT_CGROUPS_Listen
> [  FAILED  ] CgroupsAnyHierarchyMemoryPressureTest.ROOT_IncreaseRSS
> [  FAILED  ] LinuxFilesystemIsolatorTest.ROOT_RecoverOrphanedPersistentVolume
>
>
> Thanks,
>
> Avinash sridharan
>
>