-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/51617/
-----------------------------------------------------------

(Updated Oct. 17, 2016, 1:42 p.m.)


Review request for mesos, Jie Yu and Qian Zhang.


Changes
-------

Made `CNI_CONTAINERID` a required env variable for the plugin.


Bugs: MESOS-6023
    https://issues.apache.org/jira/browse/MESOS-6023


Repository: mesos


Description
-------

Added the logic for installing and removing DNAT rules.


Diffs (updated)
-----

  src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.hpp 7fad707a240234e35828917aea1bc79f42fe130e
  src/slave/containerizer/mesos/isolators/network/cni/plugins/port_mapper/port_mapper.cpp 2ff8b0e76a11b6f6c98b839d3ac91a81e41285f5

Diff: https://reviews.apache.org/r/51617/diff/


Testing
-------

Ran the CNI plugin against a network namespace with the following JSON input:
```
{
  "name": "mynet",
  "type": "port-mapper",
  "chain": "MESOS-TEST",
  "excludeDevices": ["mesos-cni0"],
  "delegate": {
    "type": "bridge",
    "bridge": "cni0",
    "isGateway": true,
    "ipMasq": true,
    "ipam": {
      "type": "host-local",
      "subnet": "192.168.37.0/24",
      "routes": [
        { "dst": "0.0.0.0/0" }
      ]
    }
  },
  "args": {
    "org.apache.mesos": {
      "network_info": {
        "port_mappings": {
          "host_port": 8080,
          "container_port": 9000
        }
      }
    }
  }
}
```

Used the ADD command to test that the CNI plugin correctly invokes the delegate plugin (a CNI bridge plugin in this case) and also inserts the correct iptables entries for the given port mapping. After running this plugin, this was the output of the `iptables -t nat -S MESOS-TEST` command:
```
sudo iptables -t nat -S MESOS-TEST
-N MESOS-TEST
-A MESOS-TEST ! -i mesos-cni0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.37.21:9000
```

Ran a Python HTTP server in this network namespace and verified that DNAT works from outside the box. Was able to connect to port 9000 of this server by connecting to port 8080 on the host.

Used the DEL command to test that the CNI plugin correctly deletes the DNAT rule and chain, if no DNAT rules exist in the chain.
After running the DEL command (by injecting `NetworkInfo` into the above JSON schema) verified that the chain and the DNAT rule are deleted from iptables.

Apart from these tests, ran a single-node cluster and did an end-to-end test with a modified `mesos-execute` binary that can set up port-mapping.


Thanks,

Avinash sridharan
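

An added example, not part of the original e-mail or of the Mesos code: a Python check that derives the DNAT rule implied by the test config above and compares it with the `iptables -t nat -S` output, reporting missing rules and unexpected (stale or extra) ones. The rule format is copied from the output in the e-mail; the `protocol` key, the tcp default and the single-excluded-device limit are assumptions, and the sample data is constructed from the e-mail's values.

```python
import json

# Constructed sample: the fields of the e-mail's test config that drive the rule.
SAMPLE_CONFIG = json.loads("""
{"chain": "MESOS-TEST",
 "excludeDevices": ["mesos-cni0"],
 "args": {"org.apache.mesos": {"network_info": {
   "port_mappings": {"host_port": 8080, "container_port": 9000}}}}}
""")

# The `iptables -t nat -S MESOS-TEST` output shown in the e-mail.
SAMPLE_RULES = """\
-N MESOS-TEST
-A MESOS-TEST ! -i mesos-cni0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.37.21:9000
"""


def expected_rules(config, container_ip, default_protocol="tcp"):
    """Build the DNAT rule lines the config implies for one container IP."""
    info = config["args"]["org.apache.mesos"]["network_info"]
    mappings = info.get("port_mappings", [])
    if isinstance(mappings, dict):  # the e-mail's sample uses a single object
        mappings = [mappings]
    devices = config.get("excludeDevices", [])
    if len(devices) > 1:  # assumption: the e-mail only shows the one-device form
        raise ValueError("only one excluded device is covered by this check")
    exclude = f" ! -i {devices[0]}" if devices else ""
    rules = []
    for m in mappings:
        proto = m.get("protocol", default_protocol)  # assumption: tcp when unset
        rules.append(
            f"-A {config['chain']}{exclude} -p {proto} -m {proto} "
            f"--dport {m['host_port']} -j DNAT "
            f"--to-destination {container_ip}:{m['container_port']}")
    return rules


def audit_chain(config, container_ip, iptables_output):
    """Return (missing, unexpected) rule lines for the chain."""
    lines = (l.strip() for l in iptables_output.splitlines())
    actual = {l for l in lines if l.startswith("-A ")}
    expected = set(expected_rules(config, container_ip))
    return sorted(expected - actual), sorted(actual - expected)


if __name__ == "__main__":
    print(audit_chain(SAMPLE_CONFIG, "192.168.37.21", SAMPLE_RULES))
```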