> On Aug. 21, 2017, 8:32 a.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/containerizer.cpp
> > Line 244 (original), 245 (patched)
> > <https://reviews.apache.org/r/60766/diff/8/?file=1800294#file1800294line245>
> >
> >     So here we only count `network/cni` isolator and `network/port_mapping`
> >     isolator, either of them (but not both of them) can work with
> >     `network/ports` isolator. Can you please also update the comments
> >     accordingly?

This is already commented just above.


> On Aug. 21, 2017, 8:32 a.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/isolators/network/ports.cpp
> > Lines 308-311 (original), 313-323 (patched)
> > <https://reviews.apache.org/r/60766/diff/8/?file=1800296#file1800296line313>
> >
> >     I think we only need to do this check for a top-level container, but not
> >     for a nested container since a nested container always shares its network
> >     namespace with its parent. So we may need to add `!containerId.has_parent()`
> >     into the condition of the first `if`.

The check for nested containers needs to be separate since the child might be
nested within a CNI network or a host network. When we `prepare` a nested
container, we only isolate it if we already isolated the corresponding root of
the container tree.


> On Aug. 21, 2017, 8:32 a.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/isolators/network/ports.cpp
> > Lines 392-402 (patched)
> > <https://reviews.apache.org/r/60766/diff/8/?file=1800296#file1800296line392>
> >
> >     Can we check `state->executor_info().container().network_infos()`
> >     rather than checking CNI container dir?

Are we guaranteed to have a named network in `state->executor_info` in the case
of nested containers joining the parent network? If not, then I think we still
have to check whether the root container has a CNI configuration. I updated the
patch to do this.


- James


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60766/#review183307
-----------------------------------------------------------


On Aug. 21, 2017, 10:01 p.m., James Peach wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/60766/
> -----------------------------------------------------------
>
> (Updated Aug. 21, 2017, 10:01 p.m.)
>
>
> Review request for mesos, Qian Zhang and Jiang Yan Xu.
>
>
> Bugs: MESOS-7675
>     https://issues.apache.org/jira/browse/MESOS-7675
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Working on the assumption that containers with CNI networks will
> get their own IP addresses and don't need port isolation, ignore
> any containers that are joining CNI networks.
>
>
> Diffs
> -----
>
>   src/slave/containerizer/mesos/containerizer.cpp 5772421c3078d36225b946a5286b8c1bf2f007e8
>   src/slave/containerizer/mesos/isolators/network/ports.hpp PRE-CREATION
>   src/slave/containerizer/mesos/isolators/network/ports.cpp PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/60766/diff/9/
>
>
> Testing
> -------
>
> make check (Fedora 26).
>
>
> Thanks,
>
> James Peach
>
>
