> On Aug. 21, 2017, 3:15 p.m., Qian Zhang wrote: > > src/slave/flags.cpp > > Lines 1012-1018 (patched) > > <https://reviews.apache.org/r/60591/diff/10/?file=1800293#file1800293line1012> > > > > So by default this flag is not enabled, that means any libprocess-based > > exectuors (e.g., command executor and default executor) will be killed > > since they will listen on ephemeral port? > > James Peach wrote: > Yes, that's correct. > > Qian Zhang wrote: > That is a breaking change. I mean once this code is merged, any > frameworks which uses command executor or default executor (e.g., Marathon) > will be broken since the tasks that they launch will be killed. > > James Peach wrote: > No, you'd have to enable the isolator to break your containers.
Agree. And do you think `--check_agent_port_range_only` would be a better name? If set to `true`, the `network/ports` isolator will do the check only within agent's port range to restrict containers to only listen on the ports that they have been assigned resources for, so containers are allowed to listen on additional ports outside agent's port range. If set to `false`, the `network/ports` isolator will restrict containers to only listen on ports that they have been assigned resources for regardless of agent's port range. And the default value of `--check_agent_port_range_only` should be `true`, which means `network/ports` isolator will run in soft mode, so when operator enable `network/ports` isolator but does not set this flag, the frameworks using libprocess-based executor will not be broken. - Qian ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/60591/#review183303 ----------------------------------------------------------- On Aug. 22, 2017, 4:36 a.m., James Peach wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/60591/ > ----------------------------------------------------------- > > (Updated Aug. 22, 2017, 4:36 a.m.) > > > Review request for mesos, Qian Zhang and Jiang Yan Xu. > > > Bugs: MESOS-7675 > https://issues.apache.org/jira/browse/MESOS-7675 > > > Repository: mesos > > > Description > ------- > > Normally, the `network/ports` isolator will kill any task that > listens on a port that it does not have resources for. However, > executors that are based on the libprocess API will always listen > on a port in the ephemeral range, and we want to make it possible > to use libprocess-based executors. > > Added the `--container_ports_watch_resources_only` option to only > kill tasks when they listen on un-allocated ports within the port > range published by the agent resources. This still prevents port > collisions between tasks, but doesn't kill them just because the > executor is listening on a port. > > > Diffs > ----- > > src/slave/containerizer/mesos/isolators/network/ports.hpp PRE-CREATION > src/slave/containerizer/mesos/isolators/network/ports.cpp PRE-CREATION > src/slave/flags.hpp 2970fea0cfac6af275a758d4bfedfe9a943c2b60 > src/slave/flags.cpp 3b02f3e909a554f15104739832ae3f252926b45f > > > Diff: https://reviews.apache.org/r/60591/diff/13/ > > > Testing > ------- > > make check (Fedora 26) > > > Thanks, > > James Peach > >
