-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60496/#review183696
-----------------------------------------------------------




src/slave/containerizer/mesos/isolators/network/ports.cpp
Lines 200-202 (original), 373-375 (patched)
<https://reviews.apache.org/r/60496/#comment259760>

    When a framework launches a task group, this `update()` method will be
    called twice for the top-level container (executor):
    1. When the top-level container is launched. At this time, the `resources`
       is the top-level container's own resources.
    2. When the executor subscribes to the agent
       (https://github.com/apache/mesos/blob/1.3.1/src/slave/slave.cpp#L3719).
       At this time, the `resources` is the top-level container's own resources
       + all nested containers' resources, so in this `update()` method, the
       `info->ports` for the top-level container will be updated to include the
       ports of all nested containers. This does not seem correct, since the
       executor process will be allowed to listen on ports not assigned to it.


- Qian Zhang


On Aug. 24, 2017, 4:29 a.m., James Peach wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/60496/
> -----------------------------------------------------------
> 
> (Updated Aug. 24, 2017, 4:29 a.m.)
> 
> 
> Review request for mesos, Qian Zhang and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-7675
>     https://issues.apache.org/jira/browse/MESOS-7675
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Implemented ports resource restrictions in the network ports isolator.
> Periodically, scan for listening sockets and match them up to all
> the open sockets in the containers we are tracking in the network.
> Check any sockets we find against the ports resource and trigger a
> resource limitation if the port has not been allocated.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp PRE-CREATION 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/60496/diff/15/
> 
> 
> Testing
> -------
> 
> make check (Fedora 26)
> 
> 
> Thanks,
> 
> James Peach
> 
>
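
Added example, not part of the review thread and not Mesos source code: a simplified C++ model of the concern raised in the comment above, where a second `update()` carrying aggregated resources widens the set of ports the executor may listen on. The `PortsModel` type, string container IDs and the port numbers are assumptions made for illustration.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <utility>
#include <vector>

// Simplified model, not Mesos code: container IDs are strings and a ports
// resource is a list of inclusive [begin, end] ranges.
using Ranges = std::vector<std::pair<int, int>>;

struct PortsModel {
  std::map<std::string, Ranges> allowed;  // stands in for `info->ports`

  // Models `update()`: the latest resources replace the recorded ports.
  void update(const std::string& id, const Ranges& ports) { allowed[id] = ports; }

  // One scan pass: listening ports not covered by the container's ranges.
  std::set<int> violations(const std::string& id, const std::set<int>& listening) const {
    std::set<int> bad;
    auto it = allowed.find(id);
    for (int port : listening) {
      bool ok = false;
      if (it != allowed.end()) {
        for (const auto& r : it->second) {
          if (port >= r.first && port <= r.second) ok = true;
        }
      }
      if (!ok) bad.insert(port);
    }
    return bad;
  }
};

// Constructed scenario: the executor owns 31000-31001, a nested container
// owns 31002, and the executor process listens on 31000 and 31002.
std::set<int> executorViolations(bool aggregated) {
  PortsModel m;
  m.update("executor", {{31000, 31001}});  // call 1: own resources only
  if (aggregated) {
    m.update("executor", {{31000, 31001}, {31002, 31002}});  // call 2: own + nested
  }
  return m.violations("executor", {31000, 31002});
}

int main() {
  std::cout << "own resources only: " << executorViolations(false).size() << " violation(s)\n";
  std::cout << "after aggregated update: " << executorViolations(true).size() << " violation(s)\n";
  return 0;
}
```

In this model the listener on 31002 is flagged while only the executor's own resources are recorded, and stops being flagged once the aggregated resources are stored.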
