> On Aug. 24, 2017, 2:53 a.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/isolators/network/ports.cpp
> > Lines 200-202 (original), 373-375 (patched)
> > <https://reviews.apache.org/r/60496/diff/15/?file=1802539#file1802539line373>
> >
> > When framework launches a task group, this `update()` method will be
> > called twice for the top-level container (executor):
> > 1. When the top-level container is launched. At this time, the
> > `resources` is the top-level container's own resources.
> > 2. When the executor subscribes the agent
> > (https://github.com/apache/mesos/blob/1.3.1/src/slave/slave.cpp#L3719). At
> > this time, the `resources` is the top-level container's own resources + all
> > nested containers resources, so in this `update()` method, the
> > `info->ports` for the top-level container will be updated to include the
> > ports of all nested containers. This seems not correct, since executor
> > process will be allowed to listen on ports not assigned to it.

Fixed in [r/60766](https://reviews.apache.org/r/60766) by calling `update()` in the root-level container pass.

- James

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60496/#review183696
-----------------------------------------------------------

On Aug. 23, 2017, 8:29 p.m., James Peach wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/60496/
> -----------------------------------------------------------
>
> (Updated Aug. 23, 2017, 8:29 p.m.)
>
>
> Review request for mesos, Qian Zhang and Jiang Yan Xu.
>
>
> Bugs: MESOS-7675
>     https://issues.apache.org/jira/browse/MESOS-7675
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Implemented ports resource restrictions in the network ports isolator.
> Periodically, scan for listening sockets and match them up to all
> the open sockets in the containers we are tracking in the network.
> Check any sockets we find against the ports resource and trigger a
> resource limitation if the port has not been allocated.
>
>
> Diffs
> -----
>
>   src/slave/containerizer/mesos/isolators/network/ports.hpp PRE-CREATION
>   src/slave/containerizer/mesos/isolators/network/ports.cpp PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/60496/diff/15/
>
>
> Testing
> -------
>
> make check (Fedora 26)
>
>
> Thanks,
>
> James Peach
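
An added illustration of the check discussed in this thread (not code from the review request or from Mesos): listening sockets are matched to a container by socket inode and any port outside the container's allocated ranges is flagged. It assumes socket data in `/proc/net/tcp` text format as a stand-in for however the isolator collects it; `PortRanges`, `listeners`, `violations` and the sample rows are hypothetical.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

// Inclusive port ranges, standing in for a container's `ports` resource.
using PortRanges = std::vector<std::pair<uint16_t, uint16_t>>;

// Constructed sample (/proc/net/tcp format): LISTEN on 31000 and 31005.
const std::string SAMPLE =
  "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
  "   0: 00000000:7918 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 5001\n"
  "   1: 00000000:791D 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 5002\n"
  "   2: 0100007F:7919 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 5003\n";

// Map socket inode -> local port for every LISTEN (st == 0A) row. The header
// row is dropped by the same state check.
std::map<uint64_t, uint16_t> listeners(const std::string& procNetTcp)
{
  std::map<uint64_t, uint16_t> result;
  std::istringstream in(procNetTcp);
  for (std::string line; std::getline(in, line);) {
    std::istringstream row(line);
    std::vector<std::string> f;
    for (std::string tok; row >> tok;) f.push_back(tok);
    if (f.size() < 10 || f[3] != "0A" || f[1].rfind(':') == std::string::npos) continue;
    result[std::stoull(f[9])] = static_cast<uint16_t>(
        std::stoul(f[1].substr(f[1].rfind(':') + 1), nullptr, 16));
  }
  return result;
}

// Listening ports of a container (matched by inode) outside its allocation.
std::set<uint16_t> violations(const std::map<uint64_t, uint16_t>& listening,
    const std::set<uint64_t>& inodes, const PortRanges& allocated)
{
  std::set<uint16_t> bad;
  for (uint64_t inode : inodes) {
    auto it = listening.find(inode);
    if (it == listening.end()) continue; // Not a listening socket.
    bool ok = false;
    for (const auto& r : allocated)
      ok = ok || (r.first <= it->second && it->second <= r.second);
    if (!ok) bad.insert(it->second);
  }
  return bad;
}
```

With an executor holding inodes 5001 and 5002, checking against its own range (31000 only) reports 31005, while checking against the executor's range plus a nested container's range (31000 and 31005) reports nothing, which is the situation Qian Zhang's comment describes.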
