Re: Review Request 60496: Added socket checking to the network ports isolator.

Qian Zhang Fri, 15 Sep 2017 20:01:31 -0700

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60496/#review185517
-----------------------------------------------------------





src/slave/containerizer/mesos/isolators/network/ports.cpp
Lines 421-424 (patched)
<https://reviews.apache.org/r/60496/#comment261833>

    I did some experiments and found when I launch a comman task which is 
allocated with ports [31001-31005] and the command (`nc`) actually listens on 
31006, then I found this task can be killed, but here the message is:
    ```
    "Container aa99dab3-2a25-44e0-bc88-16c485c5c87a is listening on unallocated 
port(s) {[31006,31007)}"
    ```
    This message seems not correct:
    1. why 31007? The `nc` command only listens on 31006. And if I change the 
`nc` command to listen on 31009, the message will be "`... {[31009,31010)}`".
    2. The brackets in `{[31006,31007)}` are not correct, it should be either 
`[]` or `()` but not `[)`.



src/slave/containerizer/mesos/isolators/network/ports.cpp
Lines 421-424 (patched)
<https://reviews.apache.org/r/60496/#comment261834>

    We need to log this message like what we did here:
    
https://github.com/apache/mesos/blob/1.3.1/src/slave/containerizer/mesos/isolators/cgroups/subsystems/memory.cpp#L556


- Qian Zhang


On Sept. 8, 2017, 8:09 a.m., James Peach wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/60496/
> -----------------------------------------------------------
> 
> (Updated Sept. 8, 2017, 8:09 a.m.)
> 
> 
> Review request for mesos, Qian Zhang and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-7675
>     https://issues.apache.org/jira/browse/MESOS-7675
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Implemented ports resource restrictions in the network ports isolator.
> Periodically, scan for listening sockets and match them up to all
> the open sockets in the containers we are tracking in the network.
> Check any sockets we find against the ports resource and trigger a
> resource limitation if the port has not been allocated.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp PRE-CREATION 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/60496/diff/18/
> 
> 
> Testing
> -------
> 
> make check (Fedora 26)
> 
> 
> Thanks,
> 
> James Peach
> 
>

Re: Review Request 60496: Added socket checking to the network ports isolator.

Reply via email to