> On Aug. 16, 2018, 5:22 p.m., James Peach wrote:
> > As per our offline discussion, I think that we can generalize this to make
> > it consistent with the existing options. If we have the concept of a
> > protected port range, then the existing features map to "protect all ports"
> > and "protect agent ports". This option will end up being "protect a custom
> > port range". I think that this concept makes the options easier to explain
> > and easier for operators to reason about.

Updated the review as suggested and made the option more generic.

- Xudong

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207415
-----------------------------------------------------------

On Aug. 16, 2018, 9:28 p.m., Xudong Ni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
>
> (Updated Aug. 16, 2018, 9:28 p.m.)
>
>
> Review request for mesos and James Peach.
>
>
> Bugs: MESOS-9133
>     https://issues.apache.org/jira/browse/MESOS-9133
>
>
> Repository: mesos
>
>
> Description
> -------
>
> For a network isolator disabled environment, in practice, there could
> be a lot of users already binding to ephemeral ports. It would take
> a lot of effort to find/notify/modify those apps. In order to take
> advantage of the network isolator and enable it in such a system, it would
> be useful to add a mesos-agent configuration option to allow enforcing
> port isolation in only the specified port range.
>
>
> Diffs
> -----
>
>   docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb
>   docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
>   src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
>   src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
>   src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c
>   src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9
>   src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
>
>
> Diff: https://reviews.apache.org/r/68366/diff/2/
>
>
> Testing
> -------
>
> New test added to test feature:
>
> [ RUN ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (786 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (787 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (799 ms total)
> [ PASSED ] 1 test.
>
> Existing test updated to test the negative cases:
>
> [ RUN ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
> [ OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (70 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (71 ms total)
>
> Existing test for isolator feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1895 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1896 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1909 ms total)
> [ PASSED ] 1 test.
>
>
> Thanks,
>
> Xudong Ni