Re: Review Request 58200: Fix mesos runs with docker(pid namespace mismatch).

[haosdent huang]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58200/#review172061
---


Fix it, then Ship it!




Ship It!


src/slave/containerizer/docker.cpp
Lines 361-368 (patched)


`SYS_PTRACE` is required to inspect the namesapces of other processes.

I change to 

```
+// `--pid=host` is required for `mesos-docker-executor` to find
+// the pid of the task in `/proc` when running
+// `mesos-docker-executor` in a separate docker container.
+Parameter* pidParameter = dockerInfo.add_parameters();
+pidParameter ->set_key("pid");
+pidParameter->set_value("host");
+
+// `--cap-add=SYS_ADMIN` and `--cap-add=SYS_PTRACE` are required
+// for `mesos-docker-executor` to enter the namespaces of the task
+// during health checking when running `mesos-docker-executor` in a
+// separate docker container.
+Parameter* capAddParameter = dockerInfo.add_parameters();
+capAddParameter->set_key("cap-add");
+capAddParameter->set_value("SYS_ADMIN");
+capAddParameter = dockerInfo.add_parameters();
+capAddParameter->set_key("cap-add");
+capAddParameter->set_value("SYS_PTRACE");
```


- haosdent huang


On April 16, 2017, 9:26 a.m., Deshi Xiao wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58200/
> ---
> 
> (Updated April 16, 2017, 9:26 a.m.)
> 
> 
> Review request for mesos, Alexander Rukletsov and haosdent huang.
> 
> 
> Bugs: MESOS-7210
> https://issues.apache.org/jira/browse/MESOS-7210
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Becuase MESOS HTTP checks doesn't work when mesos runs with
> --docker_mesos_image ( pid namespace mismatch ).So let docker
> executor run with container add host pid mapping(--pid=host)
> 
> 
> Diffs
> -
> 
>   src/slave/containerizer/docker.cpp be1a298b12374bced44e2467cb7e90a1599abb8f 
> 
> 
> Diff: https://reviews.apache.org/r/58200/diff/4/
> 
> 
> Testing
> ---
> 
> 1. Build the image with latest code. Let's name the image with `mesos-build` 
> here.
> 
> 2. Launch mesos master.
> 
> ```
> $ docker run \
>   -it \
>   --pid host \
>   --net host \
>   --privileged \
>   -v /var/run/docker.sock:/var/run/docker.sock \
>   -v /sys/fs/cgroup:/sys/fs/cgroup \
>   mesos-build \
>   mesos-master \
>   --hostname=127.0.0.1 \
>   --ip=127.0.0.1 \
>   --port=5050 \
>   --work_dir=/tmp/mesos
> ```
> 
> 3. Launch mesos agent.
> 
> ```
> $ docker run \
>   -it \
>   --pid host \
>   --net host \
>   --privileged \
>   -v /var/run/docker.sock:/var/run/docker.sock \
>   -v /sys/fs/cgroup:/sys/fs/cgroup \
>   mesos-build \
>   mesos-agent \
>   --hostname=127.0.0.1 \
>   --ip=127.0.0.1 \
>   --master=127.0.0.1:5050 \
>   --systemd_enable_support=false \
>   --work_dir=/tmp/mesos \
>   --containerizers=docker,mesos \
>   --docker_mesos_image=mesos-build
> ```
> 
> 4. Launch task with health check.
> 
> Define the task with health check.
> 
> ```
> $ cat /tmp/task.json
> {
>   "name": "test-health-check",
>   "task_id": {"value" : "test-health-check"},
>   "agent_id": {"value" : ""},
>   "resources": [
> {
>   "name": "cpus",
>   "type": "SCALAR",
>   "scalar": {
> "value": 0.1
>   },
>   "role": "*"
> },
> {
>   "name": "mem",
>   "type": "SCALAR",
>   "scalar": {
> "value": 32
>   },
>   "role": "*"
> }
>   ],
>   "command": {
> "value": "sleep 1000"
>   },
>   "container": {
> "type": "DOCKER",
> "volumes": [],
> "docker": {
>   "image": "mesos-build",
>   "network": "HOST"
> }
>   },
>   "health_check": {
> "type": "HTTP",
> "http": {
>   "scheme": "http",
>   "port": 5050
> },
> "gracePeriodSeconds": 300,
> "intervalSeconds": 60,
> "timeoutSeconds": 20,
> "maxConsecutiveFailures": 3
>   }
> }
> ```
> 
> Lauch task
> 
> ```
> $ mesos-execute --master=127.0.0.1:5050 --task=/tmp/task.json
> ```
> 
> And verified the healthy status of task is correct.
> 
> ```
> I0407 16:29:57.258509 88767 health_checker.cpp:123] Entered the net namespace 
> of task (pid: '88727') successfully
> I0407 16:29:57.334801 88643 health_checker.cpp:395] Performed HTTP health 
> check for task 'test-health-check' in 86.311186ms
> I0407 16:29:57.334872 88643 health_checker.cpp:319] HTTP health check for 
> task 'test-health-check' passed
> ```
> 
> 
> Thanks,
> 
> Deshi Xiao
> 
>

Re: Review Request 58200: Fix mesos runs with docker(pid namespace mismatch).

[Deshi Xiao]

> On 四月 8, 2017, 11:38 a.m., haosdent huang wrote:
> > src/slave/containerizer/docker.cpp
> > Lines 366 (patched)
> > 
> >
> > I think it is fine to use priviliged to lauch mesos-executor. But after 
> > discussed with @xiaods, let me find if we could avoid to use privileged via 
> > --cap-add.

add new pr to fix it, it works in my side workround.


- Deshi


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58200/#review171402
---


On 四月 16, 2017, 9:26 a.m., Deshi Xiao wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58200/
> ---
> 
> (Updated 四月 16, 2017, 9:26 a.m.)
> 
> 
> Review request for mesos, Alexander Rukletsov and haosdent huang.
> 
> 
> Bugs: MESOS-7210
> https://issues.apache.org/jira/browse/MESOS-7210
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Becuase MESOS HTTP checks doesn't work when mesos runs with
> --docker_mesos_image ( pid namespace mismatch ).So let docker
> executor run with container add host pid mapping(--pid=host)
> 
> 
> Diffs
> -
> 
>   src/slave/containerizer/docker.cpp be1a298b12374bced44e2467cb7e90a1599abb8f 
> 
> 
> Diff: https://reviews.apache.org/r/58200/diff/4/
> 
> 
> Testing
> ---
> 
> 1. Build the image with latest code. Let's name the image with `mesos-build` 
> here.
> 
> 2. Launch mesos master.
> 
> ```
> $ docker run \
>   -it \
>   --pid host \
>   --net host \
>   --privileged \
>   -v /var/run/docker.sock:/var/run/docker.sock \
>   -v /sys/fs/cgroup:/sys/fs/cgroup \
>   mesos-build \
>   mesos-master \
>   --hostname=127.0.0.1 \
>   --ip=127.0.0.1 \
>   --port=5050 \
>   --work_dir=/tmp/mesos
> ```
> 
> 3. Launch mesos agent.
> 
> ```
> $ docker run \
>   -it \
>   --pid host \
>   --net host \
>   --privileged \
>   -v /var/run/docker.sock:/var/run/docker.sock \
>   -v /sys/fs/cgroup:/sys/fs/cgroup \
>   mesos-build \
>   mesos-agent \
>   --hostname=127.0.0.1 \
>   --ip=127.0.0.1 \
>   --master=127.0.0.1:5050 \
>   --systemd_enable_support=false \
>   --work_dir=/tmp/mesos \
>   --containerizers=docker,mesos \
>   --docker_mesos_image=mesos-build
> ```
> 
> 4. Launch task with health check.
> 
> Define the task with health check.
> 
> ```
> $ cat /tmp/task.json
> {
>   "name": "test-health-check",
>   "task_id": {"value" : "test-health-check"},
>   "agent_id": {"value" : ""},
>   "resources": [
> {
>   "name": "cpus",
>   "type": "SCALAR",
>   "scalar": {
> "value": 0.1
>   },
>   "role": "*"
> },
> {
>   "name": "mem",
>   "type": "SCALAR",
>   "scalar": {
> "value": 32
>   },
>   "role": "*"
> }
>   ],
>   "command": {
> "value": "sleep 1000"
>   },
>   "container": {
> "type": "DOCKER",
> "volumes": [],
> "docker": {
>   "image": "mesos-build",
>   "network": "HOST"
> }
>   },
>   "health_check": {
> "type": "HTTP",
> "http": {
>   "scheme": "http",
>   "port": 5050
> },
> "gracePeriodSeconds": 300,
> "intervalSeconds": 60,
> "timeoutSeconds": 20,
> "maxConsecutiveFailures": 3
>   }
> }
> ```
> 
> Lauch task
> 
> ```
> $ mesos-execute --master=127.0.0.1:5050 --task=/tmp/task.json
> ```
> 
> And verified the healthy status of task is correct.
> 
> ```
> I0407 16:29:57.258509 88767 health_checker.cpp:123] Entered the net namespace 
> of task (pid: '88727') successfully
> I0407 16:29:57.334801 88643 health_checker.cpp:395] Performed HTTP health 
> check for task 'test-health-check' in 86.311186ms
> I0407 16:29:57.334872 88643 health_checker.cpp:319] HTTP health check for 
> task 'test-health-check' passed
> ```
> 
> 
> Thanks,
> 
> Deshi Xiao
> 
>

Re: Review Request 58200: Fix mesos runs with docker(pid namespace mismatch).

[Deshi Xiao]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58200/
---

(Updated 四月 16, 2017, 9:26 a.m.)


Review request for mesos, Alexander Rukletsov and haosdent huang.


Changes
---

use alternative cap-add SYS_ADMIN


Bugs: MESOS-7210
https://issues.apache.org/jira/browse/MESOS-7210


Repository: mesos


Description
---

Becuase MESOS HTTP checks doesn't work when mesos runs with
--docker_mesos_image ( pid namespace mismatch ).So let docker
executor run with container add host pid mapping(--pid=host)


Diffs (updated)
-

  src/slave/containerizer/docker.cpp be1a298b12374bced44e2467cb7e90a1599abb8f 


Diff: https://reviews.apache.org/r/58200/diff/4/

Changes: https://reviews.apache.org/r/58200/diff/3-4/


Testing
---

1. Build the image with latest code. Let's name the image with `mesos-build` 
here.

2. Launch mesos master.

```
$ docker run \
-it \
--pid host \
--net host \
--privileged \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /sys/fs/cgroup:/sys/fs/cgroup \
mesos-build \
mesos-master \
--hostname=127.0.0.1 \
--ip=127.0.0.1 \
--port=5050 \
--work_dir=/tmp/mesos
```

3. Launch mesos agent.

```
$ docker run \
-it \
--pid host \
--net host \
--privileged \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /sys/fs/cgroup:/sys/fs/cgroup \
mesos-build \
mesos-agent \
--hostname=127.0.0.1 \
--ip=127.0.0.1 \
--master=127.0.0.1:5050 \
--systemd_enable_support=false \
--work_dir=/tmp/mesos \
--containerizers=docker,mesos \
--docker_mesos_image=mesos-build
```

4. Launch task with health check.

Define the task with health check.

```
$ cat /tmp/task.json
{
  "name": "test-health-check",
  "task_id": {"value" : "test-health-check"},
  "agent_id": {"value" : ""},
  "resources": [
{
  "name": "cpus",
  "type": "SCALAR",
  "scalar": {
"value": 0.1
  },
  "role": "*"
},
{
  "name": "mem",
  "type": "SCALAR",
  "scalar": {
"value": 32
  },
  "role": "*"
}
  ],
  "command": {
"value": "sleep 1000"
  },
  "container": {
"type": "DOCKER",
"volumes": [],
"docker": {
  "image": "mesos-build",
  "network": "HOST"
}
  },
  "health_check": {
"type": "HTTP",
"http": {
  "scheme": "http",
  "port": 5050
},
"gracePeriodSeconds": 300,
"intervalSeconds": 60,
"timeoutSeconds": 20,
"maxConsecutiveFailures": 3
  }
}
```

Lauch task

```
$ mesos-execute --master=127.0.0.1:5050 --task=/tmp/task.json
```

And verified the healthy status of task is correct.

```
I0407 16:29:57.258509 88767 health_checker.cpp:123] Entered the net namespace 
of task (pid: '88727') successfully
I0407 16:29:57.334801 88643 health_checker.cpp:395] Performed HTTP health check 
for task 'test-health-check' in 86.311186ms
I0407 16:29:57.334872 88643 health_checker.cpp:319] HTTP health check for task 
'test-health-check' passed
```


Thanks,

Deshi Xiao

Re: Review Request 58200: Fix mesos runs with docker(pid namespace mismatch).

[Mesos Reviewbot]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58200/#review171403
---



Patch looks great!

Reviews applied: [58200]

Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' 
CONFIGURATION='--verbose' ENVIRONMENT='GLOG_v=1 MESOS_VERBOSE=1'; 
./support/docker-build.sh

- Mesos Reviewbot


On April 8, 2017, 11:12 a.m., Deshi Xiao wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58200/
> ---
> 
> (Updated April 8, 2017, 11:12 a.m.)
> 
> 
> Review request for mesos, Alexander Rukletsov and haosdent huang.
> 
> 
> Bugs: MESOS-7210
> https://issues.apache.org/jira/browse/MESOS-7210
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Becuase MESOS HTTP checks doesn't work when mesos runs with
> --docker_mesos_image ( pid namespace mismatch ).So let docker
> executor run with container add host pid mapping(--pid=host)
> 
> 
> Diffs
> -
> 
>   src/slave/containerizer/docker.cpp be1a298b12374bced44e2467cb7e90a1599abb8f 
> 
> 
> Diff: https://reviews.apache.org/r/58200/diff/3/
> 
> 
> Testing
> ---
> 
> 1. Build the image with latest code. Let's name the image with `mesos-build` 
> here.
> 
> 2. Launch mesos master.
> 
> ```
> $ docker run \
>   -it \
>   --pid host \
>   --net host \
>   --privileged \
>   -v /var/run/docker.sock:/var/run/docker.sock \
>   -v /sys/fs/cgroup:/sys/fs/cgroup \
>   mesos-build \
>   mesos-master \
>   --hostname=127.0.0.1 \
>   --ip=127.0.0.1 \
>   --port=5050 \
>   --work_dir=/tmp/mesos
> ```
> 
> 3. Launch mesos agent.
> 
> ```
> $ docker run \
>   -it \
>   --pid host \
>   --net host \
>   --privileged \
>   -v /var/run/docker.sock:/var/run/docker.sock \
>   -v /sys/fs/cgroup:/sys/fs/cgroup \
>   mesos-build \
>   mesos-agent \
>   --hostname=127.0.0.1 \
>   --ip=127.0.0.1 \
>   --master=127.0.0.1:5050 \
>   --systemd_enable_support=false \
>   --work_dir=/tmp/mesos \
>   --containerizers=docker,mesos \
>   --docker_mesos_image=mesos-build
> ```
> 
> 4. Launch task with health check.
> 
> Define the task with health check.
> 
> ```
> $ cat /tmp/task.json
> {
>   "name": "test-health-check",
>   "task_id": {"value" : "test-health-check"},
>   "agent_id": {"value" : ""},
>   "resources": [
> {
>   "name": "cpus",
>   "type": "SCALAR",
>   "scalar": {
> "value": 0.1
>   },
>   "role": "*"
> },
> {
>   "name": "mem",
>   "type": "SCALAR",
>   "scalar": {
> "value": 32
>   },
>   "role": "*"
> }
>   ],
>   "command": {
> "value": "sleep 1000"
>   },
>   "container": {
> "type": "DOCKER",
> "volumes": [],
> "docker": {
>   "image": "mesos-build",
>   "network": "HOST"
> }
>   },
>   "health_check": {
> "type": "HTTP",
> "http": {
>   "scheme": "http",
>   "port": 5050
> },
> "gracePeriodSeconds": 300,
> "intervalSeconds": 60,
> "timeoutSeconds": 20,
> "maxConsecutiveFailures": 3
>   }
> }
> ```
> 
> Lauch task
> 
> ```
> $ mesos-execute --master=127.0.0.1:5050 --task=/tmp/task.json
> ```
> 
> And verified the healthy status of task is correct.
> 
> ```
> I0407 16:29:57.258509 88767 health_checker.cpp:123] Entered the net namespace 
> of task (pid: '88727') successfully
> I0407 16:29:57.334801 88643 health_checker.cpp:395] Performed HTTP health 
> check for task 'test-health-check' in 86.311186ms
> I0407 16:29:57.334872 88643 health_checker.cpp:319] HTTP health check for 
> task 'test-health-check' passed
> ```
> 
> 
> Thanks,
> 
> Deshi Xiao
> 
>

Re: Review Request 58200: Fix mesos runs with docker(pid namespace mismatch).

[haosdent huang]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58200/#review171402
---




src/slave/containerizer/docker.cpp
Lines 366 (patched)


I think it is fine to use priviliged to lauch mesos-executor. But after 
discussed with @xiaods, let me find if we could avoid to use privileged via 
--cap-add.


- haosdent huang


On April 8, 2017, 11:12 a.m., Deshi Xiao wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58200/
> ---
> 
> (Updated April 8, 2017, 11:12 a.m.)
> 
> 
> Review request for mesos, Alexander Rukletsov and haosdent huang.
> 
> 
> Bugs: MESOS-7210
> https://issues.apache.org/jira/browse/MESOS-7210
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Becuase MESOS HTTP checks doesn't work when mesos runs with
> --docker_mesos_image ( pid namespace mismatch ).So let docker
> executor run with container add host pid mapping(--pid=host)
> 
> 
> Diffs
> -
> 
>   src/slave/containerizer/docker.cpp be1a298b12374bced44e2467cb7e90a1599abb8f 
> 
> 
> Diff: https://reviews.apache.org/r/58200/diff/3/
> 
> 
> Testing
> ---
> 
> 1. Build the image with latest code. Let's name the image with `mesos-build` 
> here.
> 
> 2. Launch mesos master.
> 
> ```
> $ docker run \
>   -it \
>   --pid host \
>   --net host \
>   --privileged \
>   -v /var/run/docker.sock:/var/run/docker.sock \
>   -v /sys/fs/cgroup:/sys/fs/cgroup \
>   mesos-build \
>   mesos-master \
>   --hostname=127.0.0.1 \
>   --ip=127.0.0.1 \
>   --port=5050 \
>   --work_dir=/tmp/mesos
> ```
> 
> 3. Launch mesos agent.
> 
> ```
> $ docker run \
>   -it \
>   --pid host \
>   --net host \
>   --privileged \
>   -v /var/run/docker.sock:/var/run/docker.sock \
>   -v /sys/fs/cgroup:/sys/fs/cgroup \
>   mesos-build \
>   mesos-agent \
>   --hostname=127.0.0.1 \
>   --ip=127.0.0.1 \
>   --master=127.0.0.1:5050 \
>   --systemd_enable_support=false \
>   --work_dir=/tmp/mesos \
>   --containerizers=docker,mesos \
>   --docker_mesos_image=mesos-build
> ```
> 
> 4. Launch task with health check.
> 
> Define the task with health check.
> 
> ```
> $ cat /tmp/task.json
> {
>   "name": "test-health-check",
>   "task_id": {"value" : "test-health-check"},
>   "agent_id": {"value" : ""},
>   "resources": [
> {
>   "name": "cpus",
>   "type": "SCALAR",
>   "scalar": {
> "value": 0.1
>   },
>   "role": "*"
> },
> {
>   "name": "mem",
>   "type": "SCALAR",
>   "scalar": {
> "value": 32
>   },
>   "role": "*"
> }
>   ],
>   "command": {
> "value": "sleep 1000"
>   },
>   "container": {
> "type": "DOCKER",
> "volumes": [],
> "docker": {
>   "image": "mesos-build",
>   "network": "HOST"
> }
>   },
>   "health_check": {
> "type": "HTTP",
> "http": {
>   "scheme": "http",
>   "port": 5050
> },
> "gracePeriodSeconds": 300,
> "intervalSeconds": 60,
> "timeoutSeconds": 20,
> "maxConsecutiveFailures": 3
>   }
> }
> ```
> 
> Lauch task
> 
> ```
> $ mesos-execute --master=127.0.0.1:5050 --task=/tmp/task.json
> ```
> 
> And verified the healthy status of task is correct.
> 
> ```
> I0407 16:29:57.258509 88767 health_checker.cpp:123] Entered the net namespace 
> of task (pid: '88727') successfully
> I0407 16:29:57.334801 88643 health_checker.cpp:395] Performed HTTP health 
> check for task 'test-health-check' in 86.311186ms
> I0407 16:29:57.334872 88643 health_checker.cpp:319] HTTP health check for 
> task 'test-health-check' passed
> ```
> 
> 
> Thanks,
> 
> Deshi Xiao
> 
>

Re: Review Request 58200: Fix mesos runs with docker(pid namespace mismatch).

[Deshi Xiao]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58200/
---

(Updated 四月 8, 2017, 11:12 a.m.)


Review request for mesos, Alexander Rukletsov and haosdent huang.


Changes
---

Thanks haosdent.


Summary (updated)
-

Fix mesos runs with docker(pid namespace mismatch).


Bugs: MESOS-7210
https://issues.apache.org/jira/browse/MESOS-7210


Repository: mesos


Description (updated)
---

Becuase MESOS HTTP checks doesn't work when mesos runs with
--docker_mesos_image ( pid namespace mismatch ).So let docker
executor run with container add host pid mapping(--pid=host)


Diffs (updated)
-

  src/slave/containerizer/docker.cpp be1a298b12374bced44e2467cb7e90a1599abb8f 


Diff: https://reviews.apache.org/r/58200/diff/3/

Changes: https://reviews.apache.org/r/58200/diff/2-3/


Testing
---

1. Build the image with latest code. Let's name the image with `mesos-build` 
here.

2. Launch mesos master.

```
$ docker run \
-it \
--pid host \
--net host \
--privileged \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /sys/fs/cgroup:/sys/fs/cgroup \
mesos-build \
mesos-master \
--hostname=127.0.0.1 \
--ip=127.0.0.1 \
--port=5050 \
--work_dir=/tmp/mesos
```

3. Launch mesos agent.

```
$ docker run \
-it \
--pid host \
--net host \
--privileged \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /sys/fs/cgroup:/sys/fs/cgroup \
mesos-build \
mesos-agent \
--hostname=127.0.0.1 \
--ip=127.0.0.1 \
--master=127.0.0.1:5050 \
--systemd_enable_support=false \
--work_dir=/tmp/mesos \
--containerizers=docker,mesos \
--docker_mesos_image=mesos-build
```

4. Launch task with health check.

Define the task with health check.

```
$ cat /tmp/task.json
{
  "name": "test-health-check",
  "task_id": {"value" : "test-health-check"},
  "agent_id": {"value" : ""},
  "resources": [
{
  "name": "cpus",
  "type": "SCALAR",
  "scalar": {
"value": 0.1
  },
  "role": "*"
},
{
  "name": "mem",
  "type": "SCALAR",
  "scalar": {
"value": 32
  },
  "role": "*"
}
  ],
  "command": {
"value": "sleep 1000"
  },
  "container": {
"type": "DOCKER",
"volumes": [],
"docker": {
  "image": "mesos-build",
  "network": "HOST"
}
  },
  "health_check": {
"type": "HTTP",
"http": {
  "scheme": "http",
  "port": 5050
},
"gracePeriodSeconds": 300,
"intervalSeconds": 60,
"timeoutSeconds": 20,
"maxConsecutiveFailures": 3
  }
}
```

Lauch task

```
$ mesos-execute --master=127.0.0.1:5050 --task=/tmp/task.json
```

And verified the healthy status of task is correct.

```
I0407 16:29:57.258509 88767 health_checker.cpp:123] Entered the net namespace 
of task (pid: '88727') successfully
I0407 16:29:57.334801 88643 health_checker.cpp:395] Performed HTTP health check 
for task 'test-health-check' in 86.311186ms
I0407 16:29:57.334872 88643 health_checker.cpp:319] HTTP health check for task 
'test-health-check' passed
```


Thanks,

Deshi Xiao

Re: Review Request 58200: Fix mesos runs with docker(pid namespace mismatch).

[haosdent huang]

> On April 7, 2017, 4:31 p.m., haosdent huang wrote:
> >

This requires `mesos-docker-executor` share the same namespace with 
`mesos-agent`. So need `--pid=host`.

And `nsenter` requires privileged permissions, so need `--privileged=true`.


- haosdent


---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58200/#review171361
---


On April 7, 2017, 4:40 p.m., Deshi Xiao wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58200/
> ---
> 
> (Updated April 7, 2017, 4:40 p.m.)
> 
> 
> Review request for mesos, Alexander Rukletsov and haosdent huang.
> 
> 
> Bugs: MESOS-7210
> https://issues.apache.org/jira/browse/MESOS-7210
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Becuase MESOS HTTP checks doesn't work when mesos runs with
> --docker_mesos_image ( pid namespace mismatch ).So let docker
> executor run with container add host pid mapping(--pid=host)
> 
> 
> Diffs
> -
> 
>   src/slave/containerizer/docker.cpp ad9ab847cb3093724ef374d036c896b4e7f18b5e 
> 
> 
> Diff: https://reviews.apache.org/r/58200/diff/1/
> 
> 
> Testing
> ---
> 
> 1. Build the image with latest code. Let's name the image with `mesos-build` 
> here.
> 
> 2. Launch mesos master.
> 
> ```
> $ docker run \
>   -it \
>   --pid host \
>   --net host \
>   --privileged \
>   -v /var/run/docker.sock:/var/run/docker.sock \
>   -v /sys/fs/cgroup:/sys/fs/cgroup \
>   mesos-build \
>   mesos-master \
>   --hostname=127.0.0.1 \
>   --ip=127.0.0.1 \
>   --port=5050 \
>   --work_dir=/tmp/mesos
> ```
> 
> 3. Launch mesos agent.
> 
> ```
> $ docker run \
>   -it \
>   --pid host \
>   --net host \
>   --privileged \
>   -v /var/run/docker.sock:/var/run/docker.sock \
>   -v /sys/fs/cgroup:/sys/fs/cgroup \
>   mesos-build \
>   mesos-agent \
>   --hostname=127.0.0.1 \
>   --ip=127.0.0.1 \
>   --master=127.0.0.1:5050 \
>   --systemd_enable_support=false \
>   --work_dir=/tmp/mesos \
>   --containerizers=docker,mesos \
>   --docker_mesos_image=mesos-build
> ```
> 
> 4. Launch task with health check.
> 
> Define the task with health check.
> 
> ```
> $ cat /tmp/task.json
> {
>   "name": "test-health-check",
>   "task_id": {"value" : "test-health-check"},
>   "agent_id": {"value" : ""},
>   "resources": [
> {
>   "name": "cpus",
>   "type": "SCALAR",
>   "scalar": {
> "value": 0.1
>   },
>   "role": "*"
> },
> {
>   "name": "mem",
>   "type": "SCALAR",
>   "scalar": {
> "value": 32
>   },
>   "role": "*"
> }
>   ],
>   "command": {
> "value": "sleep 1000"
>   },
>   "container": {
> "type": "DOCKER",
> "volumes": [],
> "docker": {
>   "image": "mesos-build",
>   "network": "HOST"
> }
>   },
>   "health_check": {
> "type": "HTTP",
> "http": {
>   "scheme": "http",
>   "port": 5050
> },
> "gracePeriodSeconds": 300,
> "intervalSeconds": 60,
> "timeoutSeconds": 20,
> "maxConsecutiveFailures": 3
>   }
> }
> ```
> 
> Lauch task
> 
> ```
> $ mesos-execute --master=127.0.0.1:5050 --task=/tmp/task.json
> ```
> 
> And verified the healthy status of task is correct.
> 
> ```
> I0407 16:29:57.258509 88767 health_checker.cpp:123] Entered the net namespace 
> of task (pid: '88727') successfully
> I0407 16:29:57.334801 88643 health_checker.cpp:395] Performed HTTP health 
> check for task 'test-health-check' in 86.311186ms
> I0407 16:29:57.334872 88643 health_checker.cpp:319] HTTP health check for 
> task 'test-health-check' passed
> ```
> 
> 
> Thanks,
> 
> Deshi Xiao
> 
>

Re: Review Request 58200: Fix mesos runs with docker(pid namespace mismatch).

[Deshi Xiao]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58200/
---

(Updated April 7, 2017, 4:40 p.m.)


Review request for mesos, Alexander Rukletsov and haosdent huang.


Bugs: MESOS-7210
https://issues.apache.org/jira/browse/MESOS-7210


Repository: mesos


Description
---

Becuase MESOS HTTP checks doesn't work when mesos runs with
--docker_mesos_image ( pid namespace mismatch ).So let docker
executor run with container add host pid mapping(--pid=host)


Diffs
-

  src/slave/containerizer/docker.cpp ad9ab847cb3093724ef374d036c896b4e7f18b5e 


Diff: https://reviews.apache.org/r/58200/diff/1/


Testing (updated)
---

1. Build the image with latest code. Let's name the image with `mesos-build` 
here.

2. Launch mesos master.

```
$ docker run \
-it \
--pid host \
--net host \
--privileged \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /sys/fs/cgroup:/sys/fs/cgroup \
mesos-build \
mesos-master \
--hostname=127.0.0.1 \
--ip=127.0.0.1 \
--port=5050 \
--work_dir=/tmp/mesos
```

3. Launch mesos agent.

```
$ docker run \
-it \
--pid host \
--net host \
--privileged \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /sys/fs/cgroup:/sys/fs/cgroup \
mesos-build \
mesos-agent \
--hostname=127.0.0.1 \
--ip=127.0.0.1 \
--master=127.0.0.1:5050 \
--systemd_enable_support=false \
--work_dir=/tmp/mesos \
--containerizers=docker,mesos \
--docker_mesos_image=mesos-build
```

4. Launch task with health check.

Define the task with health check.

```
$ cat /tmp/task.json
{
  "name": "test-health-check",
  "task_id": {"value" : "test-health-check"},
  "agent_id": {"value" : ""},
  "resources": [
{
  "name": "cpus",
  "type": "SCALAR",
  "scalar": {
"value": 0.1
  },
  "role": "*"
},
{
  "name": "mem",
  "type": "SCALAR",
  "scalar": {
"value": 32
  },
  "role": "*"
}
  ],
  "command": {
"value": "sleep 1000"
  },
  "container": {
"type": "DOCKER",
"volumes": [],
"docker": {
  "image": "mesos-build",
  "network": "HOST"
}
  },
  "health_check": {
"type": "HTTP",
"http": {
  "scheme": "http",
  "port": 5050
},
"gracePeriodSeconds": 300,
"intervalSeconds": 60,
"timeoutSeconds": 20,
"maxConsecutiveFailures": 3
  }
}
```

Lauch task

```
$ mesos-execute --master=127.0.0.1:5050 --task=/tmp/task.json
```

And verified the healthy status of task is correct.

```
I0407 16:29:57.258509 88767 health_checker.cpp:123] Entered the net namespace 
of task (pid: '88727') successfully
I0407 16:29:57.334801 88643 health_checker.cpp:395] Performed HTTP health check 
for task 'test-health-check' in 86.311186ms
I0407 16:29:57.334872 88643 health_checker.cpp:319] HTTP health check for task 
'test-health-check' passed
```


Thanks,

Deshi Xiao

Re: Review Request 58200: Fix mesos runs with docker(pid namespace mismatch).

[haosdent huang]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58200/#review171361
---




src/slave/containerizer/docker.cpp
Lines 361-364 (patched)


I use

```
+Parameter* pidParameter = dockerInfo.add_parameters();
+pidParameter->set_key("pid");
+pidParameter->set_value("host");
+
+Parameter* privilegedParameter = dockerInfo.add_parameters();
+privilegedParameter->set_key("privileged");
+privilegedParameter->set_value("true");
+
```

and work in my side. May you help to double check again?


- haosdent huang


On April 5, 2017, 11:35 p.m., Deshi Xiao wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58200/
> ---
> 
> (Updated April 5, 2017, 11:35 p.m.)
> 
> 
> Review request for mesos, Alexander Rukletsov and haosdent huang.
> 
> 
> Bugs: MESOS-7210
> https://issues.apache.org/jira/browse/MESOS-7210
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Becuase MESOS HTTP checks doesn't work when mesos runs with
> --docker_mesos_image ( pid namespace mismatch ).So let docker
> executor run with container add host pid mapping(--pid=host)
> 
> 
> Diffs
> -
> 
>   src/slave/containerizer/docker.cpp ad9ab847cb3093724ef374d036c896b4e7f18b5e 
> 
> 
> Diff: https://reviews.apache.org/r/58200/diff/1/
> 
> 
> Testing
> ---
> 
> first testing : 
> https://gist.github.com/xiaods/c5a11e3ab51e89a9609edc2c477f7ea8
> 
> 
> Thanks,
> 
> Deshi Xiao
> 
>

Re: Review Request 58200: Fix mesos runs with docker(pid namespace mismatch).

[haosdent huang]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58200/#review171353
---




src/slave/containerizer/docker.cpp
Lines 361 (patched)


Got this error

```
Failed to enter the net namespace of task (pid: '78851'): Operation not 
permitted
```

Need to add capacity.


- haosdent huang


On April 5, 2017, 11:35 p.m., Deshi Xiao wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58200/
> ---
> 
> (Updated April 5, 2017, 11:35 p.m.)
> 
> 
> Review request for mesos, Alexander Rukletsov and haosdent huang.
> 
> 
> Bugs: MESOS-7210
> https://issues.apache.org/jira/browse/MESOS-7210
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Becuase MESOS HTTP checks doesn't work when mesos runs with
> --docker_mesos_image ( pid namespace mismatch ).So let docker
> executor run with container add host pid mapping(--pid=host)
> 
> 
> Diffs
> -
> 
>   src/slave/containerizer/docker.cpp ad9ab847cb3093724ef374d036c896b4e7f18b5e 
> 
> 
> Diff: https://reviews.apache.org/r/58200/diff/1/
> 
> 
> Testing
> ---
> 
> first testing : 
> https://gist.github.com/xiaods/c5a11e3ab51e89a9609edc2c477f7ea8
> 
> 
> Thanks,
> 
> Deshi Xiao
> 
>

Re: Review Request 58200: Fix mesos runs with docker(pid namespace mismatch).

[Deshi Xiao]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58200/
---

(Updated 四月 5, 2017, 11:35 p.m.)


Review request for mesos, Alexander Rukletsov and haosdent huang.


Bugs: MESOS-7210
https://issues.apache.org/jira/browse/MESOS-7210


Repository: mesos


Description
---

Becuase MESOS HTTP checks doesn't work when mesos runs with
--docker_mesos_image ( pid namespace mismatch ).So let docker
executor run with container add host pid mapping(--pid=host)


Diffs
-

  src/slave/containerizer/docker.cpp ad9ab847cb3093724ef374d036c896b4e7f18b5e 


Diff: https://reviews.apache.org/r/58200/diff/1/


Testing (updated)
---

first testing : https://gist.github.com/xiaods/c5a11e3ab51e89a9609edc2c477f7ea8


Thanks,

Deshi Xiao

Re: Review Request 58200: Fix mesos runs with docker(pid namespace mismatch).

[haosdent huang]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58200/#review171112
---



Hi, @deshi May you write down how you verify and test this patch? I would like 
to do the verification in my side.

- haosdent huang


On April 5, 2017, 6:59 a.m., Deshi Xiao wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58200/
> ---
> 
> (Updated April 5, 2017, 6:59 a.m.)
> 
> 
> Review request for mesos, Alexander Rukletsov and haosdent huang.
> 
> 
> Bugs: MESOS-7210
> https://issues.apache.org/jira/browse/MESOS-7210
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Becuase MESOS HTTP checks doesn't work when mesos runs with
> --docker_mesos_image ( pid namespace mismatch ).So let docker
> executor run with container add host pid mapping(--pid=host)
> 
> 
> Diffs
> -
> 
>   src/slave/containerizer/docker.cpp ad9ab847cb3093724ef374d036c896b4e7f18b5e 
> 
> 
> Diff: https://reviews.apache.org/r/58200/diff/1/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> Deshi Xiao
> 
>

Re: Review Request 58200: Fix mesos runs with docker(pid namespace mismatch).

[Mesos Reviewbot]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58200/#review17
---



Patch looks great!

Reviews applied: [58200]

Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' 
CONFIGURATION='--verbose' ENVIRONMENT='GLOG_v=1 MESOS_VERBOSE=1'; 
./support/docker-build.sh

- Mesos Reviewbot


On April 5, 2017, 6:59 a.m., Deshi Xiao wrote:
> 
> ---
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/58200/
> ---
> 
> (Updated April 5, 2017, 6:59 a.m.)
> 
> 
> Review request for mesos, Alexander Rukletsov and haosdent huang.
> 
> 
> Bugs: MESOS-7210
> https://issues.apache.org/jira/browse/MESOS-7210
> 
> 
> Repository: mesos
> 
> 
> Description
> ---
> 
> Becuase MESOS HTTP checks doesn't work when mesos runs with
> --docker_mesos_image ( pid namespace mismatch ).So let docker
> executor run with container add host pid mapping(--pid=host)
> 
> 
> Diffs
> -
> 
>   src/slave/containerizer/docker.cpp ad9ab847cb3093724ef374d036c896b4e7f18b5e 
> 
> 
> Diff: https://reviews.apache.org/r/58200/diff/1/
> 
> 
> Testing
> ---
> 
> 
> Thanks,
> 
> Deshi Xiao
> 
>

Review Request 58200: Fix mesos runs with docker(pid namespace mismatch).

[Deshi Xiao]

---
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/58200/
---

Review request for mesos, Alexander Rukletsov and haosdent huang.


Bugs: mesos-7210
https://issues.apache.org/jira/browse/mesos-7210


Repository: mesos


Description
---

Becuase MESOS HTTP checks doesn't work when mesos runs with
--docker_mesos_image ( pid namespace mismatch ).So let docker
executor run with container add host pid mapping(--pid=host)


Diffs
-

  src/slave/containerizer/docker.cpp ad9ab847cb3093724ef374d036c896b4e7f18b5e 


Diff: https://reviews.apache.org/r/58200/diff/1/


Testing
---


Thanks,

Deshi Xiao