Waiting for the Mesos containerizer to become mature.

2016-11-07 8:57 GMT+08:00 Tobias Pfeiffer <[email protected]>:

> Hi,
>
> thanks to both of you for your reply.  For the moment I switched to using
> a Mesos container without an underlying Docker image, and then execute
> `docker run myimage <cmd>` in that container.  I guess there will be a
> number of issues with that approach at some point, but for the moment it is
> ok.
>
> Thanks,
> Tobias
>
>
> On Thu, Nov 3, 2016 at 2:58 PM, Jie Yu <[email protected]> wrote:
>
>> To add to haosdent's reply:
>>
>> - I have a USER directive in my Dockerfile in order for the CMD to be
>>> executed as that user, but that does not seem to be supported (yet?) by the
>>> Docker image provider. Is there any method (except `sudo`/`setuser`) to
>>> achieve running as a user present in the image's /etc/fstab?
>>
>>
>> Currently, the USER directive in the Dockerfile is not honored. You can think of
>> that as using `-u` when doing docker run, and it uses the uid of the 'user' on
>> the host ('user' here is what's specified in CommandInfo.user, or
>> FrameworkInfo.user if the former is not specified). The reason we need to
>> do that is because we want to make sure the processes in the container can
>> access their sandbox and persistent volumes, which are owned by 'user'.
>>
>> This can be potentially solved by using user namespace as haosdent
>> pointed out.
>>
>> - I may have to run untrusted code, so can I make sure that users cannot
>> break out of the chroot? What about UID namespacing, so that root in the
>> chroot does not become root on the host system when breaking out?
>>
>> You can run your code using an unprivileged user (e.g., nobody). You just
>> need to set CommandInfo.user.
>>
>> - Jie
>>
>> On Wed, Nov 2, 2016 at 7:14 PM, haosdent <[email protected]> wrote:
>>
>>> >- Is it possible to hide host processes from the container?
>>> You may consider using the namespaces/pid isolator: add
>>> `namespaces/pid` to the `--isolation` flag when launching the Mesos agent.
>>> > -Is it possible to run processes that open network ports (possibly
>>> already open on the host system) and have them mapped to different ports on
>>> the host system, just as with Docker's `-p`?
>>> You need to use CNI port mapping. Refer to its document
>>> https://reviews.apache.org/r/53015/
>>> >  Is there any method (except `sudo`/`setuser`) to achieve running as
>>> a user present in the image's /etc/fstab?
>>> Mesos doesn't support user namespaces now; you need to use su to switch users.
>>>
>>> On Thu, Nov 3, 2016 at 9:56 AM, Tobias Pfeiffer <[email protected]>
>>> wrote:
>>>
>>>> Actually, say I was in a fancy mood, could I actually *not* use the
>>>> Docker image provider and instead run `nvidia-docker run [more hand-crafted
>>>> parameters] myimage <cmd>` as an ordinary command within the Mesos
>>>> container, or would I have to dig very deep into Mesos to find the right
>>>> parameters to pass to nvidia-docker?
>>>>
>>>> Thanks
>>>> Tobias
>>>>
>>>> On Thu, Nov 3, 2016 at 10:18 AM, Tobias Pfeiffer <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I asked this question also yesterday in the #mesos channel on IRC, but
>>>>> I guess due to timezone differences there were not many people awake and/or
>>>>> working, sorry for reposting. (Maybe someone answered after I left, but it
>>>>> seems that the IRC bot is only archiving channel joins/leaves? ->
>>>>> http://wilderness.apache.org/channels/?f=apache-syncope/2016-11-02)
>>>>>
>>>>> My question is about the Mesos containerizer. I want to run code using
>>>>> the Mesos GPU support and the docs state that this is currently only
>>>>> supported by the Mesos containerizer. So my understanding of using the
>>>>> Mesos containerizer with Docker images is that
>>>>> - the content of the Docker images is unpacked to the filesystem
>>>>> (using one of the provisioner backends, such as "copy" or "overlay")
>>>>> - the user's command is executed in a chroot in that directory.
>>>>> Is that correct?
>>>>>
>>>>> The first thing I noticed is (besides a much higher latency due to the
>>>>> image provisioning process) that `ps aux` and `hostname` expose details of
>>>>> the host system, so I was wondering about the level of isolation that I can
>>>>> achieve with the Mesos containerizer, as opposed to running in a Docker
>>>>> container. In particular:
>>>>> - Is it possible to hide host processes from the container?
>>>>> - Is it possible to run processes that open network ports (possibly
>>>>> already open on the host system) and have them mapped to different ports on
>>>>> the host system, just as with Docker's `-p`?
>>>>> - I have a USER directive in my Dockerfile in order for the CMD to be
>>>>> executed as that user, but that does not seem to be supported (yet?) by the
>>>>> Docker image provider. Is there any method (except `sudo`/`setuser`) to
>>>>> achieve running as a user present in the image's /etc/fstab?
>>>>> - I may have to run untrusted code, so can I make sure that users
>>>>> cannot break out of the chroot? What about UID namespacing, so that root in
>>>>> the chroot does not become root on the host system when breaking out?
>>>>>
>>>>> Thanks for your help
>>>>> Tobias
>>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> Best Regards,
>>> Haosdent Huang
>>>
>>
>>
>


-- 
Deshi Xiao
Twitter: xds2000
E-mail: xiaods(AT)gmail.com
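The two concrete settings the replies above point at (putting `namespaces/pid` in the agent's `--isolation` flag so tasks do not see host processes, and setting `CommandInfo.user` to an unprivileged account such as `nobody`) can be checked mechanically. The script below is an added example written for this page, not code from the thread or from the Mesos project. It assumes the agent's `/flags` HTTP endpoint returns JSON of the shape `{"flags": {...}}` with `isolation` as a comma-separated string, and it uses constructed sample data instead of a live agent; the task definitions are plain dicts mirroring `CommandInfo`, and the fallback to `FrameworkInfo.user` follows Jie Yu's description.

```python
"""Check Mesos agent flags and a task definition for the isolation settings
discussed in the thread: `namespaces/pid` in --isolation (hide host
processes) and CommandInfo.user set to an unprivileged user.

Added example for this page; not Mesos project code."""
import json

# Constructed sample of an agent `/flags` response (shape assumed, values
# made up for this example). "Weak" lacks the pid namespace isolator.
AGENT_FLAGS_WEAK = json.dumps({"flags": {
    "containerizers": "mesos",
    "image_providers": "docker",
    "isolation": "filesystem/linux,docker/runtime,gpu/nvidia",
}})

# Same agent with `namespaces/pid` added to --isolation, as haosdent suggests.
AGENT_FLAGS_FIXED = json.dumps({"flags": {
    "containerizers": "mesos",
    "image_providers": "docker",
    "isolation": "filesystem/linux,docker/runtime,gpu/nvidia,namespaces/pid",
}})

# Constructed task definitions; "command" mirrors the CommandInfo message.
TASK_WEAK = {"name": "gpu-job", "command": {"value": "python train.py"}}
TASK_FIXED = {"name": "gpu-job",
              "command": {"value": "python train.py", "user": "nobody"}}


def isolators(flags_json):
    """Return the set of isolator names from the agent's --isolation flag."""
    flags = json.loads(flags_json)["flags"]
    raw = flags.get("isolation", "")
    return {name.strip() for name in raw.split(",") if name.strip()}


def check_agent(flags_json):
    """Return a list of findings for an agent config; empty means ok."""
    findings = []
    iso = isolators(flags_json)
    if "namespaces/pid" not in iso:
        findings.append("agent: namespaces/pid missing from --isolation; "
                        "tasks can see host processes (ps aux)")
    return findings


def check_task(task, framework_user=None):
    """Return a list of findings for one task; empty means ok.

    The effective user is CommandInfo.user, falling back to FrameworkInfo.user
    (assumption: with neither set, the task runs as the agent's own user,
    which is often root)."""
    findings = []
    user = task.get("command", {}).get("user") or framework_user
    if not user:
        findings.append("task %s: no user set; will run as the agent's user"
                        % task.get("name"))
    elif user == "root":
        findings.append("task %s: runs as root inside the container"
                        % task.get("name"))
    return findings


if __name__ == "__main__":
    for label, flags in (("weak", AGENT_FLAGS_WEAK), ("fixed", AGENT_FLAGS_FIXED)):
        print(label, "agent:", check_agent(flags) or "ok")
    for label, task in (("weak", TASK_WEAK), ("fixed", TASK_FIXED)):
        print(label, "task:", check_task(task) or "ok")
```

Against a real agent you would fetch the JSON from `http://<agent>:5051/flags` and pass the body to `check_agent`; the task check is meant to run over the task definitions a framework is about to submit, so a task that would fall back to the agent's user is caught before launch.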
