We have figured out a way to provide IPs to containers as well as
network-level policy driven ACLs using Nuage’s VSP and Docker monitor installed 
on each slave node leveraging OVS.


Shafay Latif
> On Aug 10, 2015, at 11:46 PM, Christos Kozyrakis <[email protected]> wrote:
> 
> Hi Trevor, 
> 
> we are working with Project Calico in order to implement two important 
> features (urgently missing in Mesos imho):
> - IPs per container: this will eliminate port conflicts when apps with 
> specific port needs get deployed on the same slave
> - network-level isolation: so that you can control which apps can reach each 
> other and how, within or across slaves. 
> 
> The details will be presented at MesosCon and code released soon after that 
> to the open source. 
> 
> Let me know if you need more info ahead of time. 
> 
> On Mon, Aug 10, 2015 at 11:24 PM, Trevor Powell <[email protected]> wrote:
> Anyone have any thoughts on how Mesos may accomplish this use case?
> 
> We have several workloads that span multiple slaves and we want to ensure
> those workloads can see each other, the internet, and nothing else.
> Basically we have untrusted groups of workloads. We trust the load to talk
> to itself across several slaves. But we don’t trust it to not affect or
> inspect other workloads on the same slave. Basically we are looking to
> place “blinders” on the workload. So it can only see what it needs to see
> from the network level.
> 
> I have heard of things like Weave or Project Calico
> (http://www.projectcalico.org/learn/).
> They seem promising. But I ponder what Mesos is looking to do long term.
> 
> -- 
> Trevor Alexander Powell
> Sr. Manager, Cloud Engineer & Architecture
> 7575 Gateway Blvd. Newark, CA 94560
> T: +1.510.713.3751
> M: +1.650.325.7467
> www.rms.com
> 
> 
> -- 
> Christos
