I have a question that is related to this topic. In the "docker support and current limitations" section [1] there is the following statement:

> Only host network is supported. We will add bridge network support soon using CNI support in Mesos (MESOS-4641 <https://issues.apache.org/jira/browse/MESOS-4641>)

The mentioned issue is resolved. Does this mean bridge network is working for the Mesos containerizer?

[1]: https://github.com/apache/mesos/blob/master/docs/container-image.md#docker-support-and-current-limitations

Fri, 31 Mar 2017 at 02:04, Jie Yu <yujie....@gmail.com> wrote:

> > are you talking about the NAT feature of docker in BRIDGE m
>
> Yes
>
> > - regarding the "port mapping isolator giving network namespace": what confuses me is that, given the previous answers, I thought that in that case, the non-ephemeral port range was *shared* (as a resource) between containers, which sounds to me at the opposite of the namespace concept (as a slightly different example, 2 docker containers have their own private 80 port for instance).
>
> The port mapping isolator is for the case where ip per container is not possible (due to ipam restriction, etc), but the user still wants to have network namespace per container (for isolation, getting statistics, etc.)
>
> Since all containers, even if they are in separate namespaces, share the same IP, we have to use some other mechanism to tell which packet belongs to which container. We use ports in that case. You can find more details about the port mapping isolator in this talk I gave at MesosCon 2015: https://www.youtube.com/watch?v=ZA96g1M4v8Y
>
> - Jie
>
> On Thu, Mar 30, 2017 at 2:13 AM, Thomas HUMMEL <thomas.hum...@pasteur.fr> wrote:
>
> > On 03/29/2017 07:25 PM, Jie Yu wrote:
> >
> > > Thomas,
> > >
> > > I think you are confused about the port mapping for NAT purposes, and the port mapping isolator <http://mesos.apache.org/documentation/latest/port-mapping-isolator/>. Those two are very different things. The port mapping isolator (unfortunate naming), as described in the doc, gives you a network namespace per container without requiring an ip per container. No NAT is involved. I think for your case, you should not use it, and it does not work for DockerContainerizer.
> >
> > Thanks,
> >
> > I'm not sure I understand what you say:
> >
> > - are you talking about the NAT feature of docker in BRIDGE mode?
> >
> > - regarding the "port mapping isolator giving network namespace": what confuses me is that, given the previous answers, I thought that in that case, the non-ephemeral port range was *shared* (as a resource) between containers, which sounds to me at the opposite of the namespace concept (as a slightly different example, 2 docker containers have their own private 80 port for instance).
> >
> > What am I missing?
> >
> > Thanks
> >
> > --
> > TH
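To make the distinction in the thread concrete, here is an added toy model (not Mesos code, and not from any of the posters) of the two mechanisms: the port mapping isolator, where every container shares the agent's IP and only a disjoint port range tells packets apart, beside Docker bridge NAT, where each container has its own private IP and ports may repeat. The agent IP, task names and port ranges are constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Container:
    name: str
    ports: list[range]  # non-ephemeral ports the task got from the "ports" resource
    ephemeral: range    # ephemeral range the agent carved out for this container

class PortMappingModel:
    """One host IP shared by all containers, each in its own network namespace."""

    def __init__(self, host_ip: str) -> None:
        self.host_ip = host_ip
        self.containers: list[Container] = []

    def add(self, c: Container) -> None:
        # Ranges are a shared resource: they must be disjoint across containers.
        for other in self.containers:
            for r in c.ports + [c.ephemeral]:
                for o in other.ports + [other.ephemeral]:
                    if r.start < o.stop and o.start < r.stop:
                        raise ValueError(f"{c.name} overlaps {other.name} on {r}")
        self.containers.append(c)

    def route(self, dst_ip: str, dst_port: int) -> str | None:
        # Only the port can attribute a packet to a container; None means the host keeps it.
        if dst_ip != self.host_ip:
            return None
        for c in self.containers:
            if dst_port in c.ephemeral or any(dst_port in r for r in c.ports):
                return c.name
        return None

class BridgeNatModel:
    """Docker bridge mode: private IP per container, so two containers may both
    listen on 80; the host NATs each published port to one (ip, port)."""

    def __init__(self) -> None:
        self.published: dict[int, tuple[str, int]] = {}

    def publish(self, host_port: int, container_ip: str, container_port: int) -> None:
        self.published[host_port] = (container_ip, container_port)

    def route(self, host_port: int) -> tuple[str, int] | None:
        return self.published.get(host_port)

# Constructed sample: agent IP 10.0.0.5 and two tasks with disjoint port ranges.
AGENT = PortMappingModel("10.0.0.5")
AGENT.add(Container("taskA", [range(31000, 31010)], range(32768, 33768)))
AGENT.add(Container("taskB", [range(31010, 31020)], range(33768, 34768)))
```

Adding a third task whose range overlaps an existing one raises, which is the "shared resource" side of the isolator; the bridge model shows why the same port 80 is fine once each container has its own IP.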