On 03/31/2017 10:23 AM, Tomek Janiszewski wrote:
> I have a question that is related to this topic. In "docker support
> and current limitations" section [1] there is a following statement:
> > Only host network is supported. We will add bridge network support
> soon using CNI support in Mesos (MESOS-4641
> <https://issues.apache.org/jira/browse/MESOS-4641>)
> Mentioned issue is resolved. Does this means bridge network is working
> for Mesos containerizer?
>
> [1]: https://github.com/apache/mesos/blob/master/docs/container-image.md#docker-support-and-current-limitations
CNI support in the unified containerizer (mesos) gives the possibility to
assign an IP per container, so no port mapping (the ports you use will
be used directly, as the container has its own IP address). There is no
"bridge" network as per Docker (mapping of container port 80 to host
port 30000, for example).

Olivier
>
> Fri, 31 Mar 2017 at 02:04, Jie Yu <yujie....@gmail.com
> <mailto:yujie....@gmail.com>> wrote:
>
>         are you talking about the NAT feature of docker in BRIDGE m
>
>
>     Yes
>
>          - regarding the "port mapping isolator giving network
>         namespace": what confuses me is that, given the previous
>         answers, I thought that in that case, the
>         non-ephemeral port range was *shared* (as a resource) between
>         containers, which sounds to me the opposite of the
>         namespace concept (as a slightly different example, 2 docker
>         containers have their own private port 80, for instance).
>
>
>     The port mapping isolator is for the case where ip per container
>     is not possible (due to ipam restriction, etc), but the user still
>     wants to have network namespace per container (for isolation,
>     getting statistics, etc.)
>
>     Since all containers, even if they are in separate namespaces,
>     share the same IP, we have to use some other mechanism to tell
>     which packet belongs to which container. We use ports in that
>     case. You can find more details about port mapping isolator in
>     this talk I gave in 2015
>     MesosCon: https://www.youtube.com/watch?v=ZA96g1M4v8Y
>
>     - Jie
>
>     On Thu, Mar 30, 2017 at 2:13 AM, Thomas HUMMEL
>     <thomas.hum...@pasteur.fr <mailto:thomas.hum...@pasteur.fr>> wrote:
>
>
>         On 03/29/2017 07:25 PM, Jie Yu wrote:
>>         Thomas,
>>
>>         I think you are confused about the port mapping for NAT
>>         purposes, and the port mapping isolator
>>         <http://mesos.apache.org/documentation/latest/port-mapping-isolator/>.
>>         Those are two very different things. The port mapping isolator
>>         (unfortunate naming), as described in the doc, gives you a
>>         network namespace per container without requiring an IP per
>>         container. No NAT is involved. I think for your case, you
>>         should not use it, and it does not work for DockerContainerizer.
>         Thanks,
>
>         I'm not sure I understand what you're saying:
>
>         - are you talking about the NAT feature of docker in BRIDGE mode?
>
>         - regarding the "port mapping isolator giving network
>         namespace": what confuses me is that, given the previous
>         answers, I thought that in that case, the non-ephemeral port
>         range was *shared* (as a resource) between containers, which
>         sounds to me the opposite of the namespace concept (as a
>         slightly different example, 2 docker containers have their own
>         private port 80, for instance).
>
>         What am I missing?
>
>         Thanks
>
>         --
>         TH
>
>

-- 
Olivier Sallou
IRISA / University of Rennes 1
Campus de Beaulieu, 35000 RENNES - FRANCE
Tel: 02.99.84.71.95

gpg key id: 4096R/326D8438  (keyring.debian.org)
Key fingerprint = 5FB4 6F83 D3B9 5204 6335  D26D 78DC 68DB 326D 8438
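The two models discussed in this thread (Olivier's "IP per container, so no port mapping" under CNI, and Jie's "ports tell which packet belongs to which container" when containers share the host IP under the port mapping isolator) can be made concrete with a small model of packet ownership. This is an added example, not Mesos code and not from either author; the container names, addresses and port ranges are constructed, and the `NetworkModel` class and its overlap check are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Container:
    """A container as seen by the network: its address and, when that
    address is shared with other containers, its allotted port range."""
    cid: str
    ip: str                                  # own IP (CNI) or the shared host IP
    ports: Optional[Tuple[int, int]] = None  # inclusive non-ephemeral range, shared-IP case only


class NetworkModel:
    """Hypothetical model (not Mesos code) of which container owns an inbound
    packet addressed to (dst_ip, dst_port)."""

    def __init__(self, containers):
        self.containers = list(containers)
        self._check_port_ranges()

    def _check_port_ranges(self):
        # When several containers share one IP, the destination port is the only
        # thing that can tell their traffic apart, so every such container needs
        # a port range and no two ranges on the same IP may overlap.
        by_ip = {}
        for c in self.containers:
            by_ip.setdefault(c.ip, []).append(c)
        for ip, group in by_ip.items():
            if len(group) < 2:
                continue
            for c in group:
                if c.ports is None:
                    raise ValueError(f"{c.cid} shares {ip} but has no port range")
            ranges = sorted(c.ports for c in group)
            for (_, prev_hi), (lo, _) in zip(ranges, ranges[1:]):
                if lo <= prev_hi:
                    raise ValueError(f"overlapping port ranges on {ip}")

    def owner(self, dst_ip: str, dst_port: int) -> Optional[str]:
        candidates = [c for c in self.containers if c.ip == dst_ip]
        # IP per container: the address alone identifies the owner, so any
        # port, including 80, is private to that container.
        if len(candidates) == 1 and candidates[0].ports is None:
            return candidates[0].cid
        # Shared IP: the port decides; a port outside every range reaches nobody.
        for c in candidates:
            lo, hi = c.ports
            if lo <= dst_port <= hi:
                return c.cid
        return None


# Constructed sample topology (addresses and names are made up).
# CNI network: each container gets its own address from the network's IPAM.
CNI_MODEL = NetworkModel([
    Container("web-a", "10.1.0.2"),
    Container("web-b", "10.1.0.3"),
])

# Port mapping isolator style: one host address, disjoint port ranges per container.
SHARED_MODEL = NetworkModel([
    Container("job-1", "192.0.2.10", (31000, 31499)),
    Container("job-2", "192.0.2.10", (31500, 31999)),
])


def demo():
    """Returns (owners of port 80 under CNI, owners of a few ports on the shared IP)."""
    cni = [CNI_MODEL.owner("10.1.0.2", 80), CNI_MODEL.owner("10.1.0.3", 80)]
    shared = [SHARED_MODEL.owner("192.0.2.10", p) for p in (31007, 31600, 80)]
    return cni, shared


if __name__ == "__main__":
    print(demo())  # (['web-a', 'web-b'], ['job-1', 'job-2', None])
```

Under the CNI model both containers can listen on port 80 and the address resolves the ambiguity; under the shared-IP model port 80 belongs to no container at all, and only ports inside a container's allotted range ever reach it, which is why the non-ephemeral port range is handed out as a resource there. The overlap check in the constructor is the invariant a scheduler would have to maintain in that mode.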
