Tomek and Olivier,

The bridge network support (with port mapping) has been added to Mesos 1.2. See this doc for more details on how to use it:
https://github.com/apache/mesos/blob/master/docs/cni.md#a-port-mapper-plugin-for-cni-networks

TL;DR: we developed a CNI port mapper plugin (DNAT) in the Mesos repo, and it uses a delegation model in CNI. For the bridge CNI plugin, you can simply use the default bridge plugin in the CNI repo (https://github.com/containernetworking/cni).

@avinash can explain more here.

On Fri, Mar 31, 2017 at 3:40 AM, Olivier Sallou <[email protected]> wrote:

>
> On 03/31/2017 10:23 AM, Tomek Janiszewski wrote:
>
> I have a question that is related to this topic. In the "docker support and
> current limitations" section [1] there is the following statement:
>
> Only host network is supported. We will add bridge network support soon
> using CNI support in Mesos (MESOS-4641
> <https://issues.apache.org/jira/browse/MESOS-4641>)
>
> Mentioned issue is resolved. Does this mean bridge network is working for
> Mesos containerizer?
>
> [1]: https://github.com/apache/mesos/blob/master/docs/container-image.md#docker-support-and-current-limitations
>
> CNI support in unified containerizer (mesos) gives the possibility to
> assign an IP per container, so no port mapping (the ports you use will be
> used directly as container has its own IP address). There is no "bridge"
> network as per Docker (mapping of container port 80 to host port 30000 for
> example)
>
> Olivier
>
>
> On Fri, 31 Mar 2017 at 02:04, Jie Yu <[email protected]> wrote:
>
>> are you talking about the NAT feature of docker in BRIDGE m
>>
>>
>> Yes
>>
>> - regarding the "port mapping isolator giving network namespace" : what
>> confuses me is that, given the previous answers, I thought that in that
>> case, the non-ephemeral port range was *shared* (as a resource) between
>> containers, which sounds to me at the opposite of the namespace concept (as
>> a slightly different example 2 docker containers have their own private 80
>> port for instance).
>>
>>
>> The port mapping isolator is for the case where ip per container is not
>> possible (due to ipam restriction, etc), but the user still wants to have
>> network namespace per container (for isolation, getting statistics, etc.)
>>
>> Since all containers, even if they are in separate namespaces, share the
>> same IP, we have to use some other mechanism to tell which packet belongs
>> to which container. We use ports in that case. You can find more details
>> about port mapping isolator in this talk I gave in 2015 MesosCon:
>> https://www.youtube.com/watch?v=ZA96g1M4v8Y
>>
>> - Jie
>>
>> On Thu, Mar 30, 2017 at 2:13 AM, Thomas HUMMEL <[email protected]>
>> wrote:
>>
>>
>> On 03/29/2017 07:25 PM, Jie Yu wrote:
>>
>> Thomas,
>>
>> I think you are confused about the port mapping for NAT purpose, and the port
>> mapping isolator
>> <http://mesos.apache.org/documentation/latest/port-mapping-isolator/>.
>> Those are two very different things. The port mapping isolator (unfortunate
>> naming), as described in the doc, gives you network namespace per container
>> without requiring ip per container. No NAT is involved. I think for your
>> case, you should not use it and it does not work for DockerContainerizer.
>>
>> Thanks,
>>
>> I'm not sure to understand what you say :
>>
>> - are you talking about the NAT feature of docker in BRIDGE mode ?
>>
>> - regarding the "port mapping isolator giving network namespace" : what
>> confuses me is that, given the previous answers, I thought that in that
>> case, the non-ephemeral port range was *shared* (as a resource) between
>> containers, which sounds to me at the opposite of the namespace concept (as
>> a slightly different example 2 docker containers have their own private 80
>> port for instance).
>>
>> What am I missing ?
>>
>> Thanks
>>
>> --
>> TH
>>
>
> --
> Olivier Sallou
> IRISA / University of Rennes 1
> Campus de Beaulieu, 35000 RENNES - FRANCE
> Tel: 02.99.84.71.95
>
> gpg key id: 4096R/326D8438 (keyring.debian.org)
> Key fingerprint = 5FB4 6F83 D3B9 5204 6335 D26D 78DC 68DB 326D 8438
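
The delegation model mentioned at the top of this thread, shown as an added example that is not part of the original messages: a CNI network configuration in which the Mesos port mapper plugin wraps the stock bridge plugin. The network name, bridge device name, chain name and subnet are constructed sample values.

```json
{
  "name": "example-bridge-net",
  "type": "mesos-cni-port-mapper",
  "excludeDevices": ["example-br0"],
  "chain": "EXAMPLE-PORT-MAPPER",
  "delegate": {
    "type": "bridge",
    "bridge": "example-br0",
    "isGateway": true,
    "ipMasq": true,
    "ipam": {
      "type": "host-local",
      "subnet": "192.168.0.0/16",
      "routes": [
        { "dst": "0.0.0.0/0" }
      ]
    }
  }
}
```

The outer plugin hands interface and IP setup to the `delegate` (the bridge plugin) and then installs its DNAT rules in the named iptables chain, so that chain is the place to audit which host ports are published to containers.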

