Thomas,

> - it is the hostports which are used to multiplex traffic into container.
> My understanding is that, since each container is in its network
> namespace, it has its own full range of container ports and that you use a
> direct mapping (hostport n <-> same container port n), is that correct ?

Yes.

> - those ports which are divided into disjoint subsets are the ephemeral
> ports. The non-ephemeral ports are in a set shared between all containers,
> correct ?

No. Non-ephemeral ports are allocated by the framework (non-ephemeral ports
are modeled as Resources in Mesos), so containers must have disjoint sets
of non-ephemeral ports.

> - the use case you described is when you cannot afford one ip/container and
> when you are using the mesos containerizer : does it mean that network
> mapping isolation makes no sense with the docker containerizer or can it be
> somehow composed with it ?

If you're looking for a private bridge + DNAT solution (like Docker
--net=bridge), you can follow these docs if you want to use it with the
Mesos containerizer. It's supported through a more standard interface
called CNI (https://github.com/containernetworking/cni):
https://github.com/apache/mesos/blob/master/docs/cni.md
https://github.com/apache/mesos/blob/master/docs/cni.md#a-port-mapper-plugin-for-cni-networks

The ip/container limitation is not related to which containerizer you're
using. It's specific to the company's (Twitter's) environment. For instance,
we could not change the service discovery mechanism at that time, which
required that every container's IP be routable.

> I didn't quite understand why you cannot use NAT (in the same way docker in
> BRIDGE mode does) and assign as many ip addresses that you want in a
> private network...

See my response above. If you're looking for docker --net=bridge support,
follow the two links above.

- Jie

On Fri, Mar 31, 2017 at 3:39 AM, Thomas HUMMEL <thomas.hum...@pasteur.fr>
wrote:

> Thanks for your answer,
>
> I've watched your talk. Very interesting.
>
> Let me check if I get everything straight :
>
> - it is the hostports which are used to multiplex traffic into container.
> My understanding is that, since each container is in its network
> namespace, it has its own full range of container ports and that you use a
> direct mapping (hostport n <-> same container port n), is that correct ?
>
> - those ports which are divided into disjoint subsets are the ephemeral
> ports. The non-ephemeral ports are in a set shared between all containers,
> correct ?
>
> - the use case you described is when you cannot afford one ip/container
> and when you are using the mesos containerizer : does it mean that network
> mapping isolation makes no sense with the docker containerizer or can it be
> somehow composed with it ?
>
> I didn't quite understand why you cannot use NAT (in the same way docker
> in BRIDGE mode does) and assign as many ip addresses that you want in a
> private network...
>
> Thanks.
>
> --
>
> TH.
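
The allocation scheme Jie describes above (host port n mapped 1:1 to container port n, non-ephemeral ports handed out by the framework from the agent's ports resource, ephemeral ports carved into disjoint per-container slices) is modelled below as an added example. It is not code from the thread or from Mesos itself; the class names, the 1024-port slice size and the 31000-31999 / 32768-34815 ranges are constructed for illustration. The point of the model is the check a practitioner wants: since the host port space is shared, any overlap between two containers' port sets means two containers would both receive traffic for the same host port, so the allocator must reject a request for a port that is already owned and `find_conflicts` must come back empty.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass
class Container:
    name: str
    non_ephemeral: Set[int]   # ports the framework asked for, taken from the "ports" resource
    ephemeral: range          # this container's private slice of the ephemeral range


def partition_ephemeral(ephemeral: range, per_container: int) -> List[range]:
    """Carve the agent's ephemeral range into disjoint, equally sized slices.

    One slice goes to each container; any remainder at the top of the range
    is left unused, so two slices can never overlap.
    """
    if per_container <= 0:
        raise ValueError("per_container must be positive")
    slices = []
    lo = ephemeral.start
    while lo + per_container <= ephemeral.stop:
        slices.append(range(lo, lo + per_container))
        lo += per_container
    return slices


class PortAllocator:
    """Hypothetical agent-side model: one shared pool of non-ephemeral ports
    plus pre-partitioned ephemeral slices. Host port n maps to container port n."""

    def __init__(self, ports_resource: range, ephemeral: range, per_container: int):
        if set(ports_resource) & set(ephemeral):
            raise ValueError("non-ephemeral and ephemeral ranges must not overlap")
        self.free_ports: Set[int] = set(ports_resource)
        self.free_slices: List[range] = partition_ephemeral(ephemeral, per_container)
        self.containers: Dict[str, Container] = {}

    def launch(self, name: str, requested: Iterable[int]) -> Container:
        requested = set(requested)
        if name in self.containers:
            raise ValueError(f"container {name} already exists")
        missing = requested - self.free_ports
        if missing:
            # The framework asked for ports that are not free on this agent:
            # granting them would alias another container's host ports.
            raise ValueError(f"ports not available: {sorted(missing)}")
        if not self.free_slices:
            raise RuntimeError("no ephemeral slice left for a new container")
        self.free_ports -= requested
        c = Container(name, requested, self.free_slices.pop(0))
        self.containers[name] = c
        return c

    def destroy(self, name: str) -> None:
        c = self.containers.pop(name)
        self.free_ports |= c.non_ephemeral
        self.free_slices.append(c.ephemeral)

    def host_port_owner(self, port: int) -> Optional[str]:
        """Which container receives traffic arriving at host port `port`?"""
        for c in self.containers.values():
            if port in c.non_ephemeral or port in c.ephemeral:
                return c.name
        return None


def find_conflicts(containers: Iterable[Container]) -> List[Tuple[str, str, int]]:
    """Return (first_owner, second_owner, port) for every host port claimed twice."""
    owners: Dict[int, str] = {}
    conflicts = []
    for c in containers:
        for p in list(c.non_ephemeral) + list(c.ephemeral):
            if p in owners and owners[p] != c.name:
                conflicts.append((owners[p], c.name, p))
            owners.setdefault(p, c.name)
    return conflicts


def demo() -> dict:
    # Constructed values: a "ports" resource of 31000-31999 and an ephemeral
    # range of 32768-34815 split into 1024-port slices (room for two containers).
    alloc = PortAllocator(range(31000, 32000), range(32768, 34816), per_container=1024)
    web = alloc.launch("web", [31080, 31443])
    api = alloc.launch("api", [31090])
    try:
        alloc.launch("dup", [31080])  # 31080 already belongs to "web": must be rejected
        rejected = False
    except ValueError:
        rejected = True
    return {
        "web_ephemeral": (web.ephemeral.start, web.ephemeral.stop),
        "api_ephemeral": (api.ephemeral.start, api.ephemeral.stop),
        "owner_31443": alloc.host_port_owner(31443),
        "owner_33000": alloc.host_port_owner(33000),
        "duplicate_rejected": rejected,
        "conflicts": find_conflicts(alloc.containers.values()),
    }


if __name__ == "__main__":
    print(demo())
```

Because the ephemeral slices are fixed at construction time, the number of slices is also the hard cap on concurrently running containers on that agent; a real deployment sizes the ephemeral range and the per-container slice with that cap in mind.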