mesos-reviews mailing list archives

From James Peach <jpe...@apache.org>
Subject Re: Review Request 60496: Added socket checking to the network ports isolator.
Date Wed, 30 Aug 2017 23:19:39 GMT


> On Aug. 24, 2017, 2:53 a.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/isolators/network/ports.cpp
> > Lines 200-202 (original), 373-375 (patched)
> > <https://reviews.apache.org/r/60496/diff/15/?file=1802539#file1802539line373>
> >
> >     When a framework launches a task group, this `update()` method will be called twice for the top-level container (executor):
> >     1. When the top-level container is launched. At this time, the `resources` is the top-level container's own resources.
> >     2. When the executor subscribes to the agent (https://github.com/apache/mesos/blob/1.3.1/src/slave/slave.cpp#L3719). At this time, the `resources` is the top-level container's own resources + all nested containers' resources, so in this `update()` method, the `info->ports` for the top-level container will be updated to include the ports of all nested containers. This seems not correct, since the executor process will be allowed to listen on ports not assigned to it.

Fixed in [r/60766](https://reviews.apache.org/r/60766) by calling `update()` in the root-level
container pass.


- James


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60496/#review183696
-----------------------------------------------------------


On Aug. 23, 2017, 8:29 p.m., James Peach wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/60496/
> -----------------------------------------------------------
> 
> (Updated Aug. 23, 2017, 8:29 p.m.)
> 
> 
> Review request for mesos, Qian Zhang and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-7675
>     https://issues.apache.org/jira/browse/MESOS-7675
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Implemented ports resource restrictions in the network ports isolator.
> Periodically, scan for listening sockets and match them up to all
> the open sockets in the containers we are tracking in the network.
> Check any sockets we find against the ports resource and trigger a
> resource limitation if the port has not been allocated.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp PRE-CREATION 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/60496/diff/15/
> 
> 
> Testing
> -------
> 
> make check (Fedora 26)
> 
> 
> Thanks,
> 
> James Peach
> 
>
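
The check outlined in the review description, and the concern raised in the review comment, as an added example that is not code from the review or from Mesos: an executor listener on a port assigned to a nested container is flagged when checked against the executor's own ports, and is missed once the allowed set also contains the nested containers' ports. Assumptions: listening sockets are read from Linux `/proc/net/tcp`-style text, the names `listeningPorts`, `violations` and `kExecutorSockets` are hypothetical, and all port numbers are constructed.

```cpp
// Added example, not Mesos code; every value below is constructed sample data.
#include <cstdint>
#include <iostream>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

using PortRanges = std::vector<std::pair<uint16_t, uint16_t>>;  // inclusive

// Local ports of sockets in LISTEN state (st == 0A) in /proc/net/tcp-style text.
std::vector<uint16_t> listeningPorts(const std::string& procNetTcp) {
  std::vector<uint16_t> ports;
  std::istringstream in(procNetTcp);
  std::string line, sl, local, remote, state;
  std::getline(in, line);  // Skip the header row.
  while (std::getline(in, line)) {
    std::istringstream row(line);
    if (!(row >> sl >> local >> remote >> state) || state != "0A") continue;
    std::size_t colon = local.rfind(':');
    if (colon == std::string::npos) continue;
    ports.push_back(static_cast<uint16_t>(std::stoul(local.substr(colon + 1), nullptr, 16)));
  }
  return ports;
}

// Listening ports that fall outside every allocated range.
std::vector<uint16_t> violations(const std::vector<uint16_t>& listening,
                                 const PortRanges& allocated) {
  std::vector<uint16_t> bad;
  for (uint16_t port : listening) {
    bool ok = false;
    for (const auto& r : allocated) ok = ok || (r.first <= port && port <= r.second);
    if (!ok) bad.push_back(port);
  }
  return bad;
}

// Executor listens on 31000 (0x7918) and 31005 (0x791D); row 2 is ESTABLISHED.
const std::string kExecutorSockets =
    "  sl  local_address rem_address   st\n"
    "   0: 00000000:7918 00000000:0000 0A\n"
    "   1: 00000000:791D 00000000:0000 0A\n"
    "   2: 0100007F:7919 0100007F:C350 01\n";

int main() {
  auto l = listeningPorts(kExecutorSockets);
  std::cout << "own: " << violations(l, {{31000, 31000}}).size() << ", merged: "
            << violations(l, {{31000, 31000}, {31005, 31005}}).size() << "\n";
}
```

Here 31000 stands for the executor's own port and 31005 for a port assigned to a nested container.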

