Posted to commits@mesos.apache.org by jp...@apache.org on 2017/10/19 23:34:24 UTC

[03/11] mesos git commit: Configure the `network/ports` isolator watch interval.

Configure the `network/ports` isolator watch interval.

Added the `--container_ports_watch_interval` option to tune the
interval at which the `network/ports` isolator scans for rogue
listening ports.

Review: https://reviews.apache.org/r/60592/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/4868d0b7
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/4868d0b7
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/4868d0b7

Branch: refs/heads/master
Commit: 4868d0b7e185afd97ae047e7ba9fa5743a699f48
Parents: 5aec841
Author: James Peach <jp...@apache.org>
Authored: Thu Oct 19 15:35:49 2017 -0700
Committer: James Peach <jp...@apache.org>
Committed: Thu Oct 19 16:33:35 2017 -0700

----------------------------------------------------------------------
 src/slave/containerizer/mesos/isolators/network/ports.cpp | 7 +++++--
 src/slave/containerizer/mesos/isolators/network/ports.hpp | 5 ++---
 src/slave/flags.cpp                                       | 8 ++++++++
 src/slave/flags.hpp                                       | 7 ++++++-
 4 files changed, 21 insertions(+), 6 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/4868d0b7/src/slave/containerizer/mesos/isolators/network/ports.cpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/isolators/network/ports.cpp b/src/slave/containerizer/mesos/isolators/network/ports.cpp
index d3ec8ae..5a58d07 100644
--- a/src/slave/containerizer/mesos/isolators/network/ports.cpp
+++ b/src/slave/containerizer/mesos/isolators/network/ports.cpp
@@ -269,15 +269,18 @@ Try<Isolator*> NetworkPortsIsolatorProcess::create(const Flags& flags)
 
   return new MesosIsolator(process::Owned<MesosIsolatorProcess>(
       new NetworkPortsIsolatorProcess(
+          flags.container_ports_watch_interval,
           flags.cgroups_root,
           freezerHierarchy.get())));
 }
 
 
 NetworkPortsIsolatorProcess::NetworkPortsIsolatorProcess(
+    const Duration& _watchInterval,
     const string& _cgroupsRoot,
     const string& _freezerHierarchy)
   : ProcessBase(process::ID::generate("network-ports-isolator")),
+    watchInterval(_watchInterval),
     cgroupsRoot(_cgroupsRoot),
     freezerHierarchy(_freezerHierarchy)
 {
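Review bot: `create()` hands `flags.container_ports_watch_interval` to the isolator without any range check, so a zero or negative value would make `process::after(watchInterval)` resolve at once and the watch loop would scan back-to-back. Reject it before constructing the process: `if (flags.container_ports_watch_interval <= Duration::zero()) {` / `  return Error("--container_ports_watch_interval must be positive");` / `}` (assuming stout's `Duration::zero()` is available in this file, as it is elsewhere in Mesos). `create()` begins outside the hunk.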
@@ -447,8 +450,8 @@ void NetworkPortsIsolatorProcess::initialize()
   // loop to schedule against (the ports isolator process) has been spawned.
   process::loop(
       self,
-      []() {
-        return process::after(PORTS_WATCH_INTERVAL);
+      [=]() {
+        return process::after(watchInterval);
       },
       [=](const Nothing&) {
         return process::async(
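Review bot: The new `[=]` on the delay lambda captures `this` implicitly only to read `watchInterval`; writing it as `[this]()` makes the pointer capture visible, or copying the value first (`const Duration interval = watchInterval;` then `[interval]()`) removes the lifetime dependency on the process altogether. The following lambda already uses `[=]`, so the loop is presumably tied to `self`'s lifetime, but the delay lambda did not depend on it before this change. `initialize()` continues outside the hunk.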

http://git-wip-us.apache.org/repos/asf/mesos/blob/4868d0b7/src/slave/containerizer/mesos/isolators/network/ports.hpp
----------------------------------------------------------------------
diff --git a/src/slave/containerizer/mesos/isolators/network/ports.hpp b/src/slave/containerizer/mesos/isolators/network/ports.hpp
index acad7bf..5a1e0e3 100644
--- a/src/slave/containerizer/mesos/isolators/network/ports.hpp
+++ b/src/slave/containerizer/mesos/isolators/network/ports.hpp
@@ -38,9 +38,6 @@ namespace mesos {
 namespace internal {
 namespace slave {
 
-constexpr Duration PORTS_WATCH_INTERVAL = Minutes(1);
-
-
 // The `network/ports` isolator provides isolation of TCP listener
 // ports for tasks that share the host network namespace. It ensures
 // that tasks listen only on ports for which they hold `ports` resources.
@@ -85,6 +82,7 @@ protected:
 
 private:
   NetworkPortsIsolatorProcess(
+      const Duration& _watchInterval,
       const std::string& _cgroupsRoot,
       const std::string& _freezerHierarchy);
 
@@ -94,6 +92,7 @@ private:
     process::Promise<mesos::slave::ContainerLimitation> limitation;
   };
 
+  const Duration watchInterval;
   const std::string cgroupsRoot;
   const std::string freezerHierarchy;
 
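Review bot: The new `watchInterval` member is undocumented, whereas the `PORTS_WATCH_INTERVAL` constant it replaces was self-describing and now lives only in a flag default. Suggest `// Interval between scans for containers listening on ports they hold no resources for; taken from --container_ports_watch_interval.` above the declaration, and a matching line on the `_watchInterval` constructor parameter in the previous hunk.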

http://git-wip-us.apache.org/repos/asf/mesos/blob/4868d0b7/src/slave/flags.cpp
----------------------------------------------------------------------
diff --git a/src/slave/flags.cpp b/src/slave/flags.cpp
index d424ade..d9116de 100644
--- a/src/slave/flags.cpp
+++ b/src/slave/flags.cpp
@@ -1003,6 +1003,14 @@ mesos::internal::slave::Flags::Flags()
 
 #endif // ENABLE_PORT_MAPPING_ISOLATOR
 
+#ifdef ENABLE_NETWORK_PORTS_ISOLATOR
+  add(&Flags::container_ports_watch_interval,
+      "container_ports_watch_interval",
+      "Interval at which the `network/ports` isolator should check for\n"
+      "containers listening on ports they don't have resources for.",
+      Seconds(30));
+#endif // ENABLE_NETWORK_PORTS_ISOLATOR
+
   add(&Flags::network_cni_plugins_dir,
       "network_cni_plugins_dir",
       "A search path for CNI plugin binaries. The `network/cni`\n"
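Review bot: The default `Seconds(30)` halves the interval that the removed `PORTS_WATCH_INTERVAL = Minutes(1)` in ports.hpp provided, but neither the commit description nor the help text calls out that behaviour change. Because a shorter interval detects unauthorized listeners sooner at the cost of more frequent scans, the trade-off belongs in the help text, e.g. append `"A shorter interval detects unauthorized listeners sooner but scans more often."`, and if a minimum value is enforced anywhere, state it here as well. `Flags::Flags()` begins outside the hunk.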

http://git-wip-us.apache.org/repos/asf/mesos/blob/4868d0b7/src/slave/flags.hpp
----------------------------------------------------------------------
diff --git a/src/slave/flags.hpp b/src/slave/flags.hpp
index ab73fc7..a038e9d 100644
--- a/src/slave/flags.hpp
+++ b/src/slave/flags.hpp
@@ -143,7 +143,12 @@ public:
   bool network_enable_socket_statistics_summary;
   bool network_enable_socket_statistics_details;
   bool network_enable_snmp_statistics;
-#endif
+#endif // ENABLE_PORT_MAPPING_ISOLATOR
+
+#ifdef ENABLE_NETWORK_PORTS_ISOLATOR
+  Duration container_ports_watch_interval;
+#endif // ENABLE_NETWORK_PORTS_ISOLATOR
+
   Option<std::string> network_cni_plugins_dir;
   Option<std::string> network_cni_config_dir;
   Duration container_disk_watch_interval;