Posted to issues@mesos.apache.org by "Qian Zhang (JIRA)" <ji...@apache.org> on 2018/02/01 08:51:00 UTC

[jira] [Commented] (MESOS-7605) UCR doesn't isolate uts namespace w/ host networking

    [ https://issues.apache.org/jira/browse/MESOS-7605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16348224#comment-16348224 ] 

Qian Zhang commented on MESOS-7605:
-----------------------------------

[~jamespeach] I reviewed your patches and have a comment: when the UTS namespace isolator is enabled and a container wants to join the host network and has the `hostname` field set in its `ContainerInfo`, the container will have its own UTS namespace but will not have its own hostname, even though it has the `hostname` field set in its `ContainerInfo`; this does not seem correct to me. For Docker, if we run a container with `--network=host` and `--hostname=xxx`, the container will have its own UTS namespace and its own hostname, which I think is the correct behavior.

My thinking is, instead of implementing a UTS namespace isolator, can we just improve the CNI isolator to ensure each container (as long as it has `ContainerInfo`) will have its own UTS namespace and its own hostname (as long as the `hostname` field is set in its `ContainerInfo`)? This is also consistent with what Docker does.

> UCR doesn't isolate uts namespace w/ host networking
> ----------------------------------------------------
>
>                 Key: MESOS-7605
>                 URL: https://issues.apache.org/jira/browse/MESOS-7605
>             Project: Mesos
>          Issue Type: Improvement
>          Components: containerization
>            Reporter: James DeFelice
>            Assignee: James Peach
>            Priority: Major
>              Labels: mesosphere
>
> Docker's {{run}} command supports a {{--hostname}} parameter which impacts container isolation, even in {{host}} network mode: (via https://docs.docker.com/engine/reference/run/)
> {quote}
> Even in host network mode a container has its own UTS namespace by default. As such --hostname is allowed in host network mode and will only change the hostname inside the container. Similar to --hostname, the --add-host, --dns, --dns-search, and --dns-option options can be used in host network mode.
> {quote}
> I see no evidence that UCR offers a similar isolation capability.
> Related: the {{ContainerInfo}} protobuf has a {{hostname}} field which was initially added to support the Docker containerizer's use of the {{--hostname}} Docker {{run}} flag.
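
To make the Docker behaviour quoted in the issue concrete (a private UTS namespace while the network namespace stays the host's), here is an added C example that is not Mesos, Docker or the patches under review. It assumes Linux with /proc mounted and either CAP_SYS_ADMIN or unprivileged user namespaces; the hostname `constructed-container` is a made-up value.

```c
#define _GNU_SOURCE          /* for unshare() */
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum { UTS_ISOLATED = 0, UTS_BROKEN = 1, UTS_UNAVAILABLE = 2 };

/* Namespace identity as the kernel reports it, e.g. "net:[4026531993]". */
static int ns_id(const char *kind, char *buf, size_t len) {
    char path[64];
    snprintf(path, sizeof path, "/proc/self/ns/%s", kind);
    ssize_t n = readlink(path, buf, len - 1);
    if (n < 0) return -1;
    buf[n] = '\0';
    return 0;
}

/* Runs in a forked child so the caller's namespaces are never touched. */
static int child_demo(void) {
    char net0[64], uts0[64], net1[64], uts1[64], host[64] = "";
    const char *name = "constructed-container";  /* constructed sample hostname */
    if (ns_id("net", net0, sizeof net0) || ns_id("uts", uts0, sizeof uts0))
        return UTS_UNAVAILABLE;                  /* no /proc, nothing to verify */
    /* Needs CAP_SYS_ADMIN; otherwise fall back to an unprivileged user namespace. */
    if (unshare(CLONE_NEWUTS) != 0 && unshare(CLONE_NEWUSER | CLONE_NEWUTS) != 0)
        return UTS_UNAVAILABLE;
    /* Like `docker run --network=host --hostname=...`: only the UTS view changes. */
    if (sethostname(name, strlen(name)) != 0) return UTS_BROKEN;
    if (gethostname(host, sizeof host) != 0 || strcmp(host, name) != 0) return UTS_BROKEN;
    if (ns_id("net", net1, sizeof net1) || ns_id("uts", uts1, sizeof uts1)) return UTS_BROKEN;
    if (strcmp(net0, net1) != 0) return UTS_BROKEN;  /* network must still be the host's */
    if (strcmp(uts0, uts1) == 0) return UTS_BROKEN;  /* UTS namespace must be a new one */
    return UTS_ISOLATED;
}

int uts_isolation_demo(void) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return UTS_BROKEN;
    if (pid == 0) _exit(child_demo());
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return UTS_BROKEN;
    return WEXITSTATUS(status);
}

int uts_isolation_demo_ok(void) {   /* kernel behaved as expected, or could not be tried */
    int r = uts_isolation_demo();
    return r == UTS_ISOLATED || r == UTS_UNAVAILABLE;
}
```

A UTS_UNAVAILABLE result means unshare(2) was refused on this host, which is the first thing to check on an agent before expecting any UTS isolation from the containerizer.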



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)