Posted to commits@mesos.apache.org by id...@apache.org on 2014/11/04 21:11:36 UTC

[2/2] git commit: Documentation for namespaces/pid isolator.

Documentation for namespaces/pid isolator.

Review: https://reviews.apache.org/r/27585


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/3eb6382f
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/3eb6382f
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/3eb6382f

Branch: refs/heads/master
Commit: 3eb6382f86473d86c6c2c3b57a739b6b3c7d86fa
Parents: 47da3b8
Author: Ian Downes <id...@twitter.com>
Authored: Tue Nov 4 11:25:55 2014 -0800
Committer: Ian Downes <id...@twitter.com>
Committed: Tue Nov 4 12:10:59 2014 -0800

----------------------------------------------------------------------
 docs/mesos-containerizer.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/3eb6382f/docs/mesos-containerizer.md
----------------------------------------------------------------------
diff --git a/docs/mesos-containerizer.md b/docs/mesos-containerizer.md
index 7170a83..e4b2c24 100644
--- a/docs/mesos-containerizer.md
+++ b/docs/mesos-containerizer.md
@@ -40,3 +40,21 @@ executor's work directory (mode 1777) and simultaneously mount it as
 /tmp inside the container. This is transparent to processes running
 inside the container. Containers will not be able to see the host's
 /tmp or any other container's /tmp.
+
+### Pid Namespace
+
+The Pid Namespace isolator can be used to isolate each container in
+a separate pid namespace with two main benefits:
+1. Visibility: Processes running in the container (executor and
+   descendants) are unable to see or signal processes outside the
+   namespace.
+2. Clean termination: Termination of the leading process in a pid
+   namespace will result in the kernel terminating all other processes
+   in the namespace.
+
+The Launcher will use (2) during destruction of a container in
+preference to the freezer cgroup, avoiding known kernel issues related
+to freezing cgroups under OOM conditions.
+
+/proc will be mounted for containers so tools such as 'ps' will work
+correctly.
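Review bot: The new section never names the isolator or says how to turn it on; since the commit message calls it the `namespaces/pid` isolator, the section should state that it is enabled by listing `namespaces/pid` in the slave's isolation flag alongside the other isolators this document describes, and that it is Linux-only (PID namespaces are a Linux kernel feature). The visibility claim in item 1 depends on the `/proc` mount described in the last paragraph: without a fresh `/proc` inside the new pid namespace, `ps` would still list host processes, so it is worth tying the two together and saying whether that `/proc` mount happens in a per-container mount namespace (a plain remount would otherwise be visible on the host). Item 2 is accurate (the kernel SIGKILLs every remaining process in a pid namespace when its init exits), but note that the "leading process" is the executor, so an executor crash kills all of its tasks; the line "The Launcher will use (2) during destruction of a container in preference to the freezer cgroup" should say which launcher (the Linux launcher) so readers know the behaviour does not apply to the posix launcher. Minor style point: the numbered list starts directly after "with two main benefits:" with no blank line, which some Markdown renderers will fold into the preceding paragraph.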