Posted to issues@mesos.apache.org by "Avinash Sridharan (JIRA)" <ji...@apache.org> on 2017/10/04 17:16:01 UTC

[jira] [Assigned] (MESOS-6240) Allow executor/agent communication over non-TCP/IP stream socket.

     [ https://issues.apache.org/jira/browse/MESOS-6240?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Avinash Sridharan reassigned MESOS-6240:
----------------------------------------

    Assignee: Benjamin Hindman

> Allow executor/agent communication over non-TCP/IP stream socket.
> -----------------------------------------------------------------
>
>                 Key: MESOS-6240
>                 URL: https://issues.apache.org/jira/browse/MESOS-6240
>             Project: Mesos
>          Issue Type: Improvement
>          Components: containerization
>         Environment: Linux and Windows
>            Reporter: Avinash Sridharan
>            Assignee: Benjamin Hindman
>            Priority: Critical
>              Labels: mesosphere
>
> Currently, the executor/agent communication happens specifically over TCP sockets. This works fine in most cases, but specifically for the `MesosContainerizer` when containers are running on CNI networks, this mode of communication starts imposing constraints on the CNI network, since there now has to be connectivity between the CNI network (on which the executor is running) and the agent. Introducing paths from a CNI network to the underlying agent, at best, creates headaches for operators and at worst introduces serious security holes in the network, since it is breaking the isolation between the container CNI network and the host network (on which the agent is running).
> In order to simplify/strengthen deployment of Mesos containers on CNI networks, we therefore need to move away from using TCP/IP sockets for executor/agent communication. Since the executor and agent are guaranteed to run on the same host, the above problems can be resolved if, for the `MesosContainerizer`, we use UNIX domain sockets or named pipes instead of TCP/IP sockets for the executor/agent communication.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
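
The same-host channel proposed in the issue, as an added Python sketch that is not Mesos code: an agent listens on a UNIX domain socket with mode 0600 inside a private directory and admits an executor only if the kernel-reported peer uid (Linux `SO_PEERCRED`) matches. The names `open_agent_socket`, `admit`, `run_exchange`, the `agent.sock` path and the `REGISTERED`/`DENIED` replies are hypothetical.

```python
import os
import socket
import stat
import struct
import tempfile

def peer_credentials(conn):
    """Return (pid, uid, gid) of the connected peer as recorded by the Linux kernel."""
    fmt = "iII"  # struct ucred: pid_t, uid_t, gid_t
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    return struct.unpack(fmt, raw)

def open_agent_socket(path):
    """Agent side (hypothetical): listen on a socket file only its owner can connect to."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o177)  # socket file is created with mode 0600
    try:
        srv.bind(path)
    finally:
        os.umask(old_umask)
    srv.listen(1)
    return srv

def admit(srv, allowed_uid):
    """Accept one executor; register it only if the kernel-reported uid matches."""
    conn, _ = srv.accept()
    with conn:
        pid, uid, _gid = peer_credentials(conn)
        verdict = b"REGISTERED" if uid == allowed_uid else b"DENIED"
        conn.sendall(verdict)
    return pid, uid

def run_exchange(allowed_uid):
    """Run both sides in one process; return (socket mode, peer (pid, uid), reply)."""
    with tempfile.TemporaryDirectory() as private_dir:  # created with mode 0700
        path = os.path.join(private_dir, "agent.sock")
        with open_agent_socket(path) as srv, \
                socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as executor:
            mode = stat.S_IMODE(os.stat(path).st_mode)
            executor.connect(path)  # queued in the listen backlog, no IP route involved
            peer = admit(srv, allowed_uid)
            reply = executor.recv(64)
    return mode, peer, reply

if __name__ == "__main__":
    print(run_exchange(os.getuid()))
```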