Posted to reviews@mesos.apache.org by Qian Zhang <zh...@gmail.com> on 2017/08/21 08:32:48 UTC
Re: Review Request 60766: Ignored containers that join CNI networks.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60766/#review183307
-----------------------------------------------------------
src/slave/containerizer/mesos/containerizer.cpp
Line 244 (original), 245 (patched)
<https://reviews.apache.org/r/60766/#comment259349>
So here we only count the `network/cni` isolator and the `network/port_mapping` isolator; either of them (but not both of them) can work with the `network/ports` isolator. Can you please also update the comments accordingly?
src/slave/containerizer/mesos/isolators/network/ports.cpp
Lines 308-311 (original), 313-323 (patched)
<https://reviews.apache.org/r/60766/#comment259352>
I think we only need to do this check for top-level containers, but not for nested containers, since a nested container always shares the network namespace with its parent. So we may need to add `!containerId.has_parent()` into the condition of the first `if`.
src/slave/containerizer/mesos/isolators/network/ports.cpp
Lines 392-402 (patched)
<https://reviews.apache.org/r/60766/#comment259353>
Can we check `state->executor_info().container().network_infos()` rather than checking CNI container dir?
- Qian Zhang
On July 29, 2017, 8:01 a.m., James Peach wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/60766/
> -----------------------------------------------------------
>
> (Updated July 29, 2017, 8:01 a.m.)
>
>
> Review request for mesos, Qian Zhang and Jiang Yan Xu.
>
>
> Bugs: MESOS-7675
> https://issues.apache.org/jira/browse/MESOS-7675
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Working on the assumption that containers with CNI networks will
> get their own IP addresses and don't need port isolation, ignore
> any containers that are joining CNI networks.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/containerizer.cpp 5772421c3078d36225b946a5286b8c1bf2f007e8
> src/slave/containerizer/mesos/isolators/network/ports.hpp PRE-CREATION
> src/slave/containerizer/mesos/isolators/network/ports.cpp PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/60766/diff/8/
>
>
> Testing
> -------
>
> make check (Fedora 26).
>
>
> Thanks,
>
> James Peach
>
>
Re: Review Request 60766: Ignored containers that join CNI networks.
Posted by Qian Zhang <zh...@gmail.com>.
> On Aug. 21, 2017, 4:32 p.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/containerizer.cpp
> > Line 244 (original), 245 (patched)
> > <https://reviews.apache.org/r/60766/diff/8/?file=1800294#file1800294line245>
> >
> > So here we only count the `network/cni` isolator and the `network/port_mapping` isolator; either of them (but not both of them) can work with the `network/ports` isolator. Can you please also update the comments accordingly?
>
> James Peach wrote:
> This is already commented just above.
The comment is:
> One and only one `network` isolator is required
However, I think we may need to be more explicit, like: Only one of `network/cni` and `network/port_mapping` isolators is required.
> On Aug. 21, 2017, 4:32 p.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/isolators/network/ports.cpp
> > Lines 392-402 (patched)
> > <https://reviews.apache.org/r/60766/diff/8/?file=1800296#file1800296line392>
> >
> > Can we check `state->executor_info().container().network_infos()` rather than checking CNI container dir?
>
> James Peach wrote:
> Are we guaranteed to have a named network in `state->executor_info` in the case of nested containers joining the parent network? If not, then I think we still have to check whether the root container has a CNI configuration. I updated the patch to do this.
Why do we need to check `state->executor_info` for nested containers? In this `recover()` method, for a nested container, I think we still need to check `state->executor_info` for its root container. Or maybe you can just check `infos.contains(rootContainerId)` for nested containers like what you did in `prepare()`, but I am not sure if nested containers always come after their root container in the `state` list; it looks like it can be guaranteed.
- Qian
On Aug. 22, 2017, 6:01 a.m., James Peach wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/60766/
> -----------------------------------------------------------
>
> (Updated Aug. 22, 2017, 6:01 a.m.)
>
>
> Review request for mesos, Qian Zhang and Jiang Yan Xu.
>
>
> Bugs: MESOS-7675
> https://issues.apache.org/jira/browse/MESOS-7675
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Working on the assumption that containers with CNI networks will
> get their own IP addresses and don't need port isolation, ignore
> any containers that are joining CNI networks.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/containerizer.cpp 5772421c3078d36225b946a5286b8c1bf2f007e8
> src/slave/containerizer/mesos/isolators/network/ports.hpp PRE-CREATION
> src/slave/containerizer/mesos/isolators/network/ports.cpp PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/60766/diff/9/
>
>
> Testing
> -------
>
> make check (Fedora 26).
>
>
> Thanks,
>
> James Peach
>
>
Re: Review Request 60766: Ignored containers that join CNI networks.
Posted by James Peach <jp...@apache.org>.
> On Aug. 21, 2017, 8:32 a.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/containerizer.cpp
> > Line 244 (original), 245 (patched)
> > <https://reviews.apache.org/r/60766/diff/8/?file=1800294#file1800294line245>
> >
> > So here we only count the `network/cni` isolator and the `network/port_mapping` isolator; either of them (but not both of them) can work with the `network/ports` isolator. Can you please also update the comments accordingly?
This is already commented just above.
> On Aug. 21, 2017, 8:32 a.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/isolators/network/ports.cpp
> > Lines 308-311 (original), 313-323 (patched)
> > <https://reviews.apache.org/r/60766/diff/8/?file=1800296#file1800296line313>
> >
> > I think we only need to do this check for top-level containers, but not for nested containers, since a nested container always shares the network namespace with its parent. So we may need to add `!containerId.has_parent()` into the condition of the first `if`.
The check for nested containers needs to be separate since the child might be nested within a CNI network or a host network. When we `prepare` a nested container, we only isolate it if we already isolated the corresponding root of the container tree.
> On Aug. 21, 2017, 8:32 a.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/isolators/network/ports.cpp
> > Lines 392-402 (patched)
> > <https://reviews.apache.org/r/60766/diff/8/?file=1800296#file1800296line392>
> >
> > Can we check `state->executor_info().container().network_infos()` rather than checking CNI container dir?
Are we guaranteed to have a named network in `state->executor_info` in the case of nested containers joining the parent network? If not, then I think we still have to check whether the root container has a CNI configuration. I updated the patch to do this.
- James
On Aug. 21, 2017, 10:01 p.m., James Peach wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/60766/
> -----------------------------------------------------------
>
> (Updated Aug. 21, 2017, 10:01 p.m.)
>
>
> Review request for mesos, Qian Zhang and Jiang Yan Xu.
>
>
> Bugs: MESOS-7675
> https://issues.apache.org/jira/browse/MESOS-7675
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Working on the assumption that containers with CNI networks will
> get their own IP addresses and don't need port isolation, ignore
> any containers that are joining CNI networks.
>
>
> Diffs
> -----
>
> src/slave/containerizer/mesos/containerizer.cpp 5772421c3078d36225b946a5286b8c1bf2f007e8
> src/slave/containerizer/mesos/isolators/network/ports.hpp PRE-CREATION
> src/slave/containerizer/mesos/isolators/network/ports.cpp PRE-CREATION
>
>
> Diff: https://reviews.apache.org/r/60766/diff/9/
>
>
> Testing
> -------
>
> make check (Fedora 26).
>
>
> Thanks,
>
> James Peach
>
>
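Added example, not part of the thread and not Mesos code: a simplified model of the recovery question discussed above, where a nested container is port-isolated only if the root of its container tree is, and the result must not depend on whether the root appears before its children in the recovered state list. The `Recovered` type, the `joinsCni` flag and all function names are hypothetical stand-ins for the real container state.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

// Hypothetical stand-in for one recovered container; not a Mesos type.
struct Recovered {
  std::string id;
  std::string parent;  // empty for a top-level container
  bool joinsCni;       // meaningful only for a top-level container
};

// Follow parent links to the root of the container tree. Returns the id
// where the walk stops, which is unknown to `byId` if a parent is missing.
std::string rootOf(const std::map<std::string, Recovered>& byId,
                   std::string id) {
  auto it = byId.find(id);
  while (it != byId.end() && !it->second.parent.empty()) {
    id = it->second.parent;
    it = byId.find(id);
  }
  return id;
}

// Ids that port isolation should track after recovery. Every container
// inherits the decision made for its root, regardless of list order.
std::set<std::string> recoverIsolated(const std::vector<Recovered>& states) {
  std::map<std::string, Recovered> byId;
  for (const auto& s : states) byId.emplace(s.id, s);  // pass 1: index

  std::set<std::string> isolated;
  for (const auto& s : states) {                       // pass 2: decide
    auto root = byId.find(rootOf(byId, s.id));
    if (root == byId.end()) continue;  // orphan: root was not recovered
    if (!root->second.joinsCni) isolated.insert(s.id);
  }
  return isolated;
}

// Constructed sample: each child is listed before its root on purpose.
std::vector<Recovered> sampleStates() {
  return {{"child-a", "root-a", false}, {"root-a", "", true},
          {"grandchild-b", "child-b", false}, {"child-b", "root-b", false},
          {"root-b", "", false}};
}
```

Indexing all states before deciding removes the ordering assumption that a single pass with an `infos.contains(rootContainerId)` style lookup would rely on.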