Posted to dev@mesos.apache.org by Qian Zhang <zh...@gmail.com> on 2016/10/08 03:14:36 UTC

[Port mapping] Discuss where to validate that the host port the container wants to expose to is from the offered resources

Hi All,

I am currently working on MESOS-6106
<https://issues.apache.org/jira/browse/MESOS-6106>. The purpose of this
ticket is to validate that the host port the container wants to expose to is
from the offered resources, so that we can ensure the container will not
expose to an arbitrary host port.

My idea is that we validate `ContainerInfo.NetworkInfo.PortMapping.host_port`
against the offered resources in the master ("Master::_accept()") by adding a
new validate method in "src/master/validation.cpp", and in the agent, we can
also double-check it in the "prepare()" method of the CNI isolator.

However, I see that for DockerContainerizer, we do similar validation in the
agent (
https://github.com/apache/mesos/blob/1.0.1/src/docker/docker.cpp#L718:#L729)
but not in the master. @Tim Chen, can you please let me know why we did such
validation only in the agent but not in the master? Is it because
"ContainerInfo.DockerInfo.PortMapping" is DockerContainerizer-specific and
we only want to do generic validation in the master?

@Jie and @BenM, please also let me know your comments, thanks!


Thanks,
Qian Zhang
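
An added example, not part of the original message and not Mesos code: a standalone sketch of the check being discussed, rejecting any port mapping whose `host_port` falls outside the offered port ranges. The `PortRange` and `PortMapping` structs and the `validatePortMappings` function are hypothetical stand-ins for the Mesos protobuf types, and the duplicate-port check is an extra assumption not mentioned in the message.

```cpp
#include <cstdint>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Hypothetical stand-ins for the protobuf messages (not the Mesos types).
struct PortRange { uint64_t begin; uint64_t end; };  // inclusive on both ends
struct PortMapping { uint32_t host_port; uint32_t container_port; };

// True if `port` lies inside one of the offered inclusive ranges.
static bool isOffered(const std::vector<PortRange>& ranges, uint64_t port) {
  for (const PortRange& r : ranges) {
    if (r.begin <= port && port <= r.end) return true;
  }
  return false;
}

// Returns an empty string if every mapping is acceptable, otherwise an
// error message for the first mapping that must be rejected.
std::string validatePortMappings(const std::vector<PortMapping>& mappings,
                                 const std::vector<PortRange>& offeredPorts) {
  std::set<uint32_t> seen;
  for (const PortMapping& m : mappings) {
    const std::string port = std::to_string(m.host_port);
    if (m.host_port == 0 || m.host_port > 65535) {
      return "host_port " + port + " is not a valid port number";
    }
    // Core check: the host port must come from the offered 'ports' ranges.
    if (!isOffered(offeredPorts, m.host_port)) {
      return "host_port " + port + " is not in the offered 'ports' resources";
    }
    // Extra check (assumption): two mappings may not claim one host port.
    if (!seen.insert(m.host_port).second) {
      return "host_port " + port + " is mapped more than once";
    }
  }
  return "";
}

int main() {
  // Constructed sample data: an offer with two port ranges.
  std::vector<PortRange> offer = {{31000, 32000}, {8080, 8080}};
  std::vector<PortMapping> good = {{31005, 80}, {8080, 8080}};
  std::vector<PortMapping> bad = {{31005, 80}, {22, 22}};
  std::cout << "good: '" << validatePortMappings(good, offer) << "'\n";
  std::cout << "bad:  '" << validatePortMappings(bad, offer) << "'\n";
  return 0;
}
```

Running the same function at both enforcement points (once when the offer is accepted and again before the container's network is set up) would make the agent-side check a backstop rather than the only gate.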