Posted to commits@mesos.apache.org by gi...@apache.org on 2017/09/18 19:24:22 UTC
[2/4] mesos-site git commit: Updated the website built from mesos
SHA: c7bd862.
http://git-wip-us.apache.org/repos/asf/mesos-site/blob/e73ac18b/content/documentation/latest/isolators/network-port-mapping/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/latest/isolators/network-port-mapping/index.html b/content/documentation/latest/isolators/network-port-mapping/index.html
new file mode 100644
index 0000000..cf7625e
--- /dev/null
+++ b/content/documentation/latest/isolators/network-port-mapping/index.html
@@ -0,0 +1,539 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta charset="utf-8">
+ <title>Apache Mesos - Port Mapping Network Isolator</title>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0">
+
+ <meta property="og:locale" content="en_US"/>
+ <meta property="og:type" content="website"/>
+ <meta property="og:title" content="Apache Mesos"/>
+ <meta property="og:site_name" content="Apache Mesos"/>
+ <meta property="og:url" content="http://mesos.apache.org/"/>
+ <meta property="og:image" content="http://mesos.apache.org/assets/img/mesos_logo_fb_preview.png"/>
+ <meta property="og:description"
+ content="Apache Mesos abstracts resources away from machines,
+ enabling fault-tolerant and elastic distributed systems
+ to easily be built and run effectively."/>
+
+ <meta name="twitter:card" content="summary"/>
+ <meta name="twitter:site" content="@ApacheMesos"/>
+ <meta name="twitter:title" content="Apache Mesos"/>
+ <meta name="twitter:image" content="http://mesos.apache.org/assets/img/mesos_logo_fb_preview.png"/>
+ <meta name="twitter:description"
+ content="Apache Mesos abstracts resources away from machines,
+ enabling fault-tolerant and elastic distributed systems
+ to easily be built and run effectively."/>
+
+ <link href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css" rel="stylesheet">
+ <link rel="alternate" type="application/atom+xml" title="Apache Mesos Blog" href="/blog/feed.xml">
+ <link href="../../../../assets/css/main.css" media="screen" rel="stylesheet" type="text/css" />
+
+
+
+ <!-- Google Analytics Magic -->
+ <script type="text/javascript">
+ var _gaq = _gaq || [];
+ _gaq.push(['_setAccount', 'UA-20226872-1']);
+ _gaq.push(['_setDomainName', 'apache.org']);
+ _gaq.push(['_trackPageview']);
+
+ (function() {
+ var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
+ ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
+ var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
+ })();
+ </script>
+
+ </head>
+ <body>
+ <!-- magical breadcrumbs -->
+ <div class="topnav">
+ <div class="container">
+ <ul class="breadcrumb">
+ <li>
+ <div class="dropdown">
+ <a data-toggle="dropdown" href="#">Apache Software Foundation <span class="caret"></span></a>
+ <ul class="dropdown-menu" role="menu" aria-labelledby="dLabel">
+ <li><a href="http://www.apache.org">Apache Homepage</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+ <li><a href="http://www.apache.org/security/">Security</a></li>
+ </ul>
+ </div>
+ </li>
+
+ <li><a href="http://mesos.apache.org">Apache Mesos</a></li>
+
+
+ <li><a href="/documentation
+/">Documentation
+</a></li>
+
+
+ </ul><!-- /.breadcrumb -->
+ </div><!-- /.container -->
+ </div><!-- /.topnav -->
+
+ <!-- navbar excitement -->
+<div class="navbar navbar-default navbar-static-top" role="navigation">
+ <div class="container">
+ <div class="navbar-header">
+ <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#mesos-menu" aria-expanded="false">
+ <span class="sr-only">Toggle navigation</span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ </button>
+ <a class="navbar-brand" href="/"><img src="/assets/img/mesos_logo.png" alt="Apache Mesos logo"/></a>
+ </div><!-- /.navbar-header -->
+
+ <div class="navbar-collapse collapse" id="mesos-menu">
+ <ul class="nav navbar-nav navbar-right">
+ <li><a href="/gettingstarted/">Getting Started</a></li>
+ <li><a href="/blog/">Blog</a></li>
+ <li><a href="/documentation/latest/">Documentation</a></li>
+ <li><a href="/downloads/">Downloads</a></li>
+ <li><a href="/community/">Community</a></li>
+ </ul>
+ </div><!-- /#mesos-menu -->
+ </div><!-- /.container -->
+</div><!-- /.navbar -->
+
+<div class="content">
+ <div class="container">
+ <div class="row-fluid">
+ <div class="col-md-4">
+ <h4>If you're new to Mesos</h4>
+ <p>See the <a href="/gettingstarted/">getting started</a> page for more
+ information about downloading, building, and deploying Mesos.</p>
+
+ <h4>If you'd like to get involved or you're looking for support</h4>
+ <p>See our <a href="/community/">community</a> page for more details.</p>
+ </div>
+ <div class="col-md-8">
+ <h1>Port Mapping Network Isolator</h1>
+
+<p>The port mapping network isolator provides a way to achieve
+per-container network monitoring and isolation without relying on IP
+per container. The network isolator prevents a single container from
+exhausting the available network ports, consuming an unfair share of
+the network bandwidth or significantly delaying packet transmission
+for others. Network statistics for each active container are published
+through the
+<a href="/documentation/latest/isolators/../endpoints/slave/monitor/statistics/">/monitor/statistics</a>
+endpoint on the agent. The port mapping network isolator is
+transparent for the majority of tasks running on an agent (those that
+bind to port 0 and let the kernel allocate their port).</p>
+
+<h2>Installation</h2>
+
+<p>Port mapping network isolator is <strong>not</strong> supported by default. To
+enable it you need to install additional dependencies and configure it
+during the build process.</p>
+
+<h3>Prerequisites</h3>
+
+<p>Per-container network monitoring and isolation is only supported on Linux kernel
+versions 3.6 and above. Additionally, the kernel must include these patches
+(merged in kernel version 3.15).</p>
+
+<ul>
+<li><a href="https://github.com/torvalds/linux/commit/6a662719c9868b3d6c7d26b3a085f0cd3cc15e64">6a662719c9868b3d6c7d26b3a085f0cd3cc15e64</a></li>
+<li><a href="https://github.com/torvalds/linux/commit/0d5edc68739f1c1e0519acbea1d3f0c1882a15d7">0d5edc68739f1c1e0519acbea1d3f0c1882a15d7</a></li>
+<li><a href="https://github.com/torvalds/linux/commit/e374c618b1465f0292047a9f4c244bd71ab5f1f0">e374c618b1465f0292047a9f4c244bd71ab5f1f0</a></li>
+<li><a href="https://github.com/torvalds/linux/commit/25f929fbff0d1bcebf2e92656d33025cd330cbf8">25f929fbff0d1bcebf2e92656d33025cd330cbf8</a></li>
+</ul>
+
+
+<p>The following packages are required on the agent:</p>
+
+<ul>
+<li><a href="https://github.com/thom311/libnl/releases">libnl3</a> >= 3.2.26</li>
+<li><a href="http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2">iproute</a> >= 2.6.39 is advised for debugging purpose but not required.</li>
+</ul>
+
+
+<p>Additionally, if you are building from source, you need will also need the
+libnl3 development package to compile Mesos:</p>
+
+<ul>
+<li><a href="https://github.com/thom311/libnl/releases">libnl3-devel / libnl3-dev</a> >= 3.2.26</li>
+</ul>
+
+
+<h3>Build</h3>
+
+<p>To build Mesos with port mapping network isolator support, you need to
+add a configure option:</p>
+
+<pre><code>$ ./configure --with-network-isolator
+$ make
+</code></pre>
+
+<h2>Configuration</h2>
+
+<p>The port mapping network isolator is enabled on the agent by adding
+<code>network/port_mapping</code> to the agent command line <code>--isolation</code> flag.</p>
+
+<pre><code>--isolation="network/port_mapping"
+</code></pre>
+
+<p>If the agent has not been compiled with port mapping network isolator
+support, it will refuse to start and print an error:</p>
+
+<pre><code>I0708 00:17:08.080271 44267 containerizer.cpp:111] Using isolation: network/port_mapping
+Failed to create a containerizer: Could not create MesosContainerizer: Unknown or unsupported
+ isolator: network/port_mapping
+</code></pre>
+
+<h2>Configuring network ports</h2>
+
+<p>Without port mapping network isolator, all the containers on a host
+share the public IP address of the agent and can bind to any port
+allowed by the OS.</p>
+
+<p>When the port mapping network isolator is enabled, each container on
+the agent has a separate network stack (via Linux <a href="http://lwn.net/Articles/580893/">network
+namespaces</a>). All containers still
+share the same public IP of the agent (so that the service discovery
+mechanism does not need to be changed). The agent assigns each
+container a non-overlapping range of the ports and only packets
+to/from these assigned port ranges will be delivered. Applications
+requesting the kernel assign a port (by binding to port 0) will be
+given ports from the container assigned range. Applications can bind
+to ports outside the container assigned ranges but packets from
+to/from these ports will be silently dropped by the host.</p>
+
+<p>Mesos provides two ranges of ports to containers:</p>
+
+<ul>
+<li><p>OS allocated “<a href="https://en.wikipedia.org/wiki/Ephemeral_port">ephemeral</a>” ports
+are assigned by the OS in a range specified for each container by Mesos.</p></li>
+<li><p>Mesos allocated “non-ephemeral” ports are acquired by a framework using the
+same Mesos resource offer mechanism used for cpu, memory etc. for allocation to
+executors/tasks as required.</p></li>
+</ul>
+
+
+<p>Additionally, the host itself will require ephemeral ports for network
+communication. You need to configure these three <strong>non-overlapping</strong> port ranges
+on the host.</p>
+
+<h3>Host ephemeral port range</h3>
+
+<p>The currently configured host ephemeral port range can be discovered at any time
+using the command <code>sysctl net.ipv4.ip_local_port_range</code>. If ports need to be set
+aside for agent containers, the ephemeral port range can be updated in
+<code>/etc/sysctl.conf</code>. Rebooting after the update will apply the change and
+eliminate the possibility that ports are already in use by other processes. For
+example, by adding the following:</p>
+
+<pre><code># net.ipv4.ip_local_port_range defines the host ephemeral port range, by
+# default 32768-61000. We reduce this range to allow the Mesos agent to
+# allocate ports 32768-57344
+# net.ipv4.ip_local_port_range = 32768 61000
+net.ipv4.ip_local_port_range = 57345 61000
+</code></pre>
+
+<h3>Container port ranges</h3>
+
+<p>The container ephemeral and non-ephemeral port ranges are configured using the
+agent <code>--resources</code> flag. The non-ephemeral port range is provided to the
+master, which will then offer it to frameworks for allocation.</p>
+
+<p>The ephemeral port range is sub-divided by the agent, giving
+<code>ephemeral_ports_per_container</code> (default 1024) to each container. The maximum
+number of containers on the agent will therefore be limited to approximately:</p>
+
+<pre><code>number of ephemeral_ports / ephemeral_ports_per_container
+</code></pre>
+
+<p>The master <code>--max_executors_per_agent</code> flag is be used to prevent allocation of
+more executors on an agent when the ephemeral port range has been exhausted.</p>
+
+<p>It is recommended (but not required) that <code>ephemeral_ports_per_container</code> be set
+to a power of 2 (e.g., 512, 1024) and the lower bound of the ephemeral port
+range be a multiple of <code>ephemeral_ports_per_container</code> to minimize CPU overhead
+in packet processing. For example:</p>
+
+<pre><code>--resources=ports:[31000-32000];ephemeral_ports:[32768-57344] \
+--ephemeral_ports_per_container=512
+</code></pre>
+
+<h3>Rate limiting container traffic</h3>
+
+<p>Outbound traffic from a container to the network can be rate limited to prevent
+a single container from consuming all available network resources with
+detrimental effects to the other containers on the host. The
+<code>--egress_rate_limit_per_container</code> flag specifies that each container launched
+on the host be limited to the specified bandwidth (in bytes per second).
+Network traffic which would cause this limit to be exceeded is delayed for later
+transmission. The TCP protocol will adjust to the increased latency and reduce
+the transmission rate ensuring no packets need be dropped.</p>
+
+<pre><code>--egress_rate_limit_per_container=100MB
+</code></pre>
+
+<p>We do not rate limit inbound traffic since we can only modify the network flows
+after they have been received by the host and any congestion has already
+occurred.</p>
+
+<h3>Egress traffic isolation</h3>
+
+<p>Delaying network data for later transmission can increase latency and jitter
+(variability) for all traffic on the interface. Mesos can reduce the impact on
+other containers on the same host by using flow classification and isolation
+using the containers port ranges to maintain unique flows for each container and
+sending traffic from these flows fairly (using the
+<a href="https://tools.ietf.org/html/draft-hoeiland-joergensen-aqm-fq-codel-00">FQ_Codel</a>
+algorithm). Use the <code>--egress_unique_flow_per_container</code> flag to enable.</p>
+
+<pre><code>--egress_unique_flow_per_container
+</code></pre>
+
+<h3>Putting it all together</h3>
+
+<p>A complete agent command line enabling port mapping network isolator,
+reserving ports 57345-61000 for host ephemeral ports, 32768-57344 for
+container ephemeral ports, 31000-32000 for non-ephemeral ports
+allocated by the framework, limiting container transmit bandwidth to
+300 Mbits/second (37.5MBytes) with unique flows enabled would thus be:</p>
+
+<pre><code>mesos-agent \
+--isolation=network/port_mapping \
+--resources=ports:[31000-32000];ephemeral_ports:[32768-57344] \
+--ephemeral_ports_per_container=1024 \
+--egress_rate_limit_per_container=37500KB \
+--egress_unique_flow_per_container
+</code></pre>
+
+<h2>Monitoring container network statistics</h2>
+
+<p>Mesos exposes statistics from the Linux network stack for each container network
+on the <a href="/documentation/latest/isolators/endpoints/slave/monitor/statistics/">/monitor/statistics</a> agent endpoint.</p>
+
+<p>From the network interface inside the container, we report the following
+counters (since container creation) under the <code>statistics</code> key:</p>
+
+<table class="table table-striped">
+<thead>
+<tr><th>Metric</th><th>Description</th><th>Type</th>
+</thead>
+<tr>
+ <td><code>net_rx_bytes</code></td>
+ <td>Received bytes</td>
+ <td>Counter</td>
+</tr>
+<tr>
+ <td><code>net_rx_dropped</code></td>
+ <td>Packets dropped on receive</td>
+ <td>Counter</td>
+</tr>
+<tr>
+ <td><code>net_rx_errors</code></td>
+ <td>Errors reported on receive</td>
+ <td>Counter</td>
+</tr>
+<tr>
+ <td><code>net_rx_packets</code></td>
+ <td>Packets received</td>
+ <td>Counter</td>
+</tr>
+<tr>
+ <td><code>net_tx_bytes</code></td>
+ <td>Sent bytes</td>
+ <td>Counter</td>
+</tr>
+<tr>
+ <td><code>net_tx_dropped</code></td>
+ <td>Packets dropped on send</td>
+ <td>Counter</td>
+</tr>
+<tr>
+ <td><code>net_tx_errors</code></td>
+ <td>Errors reported on send</td>
+ <td>Counter</td>
+</tr>
+<tr>
+ <td><code>net_tx_packets</code></td>
+ <td>Packets sent</td>
+ <td>Counter</td>
+</tr>
+</table>
+
+
+<p>Additionally, <a href="http://tldp.org/HOWTO/Traffic-Control-HOWTO/intro.html">Linux Traffic Control</a> can report the following
+statistics for the elements which implement bandwidth limiting and bloat
+reduction under the <code>statistics/net_traffic_control_statistics</code> key. The entry
+for each of these elements includes:</p>
+
+<table class="table table-striped">
+<thead>
+<tr><th>Metric</th><th>Description</th><th>Type</th>
+</thead>
+<tr>
+ <td><code>backlog</code></td>
+ <td>Bytes queued for transmission [1]</td>
+ <td>Gauge</td>
+</tr>
+<tr>
+ <td><code>bytes</code></td>
+ <td>Sent bytes</td>
+ <td>Counter</td>
+</tr>
+<tr>
+ <td><code>drops</code></td>
+ <td>Packets dropped on send</td>
+ <td>Counter</td>
+</tr>
+<tr>
+ <td><code>overlimits</code></td>
+ <td>Count of times the interface was over its transmit limit when it attempted to send a packet. Since the normal action when the network is overlimit is to delay the packet, the overlimit counter can be incremented many times for each packet sent on a heavily congested interface. [2]</td>
+ <td>Counter</td>
+</tr>
+<tr>
+ <td><code>packets</code></td>
+ <td>Packets sent</td>
+ <td>Counter</td>
+</tr>
+<tr>
+ <td><code>qlen</code></td>
+ <td>Packets queued for transmission</td>
+ <td>Gauge</td>
+</tr>
+<tr>
+ <td><code>ratebps</code></td>
+ <td>Transmit rate in bytes/second [3]</td>
+ <td>Gauge</td>
+</tr>
+<tr>
+ <td><code>ratepps</code></td>
+ <td>Transmit rate in packets/second [3]</td>
+ <td>Gauge</td>
+</tr>
+<tr>
+ <td><code>requeues</code></td>
+ <td>Packets failed to send due to resource contention (such as kernel locking) [3]</td>
+ <td>Counter</td>
+</tr>
+</table>
+
+
+<p>[1] <code>backlog</code> is only reported on the bloat_reduction interface.</p>
+
+<p>[2] <code>overlimits</code> are only reported on the bw_limit interface.</p>
+
+<p>[3] Currently always reported as 0 by the underlying Traffic Control element.</p>
+
+<p>For example, these are the statistics you will get by hitting the <code>/monitor/statistics</code> endpoint on an agent with network monitoring turned on:</p>
+
+<pre><code>$ curl -s http://localhost:5051/monitor/statistics | python2.6 -mjson.tool
+[
+ {
+ "executor_id": "job.1436298853",
+ "executor_name": "Command Executor (Task: job.1436298853) (Command: sh -c 'iperf ....')",
+ "framework_id": "20150707-195256-1740121354-5150-29801-0000",
+ "source": "job.1436298853",
+ "statistics": {
+ "cpus_limit": 1.1,
+ "cpus_nr_periods": 16314,
+ "cpus_nr_throttled": 16313,
+ "cpus_system_time_secs": 2667.06,
+ "cpus_throttled_time_secs": 8036.840845388,
+ "cpus_user_time_secs": 123.49,
+ "mem_anon_bytes": 8388608,
+ "mem_cache_bytes": 16384,
+ "mem_critical_pressure_counter": 0,
+ "mem_file_bytes": 16384,
+ "mem_limit_bytes": 167772160,
+ "mem_low_pressure_counter": 0,
+ "mem_mapped_file_bytes": 0,
+ "mem_medium_pressure_counter": 0,
+ "mem_rss_bytes": 8388608,
+ "mem_total_bytes": 9945088,
+ "net_rx_bytes": 10847,
+ "net_rx_dropped": 0,
+ "net_rx_errors": 0,
+ "net_rx_packets": 143,
+ "net_traffic_control_statistics": [
+ {
+ "backlog": 0,
+ "bytes": 163206809152,
+ "drops": 77147,
+ "id": "bw_limit",
+ "overlimits": 210693719,
+ "packets": 107941027,
+ "qlen": 10236,
+ "ratebps": 0,
+ "ratepps": 0,
+ "requeues": 0
+ },
+ {
+ "backlog": 15481368,
+ "bytes": 163206874168,
+ "drops": 27081494,
+ "id": "bloat_reduction",
+ "overlimits": 0,
+ "packets": 107941070,
+ "qlen": 10239,
+ "ratebps": 0,
+ "ratepps": 0,
+ "requeues": 0
+ }
+ ],
+ "net_tx_bytes": 163200529816,
+ "net_tx_dropped": 0,
+ "net_tx_errors": 0,
+ "net_tx_packets": 107936874,
+ "perf": {
+ "duration": 0,
+ "timestamp": 1436298855.82807
+ },
+ "timestamp": 1436300487.41595
+ }
+ }
+]
+</code></pre>
+
+ </div>
+</div>
+
+ </div><!-- /.container -->
+</div><!-- /.content -->
+
+<hr>
+
+
+
+ <!-- footer -->
+ <div class="footer">
+ <div class="container">
+ <div class="col-md-4 social-blk">
+ <span class="social">
+ <a href="https://twitter.com/ApacheMesos"
+ class="twitter-follow-button"
+ data-show-count="false" data-size="large">Follow @ApacheMesos</a>
+ <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document, 'script', 'twitter-wjs');</script>
+ <a href="https://twitter.com/intent/tweet?button_hashtag=mesos"
+ class="twitter-hashtag-button"
+ data-size="large"
+ data-related="ApacheMesos">Tweet #mesos</a>
+ <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document, 'script', 'twitter-wjs');</script>
+ </span>
+ </div>
+
+ <div class="col-md-8 trademark">
+ <p>© 2012-2017 <a href="http://apache.org">The Apache Software Foundation</a>.
+ Apache Mesos, the Apache feather logo, and the Apache Mesos project logo are trademarks of The Apache Software Foundation.
+ <p>
+ </div>
+ </div><!-- /.container -->
+ </div><!-- /.footer -->
+
+ <!-- JS -->
+ <script src="//code.jquery.com/jquery-1.11.0.min.js" type="text/javascript"></script>
+ <script src="//netdna.bootstrapcdn.com/bootstrap/3.1.1/js/bootstrap.min.js" type="text/javascript"></script>
+ </body>
+</html>
http://git-wip-us.apache.org/repos/asf/mesos-site/blob/e73ac18b/content/documentation/latest/isolators/posix-rlimits/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/latest/isolators/posix-rlimits/index.html b/content/documentation/latest/isolators/posix-rlimits/index.html
new file mode 100644
index 0000000..7b5c8e9
--- /dev/null
+++ b/content/documentation/latest/isolators/posix-rlimits/index.html
@@ -0,0 +1,307 @@
+<!DOCTYPE html>
+<html>
+ <head>
+ <meta charset="utf-8">
+ <title>Apache Mesos - POSIX Resource Limits Support in Mesos Containerizer</title>
+ <meta name="viewport" content="width=device-width, initial-scale=1.0">
+
+ <meta property="og:locale" content="en_US"/>
+ <meta property="og:type" content="website"/>
+ <meta property="og:title" content="Apache Mesos"/>
+ <meta property="og:site_name" content="Apache Mesos"/>
+ <meta property="og:url" content="http://mesos.apache.org/"/>
+ <meta property="og:image" content="http://mesos.apache.org/assets/img/mesos_logo_fb_preview.png"/>
+ <meta property="og:description"
+ content="Apache Mesos abstracts resources away from machines,
+ enabling fault-tolerant and elastic distributed systems
+ to easily be built and run effectively."/>
+
+ <meta name="twitter:card" content="summary"/>
+ <meta name="twitter:site" content="@ApacheMesos"/>
+ <meta name="twitter:title" content="Apache Mesos"/>
+ <meta name="twitter:image" content="http://mesos.apache.org/assets/img/mesos_logo_fb_preview.png"/>
+ <meta name="twitter:description"
+ content="Apache Mesos abstracts resources away from machines,
+ enabling fault-tolerant and elastic distributed systems
+ to easily be built and run effectively."/>
+
+ <link href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css" rel="stylesheet">
+ <link rel="alternate" type="application/atom+xml" title="Apache Mesos Blog" href="/blog/feed.xml">
+ <link href="../../../../assets/css/main.css" media="screen" rel="stylesheet" type="text/css" />
+
+
+
+ <!-- Google Analytics Magic -->
+ <script type="text/javascript">
+ var _gaq = _gaq || [];
+ _gaq.push(['_setAccount', 'UA-20226872-1']);
+ _gaq.push(['_setDomainName', 'apache.org']);
+ _gaq.push(['_trackPageview']);
+
+ (function() {
+ var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
+ ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
+ var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
+ })();
+ </script>
+
+ </head>
+ <body>
+ <!-- magical breadcrumbs -->
+ <div class="topnav">
+ <div class="container">
+ <ul class="breadcrumb">
+ <li>
+ <div class="dropdown">
+ <a data-toggle="dropdown" href="#">Apache Software Foundation <span class="caret"></span></a>
+ <ul class="dropdown-menu" role="menu" aria-labelledby="dLabel">
+ <li><a href="http://www.apache.org">Apache Homepage</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+ <li><a href="http://www.apache.org/security/">Security</a></li>
+ </ul>
+ </div>
+ </li>
+
+ <li><a href="http://mesos.apache.org">Apache Mesos</a></li>
+
+
+ <li><a href="/documentation
+/">Documentation
+</a></li>
+
+
+ </ul><!-- /.breadcrumb -->
+ </div><!-- /.container -->
+ </div><!-- /.topnav -->
+
+ <!-- navbar excitement -->
+<div class="navbar navbar-default navbar-static-top" role="navigation">
+ <div class="container">
+ <div class="navbar-header">
+ <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#mesos-menu" aria-expanded="false">
+ <span class="sr-only">Toggle navigation</span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ <span class="icon-bar"></span>
+ </button>
+ <a class="navbar-brand" href="/"><img src="/assets/img/mesos_logo.png" alt="Apache Mesos logo"/></a>
+ </div><!-- /.navbar-header -->
+
+ <div class="navbar-collapse collapse" id="mesos-menu">
+ <ul class="nav navbar-nav navbar-right">
+ <li><a href="/gettingstarted/">Getting Started</a></li>
+ <li><a href="/blog/">Blog</a></li>
+ <li><a href="/documentation/latest/">Documentation</a></li>
+ <li><a href="/downloads/">Downloads</a></li>
+ <li><a href="/community/">Community</a></li>
+ </ul>
+ </div><!-- /#mesos-menu -->
+ </div><!-- /.container -->
+</div><!-- /.navbar -->
+
+<div class="content">
+ <div class="container">
+ <div class="row-fluid">
+ <div class="col-md-4">
+ <h4>If you're new to Mesos</h4>
+ <p>See the <a href="/gettingstarted/">getting started</a> page for more
+ information about downloading, building, and deploying Mesos.</p>
+
+ <h4>If you'd like to get involved or you're looking for support</h4>
+ <p>See our <a href="/community/">community</a> page for more details.</p>
+ </div>
+ <div class="col-md-8">
+ <h1>POSIX Resource Limits Support in Mesos Containerizer</h1>
+
+<p>This document describes the <code>posix/rlimits</code> isolator. The isolator adds support
+for setting POSIX resource limits (rlimits) for containers launched using the
+<a href="/documentation/latest/isolators/../mesos-containerizer/">Mesos containerizer</a>.</p>
+
+<p>To enable the POSIX Resource Limits support, append <code>posix/rlimits</code> to
+the <code>--isolation</code> flag when starting the agent.</p>
+
+<h2>POSIX Resource Limits</h2>
+
+<p>POSIX rlimits can be used control the resources a process can consume. Resource
+limits are typically set at boot time and inherited when a child process is
+forked from a parent process; resource limits can also be modified via
+<code>setrlimit(2)</code>. In many interactive shells, resource limits can be inspected or
+modified with the <code>ulimit</code> shell built-in.</p>
+
+<p>A POSIX resource limit consist of a <em>soft</em> and a <em>hard</em> limit. The soft limit
+specifies the effective resource limit for the current and forked process, while
+the hard limit gives the value up to which processes may increase their
+effective limit; increasing the hard limit is a privileged action. It is
+required that the soft limit is less than or equal to the hard limit.
+System administrators can use a hard resource limit to define the maximum amount
+of resources that can be consumed by a user; users can employ soft resource
+limits to ensure that one of their tasks only consumes a limited amount of the
+global hard resource limit.</p>
+
+<h2>Setting POSIX Resource Limits for Tasks</h2>
+
+<p>This isolator permits setting per-task resource limits. This isolator interprets
+rlimits specified as part of a task’s <code>ContainerInfo</code> for the Mesos
+containerizer, e.g.,</p>
+
+<pre><code class="{.json}">{
+ "container": {
+ "type": "MESOS",
+ "rlimit_info": {
+ "rlimits": [
+ {
+ "type": "RLMT_CORE"
+ },
+ {
+ "type": "RLMT_STACK",
+ "soft": 8192,
+ "hard": 32768
+ }
+ ]
+ }
+ }
+}
+</code></pre>
+
+<p>To enable interpretation of rlimits, agents need to
+be started with <code>posix/rlimits</code> in its <code>--isolation</code> flag, e.g.,</p>
+
+<pre><code class="{.console}">mesos-agent --master=<master ip> --ip=<agent ip>
+ --work_dir=/var/lib/mesos
+ --isolation=posix/rlimits[,other isolation flags]
+</code></pre>
+
+<p>To set a hard limit for a task larger than the current value of the hard limit,
+the agent process needs to be under a privileged user (with the
+<code>CAP_SYS_RESOURCE</code> capability), typically <code>root</code>.</p>
+
+<p>POSIX currently defines a base set of resources, see
+<a href="http://pubs.opengroup.org/onlinepubs/009695399/functions/getrlimit.html">the documentation</a>;
+Linux defines additional resource limits, see e.g., the documentation of
+<code>setrlimit(2)</code>.</p>
+
+<table class="table table-striped">
+ <thead>
+ <tr>
+ <th>Resource</th>
+ <th>Comment</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td><code>RLIMIT_CORE</code></td>
+ <td><em>POSIX</em>: This is the maximum size of a core file, in bytes, that may be created by a process.</td>
+ </tr>
+ <tr>
+ <td><code>RLIMIT_CPU</code></td>
+ <td><em>POSIX</em>: This is the maximum amount of CPU time, in seconds, used by a process.</td>
+ </tr>
+ <tr>
+ <td><code>RLIMIT_DATA</code></td>
+ <td><em>POSIX</em>: This is the maximum size of a process' data segment, in bytes.</td>
+ </tr>
+ <tr>
+ <td><code>RLIMIT_FSIZE</code></td>
+ <td><em>POSIX</em>: This is the maximum size of a file, in bytes, that may be created by a process.</td>
+ </tr>
+ <tr>
+ <td><code>RLIMIT_NOFILE</code></td>
+ <td><em>POSIX</em>: This is a number one greater than the maximum value that the system may assign to a newly-created descriptor.</td>
+ </tr>
+ <tr>
+ <td><code>RLIMIT_STACK</code></td>
+ <td><em>POSIX</em>: This is the maximum size of the initial thread's stack, in bytes.</td>
+ </tr>
+ <tr>
+ <td><code>RLIMIT_AS</code></td>
+ <td><em>POSIX</em>: This is the maximum size of a process' total available memory, in bytes.</td>
+ </tr>
+ <tr>
+ <td><code>RLMT_LOCKS</code></td>
+ <td><em>Linux</em>: (Early Linux 2.4 only) A limit on the combined number of <code>flock(2)</code> locks and <code>fcntl(2)</code> leases that this process may establish.</td>
+ </tr>
+ <tr>
+ <td><code>RLMT_MEMLOCK</code></td>
+ <td><em>Linux</em>: The maximum number of bytes of memory that may be locked into RAM.</td>
+ </tr>
+ <tr>
+ <td><code>RLMT_MSGQUEUE</code></td>
+ <td><em>Linux</em>: Specifies the limit on the number of bytes that can be allocated for POSIX message queues for the real user ID of the calling process.</td>
+ </tr>
+ <tr>
+ <td><code>RLMT_NICE</code></td>
+ <td><em>Linux</em>: (Since Linux 2.6.12) Specifies a ceiling to which the process's nice value can be raised using <code>setpriority(2)</code> or <code>nice(2)</code>.</td>
+ </tr>
+ <tr>
+ <td><code>RLMT_NPROC</code></td>
+ <td><em>Linux</em>: The maximum number of processes (or, more precisely on Linux, threads) that can be created for the real user ID of the calling process.</td>
+ </tr>
+ <tr>
+ <td><code>RLMT_RSS</code></td>
+ <td><em>Linux</em>: Specifies the limit (in pages) of the process's resident set (the number of virtual pages resident in RAM).</td>
+ </tr>
+ <tr>
+ <td><code>RLMT_RTPRIO</code></td>
+ <td><em>Linux</em>: (Since Linux 2.6.12) Specifies a ceiling on the real-time priority that may be set for this process using sched_setscheduler(2) and sched_setparam(2).</td>
+ </tr>
+ <tr>
+ <td><code>RLMT_RTTIME</code></td>
+ <td><em>Linux</em>: (Since Linux 2.6.25) Specifies a limit (in microseconds) on the amount of CPU time that a process scheduled under a real-time scheduling policy may consume without making a blocking system call.</td>
+ </tr>
+ <tr>
+ <td><code>RLMT_SIGPENDING</code></td>
+ <td><em>Linux</em>: (Since Linux 2.6.8) Specifies the limit on the number of signals that may be queued for the real user ID of the calling process.</td>
+ </tr>
+ </tbody>
+</table>
+
+
+<p>Mesos maps these resource types onto <code>RLimit</code> types, where by convention the
+prefix <code>RLMT_</code> is used in place of <code>RLIMIT_</code> above. Not all limits types are
+supported on all platforms.</p>
+
+<p>We require either both the soft and hard <code>RLimit</code> value, or none to be
+set; the latter case is interpreted as the absence of an explicit limit.</p>
+
+ </div>
+</div>
+
+ </div><!-- /.container -->
+</div><!-- /.content -->
+
+<hr>
+
+
+
+ <!-- footer -->
+ <div class="footer">
+ <div class="container">
+ <div class="col-md-4 social-blk">
+ <span class="social">
+ <a href="https://twitter.com/ApacheMesos"
+ class="twitter-follow-button"
+ data-show-count="false" data-size="large">Follow @ApacheMesos</a>
+ <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document, 'script', 'twitter-wjs');</script>
+ <a href="https://twitter.com/intent/tweet?button_hashtag=mesos"
+ class="twitter-hashtag-button"
+ data-size="large"
+ data-related="ApacheMesos">Tweet #mesos</a>
+ <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document, 'script', 'twitter-wjs');</script>
+ </span>
+ </div>
+
+ <div class="col-md-8 trademark">
+ <p>© 2012-2017 <a href="http://apache.org">The Apache Software Foundation</a>.
+ Apache Mesos, the Apache feather logo, and the Apache Mesos project logo are trademarks of The Apache Software Foundation.
+ <p>
+ </div>
+ </div><!-- /.container -->
+ </div><!-- /.footer -->
+
+ <!-- JS -->
+ <script src="//code.jquery.com/jquery-1.11.0.min.js" type="text/javascript"></script>
+ <script src="//netdna.bootstrapcdn.com/bootstrap/3.1.1/js/bootstrap.min.js" type="text/javascript"></script>
+ </body>
+</html>
http://git-wip-us.apache.org/repos/asf/mesos-site/blob/e73ac18b/content/documentation/latest/linux_capabilities/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/latest/linux_capabilities/index.html b/content/documentation/latest/linux_capabilities/index.html
deleted file mode 100644
index c4d07e1..0000000
--- a/content/documentation/latest/linux_capabilities/index.html
+++ /dev/null
@@ -1,230 +0,0 @@
-<!DOCTYPE html>
-<html>
- <head>
- <meta charset="utf-8">
- <title></title>
- <meta name="viewport" content="width=device-width, initial-scale=1.0">
-
- <meta property="og:locale" content="en_US"/>
- <meta property="og:type" content="website"/>
- <meta property="og:title" content="Apache Mesos"/>
- <meta property="og:site_name" content="Apache Mesos"/>
- <meta property="og:url" content="http://mesos.apache.org/"/>
- <meta property="og:image" content="http://mesos.apache.org/assets/img/mesos_logo_fb_preview.png"/>
- <meta property="og:description"
- content="Apache Mesos abstracts resources away from machines,
- enabling fault-tolerant and elastic distributed systems
- to easily be built and run effectively."/>
-
- <meta name="twitter:card" content="summary"/>
- <meta name="twitter:site" content="@ApacheMesos"/>
- <meta name="twitter:title" content="Apache Mesos"/>
- <meta name="twitter:image" content="http://mesos.apache.org/assets/img/mesos_logo_fb_preview.png"/>
- <meta name="twitter:description"
- content="Apache Mesos abstracts resources away from machines,
- enabling fault-tolerant and elastic distributed systems
- to easily be built and run effectively."/>
-
- <link href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css" rel="stylesheet">
- <link rel="alternate" type="application/atom+xml" title="Apache Mesos Blog" href="/blog/feed.xml">
- <link href="../../../assets/css/main.css" media="screen" rel="stylesheet" type="text/css" />
-
-
-
- <!-- Google Analytics Magic -->
- <script type="text/javascript">
- var _gaq = _gaq || [];
- _gaq.push(['_setAccount', 'UA-20226872-1']);
- _gaq.push(['_setDomainName', 'apache.org']);
- _gaq.push(['_trackPageview']);
-
- (function() {
- var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
- ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
- var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
- })();
- </script>
-
- </head>
- <body>
- <!-- magical breadcrumbs -->
- <div class="topnav">
- <div class="container">
- <ul class="breadcrumb">
- <li>
- <div class="dropdown">
- <a data-toggle="dropdown" href="#">Apache Software Foundation <span class="caret"></span></a>
- <ul class="dropdown-menu" role="menu" aria-labelledby="dLabel">
- <li><a href="http://www.apache.org">Apache Homepage</a></li>
- <li><a href="http://www.apache.org/licenses/">License</a></li>
- <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
- <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
- <li><a href="http://www.apache.org/security/">Security</a></li>
- </ul>
- </div>
- </li>
-
- <li><a href="http://mesos.apache.org">Apache Mesos</a></li>
-
-
- <li><a href="/documentation
-/">Documentation
-</a></li>
-
-
- </ul><!-- /.breadcrumb -->
- </div><!-- /.container -->
- </div><!-- /.topnav -->
-
- <!-- navbar excitement -->
-<div class="navbar navbar-default navbar-static-top" role="navigation">
- <div class="container">
- <div class="navbar-header">
- <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#mesos-menu" aria-expanded="false">
- <span class="sr-only">Toggle navigation</span>
- <span class="icon-bar"></span>
- <span class="icon-bar"></span>
- <span class="icon-bar"></span>
- </button>
- <a class="navbar-brand" href="/"><img src="/assets/img/mesos_logo.png" alt="Apache Mesos logo"/></a>
- </div><!-- /.navbar-header -->
-
- <div class="navbar-collapse collapse" id="mesos-menu">
- <ul class="nav navbar-nav navbar-right">
- <li><a href="/gettingstarted/">Getting Started</a></li>
- <li><a href="/blog/">Blog</a></li>
- <li><a href="/documentation/latest/">Documentation</a></li>
- <li><a href="/downloads/">Downloads</a></li>
- <li><a href="/community/">Community</a></li>
- </ul>
- </div><!-- /#mesos-menu -->
- </div><!-- /.container -->
-</div><!-- /.navbar -->
-
-<div class="content">
- <div class="container">
- <div class="row-fluid">
- <div class="col-md-4">
- <h4>If you're new to Mesos</h4>
- <p>See the <a href="/gettingstarted/">getting started</a> page for more
- information about downloading, building, and deploying Mesos.</p>
-
- <h4>If you'd like to get involved or you're looking for support</h4>
- <p>See our <a href="/community/">community</a> page for more details.</p>
- </div>
- <div class="col-md-8">
- <h1>Linux Capabilities Support in Mesos Containerizer</h1>
-
-<p>This document describes the <code>linux/capabilities</code> isolator. The
-isolator adds support for controlling <a href="http://man7.org/linux/man-pages/man7/capabilities.7.html">Linux
-Capabilities</a>
-of containers launched using the
-<a href="/documentation/latest/./mesos-containerizer/">MesosContainerizer</a></p>
-
-<p>The Linux capabilities isolator allows operators to control which
-privileged operations Mesos tasks may perform. Operators can specify
-which capabilities to allow for containers executing on an agent;
-containers on the other hand can expose which capabilities they need.</p>
-
-<p>See the protobuf definition of <code>CapabilityInfo::Capability</code> for the
-list of currently exposed capabilities.</p>
-
-<h2>Agent setup</h2>
-
-<p>The Linux capabilities isolator is loaded when <code>linux/capabilities</code> is
-present in the agent’s <code>--isolation</code> flag. This isolator requires the
-<code>CAP_SETPCAP</code> capability so agent processes typically need to be started
-as root.</p>
-
-<p>The <code>--effective_capabilities</code> flag specifies a set of capabilities that
-are always granted to tasks. If the running kernel (Linux 4.3 or later)
-supports ambient capabilities, these capabilities will be added to the
-effective capability set of the task when it is launched. Otherwise
-they must be re-acquired by arranging for the task to execute a file
-with the relevant file-based capabilities enabled.</p>
-
-<p>In the absence of capabilities specified by the scheduler, an empty list
-for <code>--effective_capabilities</code> signifies that all capabilities will
-be explicitly dropped. If the <code>--effective_capabilities</code> flag is not
-present, the task will be launched with the default capabilities of the
-task user but the ambient capabilities will not be set.</p>
-
-<p>The <code>--bounding_capabilities</code> flag specifies an upper bound on the
-the capabilities a task is allowed to acquire or be granted.
-Schedulers are not allowed to launch tasks with capabilities outside
-the set specified by the <code>--bounding_capabilities</code> flag, but may
-specify effective or bounding capabilities that are within this
-set.</p>
-
-<p>An empty list for <code>--bounding_capabilities</code> signifies that no capabilities
-are allowed, while an absent <code>--bounding_capabilities</code> flag signifies
-that all capabilities are allowed.</p>
-
-<p>A possible agent startup invocation could be</p>
-
-<pre><code class="{.console}">sudo mesos-agent --master=<master ip> --ip=<agent ip>
- --work_dir=/var/lib/mesos
- --isolation=linux/capabilities[,other isolation flags]
- --effective_capabilities='{"capabilities":[NET_RAW,MKNOD]}'
- --bounding_capabilities='{"capabilities":[NET_RAW,MKNOD,SYSLOG]}'
-</code></pre>
-
-<h2>Task setup</h2>
-
-<p>In order for a Mesos task to acquire specific effective capabilities
-or limit its bounding capabilities it should declare the required
-capabilities in the <code>LinuxInfo</code> element of its <code>ContainerInfo</code>.</p>
-
-<p>A Mesos task can only request capabilities which are allowed according
-to the <code>--bounding_capabilities</code> flag of the agent; a task requesting
-other capabilities will be rejected. When the <code>--bounding_capabilities</code>
-flag is not present, all capability requests will be granted.</p>
-
-<p>If the optional <code>effective_capabilities</code> field is not set, the value
-of the <code>--effective_capabilities</code> flag will be used to populate the
-task capabilities. If the optional <code>bounding_capabilities</code> field
-is not set, the value of the <code>--bounding_capabilities</code> flag will
-be used to populate the task capabilities. In both case, if an empty
-list of capabilities is given, the Mesos task will drop all
-capabilities in the corresponding set.</p>
-
- </div>
-</div>
-
- </div><!-- /.container -->
-</div><!-- /.content -->
-
-<hr>
-
-
-
- <!-- footer -->
- <div class="footer">
- <div class="container">
- <div class="col-md-4 social-blk">
- <span class="social">
- <a href="https://twitter.com/ApacheMesos"
- class="twitter-follow-button"
- data-show-count="false" data-size="large">Follow @ApacheMesos</a>
- <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document, 'script', 'twitter-wjs');</script>
- <a href="https://twitter.com/intent/tweet?button_hashtag=mesos"
- class="twitter-hashtag-button"
- data-size="large"
- data-related="ApacheMesos">Tweet #mesos</a>
- <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document, 'script', 'twitter-wjs');</script>
- </span>
- </div>
-
- <div class="col-md-8 trademark">
- <p>© 2012-2017 <a href="http://apache.org">The Apache Software Foundation</a>.
- Apache Mesos, the Apache feather logo, and the Apache Mesos project logo are trademarks of The Apache Software Foundation.
- <p>
- </div>
- </div><!-- /.container -->
- </div><!-- /.footer -->
-
- <!-- JS -->
- <script src="//code.jquery.com/jquery-1.11.0.min.js" type="text/javascript"></script>
- <script src="//netdna.bootstrapcdn.com/bootstrap/3.1.1/js/bootstrap.min.js" type="text/javascript"></script>
- </body>
-</html>
http://git-wip-us.apache.org/repos/asf/mesos-site/blob/e73ac18b/content/documentation/latest/mesos-containerizer/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/latest/mesos-containerizer/index.html b/content/documentation/latest/mesos-containerizer/index.html
index dc5cba5..1e2302b 100644
--- a/content/documentation/latest/mesos-containerizer/index.html
+++ b/content/documentation/latest/mesos-containerizer/index.html
@@ -115,295 +115,63 @@
<div class="col-md-8">
<h1>Mesos Containerizer</h1>
-<p>The MesosContainerizer provides lightweight containerization and
+<p>The Mesos Containerizer provides lightweight containerization and
resource isolation of executors using Linux-specific functionality
such as control cgroups and namespaces. It is composable so operators
-can selectively enable different isolators.</p>
+can selectively enable different <a href="#isolators">isolators</a>.</p>
<p>It also provides basic support for POSIX systems (e.g., OSX) but
without any actual isolation, only resource usage reporting.</p>
-<h3>Shared Filesystem</h3>
+<h2>Isolators</h2>
+
+<p>Isolators are components that each define an aspect of how a tasks
+execution environment (or container) is constructed. Isolators can
+control how containers are isolated from each other, how task resource
+limits are enforced, how networking is configured, how security
+policies are applied.</p>
+
+<p>Since the isolator interface is <a href="/documentation/latest/./modules/">modularized</a>, operators
+can write modules that implement custom isolators.</p>
+
+<p>Mesos supports the following built-in isolators.</p>
+
+<ul>
+<li>environment_secret</li>
+<li>appc/runtime</li>
+<li>cgroups/blkio</li>
+<li>cgroups/cpu</li>
+<li>cgroups/cpuset</li>
+<li>cgroups/devices</li>
+<li>cgroups/hugetlb</li>
+<li>cgroups/mem</li>
+<li><a href="/documentation/latest/./isolators/cgroups-net-cls/">cgroups/net_cls</a></li>
+<li>cgroups/net_prio</li>
+<li>cgroups/perf_event</li>
+<li>cgroups/pids</li>
+<li><a href="/documentation/latest/./isolators/disk-du/">disk/du</a></li>
+<li><a href="/documentation/latest/./isolators/disk-xfs/">disk/xfs</a></li>
+<li><a href="/documentation/latest/./isolators/docker-runtime/">docker/runtime</a></li>
+<li><a href="/documentation/latest/./isolators/docker-volume/">docker/volume</a></li>
+<li>filesystem/linux</li>
+<li>filesystem/posix</li>
+<li><a href="/documentation/latest/./isolators/filesystem-shared/">filesystem/shared</a></li>
+<li>filesystem/windows</li>
+<li><a href="/documentation/latest/./gpu-support/">gpu/nvidia</a></li>
+<li><a href="/documentation/latest/./isolators/linux-capabilities/">linux/capabilities</a></li>
+<li><a href="/documentation/latest/./isolators/namespaces-ipc/">namespaces/ipc</a></li>
+<li><a href="/documentation/latest/./isolators/namespaces-pid/">namespaces/pid</a></li>
+<li><a href="/documentation/latest/./cni/">network/cni</a></li>
+<li><a href="/documentation/latest/./isolators/network-port-mapping/">network/port_mapping</a></li>
+<li>posix/cpu</li>
+<li>posix/mem</li>
+<li><a href="/documentation/latest/./isolators/posix-rlimits/">posix/rlimits</a></li>
+<li><a href="/documentation/latest/./container-volume/#host_path-volume-source">volume/host_path</a></li>
+<li>volume/image</li>
+<li><a href="/documentation/latest/./container-volume/#sandbox_path-volume-source">volume/sandbox_path</a></li>
+<li>volume/secret</li>
+</ul>
-<p>The SharedFilesystem isolator can optionally be used on Linux hosts to
-enable modifications to each container’s view of the shared
-filesystem.</p>
-
-<p>The modifications are specified in the ContainerInfo included in the
-ExecutorInfo, either by a framework or by using the
-<code>--default_container_info</code> agent flag.</p>
-
-<p>ContainerInfo specifies Volumes which map parts of the shared
-filesystem (host_path) into the container’s view of the filesystem
-(container_path), as read-write or read-only. The host_path can be
-absolute, in which case it will make the filesystem subtree rooted at
-host_path also accessible under container_path for each container.
-If host_path is relative then it is considered as a directory
-relative to the executor’s work directory. The directory will be
-created and permissions copied from the corresponding directory (which
-must exist) in the shared filesystem.</p>
-
-<p>The primary use-case for this isolator is to selectively make parts of
-the shared filesystem private to each container. For example, a
-private “/tmp” directory can be achieved with <code>host_path="tmp"</code> and
-<code>container_path="/tmp"</code> which will create a directory “tmp” inside the
-executor’s work directory (mode 1777) and simultaneously mount it as
-/tmp inside the container. This is transparent to processes running
-inside the container. Containers will not be able to see the host’s
-/tmp or any other container’s /tmp.</p>
-
-<h3>Pid Namespace</h3>
-
-<p>The Pid Namespace isolator can be used to isolate each container in
-a separate pid namespace with two main benefits:</p>
-
-<ol>
-<li><p>Visibility: Processes running in the container (executor and
-descendants) are unable to see or signal processes outside the
-namespace.</p></li>
-<li><p>Clean termination: Termination of the leading process in a pid
-namespace will result in the kernel terminating all other processes
-in the namespace.</p></li>
-</ol>
-
-
-<p>The Launcher will use (2) during destruction of a container in
-preference to the freezer cgroup, avoiding known kernel issues related
-to freezing cgroups under OOM conditions.</p>
-
-<p>/proc will be mounted for containers so tools such as ‘ps’ will work
-correctly.</p>
-
-<h3>Posix Disk Isolator</h3>
-
-<p>The Posix Disk isolator provides basic disk isolation. It is able to
-report the disk usage for each sandbox and optionally enforce the disk
-quota. It can be used on both Linux and OS X.</p>
-
-<p>To enable the Posix Disk isolator, append <code>disk/du</code> to the <code>--isolation</code>
-flag when starting the agent.</p>
-
-<p>By default, the disk quota enforcement is disabled. To enable it,
-specify <code>--enforce_container_disk_quota</code> when starting the agent.</p>
-
-<p>The Posix Disk isolator reports disk usage for each sandbox by
-periodically running the <code>du</code> command. The disk usage can be retrieved
-from the resource statistics endpoint (<a href="/documentation/latest/./endpoints/slave/monitor/statistics/">/monitor/statistics</a>).</p>
-
-<p>The interval between two <code>du</code>s can be controlled by the agent flag
-<code>--container_disk_watch_interval</code>. For example,
-<code>--container_disk_watch_interval=1mins</code> sets the interval to be 1
-minute. The default interval is 15 seconds.</p>
-
-<h3>XFS Disk Isolator</h3>
-
-<p>The XFS Disk isolator uses XFS project quotas to track the disk space
-used by each container sandbox and to enforce the corresponding disk
-space allocation. When quota enforcement is enabled, write operations
-performed by tasks exceeding their disk allocation will fail with an
-<code>EDQUOT</code> error. The task will not be terminated by the containerizer.</p>
-
-<p>To enable the XFS Disk isolator, append <code>disk/xfs</code> to the <code>--isolation</code>
-flag when starting the agent.</p>
-
-<p>The XFS Disk isolator supports the <code>--enforce_container_disk_quota</code> flag.
-If enforcement is enabled, the isolator will set both the hard and soft
-quota limit. Otherwise, no limits will be set, Disk usage accounting
-will be performed but the task will be allowed to exceed its allocation.</p>
-
-<p>The XFS Disk isolator requires the sandbox directory to be located
-on an XFS filesystem that is mounted with the <code>pquota</code> option. There
-is no need to configure
-<a href="http://man7.org/linux/man-pages/man5/projects.5.html">projects</a>
-or <a href="http://man7.org/linux/man-pages/man5/projid.5.html">projid</a>
-files. The range of project IDs given to the <code>--xfs_project_range</code>
-must not overlap any project IDs allocated for other uses.</p>
-
-<p>The <a href="http://man7.org/linux/man-pages/man8/xfs_quota.8.html">xfs_quota</a>
-command can be used to show the current allocation of project IDs
-and quota. For example:</p>
-
-<pre><code>$ xfs_quota -x -c "report -a -n -L 5000 -U 10000"
-</code></pre>
-
-<p>To show which project a file belongs to, use the
-<a href="http://man7.org/linux/man-pages/man8/xfs_io.8.html">xfs_io</a> command
-to display the <code>fsxattr.projid</code> field. For example:</p>
-
-<pre><code>$ xfs_io -r -c stat /mnt/mesos/
-</code></pre>
-
-<p>Note that the Posix Disk isolator <code>--container_disk_watch_interval</code>
-does not apply to the XFS Disk isolator.</p>
-
-<h3>Docker Runtime Isolator</h3>
-
-<p>The Docker Runtime isolator is used for supporting runtime
-configurations from the docker image (e.g., Entrypoint/Cmd, Env,
-etc.). This isolator is tied with <code>--image_providers=docker</code>. If
-<code>--image_providers</code> contains <code>docker</code>, this isolator must be used.
-Otherwise, the agent will refuse to start.</p>
-
-<p>To enable the Docker Runtime isolator, append <code>docker/runtime</code> to the
-<code>--isolation</code> flag when starting the agent.</p>
-
-<p>Currently, docker image default <code>Entrypoint</code>, <code>Cmd</code>, <code>Env</code>, and <code>WorkingDir</code> are
-supported with docker runtime isolator. Users can specify <code>CommandInfo</code> to
-override the default <code>Entrypoint</code> and <code>Cmd</code> in the image (see below for
-details). The <code>CommandInfo</code> should be inside of either <code>TaskInfo</code> or
-<code>ExecutorInfo</code> (depending on whether the task is a command task or uses a custom
-executor, respectively).</p>
-
-<h4>Determine the Launch Command</h4>
-
-<p>If the user specifies a command in <code>CommandInfo</code>, that will override the
-default Entrypoint/Cmd in the docker image. Otherwise, we will use the
-default Entrypoint/Cmd and append arguments specified in <code>CommandInfo</code>
-accordingly. The details are explained in the following table.</p>
-
-<p>Users can specify <code>CommandInfo</code> including <code>shell</code>, <code>value</code> and
-<code>arguments</code>, which are represented in the first column of the table
-below. <code>0</code> represents <code>not specified</code>, while <code>1</code> represents
-<code>specified</code>. The first row is how <code>Entrypoint</code> and <code>Cmd</code> defined in
-the docker image. All cells in the table, except the first column and
-row, as well as cells labeled as <code>Error</code>, have the first element
-(i.e., <code>/Entrypt[0]</code>) as executable, and the rest as appending
-arguments.</p>
-
-<table class="table table-striped">
- <tr>
- <th></th>
- <th>Entrypoint=0<br>Cmd=0</th>
- <th>Entrypoint=0<br>Cmd=1</th>
- <th>Entrypoint=1<br>Cmd=0</th>
- <th>Entrypoint=1<br>Cmd=1</th>
- </tr>
- <tr>
- <td>sh=0<br>value=0<br>argv=0</td>
- <td>Error</td>
- <td>/Cmd[0]<br>Cmd[1]..</td>
- <td>/Entrypt[0]<br>Entrypt[1]..</td>
- <td>/Entrypt[0]<br>Entrypt[1]..<br>Cmd..</td>
- </tr>
- <tr>
- <td>sh=0<br>value=0<br>argv=1</td>
- <td>Error</td>
- <td>/Cmd[0]<br>argv</td>
- <td>/Entrypt[0]<br>Entrypt[1]..<br>argv</td>
- <td>/Entrypt[0]<br>Entrypt[1]..<br>argv</td>
- </tr>
- <tr>
- <td>sh=0<br>value=1<br>argv=0</td>
- <td>/value</td>
- <td>/value</td>
- <td>/value</td>
- <td>/value</td>
- </tr>
- <tr>
- <td>sh=0<br>value=1<br>argv=1</td>
- <td>/value<br>argv</td>
- <td>/value<br>argv</td>
- <td>/value<br>argv</td>
- <td>/value<br>argv</td>
- </tr>
- <tr>
- <td>sh=1<br>value=0<br>argv=0</td>
- <td>Error</td>
- <td>Error</td>
- <td>Error</td>
- <td>Error</td>
- </tr>
- <tr>
- <td>sh=1<br>value=0<br>argv=1</td>
- <td>Error</td>
- <td>Error</td>
- <td>Error</td>
- <td>Error</td>
- </tr>
- <tr>
- <td>sh=1<br>value=1<br>argv=0</td>
- <td>/bin/sh -c<br>value</td>
- <td>/bin/sh -c<br>value</td>
- <td>/bin/sh -c<br>value</td>
- <td>/bin/sh -c<br>value</td>
- </tr>
- <tr>
- <td>sh=1<br>value=1<br>argv=1</td>
- <td>/bin/sh -c<br>value</td>
- <td>/bin/sh -c<br>value</td>
- <td>/bin/sh -c<br>value</td>
- <td>/bin/sh -c<br>value</td>
- </tr>
-</table>
-
-
-<h3>The <code>cgroups/net_cls</code> Isolator</h3>
-
-<p>The cgroups/net_cls isolator allows operators to provide network
-performance isolation and network segmentation for containers within
-a Mesos cluster. To enable the cgroups/net_cls isolator, append
-<code>cgroups/net_cls</code> to the <code>--isolation</code> flag when starting the agent.</p>
-
-<p>As the name suggests, the isolator enables the net_cls subsystem for
-Linux cgroups and assigns a net_cls cgroup to each container launched
-by the <code>MesosContainerizer</code>. The objective of the net_cls subsystem
-is to allow the kernel to tag packets originating from a container
-with a 32-bit handle. These handles can be used by kernel modules such
-as <code>qdisc</code> (for traffic engineering) and <code>net-filter</code> (for
-firewall) to enforce network performance and security policies
-specified by the operators. The policies, based on the net_cls
-handles, can be specified by the operators through user-space tools
-such as
-<a href="http://tldp.org/HOWTO/Traffic-Control-HOWTO/software.html#s-iproute2-tc">tc</a>
-and <a href="http://linux.die.net/man/8/iptables">iptables</a>.</p>
-
-<p>The 32-bit handle associated with a net_cls cgroup can be specified by
-writing the handle to the <code>net_cls.classid</code> file, present within the
-net_cls cgroup. The 32-bit handle is of the form <code>0xAAAABBBB</code>, and
-consists of a 16-bit primary handle 0xAAAA and a 16-bit secondary
-handle 0xBBBB. You can read more about the use cases for the primary
-and secondary handles in the <a href="https://www.kernel.org/doc/Documentation/cgroup-v1/net_cls.txt">Linux kernel documentation for
-net_cls</a>.</p>
-
-<p>By default, the cgroups/net_cls isolator does not manage the net_cls
-handles, and assumes the operator is going to manage/assign these
-handles. To enable the management of net_cls handles by the
-cgroups/net_cls isolator you need to specify a 16-bit primary handle,
-of the form 0xAAAA, using the <code>--cgroups_net_cls_primary_handle</code> flag at
-agent startup.</p>
-
-<p>Once a primary handle has been specified for an agent, for each
-container the cgroups/net_cls isolator allocates a 16-bit secondary
-handle. It then assigns the 32-bit combination of the primary and
-secondary handle to the net_cls cgroup associated with the container
-by writing to <code>net_cls.classid</code>. The cgroups/net_cls isolator exposes
-the assigned net_cls handle to operators by exposing the handle as
-part of the <code>ContainerStatus</code> —associated with any task running within
-the container— in the agent’s <a href="/documentation/latest/./endpoints/slave/state/">/state</a> endpoint.</p>
-
-<h3>The <code>docker/volume</code> Isolator</h3>
-
-<p>This is described in a <a href="/documentation/latest/./docker-volume/">separate document</a>.</p>
-
-<h3>The <code>namespaces/ipc</code> Isolator</h3>
-
-<p>The IPC Namespace isolator can be used on Linux to place tasks
-in a distinct IPC namespace. The benefit of this is that any
-<a href="http://man7.org/linux/man-pages/man7/svipc.7.html">IPC objects</a> created
-in the container will be automatically removed when the container is
-destroyed.</p>
-
-<h3>The <code>network/cni</code> Isolator</h3>
-
-<p>This is described in a <a href="/documentation/latest/./cni/">separate document</a>.</p>
-
-<h3>The <code>linux/capabilities</code> Isolator</h3>
-
-<p>This is described in a <a href="/documentation/latest/./linux_capabilities/">separate document</a>.</p>
-
-<h3>The <code>posix/rlimits</code> Isolator</h3>
-
-<p>This is described in a <a href="/documentation/latest/./posix_rlimits/">separate document</a>.</p>
</div>
</div>
http://git-wip-us.apache.org/repos/asf/mesos-site/blob/e73ac18b/content/documentation/latest/networking/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/latest/networking/index.html b/content/documentation/latest/networking/index.html
index 67f9ee6..bfcb28e 100644
--- a/content/documentation/latest/networking/index.html
+++ b/content/documentation/latest/networking/index.html
@@ -148,7 +148,7 @@ Model</a>.</p>
<p>Note that while IP-per-container is one way to achieve network
isolation between containers, there are other alternatives to
implement network isolation within <code>MesosContainerizer</code>, e.g., using
-the <a href="/documentation/latest/./port-mapping-isolator/">port-mapping network isolator</a>.</p>
+the <a href="/documentation/latest/./isolators/network-port-mapping/">port-mapping network isolator</a>.</p>
<p>While the two container run-time engines use different mechanisms to
provide networking support for containers, the interface to specify
http://git-wip-us.apache.org/repos/asf/mesos-site/blob/e73ac18b/content/documentation/latest/port-mapping-isolator/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/latest/port-mapping-isolator/index.html b/content/documentation/latest/port-mapping-isolator/index.html
deleted file mode 100644
index c4750be..0000000
--- a/content/documentation/latest/port-mapping-isolator/index.html
+++ /dev/null
@@ -1,539 +0,0 @@
-<!DOCTYPE html>
-<html>
- <head>
- <meta charset="utf-8">
- <title>Apache Mesos - Port Mapping Network Isolator</title>
- <meta name="viewport" content="width=device-width, initial-scale=1.0">
-
- <meta property="og:locale" content="en_US"/>
- <meta property="og:type" content="website"/>
- <meta property="og:title" content="Apache Mesos"/>
- <meta property="og:site_name" content="Apache Mesos"/>
- <meta property="og:url" content="http://mesos.apache.org/"/>
- <meta property="og:image" content="http://mesos.apache.org/assets/img/mesos_logo_fb_preview.png"/>
- <meta property="og:description"
- content="Apache Mesos abstracts resources away from machines,
- enabling fault-tolerant and elastic distributed systems
- to easily be built and run effectively."/>
-
- <meta name="twitter:card" content="summary"/>
- <meta name="twitter:site" content="@ApacheMesos"/>
- <meta name="twitter:title" content="Apache Mesos"/>
- <meta name="twitter:image" content="http://mesos.apache.org/assets/img/mesos_logo_fb_preview.png"/>
- <meta name="twitter:description"
- content="Apache Mesos abstracts resources away from machines,
- enabling fault-tolerant and elastic distributed systems
- to easily be built and run effectively."/>
-
- <link href="//netdna.bootstrapcdn.com/bootstrap/3.1.1/css/bootstrap.min.css" rel="stylesheet">
- <link rel="alternate" type="application/atom+xml" title="Apache Mesos Blog" href="/blog/feed.xml">
- <link href="../../../assets/css/main.css" media="screen" rel="stylesheet" type="text/css" />
-
-
-
- <!-- Google Analytics Magic -->
- <script type="text/javascript">
- var _gaq = _gaq || [];
- _gaq.push(['_setAccount', 'UA-20226872-1']);
- _gaq.push(['_setDomainName', 'apache.org']);
- _gaq.push(['_trackPageview']);
-
- (function() {
- var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
- ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
- var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
- })();
- </script>
-
- </head>
- <body>
- <!-- magical breadcrumbs -->
- <div class="topnav">
- <div class="container">
- <ul class="breadcrumb">
- <li>
- <div class="dropdown">
- <a data-toggle="dropdown" href="#">Apache Software Foundation <span class="caret"></span></a>
- <ul class="dropdown-menu" role="menu" aria-labelledby="dLabel">
- <li><a href="http://www.apache.org">Apache Homepage</a></li>
- <li><a href="http://www.apache.org/licenses/">License</a></li>
- <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
- <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
- <li><a href="http://www.apache.org/security/">Security</a></li>
- </ul>
- </div>
- </li>
-
- <li><a href="http://mesos.apache.org">Apache Mesos</a></li>
-
-
- <li><a href="/documentation
-/">Documentation
-</a></li>
-
-
- </ul><!-- /.breadcrumb -->
- </div><!-- /.container -->
- </div><!-- /.topnav -->
-
- <!-- navbar excitement -->
-<div class="navbar navbar-default navbar-static-top" role="navigation">
- <div class="container">
- <div class="navbar-header">
- <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#mesos-menu" aria-expanded="false">
- <span class="sr-only">Toggle navigation</span>
- <span class="icon-bar"></span>
- <span class="icon-bar"></span>
- <span class="icon-bar"></span>
- </button>
- <a class="navbar-brand" href="/"><img src="/assets/img/mesos_logo.png" alt="Apache Mesos logo"/></a>
- </div><!-- /.navbar-header -->
-
- <div class="navbar-collapse collapse" id="mesos-menu">
- <ul class="nav navbar-nav navbar-right">
- <li><a href="/gettingstarted/">Getting Started</a></li>
- <li><a href="/blog/">Blog</a></li>
- <li><a href="/documentation/latest/">Documentation</a></li>
- <li><a href="/downloads/">Downloads</a></li>
- <li><a href="/community/">Community</a></li>
- </ul>
- </div><!-- /#mesos-menu -->
- </div><!-- /.container -->
-</div><!-- /.navbar -->
-
-<div class="content">
- <div class="container">
- <div class="row-fluid">
- <div class="col-md-4">
- <h4>If you're new to Mesos</h4>
- <p>See the <a href="/gettingstarted/">getting started</a> page for more
- information about downloading, building, and deploying Mesos.</p>
-
- <h4>If you'd like to get involved or you're looking for support</h4>
- <p>See our <a href="/community/">community</a> page for more details.</p>
- </div>
- <div class="col-md-8">
- <h1>Port Mapping Network Isolator</h1>
-
-<p>The port mapping network isolator provides a way to achieve
-per-container network monitoring and isolation without relying on IP
-per container. The network isolator prevents a single container from
-exhausting the available network ports, consuming an unfair share of
-the network bandwidth or significantly delaying packet transmission
-for others. Network statistics for each active container are published
-through the
-<a href="/documentation/latest/./endpoints/slave/monitor/statistics/">/monitor/statistics</a> endpoint
-on the agent. The port mapping network isolator is transparent for the
-majority of tasks running on an agent (those that bind to port 0 and
-let the kernel allocate their port).</p>
-
-<h2>Installation</h2>
-
-<p>Port mapping network isolator is <strong>not</strong> supported by default. To
-enable it you need to install additional dependencies and configure it
-during the build process.</p>
-
-<h3>Prerequisites</h3>
-
-<p>Per-container network monitoring and isolation is only supported on Linux kernel
-versions 3.6 and above. Additionally, the kernel must include these patches
-(merged in kernel version 3.15).</p>
-
-<ul>
-<li><a href="https://github.com/torvalds/linux/commit/6a662719c9868b3d6c7d26b3a085f0cd3cc15e64">6a662719c9868b3d6c7d26b3a085f0cd3cc15e64</a></li>
-<li><a href="https://github.com/torvalds/linux/commit/0d5edc68739f1c1e0519acbea1d3f0c1882a15d7">0d5edc68739f1c1e0519acbea1d3f0c1882a15d7</a></li>
-<li><a href="https://github.com/torvalds/linux/commit/e374c618b1465f0292047a9f4c244bd71ab5f1f0">e374c618b1465f0292047a9f4c244bd71ab5f1f0</a></li>
-<li><a href="https://github.com/torvalds/linux/commit/25f929fbff0d1bcebf2e92656d33025cd330cbf8">25f929fbff0d1bcebf2e92656d33025cd330cbf8</a></li>
-</ul>
-
-
-<p>The following packages are required on the agent:</p>
-
-<ul>
-<li><a href="https://github.com/thom311/libnl/releases">libnl3</a> >= 3.2.26</li>
-<li><a href="http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2">iproute</a> >= 2.6.39 is advised for debugging purpose but not required.</li>
-</ul>
-
-
-<p>Additionally, if you are building from source, you need will also need the
-libnl3 development package to compile Mesos:</p>
-
-<ul>
-<li><a href="https://github.com/thom311/libnl/releases">libnl3-devel / libnl3-dev</a> >= 3.2.26</li>
-</ul>
-
-
-<h3>Build</h3>
-
-<p>To build Mesos with port mapping network isolator support, you need to
-add a configure option:</p>
-
-<pre><code>$ ./configure --with-network-isolator
-$ make
-</code></pre>
-
-<h2>Configuration</h2>
-
-<p>The port mapping network isolator is enabled on the agent by adding
-<code>network/port_mapping</code> to the agent command line <code>--isolation</code> flag.</p>
-
-<pre><code>--isolation="network/port_mapping"
-</code></pre>
-
-<p>If the agent has not been compiled with port mapping network isolator
-support, it will refuse to start and print an error:</p>
-
-<pre><code>I0708 00:17:08.080271 44267 containerizer.cpp:111] Using isolation: network/port_mapping
-Failed to create a containerizer: Could not create MesosContainerizer: Unknown or unsupported
- isolator: network/port_mapping
-</code></pre>
-
-<h2>Configuring network ports</h2>
-
-<p>Without port mapping network isolator, all the containers on a host
-share the public IP address of the agent and can bind to any port
-allowed by the OS.</p>
-
-<p>When the port mapping network isolator is enabled, each container on
-the agent has a separate network stack (via Linux <a href="http://lwn.net/Articles/580893/">network
-namespaces</a>). All containers still
-share the same public IP of the agent (so that the service discovery
-mechanism does not need to be changed). The agent assigns each
-container a non-overlapping range of the ports and only packets
-to/from these assigned port ranges will be delivered. Applications
-requesting the kernel assign a port (by binding to port 0) will be
-given ports from the container assigned range. Applications can bind
-to ports outside the container assigned ranges but packets from
-to/from these ports will be silently dropped by the host.</p>
-
-<p>Mesos provides two ranges of ports to containers:</p>
-
-<ul>
-<li><p>OS allocated “<a href="https://en.wikipedia.org/wiki/Ephemeral_port">ephemeral</a>” ports
-are assigned by the OS in a range specified for each container by Mesos.</p></li>
-<li><p>Mesos allocated “non-ephemeral” ports are acquired by a framework using the
-same Mesos resource offer mechanism used for cpu, memory etc. for allocation to
-executors/tasks as required.</p></li>
-</ul>
-
-
-<p>Additionally, the host itself will require ephemeral ports for network
-communication. You need to configure these three <strong>non-overlapping</strong> port ranges
-on the host.</p>
-
-<h3>Host ephemeral port range</h3>
-
-<p>The currently configured host ephemeral port range can be discovered at any time
-using the command <code>sysctl net.ipv4.ip_local_port_range</code>. If ports need to be set
-aside for agent containers, the ephemeral port range can be updated in
-<code>/etc/sysctl.conf</code>. Rebooting after the update will apply the change and
-eliminate the possibility that ports are already in use by other processes. For
-example, by adding the following:</p>
-
-<pre><code># net.ipv4.ip_local_port_range defines the host ephemeral port range, by
-# default 32768-61000. We reduce this range to allow the Mesos agent to
-# allocate ports 32768-57344
-# net.ipv4.ip_local_port_range = 32768 61000
-net.ipv4.ip_local_port_range = 57345 61000
-</code></pre>
-
-<h3>Container port ranges</h3>
-
-<p>The container ephemeral and non-ephemeral port ranges are configured using the
-agent <code>--resources</code> flag. The non-ephemeral port range is provided to the
-master, which will then offer it to frameworks for allocation.</p>
-
-<p>The ephemeral port range is sub-divided by the agent, giving
-<code>ephemeral_ports_per_container</code> (default 1024) to each container. The maximum
-number of containers on the agent will therefore be limited to approximately:</p>
-
-<pre><code>number of ephemeral_ports / ephemeral_ports_per_container
-</code></pre>
-
-<p>The master <code>--max_executors_per_agent</code> flag is be used to prevent allocation of
-more executors on an agent when the ephemeral port range has been exhausted.</p>
-
-<p>It is recommended (but not required) that <code>ephemeral_ports_per_container</code> be set
-to a power of 2 (e.g., 512, 1024) and the lower bound of the ephemeral port
-range be a multiple of <code>ephemeral_ports_per_container</code> to minimize CPU overhead
-in packet processing. For example:</p>
-
-<pre><code>--resources=ports:[31000-32000];ephemeral_ports:[32768-57344] \
---ephemeral_ports_per_container=512
-</code></pre>
-
-<h3>Rate limiting container traffic</h3>
-
-<p>Outbound traffic from a container to the network can be rate limited to prevent
-a single container from consuming all available network resources with
-detrimental effects to the other containers on the host. The
-<code>--egress_rate_limit_per_container</code> flag specifies that each container launched
-on the host be limited to the specified bandwidth (in bytes per second).
-Network traffic which would cause this limit to be exceeded is delayed for later
-transmission. The TCP protocol will adjust to the increased latency and reduce
-the transmission rate ensuring no packets need be dropped.</p>
-
-<pre><code>--egress_rate_limit_per_container=100MB
-</code></pre>
-
-<p>We do not rate limit inbound traffic since we can only modify the network flows
-after they have been received by the host and any congestion has already
-occurred.</p>
-
-<h3>Egress traffic isolation</h3>
-
-<p>Delaying network data for later transmission can increase latency and jitter
-(variability) for all traffic on the interface. Mesos can reduce the impact on
-other containers on the same host by using flow classification and isolation
-using the containers port ranges to maintain unique flows for each container and
-sending traffic from these flows fairly (using the
-<a href="https://tools.ietf.org/html/draft-hoeiland-joergensen-aqm-fq-codel-00">FQ_Codel</a>
-algorithm). Use the <code>--egress_unique_flow_per_container</code> flag to enable.</p>
-
-<pre><code>--egress_unique_flow_per_container
-</code></pre>
-
-<h3>Putting it all together</h3>
-
-<p>A complete agent command line enabling port mapping network isolator,
-reserving ports 57345-61000 for host ephemeral ports, 32768-57344 for
-container ephemeral ports, 31000-32000 for non-ephemeral ports
-allocated by the framework, limiting container transmit bandwidth to
-300 Mbits/second (37.5MBytes) with unique flows enabled would thus be:</p>
-
-<pre><code>mesos-agent \
---isolation=network/port_mapping \
---resources=ports:[31000-32000];ephemeral_ports:[32768-57344] \
---ephemeral_ports_per_container=1024 \
---egress_rate_limit_per_container=37500KB \
---egress_unique_flow_per_container
-</code></pre>
-
-<h2>Monitoring container network statistics</h2>
-
-<p>Mesos exposes statistics from the Linux network stack for each container network
-on the <a href="/documentation/latest/./endpoints/slave/monitor/statistics/">/monitor/statistics</a> agent endpoint.</p>
-
-<p>From the network interface inside the container, we report the following
-counters (since container creation) under the <code>statistics</code> key:</p>
-
-<table class="table table-striped">
-<thead>
-<tr><th>Metric</th><th>Description</th><th>Type</th>
-</thead>
-<tr>
- <td><code>net_rx_bytes</code></td>
- <td>Received bytes</td>
- <td>Counter</td>
-</tr>
-<tr>
- <td><code>net_rx_dropped</code></td>
- <td>Packets dropped on receive</td>
- <td>Counter</td>
-</tr>
-<tr>
- <td><code>net_rx_errors</code></td>
- <td>Errors reported on receive</td>
- <td>Counter</td>
-</tr>
-<tr>
- <td><code>net_rx_packets</code></td>
- <td>Packets received</td>
- <td>Counter</td>
-</tr>
-<tr>
- <td><code>net_tx_bytes</code></td>
- <td>Sent bytes</td>
- <td>Counter</td>
-</tr>
-<tr>
- <td><code>net_tx_dropped</code></td>
- <td>Packets dropped on send</td>
- <td>Counter</td>
-</tr>
-<tr>
- <td><code>net_tx_errors</code></td>
- <td>Errors reported on send</td>
- <td>Counter</td>
-</tr>
-<tr>
- <td><code>net_tx_packets</code></td>
- <td>Packets sent</td>
- <td>Counter</td>
-</tr>
-</table>
-
-
-<p>Additionally, <a href="http://tldp.org/HOWTO/Traffic-Control-HOWTO/intro.html">Linux Traffic Control</a> can report the following
-statistics for the elements which implement bandwidth limiting and bloat
-reduction under the <code>statistics/net_traffic_control_statistics</code> key. The entry
-for each of these elements includes:</p>
-
-<table class="table table-striped">
-<thead>
-<tr><th>Metric</th><th>Description</th><th>Type</th>
-</thead>
-<tr>
- <td><code>backlog</code></td>
- <td>Bytes queued for transmission [1]</td>
- <td>Gauge</td>
-</tr>
-<tr>
- <td><code>bytes</code></td>
- <td>Sent bytes</td>
- <td>Counter</td>
-</tr>
-<tr>
- <td><code>drops</code></td>
- <td>Packets dropped on send</td>
- <td>Counter</td>
-</tr>
-<tr>
- <td><code>overlimits</code></td>
- <td>Count of times the interface was over its transmit limit when it attempted to send a packet. Since the normal action when the network is overlimit is to delay the packet, the overlimit counter can be incremented many times for each packet sent on a heavily congested interface. [2]</td>
- <td>Counter</td>
-</tr>
-<tr>
- <td><code>packets</code></td>
- <td>Packets sent</td>
- <td>Counter</td>
-</tr>
-<tr>
- <td><code>qlen</code></td>
- <td>Packets queued for transmission</td>
- <td>Gauge</td>
-</tr>
-<tr>
- <td><code>ratebps</code></td>
- <td>Transmit rate in bytes/second [3]</td>
- <td>Gauge</td>
-</tr>
-<tr>
- <td><code>ratepps</code></td>
- <td>Transmit rate in packets/second [3]</td>
- <td>Gauge</td>
-</tr>
-<tr>
- <td><code>requeues</code></td>
- <td>Packets failed to send due to resource contention (such as kernel locking) [3]</td>
- <td>Counter</td>
-</tr>
-</table>
-
-
-<p>[1] <code>backlog</code> is only reported on the bloat_reduction interface.</p>
-
-<p>[2] <code>overlimits</code> are only reported on the bw_limit interface.</p>
-
-<p>[3] Currently always reported as 0 by the underlying Traffic Control element.</p>
-
-<p>For example, these are the statistics you will get by hitting the <code>/monitor/statistics</code> endpoint on an agent with network monitoring turned on:</p>
-
-<pre><code>$ curl -s http://localhost:5051/monitor/statistics | python2.6 -mjson.tool
-[
- {
- "executor_id": "job.1436298853",
- "executor_name": "Command Executor (Task: job.1436298853) (Command: sh -c 'iperf ....')",
- "framework_id": "20150707-195256-1740121354-5150-29801-0000",
- "source": "job.1436298853",
- "statistics": {
- "cpus_limit": 1.1,
- "cpus_nr_periods": 16314,
- "cpus_nr_throttled": 16313,
- "cpus_system_time_secs": 2667.06,
- "cpus_throttled_time_secs": 8036.840845388,
- "cpus_user_time_secs": 123.49,
- "mem_anon_bytes": 8388608,
- "mem_cache_bytes": 16384,
- "mem_critical_pressure_counter": 0,
- "mem_file_bytes": 16384,
- "mem_limit_bytes": 167772160,
- "mem_low_pressure_counter": 0,
- "mem_mapped_file_bytes": 0,
- "mem_medium_pressure_counter": 0,
- "mem_rss_bytes": 8388608,
- "mem_total_bytes": 9945088,
- "net_rx_bytes": 10847,
- "net_rx_dropped": 0,
- "net_rx_errors": 0,
- "net_rx_packets": 143,
- "net_traffic_control_statistics": [
- {
- "backlog": 0,
- "bytes": 163206809152,
- "drops": 77147,
- "id": "bw_limit",
- "overlimits": 210693719,
- "packets": 107941027,
- "qlen": 10236,
- "ratebps": 0,
- "ratepps": 0,
- "requeues": 0
- },
- {
- "backlog": 15481368,
- "bytes": 163206874168,
- "drops": 27081494,
- "id": "bloat_reduction",
- "overlimits": 0,
- "packets": 107941070,
- "qlen": 10239,
- "ratebps": 0,
- "ratepps": 0,
- "requeues": 0
- }
- ],
- "net_tx_bytes": 163200529816,
- "net_tx_dropped": 0,
- "net_tx_errors": 0,
- "net_tx_packets": 107936874,
- "perf": {
- "duration": 0,
- "timestamp": 1436298855.82807
- },
- "timestamp": 1436300487.41595
- }
- }
-]
-</code></pre>
-
- </div>
-</div>
-
- </div><!-- /.container -->
-</div><!-- /.content -->
-
-<hr>
-
-
-
- <!-- footer -->
- <div class="footer">
- <div class="container">
- <div class="col-md-4 social-blk">
- <span class="social">
- <a href="https://twitter.com/ApacheMesos"
- class="twitter-follow-button"
- data-show-count="false" data-size="large">Follow @ApacheMesos</a>
- <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document, 'script', 'twitter-wjs');</script>
- <a href="https://twitter.com/intent/tweet?button_hashtag=mesos"
- class="twitter-hashtag-button"
- data-size="large"
- data-related="ApacheMesos">Tweet #mesos</a>
- <script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+'://platform.twitter.com/widgets.js';fjs.parentNode.insertBefore(js,fjs);}}(document, 'script', 'twitter-wjs');</script>
- </span>
- </div>
-
- <div class="col-md-8 trademark">
- <p>© 2012-2017 <a href="http://apache.org">The Apache Software Foundation</a>.
- Apache Mesos, the Apache feather logo, and the Apache Mesos project logo are trademarks of The Apache Software Foundation.
- <p>
- </div>
- </div><!-- /.container -->
- </div><!-- /.footer -->
-
- <!-- JS -->
- <script src="//code.jquery.com/jquery-1.11.0.min.js" type="text/javascript"></script>
- <script src="//netdna.bootstrapcdn.com/bootstrap/3.1.1/js/bootstrap.min.js" type="text/javascript"></script>
- </body>
-</html>