Posted to commits@mesos.apache.org by gi...@apache.org on 2017/10/12 23:37:45 UTC

mesos-site git commit: Updated the website built from mesos SHA: 7305855.

Repository: mesos-site
Updated Branches:
  refs/heads/asf-site 719fb0e5d -> 81c9b30d0


Updated the website built from mesos SHA: 7305855.


Project: http://git-wip-us.apache.org/repos/asf/mesos-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos-site/commit/81c9b30d
Tree: http://git-wip-us.apache.org/repos/asf/mesos-site/tree/81c9b30d
Diff: http://git-wip-us.apache.org/repos/asf/mesos-site/diff/81c9b30d

Branch: refs/heads/asf-site
Commit: 81c9b30d0f28df07f72bea31be79226c1e281c0c
Parents: 719fb0e
Author: jenkins <bu...@apache.org>
Authored: Thu Oct 12 23:37:43 2017 +0000
Committer: jenkins <bu...@apache.org>
Committed: Thu Oct 12 23:37:43 2017 +0000

----------------------------------------------------------------------
 .../latest/isolators/namespaces-pid/index.html   | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos-site/blob/81c9b30d/content/documentation/latest/isolators/namespaces-pid/index.html
----------------------------------------------------------------------
diff --git a/content/documentation/latest/isolators/namespaces-pid/index.html b/content/documentation/latest/isolators/namespaces-pid/index.html
index 0dfb4a3..9e5a5e3 100644
--- a/content/documentation/latest/isolators/namespaces-pid/index.html
+++ b/content/documentation/latest/isolators/namespaces-pid/index.html
@@ -140,6 +140,25 @@ to freezing cgroups under OOM conditions.</p>
 <p><code>/proc</code> will be mounted for containers so tools such as <code>ps</code> will work
 correctly.</p>
 
+<p>To enable the PID Namespace isolator, append <code>namespaces/pid</code> to the
+<code>--isolation</code> flag when starting the agent. By default, each container
+will have its own PID namespace if this isolator is enabled.</p>
+
+<p>Framework users can allow a container to share pid namespace with its
+parent by setting the <code>ContainerInfo.linux_info.share_pid_namespace</code>
+field to <code>true</code>. If the container is a top level container, it will
+share the pid namespace with the agent. If the container is a nested
+container, it will share the pid namespace with its parent container.
+The container will have its own pid namespace if the
+<code>ContainerInfo.linux_info.share_pid_namespace</code> field is set to <code>false</code>.</p>
+
+<p>As a security measure, operators can disallow any container to share
+the agent&rsquo;s PID namespace by setting the agent flag
+<code>--disallow_sharing_agent_pid_namespace</code> to <code>true</code>. If this agent flag
+is set as <code>true</code> and the framework requests to launch a top level
+container which shares its pid namespace with the agent, the container
+launch will be rejected.</p>
+
   </div>
 </div>
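Review bot: The third added paragraph introduces <code>--disallow_sharing_agent_pid_namespace</code> "as a security measure" but never states the flag's default, so an operator reading this page cannot tell whether a framework that sets <code>share_pid_namespace</code> to <code>true</code> on a top level container is accepted or rejected on an agent started with only <code>--isolation=namespaces/pid</code>. Please state the default explicitly. In the second paragraph, say that <code>false</code> is the default for <code>ContainerInfo.linux_info.share_pid_namespace</code>, which the first paragraph's "By default, each container will have its own PID namespace" implies. It would also help to say in one sentence what the measure guards against, namely that a container in the agent's PID namespace can see the agent's and the host's processes. Two wording nits: "disallow any container to share" reads better as "prevent any container from sharing", and the added text mixes "PID namespace" and "pid namespace"; pick one, preferably the capitalized form used in the isolator's name.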