Posted to commits@mesos.apache.org by id...@apache.org on 2014/11/04 21:11:35 UTC

[1/2] git commit: Documentation for filesystem/shared isolator.

Repository: mesos
Updated Branches:
  refs/heads/master aca54a479 -> 3eb6382f8


Documentation for filesystem/shared isolator.

Review: https://reviews.apache.org/r/27584


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/47da3b8d
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/47da3b8d
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/47da3b8d

Branch: refs/heads/master
Commit: 47da3b8dec270a05843f0dfb17ec59421d7c21eb
Parents: aca54a4
Author: Ian Downes <id...@twitter.com>
Authored: Tue Nov 4 11:25:31 2014 -0800
Committer: Ian Downes <id...@twitter.com>
Committed: Tue Nov 4 12:10:48 2014 -0800

----------------------------------------------------------------------
 docs/mesos-containerizer.md | 42 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/47da3b8d/docs/mesos-containerizer.md
----------------------------------------------------------------------
diff --git a/docs/mesos-containerizer.md b/docs/mesos-containerizer.md
new file mode 100644
index 0000000..7170a83
--- /dev/null
+++ b/docs/mesos-containerizer.md
@@ -0,0 +1,42 @@
+---
+layout: documentaiton
+---
+
+# Mesos Containerizer
+
+The MesosContainerizer provides lightweight containerization and
+resource isolation of executors using Linux-specific functionality
+such as control cgroups and namespaces. It is composable so operators
+can selectively enable different isolators.
+
+It also provides basic support for POSIX systems (e.g., OSX) but
+without any actual isolation, only resource usage reporting.
+
+### Shared Filesystem
+
+The SharedFilesystem isolator can optionally be used on Linux hosts to
+enable modifications to each container's view of the shared
+filesystem.
+
+The modifications are specified in the ContainerInfo included in the
+ExecutorInfo, either by a framework or by using the
+--default\_container\_info slave flag.
+
+ContainerInfo specifies Volumes which map parts of the shared
+filesystem (host\_path) into the container's view of the filesystem
+(container\_path), as read-write or read-only. The host\_path can be
+absolute, in which case it will make the filesystem subtree rooted at
+host\_path also accessible under container\_path for each container.
+If host\_path is relative then it is considered as a directory
+relative to the executor's work directory. The directory will be
+created and permissions copied from the corresponding directory (which
+must exist) in the shared filesystem.
+
+The primary use-case for this isolator is to selectively make parts of
+the shared filesystem private to each container. For example, a
+private "/tmp" directory can be achieved with host\_path="tmp" and
+container\_path="/tmp" which will create a directory "tmp" inside the
+executor's work directory (mode 1777) and simultaneously mount it as
+/tmp inside the container. This is transparent to processes running
+inside the container. Containers will not be able to see the host's
+/tmp or any other container's /tmp.
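Review bot: the front matter value `layout: documentaiton` is a typo for `documentation`, so the site generator will not apply the documentation layout to this page; fix the spelling. In the Volumes paragraph, the text says a mapping is "read-write or read-only" but never states what mode applies when none is given; since an absolute host_path exposes a host subtree to every container, the doc should name the default mode and suggest read-only for host paths the executor does not need to write. Also worth stating explicitly that permissions are copied only for the relative host_path case, as the sentence "The directory will be created and permissions copied" follows the relative-path sentence but could be read as applying to both.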


[2/2] git commit: Documentation for namespaces/pid isolator.

Posted by id...@apache.org.
Documentation for namespaces/pid isolator.

Review: https://reviews.apache.org/r/27585


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/3eb6382f
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/3eb6382f
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/3eb6382f

Branch: refs/heads/master
Commit: 3eb6382f86473d86c6c2c3b57a739b6b3c7d86fa
Parents: 47da3b8
Author: Ian Downes <id...@twitter.com>
Authored: Tue Nov 4 11:25:55 2014 -0800
Committer: Ian Downes <id...@twitter.com>
Committed: Tue Nov 4 12:10:59 2014 -0800

----------------------------------------------------------------------
 docs/mesos-containerizer.md | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/3eb6382f/docs/mesos-containerizer.md
----------------------------------------------------------------------
diff --git a/docs/mesos-containerizer.md b/docs/mesos-containerizer.md
index 7170a83..e4b2c24 100644
--- a/docs/mesos-containerizer.md
+++ b/docs/mesos-containerizer.md
@@ -40,3 +40,21 @@ executor's work directory (mode 1777) and simultaneously mount it as
 /tmp inside the container. This is transparent to processes running
 inside the container. Containers will not be able to see the host's
 /tmp or any other container's /tmp.
+
+### Pid Namespace
+
+The Pid Namespace isolator can be used to isolate each container in
+a separate pid namespace with two main benefits:
+1. Visibility: Processes running in the container (executor and
+   descendants) are unable to see or signal processes outside the
+   namespace.
+2. Clean termination: Termination of the leading process in a pid
+   namespace will result in the kernel terminating all other processes
+   in the namespace.
+
+The Launcher will use (2) during destruction of a container in
+preference to the freezer cgroup, avoiding known kernel issues related
+to freezing cgroups under OOM conditions.
+
+/proc will be mounted for containers so tools such as 'ps' will work
+correctly.
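Review bot: the numbered list under "with two main benefits:" starts directly after the paragraph line with no blank line before `1.`, which some Markdown renderers treat as paragraph continuation rather than a list; add a blank line so items (1) and (2) render as a list and the later reference to "(2)" stays meaningful. The closing sentence "/proc will be mounted for containers" should say that this is a private /proc for the container's pid namespace (and under what mount isolation), since a view of the host's /proc would list processes outside the namespace and undercut the visibility benefit described in (1).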