Posted to reviews@mesos.apache.org by Xudong Ni via Review Board <no...@reviews.apache.org> on 2018/08/15 21:24:18 UTC

Review Request 68366: Added agent config option to allow ignoring ephemeral port range.

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/
-----------------------------------------------------------

Review request for mesos and James Peach.


Bugs: MESOS-9133
    https://issues.apache.org/jira/browse/MESOS-9133


Repository: mesos


Description
-------

For an environment with the network isolator disabled, in practice, there
could be a lot of users already binding to ephemeral ports. It would take
a lot of effort to find/notify/modify those apps. In order to take
advantage of the network isolator and enable it in such a system, it would
be useful to add a mesos-agent configuration option to allow ignoring
ports bound within the ephemeral port range.


Diffs
-----

  docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb 
  docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
  src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
  src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
  src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c 
  src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9 
  src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 


Diff: https://reviews.apache.org/r/68366/diff/1/


Testing
-------

New test added to test feature:

[ RUN      ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
[       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (70 ms)
[----------] 1 test from NetworkPortsIsolatorTest (71 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (82 ms total)
[  PASSED  ] 1 test.

Existing test updated to test the negative cases:

[ RUN      ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
[       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (70 ms)
[----------] 1 test from NetworkPortsIsolatorTest (71 ms total)

Existing test for isolator feature:

[       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1895 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1896 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1909 ms total)
[  PASSED  ] 1 test.


Thanks,

Xudong Ni


Re: Review Request 68366: Added agent protected port range option in network isolator.

Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207461
-----------------------------------------------------------



PASS: Mesos patch 68366 was successfully built and tested.

Reviews applied: `['68366']`

All the build artifacts available at: http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2177/mesos-review-68366

- Mesos Reviewbot Windows


On Aug. 16, 2018, 9:28 p.m., Xudong Ni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
> 
> (Updated Aug. 16, 2018, 9:28 p.m.)
> 
> 
> Review request for mesos and James Peach.
> 
> 
> Bugs: MESOS-9133
>     https://issues.apache.org/jira/browse/MESOS-9133
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> For an environment with the network isolator disabled, in practice, there
> could be a lot of users already binding to ephemeral ports. It would take
> a lot of effort to find/notify/modify those apps. In order to take
> advantage of the network isolator and enable it in such a system, it would
> be useful to add a mesos-agent configuration option to allow enforcing
> port isolation only in the specified port range.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb 
>   docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
>   src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c 
>   src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9 
>   src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 
> 
> 
> Diff: https://reviews.apache.org/r/68366/diff/2/
> 
> 
> Testing
> -------
> 
> New test added to test feature:
> 
> [ RUN      ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (786 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (787 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (799 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test updated to test the negative cases:
> 
> [ RUN      ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
> [       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (70 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (71 ms total)
> 
> Existing test for isolator feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1895 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1896 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1909 ms total)
> [  PASSED  ] 1 test.
> 
> 
> Thanks,
> 
> Xudong Ni
> 
>


Re: Review Request 68366: Added agent protected port range option in network isolator.

Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207524
-----------------------------------------------------------



FAIL: Some of the unit tests failed. Please check the relevant logs.

Reviews applied: `['68366']`

Failed command: `Start-MesosCITesting`

All the build artifacts available at: http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2185/mesos-review-68366

Relevant logs:

- [mesos-tests-cmake.log](http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2185/mesos-review-68366/logs/mesos-tests-cmake.log):

```
       "D:\DCOS\mesos\src\tests\mesos-tests.vcxproj" (default target) (1) ->
       "D:\DCOS\mesos\src\slave\mesos-agent.vcxproj" (default target) (11) ->
       (ClCompile target) -> 
         d:\dcos\mesos\mesos\src\slave\main.cpp(322): error C2039: 'check_agent_port_range_only': is not a member of 'mesos::internal::slave::Flags' [D:\DCOS\mesos\src\slave\mesos-agent.vcxproj]
         d:\dcos\mesos\mesos\src\slave\main.cpp(323): error C2039: 'container_ports_protected_range': is not a member of 'mesos::internal::slave::Flags' [D:\DCOS\mesos\src\slave\mesos-agent.vcxproj]
         d:\dcos\mesos\mesos\src\slave\main.cpp(323): error C2228: left of '.isSome' must have class/struct/union [D:\DCOS\mesos\src\slave\mesos-agent.vcxproj]

    172 Warning(s)
    3 Error(s)

Time Elapsed 00:18:23.87
```

- Mesos Reviewbot Windows


On Aug. 17, 2018, 5:21 p.m., Xudong Ni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
> 
> (Updated Aug. 17, 2018, 5:21 p.m.)
> 
> 
> Review request for mesos and James Peach.
> 
> 
> Bugs: MESOS-9133
>     https://issues.apache.org/jira/browse/MESOS-9133
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> For an environment with the network isolator disabled, in practice, there
> could be a lot of users already binding to ephemeral ports. It would take
> a lot of effort to find/notify/modify those apps. In order to take
> advantage of the network isolator and enable it in such a system, it would
> be useful to add a mesos-agent configuration option to allow enforcing
> port isolation only in the specified port range.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb 
>   docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
>   src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c 
>   src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9 
>   src/slave/main.cpp 489e87522588be259d382f588b66907ba29f1788 
>   src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 
> 
> 
> Diff: https://reviews.apache.org/r/68366/diff/3/
> 
> 
> Testing
> -------
> 
> New test added to test feature:
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1812 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1813 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1826 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test updated to test the negative cases:
> 
> [ RUN      ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
> [       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (69 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (70 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (82 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test for isolator feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1821 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1822 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1836 ms total)
> [  PASSED  ] 1 test.
> 
> 
> Thanks,
> 
> Xudong Ni
> 
>


Re: Review Request 68366: Added agent protected port range option in network isolator.

Posted by Xudong Ni via Review Board <no...@reviews.apache.org>.

> On Aug. 22, 2018, 7:27 p.m., James Peach wrote:
> > Can you please update the commit comment to better describe the specific changes?
> > 
> > Maybe something along these lines:
> > 
> > ```
> > Added a custom port range option to the `network/ports` isolator.
> > 
> > Added the `--foo-bar` flag to the `network/ports` isolator. This allows
> > the operator to specify a custom port range to be protected by the isolator. If a task
> > listens on a port that it isn't holding resources for, the isolator will
> > not raise a limitation unless the port is within this range. We can
> > represent the `--check_agent_port_range_only` as a special case of a
> > protected range.
> > 
> > etc ...
> > ```

Commit comment is updated.


- Xudong


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207762
-----------------------------------------------------------


On Aug. 22, 2018, 5:35 p.m., Xudong Ni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
> 
> (Updated Aug. 22, 2018, 5:35 p.m.)
> 
> 
> Review request for mesos and James Peach.
> 
> 
> Bugs: MESOS-9133
>     https://issues.apache.org/jira/browse/MESOS-9133
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> For an environment with the network isolator disabled, in practice, there
> could be a lot of users already binding to ephemeral ports. It would take
> a lot of effort to find/notify/modify those apps. In order to take
> advantage of the network isolator and enable it in such a system, it would
> be useful to add a mesos-agent configuration option to allow enforcing
> port isolation only in the specified port range.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e 
>   docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
>   src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f 
>   src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b 
>   src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 
> 
> 
> Diff: https://reviews.apache.org/r/68366/diff/6/
> 
> 
> Testing
> -------
> 
> New test added to test feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1886 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1887 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1900 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test updated to test the negative cases:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (58 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (58 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (69 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test for isolator feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1992 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1993 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (2004 ms total)
> [  PASSED  ] 1 test.
> 
> 
> Thanks,
> 
> Xudong Ni
> 
>


Re: Review Request 68366: Added agent protected port range option in network isolator.

Posted by James Peach <jp...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207762
-----------------------------------------------------------



Can you please update the commit comment to better describe the specific changes?

Maybe something along these lines:

```
Added a custom port range option to the `network/ports` isolator.

Added the `--foo-bar` flag to the `network/ports` isolator. This allows
the operator to specify a custom port range to be protected by the isolator. If a task
listens on a port that it isn't holding resources for, the isolator will
not raise a limitation unless the port is within this range. We can
represent the `--check_agent_port_range_only` as a special case of a
protected range.

etc ...
```


src/slave/containerizer/mesos/isolators/network/ports.cpp
Lines 285 (patched)
<https://reviews.apache.org/r/68366/#comment291268>

    Add a test case for this?



src/slave/containerizer/mesos/isolators/network/ports.cpp
Lines 288 (patched)
<https://reviews.apache.org/r/68366/#comment291267>

    Don't exit, just return the error.



src/slave/containerizer/mesos/isolators/network/ports.cpp
Lines 352 (patched)
<https://reviews.apache.org/r/68366/#comment291265>

    Make this "ports".



src/slave/containerizer/mesos/isolators/network/ports.cpp
Lines 364 (patched)
<https://reviews.apache.org/r/68366/#comment291266>

    "Invalid port range resource type"



src/slave/containerizer/mesos/isolators/network/ports.cpp
Line 340 (original), 378 (patched)
<https://reviews.apache.org/r/68366/#comment291269>

    Let's add a log message after this with the protected port range here:
    ```
    LOG(INFO) << "isolating ports " << stringify(protectedPorts);
    ```
    
    We could even simplify this a bit more by defaulting `protectedPorts` to `[0-65535]`.



src/tests/containerizer/ports_isolator_tests.cpp
Lines 979 (patched)
<https://reviews.apache.org/r/68366/#comment291271>

    "because we want to show that invalid port usage outside the protected range is allowed"



src/tests/containerizer/ports_isolator_tests.cpp
Lines 1016 (patched)
<https://reviews.apache.org/r/68366/#comment291272>

    I'm a little uncomfortable with the hard-coded port numbers here.
    
    Maybe:
    ```
    uint16_t usedPort;
    
    // We need to use a port that is inside the offered resources but
    // outside the isolated range and not the same as the one we are
    // accepting from the offer.
    do {
      usedPort = selectOtherPort(resources, taskPort);
    } while (usedPort < 45000 || usedPort > 45002);
    ```



src/tests/containerizer/ports_isolator_tests.cpp
Lines 1066 (patched)
<https://reviews.apache.org/r/68366/#comment291270>

    "is not in"


- James Peach
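
The rule in the suggested commit message, combined with the `[0-65535]` default proposed in the review comments, as an added stand-alone C++ model; it is not part of the original message and not Mesos code. The `[begin-end,...]` flag syntax, all function names and the sample ports are assumptions made for illustration.

```cpp
// Added illustration, not Mesos code: all names here are hypothetical.
#include <cstdint>
#include <iostream>
#include <set>
#include <sstream>
#include <string>
#include <vector>

struct PortRange { uint32_t begin; uint32_t end; };  // Inclusive bounds.

// Parses "[a-b,c-d]" (assumed flag syntax). Returns false on malformed or
// out-of-bounds input so the caller can report an error rather than exit.
bool parseRanges(const std::string& text, std::vector<PortRange>* out)
{
  out->clear();
  if (text.size() < 2 || text.front() != '[' || text.back() != ']') {
    return false;
  }

  std::vector<PortRange> ranges;
  std::istringstream in(text.substr(1, text.size() - 2));
  std::string item;

  while (std::getline(in, item, ',')) {
    std::istringstream range(item);
    unsigned long begin = 0, end = 0;
    char dash = 0;
    if (!(range >> begin >> dash >> end) || dash != '-' ||
        !(range >> std::ws).eof() || begin > end || end > 65535) {
      return false;
    }
    ranges.push_back({static_cast<uint32_t>(begin),
                      static_cast<uint32_t>(end)});
  }

  if (ranges.empty()) {
    return false;
  }
  *out = ranges;
  return true;
}

// An unset flag falls back to the whole port space, so one code path covers
// both full enforcement and enforcement narrowed to a custom range.
bool isolatedRanges(const std::string& flag, std::vector<PortRange>* out)
{
  return parseRanges(flag.empty() ? "[0-65535]" : flag, out);
}

static bool contains(const std::vector<PortRange>& ranges, uint32_t port)
{
  for (const PortRange& r : ranges) {
    if (port >= r.begin && port <= r.end) return true;
  }
  return false;
}

// Returns the listening ports that would raise a limitation: ports the task
// holds no resources for AND that fall inside the isolated range.
std::vector<uint32_t> violations(
    const std::set<uint32_t>& listening,
    const std::vector<PortRange>& allocated,
    const std::vector<PortRange>& isolated)
{
  std::vector<uint32_t> result;
  for (uint32_t port : listening) {
    if (!contains(allocated, port) && contains(isolated, port)) {
      result.push_back(port);
    }
  }
  return result;
}

int main()
{
  // Constructed sample: the task holds 31000-31005 and listens on one
  // allocated port, one unallocated port and one ephemeral-range port.
  const std::vector<PortRange> allocated = {{31000, 31005}};
  const std::set<uint32_t> listening = {31001, 31500, 45001};

  for (const char* flag : {"", "[31000-32000]", "[32000-31000]"}) {
    std::vector<PortRange> isolated;
    std::cout << "flag='" << flag << "': ";
    if (!isolatedRanges(flag, &isolated)) {
      std::cout << "invalid port range\n";
      continue;
    }
    for (uint32_t port : violations(listening, allocated, isolated)) {
      std::cout << port << ' ';
    }
    std::cout << '\n';
  }
  return 0;
}
```

With the range narrowed to `[31000-32000]`, the listener on 45001 no longer raises a limitation: ports outside the isolated range are simply not checked, which is the trade-off an operator accepts when setting the flag.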




Re: Review Request 68366: Added agent protected port range option in network isolator.

Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207763
-----------------------------------------------------------



PASS: Mesos patch 68366 was successfully built and tested.

Reviews applied: `['68366']`

All the build artifacts available at: http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2219/mesos-review-68366

- Mesos Reviewbot Windows


On Aug. 22, 2018, 10:35 a.m., Xudong Ni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
> 
> (Updated Aug. 22, 2018, 10:35 a.m.)
> 
> 
> Review request for mesos and James Peach.
> 
> 
> Bugs: MESOS-9133
>     https://issues.apache.org/jira/browse/MESOS-9133
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> For an environment with the network isolator disabled, in practice, there
> could be a lot of users already binding to ephemeral ports. It would take
> a lot of effort to find/notify/modify those apps. In order to take
> advantage of the network isolator and enable it in such a system, it would
> be useful to add a mesos-agent configuration option to allow enforcing
> port isolation only in the specified port range.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e 
>   docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
>   src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f 
>   src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b 
>   src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 
> 
> 
> Diff: https://reviews.apache.org/r/68366/diff/6/
> 
> 
> Testing
> -------
> 
> New test added to test feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1886 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1887 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1900 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test updated to test the negative cases:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (58 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (58 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (69 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test for isolator feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1992 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1993 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (2004 ms total)
> [  PASSED  ] 1 test.
> 
> 
> Thanks,
> 
> Xudong Ni
> 
>


Re: Review Request 68366: Added a custom port range option to the `network/ports` isolator.

Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207796
-----------------------------------------------------------



PASS: Mesos patch 68366 was successfully built and tested.

Reviews applied: `['68366']`

All the build artifacts available at: http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2223/mesos-review-68366

- Mesos Reviewbot Windows


On Aug. 23, 2018, 2:56 a.m., Xudong Ni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
> 
> (Updated Aug. 23, 2018, 2:56 a.m.)
> 
> 
> Review request for mesos and James Peach.
> 
> 
> Bugs: MESOS-9133
>     https://issues.apache.org/jira/browse/MESOS-9133
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Added the `--container_ports_isolated_range` flag to the
> `network/ports` isolator. This allows the operator to specify a custom
> port range to be protected by the isolator. If a task listens on a port
> that it isn't holding resources for, the isolator will not raise a
> limitation unless the port is within this range. We can represent the
> `--check_agent_port_range_only` as a special case of a protected range.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e 
>   docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
>   src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f 
>   src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b 
>   src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 
> 
> 
> Diff: https://reviews.apache.org/r/68366/diff/7/
> 
> 
> Testing
> -------
> 
> New test added to test feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementIsolatedPort (1678 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1679 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1691 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test updated to test the negative cases:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (73 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (73 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (85 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test for isolator feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortEnforcement (1789 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1790 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1801 ms total)
> [  PASSED  ] 1 test.
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortsResource (1795 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1795 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1806 ms total)
> [  PASSED  ] 1 test.
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1782 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1783 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1794 ms total)
> [  PASSED  ] 1 test.
> 
> 
> Thanks,
> 
> Xudong Ni
> 
>


Re: Review Request 68366: Added a custom port range option to the `network/ports` isolator.

Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207797
-----------------------------------------------------------



Patch looks great!

Reviews applied: [68366]

Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' CONFIGURATION='--verbose --disable-libtool-wrappers' ENVIRONMENT='GLOG_v=1 MESOS_VERBOSE=1'; ./support/docker-build.sh

- Mesos Reviewbot


On Aug. 23, 2018, 2:56 a.m., Xudong Ni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
> 
> (Updated Aug. 23, 2018, 2:56 a.m.)
> 
> 
> Review request for mesos and James Peach.
> 
> 
> Bugs: MESOS-9133
>     https://issues.apache.org/jira/browse/MESOS-9133
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Added the `--container_ports_isolated_range` flag to the
> `network/ports` isolator. This allows the operator to specify a custom
> port range to be protected by the isolator. If a task listens on a port
> that it isn't holding resources for, the isolator will not raise a
> limitation unless the port is within this range. We can represent the
> `--check_agent_port_range_only` as a special case of a protected range.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e 
>   docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
>   src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f 
>   src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b 
>   src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 
> 
> 
> Diff: https://reviews.apache.org/r/68366/diff/7/
> 
> 
> Testing
> -------
> 
> New test added to test feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementIsolatedPort (1678 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1679 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1691 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test updated to test the negative cases:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (73 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (73 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (85 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test for isolator feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortEnforcement (1789 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1790 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1801 ms total)
> [  PASSED  ] 1 test.
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortsResource (1795 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1795 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1806 ms total)
> [  PASSED  ] 1 test.
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1782 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1783 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1794 ms total)
> [  PASSED  ] 1 test.
> 
> 
> Thanks,
> 
> Xudong Ni
> 
>


Re: Review Request 68366: Added a custom port range option to the `network/ports` isolator.

Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207845
-----------------------------------------------------------



Patch looks great!

Reviews applied: [68366]

Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' CONFIGURATION='--verbose --disable-libtool-wrappers' ENVIRONMENT='GLOG_v=1 MESOS_VERBOSE=1'; ./support/docker-build.sh

- Mesos Reviewbot


On Aug. 23, 2018, 10:16 p.m., Xudong Ni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
> 
> (Updated Aug. 23, 2018, 10:16 p.m.)
> 
> 
> Review request for mesos and James Peach.
> 
> 
> Bugs: MESOS-9133
>     https://issues.apache.org/jira/browse/MESOS-9133
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Added the `--container_ports_isolated_range` flag to the
> `network/ports` isolator. This allows the operator to specify a custom
> port range to be protected by the isolator. If a task listens on a port
> that it isn't holding resources for, the isolator will not raise a
> limitation unless the port is within this range. We can represent the
> `--check_agent_port_range_only` as a special case of a protected range.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e 
>   docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
>   src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f 
>   src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b 
>   src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 
> 
> 
> Diff: https://reviews.apache.org/r/68366/diff/8/
> 
> 
> Testing
> -------
> 
> New test added to test feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementIsolatedPort (1794 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1794 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1806 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test updated to test the negative cases:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (78 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (78 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (91 ms total)
> [  PASSED  ] 1 test
> 
> Existing test for isolator feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortEnforcement (1798 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1798 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1810 ms total)
> [  PASSED  ] 1 test.
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortsResource (1772 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1773 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1784 ms total)
> [  PASSED  ] 1 test.
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1827 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1828 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1841 ms total)
> [  PASSED  ] 1 test.
> 
> 
> Thanks,
> 
> Xudong Ni
> 
>


Re: Review Request 68366: Added a custom port range option to the `network/ports` isolator.

Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207843
-----------------------------------------------------------



PASS: Mesos patch 68366 was successfully built and tested.

Reviews applied: `['68366']`

All the build artifacts available at: http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2227/mesos-review-68366

- Mesos Reviewbot Windows




Re: Review Request 68366: Added a custom port range option to the `network/ports` isolator.

Posted by James Peach <jp...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207926
-----------------------------------------------------------


Ship it!




Ship It!

- James Peach


On Aug. 24, 2018, 10:54 p.m., Xudong Ni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
> 
> (Updated Aug. 24, 2018, 10:54 p.m.)
> 
> 
> Review request for mesos and James Peach.
> 
> 
> Bugs: MESOS-9133
>     https://issues.apache.org/jira/browse/MESOS-9133
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Added the `--container_ports_isolated_range` flag to the
> `network/ports` isolator. This allows the operator to specify a custom
> port range to be protected by the isolator. If a task listens on a port
> that it isn't holding resources for, the isolator will not raise a
> limitation unless the port is within this range. We can represent the
> `--check_agent_port_range_only` as a special case of a protected range.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e 
>   docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
>   src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f 
>   src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b 
>   src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 
> 
> 
> Diff: https://reviews.apache.org/r/68366/diff/9/
> 
> 
> Testing
> -------
> 
> sudo GLOG_v=1 ./bin/mesos-tests.sh --verbose --gtest_filter="NetworkPortsIsolatorTest.*"
> 
> [----------] 13 tests from NetworkPortsIsolatorTest (26387 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 13 tests from 1 test case ran. (26399 ms total)
> [  PASSED  ] 13 tests.
> 
> 
> Thanks,
> 
> Xudong Ni
> 
>


Re: Review Request 68366: Added a custom port range option to the `network/ports` isolator.

Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207931
-----------------------------------------------------------



PASS: Mesos patch 68366 was successfully built and tested.

Reviews applied: `['68366']`

All the build artifacts available at: http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2237/mesos-review-68366

- Mesos Reviewbot Windows




Re: Review Request 68366: Added a custom port range option to the `network/ports` isolator.

Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207932
-----------------------------------------------------------



Patch looks great!

Reviews applied: [68366]

Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' CONFIGURATION='--verbose --disable-libtool-wrappers' ENVIRONMENT='GLOG_v=1 MESOS_VERBOSE=1'; ./support/docker-build.sh

- Mesos Reviewbot




Re: Review Request 68366: Added a custom port range option to the `network/ports` isolator.

Posted by Xudong Ni via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/
-----------------------------------------------------------

(Updated Aug. 24, 2018, 10:54 p.m.)


Review request for mesos and James Peach.


Bugs: MESOS-9133
    https://issues.apache.org/jira/browse/MESOS-9133


Repository: mesos


Description
-------

Added the `--container_ports_isolated_range` flag to the
`network/ports` isolator. This allows the operator to specify a custom
port range to be protected by the isolator. If a task listens on a port
that it isn't holding resources for, the isolator will not raise a
limitation unless the port is within this range. We can represent the
`--check_agent_port_range_only` as a special case of a protected range.


Diffs (updated)
-----

  docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e 
  docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
  src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
  src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
  src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f 
  src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b 
  src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 


Diff: https://reviews.apache.org/r/68366/diff/9/

Changes: https://reviews.apache.org/r/68366/diff/8-9/


Testing (updated)
-------

sudo GLOG_v=1 ./bin/mesos-tests.sh --verbose --gtest_filter="NetworkPortsIsolatorTest.*"

[----------] 13 tests from NetworkPortsIsolatorTest (26387 ms total)

[----------] Global test environment tear-down
[==========] 13 tests from 1 test case ran. (26399 ms total)
[  PASSED  ] 13 tests.


Thanks,

Xudong Ni
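
The enforcement rule in the description above (a limitation is raised only for a listening port that the task holds no resources for and that falls inside the isolated range), as an added C++ example that is not the Mesos isolator code from this review. The `[begin-end,...]` range syntax, the function names and the sample ports are assumptions constructed for illustration.

```cpp
#include <cstdint>
#include <iostream>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Closed interval of ports, e.g. 31000-32000.
struct PortRange {
  uint16_t begin;
  uint16_t end;
  bool contains(uint16_t port) const { return begin <= port && port <= end; }
};

using PortRanges = std::vector<PortRange>;

// Parses one decimal port number, rejecting empty, non-digit or >65535 input.
static uint16_t parsePort(const std::string& s) {
  if (s.empty() || s.size() > 5 ||
      s.find_first_not_of("0123456789") != std::string::npos) {
    throw std::invalid_argument("bad port: '" + s + "'");
  }
  const unsigned long value = std::stoul(s);
  if (value > 65535) {
    throw std::invalid_argument("port out of range: " + s);
  }
  return static_cast<uint16_t>(value);
}

// Parses "[begin-end,begin-end,...]" (syntax assumed for this example).
// An empty or reversed range is rejected rather than silently protecting nothing.
PortRanges parseRanges(const std::string& text) {
  if (text.size() < 2 || text.front() != '[' || text.back() != ']') {
    throw std::invalid_argument("expected [begin-end,...]: " + text);
  }
  const std::string body = text.substr(1, text.size() - 2);
  PortRanges ranges;
  std::string::size_type pos = 0;
  while (pos <= body.size()) {
    std::string::size_type comma = body.find(',', pos);
    if (comma == std::string::npos) comma = body.size();
    const std::string item = body.substr(pos, comma - pos);
    const std::string::size_type dash = item.find('-');
    if (dash == std::string::npos) {
      throw std::invalid_argument("expected begin-end: '" + item + "'");
    }
    const PortRange range = {parsePort(item.substr(0, dash)),
                             parsePort(item.substr(dash + 1))};
    if (range.begin > range.end) {
      throw std::invalid_argument("reversed range: " + item);
    }
    ranges.push_back(range);
    pos = comma + 1;
  }
  return ranges;
}

bool inRanges(const PortRanges& ranges, uint16_t port) {
  for (const PortRange& range : ranges) {
    if (range.contains(port)) return true;
  }
  return false;
}

// Returns the listening ports that would raise a limitation.
// `isolated == nullptr` models "no isolated range": every port is enforced.
std::set<uint16_t> violatingPorts(const std::set<uint16_t>& listening,
                                  const PortRanges& allocated,
                                  const PortRanges* isolated) {
  std::set<uint16_t> violations;
  for (uint16_t port : listening) {
    if (inRanges(allocated, port)) continue;  // Task holds this port resource.
    if (isolated != nullptr && !inRanges(*isolated, port)) continue;  // Unprotected.
    violations.insert(port);
  }
  return violations;
}

int main() {
  // Constructed sample: ports the task listens on, and its ports resource.
  const std::set<uint16_t> listening = {8080, 31000, 31500, 45000};
  const PortRanges allocated = parseRanges("[31000-31001]");
  const PortRanges isolated = parseRanges("[30000-32000]");

  for (uint16_t port : violatingPorts(listening, allocated, nullptr)) {
    std::cout << "enforce everywhere: port " << port << " violates\n";
  }
  for (uint16_t port : violatingPorts(listening, allocated, &isolated)) {
    std::cout << "isolated [30000-32000]: port " << port << " violates\n";
  }
  return 0;
}
```

Passing the agent's own ports range as `isolated` models the special case the description mentions for `--check_agent_port_range_only`.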


Re: Review Request 68366: Added a custom port range option to the `network/ports` isolator.

Posted by Xudong Ni via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/
-----------------------------------------------------------

(Updated Aug. 23, 2018, 10:16 p.m.)


Review request for mesos and James Peach.


Bugs: MESOS-9133
    https://issues.apache.org/jira/browse/MESOS-9133


Repository: mesos


Description
-------

Added the `--container_ports_isolated_range` flag to the
`network/ports` isolator. This allows the operator to specify a custom
port range to be protected by the isolator. If a task listens on a port
that it isn't holding resources for, the isolator will not raise a
limitation unless the port is within this range. We can represent the
`--check_agent_port_range_only` as a special case of a protected range.


Diffs (updated)
-----

  docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e 
  docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
  src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
  src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
  src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f 
  src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b 
  src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 


Diff: https://reviews.apache.org/r/68366/diff/8/

Changes: https://reviews.apache.org/r/68366/diff/7-8/


Testing (updated)
-------

New test added to test feature:

[       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementIsolatedPort (1794 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1794 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1806 ms total)
[  PASSED  ] 1 test.

Existing test updated to test the negative cases:

[       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (78 ms)
[----------] 1 test from NetworkPortsIsolatorTest (78 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (91 ms total)
[  PASSED  ] 1 test

Existing test for isolator feature:

[       OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortEnforcement (1798 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1798 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1810 ms total)
[  PASSED  ] 1 test.

[       OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortsResource (1772 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1773 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1784 ms total)
[  PASSED  ] 1 test.

[       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1827 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1828 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1841 ms total)
[  PASSED  ] 1 test.


Thanks,

Xudong Ni


Re: Review Request 68366: Added a custom port range option to the `network/ports` isolator.

Posted by Xudong Ni via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/
-----------------------------------------------------------

(Updated Aug. 23, 2018, 2:56 a.m.)


Review request for mesos and James Peach.


Summary (updated)
-----------------

Added a custom port range option to the `network/ports` isolator.


Bugs: MESOS-9133
    https://issues.apache.org/jira/browse/MESOS-9133


Repository: mesos


Description (updated)
-------

Added the `--container_ports_isolated_range` flag to the
`network/ports` isolator. This allows the operator to specify a custom
port range to be protected by the isolator. If a task listens on a port
that it isn't holding resources for, the isolator will not raise a
limitation unless the port is within this range. We can represent the
`--check_agent_port_range_only` as a special case of a protected range.


Diffs (updated)
-----

  docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e 
  docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
  src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
  src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
  src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f 
  src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b 
  src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 


Diff: https://reviews.apache.org/r/68366/diff/7/

Changes: https://reviews.apache.org/r/68366/diff/6-7/


Testing (updated)
-------

New test added to test feature:

[       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementIsolatedPort (1678 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1679 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1691 ms total)
[  PASSED  ] 1 test.

Existing test updated to test the negative cases:

[       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (73 ms)
[----------] 1 test from NetworkPortsIsolatorTest (73 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (85 ms total)
[  PASSED  ] 1 test.

Existing test for isolator feature:

[       OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortEnforcement (1789 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1790 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1801 ms total)
[  PASSED  ] 1 test.

[       OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortsResource (1795 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1795 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1806 ms total)
[  PASSED  ] 1 test.

[       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1782 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1783 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1794 ms total)
[  PASSED  ] 1 test.


Thanks,

Xudong Ni


Re: Review Request 68366: Added agent protected port range option in network isolator.

Posted by Xudong Ni via Review Board <no...@reviews.apache.org>.

> On Aug. 22, 2018, 11:50 p.m., James Peach wrote:
> > I think this change broke the `NetworkPortsIsolatorTest.ROOT_NC_NoPortsResource` test, just regressing against master.

Fixed it; there was an empty ports condition removed in one of the iterations, but it wasn't added back in the later iterations.


- Xudong


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207781
-----------------------------------------------------------


On Aug. 22, 2018, 5:35 p.m., Xudong Ni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
> 
> (Updated Aug. 22, 2018, 5:35 p.m.)
> 
> 
> Review request for mesos and James Peach.
> 
> 
> Bugs: MESOS-9133
>     https://issues.apache.org/jira/browse/MESOS-9133
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> For a network isolator disabled environment, in practice, there could
> be a lot of users already binding to ephemeral ports. It would take
> a lot of effort to find/notify/modify those apps. In order to take
> advantage of the network isolator and enable it in such a system, it would
> be useful to add a mesos-agent configuration option to allow enforcing
> port isolation only in the specified port range.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e 
>   docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
>   src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f 
>   src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b 
>   src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 
> 
> 
> Diff: https://reviews.apache.org/r/68366/diff/6/
> 
> 
> Testing
> -------
> 
> New test added to test feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1886 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1887 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1900 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test updated to test the negative cases:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (58 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (58 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (69 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test for isolator feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1992 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1993 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (2004 ms total)
> [  PASSED  ] 1 test.
> 
> 
> Thanks,
> 
> Xudong Ni
> 
>


Re: Review Request 68366: Added agent protected port range option in network isolator.

Posted by James Peach <jp...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207781
-----------------------------------------------------------



I think this change broke the `NetworkPortsIsolatorTest.ROOT_NC_NoPortsResource` test, just regressing against master.

- James Peach




Re: Review Request 68366: Added agent protected port range option in network isolator.

Posted by Xudong Ni via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/
-----------------------------------------------------------

(Updated Aug. 22, 2018, 5:35 p.m.)


Review request for mesos and James Peach.


Bugs: MESOS-9133
    https://issues.apache.org/jira/browse/MESOS-9133


Repository: mesos


Description
-------

For a network isolator disabled environment, in practice, there could
be a lot of users already binding to ephemeral ports; it would take
a lot of effort to find/notify/modify those apps. In order to take
advantage of the network isolator and enable it in such a system, it would
be useful to add a mesos-agent configuration option to allow enforcing
port isolation in only the specified port range.


Diffs (updated)
-----

  docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e 
  docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
  src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
  src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
  src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f 
  src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b 
  src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 


Diff: https://reviews.apache.org/r/68366/diff/6/

Changes: https://reviews.apache.org/r/68366/diff/5-6/


Testing
-------

New test added to test feature:

[       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1886 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1887 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1900 ms total)
[  PASSED  ] 1 test.

Existing test updated to test the negative cases:

[       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (58 ms)
[----------] 1 test from NetworkPortsIsolatorTest (58 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (69 ms total)
[  PASSED  ] 1 test.

Existing test for isolator feature:

[       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1992 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1993 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (2004 ms total)
[  PASSED  ] 1 test.


Thanks,

Xudong Ni


Re: Review Request 68366: Added agent protected port range option in network isolator.

Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207644
-----------------------------------------------------------



PASS: Mesos patch 68366 was successfully built and tested.

Reviews applied: `['68366']`

All the build artifacts available at: http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2201/mesos-review-68366

- Mesos Reviewbot Windows


On Aug. 20, 2018, 2:53 p.m., Xudong Ni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
> 
> (Updated Aug. 20, 2018, 2:53 p.m.)
> 
> 
> Review request for mesos and James Peach.
> 
> 
> Bugs: MESOS-9133
>     https://issues.apache.org/jira/browse/MESOS-9133
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> For a network isolator disabled environment, in practice, there could
> be a lot of users already binding to ephemeral ports; it would take
> a lot of effort to find/notify/modify those apps. In order to take
> advantage of the network isolator and enable it in such a system, it would
> be useful to add a mesos-agent configuration option to allow enforcing
> port isolation in only the specified port range.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb 
>   docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
>   src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c 
>   src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9 
>   src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 
> 
> 
> Diff: https://reviews.apache.org/r/68366/diff/5/
> 
> 
> Testing
> -------
> 
> New test added to test feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1886 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1887 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1900 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test updated to test the negative cases:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (58 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (58 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (69 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test for isolator feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1992 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1993 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (2004 ms total)
> [  PASSED  ] 1 test.
> 
> 
> Thanks,
> 
> Xudong Ni
> 
>


Re: Review Request 68366: Added agent protected port range option in network isolator.

Posted by Xudong Ni via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/
-----------------------------------------------------------

(Updated Aug. 20, 2018, 9:53 p.m.)


Review request for mesos and James Peach.


Bugs: MESOS-9133
    https://issues.apache.org/jira/browse/MESOS-9133


Repository: mesos


Description
-------

For a network isolator disabled environment, in practice, there could
be a lot of users already binding to ephemeral ports; it would take
a lot of effort to find/notify/modify those apps. In order to take
advantage of the network isolator and enable it in such a system, it would
be useful to add a mesos-agent configuration option to allow enforcing
port isolation in only the specified port range.


Diffs (updated)
-----

  docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb 
  docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
  src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
  src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
  src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c 
  src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9 
  src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 


Diff: https://reviews.apache.org/r/68366/diff/5/

Changes: https://reviews.apache.org/r/68366/diff/4-5/


Testing (updated)
-------

New test added to test feature:

[       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1886 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1887 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1900 ms total)
[  PASSED  ] 1 test.

Existing test updated to test the negative cases:

[       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (58 ms)
[----------] 1 test from NetworkPortsIsolatorTest (58 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (69 ms total)
[  PASSED  ] 1 test.

Existing test for isolator feature:

[       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1992 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1993 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (2004 ms total)
[  PASSED  ] 1 test.


Thanks,

Xudong Ni


Re: Review Request 68366: Added agent protected port range option in network isolator.

Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207581
-----------------------------------------------------------



Patch looks great!

Reviews applied: [68366]

Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' CONFIGURATION='--verbose --disable-libtool-wrappers' ENVIRONMENT='GLOG_v=1 MESOS_VERBOSE=1'; ./support/docker-build.sh

- Mesos Reviewbot


On Aug. 17, 2018, 6:27 p.m., Xudong Ni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
> 
> (Updated Aug. 17, 2018, 6:27 p.m.)
> 
> 
> Review request for mesos and James Peach.
> 
> 
> Bugs: MESOS-9133
>     https://issues.apache.org/jira/browse/MESOS-9133
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> For a network isolator disabled environment, in practice, there could
> be a lot of users already binding to ephemeral ports; it would take
> a lot of effort to find/notify/modify those apps. In order to take
> advantage of the network isolator and enable it in such a system, it would
> be useful to add a mesos-agent configuration option to allow enforcing
> port isolation in only the specified port range.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb 
>   docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
>   src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c 
>   src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9 
>   src/slave/main.cpp 489e87522588be259d382f588b66907ba29f1788 
>   src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 
> 
> 
> Diff: https://reviews.apache.org/r/68366/diff/4/
> 
> 
> Testing
> -------
> 
> New test added to test feature:
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1812 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1813 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1826 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test updated to test the negative cases:
> 
> [ RUN      ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
> [       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (69 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (70 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (82 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test for isolator feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1821 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1822 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1836 ms total)
> [  PASSED  ] 1 test.
> 
> 
> Thanks,
> 
> Xudong Ni
> 
>


Re: Review Request 68366: Added agent protected port range option in network isolator.

Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207541
-----------------------------------------------------------



FAIL: Some of the unit tests failed. Please check the relevant logs.

Reviews applied: `['68366']`

Failed command: `Start-MesosCITesting`

All the build artifacts available at: http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2187/mesos-review-68366

Relevant logs:

- [mesos-tests.log](http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2187/mesos-review-68366/logs/mesos-tests.log):

```
I0817 20:27:16.670253 53228 sched.cpp:744] Framework registered with 4cf032dc-2d0d-465d-9108-ff6e3667ea74-0000
I0817 20:27:16.672251 58840 hierarchical.cpp:306] Added framework 4cf032dc-2d0d-465d-9108-ff6e3667ea74-0000
E0817 20:27:17.944257 41036 slave.cpp:7269] EXIT with status 1: Failed to perform recovery: Collect failed: Docker ps batch failed Collect failed: Failed to create subprocess 'docker -H npipe:////./pipe/docker_engine inspect mesos-f7586fff-a250-41b8-9c3a-355285f3d6b4': Failed to call `CreateProcess`: cmd.exe /c "docker -H npipe:////./pipe/docker_engine inspect mesos-f7586fff-a250-41b8-9c3a-355285f3d6b4": The paging file is too small for this operation to complete.


If recovery failed due to a change in configuration and you want to
keep the current agent id, you might want to change the
`--reconfiguration_policy` flag to a more permissive value.

To restart this agent with a new agent id instead, do as follows:
rm -f C:\Users\jenkins\AppData\Local\Temp\Y9spfR\meta\slaves\latest
This ensures that the agent does not
d:\dcos\mesos\mesos\src\tests\mock_docker.hpp(155): ERROR: this mock object (used in test DockerContainerizerTest.ROOT_DOCKER_DefaultDNS) should be deleted but never is. Its address is @000000358476B850.
d:\dcos\mesos\mesos\src\tests\containerizer\docker_containerizer_tests.cpp(4534): ERROR: this mock object (used in test DockerContainerizerTest.ROOT_DOCKER_DefaultDNS) should be deleted but never is. Its address is @000000358476BAB0.
d:\dcos\mesos\mesos\src\tests\mock_docker.cpp(48): ERROR: this mock object (used in test DockerContainerizerTest.ROOT_DOCKER_DefaultDNS) should be deleted but never is. Its address is @00000181291E7170.
d:\dcos\mesos\mesos\src\tests\mock_registrar.cpp(54): ERROR: this mock object (used in test DockerContainerizerTest.ROOT_DOCKER_DefaultDNS) should be deleted but never is. Its address is @00000181567482D0.
d:\dcos\mesos\mesos\3rdparty\libprocess\include\process\gmock.hpp(247): ERROR: this mock object (used in test DockerContainerizerTest.ROOT_DOCKER_DefaultDNS) should be deleted but never is. Its address is @00000181572200A8.
ERROR: 5 leaked mock objects found at program exit.
 recover old live executors.

If you use the Docker containerizer and think that the Docker
daemon state is broken, you can try to clear it. But be careful:
these commands will erase all containers and images from this host,
not just those started by Mesos!
docker kill $(docker ps -q)
docker rm $(docker ps -a -q)
docker rmi $(docker images -q)

Finally, restart the agent.
```

- Mesos Reviewbot Windows


On Aug. 17, 2018, 6:27 p.m., Xudong Ni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
> 
> (Updated Aug. 17, 2018, 6:27 p.m.)
> 
> 
> Review request for mesos and James Peach.
> 
> 
> Bugs: MESOS-9133
>     https://issues.apache.org/jira/browse/MESOS-9133
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> For a network isolator disabled environment, in practice, there could
> be a lot of users already binding to ephemeral ports; it would take
> a lot of effort to find/notify/modify those apps. In order to take
> advantage of the network isolator and enable it in such a system, it would
> be useful to add a mesos-agent configuration option to allow enforcing
> port isolation in only the specified port range.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb 
>   docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
>   src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c 
>   src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9 
>   src/slave/main.cpp 489e87522588be259d382f588b66907ba29f1788 
>   src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 
> 
> 
> Diff: https://reviews.apache.org/r/68366/diff/4/
> 
> 
> Testing
> -------
> 
> New test added to test feature:
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1812 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1813 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1826 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test updated to test the negative cases:
> 
> [ RUN      ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
> [       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (69 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (70 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (82 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test for isolator feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1821 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1822 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1836 ms total)
> [  PASSED  ] 1 test.
> 
> 
> Thanks,
> 
> Xudong Ni
> 
>


Re: Review Request 68366: Added agent protected port range option in network isolator.

Posted by Xudong Ni via Review Board <no...@reviews.apache.org>.

> On Aug. 17, 2018, 10:02 p.m., James Peach wrote:
> > src/slave/containerizer/mesos/isolators/network/ports.cpp
> > Lines 343 (patched)
> > <https://reviews.apache.org/r/68366/diff/4/?file=2074705#file2074705line343>
> >
> >     `flags.container_ports_protected_range` is already an interval set. You don't need to convert it to resources and back again.

flags.container_ports_protected_range is a string, so we do need to convert it into a range. Is there a better way to do it?


- Xudong


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207557
-----------------------------------------------------------


On Aug. 17, 2018, 6:27 p.m., Xudong Ni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
> 
> (Updated Aug. 17, 2018, 6:27 p.m.)
> 
> 
> Review request for mesos and James Peach.
> 
> 
> Bugs: MESOS-9133
>     https://issues.apache.org/jira/browse/MESOS-9133
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> For a network isolator disabled environment, in practice, there could
> be a lot of users already binding to ephemeral ports; it would take
> a lot of effort to find/notify/modify those apps. In order to take
> advantage of the network isolator and enable it in such a system, it would
> be useful to add a mesos-agent configuration option to allow enforcing
> port isolation in only the specified port range.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb 
>   docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
>   src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c 
>   src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9 
>   src/slave/main.cpp 489e87522588be259d382f588b66907ba29f1788 
>   src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 
> 
> 
> Diff: https://reviews.apache.org/r/68366/diff/4/
> 
> 
> Testing
> -------
> 
> New test added to test feature:
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1812 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1813 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1826 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test updated to test the negative cases:
> 
> [ RUN      ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
> [       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (69 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (70 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (82 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test for isolator feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1821 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1822 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1836 ms total)
> [  PASSED  ] 1 test.
> 
> 
> Thanks,
> 
> Xudong Ni
> 
>


Re: Review Request 68366: Added agent protected port range option in network isolator.

Posted by James Peach <jp...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207557
-----------------------------------------------------------




src/slave/containerizer/mesos/isolators/network/ports.cpp
Line 152 (original), 152 (patched)
<https://reviews.apache.org/r/68366/#comment290950>

    We can simplify this comment to something like
    ```
    If we are protecting a subset of ports, then
    only collect this listen socket if it falls within
    the protected range.
    ```



src/slave/containerizer/mesos/isolators/network/ports.cpp
Lines 298 (patched)
<https://reviews.apache.org/r/68366/#comment290951>

    The default is to protect all ports, in which case `protectedPorts` is `None()`. I would have thought that this would break tests, but maybe we don't cover that case?



src/slave/containerizer/mesos/isolators/network/ports.cpp
Lines 342 (patched)
<https://reviews.apache.org/r/68366/#comment290952>

    "protected ports range"



src/slave/containerizer/mesos/isolators/network/ports.cpp
Lines 343 (patched)
<https://reviews.apache.org/r/68366/#comment290946>

    `flags.container_ports_protected_range` is already an interval set. You don't need to convert it to resources and back again.



src/slave/main.cpp
Lines 329 (patched)
<https://reviews.apache.org/r/68366/#comment290947>

    Conventionally, isolator flag checks are done in the `create` function for the isolator, so you can move this to `NetworkPortsIsolatorProcess::create`.



src/tests/containerizer/ports_isolator_tests.cpp
Lines 241 (patched)
<https://reviews.apache.org/r/68366/#comment290959>

    Ports are 16 bit? If you are checking for out of range, don't you want `EXPECT_ERROR` here?



src/tests/containerizer/ports_isolator_tests.cpp
Lines 249 (patched)
<https://reviews.apache.org/r/68366/#comment290957>

    This should be `EXPECT_ERROR` since you expect the flag to error out?



src/tests/containerizer/ports_isolator_tests.cpp
Lines 254 (patched)
<https://reviews.apache.org/r/68366/#comment290956>

    This should be `EXPECT_ERROR` since you expect the flag to error out?



src/tests/containerizer/ports_isolator_tests.cpp
Lines 1017 (patched)
<https://reviews.apache.org/r/68366/#comment290958>

    Just for robustness,
    ```
    CHECK_NE(taskPort, usedPort);
    ```


- James Peach


On Aug. 17, 2018, 6:27 p.m., Xudong Ni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
> 
> (Updated Aug. 17, 2018, 6:27 p.m.)
> 
> 
> Review request for mesos and James Peach.
> 
> 
> Bugs: MESOS-9133
>     https://issues.apache.org/jira/browse/MESOS-9133
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> For a network isolator disabled environment, in practice, there could
> be a lot of users already binding to ephemeral ports; it would take
> a lot of effort to find/notify/modify those apps. In order to take
> advantage of the network isolator and enable it in such a system, it would
> be useful to add a mesos-agent configuration option to allow enforcing
> port isolation in only the specified port range.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb 
>   docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
>   src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c 
>   src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9 
>   src/slave/main.cpp 489e87522588be259d382f588b66907ba29f1788 
>   src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 
> 
> 
> Diff: https://reviews.apache.org/r/68366/diff/4/
> 
> 
> Testing
> -------
> 
> New test added to test feature:
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1812 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1813 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1826 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test updated to test the negative cases:
> 
> [ RUN      ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
> [       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (69 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (70 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (82 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test for isolator feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1821 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1822 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1836 ms total)
> [  PASSED  ] 1 test.
> 
> 
> Thanks,
> 
> Xudong Ni
> 
>
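
The behaviour the review comments above discuss (protecting every port by default, collecting a listen socket only when it falls inside the protected range, and rejecting a range that does not fit in 16 bits), as an added stand-alone C++ example that is not Mesos code and not part of the patch under review. The `[begin-end]` flag syntax, every type and function name, and the sample data are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <map>
#include <set>
#include <string>
#include <vector>

// Inclusive port interval. Hypothetical type for this example, not a Mesos class.
struct PortRange {
  uint16_t begin;
  uint16_t end;
  bool contains(uint16_t port) const { return begin <= port && port <= end; }
};

// A listening socket attributed to a container (constructed model).
struct Listener {
  std::string containerId;
  uint16_t port;
};

// Parses a decimal port, rejecting anything that does not fit in 16 bits.
static bool parsePort(const std::string& text, uint16_t* port)
{
  if (text.empty() || text.size() > 5) return false;
  unsigned long value = 0;
  for (char c : text) {
    if (c < '0' || c > '9') return false;
    value = value * 10 + static_cast<unsigned long>(c - '0');
  }
  if (value > 65535) return false;
  *port = static_cast<uint16_t>(value);
  return true;
}

// Parses "[begin-end]" (assumed flag syntax). Malformed, reversed and
// out-of-range input is an error and leaves `range` untouched, so a bad
// flag value can never silently widen or narrow what is enforced.
bool parsePortRange(const std::string& text, PortRange* range)
{
  if (text.size() < 5 || text.front() != '[' || text.back() != ']') return false;
  const std::string body = text.substr(1, text.size() - 2);
  const std::size_t dash = body.find('-');
  if (dash == std::string::npos) return false;

  uint16_t begin = 0;
  uint16_t end = 0;
  if (!parsePort(body.substr(0, dash), &begin) ||
      !parsePort(body.substr(dash + 1), &end) ||
      begin > end) {
    return false;
  }
  range->begin = begin;
  range->end = end;
  return true;
}

// Returns the containers listening on a port they were not allocated.
// protectedRange == nullptr models the default: every port is protected.
std::set<std::string> findViolations(
    const std::vector<Listener>& listeners,
    const std::map<std::string, std::set<uint16_t>>& allocated,
    const PortRange* protectedRange)
{
  std::set<std::string> violators;
  for (const Listener& listener : listeners) {
    // Protecting a subset: skip listen sockets outside the protected range.
    if (protectedRange != nullptr && !protectedRange->contains(listener.port)) {
      continue;
    }
    auto ports = allocated.find(listener.containerId);
    if (ports == allocated.end() || ports->second.count(listener.port) == 0) {
      violators.insert(listener.containerId);
    }
  }
  return violators;
}

// Constructed sample: "web" also listens on an ephemeral port, "batch"
// listens on an unallocated port inside [31000-32000].
std::vector<Listener> sampleListeners()
{
  return {{"web", 31000}, {"web", 45123}, {"batch", 31005}};
}

std::map<std::string, std::set<uint16_t>> sampleAllocations()
{
  std::map<std::string, std::set<uint16_t>> allocated;
  allocated["web"].insert(31000);
  allocated["batch"].insert(31001);
  return allocated;
}

int main()
{
  PortRange range = {0, 0};
  if (!parsePortRange("[31000-32000]", &range)) return 1;
  std::cout << "all ports protected: "
            << findViolations(sampleListeners(), sampleAllocations(), nullptr).size()
            << " violators; range only: "
            << findViolations(sampleListeners(), sampleAllocations(), &range).size()
            << " violators" << std::endl;
  return 0;
}
```

With the range set, the "web" listener on the ephemeral port is no longer collected, which is exactly the enforcement gap an operator accepts when narrowing the protected range.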


Re: Review Request 68366: Added agent protected port range option in network isolator.

Posted by Xudong Ni via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/
-----------------------------------------------------------

(Updated Aug. 17, 2018, 6:27 p.m.)


Review request for mesos and James Peach.


Bugs: MESOS-9133
    https://issues.apache.org/jira/browse/MESOS-9133


Repository: mesos


Description
-------

For a network isolator disabled environment, in practice, there could
be a lot of users already binding to ephemeral ports; it would take
a lot of effort to find/notify/modify those apps. In order to take
advantage of the network isolator and enable it in such a system, it would
be useful to add a mesos-agent configuration option to allow enforcing
port isolation in only the specified port range.


Diffs (updated)
-----

  docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb 
  docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
  src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
  src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
  src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c 
  src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9 
  src/slave/main.cpp 489e87522588be259d382f588b66907ba29f1788 
  src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 


Diff: https://reviews.apache.org/r/68366/diff/4/

Changes: https://reviews.apache.org/r/68366/diff/3-4/


Testing
-------

New test added to test feature:
[       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1812 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1813 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1826 ms total)
[  PASSED  ] 1 test.

Existing test updated to test the negative cases:

[ RUN      ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
[       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (69 ms)
[----------] 1 test from NetworkPortsIsolatorTest (70 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (82 ms total)
[  PASSED  ] 1 test.

Existing test for isolator feature:

[       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1821 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1822 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1836 ms total)
[  PASSED  ] 1 test.


Thanks,

Xudong Ni


Re: Review Request 68366: Added agent protected port range option in network isolator.

Posted by Xudong Ni via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/
-----------------------------------------------------------

(Updated Aug. 17, 2018, 5:21 p.m.)


Review request for mesos and James Peach.


Bugs: MESOS-9133
    https://issues.apache.org/jira/browse/MESOS-9133


Repository: mesos


Description
-------

For a network isolator disabled environment, in practice, there could
be a lot of users already binding to ephemeral ports; it would take
a lot of effort to find/notify/modify those apps. In order to take
advantage of the network isolator and enable it in such a system, it would
be useful to add a mesos-agent configuration option to allow enforcing
port isolation in only the specified port range.


Diffs (updated)
-----

  docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb 
  docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
  src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
  src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
  src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c 
  src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9 
  src/slave/main.cpp 489e87522588be259d382f588b66907ba29f1788 
  src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 


Diff: https://reviews.apache.org/r/68366/diff/3/

Changes: https://reviews.apache.org/r/68366/diff/2-3/


Testing (updated)
-------

New test added to test feature:
[       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1812 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1813 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1826 ms total)
[  PASSED  ] 1 test.

Existing test updated to test the negative cases:

[ RUN      ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
[       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (69 ms)
[----------] 1 test from NetworkPortsIsolatorTest (70 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (82 ms total)
[  PASSED  ] 1 test.

Existing test for isolator feature:

[       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1821 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1822 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1836 ms total)
[  PASSED  ] 1 test.


Thanks,

Xudong Ni


Re: Review Request 68366: Added agent protected port range option in network isolator.

Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207478
-----------------------------------------------------------



Patch looks great!

Reviews applied: [68366]

Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' CONFIGURATION='--verbose --disable-libtool-wrappers' ENVIRONMENT='GLOG_v=1 MESOS_VERBOSE=1'; ./support/docker-build.sh

- Mesos Reviewbot


On Aug. 16, 2018, 11:28 p.m., Xudong Ni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
> 
> (Updated Aug. 16, 2018, 11:28 p.m.)
> 
> 
> Review request for mesos and James Peach.
> 
> 
> Bugs: MESOS-9133
>     https://issues.apache.org/jira/browse/MESOS-9133
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> For a network isolator disabled environment, in practice, there could
> be a lot of users already binding to ephemeral ports. It would take
> a lot of effort to find/notify/modify those apps. In order to take
> advantage of the network isolator and enable it in such a system, it would
> be useful to add a mesos-agent configuration option to allow enforcing
> port isolation in only the specified port range.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb 
>   docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
>   src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c 
>   src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9 
>   src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 
> 
> 
> Diff: https://reviews.apache.org/r/68366/diff/2/
> 
> 
> Testing
> -------
> 
> New test added to test feature:
> 
> [ RUN      ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (786 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (787 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (799 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test updated to test the negative cases:
> 
> [ RUN      ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
> [       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (70 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (71 ms total)
> 
> Existing test for isolator feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1895 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1896 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1909 ms total)
> [  PASSED  ] 1 test.
> 
> 
> Thanks,
> 
> Xudong Ni
> 
>


Re: Review Request 68366: Added agent protected port range option in network isolator.

Posted by Xudong Ni via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/
-----------------------------------------------------------

(Updated Aug. 16, 2018, 9:28 p.m.)


Review request for mesos and James Peach.


Summary (updated)
-----------------

Added agent protected port range option in network isolator.


Bugs: MESOS-9133
    https://issues.apache.org/jira/browse/MESOS-9133


Repository: mesos


Description (updated)
-------

For a network isolator disabled environment, in practice, there could
be a lot of users already binding to ephemeral ports. It would take
a lot of effort to find/notify/modify those apps. In order to take
advantage of the network isolator and enable it in such a system, it would
be useful to add a mesos-agent configuration option to allow enforcing
port isolation in only the specified port range.


Diffs (updated)
-----

  docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb 
  docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
  src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
  src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
  src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c 
  src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9 
  src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 


Diff: https://reviews.apache.org/r/68366/diff/2/

Changes: https://reviews.apache.org/r/68366/diff/1-2/


Testing (updated)
-------

New test added to test feature:

[ RUN      ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort
[       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (786 ms)
[----------] 1 test from NetworkPortsIsolatorTest (787 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (799 ms total)
[  PASSED  ] 1 test.

Existing test updated to test the negative cases:

[ RUN      ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
[       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (70 ms)
[----------] 1 test from NetworkPortsIsolatorTest (71 ms total)

Existing test for isolator feature:

[       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1895 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1896 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1909 ms total)
[  PASSED  ] 1 test.


Thanks,

Xudong Ni


Re: Review Request 68366: Added agent protected port range option in network isolator.

Posted by Xudong Ni via Review Board <no...@reviews.apache.org>.

> On Aug. 16, 2018, 5:22 p.m., James Peach wrote:
> > As per our offline discussion, I think that we can generalize this to make it consistent with the existing options. If we have the concept of a protected port range, then the existing features map to "protect all ports" and "protect agent ports". This option will end up being "protect a custom port range". I think that this concept makes the options easier to explain and easier for operators to reason about.

Updated the review as suggested, making the option more generic.


- Xudong


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207415
-----------------------------------------------------------


On Aug. 16, 2018, 9:28 p.m., Xudong Ni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
> 
> (Updated Aug. 16, 2018, 9:28 p.m.)
> 
> 
> Review request for mesos and James Peach.
> 
> 
> Bugs: MESOS-9133
>     https://issues.apache.org/jira/browse/MESOS-9133
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> For a network isolator disabled environment, in practice, there could
> be a lot of users already binding to ephemeral ports. It would take
> a lot of effort to find/notify/modify those apps. In order to take
> advantage of the network isolator and enable it in such a system, it would
> be useful to add a mesos-agent configuration option to allow enforcing
> port isolation in only the specified port range.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb 
>   docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
>   src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c 
>   src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9 
>   src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 
> 
> 
> Diff: https://reviews.apache.org/r/68366/diff/2/
> 
> 
> Testing
> -------
> 
> New test added to test feature:
> 
> [ RUN      ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (786 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (787 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (799 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test updated to test the negative cases:
> 
> [ RUN      ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
> [       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (70 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (71 ms total)
> 
> Existing test for isolator feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1895 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1896 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1909 ms total)
> [  PASSED  ] 1 test.
> 
> 
> Thanks,
> 
> Xudong Ni
> 
>


Re: Review Request 68366: Added agent config option to allow ignoring ephemeral port range.

Posted by James Peach <jp...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207415
-----------------------------------------------------------



As per our offline discussion, I think that we can generalize this to make it consistent with the existing options. If we have the concept of a protected port range, then the existing features map to "protect all ports" and "protect agent ports". This option will end up being "protect a custom port range". I think that this concept makes the options easier to explain and easier for operators to reason about.

- James Peach


On Aug. 15, 2018, 9:24 p.m., Xudong Ni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
> 
> (Updated Aug. 15, 2018, 9:24 p.m.)
> 
> 
> Review request for mesos and James Peach.
> 
> 
> Bugs: MESOS-9133
>     https://issues.apache.org/jira/browse/MESOS-9133
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> For a network isolator disabled environment, in practice, there could
> be a lot of users already binding to ephemeral ports. It would take
> a lot of effort to find/notify/modify those apps. In order to take
> advantage of the network isolator and enable it in such a system, it would
> be useful to add a mesos-agent configuration option to allow ignoring
> ports bound within the ephemeral port range.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb 
>   docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
>   src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c 
>   src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9 
>   src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 
> 
> 
> Diff: https://reviews.apache.org/r/68366/diff/1/
> 
> 
> Testing
> -------
> 
> New test added to test feature:
> 
> [ RUN      ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
> [       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (70 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (71 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (82 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test updated to test the negative cases:
> 
> [ RUN      ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
> [       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (70 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (71 ms total)
> 
> Existing test for isolator feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1895 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1896 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1909 ms total)
> [  PASSED  ] 1 test.
> 
> 
> Thanks,
> 
> Xudong Ni
> 
>
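
The "protected port range" generalization discussed in the review comment above, as an added sketch that is not part of this thread or of the Mesos patch: each of the three options becomes a different choice of protected port set, and only listeners inside that set are checked. All type and function names and all port values are hypothetical, and the violation rule (a listener on a protected port that was not allocated to the container) is an assumption made for the model.

```cpp
#include <cstdint>
#include <iostream>
#include <vector>

// Illustrative model only: these names are hypothetical, not Mesos identifiers.
struct PortRange { uint16_t begin, end; };  // inclusive bounds
using PortSet = std::vector<PortRange>;

enum class Mode { AllPorts, AgentPorts, CustomRange };

// Each mode is just a different choice of protected port set.
PortSet protectedPorts(Mode mode, const PortSet& agentPorts, const PortSet& custom) {
  switch (mode) {
    case Mode::AgentPorts:  return agentPorts;
    case Mode::CustomRange: return custom;
    case Mode::AllPorts:    break;
  }
  return {{0, 65535}};  // strictest choice: every port is protected
}

bool contains(const PortSet& set, uint16_t port) {
  for (const PortRange& r : set) {
    if (r.begin <= port && port <= r.end) return true;
  }
  return false;
}

// Assumed rule: a listening port is a violation when it is protected but was
// not allocated to the container. Ports outside the protected set are ignored.
std::vector<uint16_t> violations(const PortSet& protectedSet,
                                 const PortSet& allocated,
                                 const std::vector<uint16_t>& listening) {
  std::vector<uint16_t> result;
  for (uint16_t port : listening) {
    if (contains(protectedSet, port) && !contains(allocated, port)) {
      result.push_back(port);
    }
  }
  return result;
}

// Constructed sample: one container with one allocated port and four listeners.
std::vector<uint16_t> sampleViolations(Mode mode) {
  const PortSet agentPorts = {{31000, 32000}};
  const PortSet custom = {{8000, 9000}};
  const PortSet allocated = {{31005, 31005}};
  const std::vector<uint16_t> listening = {31005, 31006, 45678, 8080};
  return violations(protectedPorts(mode, agentPorts, custom), allocated, listening);
}

int main() {
  for (Mode mode : {Mode::AllPorts, Mode::AgentPorts, Mode::CustomRange}) {
    for (uint16_t port : sampleViolations(mode)) std::cout << port << ' ';
    std::cout << '\n';
  }
  return 0;
}
```

In the sample, narrowing the protected set from all ports to a custom range means the listeners on 31006 and 45678 are no longer reported, so the chosen range decides which unallocated listeners go unchecked.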


Re: Review Request 68366: Added agent config option to allow ignoring ephemeral port range.

Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207372
-----------------------------------------------------------



PASS: Mesos patch 68366 was successfully built and tested.

Reviews applied: `['68366']`

All the build artifacts available at: http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2166/mesos-review-68366

- Mesos Reviewbot Windows


On Aug. 15, 2018, 2:24 p.m., Xudong Ni wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
> 
> (Updated Aug. 15, 2018, 2:24 p.m.)
> 
> 
> Review request for mesos and James Peach.
> 
> 
> Bugs: MESOS-9133
>     https://issues.apache.org/jira/browse/MESOS-9133
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> For a network isolator disabled environment, in practice, there could
> be a lot of users already binding to ephemeral ports. It would take
> a lot of effort to find/notify/modify those apps. In order to take
> advantage of the network isolator and enable it in such a system, it would
> be useful to add a mesos-agent configuration option to allow ignoring
> ports bound within the ephemeral port range.
> 
> 
> Diffs
> -----
> 
>   docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb 
>   docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9 
>   src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c 
>   src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9 
>   src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884 
> 
> 
> Diff: https://reviews.apache.org/r/68366/diff/1/
> 
> 
> Testing
> -------
> 
> New test added to test feature:
> 
> [ RUN      ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
> [       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (70 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (71 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (82 ms total)
> [  PASSED  ] 1 test.
> 
> Existing test updated to test the negative cases:
> 
> [ RUN      ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
> [       OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (70 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (71 ms total)
> 
> Existing test for isolator feature:
> 
> [       OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1895 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1896 ms total)
> 
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1909 ms total)
> [  PASSED  ] 1 test.
> 
> 
> Thanks,
> 
> Xudong Ni
> 
>