You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@mesos.apache.org by Xudong Ni via Review Board <no...@reviews.apache.org> on 2018/08/15 21:24:18 UTC
Review Request 68366: Added agent config option to allow ignoring
ephemeral port range.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/
-----------------------------------------------------------
Review request for mesos and James Peach.
Bugs: MESOS-9133
https://issues.apache.org/jira/browse/MESOS-9133
Repository: mesos
Description
-------
For a network isolator disabled environment, in practice, there could
be a lot of users already binding to ephemeral ports; It would take
a lot of efforts to find/notify/modify those apps; In order to take
advantage of network isolator and enable it in such system, it would
be useful to add mesos-agent configuration option to allow ignoring
ports bound within the ephemeral port range
Diffs
-----
docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb
docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c
src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9
src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
Diff: https://reviews.apache.org/r/68366/diff/1/
Testing
-------
New test added to test feature:
[ RUN ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
[ OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (70 ms)
[----------] 1 test from NetworkPortsIsolatorTest (71 ms total)
[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (82 ms total)
[ PASSED ] 1 test.
Existing test updated to test the negative cases:
[ RUN ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
[ OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (70 ms)
[----------] 1 test from NetworkPortsIsolatorTest (71 ms total)
Existing test for isolator feature:
[ OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1895 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1896 ms total)
[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1909 ms total)
[ PASSED ] 1 test.
Thanks,
Xudong Ni
Re: Review Request 68366: Added agent protected port range option in
network isolator.
Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207461
-----------------------------------------------------------
PASS: Mesos patch 68366 was successfully built and tested.
Reviews applied: `['68366']`
All the build artifacts available at: http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2177/mesos-review-68366
- Mesos Reviewbot Windows
On Aug. 16, 2018, 9:28 p.m., Xudong Ni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
>
> (Updated Aug. 16, 2018, 9:28 p.m.)
>
>
> Review request for mesos and James Peach.
>
>
> Bugs: MESOS-9133
> https://issues.apache.org/jira/browse/MESOS-9133
>
>
> Repository: mesos
>
>
> Description
> -------
>
> For a network isolator disabled environment, in practice, there could
> be a lot of users already binding to ephemeral ports; It would take
> a lot of efforts to find/notify/modify those apps; In order to take
> advantage of network isolator and enable it in such system, it would
> be useful to add mesos-agent configuration option to allow enforce
> port isolation in only the specified certain port range
>
>
> Diffs
> -----
>
> docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb
> docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
> src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
> src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
> src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c
> src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9
> src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
>
>
> Diff: https://reviews.apache.org/r/68366/diff/2/
>
>
> Testing
> -------
>
> New test added to test feature:
>
> [ RUN ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (786 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (787 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (799 ms total)
> [ PASSED ] 1 test.
>
> Existing test updated to test the negative cases:
>
> [ RUN ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
> [ OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (70 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (71 ms total)
>
> Existing test for isolator feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1895 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1896 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1909 ms total)
> [ PASSED ] 1 test.
>
>
> Thanks,
>
> Xudong Ni
>
>
Re: Review Request 68366: Added agent protected port range option in
network isolator.
Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207524
-----------------------------------------------------------
FAIL: Some of the unit tests failed. Please check the relevant logs.
Reviews applied: `['68366']`
Failed command: `Start-MesosCITesting`
All the build artifacts available at: http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2185/mesos-review-68366
Relevant logs:
- [mesos-tests-cmake.log](http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2185/mesos-review-68366/logs/mesos-tests-cmake.log):
```
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\zookeeper.c(3479): warning C4101: 'addrstr': unreferenced local variable [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\zookeeper.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\recordio.c(170): warning C4267: '=': conversion from 'size_t' to 'int32_t', possible loss of data [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\zookeeper.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\mt_adaptor.c(496): warning C4244: '=': conversion from 'time_t' to 'int32_t', possible loss of data [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\zookeeper.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\winport.c(256): warning C4090: 'function': different 'const' qualifiers [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\zookeeper.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\winport.c(205): warning C4716: 'pthread_cond_wait': must return a value [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\zookeeper.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\winport.c(166): warning C4716: 'pthread_cond_broadcast': must return a value [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\zookeeper.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\cli.c(124): warning C4996: 'fopen': This function or variable may be unsafe. Consider using fopen_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details. [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\cli.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\cli.c(128): warning C4267: 'initializing': conversion from 'size_t' to 'int', possible loss of data [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\cli.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\cli.c(279): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\cli.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\cli.c(301): warning C4267: 'initializing': conversion from 'size_t' to 'int', possible loss of data [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\cli.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\cli.c(368): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\cli.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\cli.c(372): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\cli.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\cli.c(512): warning C4267: 'function': conversion from 'size_t' to 'int', possible loss of data [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\cli.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\cli.c(543): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details. [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\cli.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\cli.c(548): warning C4996: 'fopen': This function or variable may be unsafe. Consider using fopen_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details. [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\cli.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
d:\dcos\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8\src\c\src\cli.c(569): warning C4996: 'strcpy': This function or variable may be unsafe. Consider using strcpy_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details. [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8\src\zookeeper-3.4.8-build\cli.vcxproj] [D:\DCOS\mesos\3rdparty\zookeeper-3.4.8.vcxproj]
"D:\DCOS\mesos\src\tests\mesos-tests.vcxproj" (default target) (1) ->
"D:\DCOS\mesos\src\slave\mesos-agent.vcxproj" (default target) (11) ->
(ClCompile target) ->
d:\dcos\mesos\mesos\src\slave\main.cpp(322): error C2039: 'check_agent_port_range_only': is not a member of 'mesos::internal::slave::Flags' [D:\DCOS\mesos\src\slave\mesos-agent.vcxproj]
d:\dcos\mesos\mesos\src\slave\main.cpp(323): error C2039: 'container_ports_protected_range': is not a member of 'mesos::internal::slave::Flags' [D:\DCOS\mesos\src\slave\mesos-agent.vcxproj]
d:\dcos\mesos\mesos\src\slave\main.cpp(323): error C2228: left of '.isSome' must have class/struct/union [D:\DCOS\mesos\src\slave\mesos-agent.vcxproj]
172 Warning(s)
3 Error(s)
Time Elapsed 00:18:23.87
```
- Mesos Reviewbot Windows
On Aug. 17, 2018, 5:21 p.m., Xudong Ni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
>
> (Updated Aug. 17, 2018, 5:21 p.m.)
>
>
> Review request for mesos and James Peach.
>
>
> Bugs: MESOS-9133
> https://issues.apache.org/jira/browse/MESOS-9133
>
>
> Repository: mesos
>
>
> Description
> -------
>
> For a network isolator disabled environment, in practice, there could
> be a lot of users already binding to ephemeral ports; It would take
> a lot of efforts to find/notify/modify those apps; In order to take
> advantage of network isolator and enable it in such system, it would
> be useful to add mesos-agent configuration option to allow enforce
> port isolation in only the specified certain port range
>
>
> Diffs
> -----
>
> docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb
> docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
> src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
> src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
> src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c
> src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9
> src/slave/main.cpp 489e87522588be259d382f588b66907ba29f1788
> src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
>
>
> Diff: https://reviews.apache.org/r/68366/diff/3/
>
>
> Testing
> -------
>
> New test added to test feature:
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1812 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1813 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1826 ms total)
> [ PASSED ] 1 test.
>
> Existing test updated to test the negative cases:
>
> [ RUN ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
> [ OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (69 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (70 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (82 ms total)
> [ PASSED ] 1 test.
>
> Existing test for isolator feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1821 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1822 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1836 ms total)
> [ PASSED ] 1 test.
>
>
> Thanks,
>
> Xudong Ni
>
>
Re: Review Request 68366: Added agent protected port range option in
network isolator.
Posted by Xudong Ni via Review Board <no...@reviews.apache.org>.
> On Aug. 22, 2018, 7:27 p.m., James Peach wrote:
> > Can you please update the commit comment to better describe the specific changes?
> >
> > Maybe something along these lines:
> >
> > ```
> > Added a custom port range option to the `network/ports` isolator.
> >
> > Added the `--foo-bar` flag to the `network/ports` isolator. This allows
> > the operator to specify a custom port range to be protected by the isolator. If a task
> > listens on a port that it isn't holding resources for, the isolator will
> > not raise a limitation unless the port is within this range. We can
> > represent the `--check_agent_port_range_only` as a special case of a
> > protected range.
> >
> > etc ...
> > ```
commit comment is updated
- Xudong
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207762
-----------------------------------------------------------
On Aug. 22, 2018, 5:35 p.m., Xudong Ni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
>
> (Updated Aug. 22, 2018, 5:35 p.m.)
>
>
> Review request for mesos and James Peach.
>
>
> Bugs: MESOS-9133
> https://issues.apache.org/jira/browse/MESOS-9133
>
>
> Repository: mesos
>
>
> Description
> -------
>
> For a network isolator disabled environment, in practice, there could
> be a lot of users already binding to ephemeral ports; It would take
> a lot of efforts to find/notify/modify those apps; In order to take
> advantage of network isolator and enable it in such system, it would
> be useful to add mesos-agent configuration option to allow enforce
> port isolation in only the specified certain port range
>
>
> Diffs
> -----
>
> docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e
> docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
> src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
> src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
> src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f
> src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b
> src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
>
>
> Diff: https://reviews.apache.org/r/68366/diff/6/
>
>
> Testing
> -------
>
> New test added to test feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1886 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1887 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1900 ms total)
> [ PASSED ] 1 test.
>
> Existing test updated to test the negative cases:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (58 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (58 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (69 ms total)
> [ PASSED ] 1 test.
>
> Existing test for isolator feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1992 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1993 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (2004 ms total)
> [ PASSED ] 1 test.
>
>
> Thanks,
>
> Xudong Ni
>
>
Re: Review Request 68366: Added agent protected port range option in
network isolator.
Posted by James Peach <jp...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207762
-----------------------------------------------------------
Can you please update the commit comment to better describe the specific changes?
Maybe something along these lines:
```
Added a custom port range option to the `network/ports` isolator.
Added the `--foo-bar` flag to the `network/ports` isolator. This allows
the operator to specify a custom port range to be protected by the isolator. If a task
listens on a port that it isn't holding resources for, the isolator will
not raise a limitation unless the port is within this range. We can
represent the `--check_agent_port_range_only` as a special case of a
protected range.
etc ...
```
src/slave/containerizer/mesos/isolators/network/ports.cpp
Lines 285 (patched)
<https://reviews.apache.org/r/68366/#comment291268>
Add a test case for this?
src/slave/containerizer/mesos/isolators/network/ports.cpp
Lines 288 (patched)
<https://reviews.apache.org/r/68366/#comment291267>
Don't exit, just return the error.
src/slave/containerizer/mesos/isolators/network/ports.cpp
Lines 352 (patched)
<https://reviews.apache.org/r/68366/#comment291265>
Make this "ports".
src/slave/containerizer/mesos/isolators/network/ports.cpp
Lines 364 (patched)
<https://reviews.apache.org/r/68366/#comment291266>
"Invalid port range resource type"
src/slave/containerizer/mesos/isolators/network/ports.cpp
Line 340 (original), 378 (patched)
<https://reviews.apache.org/r/68366/#comment291269>
Let's add a log message after this with the protected port range here:
```
LOG(INFO) << "isolating ports " << stringify(protectedPorts);
```
We could even simplify this a bit more by defaulting `protectedPorts` to `[0-65535]`.
src/tests/containerizer/ports_isolator_tests.cpp
Lines 979 (patched)
<https://reviews.apache.org/r/68366/#comment291271>
"because we want to show that invalid port usage outside the protected range is allowed"
src/tests/containerizer/ports_isolator_tests.cpp
Lines 1016 (patched)
<https://reviews.apache.org/r/68366/#comment291272>
I'm a little uncomfortable with the hard-coded port numbers here.
Maybe:
```
uint16_t usedPort;
// We need to use a port that is inside the offered resources but outside the isolated range and not the same as the one we are accepting from the offer.
do {
usedPort = selectOtherPort(resources, taskPort);
} while (usedPort < 45000 || usedPort > 45002)
```
src/tests/containerizer/ports_isolator_tests.cpp
Lines 1066 (patched)
<https://reviews.apache.org/r/68366/#comment291270>
"is not in"
- James Peach
On Aug. 22, 2018, 5:35 p.m., Xudong Ni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
>
> (Updated Aug. 22, 2018, 5:35 p.m.)
>
>
> Review request for mesos and James Peach.
>
>
> Bugs: MESOS-9133
> https://issues.apache.org/jira/browse/MESOS-9133
>
>
> Repository: mesos
>
>
> Description
> -------
>
> For a network isolator disabled environment, in practice, there could
> be a lot of users already binding to ephemeral ports; It would take
> a lot of efforts to find/notify/modify those apps; In order to take
> advantage of network isolator and enable it in such system, it would
> be useful to add mesos-agent configuration option to allow enforce
> port isolation in only the specified certain port range
>
>
> Diffs
> -----
>
> docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e
> docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
> src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
> src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
> src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f
> src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b
> src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
>
>
> Diff: https://reviews.apache.org/r/68366/diff/6/
>
>
> Testing
> -------
>
> New test added to test feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1886 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1887 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1900 ms total)
> [ PASSED ] 1 test.
>
> Existing test updated to test the negative cases:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (58 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (58 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (69 ms total)
> [ PASSED ] 1 test.
>
> Existing test for isolator feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1992 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1993 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (2004 ms total)
> [ PASSED ] 1 test.
>
>
> Thanks,
>
> Xudong Ni
>
>
Re: Review Request 68366: Added agent protected port range option in
network isolator.
Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207763
-----------------------------------------------------------
PASS: Mesos patch 68366 was successfully built and tested.
Reviews applied: `['68366']`
All the build artifacts available at: http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2219/mesos-review-68366
- Mesos Reviewbot Windows
On Aug. 22, 2018, 10:35 a.m., Xudong Ni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
>
> (Updated Aug. 22, 2018, 10:35 a.m.)
>
>
> Review request for mesos and James Peach.
>
>
> Bugs: MESOS-9133
> https://issues.apache.org/jira/browse/MESOS-9133
>
>
> Repository: mesos
>
>
> Description
> -------
>
> For a network isolator disabled environment, in practice, there could
> be a lot of users already binding to ephemeral ports; It would take
> a lot of efforts to find/notify/modify those apps; In order to take
> advantage of network isolator and enable it in such system, it would
> be useful to add mesos-agent configuration option to allow enforce
> port isolation in only the specified certain port range
>
>
> Diffs
> -----
>
> docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e
> docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
> src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
> src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
> src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f
> src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b
> src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
>
>
> Diff: https://reviews.apache.org/r/68366/diff/6/
>
>
> Testing
> -------
>
> New test added to test feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1886 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1887 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1900 ms total)
> [ PASSED ] 1 test.
>
> Existing test updated to test the negative cases:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (58 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (58 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (69 ms total)
> [ PASSED ] 1 test.
>
> Existing test for isolator feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1992 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1993 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (2004 ms total)
> [ PASSED ] 1 test.
>
>
> Thanks,
>
> Xudong Ni
>
>
Re: Review Request 68366: Added a custom port range option to the
`network/ports` isolator.
Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207796
-----------------------------------------------------------
PASS: Mesos patch 68366 was successfully built and tested.
Reviews applied: `['68366']`
All the build artifacts available at: http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2223/mesos-review-68366
- Mesos Reviewbot Windows
On Aug. 23, 2018, 2:56 a.m., Xudong Ni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
>
> (Updated Aug. 23, 2018, 2:56 a.m.)
>
>
> Review request for mesos and James Peach.
>
>
> Bugs: MESOS-9133
> https://issues.apache.org/jira/browse/MESOS-9133
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Added the `--container_ports_isolated_range` flag to the
> `network/ports` isolator. This allows the operator to specify a custom
> port range to be protected by the isolator. If a task listens on a port
> that it isn't holding resources for, the isolator will not raise a
> limitation unless the port is within this range. We can represent the
> `--check_agent_port_range_only` as a special case of a protected range.
>
>
> Diffs
> -----
>
> docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e
> docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
> src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
> src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
> src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f
> src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b
> src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
>
>
> Diff: https://reviews.apache.org/r/68366/diff/7/
>
>
> Testing
> -------
>
> New test added to test feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementIsolatedPort (1678 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1679 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1691 ms total)
> [ PASSED ] 1 test.
>
> Existing test updated to test the negative cases:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (73 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (73 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (85 ms total)
> [ PASSED ] 1 test.
>
> Existing test for isolator feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortEnforcement (1789 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1790 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1801 ms total)
> [ PASSED ] 1 test.
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortsResource (1795 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1795 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1806 ms total)
> [ PASSED ] 1 test.
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1782 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1783 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1794 ms total)
> [ PASSED ] 1 test.
>
>
> Thanks,
>
> Xudong Ni
>
>
Re: Review Request 68366: Added a custom port range option to the
`network/ports` isolator.
Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207797
-----------------------------------------------------------
Patch looks great!
Reviews applied: [68366]
Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' CONFIGURATION='--verbose --disable-libtool-wrappers' ENVIRONMENT='GLOG_v=1 MESOS_VERBOSE=1'; ./support/docker-build.sh
- Mesos Reviewbot
On Aug. 23, 2018, 2:56 a.m., Xudong Ni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
>
> (Updated Aug. 23, 2018, 2:56 a.m.)
>
>
> Review request for mesos and James Peach.
>
>
> Bugs: MESOS-9133
> https://issues.apache.org/jira/browse/MESOS-9133
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Added the `--container_ports_isolated_range` flag to the
> `network/ports` isolator. This allows the operator to specify a custom
> port range to be protected by the isolator. If a task listens on a port
> that it isn't holding resources for, the isolator will not raise a
> limitation unless the port is within this range. We can represent the
> `--check_agent_port_range_only` as a special case of a protected range.
>
>
> Diffs
> -----
>
> docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e
> docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
> src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
> src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
> src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f
> src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b
> src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
>
>
> Diff: https://reviews.apache.org/r/68366/diff/7/
>
>
> Testing
> -------
>
> New test added to test feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementIsolatedPort (1678 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1679 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1691 ms total)
> [ PASSED ] 1 test.
>
> Existing test updated to test the negative cases:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (73 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (73 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (85 ms total)
> [ PASSED ] 1 test.
>
> Existing test for isolator feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortEnforcement (1789 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1790 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1801 ms total)
> [ PASSED ] 1 test.
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortsResource (1795 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1795 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1806 ms total)
> [ PASSED ] 1 test.
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1782 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1783 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1794 ms total)
> [ PASSED ] 1 test.
>
>
> Thanks,
>
> Xudong Ni
>
>
Re: Review Request 68366: Added a custom port range option to the
`network/ports` isolator.
Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207845
-----------------------------------------------------------
Patch looks great!
Reviews applied: [68366]
Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' CONFIGURATION='--verbose --disable-libtool-wrappers' ENVIRONMENT='GLOG_v=1 MESOS_VERBOSE=1'; ./support/docker-build.sh
- Mesos Reviewbot
On Aug. 23, 2018, 10:16 p.m., Xudong Ni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
>
> (Updated Aug. 23, 2018, 10:16 p.m.)
>
>
> Review request for mesos and James Peach.
>
>
> Bugs: MESOS-9133
> https://issues.apache.org/jira/browse/MESOS-9133
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Added the `--container_ports_isolated_range` flag to the
> `network/ports` isolator. This allows the operator to specify a custom
> port range to be protected by the isolator. If a task listens on a port
> that it isn't holding resources for, the isolator will not raise a
> limitation unless the port is within this range. We can represent the
> `--check_agent_port_range_only` as a special case of a protected range.
>
>
> Diffs
> -----
>
> docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e
> docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
> src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
> src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
> src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f
> src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b
> src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
>
>
> Diff: https://reviews.apache.org/r/68366/diff/8/
>
>
> Testing
> -------
>
> New test added to test feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementIsolatedPort (1794 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1794 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1806 ms total)
> [ PASSED ] 1 test.
>
> Existing test updated to test the negative cases:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (78 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (78 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (91 ms total)
> [ PASSED ] 1 test
>
> Existing test for isolator feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortEnforcement (1798 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1798 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1810 ms total)
> [ PASSED ] 1 test.
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortsResource (1772 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1773 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1784 ms total)
> [ PASSED ] 1 test.
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1827 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1828 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1841 ms total)
> [ PASSED ] 1 test.
>
>
> Thanks,
>
> Xudong Ni
>
>
Re: Review Request 68366: Added a custom port range option to the
`network/ports` isolator.
Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207843
-----------------------------------------------------------
PASS: Mesos patch 68366 was successfully built and tested.
Reviews applied: `['68366']`
All the build artifacts available at: http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2227/mesos-review-68366
- Mesos Reviewbot Windows
On Aug. 23, 2018, 10:16 p.m., Xudong Ni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
>
> (Updated Aug. 23, 2018, 10:16 p.m.)
>
>
> Review request for mesos and James Peach.
>
>
> Bugs: MESOS-9133
> https://issues.apache.org/jira/browse/MESOS-9133
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Added the `--container_ports_isolated_range` flag to the
> `network/ports` isolator. This allows the operator to specify a custom
> port range to be protected by the isolator. If a task listens on a port
> that it isn't holding resources for, the isolator will not raise a
> limitation unless the port is within this range. We can represent the
> `--check_agent_port_range_only` as a special case of a protected range.
>
>
> Diffs
> -----
>
> docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e
> docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
> src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
> src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
> src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f
> src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b
> src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
>
>
> Diff: https://reviews.apache.org/r/68366/diff/8/
>
>
> Testing
> -------
>
> New test added to test feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementIsolatedPort (1794 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1794 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1806 ms total)
> [ PASSED ] 1 test.
>
> Existing test updated to test the negative cases:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (78 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (78 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (91 ms total)
> [ PASSED ] 1 test
>
> Existing test for isolator feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortEnforcement (1798 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1798 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1810 ms total)
> [ PASSED ] 1 test.
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortsResource (1772 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1773 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1784 ms total)
> [ PASSED ] 1 test.
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1827 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1828 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1841 ms total)
> [ PASSED ] 1 test.
>
>
> Thanks,
>
> Xudong Ni
>
>
Re: Review Request 68366: Added a custom port range option to the
`network/ports` isolator.
Posted by James Peach <jp...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207926
-----------------------------------------------------------
Ship it!
Ship It!
- James Peach
On Aug. 24, 2018, 10:54 p.m., Xudong Ni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
>
> (Updated Aug. 24, 2018, 10:54 p.m.)
>
>
> Review request for mesos and James Peach.
>
>
> Bugs: MESOS-9133
> https://issues.apache.org/jira/browse/MESOS-9133
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Added the `--container_ports_isolated_range` flag to the
> `network/ports` isolator. This allows the operator to specify a custom
> port range to be protected by the isolator. If a task listens on a port
> that it isn't holding resources for, the isolator will not raise a
> limitation unless the port is within this range. We can represent the
> `--check_agent_port_range_only` as a special case of a protected range.
>
>
> Diffs
> -----
>
> docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e
> docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
> src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
> src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
> src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f
> src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b
> src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
>
>
> Diff: https://reviews.apache.org/r/68366/diff/9/
>
>
> Testing
> -------
>
> sudo GLOG_v=1 ./bin/mesos-tests.sh --verbose --gtest_filter="NetworkPortsIsolatorTest.*"
>
> [----------] 13 tests from NetworkPortsIsolatorTest (26387 ms total)
>
> [----------] Global test environment tear-down
> [==========] 13 tests from 1 test case ran. (26399 ms total)
> [ PASSED ] 13 tests.
>
>
> Thanks,
>
> Xudong Ni
>
>
Re: Review Request 68366: Added a custom port range option to the
`network/ports` isolator.
Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207931
-----------------------------------------------------------
PASS: Mesos patch 68366 was successfully built and tested.
Reviews applied: `['68366']`
All the build artifacts available at: http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2237/mesos-review-68366
- Mesos Reviewbot Windows
On Aug. 24, 2018, 10:54 p.m., Xudong Ni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
>
> (Updated Aug. 24, 2018, 10:54 p.m.)
>
>
> Review request for mesos and James Peach.
>
>
> Bugs: MESOS-9133
> https://issues.apache.org/jira/browse/MESOS-9133
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Added the `--container_ports_isolated_range` flag to the
> `network/ports` isolator. This allows the operator to specify a custom
> port range to be protected by the isolator. If a task listens on a port
> that it isn't holding resources for, the isolator will not raise a
> limitation unless the port is within this range. We can represent the
> `--check_agent_port_range_only` as a special case of a protected range.
>
>
> Diffs
> -----
>
> docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e
> docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
> src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
> src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
> src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f
> src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b
> src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
>
>
> Diff: https://reviews.apache.org/r/68366/diff/9/
>
>
> Testing
> -------
>
> sudo GLOG_v=1 ./bin/mesos-tests.sh --verbose --gtest_filter="NetworkPortsIsolatorTest.*"
>
> [----------] 13 tests from NetworkPortsIsolatorTest (26387 ms total)
>
> [----------] Global test environment tear-down
> [==========] 13 tests from 1 test case ran. (26399 ms total)
> [ PASSED ] 13 tests.
>
>
> Thanks,
>
> Xudong Ni
>
>
Re: Review Request 68366: Added a custom port range option to the
`network/ports` isolator.
Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207932
-----------------------------------------------------------
Patch looks great!
Reviews applied: [68366]
Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' CONFIGURATION='--verbose --disable-libtool-wrappers' ENVIRONMENT='GLOG_v=1 MESOS_VERBOSE=1'; ./support/docker-build.sh
- Mesos Reviewbot
On Aug. 24, 2018, 10:54 p.m., Xudong Ni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
>
> (Updated Aug. 24, 2018, 10:54 p.m.)
>
>
> Review request for mesos and James Peach.
>
>
> Bugs: MESOS-9133
> https://issues.apache.org/jira/browse/MESOS-9133
>
>
> Repository: mesos
>
>
> Description
> -------
>
> Added the `--container_ports_isolated_range` flag to the
> `network/ports` isolator. This allows the operator to specify a custom
> port range to be protected by the isolator. If a task listens on a port
> that it isn't holding resources for, the isolator will not raise a
> limitation unless the port is within this range. We can represent the
> `--check_agent_port_range_only` as a special case of a protected range.
>
>
> Diffs
> -----
>
> docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e
> docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
> src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
> src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
> src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f
> src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b
> src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
>
>
> Diff: https://reviews.apache.org/r/68366/diff/9/
>
>
> Testing
> -------
>
> sudo GLOG_v=1 ./bin/mesos-tests.sh --verbose --gtest_filter="NetworkPortsIsolatorTest.*"
>
> [----------] 13 tests from NetworkPortsIsolatorTest (26387 ms total)
>
> [----------] Global test environment tear-down
> [==========] 13 tests from 1 test case ran. (26399 ms total)
> [ PASSED ] 13 tests.
>
>
> Thanks,
>
> Xudong Ni
>
>
Re: Review Request 68366: Added a custom port range option to the
`network/ports` isolator.
Posted by Xudong Ni via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/
-----------------------------------------------------------
(Updated Aug. 24, 2018, 10:54 p.m.)
Review request for mesos and James Peach.
Bugs: MESOS-9133
https://issues.apache.org/jira/browse/MESOS-9133
Repository: mesos
Description
-------
Added the `--container_ports_isolated_range` flag to the
`network/ports` isolator. This allows the operator to specify a custom
port range to be protected by the isolator. If a task listens on a port
that it isn't holding resources for, the isolator will not raise a
limitation unless the port is within this range. We can represent the
`--check_agent_port_range_only` as a special case of a protected range.
Diffs (updated)
-----
docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e
docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f
src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b
src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
Diff: https://reviews.apache.org/r/68366/diff/9/
Changes: https://reviews.apache.org/r/68366/diff/8-9/
Testing (updated)
-------
sudo GLOG_v=1 ./bin/mesos-tests.sh --verbose --gtest_filter="NetworkPortsIsolatorTest.*"
[----------] 13 tests from NetworkPortsIsolatorTest (26387 ms total)
[----------] Global test environment tear-down
[==========] 13 tests from 1 test case ran. (26399 ms total)
[ PASSED ] 13 tests.
Thanks,
Xudong Ni
Re: Review Request 68366: Added a custom port range option to the
`network/ports` isolator.
Posted by Xudong Ni via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/
-----------------------------------------------------------
(Updated Aug. 23, 2018, 10:16 p.m.)
Review request for mesos and James Peach.
Bugs: MESOS-9133
https://issues.apache.org/jira/browse/MESOS-9133
Repository: mesos
Description
-------
Added the `--container_ports_isolated_range` flag to the
`network/ports` isolator. This allows the operator to specify a custom
port range to be protected by the isolator. If a task listens on a port
that it isn't holding resources for, the isolator will not raise a
limitation unless the port is within this range. We can represent the
`--check_agent_port_range_only` as a special case of a protected range.
Diffs (updated)
-----
docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e
docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f
src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b
src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
Diff: https://reviews.apache.org/r/68366/diff/8/
Changes: https://reviews.apache.org/r/68366/diff/7-8/
Testing (updated)
-------
New test added to test feature:
[ OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementIsolatedPort (1794 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1794 ms total)
[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1806 ms total)
[ PASSED ] 1 test.
Existing test updated to test the negative cases:
[ OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (78 ms)
[----------] 1 test from NetworkPortsIsolatorTest (78 ms total)
[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (91 ms total)
[ PASSED ] 1 test
Existing test for isolator feature:
[ OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortEnforcement (1798 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1798 ms total)
[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1810 ms total)
[ PASSED ] 1 test.
[ OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortsResource (1772 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1773 ms total)
[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1784 ms total)
[ PASSED ] 1 test.
[ OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1827 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1828 ms total)
[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1841 ms total)
[ PASSED ] 1 test.
Thanks,
Xudong Ni
Re: Review Request 68366: Added a custom port range option to the
`network/ports` isolator.
Posted by Xudong Ni via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/
-----------------------------------------------------------
(Updated Aug. 23, 2018, 2:56 a.m.)
Review request for mesos and James Peach.
Summary (updated)
-----------------
Added a custom port range option to the `network/ports` isolator.
Bugs: MESOS-9133
https://issues.apache.org/jira/browse/MESOS-9133
Repository: mesos
Description (updated)
-------
Added the `--container_ports_isolated_range` flag to the
`network/ports` isolator. This allows the operator to specify a custom
port range to be protected by the isolator. If a task listens on a port
that it isn't holding resources for, the isolator will not raise a
limitation unless the port is within this range. We can represent the
`--check_agent_port_range_only` as a special case of a protected range.
Diffs (updated)
-----
docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e
docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f
src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b
src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
Diff: https://reviews.apache.org/r/68366/diff/7/
Changes: https://reviews.apache.org/r/68366/diff/6-7/
Testing (updated)
-------
New test added to test feature:
[ OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementIsolatedPort (1678 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1679 ms total)
[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1691 ms total)
[ PASSED ] 1 test.
Existing test updated to test the negative cases:
[ OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (73 ms)
[----------] 1 test from NetworkPortsIsolatorTest (73 ms total)
[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (85 ms total)
[ PASSED ] 1 test.
Existing test for isolator feature:
[ OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortEnforcement (1789 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1790 ms total)
[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1801 ms total)
[ PASSED ] 1 test.
[ OK ] NetworkPortsIsolatorTest.ROOT_NC_NoPortsResource (1795 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1795 ms total)
[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1806 ms total)
[ PASSED ] 1 test.
[ OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1782 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1783 ms total)
[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1794 ms total)
[ PASSED ] 1 test.
Thanks,
Xudong Ni
Re: Review Request 68366: Added agent protected port range option in
network isolator.
Posted by Xudong Ni via Review Board <no...@reviews.apache.org>.
> On Aug. 22, 2018, 11:50 p.m., James Peach wrote:
> > I think this change broke the `NetworkPortsIsolatorTest.ROOT_NC_NoPortsResource` test, just regressing against master.
Fixed it; There was an empty ports condition removed in one of iteration but didn't add back in the later iterations
- Xudong
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207781
-----------------------------------------------------------
On Aug. 22, 2018, 5:35 p.m., Xudong Ni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
>
> (Updated Aug. 22, 2018, 5:35 p.m.)
>
>
> Review request for mesos and James Peach.
>
>
> Bugs: MESOS-9133
> https://issues.apache.org/jira/browse/MESOS-9133
>
>
> Repository: mesos
>
>
> Description
> -------
>
> For a network isolator disabled environment, in practice, there could
> be a lot of users already binding to ephemeral ports; It would take
> a lot of efforts to find/notify/modify those apps; In order to take
> advantage of network isolator and enable it in such system, it would
> be useful to add mesos-agent configuration option to allow enforce
> port isolation in only the specified certain port range
>
>
> Diffs
> -----
>
> docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e
> docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
> src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
> src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
> src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f
> src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b
> src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
>
>
> Diff: https://reviews.apache.org/r/68366/diff/6/
>
>
> Testing
> -------
>
> New test added to test feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1886 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1887 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1900 ms total)
> [ PASSED ] 1 test.
>
> Existing test updated to test the negative cases:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (58 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (58 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (69 ms total)
> [ PASSED ] 1 test.
>
> Existing test for isolator feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1992 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1993 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (2004 ms total)
> [ PASSED ] 1 test.
>
>
> Thanks,
>
> Xudong Ni
>
>
Re: Review Request 68366: Added agent protected port range option in
network isolator.
Posted by James Peach <jp...@apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207781
-----------------------------------------------------------
I think this change broke the `NetworkPortsIsolatorTest.ROOT_NC_NoPortsResource` test, just regressing against master.
- James Peach
On Aug. 22, 2018, 5:35 p.m., Xudong Ni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
>
> (Updated Aug. 22, 2018, 5:35 p.m.)
>
>
> Review request for mesos and James Peach.
>
>
> Bugs: MESOS-9133
> https://issues.apache.org/jira/browse/MESOS-9133
>
>
> Repository: mesos
>
>
> Description
> -------
>
> For a network isolator disabled environment, in practice, there could
> be a lot of users already binding to ephemeral ports; It would take
> a lot of efforts to find/notify/modify those apps; In order to take
> advantage of network isolator and enable it in such system, it would
> be useful to add mesos-agent configuration option to allow enforce
> port isolation in only the specified certain port range
>
>
> Diffs
> -----
>
> docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e
> docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
> src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
> src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
> src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f
> src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b
> src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
>
>
> Diff: https://reviews.apache.org/r/68366/diff/6/
>
>
> Testing
> -------
>
> New test added to test feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1886 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1887 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1900 ms total)
> [ PASSED ] 1 test.
>
> Existing test updated to test the negative cases:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (58 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (58 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (69 ms total)
> [ PASSED ] 1 test.
>
> Existing test for isolator feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1992 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1993 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (2004 ms total)
> [ PASSED ] 1 test.
>
>
> Thanks,
>
> Xudong Ni
>
>
Re: Review Request 68366: Added agent protected port range option in
network isolator.
Posted by Xudong Ni via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/
-----------------------------------------------------------
(Updated Aug. 22, 2018, 5:35 p.m.)
Review request for mesos and James Peach.
Bugs: MESOS-9133
https://issues.apache.org/jira/browse/MESOS-9133
Repository: mesos
Description
-------
For a network isolator disabled environment, in practice, there could
be a lot of users already binding to ephemeral ports; It would take
a lot of efforts to find/notify/modify those apps; In order to take
advantage of network isolator and enable it in such system, it would
be useful to add mesos-agent configuration option to allow enforce
port isolation in only the specified certain port range
Diffs (updated)
-----
docs/configuration/agent.md e98a9786aa2d1f5c87aec4db8b65457c3293156e
docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
src/slave/flags.hpp bff194fef98f38a8b91d86ef4ec99889d0cfe31f
src/slave/flags.cpp e017f3921a0bccc03f6ef639a04163bf7fc4e79b
src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
Diff: https://reviews.apache.org/r/68366/diff/6/
Changes: https://reviews.apache.org/r/68366/diff/5-6/
Testing
-------
New test added to test feature:
[ OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1886 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1887 ms total)
[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1900 ms total)
[ PASSED ] 1 test.
Existing test updated to test the negative cases:
[ OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (58 ms)
[----------] 1 test from NetworkPortsIsolatorTest (58 ms total)
[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (69 ms total)
[ PASSED ] 1 test.
Existing test for isolator feature:
[ OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1992 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1993 ms total)
[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (2004 ms total)
[ PASSED ] 1 test.
Thanks,
Xudong Ni
Re: Review Request 68366: Added agent protected port range option in
network isolator.
Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207644
-----------------------------------------------------------
PASS: Mesos patch 68366 was successfully built and tested.
Reviews applied: `['68366']`
All the build artifacts available at: http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2201/mesos-review-68366
- Mesos Reviewbot Windows
On Aug. 20, 2018, 2:53 p.m., Xudong Ni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
>
> (Updated Aug. 20, 2018, 2:53 p.m.)
>
>
> Review request for mesos and James Peach.
>
>
> Bugs: MESOS-9133
> https://issues.apache.org/jira/browse/MESOS-9133
>
>
> Repository: mesos
>
>
> Description
> -------
>
> For a network isolator disabled environment, in practice, there could
> be a lot of users already binding to ephemeral ports; It would take
> a lot of efforts to find/notify/modify those apps; In order to take
> advantage of network isolator and enable it in such system, it would
> be useful to add mesos-agent configuration option to allow enforce
> port isolation in only the specified certain port range
>
>
> Diffs
> -----
>
> docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb
> docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
> src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
> src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
> src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c
> src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9
> src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
>
>
> Diff: https://reviews.apache.org/r/68366/diff/5/
>
>
> Testing
> -------
>
> New test added to test feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1886 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1887 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1900 ms total)
> [ PASSED ] 1 test.
>
> Existing test updated to test the negative cases:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (58 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (58 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (69 ms total)
> [ PASSED ] 1 test.
>
> Existing test for isolator feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1992 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1993 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (2004 ms total)
> [ PASSED ] 1 test.
>
>
> Thanks,
>
> Xudong Ni
>
>
Re: Review Request 68366: Added agent protected port range option in
network isolator.
Posted by Xudong Ni via Review Board <no...@reviews.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/
-----------------------------------------------------------
(Updated Aug. 20, 2018, 9:53 p.m.)
Review request for mesos and James Peach.
Bugs: MESOS-9133
https://issues.apache.org/jira/browse/MESOS-9133
Repository: mesos
Description
-------
For a network isolator disabled environment, in practice, there could
be a lot of users already binding to ephemeral ports; It would take
a lot of efforts to find/notify/modify those apps; In order to take
advantage of network isolator and enable it in such system, it would
be useful to add mesos-agent configuration option to allow enforce
port isolation in only the specified certain port range
Diffs (updated)
-----
docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb
docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c
src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9
src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
Diff: https://reviews.apache.org/r/68366/diff/5/
Changes: https://reviews.apache.org/r/68366/diff/4-5/
Testing (updated)
-------
New test added to test feature:
[ OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1886 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1887 ms total)
[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (1900 ms total)
[ PASSED ] 1 test.
Existing test updated to test the negative cases:
[ OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (58 ms)
[----------] 1 test from NetworkPortsIsolatorTest (58 ms total)
[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (69 ms total)
[ PASSED ] 1 test.
Existing test for isolator feature:
[ OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1992 ms)
[----------] 1 test from NetworkPortsIsolatorTest (1993 ms total)
[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (2004 ms total)
[ PASSED ] 1 test.
Thanks,
Xudong Ni
Re: Review Request 68366: Added agent protected port range option in
network isolator.
Posted by Mesos Reviewbot <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207581
-----------------------------------------------------------
Patch looks great!
Reviews applied: [68366]
Passed command: export OS='ubuntu:14.04' BUILDTOOL='autotools' COMPILER='gcc' CONFIGURATION='--verbose --disable-libtool-wrappers' ENVIRONMENT='GLOG_v=1 MESOS_VERBOSE=1'; ./support/docker-build.sh
- Mesos Reviewbot
On Aug. 17, 2018, 6:27 p.m., Xudong Ni wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68366/
> -----------------------------------------------------------
>
> (Updated Aug. 17, 2018, 6:27 p.m.)
>
>
> Review request for mesos and James Peach.
>
>
> Bugs: MESOS-9133
> https://issues.apache.org/jira/browse/MESOS-9133
>
>
> Repository: mesos
>
>
> Description
> -------
>
> For a network isolator disabled environment, in practice, there could
> be a lot of users already binding to ephemeral ports; It would take
> a lot of efforts to find/notify/modify those apps; In order to take
> advantage of network isolator and enable it in such system, it would
> be useful to add mesos-agent configuration option to allow enforce
> port isolation in only the specified certain port range
>
>
> Diffs
> -----
>
> docs/configuration/agent.md 4e50b681bb956d559da6bf1d2c504099aae3cafb
> docs/isolators/network-ports.md 5d14fc2985e099783b09e2a19f99641b4ddbd768
> src/slave/containerizer/mesos/isolators/network/ports.hpp 6944d01e0f8a11eda381ef1754f19ee0cf9359c8
> src/slave/containerizer/mesos/isolators/network/ports.cpp 2a7ff2530f898cf892739c715b07b3387b423ed9
> src/slave/flags.hpp 88c35da5fd754abbd4bd316e1fa9efa4a70a6b8c
> src/slave/flags.cpp 54d9acc8693f53294bdc2a88183cac84a8dfbfd9
> src/slave/main.cpp 489e87522588be259d382f588b66907ba29f1788
> src/tests/containerizer/ports_isolator_tests.cpp db080c4e9c8b0c036294a8f7a42617ca1231f884
>
>
> Diff: https://reviews.apache.org/r/68366/diff/4/
>
>
> Testing
> -------
>
> New test added to test feature:
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_PortEnforcementProtectedPort (1812 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1813 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1826 ms total)
> [ PASSED ] 1 test.
>
> Existing test updated to test the negative cases:
>
> [ RUN ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags
> [ OK ] NetworkPortsIsolatorTest.ROOT_IsolatorFlags (69 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (70 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (82 ms total)
> [ PASSED ] 1 test.
>
> Existing test for isolator feature:
>
> [ OK ] NetworkPortsIsolatorTest.ROOT_NC_AllocatedPorts (1821 ms)
> [----------] 1 test from NetworkPortsIsolatorTest (1822 ms total)
>
> [----------] Global test environment tear-down
> [==========] 1 test from 1 test case ran. (1836 ms total)
> [ PASSED ] 1 test.
>
>
> Thanks,
>
> Xudong Ni
>
>
Re: Review Request 68366: Added agent protected port range option in
network isolator.
Posted by Mesos Reviewbot Windows <re...@mesos.apache.org>.
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68366/#review207541
-----------------------------------------------------------
FAIL: Some of the unit tests failed. Please check the relevant logs.
Reviews applied: `['68366']`
Failed command: `Start-MesosCITesting`
All the build artifacts available at: http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2187/mesos-review-68366
Relevant logs:
- [mesos-tests.log](http://dcos-win.westus.cloudapp.azure.com/artifacts/mesos-reviewbot-testing/2187/mesos-review-68366/logs/mesos-tests.log):
```
I0817 20:27:16.670253 53228 sched.cpp:744] Framework registered with 4cf032dc-2d0d-465d-9108-ff6e3667ea74-0000
I0817 20:27:16.672251 58840 hierarchical.cpp:306] Added framework 4cf032dc-2d0d-465d-9108-ff6e3667ea74-0000
E0817 20:27:17.944257 41036 slave.cpp:7269] EXIT with status 1: Failed to perform recovery: Collect failed: Docker ps batch failed Collect failed: Failed to create subprocess 'docker -H npipe:////./pipe/docker_engine inspect mesos-f7586fff-a250-41b8-9c3a-355285f3d6b4': Failed to call `CreateProcess`: cmd.exe /c "docker -H npipe:////./pipe/docker_engine inspect mesos-f7586fff-a250-41b8-9c3a-355285f3d6b4"