Posted to issues@mesos.apache.org by "James Peach (JIRA)" <ji...@apache.org> on 2017/06/15 00:16:00 UTC
[jira] [Updated] (MESOS-7675) Isolate network ports.
[ https://issues.apache.org/jira/browse/MESOS-7675?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
James Peach updated MESOS-7675:
-------------------------------
Description:
If a task uses network ports, there is no isolator that can enforce that it only listens on the ports that it has resources for. Implement a ports isolator that can limit tasks to listen only on allocated TCP ports.
Roughly, the algorithm for this follows what standard tools like {{lsof}} and {{ss}} do.
* Find all the listening TCP sockets (using netlink)
* Index the sockets by their node (from the netlink information)
* Find all the open sockets on the system (by scanning {{/proc/\*/fd/\*}} links)
* For each open socket, check whether its node (given in the link target) is in the set of listen sockets that we scanned
* If the socket is a listening socket and the corresponding PID is in the task, send a resource limitation for the task
Matching pids to tasks depends on using group isolation, otherwise we would have to build a full process tree, which would be nice to avoid.
Scanning all the open sockets can be avoided by using the {{net_cls}} isolator with kernel + libnl3 patches to publish the socket classid when we find the listening socket.
was:
If a task uses network ports, there is no isolator that can enforce that it only listens on the ports that it has resources for. Implement a ports isolator that can limit tasks to listen only on allocated TCP ports.
Roughly, the algorithm for this follows what standard tools like {{lsof}} and {{ss}} do.
* Find all the listening TCP sockets (using netlink)
* Index the sockets by their node (from the netlink information)
* Find all the open sockets on the system (by scanning {{/proc/*/fd/*}} links)
* For each open socket, check whether its node (given in the link target) is in the set of listen sockets that we scanned
* If the socket is a listening socket and the corresponding PID is in the task, send a resource limitation for the task
Matching pids to tasks depends on using group isolation, otherwise we would have to build a full process tree, which would be nice to avoid.
Scanning all the open sockets can be avoided by using the {{net_cls}} isolator with kernel + libnl3 patches to publish the socket classid when we find the listening socket.
> Isolate network ports.
> ----------------------
>
> Key: MESOS-7675
> URL: https://issues.apache.org/jira/browse/MESOS-7675
> Project: Mesos
> Issue Type: Improvement
> Components: agent
> Reporter: James Peach
> Assignee: James Peach
> Priority: Minor
>
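The inode-matching steps from the description, as an added example that is not Mesos code: listening sockets are read from /proc/net/tcp in place of netlink, the task's PIDs are assumed to be supplied by the cgroup isolator, and the sample /proc/net/tcp rows and fd link targets are constructed.

```python
"""Port-isolation check (added example, not Mesos code). Same lsof/ss-style
algorithm as the issue, but listeners come from /proc/net/tcp (state 0A =
LISTEN) instead of netlink and the task's PIDs are passed in by the caller."""
import os
import re

_SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")

def parse_tcp_listeners(lines):
    """Index LISTEN sockets by inode -> local port from /proc/net/tcp lines."""
    listeners = {}
    for fields in (line.split() for line in lines[1:]):   # lines[0] is the header
        if len(fields) >= 10 and fields[3] == "0A":        # 0A == TCP_LISTEN
            port = int(fields[1].rsplit(":", 1)[1], 16)    # local_address is hexip:hexport
            listeners[int(fields[9])] = port               # column 9 is the inode
    return listeners

def socket_inode(link_target):
    """Inode from a /proc/<pid>/fd link target such as 'socket:[12345]', else None."""
    m = _SOCKET_LINK.match(link_target)
    return int(m.group(1)) if m else None

def scan_fd_links(pid):
    """Read the real /proc/<pid>/fd/* links on a live host (fds may vanish mid-scan)."""
    d = f"/proc/{pid}/fd"
    return [os.readlink(f"{d}/{fd}") for fd in os.listdir(d) if os.path.islink(f"{d}/{fd}")]

def find_violations(listeners, fd_links_by_pid, task_pids, allowed_ranges):
    """Sorted (pid, port) pairs where a task process listens outside its port resources."""
    allowed = lambda port: any(lo <= port <= hi for lo, hi in allowed_ranges)
    found = set()
    for pid in task_pids:
        for inode in map(socket_inode, fd_links_by_pid.get(pid, [])):
            if inode in listeners and not allowed(listeners[inode]):
                found.add((pid, listeners[inode]))
    return sorted(found)

# Constructed sample: pid 4242 listens on 8080 (not allocated), pid 4243 listens on
# 31337 (inside ports:[31000-32000]) and holds an ESTABLISHED socket (state 01).
SAMPLE_PROC_NET_TCP = [
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode",
    "   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0",
    "   1: 0100007F:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12346 1 0000000000000000 100 0 0 10 0",
    "   2: 0100007F:C350 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 12347 1 0000000000000000 20 4 30 10 -1",
]
SAMPLE_FD_LINKS = {4242: ["/dev/null", "socket:[12345]", "pipe:[777]"], 4243: ["socket:[12346]", "socket:[12347]"]}

def demo():
    """Violations for the constructed task; each one would trigger a resource limitation."""
    return find_violations(parse_tcp_listeners(SAMPLE_PROC_NET_TCP), SAMPLE_FD_LINKS, {4242, 4243}, [(31000, 32000)])
```

On a live host, replace SAMPLE_FD_LINKS with {pid: scan_fd_links(pid) for pid in task_pids} and SAMPLE_PROC_NET_TCP with the lines of /proc/net/tcp.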
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)