Posted to issues@mesos.apache.org by "Avinash Sridharan (JIRA)" <ji...@apache.org> on 2017/06/26 03:45:00 UTC

[jira] [Commented] (MESOS-7675) Isolate network ports.

    [ https://issues.apache.org/jira/browse/MESOS-7675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16062520#comment-16062520 ] 

Avinash Sridharan commented on MESOS-7675:
------------------------------------------

[~jpeach@apache.org] I am assuming this would work only for tasks on the host network. Also, this seems like we need to perform the algorithm for the lifetime of every task running on the agent? How do you propose we do this? By doing a periodic scan?

PS: By group isolation, did you mean cgroup isolation?

> Isolate network ports.
> ----------------------
>
>                 Key: MESOS-7675
>                 URL: https://issues.apache.org/jira/browse/MESOS-7675
>             Project: Mesos
>          Issue Type: Improvement
>          Components: agent
>            Reporter: James Peach
>            Assignee: James Peach
>            Priority: Minor
>
> If a task uses network ports, there is no isolator that can enforce that it only listens on the ports that it has resources for. Implement a ports isolator that can limit tasks to listen only on allocated TCP ports.
> Roughly, the algorithm for this follows what standard tools like {{lsof}} and {{ss}} do.
> * Find all the listening TCP sockets (using netlink)
> * Index the sockets by their node (from the netlink information)
> * Find all the open sockets on the system (by scanning {{/proc/*/fd/*}} links)
> * For each open socket, check whether its node (given in the link target) is in the set of listen sockets that we scanned
> * If the socket is a listening socket and the corresponding PID is in the task, send a resource limitation for the task
> Matching pids to tasks depends on using group isolation, otherwise we would have to build a full process tree, which would be nice to avoid.
> Scanning all the open sockets can be avoided by using the {{net_cls}} isolator with kernel + libnl3 patches to publish the socket classid when we find the listening socket.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
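The scan described in the issue (listening sockets indexed by inode, /proc/<pid>/fd links matched against that index, pids mapped to a task by cgroup), as an added example that is not Mesos code and not the isolator James Peach is describing. It swaps in /proc/net/tcp and /proc/net/tcp6 for the netlink (inet_diag) query the description uses, maps pids to a task by matching a cgroup path in /proc/<pid>/cgroup (assumed cgroup v2 style "0::/path" lines; v1 controller lines are handled by taking the text after the last colon), and takes the task's cgroup path and allocated ports on the command line. Names such as parseListeningSockets, scanProcFds and cgroupPathMatches are this example's own.

```cpp
// Added example, not Mesos code: a userspace sketch of the "ports isolator" scan.
// Listening TCP sockets are read from /proc/net/tcp{,6} (substitute for netlink
// inet_diag), every /proc/<pid>/fd link is resolved to a socket inode, pids are
// attributed to a task by cgroup path, and any listening port the task holds
// that is outside its allocation is reported.
#include <cstdio>
#include <cstdlib>
#include <dirent.h>
#include <unistd.h>
#include <fstream>
#include <map>
#include <set>
#include <sstream>
#include <string>

// Parse /proc/net/tcp text into {inode -> local port} for sockets in LISTEN (st == 0A).
// Data rows look like: "0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 1000 0 4242 ..."
std::map<unsigned long, unsigned> parseListeningSockets(const std::string& text) {
  std::map<unsigned long, unsigned> byInode;
  std::istringstream in(text);
  std::string line;
  std::getline(in, line);  // skip the header row
  while (std::getline(in, line)) {
    std::istringstream fields(line);
    std::string sl, local, remote, st, queues, timer, retrnsmt, uid, timeout, inode;
    if (!(fields >> sl >> local >> remote >> st >> queues >> timer >> retrnsmt >> uid >> timeout >> inode)) continue;
    if (st != "0A") continue;  // TCP_LISTEN
    size_t colon = local.find(':');
    if (colon == std::string::npos) continue;
    unsigned port = std::strtoul(local.substr(colon + 1).c_str(), nullptr, 16);  // port is hex
    byInode[std::strtoul(inode.c_str(), nullptr, 10)] = port;
  }
  return byInode;
}

// Inode from a /proc/<pid>/fd/<n> link target such as "socket:[4242]"; 0 if not a socket.
unsigned long socketInode(const std::string& target) {
  static const std::string prefix = "socket:[";
  if (target.size() <= prefix.size() + 1 || target.compare(0, prefix.size(), prefix) != 0 || target.back() != ']') return 0;
  return std::strtoul(target.c_str() + prefix.size(), nullptr, 10);  // strtoul stops at ']'
}

// Walk /proc/<pid>/fd for every process and collect socket inodes per pid.
// Processes we cannot read (permissions, already exited) are skipped.
std::map<int, std::set<unsigned long>> scanProcFds() {
  std::map<int, std::set<unsigned long>> result;
  DIR* proc = opendir("/proc");
  if (!proc) return result;
  while (dirent* p = readdir(proc)) {
    char* end;
    long pid = std::strtol(p->d_name, &end, 10);
    if (*end != '\0' || pid <= 0) continue;  // not a pid directory
    std::string fdDir = "/proc/" + std::string(p->d_name) + "/fd";
    DIR* fds = opendir(fdDir.c_str());
    if (!fds) continue;
    while (dirent* f = readdir(fds)) {
      if (f->d_name[0] == '.') continue;
      char buf[64];
      ssize_t n = readlink((fdDir + "/" + f->d_name).c_str(), buf, sizeof(buf) - 1);
      if (n < 0) continue;
      buf[n] = '\0';
      if (unsigned long ino = socketInode(buf)) result[static_cast<int>(pid)].insert(ino);
    }
    closedir(fds);
  }
  closedir(proc);
  return result;
}

// True when the text of /proc/<pid>/cgroup places the pid at or below cgroupPath.
// Assumption: the cgroup path is the text after the last ':' on each line.
bool cgroupPathMatches(const std::string& cgroupFile, const std::string& cgroupPath) {
  std::istringstream in(cgroupFile);
  std::string line;
  while (std::getline(in, line)) {
    size_t colon = line.rfind(':');
    if (colon == std::string::npos) continue;
    std::string path = line.substr(colon + 1);
    if (path == cgroupPath) return true;
    if (path.compare(0, cgroupPath.size(), cgroupPath) == 0 && path.size() > cgroupPath.size() && path[cgroupPath.size()] == '/') return true;
  }
  return false;
}

// Listening ports held by the task's sockets that are not in its allocation.
std::set<unsigned> unallowedListenPorts(const std::map<unsigned long, unsigned>& listening,
                                        const std::set<unsigned long>& taskInodes,
                                        const std::set<unsigned>& allocated) {
  std::set<unsigned> bad;
  for (unsigned long ino : taskInodes) {
    auto it = listening.find(ino);
    if (it != listening.end() && !allocated.count(it->second)) bad.insert(it->second);
  }
  return bad;
}

// Usage: ports-scan <task-cgroup-path> <allocated-port>...
int main(int argc, char** argv) {
  if (argc < 3) { std::fprintf(stderr, "usage: %s <cgroup-path> <allocated-port>...\n", argv[0]); return 2; }
  std::set<unsigned> allocated;
  for (int i = 2; i < argc; ++i) allocated.insert(std::strtoul(argv[i], nullptr, 10));
  std::map<unsigned long, unsigned> listening;
  for (const char* file : {"/proc/net/tcp", "/proc/net/tcp6"}) {
    std::ifstream in(file); std::stringstream buf; buf << in.rdbuf();
    std::map<unsigned long, unsigned> part = parseListeningSockets(buf.str());
    listening.insert(part.begin(), part.end());
  }
  std::set<unsigned long> taskInodes;
  for (const auto& entry : scanProcFds()) {
    std::ifstream cg("/proc/" + std::to_string(entry.first) + "/cgroup"); std::stringstream buf; buf << cg.rdbuf();
    if (cgroupPathMatches(buf.str(), argv[1])) taskInodes.insert(entry.second.begin(), entry.second.end());
  }
  for (unsigned port : unallowedListenPorts(listening, taskInodes, allocated))
    std::printf("task %s listens on unallocated TCP port %u\n", argv[1], port);
  return 0;
}
```

Two properties of this scan are worth keeping in mind. /proc/net/tcp reflects the network namespace of the process reading it, so a scan run by the agent only sees sockets of tasks sharing the host network namespace; and a point-in-time walk of /proc/*/fd races with socket creation, which is why the description points at a netlink-driven or net_cls-classid-driven design rather than repeated scanning.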