Hi All,

TLDR: We want to use a custom network isolator, but there is no way to enable the 'network' namespace from within an isolator module.

We are working on creating a custom network isolator as a Mesos module. However, the way Mesos Slave is set up, there is no way to enable 'network' namespace for the executor without enabling the 'port-mapping' isolator. This is due to the fact that the LinuxLauncher looks at the '--isolation' flag to figure out the list of namespaces to be enabled. The same problem would exist if one were to write a custom pid or filesystem isolation module.

So, there are a couple of questions:

1. With the current Mesos source code, is there a way to specify the 'network/port_mapping' isolator in a way that it doesn't do the actual work of mapping the ports (e.g., without specifying any port-mapping specific flags)? If this works, we can just specify this isolator on the slave command line and it would force the LinuxLauncher to create a new network namespace.

2. Is it reasonable to have a separate mechanism to specify what namespaces should be created/enabled for an executor if we don't want to use the in-built isolators such as pid and port-mapping?

WRT (2), one potential mechanism is to introduce a new flag, '--namespace'. The downside of creating such a low-level flag is that it provides little to no value to the end users. The end users shouldn't be concerned about which namespaces to enable and so on.

Another alternative is to create a decorator hook for the LinuxLauncher, which can force the LinuxLauncher to enable certain namespaces without having to look at the '--isolation' flag. The downside here is that the decorator will be literally setting up a few bits and nothing more.

Are there any other alternatives for a better and cleaner design (both long term and short term)?

Best,
Kapil