http://mesos.apache.org/documentation/latest/cni/
"For Mesos, the executors launched as containers need to register with the Agent in order for a task to be successfully launched. Hence, it is imperative that the Agent IP is reachable from the container IP and vice versa."

Can anyone shed some light on this requirement for me? We'd like to understand the purpose of this to determine if we can work around it or find some means of securing it. We are really focusing on network security and isolation in our CNI design; we'd prefer to maintain network isolation between the Mesos containers and hosts.

In particular, if we have to work around it, I'm wondering if there'd be any opportunity for the CNI plugin to open access to the port for just a short period until registration, then firewall it off, and what the behavior might be if there is not continual access. Or perhaps we add a link-local interface of some sort and a route, such that individual containers can reach their agent but the Mesos container networks don't need to be generally open to the Mesos host networks.