Thanks. Good to see it is already being tracked.
On 2017-03-20 14:39 (-0600), Avinash Sridharan <avin...@mesosphere.io> wrote:
> Hi Marcus,
> The reason we need connectivity from the container's network namespace to
> the host network namespace is that the Mesos executor running in the
> container's network namespace needs to register back with the agent in
> order to send TASK updates about the container to the agent. Without this
> connectivity the agent will not know if the container has started
> successfully and will simply kill the container, failing the container
> launch.
>
> I know this is a restriction on some virtual networking solutions, and
> going forward the right solution would be to support agent/executor
> communication over domain sockets:
> https://issues.apache.org/jira/browse/MESOS-6240
>
> We still need to figure out when that can be accomplished.
>
> In terms of the workarounds, if you can open communication to port 5051
> between the host network namespace and the container's network namespace it
> should just work.
>
> On Mon, Mar 20, 2017 at 9:50 AM, Marcus Sorensen <shadow...@gmail.com>
> wrote:
>
> > http://mesos.apache.org/documentation/latest/cni/
> >
> > "For Mesos, the executors launched as containers need to register with the
> > Agent in order for a task to be successfully launched. Hence, it is
> > imperative that the Agent IP is reachable from the container IP and vice
> > versa."
> >
> > Can anyone shed some light on this requirement for me? We'd like to
> > understand the purpose of this to determine if we can work around it or
> > find some means of securing it. We are really focusing on network security
> > and isolation in our CNI design; we'd prefer to maintain network isolation
> > between the Mesos containers and hosts.
> >
> > In particular, if we have to work around it, I'm wondering if there'd be
> > any opportunity for the CNI plugin to open access to the port for just a
> > short period until registration, then firewall it off, and what the behavior
> > might be if there is not continual access. Or perhaps we add a link-local
> > interface of some sort and a route, such that individual containers can
> > reach their agent but the Mesos container networks don't need to be
> > generally open to the Mesos host networks.
> >
>
> --
> Avinash Sridharan, Mesosphere
> +1 (323) 702 5245
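The workaround Avinash describes (open only the agent port between the container's network namespace and the host's) can be expressed as a per-container iptables allowlist on the host. The script below is an added example written for this page; it is not code from the thread or from Mesos. It assumes the container's interface is attached to a Linux bridge in the host namespace (the bridge name and container IP are passed in), that iptables is available, and that the agent listens on TCP 5051 as Avinash states. Setting DRY_RUN=1 prints the rules instead of applying them, which is also how the example is checked here. Note that the CNI documentation quoted by Marcus requires reachability in both directions; this example only narrows the container-to-host direction and leaves the agent-to-container path to the existing network setup.

```shell
#!/bin/sh
# Added example (not from the Mesos thread or the Mesos project): restrict what a
# container may reach in the host network namespace to the agent port only.
# Assumptions: container traffic enters the host via a Linux bridge, iptables
# is installed, and the agent listens on TCP 5051 (AGENT_PORT overrides this).
set -eu

AGENT_PORT="${AGENT_PORT:-5051}"
DRY_RUN="${DRY_RUN:-0}"

# run_or_print: apply one iptables rule, or echo it when DRY_RUN=1 so the
# generated ruleset can be reviewed (or tested) without root and without
# touching the live firewall.
run_or_print() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# mesos_agent_allow BRIDGE CONTAINER_IP
# Creates a dedicated chain for one container and jumps to it from INPUT for
# packets arriving from the bridge with that source address. Inside the chain:
#   1. new TCP connections to the agent port are accepted;
#   2. later packets of connections the host already accepted are accepted;
#   3. anything else from this container toward the host namespace is dropped.
# The chain name embeds the container IP so rules can be removed per container.
mesos_agent_allow() {
    bridge="$1"
    cip="$2"
    chain="MESOS_AGENT_$(echo "$cip" | tr . _)"

    run_or_print -N "$chain"
    run_or_print -A "$chain" -s "$cip" -p tcp --dport "$AGENT_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    run_or_print -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run_or_print -A "$chain" -s "$cip" -j DROP
    run_or_print -I INPUT -i "$bridge" -s "$cip" -j "$chain"
}

# Usage (as root, with the real bridge name and the IP the CNI plugin assigned):
#   mesos_agent_allow mesos0 10.1.2.3
# Review first without applying:
#   DRY_RUN=1 mesos_agent_allow mesos0 10.1.2.3
```

Because the jump rule is keyed on the bridge interface and the container's source address, other containers on the same bridge are unaffected, and removing the container means deleting the INPUT jump and flushing its chain. A CNI plugin could run this in its ADD step and the reverse in DEL; whether the agent tolerates the port being closed again after registration, as Marcus asks, is not something the thread settles, and the rules above leave it open for the life of the container.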