[ https://issues.apache.org/jira/browse/MESOS-4823?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15198135#comment-15198135 ]
Dan Osborne edited comment on MESOS-4823 at 3/16/16 8:55 PM:
-------------------------------------------------------------

Thank you for providing the example use case. Can you explain, on a technical level, under what conditions you are planning to trigger creation of these iptables rules?

I'm concerned that the capability you're trying to provide makes a lot of assumptions about both the Mesos cluster and the CNI network's configuration, and to what degree both are accessible by the public network. I believe that if this behavior goes in, to some degree it should be opt-in or opt-out, as not all clusters nor CNI networks would want such a behavior.

Some counter use cases:

1. If the CNI network _is_ assigning publicly accessible addresses, the port mapping becomes redundant.
2. If they are using a load balancer, they would not need port forwarding, as the load balancer will forward public requests onto the private CNI network.

was (Author: djosborne):

Thank you for providing the example use case. Can you explain, on a technical level, what condition you are planning that will trigger creation of these iptables rules?

I'm concerned that the capability you're trying to provide makes a lot of assumptions about both the Mesos cluster and the CNI network's configuration, and to what degree both are accessible by the public network. I believe that if this behavior goes in, to some degree it should be opt-in or opt-out, as not all clusters nor CNI networks would want such a behavior.

Some counter use cases:

1. If the CNI network _is_ assigning publicly accessible addresses, the port mapping becomes redundant.
2. If they are using a load balancer, they would not need port forwarding, as the load balancer will forward public requests onto the private CNI network.
> Implement port forwarding in `network/cni` isolator
> ---------------------------------------------------
>
>                 Key: MESOS-4823
>                 URL: https://issues.apache.org/jira/browse/MESOS-4823
>             Project: Mesos
>          Issue Type: Task
>          Components: containerization
>         Environment: linux
>            Reporter: Avinash Sridharan
>            Assignee: Avinash Sridharan
>            Priority: Critical
>              Labels: mesosphere
>
> Most docker and appc images wish to expose ports that micro-services are listening on to the outside world. When containers are running on bridged (or ptp) networking this can be achieved by installing port forwarding rules on the agent (using iptables). This can be done in the `network/cni` isolator.
>
> The reason we would like this functionality to be implemented in the `network/cni` isolator, and not a CNI plugin, is that the specifications currently do not support specifying port forwarding rules. Further, to install these rules the isolator needs two pieces of information, the exposed ports and the IP address associated with the container. Both are available to the isolator.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
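The rule set the issue describes, and the opt-in and "publicly routable address" caveats raised in the comment, as an added illustration that is not Mesos code and not part of this thread. It builds the `iptables` commands an agent-side isolator would run as argv lists without executing anything (a dry run), takes the two inputs the issue names (container IP and exposed ports), skips generation unless explicitly enabled, and skips it when the container address is not private, since a directly reachable container needs no forwarding. The rule shape (PREROUTING DNAT plus a FORWARD accept), the `agent_ip` parameter and the teardown helper are assumptions of this example, not the isolator's actual design.

```python
"""Dry-run builder for agent-side port-forwarding rules (illustrative, not Mesos code)."""
import ipaddress
import shlex
from typing import List, Optional, Tuple

# (host_port, container_port, protocol) triples, e.g. (8080, 80, "tcp").
PortMap = Tuple[int, int, str]


def _check_port(port: int) -> None:
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")


def port_forward_rules(container_ip: str, ports: List[PortMap], enabled: bool = False,
                       agent_ip: Optional[str] = None) -> List[List[str]]:
    """Return iptables argv lists that forward agent traffic to a container.

    enabled:      opt-in switch; nothing is generated unless the operator asked for it.
    agent_ip:     assumed optional parameter restricting DNAT to one agent address;
                  when omitted the rule matches any destination on the host.
    Returns [] when disabled or when container_ip is publicly routable (forwarding
    would be redundant, as noted in the comment above).
    """
    if not enabled:
        return []
    ip = ipaddress.ip_address(container_ip)
    if ip.version != 4:
        raise ValueError("only IPv4 container addresses are handled in this example")
    if not ip.is_private:
        # Counter use case 1: container already reachable, no DNAT needed.
        return []
    if agent_ip is not None:
        ipaddress.ip_address(agent_ip)  # raises on a malformed address

    rules: List[List[str]] = []
    for host_port, container_port, proto in ports:
        _check_port(host_port)
        _check_port(container_port)
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {proto}")
        # Rewrite the destination of inbound packets to the container's address.
        dnat = ["iptables", "-t", "nat", "-A", "PREROUTING"]
        if agent_ip is not None:
            dnat += ["-d", agent_ip]
        dnat += ["-p", proto, "--dport", str(host_port),
                 "-j", "DNAT", "--to-destination", f"{container_ip}:{container_port}"]
        # Allow only new flows to the forwarded port through the FORWARD chain;
        # replies are assumed to be handled by an existing ESTABLISHED,RELATED rule.
        fwd = ["iptables", "-A", "FORWARD", "-p", proto, "-d", container_ip,
               "--dport", str(container_port),
               "-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT"]
        rules.append(dnat)
        rules.append(fwd)
    return rules


def teardown_rules(rules: List[List[str]]) -> List[List[str]]:
    """Mirror each append (-A) as a delete (-D) so rules can be removed when the
    container is destroyed; otherwise stale DNAT entries outlive the workload."""
    return [["-D" if tok == "-A" else tok for tok in rule] for rule in rules]


def render(rules: List[List[str]]) -> str:
    """Shell-quoted one-command-per-line rendering for review or logging."""
    return "\n".join(shlex.join(rule) for rule in rules)


if __name__ == "__main__":
    # Constructed sample: a container on a private bridge exposing 80 as 8080.
    sample = port_forward_rules("10.1.2.3", [(8080, 80, "tcp")],
                                enabled=True, agent_ip="192.0.2.10")
    print(render(sample))
    print(render(teardown_rules(sample)))
```

The opt-in default and the private-address check are the two places where the comment's concerns land in code: an operator has to ask for the rules, and a CNI network that hands out public addresses gets none.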