[ https://issues.apache.org/jira/browse/MESOS-7675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16072946#comment-16072946 ]
James Peach commented on MESOS-7675:
------------------------------------

Updated review chain:

| [r/60592|https://reviews.apache.org/r/60592] | Configure the `network/ports` isolator watch interval. |
| [r/60594|https://reviews.apache.org/r/60594] | Add a `network/ports` isolator nested container test. |
| [r/60593|https://reviews.apache.org/r/60593] | Test the `network/ports` isolator recovery. |
| [r/60591|https://reviews.apache.org/r/60591] | Optionally isolate only the agent network ports. |
| [r/60496|https://reviews.apache.org/r/60496] | WIP: Add socket checking to the network ports isolator. |
| [r/60495|https://reviews.apache.org/r/60495] | WIP: Network ports isolator listen socket utilities. |
| [r/60492|https://reviews.apache.org/r/60492] | Add network/ports isolator skeleton. |
| [r/60494|https://reviews.apache.org/r/60494] | Expose LinuxLauncher cgroups helper. |
| [r/60493|https://reviews.apache.org/r/60493] | Remove diagnostic socket IPv4 assumptions. |
| [r/60491|https://reviews.apache.org/r/60491] | Capture the inode when scanning for sockets. |

> Isolate network ports.
> ----------------------
>
> Key: MESOS-7675
> URL: https://issues.apache.org/jira/browse/MESOS-7675
> Project: Mesos
> Issue Type: Improvement
> Components: agent
> Reporter: James Peach
> Assignee: James Peach
> Priority: Minor
>
> If a task uses network ports, there is no isolator that can enforce that it
> only listens on the ports that it has resources for. Implement a ports
> isolator that can limit tasks to listen only on allocated TCP ports.
> Roughly, the algorithm for this follows what standard tools like {{lsof}} and
> {{ss}} do.
> * Find all the listening TCP sockets (using netlink)
> * Index the sockets by their node (from the netlink information)
> * Find all the open sockets on the system (by scanning {{/proc/\*/fd/\*}} links)
> * For each open socket, check whether its node (given in the link target) is in the set of listen sockets that we scanned
> * If the socket is a listening socket and the corresponding PID is in the task, send a resource limitation for the task
>
> Matching pids to tasks depends on using cgroup isolation, otherwise we would
> have to build a full process tree, which would be nice to avoid.
>
> Scanning all the open sockets can be avoided by using the {{net_cls}}
> isolator with kernel + libnl3 patches to publish the socket classid when we
> find the listening socket.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
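The lsof-style scan that the issue description lays out, written as an added example; it is not Mesos code and not the patches in the review chain above. It keys listening sockets by inode, walks `/proc/<pid>/fd/*` for `socket:[inode]` links, resolves each owning pid to a task through its cgroup path, and reports any listener outside the task's port allocation. One deliberate deviation: it reads listeners from `/proc/net/tcp` (the table lsof uses) rather than from netlink `inet_diag` (which ss uses), because the inode is the join key in either case and the text file is easier to show offline. The `/mesos/taskA` cgroup paths, pids 100 and 200, inode numbers and port ranges are all constructed sample data, as are the `/proc/net/tcp` rows.

```python
"""Check that each task listens only on the TCP ports allocated to it.

Added example, not Mesos code. It implements the lsof-style scan from the
issue (listeners keyed by inode, /proc/*/fd/* links, cgroup-based pid-to-task
mapping), but reads listeners from /proc/net/tcp{,6} as lsof does rather than
netlink inet_diag as ss does; the socket inode is the join key either way.
"""
import os
import re
from typing import Callable, Dict, List, Optional, Set, Tuple

TCP_LISTEN = "0A"                       # value of the 'st' column for LISTEN
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def parse_proc_net_tcp(table: str) -> Dict[int, int]:
    """{inode: local port} for each LISTEN row; column 9 is the inode."""
    listening: Dict[int, int] = {}
    for line in table.splitlines()[1:]:         # first row is the header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        port_hex = fields[1].rsplit(":", 1)[1]  # local_address = hexaddr:hexport
        listening[int(fields[9])] = int(port_hex, 16)
    return listening


def socket_inode(link_target: str) -> Optional[int]:
    """Inode from an fd link target such as 'socket:[12345]', else None."""
    match = SOCKET_LINK.match(link_target)
    return int(match.group(1)) if match else None


def scan_open_sockets(proc: str = "/proc") -> Dict[int, Set[int]]:
    """{socket inode: {owning pids}} from every /proc/<pid>/fd/* link.
    A process that exits mid-scan or denies access is skipped, not fatal."""
    owners: Dict[int, Set[int]] = {}
    for entry in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                inode = socket_inode(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue
            if inode is not None:
                owners.setdefault(inode, set()).add(int(entry))
    return owners


def cgroup_path(proc_cgroup: str, controller: str) -> Optional[str]:
    """Path of `controller` in a /proc/<pid>/cgroup listing. v1 rows look like
    'id:ctrl[,ctrl]:/path'; the v2 row is '0::/path' (controller name '')."""
    for line in proc_cgroup.splitlines():
        parts = line.split(":", 2)
        if len(parts) == 3 and controller in parts[1].split(","):
            return parts[2]
    return None


def find_violations(listening: Dict[int, int], owners: Dict[int, Set[int]],
                    task_of: Callable[[int], Optional[str]],
                    allocations: Dict[str, Set[int]]) -> List[Tuple[str, int, int]]:
    """(task, pid, port) for every listener owned by a task that was not
    allocated that port; pids outside any task (task_of -> None) are ignored."""
    violations = []
    for inode, port in listening.items():
        for pid in sorted(owners.get(inode, ())):
            task = task_of(pid)
            if task is not None and port not in allocations.get(task, set()):
                violations.append((task, pid, port))
    return violations


# Constructed sample, not captured from a host: inode 4001 listens on 0x7A69
# (31337), 4002 on 0x50 (80), 4003 is ESTABLISHED (st 01) and must be ignored.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0051 0100007F:9C40 01 00000000:00000000 00:00000000 00000000     0        0 4003 1 0000000000000000 20 0 0 10 -1
"""
SAMPLE_CGROUP = "12:freezer:/mesos/taskA\n3:cpu,cpuacct:/mesos/taskA\n0::/user.slice\n"
SAMPLE_OWNERS = {4001: {100}, 4002: {200}, 4003: {200}}   # hypothetical pids
SAMPLE_TASKS = {100: "/mesos/taskA", 200: "/mesos/taskB"}  # hypothetical cgroups
SAMPLE_ALLOC = {"/mesos/taskA": set(range(31000, 32000)),
                "/mesos/taskB": set(range(8000, 8010))}


def demo() -> List[Tuple[str, int, int]]:
    """taskA's 31337 is inside its range; taskB's 80 is outside 8000-8009."""
    return find_violations(parse_proc_net_tcp(SAMPLE_TCP), SAMPLE_OWNERS,
                           SAMPLE_TASKS.get, SAMPLE_ALLOC)
```

On a live agent the same pipeline is `find_violations(parse_proc_net_tcp(open("/proc/net/tcp").read()), scan_open_sockets(), task_of, allocations)`, with `task_of` built from `cgroup_path(open(f"/proc/{pid}/cgroup").read(), controller)` for whichever controller the launcher places tasks in (an assumption here; the issue only says pid-to-task matching depends on cgroup isolation). Two caveats worth keeping in mind: the `/proc` walk is inherently racy (a process can exit between `listdir` and `readlink`, hence the swallowed `OSError`), and a socket shared across processes via `fork` or `SCM_RIGHTS` shows up under several pids, which is why `owners` maps an inode to a set rather than a single pid.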