[ https://issues.apache.org/jira/browse/MESOS-7675?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Peach updated MESOS-7675:
-------------------------------
    Description: 
If a task uses network ports, there is no isolator that can enforce that it 
only listens on the ports that it has resources for. Implement a ports isolator 
that can limit tasks to listen only on allocated TCP ports.

Roughly, the algorithm for this follows what standard tools like {{lsof}} and 
{{ss}} do.

* Find all the listening TCP sockets (using netlink)
* Index the sockets by their node (from the netlink information)
* Find all the open sockets on the system (by scanning {{/proc/\*/fd/\*}} links)
* For each open socket, check whether its node (given in the link target) is in 
the set of listen sockets that we scanned
* If the socket is a listening socket and the corresponding PID is in the task, 
send a resource limitation for the task

Matching pids to tasks depends on using cgroup isolation, otherwise we would 
have to build a full process tree, which would be nice to avoid.

Scanning all the open sockets can be avoided by using the {{net_cls}} isolator 
with kernel + libnl3 patches to publish the socket classid when we find the 
listening socket.
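As an added illustration (not Mesos code and not taken from the design doc), the scan above in Python: steps 1-2 take the listening sockets from {{/proc/net/tcp}} text instead of netlink, steps 3-5 match the {{socket:[inode]}} fd link targets to those inodes and compare the resulting ports with the task's allocated ranges. The /proc excerpt, fd link targets and pid set are constructed sample data; on a real agent the pid set would come from the task's cgroup.

```python
import re

TCP_LISTEN = 0x0A                                  # 'st' value of a LISTEN socket in /proc/net/tcp
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")    # readlink target of a socket fd

def parse_listen_inodes(proc_net_tcp):
    """Steps 1-2: {inode: local_port} for every listening socket in /proc/net/tcp(6) text."""
    listeners = {}
    for line in proc_net_tcp.splitlines()[1:]:     # first line is the column header
        f = line.split()
        if len(f) < 10 or int(f[3], 16) != TCP_LISTEN:
            continue
        listeners[int(f[9])] = int(f[1].rsplit(":", 1)[1], 16)  # local_address is hexaddr:hexport
    return listeners

def socket_inodes(fd_link_targets):
    """Step 3: socket inodes named by the targets of /proc/<pid>/fd/* links."""
    matches = (SOCKET_LINK.match(t) for t in fd_link_targets)
    return {int(m.group(1)) for m in matches if m}

def listening_ports_by_pid(listeners, pid_fd_links, task_pids):
    """Steps 4-5: ports each task pid listens on. task_pids stands in for cgroup membership."""
    result = {}
    for pid in task_pids:
        inodes = socket_inodes(pid_fd_links.get(pid, []))
        ports = {listeners[i] for i in inodes if i in listeners}
        if ports:
            result[pid] = ports
    return result

def port_violations(ports_by_pid, allocated_ranges):
    """(pid, port) pairs where the task listens outside its allocated 'ports' ranges."""
    allowed = lambda p: any(lo <= p <= hi for lo, hi in allocated_ranges)
    return sorted((pid, p) for pid, ports in ports_by_pid.items() for p in ports if not allowed(p))

# Constructed /proc/net/tcp excerpt: 0x1F90 (8080) and 0x0016 (22) LISTEN, one ESTABLISHED (st 01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 23456 1 0 100 0 0 10 0
   2: 0100007F:C350 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0 20 4 30 10 -1
"""
# Constructed fd link targets per pid (pid 300 is outside the task cgroup and must be ignored).
SAMPLE_FD_LINKS = {100: ["socket:[12345]", "/dev/null", "pipe:[777]"],
                   200: ["socket:[23456]", "socket:[34567]"],
                   300: ["socket:[23456]"]}
```

On a live host the link targets come from readlink(2) over {{/proc/<pid>/fd/*}} and the pid set from the task cgroup's process list; both need privilege to read other users' processes.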

Design Doc: 
https://docs.google.com/document/d/1BGmANq8IW-H4-YVUlpdf6qZFTZnDe-OKAY_e7uNp7LA
Kernel Patch: http://marc.info/?l=linux-kernel&m=150293015025396&w=2

  was:
If a task uses network ports, there is no isolator that can enforce that it 
only listens on the ports that it has resources for. Implement a ports isolator 
that can limit tasks to listen only on allocated TCP ports.

Roughly, the algorithm for this follows what standard tools like {{lsof}} and 
{{ss}} do.

* Find all the listening TCP sockets (using netlink)
* Index the sockets by their node (from the netlink information)
* Find all the open sockets on the system (by scanning {{/proc/\*/fd/\*}} links)
* For each open socket, check whether its node (given in the link target) is in 
the set of listen sockets that we scanned
* If the socket is a listening socket and the corresponding PID is in the task, 
send a resource limitation for the task

Matching pids to tasks depends on using cgroup isolation, otherwise we would 
have to build a full process tree, which would be nice to avoid.

Scanning all the open sockets can be avoided by using the {{net_cls}} isolator 
with kernel + libnl3 patches to publish the socket classid when we find the 
listening socket.

Design Doc: 
https://docs.google.com/document/d/1BGmANq8IW-H4-YVUlpdf6qZFTZnDe-OKAY_e7uNp7LA
Kernel Patch: http://marc.info/?l=linux-netdev&m=150117919630874&w=2


> Isolate network ports.
> ----------------------
>
>                 Key: MESOS-7675
>                 URL: https://issues.apache.org/jira/browse/MESOS-7675
>             Project: Mesos
>          Issue Type: Improvement
>          Components: agent
>            Reporter: James Peach
>            Assignee: James Peach
>            Priority: Minor



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Reply via email to