[ https://issues.apache.org/jira/browse/MESOS-6240?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16191759#comment-16191759 ]
Aaron Wood commented on MESOS-6240:
-----------------------------------

+1 to what [~zhitao] said!

> Allow executor/agent communication over non-TCP/IP stream socket.
> -----------------------------------------------------------------
>
>                 Key: MESOS-6240
>                 URL: https://issues.apache.org/jira/browse/MESOS-6240
>             Project: Mesos
>          Issue Type: Improvement
>          Components: containerization
>         Environment: Linux and Windows
>            Reporter: Avinash Sridharan
>            Assignee: Benjamin Hindman
>            Priority: Critical
>              Labels: mesosphere
>
> Currently, the executor/agent communication happens specifically over TCP
> sockets. This works fine in most cases, but specifically for the
> `MesosContainerizer`, when containers are running on CNI networks, this mode
> of communication starts imposing constraints on the CNI network, since there
> now has to be connectivity between the CNI network (on which the executor is
> running) and the agent. Introducing paths from a CNI network to the
> underlying agent, at best, creates headaches for operators and at worst
> introduces serious security holes in the network, since it is breaking the
> isolation between the container CNI network and the host network (on which
> the agent is running).
>
> In order to simplify/strengthen deployment of Mesos containers on CNI
> networks we therefore need to move away from using TCP/IP sockets for
> executor/agent communication. Since executor and agent are guaranteed to run
> on the same host, the above problems can be resolved if, for the
> `MesosContainerizer`, we use UNIX domain sockets or named pipes instead of
> TCP/IP sockets for the executor/agent communication.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
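The same-host transport the issue description proposes, as an added example in Python that is not part of Mesos or of this issue: an agent listening on a UNIX domain socket path (which a container could reach through a bind mount, with no route between the CNI network and the host network) and an executor registering over it. The peer-credential check (SO_PEERCRED, Linux only) goes beyond the issue text; it shows a check that a UNIX domain socket makes possible and a TCP socket does not. The socket path, the message format and the function names are assumptions.

```python
import os
import socket
import struct
import tempfile
import threading

# Constructed example: the agent listens on a filesystem path that the
# executor's container can reach (e.g. via a bind mount) without any
# IP connectivity between the CNI network and the host network.

def _peer_uid(conn):
    """Return the connecting peer's uid via SO_PEERCRED (Linux), else None."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)   # struct ucred: pid, uid, gid
    return uid

def agent_serve(sock_path, ready, result):
    """Agent side: accept one executor connection over a UNIX domain socket."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(sock_path)
        os.chmod(sock_path, 0o600)   # filesystem permissions gate who may connect
        srv.listen(1)
        ready.set()
        conn, _ = srv.accept()
        with conn:
            msg = conn.recv(1024).decode()
            # Same host guaranteed, so the agent can identify the peer process
            result.update(uid=_peer_uid(conn), msg=msg)
            conn.sendall(b"ACK " + msg.encode())

def executor_register(sock_path, executor_id):
    """Executor side: connect by path (no IP address needed) and register."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as cli:
        cli.connect(sock_path)
        cli.sendall(f"REGISTER {executor_id}".encode())   # hypothetical message
        return cli.recv(1024).decode()

def run_exchange(executor_id="exec-1"):
    """Run agent and executor in-process; return (reply, peer_uid, received)."""
    with tempfile.TemporaryDirectory() as d:
        sock_path = os.path.join(d, "executor.sock")   # assumed socket location
        ready, result = threading.Event(), {}
        t = threading.Thread(target=agent_serve, args=(sock_path, ready, result))
        t.start()
        ready.wait(5)
        reply = executor_register(sock_path, executor_id)
        t.join(5)
        return reply, result.get("uid"), result.get("msg")
```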