[ https://issues.apache.org/jira/browse/MESOS-8534?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16366506#comment-16366506 ]

ASF GitHub Bot commented on MESOS-8534:
---------------------------------------

Github user jieyu commented on a diff in the pull request:

    https://github.com/apache/mesos/pull/263#discussion_r168647358
  
    --- Diff: src/slave/containerizer/mesos/isolators/network/cni/cni.cpp ---
    @@ -570,10 +570,17 @@ Future<Option<ContainerLaunchInfo>> 
NetworkCniIsolatorProcess::prepare(
         return Failure("Container has already been prepared");
       }
     
    +  bool needsSeparateNs = false;
    +  if ((containerConfig.has_container_info() &&
    +        containerConfig.container_info().network_infos().size() > 0) ||
    +            !containerId.has_parent()) {
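Review bot: the `if` condition is true for every container without a parent (`!containerId.has_parent()`), whether or not it has any `network_infos()`, so the name `needsSeparateNs` claims more than the condition actually checks. Consider splitting the test into separately named booleans, one for whether the container is nested and one for whether its `network_infos()` is empty, and branching on those. Smaller points: `network_infos().size() > 0` reads better as `!network_infos().empty()`, and the continuation lines of the condition are indented inconsistently.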
    --- End diff --
    
    This is misleading. It's possible that the top level container joins host network (thus does not require a separate network namespace). Calling the boolean `needsSeparateNs` is misleading.
    
    I think basically the first step in this function is to calculate `containerNetworks` and `hostname` for the container. I'd suggest making it more explicit:
    
    ```c++
    hashmap<string, ContainerNetwork> containerNetworks;
    Option<string> hostname;
    
    bool isNestedContainer = containerId.has_parent();
    bool isDebugContainer =
      containerConfig.container_class() == ContainerClass::DEBUG;
    
    // Not setting network infos for a nested container means that it'll join
    // its parent's networks.
    bool joinParentNetwork =
      !containerConfig.has_container_info() ||
      containerConfig.container_info().network_infos().empty();
    
    if (isDebugContainer || (isNestedContainer && joinParentNetwork)) {
      ContainerID rootContainerId = protobuf::getRootContainerId(containerId);
      if (infos.contains(rootContainerId)) {
        containerNetworks = infos[rootContainerId]->containerNetworks;
      }
    } else {
      // Top level container, or nested container joining separate network than
      // the parent.
      if (containerConfig.has_container_info()) {
        const ContainerInfo& containerInfo = containerConfig.container_info();
    
        if (containerInfo.type() != ContainerInfo::MESOS) {
          return Failure("...");
        }
    
        if (containerInfo.has_hostname()) {
          hostname = containerInfo.hostname();
        }
    
        int ifIndex = 0;
        foreach (...) {
          ...
        }
      }
    }
    ```


> Allow nested containers in TaskGroups to have separate network namespaces
> -------------------------------------------------------------------------
>
>                 Key: MESOS-8534
>                 URL: https://issues.apache.org/jira/browse/MESOS-8534
>             Project: Mesos
>          Issue Type: Task
>          Components: containerization
>            Reporter: Sagar Sadashiv Patwardhan
>            Priority: Minor
>              Labels: cni
>
> As per the discussion with [~jieyu] and [~avinash.mesos] , I am going to 
> allow nested containers in TaskGroups to have separate namespaces. I am also 
> going to retain the existing functionality, where nested containers can share 
> namespaces with parent/root container.


