> On Aug. 17, 2017, 2:45 p.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/isolators/network/ports.hpp
> > Lines 39 (patched)
> > <https://reviews.apache.org/r/60496/diff/10/?file=1797107#file1797107line39>
> >
> >     Should be a `static` variable.
> >     
> >     Or do we want to make it configurable by introducing an agent flag 
> > (like the existing one `--container_disk_watch_interval` for `disk/du` 
> > isolator)?

This is removed and replaced by a configuration option in 
[r/60592](https://reviews.apache.org/r/60592).


> On Aug. 17, 2017, 2:45 p.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/isolators/network/ports.cpp
> > Lines 128-133 (patched)
> > <https://reviews.apache.org/r/60496/diff/10/?file=1797108#file1797108line128>
> >
> >     I think it is possible for `cgroups::processes()` to return some pids 
> > but the corresponding processes do not exist, and it is normal rather than 
> > an error case, right? If so, that will cause 
> > `NetworkPortsIsolatorProcess::getProcessSockets()` to fail since the process 
> > does not exist, then I think `LOG(ERROR)` may not be needed since it is a 
> > normal case.

Dropped to `VLOG(1)` and commented.


> On Aug. 17, 2017, 2:45 p.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/isolators/network/ports.cpp
> > Lines 148-150 (patched)
> > <https://reviews.apache.org/r/60496/diff/10/?file=1797108#file1797108line148>
> >
> >     It seems we only care about `port`, so it might not be needed to 
> > construct this object. What about just using 
> > `ntohs(socketInfo.sourcePort.get())` in the code below?

I think we should keep the full address. There's no performance impact and it 
is helpful for code clarity and debugging.


> On Aug. 17, 2017, 2:45 p.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/isolators/network/ports.cpp
> > Lines 156-157 (patched)
> > <https://reviews.apache.org/r/60496/diff/10/?file=1797108#file1797108line156>
> >
> >     Do we really need this? I think showing pid like what you did in the 
> > `else` block below should be enough.

Yes, I think this is definitely needed in order to understand why the isolator 
is killing processes. Any time you need to debug what is getting killed this 
will make it much easier to understand.


- James


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60496/#review182691
-----------------------------------------------------------


On Aug. 17, 2017, 5:36 p.m., James Peach wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/60496/
> -----------------------------------------------------------
> 
> (Updated Aug. 17, 2017, 5:36 p.m.)
> 
> 
> Review request for mesos, Qian Zhang and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-7675
>     https://issues.apache.org/jira/browse/MESOS-7675
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Implemented ports resource restrictions in the network ports isolator.
> Periodically, scan for listening sockets and match them up to all
> the open sockets in the containers we are tracking in the network.
> Check any sockets we find against the ports resource and trigger a
> resource limitation if the port has not been allocated.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp PRE-CREATION 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/60496/diff/11/
> 
> 
> Testing
> -------
> 
> make check (Fedora 26)
> 
> 
> Thanks,
> 
> James Peach
> 
>
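
The scan outlined in the review request description above, as an added example that is not the code under review: it parses a constructed sample in Linux `/proc/net/tcp` layout and reports listening ports outside the allocation. The helper name, the sample rows, the socket inodes (passed in as a set in place of the per-process lookup done by `getProcessSockets()`) and the port range are assumptions made for illustration.

```cpp
#include <cstdint>
#include <set>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

// Inclusive port range, as in a ports resource such as [31000-31005].
using PortRange = std::pair<uint16_t, uint16_t>;

// Constructed sample in Linux /proc/net/tcp layout (not captured from a host).
// State 0A is LISTEN; the port is the hex field after ':' in local_address.
const char* const SAMPLE_PROC_NET_TCP =
  "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
  "   0: 00000000:7918 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000 0 5001 1\n"
  "   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000 0 5002 1\n"
  "   2: 0100007F:9C40 0100007F:7918 01 00000000:00000000 00:00000000 00000000  1000 0 5003 1\n"
  "   3: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0 0 4000 1\n";

// Hypothetical helper: returns the ports on which the container (identified by
// the socket inodes its processes hold open) listens outside its allocation.
std::vector<uint16_t> unallocatedListeners(
    const std::string& procNetTcp,
    const std::set<uint64_t>& containerInodes,
    const std::vector<PortRange>& allocated)
{
  std::vector<uint16_t> violations;
  std::istringstream lines(procNetTcp);
  std::string line;
  std::getline(lines, line); // Skip the header row.
  while (std::getline(lines, line)) {
    std::istringstream fields(line);
    std::string sl, local, remote, state, queues, timer, retrnsmt, uid, timeout;
    uint64_t inode = 0;
    if (!(fields >> sl >> local >> remote >> state >> queues >> timer
                 >> retrnsmt >> uid >> timeout >> inode)) continue;
    // Only listening sockets that belong to the tracked container matter.
    if (state != "0A" || containerInodes.count(inode) == 0) continue;
    const std::string::size_type colon = local.rfind(':');
    if (colon == std::string::npos) continue;
    const uint16_t port = static_cast<uint16_t>(
        std::stoul(local.substr(colon + 1), nullptr, 16));
    bool permitted = false;
    for (const PortRange& range : allocated) {
      permitted = permitted || (port >= range.first && port <= range.second);
    }
    if (!permitted) violations.push_back(port);
  }
  return violations;
}
```

With the sample rows, the established connection (inode 5003) and the host's own listener on port 22 (inode 4000) are ignored; only the container's listener on 8080 falls outside `[31000-31005]`.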
