[jira] [Commented] (MESOS-2044) Use one IP address per container for network isolation
[ https://issues.apache.org/jira/browse/MESOS-2044?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14733687#comment-14733687 ]

Kapil Arya commented on MESOS-2044:
-----------------------------------

Exposing IPs as a Slave resource was considered but dropped for the following reason. The IPs aren't necessarily managed by the Slave. There could be an external IP address management service available that may not be managed by the Slave. Further, in some specific cases such as weave (http://weave.works/), an IP address manager instance is available on each Slave node, thus making it harder for a framework to request it directly.

Further, it seems like there is a lack of clarity in the design doc if it's giving the impression that either IP-per-container must be supported by all nodes or not supported at all. This is not the case. The granularity here would be at the Node level. Either a particular Slave supports ip-per-container, or it doesn't. In the former case, it would still be possible to launch tasks/containers without requesting ip-per-container services.

> Use one IP address per container for network isolation
> ------------------------------------------------------
>
>                 Key: MESOS-2044
>                 URL: https://issues.apache.org/jira/browse/MESOS-2044
>             Project: Mesos
>          Issue Type: Epic
>            Reporter: Cong Wang
>            Assignee: Kapil Arya
>              Labels: mesosphere
>
> If there are enough IP addresses, either IPv4 or IPv6, we should use one IP
> address per container, instead of the ugly port range based solution. One
> problem with this is the IP address management, usually it is managed by a
> DHCP server, maybe we need to manage them in mesos master/slave.
> Also, maybe use macvlan instead of veth for better isolation.

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Commented] (MESOS-2044) Use one IP address per container for network isolation
[ https://issues.apache.org/jira/browse/MESOS-2044?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=14730046#comment-14730046 ]

Charles Allen commented on MESOS-2044:
--------------------------------------

I'm a bit confused on why this needs to be so integrated into Mesos all through the stack instead of just being used as another type of Resource that any particular slave can expose, and exposing it as a pluggable resource on the slave. Then frameworks which know or care about such a resource can request it, and ones that don't know or care can simply ignore it.

From the proposals I've seen this is trying to be a global resource that either must be supported by all nodes or not supported at all. Is that really required? What use cases fail if an IP address per container is simply exposed as a slave resource?
[jira] [Commented] (MESOS-2044) Use one IP address per container for network isolation
[ https://issues.apache.org/jira/browse/MESOS-2044?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14625348#comment-14625348 ]

Niklas Quarfot Nielsen commented on MESOS-2044:
-----------------------------------------------

[~karya] Would you mind finding shepherds for the linked tickets?
[jira] [Commented] (MESOS-2044) Use one IP address per container for network isolation
[ https://issues.apache.org/jira/browse/MESOS-2044?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14551652#comment-14551652 ]

Swapnil Daingade commented on MESOS-2044:
-----------------------------------------

We are trying to support network isolation between different YARN clusters running on Mesos as part of the Apache Myriad project. We tried using OpenVSwitch and Socketplane (Docker). See the design docs here:

https://github.com/mesos/myriad/issues/96
https://docs.google.com/document/d/1uV2V0cSTngVfWs-5pYm2b9gOCYF4WSNkyzj2dm3bRnw/pub
[jira] [Commented] (MESOS-2044) Use one IP address per container for network isolation
[ https://issues.apache.org/jira/browse/MESOS-2044?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14551326#comment-14551326 ]

Ian Downes commented on MESOS-2044:
-----------------------------------

This JIRA is intended to address a single IP per container which is shared by the executor and all tasks within the container and is different to the host's. That's a very valid requirement though, so please raise a separate ticket.
[jira] [Commented] (MESOS-2044) Use one IP address per container for network isolation
[ https://issues.apache.org/jira/browse/MESOS-2044?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14544034#comment-14544034 ]

James DeFelice commented on MESOS-2044:
---------------------------------------

An executor may launch tasks into their own isolated network namespace, independent from that of the executor. Does this JIRA accommodate that? Or is this really an IP-per-executor JIRA?
[jira] [Commented] (MESOS-2044) Use one IP address per container for network isolation
[ https://issues.apache.org/jira/browse/MESOS-2044?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14542554#comment-14542554 ]

Timothy St. Clair commented on MESOS-2044:
------------------------------------------

Should Mesos be involved in the IP assignment at all? IMHO, having extensible mechanics (pre+post job hooks) for custom provisioning/setup+teardown makes a lot of sense.
[jira] [Commented] (MESOS-2044) Use one IP address per container for network isolation
[ https://issues.apache.org/jira/browse/MESOS-2044?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14542198#comment-14542198 ]

Connor Doyle commented on MESOS-2044:
-------------------------------------

We should also consider whether IP-per-container will be flexible enough to map cleanly to existing network isolation tools. Perhaps this can be achieved in a way that leaves the door open to per-task IP assignment.
[jira] [Commented] (MESOS-2044) Use one IP address per container for network isolation
[ https://issues.apache.org/jira/browse/MESOS-2044?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14540290#comment-14540290 ]

Niklas Quarfot Nielsen commented on MESOS-2044:
-----------------------------------------------

We have scattered docs on this (both in terms of global resources in general and for Calico integration). Think we can start a fresh one and work our previous thinking in together :)
[jira] [Commented] (MESOS-2044) Use one IP address per container for network isolation
[ https://issues.apache.org/jira/browse/MESOS-2044?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14540277#comment-14540277 ]

Niklas Quarfot Nielsen commented on MESOS-2044:
-----------------------------------------------

I think we should be flexible enough to support flannel (and Calico, OpenVSwitch, etc). I think we are mostly interested in the mechanics of treating IP pools as resources and letting frameworks schedule on those, i.e. providing the plumbing to interface the container IP assignment and isolation (security and performance). Does this make sense?
[jira] [Commented] (MESOS-2044) Use one IP address per container for network isolation
[ https://issues.apache.org/jira/browse/MESOS-2044?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14540298#comment-14540298 ]

Timothy St. Clair commented on MESOS-2044:
------------------------------------------

flannel intends to provide this abstraction layer for some of the impls (VxLan and OVS). There may be more on the roadmap.

Re: storage - yes, it's all stored under /coreos.com/network/subnets
[jira] [Commented] (MESOS-2044) Use one IP address per container for network isolation
[ https://issues.apache.org/jira/browse/MESOS-2044?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14540281#comment-14540281 ]

Timothy Chen commented on MESOS-2044:
-------------------------------------

I think it will be a challenge to negotiate with different networking (flannel, etc) to assign IP pools for them, and we have to ensure nothing else is using flannel to assign IPs outside of Mesos. AFAIK flannel holds all state and assigns IPs with etcd, and doesn't really expose that information through an API.
[jira] [Commented] (MESOS-2044) Use one IP address per container for network isolation
[ https://issues.apache.org/jira/browse/MESOS-2044?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14540223#comment-14540223 ]

Niklas Quarfot Nielsen commented on MESOS-2044:
-----------------------------------------------

We need this for a networking solution we are working on, and I know that other folks are interested in this capability too. I suggest that we start an architecture proposal doc and start discussing an approach (and turn this into an epic).
[jira] [Commented] (MESOS-2044) Use one IP address per container for network isolation
[ https://issues.apache.org/jira/browse/MESOS-2044?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14540282#comment-14540282 ]

Jie Yu commented on MESOS-2044:
-------------------------------

[~nnielsen] Turning this into an epic and starting with an arch proposal doc sounds good. Are you guys working on the doc already?
[jira] [Commented] (MESOS-2044) Use one IP address per container for network isolation
[ https://issues.apache.org/jira/browse/MESOS-2044?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14540320#comment-14540320 ]

Niklas Quarfot Nielsen commented on MESOS-2044:
-----------------------------------------------

Also, releasing the IPs again needs to be supported (somehow :)
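Added illustration, not Mesos code and not written by anyone in this thread: a toy model of the two points raised above, Kapil's node-level granularity (an agent either offers a container IP pool or it doesn't, and tasks that don't ask for an IP still launch on either kind of agent) and Niklas's requirement that IPs be released again. Class and method names (AgentIpPool, launch, teardown) and the 10.0.0.0/30 pool are assumptions; the model also refuses double assignment and release by a container that holds nothing, since either would let two workloads share an address.

```python
"""Toy per-agent IP pool offered as a resource (hypothetical names; constructed data)."""
import ipaddress
from typing import Dict, List, Optional


class AgentIpPool:
    """Container IP pool for one agent; cidr=None models an agent without ip-per-container."""

    def __init__(self, cidr: Optional[str]):
        self.free: List[str] = []
        if cidr is not None:
            self.free = [str(h) for h in ipaddress.ip_network(cidr).hosts()]
        self.assigned: Dict[str, str] = {}  # container_id -> ip

    def supports_ip_per_container(self) -> bool:
        # Granularity is the node: the agent either has a pool or it doesn't.
        return bool(self.free) or bool(self.assigned)

    def launch(self, container_id: str, wants_ip: bool) -> Optional[str]:
        """Return the IP handed to the container, or None if it asked for none."""
        if container_id in self.assigned:
            raise ValueError(f"{container_id} already holds {self.assigned[container_id]}")
        if not wants_ip:
            return None  # host networking / port ranges; works on any agent
        if not self.free:
            raise RuntimeError("this agent has no ip-per-container capacity")
        ip = self.free.pop(0)
        self.assigned[container_id] = ip  # never handed out twice while held
        return ip

    def teardown(self, container_id: str) -> None:
        """Release the container's IP so it can be reused (the point raised above)."""
        ip = self.assigned.pop(container_id, None)
        if ip is None:
            raise KeyError(f"{container_id} holds no IP on this agent")
        self.free.append(ip)


def demo() -> dict:
    """Constructed scenario: agent A offers 10.0.0.0/30 (two hosts), agent B offers nothing."""
    a, b = AgentIpPool("10.0.0.0/30"), AgentIpPool(None)
    ip1 = a.launch("c1", wants_ip=True)
    ip2 = a.launch("c2", wants_ip=True)
    a.teardown("c1")                        # release, then the address is reusable
    ip3 = a.launch("c3", wants_ip=True)
    plain = b.launch("c4", wants_ip=False)  # no IP requested: fine on agent B
    try:
        b.launch("c5", wants_ip=True)       # IP requested on an agent without a pool
        refused = False
    except RuntimeError:
        refused = True
    return {"ip1": ip1, "ip2": ip2, "ip3": ip3, "plain": plain, "refused": refused,
            "a_supports": a.supports_ip_per_container(),
            "b_supports": b.supports_ip_per_container()}


if __name__ == "__main__":
    print(demo())
```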
[jira] [Commented] (MESOS-2044) Use one IP address per container for network isolation
[ https://issues.apache.org/jira/browse/MESOS-2044?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14540267#comment-14540267 ]

Timothy St. Clair commented on MESOS-2044:
------------------------------------------

This is essentially what flannel does.
[jira] [Commented] (MESOS-2044) Use one IP address per container for network isolation
[ https://issues.apache.org/jira/browse/MESOS-2044?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14540352#comment-14540352 ]

Cong Wang commented on MESOS-2044:
----------------------------------

I think the reason why flannel has to manage IP addresses is that it uses an overlay network, but we don't have to use it. ipvlan/macvlan should be enough for our goal here. I tend to keep Mesos away from managing IP addresses; otherwise it has to deal with the existing slaves which get IP addresses from DHCP.
[jira] [Commented] (MESOS-2044) Use one IP address per container for network isolation
[ https://issues.apache.org/jira/browse/MESOS-2044?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14540359#comment-14540359 ]

Timothy Chen commented on MESOS-2044:
-------------------------------------

I think having ipvlan/macvlan definitely makes sense, but in general I think it's also good to come up with an abstraction so that, if plugging into an existing network solution like flannel is desired, we have the flexibility to do so. Just my 2c.