[jira] [Commented] (MESOS-4262) Enable net_cls subsystem in cgroup infrastructure

2016-01-12 Thread Kapil Arya (JIRA)

[ https://issues.apache.org/jira/browse/MESOS-4262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15095447#comment-15095447 ]

Kapil Arya commented on MESOS-4262:
---

[~avin...@mesosphere.io] Will this make it before 0.27.0? If not, let's 
retarget it to 0.28.0.

> Enable net_cls subsystem in cgroup infrastructure
>
> Key: MESOS-4262
> URL: https://issues.apache.org/jira/browse/MESOS-4262
> Project: Mesos
> Issue Type: Improvement
> Components: containerization
> Reporter: Avinash Sridharan
> Assignee: Avinash Sridharan
> Labels: container, mesosphere
>
> Currently the control group infrastructure within Mesos supports only the 
> memory and CPU subsystems. We need to enhance this infrastructure to support 
> the net_cls subsystem as well. Details of the net_cls subsystem and its 
> use-cases can be found here:
> https://www.kernel.org/doc/Documentation/cgroups/net_cls.txt
> Enabling net_cls will allow us to provide operators with a way to, 
> potentially, regulate framework traffic on a per-container basis.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[jira] [Commented] (MESOS-4262) Enable net_cls subsystem in cgroup infrastructure

2016-01-12 Thread Cong Wang (JIRA)

[ https://issues.apache.org/jira/browse/MESOS-4262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15094334#comment-15094334 ]

Cong Wang commented on MESOS-4262:
--

I am a kernel developer, probably I know it more than you. ;) But still, since 
we only have port range for network isolation and we do have a port range based 
way to classify the packets, why do we need another one before we have 
something other than port range?

Please describe your use case so that we can know if we could just use the 
existing way.

For the code, please take a look at https://reviews.apache.org/r/31505/.



[jira] [Commented] (MESOS-4262) Enable net_cls subsystem in cgroup infrastructure

2016-01-12 Thread Avinash Sridharan (JIRA)

[ https://issues.apache.org/jira/browse/MESOS-4262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15094209#comment-15094209 ]

Avinash Sridharan commented on MESOS-4262:
--

Hi Cong,
The net_cls cgroup is provided by the Linux kernel and allows for tagging 
packets within the kernel. There are tools (tc and iptables, for example) that 
use these tags to enforce network policies. This is a much more generic way of 
allowing external tools (which are very mature and flexible) to be used for 
traffic enforcement. 

You can go through the link posted in the description 
(https://www.kernel.org/doc/Documentation/cgroups/net_cls.txt) to better 
understand what the net_cls cgroup offers. 

Can you point out the code you are referring to?




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
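
Added example, not part of the thread and not Mesos code: how a net_cls tag ties a container's cgroup to tc and iptables rules, following the kernel's net_cls.txt. The cgroup path, device, rate and the port-25 policy are assumed sample values; the script only prints the commands and runs none of them.

```shell
#!/bin/sh
# Added example (assumed names and values): derive the net_cls.classid value
# for a tc class handle and print the commands that tag one container's
# cgroup so that tc and iptables can act on its egress traffic.

# classid_from_handle MAJOR:MINOR -> 0xAAAABBBB as written to net_cls.classid.
# Both halves are hexadecimal (as in tc handles) and must fit in 16 bits.
classid_from_handle() {
    case "$1" in
        *:*) ;;
        *) return 1 ;;
    esac
    major=${1%%:*}
    minor=${1#*:}
    for part in "$major" "$minor"; do
        case "$part" in
            # reject empty, non-hex, or more than four hex digits
            ''|*[!0-9a-fA-F]*|?????*) return 1 ;;
        esac
    done
    printf '0x%x\n' $(( (0x$major << 16) | 0x$minor ))
}

# net_cls_plan CGROUP_DIR HANDLE DEV RATE: print the setup steps (dry run).
net_cls_plan() {
    cgdir=$1 handle=$2 dev=$3 rate=$4
    classid=$(classid_from_handle "$handle") || {
        echo "invalid handle: $handle" >&2
        return 1
    }
    major=${handle%%:*}
    cat <<EOF
mkdir -p $cgdir
echo $classid > $cgdir/net_cls.classid
tc qdisc add dev $dev root handle $major: htb
tc class add dev $dev parent $major: classid $handle htb rate $rate
tc filter add dev $dev parent $major: protocol ip prio 10 handle 1: cgroup
iptables -A OUTPUT -m cgroup --cgroup $classid -p tcp --dport 25 -j REJECT
EOF
}

# Constructed sample: one container cgroup mapped to tc class 10:1.
net_cls_plan /sys/fs/cgroup/net_cls/container1 10:1 eth0 40mbit
```

The tag follows the processes in the cgroup rather than the ports they bind, which is the difference from the port-range classification discussed in this thread.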


[jira] [Commented] (MESOS-4262) Enable net_cls subsystem in cgroup infrastructure

2016-01-11 Thread Cong Wang (JIRA)

[ https://issues.apache.org/jira/browse/MESOS-4262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15092504#comment-15092504 ]

Cong Wang commented on MESOS-4262:
--

Could you describe why you need this? Because we already have our own way to 
classify the packets for each container using the port range approach (check my 
egress flow classification code), so why do we need one more way to do this?


> Enable net_cls subsystem in cgroup infrastructure
>
> Key: MESOS-4262
> URL: https://issues.apache.org/jira/browse/MESOS-4262
> Project: Mesos
> Issue Type: Improvement
> Components: containerization
> Reporter: Avinash Sridharan
> Assignee: Avinash Sridharan
> Labels: mesosphere
>
> Currently the control group infrastructure within Mesos supports only the 
> memory and CPU subsystems. We need to enhance this infrastructure to support 
> the net_cls subsystem as well. Details of the net_cls subsystem and its 
> use-cases can be found here:
> https://www.kernel.org/doc/Documentation/cgroups/net_cls.txt
> Enabling net_cls will allow us to provide operators with a way to, 
> potentially, regulate framework traffic on a per-container basis.


