[jira] [Updated] (MESOS-4343) Introduce the ability to assign network handles to mesos containers

2016-02-10 Thread Avinash Sridharan (JIRA)

 [ 
https://issues.apache.org/jira/browse/MESOS-4343?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Avinash Sridharan updated MESOS-4343:
-
Description: 
Linux provides net_cls as a cgroup subsystem. A net_cls cgroup is associated 
with a 16-bit major handle and a 16-bit minor handle.  When a task is 
associated with a net_cls cgroup, the kernel tags every packet being generated 
by the task with the major and minor handle associated with the net_cls cgroup. 
These tags are then used by network performance shaping and firewall tools such 
as tc (traffic controller) and iptables. 

Currently, mesos agents do not provide any isolator that can enable 
mesos-containers in a net_cls cgroup, or assign network handles to a net_cls 
cgroup. As part of this epic we plan to achieve the following:

a)  Implement net_cls cgroup isolator for mesos agents.
b)  Implement a manager for the net_cls handles.
c)  Allow operators to set a major network handle when launching an agent. 
d)  Expose the net_cls network handle allocated to a container, to entities 
such as operators and frameworks. 

Once the above goals are met operators can learn about network handles 
allocated to containers and apply them to tools such as tc and iptables to 
enforce network policies. 

  was:
Linux provides net_cls as a cgroup subsystem. A net_cls cgroup is associated 
with a 16-bit major handle and a 16-bit minor handle.  When a task is 
associated with a net_cls cgroup, the kernel tags every packet being generated 
by the task with the major and minor handle associated with the net_cls cgroup 
that the task belongs to. These tags are then used by network performance 
shaping and firewall tools such as tc (traffic controller) and iptables. 

Currently, mesos agents do not provide any isolator that can enable 
mesos-containers in a net_cls cgroup, or assign network handles to a net_cls 
cgroup. As part of this epic we plan to achieve the following:

a)  Implement net_cls cgroup isolator for mesos agents.
b)  Implement a net-handles allocator class that can manage.
c)  Allow operators to set a major network handle when launching an agent. 
d)  Expose the net_cls network handle allocated to a container, to entities 
such as operators and frameworks. 

Once the above goals are met operators can learn about network handles 
allocated to containers and apply them to tools such as tc and iptables to 
enforce network policies. 


> Introduce the ability to assign network handles to mesos containers
> ---
>
> Key: MESOS-4343
> URL: https://issues.apache.org/jira/browse/MESOS-4343
> Project: Mesos
> Issue Type: Epic
> Components: containerization
> Reporter: Avinash Sridharan
> Assignee: Avinash Sridharan
> Labels: containers, mesosphere
> Fix For: 0.28.0
>
>
> Linux provides net_cls as a cgroup subsystem. A net_cls cgroup is associated 
> with a 16-bit major handle and a 16-bit minor handle.  When a task is 
> associated with a net_cls cgroup, the kernel tags every packet being 
> generated by the task with the major and minor handle associated with the 
> net_cls cgroup. These tags are then used by network performance shaping and 
> firewall tools such as tc (traffic controller) and iptables. 
> Currently, mesos agents do not provide any isolator that can enable 
> mesos-containers in a net_cls cgroup, or assign network handles to a net_cls 
> cgroup. As part of this epic we plan to achieve the following:
> a)  Implement net_cls cgroup isolator for mesos agents.
> b)  Implement a manager for the net_cls handles.
> c)  Allow operators to set a major network handle when launching an agent. 
> d)  Expose the net_cls network handle allocated to a container, to entities 
> such as operators and frameworks. 
> Once the above goals are met operators can learn about network handles 
> allocated to containers and apply them to tools such as tc and iptables to 
> enforce network policies. 



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
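
The handle scheme described in the issue above, as an added example that is not part of the JIRA message and is not Mesos code: a manager that allocates 16-bit minor handles under one operator-chosen major handle and renders each result as the 32-bit `net_cls.classid` value, the tc `major:minor` form, and the iptables cgroup match. The class, function and container names are hypothetical, and reserving handle 0 is an assumption of this sketch.

```python
# Added example (not Mesos code): a minor-handle manager for net_cls cgroups.
MAX_HANDLE = 0xFFFF  # major and minor handles are 16 bits each


class NetClsHandleManager:
    """Hands out minor handles under one operator-chosen major handle."""

    def __init__(self, major):
        # Assumption of this sketch: 0 is not used as a major or minor handle.
        if not 1 <= major <= MAX_HANDLE:
            raise ValueError("major handle must be in 1..0xFFFF")
        self.major = major
        self._minor_of = {}   # container id -> minor handle
        self._free = set()    # released minors, reused before new ones
        self._next = 1

    def allocate(self, container_id):
        """Return the 32-bit classid for a container, allocating if needed."""
        if container_id not in self._minor_of:
            if self._free:
                minor = min(self._free)
                self._free.remove(minor)
            elif self._next <= MAX_HANDLE:
                minor = self._next
                self._next += 1
            else:
                raise RuntimeError("minor handles exhausted for this major")
            self._minor_of[container_id] = minor
        # Value for the cgroup's net_cls.classid file: 0xAAAABBBB.
        return (self.major << 16) | self._minor_of[container_id]

    def release(self, container_id):
        """Free the container's minor handle so it can be reused."""
        self._free.add(self._minor_of.pop(container_id))


def tc_handle(classid):
    """tc's hexadecimal 'major:minor' notation, e.g. 0x100001 -> '10:1'."""
    return "%x:%x" % (classid >> 16, classid & MAX_HANDLE)


def iptables_match(classid):
    """Match arguments for iptables' cgroup extension (xt_cgroup)."""
    return ["-m", "cgroup", "--cgroup", hex(classid)]
```

Because released minors are reused, any tc class or iptables rule keyed on a handle has to be removed when its container exits, or it will apply to the next container that receives that handle.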


[jira] [Updated] (MESOS-4343) Introduce the ability to assign network handles to mesos containers

2016-01-13 Thread Avinash Sridharan (JIRA)

 [ 
https://issues.apache.org/jira/browse/MESOS-4343?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Avinash Sridharan updated MESOS-4343:
-
Target Version/s:   (was: 0.27.0)

> Introduce the ability to assign network handles to mesos containers
> ---
>
> Key: MESOS-4343
> URL: https://issues.apache.org/jira/browse/MESOS-4343
> Project: Mesos
> Issue Type: Epic
> Components: containerization
> Reporter: Avinash Sridharan
> Assignee: Avinash Sridharan
> Labels: containers, mesosphere
>
> Linux provides net_cls as a cgroup subsystem. A net_cls cgroup is associated 
> with a 16-bit major handle and a 16-bit minor handle.  When a task is 
> associated with a net_cls cgroup, the kernel tags every packet being 
> generated by the task with the major and minor handle associated with the 
> net_cls cgroup that the task belongs to. These tags are then used by network 
> performance shaping and firewall tools such as tc (traffic controller) and 
> iptables. 
> Currently, mesos agents do not provide any isolator that can enable 
> mesos-containers in a net_cls cgroup, or assign network handles to a net_cls 
> cgroup. As part of this epic we plan to achieve the following:
> a)  Implement net_cls cgroup isolator for mesos agents.
> b)  Implement a net-handles allocator class that can manage.
> c)  Allow operators to set a major network handle when launching an agent. 
> d)  Expose the net_cls network handle allocated to a container, to entities 
> such as operators and frameworks. 
> Once the above goals are met operators can learn about network handles 
> allocated to containers and apply them to tools such as tc and iptables to 
> enforce network policies. 


