Hey folks - I hijacked some of the previous conversation to talk with our Docker folks, here is the response below:

Cheers,
Tim

----------------------------------------------------------------------------------------------
From: "Daniel J Walsh" <dwa...@redhat.com>
To: "Fedora Cloud SIG" <cl...@lists.fedoraproject.org>, "Scott Collier" <scoll...@redhat.com>
Sent: Tuesday, September 23, 2014 9:26:45 AM
Subject: Re: Fwd: Running mesos-slave in Docker container (Atomic Discussion)

docker run --privileged

Turns off all of the docker security.

Has anyone tried to run a container for something like mesos that execs docker commands, to maybe look like

docker run --privileged -v /:/host -v /run:/run -ti -net=host mesos /bin/sh

This would cause all of / to be mounted in /host and then you could execute /host/usr/bin/docker for example.

Not sure why you would want /var/lib/docker mounted into the mesos container.

----- Original Message -----
> From: "Scott Collier" <scoll...@redhat.com>
> To: "Tim St Clair" <tstcl...@redhat.com>
> Cc: "Fedora Cloud SIG" <cl...@lists.fedoraproject.org>
> Sent: Tuesday, September 23, 2014 9:37:21 AM
> Subject: Re: Fwd: Running mesos-slave in Docker container
>
> On 09/23/2014 08:18 AM, Tim St Clair wrote:
> > Scott -
> >
> > When you mentioned running in "privileged mode" mode, what does that mean?
> > Could you provide more details.
>
> Sure. I figured that the Mesos process / service might need to check metrics
> on the host - which a container probably wouldn't have access to. By default
> when you run a container, it drops all Linux capabilities (see "man
> capabilities" for complete list). As of Docker 1.2, they added --cap-add and
> --cap-drop ( https://blog.docker.com/2014/08/announcing-docker-1-2-0/ ) so
> you can be specific about which ones you want. When you run a container in
> --privileged mode, you add all capabilities back. Now, instead of adding
> all capabilities back, you could pick the ones you need.
>
> For example:
>
> $ sudo docker run --cap-add=NET_ADMIN -dt fedora sleep 3000
> aa934b0e0c8f4a0202d2278a4884c136d7fd985f827e057a20617dcc67ff59db
> $ sudo docker inspect --format '{{ .HostConfig.CapAdd }}' aa9
> [NET_ADMIN]
>
> And you can see that the NET_ADMIN capability was added to the container.
>
> HTH.
>
> > Cheers,
> > Tim
> >
> > ----- Original Message -----
> > > From: "Tim Chen" <t...@mesosphere.io>
> > > To: user@mesos.apache.org, "Gabriel Monroy" <gabr...@opdemand.com>
> > > Sent: Tuesday, September 23, 2014 2:41:17 AM
> > > Subject: Re: Running mesos-slave in Docker container
> > >
> > > Hi Grzegorz,
> > >
> > > To run Mesos master|slave in a docker container is not straight forward
> > > because we utilize kernel features therefore you need to explicitly test
> > > out the features you like to use with Mesos with slave/master in Docker.
> > >
> > > Gabriel during the Mesosphere hackathon has got master and slave running
> > > in docker containers, and he can probably share his Dockerfile and run
> > > command.
> > >
> > > I believe one work around to get cgroups working with Docker run is to
> > > mount /sys into the container (mount -v /sys:/sys).
> > >
> > > Gabriel do you still have the command you used to run slave/master with
> > > Docker?
> > >
> > > Tim
> > >
> > > On Tue, Sep 23, 2014 at 12:24 AM, Grzegorz Graczyk <gregor...@gmail.com> wrote:
> > > > I'm trying to run mesos-slave inside Docker container, but it can't
> > > > start due to problem with mounting cgroups.
> > > >
> > > > I'm using:
> > > >
> > > > Kernel Version: 3.13.0-32-generic
> > > > Operating System: Ubuntu 14.04.1 LTS
> > > > Docker: 1.2.0 (commit fa7b24f)
> > > > Mesos: 0.20.0
> > > >
> > > > Following error appears:
> > > >
> > > > I0923 07:11:20.921475 19 main.cpp:126] Build: 2014-08-22 05:04:26 by root
> > > > I0923 07:11:20.921608 19 main.cpp:128] Version: 0.20.0
> > > > I0923 07:11:20.921620 19 main.cpp:131] Git tag: 0.20.0
> > > > I0923 07:11:20.921628 19 main.cpp:135] Git SHA: f421ffdf8d32a8834b3a6ee483b5b59f65956497
> > > > Failed to create a containerizer: Could not create DockerContainerizer:
> > > > Failed to find a mounted cgroups hierarchy for the 'cpu' subsystem; you
> > > > probably need to mount cgroups manually!
> > > >
> > > > I'm running docker container with command:
> > > >
> > > > docker run --name mesos-slave --privileged --net=host \
> > > >   -v /var/run/docker.sock:/var/run/docker.sock \
> > > >   -v /var/lib/docker:/var/lib/docker \
> > > >   -v /usr/local/bin/docker:/usr/local/bin/docker \
> > > >   gregory90/mesos-slave --containerizers=docker,mesos \
> > > >   --master=zk://localhost:2181/mesos --ip=127.0.0.1
> > > >
> > > > Everything is running on single machine.
> > > >
> > > > Everything works as expected when mesos-slave is run outside docker
> > > > container.
> > > >
> > > > I'd appreciate some help.
> >
> > --
> > Cheers,
> > Timothy St. Clair
> > Red Hat Inc.
>
> --
> -Scott
> Systems Design and Engineering
> Follow Us: https://twitter.com/RedHatRefArch
> Plus Us: https://plus.google.com/u/0/b/114152126783830728030/
> Like Us: https://www.facebook.com/rhrefarch

--
Cheers,
Timothy St. Clair
Red Hat Inc.
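Added example, not written by any of the posters and not Docker's or Mesos's own code: a small audit that reads `docker inspect` output and flags the host-exposing settings the thread argues about, namely --privileged, --cap-add, --net=host, and bind mounts of host paths such as /, /run, the Docker socket and /var/lib/docker. The inspect JSON is constructed to mirror Grzegorz's run command and Scott's NET_ADMIN example; the container ids and the fedora-netadmin name are placeholders.

```python
import json

# Host paths whose bind mount hands the container the Docker host: the
# ones named in the thread (/, /run, the Docker socket, /var/lib/docker)
# plus /sys, which Tim Chen suggests mounting for cgroups.
SENSITIVE_HOST_PATHS = ("/", "/run", "/var/run", "/var/lib/docker", "/sys")

def _under(path, root):
    """True when path is root itself or lies below it."""
    if root == "/":
        return path == "/"
    return path == root or path.startswith(root + "/")

def audit_host_config(host_config):
    """Findings for one container's HostConfig block from `docker inspect`."""
    findings = []
    if host_config.get("Privileged"):
        findings.append("privileged: all capabilities granted, device and "
                        "cgroup restrictions off")
    for cap in host_config.get("CapAdd") or []:
        findings.append("cap-add: %s" % cap)
    if host_config.get("NetworkMode") == "host":
        findings.append("net=host: shares the host network namespace")
    for bind in host_config.get("Binds") or []:
        src = bind.split(":")[0]
        if any(_under(src, root) for root in SENSITIVE_HOST_PATHS):
            findings.append("bind mount exposes host path %s" % src)
    return findings

def audit_inspect(inspect_json):
    """Map container name -> findings for a whole `docker inspect` document."""
    report = {}
    for container in json.loads(inspect_json):
        name = container.get("Name", container["Id"]).lstrip("/")
        report[name] = audit_host_config(container.get("HostConfig", {}))
    return report

# Constructed sample, not real inspect output: Grzegorz's mesos-slave run
# command next to Scott's --cap-add=NET_ADMIN example. Ids are placeholders.
SAMPLE_INSPECT = json.dumps([
    {"Id": "0000constructed0000", "Name": "/mesos-slave",
     "HostConfig": {"Privileged": True, "CapAdd": None, "CapDrop": None,
                    "NetworkMode": "host",
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock",
                              "/var/lib/docker:/var/lib/docker",
                              "/usr/local/bin/docker:/usr/local/bin/docker"]}},
    {"Id": "1111constructed1111", "Name": "/fedora-netadmin",
     "HostConfig": {"Privileged": False, "CapAdd": ["NET_ADMIN"],
                    "CapDrop": None, "NetworkMode": "bridge", "Binds": None}},
])
```

Feed it real output with `docker inspect <container>`; a container that keeps the default isolation returns an empty list, while the mesos-slave sample returns four findings and the NET_ADMIN sample exactly one.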