Hi, I also asked this question yesterday in the #mesos channel on IRC, but I guess that due to timezone differences not many people were awake and/or working, sorry for reposting. (Maybe someone answered after I left, but it seems that the IRC bot only archives channel joins/leaves? -> http://wilderness.apache.org/channels/?f=apache-syncope/2016-11-02)
My question is about the Mesos containerizer. I want to run code using the Mesos GPU support, and the docs state that this is currently only supported by the Mesos containerizer. So my understanding of using the Mesos containerizer with Docker images is that:

- the content of the Docker image is unpacked to the filesystem (using one of the provisioner backends, such as "copy" or "overlay")
- the user's command is executed in a chroot in that directory.

Is that correct?

The first thing I noticed (besides a much higher latency due to the image provisioning process) is that `ps aux` and `hostname` expose details of the host system, so I was wondering about the level of isolation that I can achieve with the Mesos containerizer, as opposed to running in a Docker container. In particular:

- Is it possible to hide host processes from the container?
- Is it possible to run processes that open network ports (possibly already open on the host system) and have them mapped to different ports on the host system, just as with Docker's `-p`?
- I have a USER directive in my Dockerfile in order for the CMD to be executed as that user, but that does not seem to be supported (yet?) by the Docker image provider. Is there any method (except `sudo`/`setuser`) to achieve running as a user present in the image's /etc/fstab?
- I may have to run untrusted code, so can I make sure that users cannot break out of the chroot? What about UID namespacing, so that root in the chroot does not become root on the host system when breaking out?

Thanks for your help,
Tobias
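The questions above (are host processes visible, is root inside also root outside, is the chroot backed by anything stronger) can be answered empirically by running a small self-check as the task's own command inside the container. The following script is an added example, not code from the original post or from Mesos; it is Linux-only and reads nothing but /proc, so it works regardless of which containerizer or isolators launched it. Assumptions: the identity uid_map `0 0 4294967295` means no user namespace; the capability bit numbers come from <linux/capability.h>; the "PID 1 is systemd/init" test for a missing PID namespace is a heuristic; the two SAMPLE_* readings are constructed, not captured from a real host.

```python
"""Isolation self-check: run as the task command inside a container and it
reports what the kernel actually gives the process. Added example; Linux only."""
import os
import re

# Capability bit numbers from <linux/capability.h> (subset relevant here).
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 7: "CAP_SETUID",
    10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN", 27: "CAP_MKNOD",
}
# Capabilities that make a plain chroot (without further namespaces) weak as a boundary.
CONTAINMENT_CRITICAL = {"CAP_SYS_ADMIN", "CAP_SYS_CHROOT", "CAP_SYS_MODULE",
                        "CAP_SYS_RAWIO", "CAP_SYS_PTRACE", "CAP_MKNOD"}
# Heuristic (assumption): if PID 1 is the host's init, we share the host PID namespace.
HOST_INIT_NAMES = {"systemd", "init"}

# Constructed sample readings (not captured from a real machine) for offline use.
SAMPLE_HOST_LIKE = dict(
    uid_map_text="         0          0 4294967295\n",
    status_text="Name:\tpython3\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n",
    pid1_comm="systemd",
)
SAMPLE_REMAPPED = dict(
    uid_map_text="         0     100000      65536\n",
    status_text="Name:\tpython3\nUid:\t0\t0\t0\t0\nCapEff:\t00000000a80425fb\n",
    pid1_comm="python3",
)


def parse_uid_map(text):
    """Parse /proc/self/uid_map: one 'inside outside count' triple per line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and all(p.isdigit() for p in parts):
            rows.append(tuple(int(p) for p in parts))
    return rows


def in_user_namespace(uid_map):
    """The initial user namespace shows the identity map '0 0 4294967295';
    anything else means UIDs are remapped, so uid 0 inside is not host root."""
    return uid_map != [(0, 0, 4294967295)]


def host_uid_for(uid_map, inside_uid):
    """Translate an in-container uid to the uid the host kernel sees (None if unmapped)."""
    for inside_start, outside_start, count in uid_map:
        if inside_start <= inside_uid < inside_start + count:
            return outside_start + (inside_uid - inside_start)
    return None


def parse_cap_eff(status_text):
    """Extract the effective capability mask (hex) from /proc/self/status."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    return int(match.group(1), 16) if match else 0


def cap_names(mask):
    """Names of the known capabilities set in the mask."""
    return sorted(name for bit, name in CAP_NAMES.items() if (mask >> bit) & 1)


def containment_critical_caps(mask):
    """Subset of the effective capabilities that weaken chroot containment."""
    return sorted(CONTAINMENT_CRITICAL & set(cap_names(mask)))


def assess(uid_map_text, status_text, pid1_comm):
    """Summarise isolation from raw /proc readings (pure function, testable offline)."""
    uid_map = parse_uid_map(uid_map_text)
    mask = parse_cap_eff(status_text)
    return {
        "user_namespace": in_user_namespace(uid_map),
        "host_uid_of_root": host_uid_for(uid_map, 0),
        "critical_caps": containment_critical_caps(mask),
        "host_pids_visible": pid1_comm in HOST_INIT_NAMES,
    }


def read_proc():
    """Collect the raw readings on a live Linux system."""
    with open("/proc/self/uid_map") as f:
        uid_map_text = f.read()
    with open("/proc/self/status") as f:
        status_text = f.read()
    try:
        with open("/proc/1/comm") as f:
            pid1_comm = f.read().strip()
    except OSError:
        pid1_comm = "?"
    visible = sum(1 for name in os.listdir("/proc") if name.isdigit())
    with open("/proc/sys/kernel/hostname") as f:
        hostname = f.read().strip()
    return uid_map_text, status_text, pid1_comm, visible, hostname


if __name__ == "__main__":
    uid_map_text, status_text, pid1_comm, visible, hostname = read_proc()
    result = assess(uid_map_text, status_text, pid1_comm)
    result["visible_processes"] = visible   # compare with `ps aux` on the host
    result["hostname"] = hostname           # same as the host => no UTS namespace
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it as the task command and compare the output with the same script on the host: `user_namespace: False` together with `host_uid_of_root: 0` is exactly the "root in the chroot is root on the host" situation the last question asks about, and any entry in `critical_caps` (notably CAP_SYS_ADMIN or CAP_SYS_CHROOT) means the chroot alone should not be relied on as a security boundary for untrusted code.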