Actually, say I was in a fancy mood, could I actually *not* use the Docker
image provider and instead run `nvidia-docker run [more hand-crafted
parameters] myimage <cmd>` as an ordinary command within the Mesos
container, or would I have to dig very deep into Mesos to find the right
parameters to pass to nvidia-docker?

Thanks
Tobias

On Thu, Nov 3, 2016 at 10:18 AM, Tobias Pfeiffer <t...@preferred.jp> wrote:

> Hi,
>
> I asked this question also yesterday in the #mesos channel on IRC, but I
> guess due to timezone differences there were not many people awake and/or
> working, sorry for reposting. (Maybe someone answered after I left, but it
> seems that the IRC bot is only archiving channel joins/leaves? ->
> http://wilderness.apache.org/channels/?f=apache-syncope/2016-11-02)
>
> My question is about the Mesos containerizer. I want to run code using the
> Mesos GPU support and the docs state that this is currently only supported
> by the Mesos containerizer. So my understanding of using the Mesos
> containerizer with Docker images is that
> - the content of the Docker images is unpacked to the filesystem (using
> one of the provisioner backends, such as "copy" or "overlay")
> - the user's command is executed in a chroot in that directory.
> Is that correct?
>
> The first thing I noticed is (besides a much higher latency due to the
> image provisioning process) that `ps aux` and `hostname` expose details of
> the host system, so I was wondering about the level of isolation that I can
> achieve with the Mesos containerizer, as opposed to running in a Docker
> container. In particular:
> - Is it possible to hide host processes from the container?
> - Is it possible to run processes that open network ports (possibly
> already open on the host system) and have them mapped to different ports on
> the host system, just as with Docker's `-p`?
> - I have a USER directive in my Dockerfile in order for the CMD to be
> executed as that user, but that does not seem to be supported (yet?) by the
> Docker image provider. Is there any method (except `sudo`/`setuser`) to
> achieve running as a user present in the image's /etc/fstab?
> - I may have to run untrusted code, so can I make sure that users cannot
> break out of the chroot? What about UID namespacing, so that root in the
> chroot does not become root on the host system when breaking out?
>
> Thanks for your help
> Tobias
>
