> - Is it possible to hide host processes from the container?
You may consider using the namespaces/pid isolator: add `namespaces/pid`
to the `--isolation` flag when launching the Mesos Agent.
> - Is it possible to run processes that open network ports (possibly
> already open on the host system) and have them mapped to different ports on
> the host system, just as with Docker's `-p`?
You need to use CNI port mapping. Refer to its documentation:
https://reviews.apache.org/r/53015/
> - Is there any method (except `sudo`/`setuser`) to achieve running as a
> user present in the image's /etc/fstab?
Mesos doesn't support user namespaces now; you need to use `su` to switch users.

On Thu, Nov 3, 2016 at 9:56 AM, Tobias Pfeiffer <t...@preferred.jp> wrote:

> Actually, say I was in a fancy mood, could I actually *not* use the Docker
> image provider and instead run `nvidia-docker run [more hand-crafted
> parameters] myimage <cmd>` as an ordinary command within the Mesos
> container, or would I have to dig very deep into Mesos to find the right
> parameters to pass to nvidia-docker?
>
> Thanks
> Tobias
>
> On Thu, Nov 3, 2016 at 10:18 AM, Tobias Pfeiffer <t...@preferred.jp> wrote:
>
>> Hi,
>>
>> I asked this question also yesterday in the #mesos channel on IRC, but I
>> guess due to timezone differences there were not many people awake and/or
>> working, sorry for reposting. (Maybe someone answered after I left, but it
>> seems that the IRC bot is only archiving channel joins/leaves? ->
>> http://wilderness.apache.org/channels/?f=apache-syncope/2016-11-02)
>>
>> My question is about the Mesos containerizer. I want to run code using
>> the Mesos GPU support and the docs state that this is currently only
>> supported by the Mesos containerizer. So my understanding of using the
>> Mesos containerizer with Docker images is that
>> - the content of the Docker images is unpacked to the filesystem (using
>> one of the provisioner backends, such as "copy" or "overlay")
>> - the user's command is executed in a chroot in that directory.
>> Is that correct?
>>
>> The first thing I noticed is (besides a much higher latency due to the
>> image provisioning process) that `ps aux` and `hostname` expose details of
>> the host system, so I was wondering about the level of isolation that I can
>> achieve with the Mesos containerizer, as opposed to running in a Docker
>> container. In particular:
>> - Is it possible to hide host processes from the container?
>> - Is it possible to run processes that open network ports (possibly
>> already open on the host system) and have them mapped to different ports on
>> the host system, just as with Docker's `-p`?
>> - I have a USER directive in my Dockerfile in order for the CMD to be
>> executed as that user, but that does not seem to be supported (yet?) by the
>> Docker image provider. Is there any method (except `sudo`/`setuser`) to
>> achieve running as a user present in the image's /etc/fstab?
>> - I may have to run untrusted code, so can I make sure that users cannot
>> break out of the chroot? What about UID namespacing, so that root in the
>> chroot does not become root on the host system when breaking out?
>>
>> Thanks for your help
>> Tobias
>>
>
>


-- 
Best Regards,
Haosdent Huang
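The isolator answers above (`namespaces/pid` to hide host processes, CNI for port mapping) as an added shell example that is not part of this thread: it audits the value a Mesos agent is started with in `--isolation` for the isolators that close the gaps Tobias found, and records that no isolator can give user-namespace separation. The isolator names are the ones Mesos documents; the two sample flag values are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a mesos-agent --isolation value
# for the isolators discussed above. Isolator names are the documented Mesos
# ones (namespaces/pid, network/cni, filesystem/linux, docker/runtime); the
# sample values WEAK and HARDENED below are constructed.

# Return 0 if the comma-separated isolator list $1 contains isolator $2, else 1.
has_isolator() {
  case ",$1," in
    *",$2,"*) return 0 ;;
    *)        return 1 ;;
  esac
}

# Print one WARN line per missing isolator; the return value is the number of
# warnings, so 0 means every isolator this check knows about is present.
audit_isolation() {
  _list="$1"
  _n=0
  has_isolator "$_list" namespaces/pid || {
    echo "WARN: no namespaces/pid: tasks share the host PID namespace (ps aux shows host processes)"
    _n=$((_n + 1)); }
  has_isolator "$_list" network/cni || {
    echo "WARN: no network/cni: CNI port mapping unavailable, tasks use the host network"
    _n=$((_n + 1)); }
  has_isolator "$_list" filesystem/linux || {
    echo "WARN: no filesystem/linux: a Docker image rootfs cannot be provisioned"
    _n=$((_n + 1)); }
  has_isolator "$_list" docker/runtime || {
    echo "WARN: no docker/runtime: image CMD/ENTRYPOINT/ENV/WORKDIR are ignored"
    _n=$((_n + 1)); }
  # No check is possible for user namespaces: the agent has no such isolator,
  # so uid 0 inside the image rootfs is uid 0 on the host.
  return $_n
}

# Constructed sample values: a minimal agent and a hardened one.
WEAK="cgroups/cpu,cgroups/mem"
HARDENED="cgroups/cpu,cgroups/mem,filesystem/linux,docker/runtime,namespaces/pid,network/cni"

if [ "${1:-}" = "--demo" ]; then
  echo "== weak =="; audit_isolation "$WEAK"; echo "warnings: $?"
  echo "== hardened =="; audit_isolation "$HARDENED"; echo "warnings: $?"
fi
```

Run with `--demo` to see the four warnings for the minimal list and none for the hardened one.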
