mesos-commits mailing list archives

From ji...@apache.org
Subject mesos git commit: Added doc for filesystem isolators.
Date Fri, 12 Jan 2018 00:08:03 GMT
Repository: mesos
Updated Branches:
  refs/heads/master 090f112fa -> 31835a163


Added doc for filesystem isolators.

Review: https://reviews.apache.org/r/62959/


Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/31835a16
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/31835a16
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/31835a16

Branch: refs/heads/master
Commit: 31835a1637fa44f97f57b72df9abd044d57d5009
Parents: 090f112
Author: Jie Yu <yujie.jay@gmail.com>
Authored: Thu Jan 11 15:48:10 2018 -0800
Committer: Jie Yu <yujie.jay@gmail.com>
Committed: Thu Jan 11 16:07:55 2018 -0800

----------------------------------------------------------------------
 docs/container-volume.md      |  5 +--
 docs/isolators/filesystems.md | 66 ++++++++++++++++++++++++++++++++++++++
 docs/mesos-containerizer.md   |  4 +--
 3 files changed, 71 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/mesos/blob/31835a16/docs/container-volume.md
----------------------------------------------------------------------
diff --git a/docs/container-volume.md b/docs/container-volume.md
index 359d4b2..d5a7e2c 100644
--- a/docs/container-volume.md
+++ b/docs/container-volume.md
@@ -53,8 +53,9 @@ host filesystem.
 If you are using the [Mesos Containerizer](mesos-containerizer.md),
 `HOST_PATH` volumes are handled by the `volume/host_path` isolator. To
 enable this isolator, append `volume/host_path` to the `--isolation`
-flag when starting the agent. This isolator depends on
-`filesystem/linux` isolator.
+flag when starting the agent. This isolator depends on the
+[`filesystem/linux`](isolators/filesystems.md#filesystemlinux-isolator)
+isolator.
 
 [Docker Containerizer](docker-containerizer.md) supports `HOST_PATH`
 volume as well.

http://git-wip-us.apache.org/repos/asf/mesos/blob/31835a16/docs/isolators/filesystems.md
----------------------------------------------------------------------
diff --git a/docs/isolators/filesystems.md b/docs/isolators/filesystems.md
new file mode 100644
index 0000000..39e5638
--- /dev/null
+++ b/docs/isolators/filesystems.md
@@ -0,0 +1,66 @@
+---
+title: Apache Mesos - Filesystem Isolators in Mesos Containerizer
+layout: documentation
+---
+
+# Filesystem Isolators in Mesos Containerizer
+
+The [Mesos Containerizer](../mesos-containerizer.md) has several 'filesystem'
+isolators that are used to provide isolation for a container's filesystems.
+Usually, each platform has a corresponding filesystem isolator associated with
+it, because the level of isolation depends on the capabilities of that platform.
+
+Currently, the Mesos Containerizer supports the
+[`filesystem/posix`](#filesystemposix-isolator) and
+[`filesystem/linux`](#filesystemlinux-isolator) isolators.
+[`filesystem/shared`](filesystem-shared.md) isolator has a subset of the
+features provided by the [`filesystem/linux`](#filesystemlinux-isolator)
+isolator and is broken on hosts with systemd
+([MESOS-6563](https://issues.apache.org/jira/browse/MESOS-6563)), thus is not
+recommended and will be deprecated.
+
+If you are using the Mesos Containerizer, at least one of the filesystem
+isolators needs to be specified through the `--isolation` flag. If a user does
+not specify any filesystem isolator, Mesos Containerizer will default to using
+the [`filesystem/posix`](#filesystemposix-isolator) isolator.
+
+Filesystem isolation is a pre-requisite for all the [container volume
+isolators](../container-volume.md) because it provides some basic
+functionality that the volume isolators depends on. For example, the
+[`filesystem/linux`](#filesystemlinux-isolator) isolator will create a new mount
+namespace for the container so that any volume mounts made by the volume
+isolators will be hidden from the host mount namespace.
+
+The filesystem isolator is also responsible for preparing [persistent volumes](../persistent-volume.md)
+for containers.
+
+## `filesystem/posix` isolator
+
+The `filesystem/posix` isolator works on all POSIX systems. It isolates
+container sandboxes and persistent volumes using UNIX file permissions.
+
+All containers share the same host filesystem. As a result, if you want to
+specify a [container image](../container-image.md) for the container, you cannot
+use this isolator. Use the [`filesystem/linux`](#filesystemlinux-isolator)
+isolator instead.
+
+The `filesystem/posix` isolator handles [persistent volumes](../persistent-volume.md)
+by creating symlinks in the container's sandbox that point to the actual
+persistent volumes on the host filesystem.
+
+## `filesystem/linux` isolator
+
+The `filesystem/linux` isolator works only on Linux. It isolates the filesystems
+of containers using the following primitives:
+
+* Each container gets its own mount namespace. The default [mount propagation](https://www.kernel.org/doc/Documentation/filesystems/sharedsubtree.txt)
+  in each container is set to 'slave'.
+* Use UNIX file permissions to protect container sandboxes and persistent
+  volumes.
+
+Each container is allowed to define its own [image](../container-image.md). If a
+container image is specified, by default, the container won't be able to see
+files and directories on the host filesystem.
+
+The `filesystem/linux` isolator handles [persistent volumes](../persistent-volume.md)
+by bind mounting persistent volumes into the container's sandbox.
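Review bot: the paragraph starting `+If you are using the Mesos Containerizer, at least one of the filesystem` contradicts itself: it says a filesystem isolator "needs to be specified" and then says the containerizer defaults to `filesystem/posix` when none is given; reword to say that exactly one filesystem isolator is always active and that `filesystem/posix` is used when `--isolation` names none. In the same file, "the volume isolators depends on" should read "depend on". The `filesystem/linux` section should also state the boundary precisely: "slave" mount propagation hides the container's mounts from the host but still propagates host mount events into the container, so the sentence about volume mounts being hidden should not be read as two-way isolation. Likewise "the container won't be able to see files and directories on the host filesystem" should name the exceptions the page itself implies (the sandbox, and any persistent or host-path volumes that the volume isolators bind mount in). Finally, the `filesystem/posix` section should say plainly that it creates no mount namespace, so since all containers share the host filesystem, the only thing separating one container's sandbox and persistent volumes from another's is UNIX file permissions.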

http://git-wip-us.apache.org/repos/asf/mesos/blob/31835a16/docs/mesos-containerizer.md
----------------------------------------------------------------------
diff --git a/docs/mesos-containerizer.md b/docs/mesos-containerizer.md
index ae990cb..28d5ccd 100644
--- a/docs/mesos-containerizer.md
+++ b/docs/mesos-containerizer.md
@@ -42,8 +42,8 @@ Mesos supports the following built-in isolators.
 - [docker/runtime](isolators/docker-runtime.md)
 - [docker/volume](isolators/docker-volume.md)
 - [environment\_secret](secrets.md#environment-based-secrets)
-- filesystem/linux
-- filesystem/posix
+- [filesystem/linux](isolators/filesystems.md)
+- [filesystem/posix](isolators/filesystems.md)
 - [filesystem/shared](isolators/filesystem-shared.md)
 - filesystem/windows
 - [gpu/nvidia](gpu-support.md)
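Review bot: `filesystem/windows` is left as plain text while its two siblings become links, and the new filesystems.md states that only `filesystem/posix` and `filesystem/linux` are supported even though this list shows a Windows isolator; either add a `filesystem/windows` section to the new page and link it here, or have the page say where the Windows isolator is documented. Also consider linking each entry to its section anchor (`isolators/filesystems.md#filesystemlinux-isolator`, as container-volume.md now does) rather than to the top of the page.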

