mesos-commits mailing list archives

Subject mesos git commit: Added doc for filesystem isolators.
Date Fri, 12 Jan 2018 00:08:03 GMT
Repository: mesos
Updated Branches:
  refs/heads/master 090f112fa -> 31835a163

Added doc for filesystem isolators.



Branch: refs/heads/master
Commit: 31835a1637fa44f97f57b72df9abd044d57d5009
Parents: 090f112
Author: Jie Yu <>
Authored: Thu Jan 11 15:48:10 2018 -0800
Committer: Jie Yu <>
Committed: Thu Jan 11 16:07:55 2018 -0800

 docs/      |  5 +--
 docs/isolators/ | 66 ++++++++++++++++++++++++++++++++++++++
 docs/   |  4 +--
 3 files changed, 71 insertions(+), 4 deletions(-)
diff --git a/docs/ b/docs/
index 359d4b2..d5a7e2c 100644
--- a/docs/
+++ b/docs/
@@ -53,8 +53,9 @@ host filesystem.
 If you are using the [Mesos Containerizer](,
 `HOST_PATH` volumes are handled by the `volume/host_path` isolator. To
 enable this isolator, append `volume/host_path` to the `--isolation`
-flag when starting the agent. This isolator depends on
-`filesystem/linux` isolator.
+flag when starting the agent. This isolator depends on the
 [Docker Containerizer]( supports `HOST_PATH`
 volume as well.
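
Review bot: The added line `+flag when starting the agent. This isolator depends on the` ends without naming what the isolator depends on, and in the lines shown here the next line is already the `[Docker Containerizer](` sentence. The removed text named the `filesystem/linux` isolator, so the replacement should still name it (as a link to the new filesystem isolator page, if that is the intent) and be followed by a blank line before the Docker Containerizer paragraph. The hunk header declares 9 resulting lines but fewer are visible here, so please verify the rendered page rather than this view.
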
diff --git a/docs/isolators/ b/docs/isolators/
new file mode 100644
index 0000000..39e5638
--- /dev/null
+++ b/docs/isolators/
@@ -0,0 +1,66 @@
+title: Apache Mesos - Filesystem Isolators in Mesos Containerizer
+layout: documentation
+# Filesystem Isolators in Mesos Containerizer
+The [Mesos Containerizer](../ has several 'filesystem'
+isolators that are used to provide isolation for a container's filesystems.
+Usually, each platform has a corresponding filesystem isolator associated with
+it, because the level of isolation depends on the capabilities of that platform.
+Currently, the Mesos Containerizer supports the
+[`filesystem/posix`](#filesystemposix-isolator) and
+[`filesystem/linux`](#filesystemlinux-isolator) isolators.
+[`filesystem/shared`]( isolator has a subset of the
+features provided by the [`filesystem/linux`](#filesystemlinux-isolator)
+isolator and is broken on hosts with systemd
+([MESOS-6563](, thus is not
+recommended and will be deprecated.
+If you are using the Mesos Containerizer, at least one of the filesystem
+isolators needs to be specified through the `--isolation` flag. If a user does
+not specify any filesystem isolator, Mesos Containerizer will default to using
+the [`filesystem/posix`](#filesystemposix-isolator) isolator.
+Filesystem isolation is a pre-requisite for all the [container volume
+isolators](../ because it provides some basic
+functionality that the volume isolators depends on. For example, the
+[`filesystem/linux`](#filesystemlinux-isolator) isolator will create a new mount
+namespace for the container so that any volume mounts made by the volume
+isolators will be hidden from the host mount namespace.
+The filesystem isolator is also responsible for preparing [persistent volumes](../
+for containers.
+## `filesystem/posix` isolator
+The `filesystem/posix` isolator works on all POSIX systems. It isolates
+container sandboxes and persistent volumes using UNIX file permissions.
+All containers share the same host filesystem. As a result, if you want to
+specify a [container image](../ for the container, you cannot
+use this isolator. Use the [`filesystem/linux`](#filesystemlinux-isolator)
+isolator instead.
+The `filesystem/posix` isolator handles [persistent volumes](../
+by creating symlinks in the container's sandbox that point to the actual
+persistent volumes on the host filesystem.
+## `filesystem/linux` isolator
+The `filesystem/linux` isolator works only on Linux. It isolates the filesystems
+of containers using the following primitives:
+* Each container gets its own mount namespace. The default [mount propagation](
+  in each container is set to 'slave'.
+* Use UNIX file permissions to protect container sandboxes and persistent
+  volumes.
+Each container is allowed to define its own [image](../ If a
+container image is specified, by default, the container won't be able to see
+files and directories on the host filesystem.
+The `filesystem/linux` isolator handles [persistent volumes](../
+by bind mounting persistent volumes into the container's sandbox.
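
Review bot: The `filesystem/linux` section says what a container sees when a container image is specified ("won't be able to see files and directories on the host filesystem") but never states what it sees when no image is specified; since this is the isolation guarantee operators will rely on, add one sentence covering that case. In the same spirit, the `filesystem/posix` section should say outright that sandboxes and persistent volumes are protected only by UNIX file permissions, because "All containers share the same host filesystem" currently reads as a note about image support rather than about isolation. Two wording fixes: "the volume isolators depends on" should be "depend on", and the sentence starting "[`filesystem/shared`]( isolator has a subset" needs a leading "The".
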
diff --git a/docs/ b/docs/
index ae990cb..28d5ccd 100644
--- a/docs/
+++ b/docs/
@@ -42,8 +42,8 @@ Mesos supports the following built-in isolators.
 - [docker/runtime](isolators/
 - [docker/volume](isolators/
 - [environment\_secret](
-- filesystem/linux
-- filesystem/posix
+- [filesystem/linux](isolators/
+- [filesystem/posix](isolators/
 - [filesystem/shared](isolators/
 - filesystem/windows
 - [gpu/nvidia](
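
Review bot: `filesystem/windows` stays an unlinked entry in this list, while the new filesystem isolator page says the Mesos Containerizer currently supports `filesystem/posix` and `filesystem/linux` and does not mention it. Either cover `filesystem/windows` in the new page and link it here, or state in the page that it is out of scope, so that the list and the page agree.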
