mesos-dev mailing list archives

From "Chi Zhang" <chzhc...@gmail.com>
Subject Re: Review Request 21594: Port-Range Based Network Isolator for Linux
Date Tue, 24 Jun 2014 07:27:51 GMT


> On June 19, 2014, 2:06 a.m., Vinod Kone wrote:
> > src/slave/containerizer/isolators/network/port_mapping.cpp, lines 347-349
> > <https://reviews.apache.org/r/21594/diff/4/?file=611965#file611965line347>
> >
> >     Why do we drop these? Are there no apps out there which spoof the source IP?
> 
> Vinod Kone wrote:
>     Can you explain why this is dropped? As a courtesy to reviewers, we always expect dropped issues to have an explanation. http://mesos.apache.org/documentation/latest/mesos-developers-guide/

We did have a discussion on this, but I forgot to comment on it. It generally takes root
permission to spoof the source IP, which we don't have right now.


- Chi


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/21594/#review46101
-----------------------------------------------------------


On June 24, 2014, 7:26 a.m., Chi Zhang wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/21594/
> -----------------------------------------------------------
> 
> (Updated June 24, 2014, 7:26 a.m.)
> 
> 
> Review request for mesos, Ian Downes, Jie Yu, Vinod Kone, and Cong Wang.
> 
> 
> Bugs: https://issues.apache.org/jira/browse/MESOS-1324
> 
> 
> Repository: mesos-git
> 
> 
> Description
> -------
> 
> Added a network isolator using port-range based traffic redirection on Linux.
> 
> - Containers are assigned non-ephemeral ports by the scheduler and ephemeral ports by the network isolator.
> - Virtual ethernet devices and Traffic Control filters are set up so that network traffic in and out of the containers is isolated based on the ports assigned to them.
> - Containers run inside their own network namespaces with separate network stacks, from which per-container network statistics can be retrieved.
> 
> A joint work with:
> - Cong Wang (cwang@twopensource.com)
> - Jie Yu (yujie.jay@gmail.com)
> - Ian Downes (ian.downes@gmail.com)
> 
> 
> Diffs
> -----
> 
>   include/mesos/mesos.proto 2f6be05 
>   src/Makefile.am 5e5ccd5 
>   src/slave/constants.hpp c65a62d 
>   src/slave/constants.cpp 51f65bb 
>   src/slave/containerizer/isolators/network/helper.cpp PRE-CREATION 
>   src/slave/containerizer/isolators/network/port_mapping.hpp PRE-CREATION 
>   src/slave/containerizer/isolators/network/port_mapping.cpp PRE-CREATION 
>   src/slave/containerizer/linux_launcher.cpp acaf9b5 
>   src/slave/containerizer/mesos_containerizer.cpp 917eebf 
>   src/slave/flags.hpp 3b8ba08 
>   src/tests/environment.cpp e991d57 
>   src/tests/isolator_tests.cpp 5a141e3 
>   src/tests/mesos.cpp 1037420 
> 
> Diff: https://reviews.apache.org/r/21594/diff/
> 
> 
> Testing
> -------
> 
> make check on Linux. More test cases are being written.
> 
> 
> Thanks,
> 
> Chi Zhang
> 
>

