mesos-dev mailing list archives

From Avinash Sridharan <avin...@mesosphere.io>
Subject Re: CNI: Mesos containers need to access Mesos agent
Date Mon, 20 Mar 2017 20:39:51 GMT
Hi Marcus,
 The reason we need connectivity from the container's network namespace to
the host network namespace is that the Mesos executor running in the
container's network namespace needs to register back with the agent in
order to send TASK updates about the container to the agent. Without this
connectivity the agent will not know if the container has started
successfully and will simply kill the container, failing the container
launch.

I know this is a restriction on some virtual networking solutions, and
going forward the right solution would be to support agent/executor
communication over domain sockets:
https://issues.apache.org/jira/browse/MESOS-6240

We still need to figure out when that can be accomplished.

In terms of the workarounds, if you can open communication to port 5051
between the host network namespace and the container's network namespace, it
should just work.

On Mon, Mar 20, 2017 at 9:50 AM, Marcus Sorensen <shadowsor@gmail.com>
wrote:

> http://mesos.apache.org/documentation/latest/cni/
>
> "For Mesos, the executors launched as containers need to register with the
> Agent in order for a task to be successfully launched. Hence, it is
> imperative that the Agent IP is reachable from the container IP and vice
> versa."
>
> Can anyone shed some light on this requirement for me? We'd like to
> understand the purpose of this to determine if we can work around it or
> find some means of securing it. We are really focusing on network security
> and isolation in our CNI design; we'd prefer to maintain network isolation
> between the Mesos containers and hosts.
>
> In particular, if we have to work around it, I'm wondering if there'd be
> any opportunity for the CNI plugin to open access to the port for just a
> short period until registration, then firewall it off and what the behavior
> might be if there is not continual access. Or perhaps we add a link local
> interface of some sort and a route, such that individual containers can
> reach their agent but the Mesos container networks don't need to be
> generally open to the Mesos host networks.
>

-- 
Avinash Sridharan, Mesosphere
+1 (323) 702 5245
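The workaround Avinash describes (open only port 5051 between the container and host network namespaces, keep everything else isolated) expressed as an nftables ruleset generator. This is an added example, not code from the thread or from Mesos; it assumes the agent listens on the default port 5051, that the executor initiates the connection (so replies return via connection tracking), and uses a constructed container CIDR and agent IP as placeholders.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset that lets containers on the CNI
# network reach the Mesos agent on TCP/5051 and nothing else on the host.
# Assumptions (not from the thread): executor -> agent is the only flow
# that must be opened; return packets are admitted by conntrack state.

# mesos_agent_ruleset CONTAINER_CIDR AGENT_IP [PORT]
# Prints the ruleset on stdout so it can be reviewed before being applied
# with: mesos_agent_ruleset 10.244.0.0/16 192.0.2.10 | nft -f -
mesos_agent_ruleset() {
    cidr="$1"                # constructed placeholder, e.g. 10.244.0.0/16
    agent_ip="$2"            # constructed placeholder, e.g. 192.0.2.10
    port="${3:-5051}"        # Mesos agent port named in the reply
    cat <<EOF
table inet mesos_cni {
    chain input {
        type filter hook input priority 0; policy accept;
        # Later packets of flows a container already opened toward the host.
        ip saddr $cidr ct state established,related accept
        # The one new flow the executor needs: registering with the agent.
        ip saddr $cidr ip daddr $agent_ip tcp dport $port ct state new accept
        # Any other traffic from the container network into the host is dropped.
        ip saddr $cidr drop
    }
}
EOF
}

# Dry-run syntax check when nft is installed (skipped otherwise).
mesos_agent_ruleset_check() {
    if command -v nft >/dev/null 2>&1; then
        mesos_agent_ruleset "$@" | nft -c -f -
    else
        echo "nft not found; skipping syntax check" >&2
    fi
}
```

Apply it on the agent host only after confirming the executor registers and TASK updates still arrive; if the agent ever initiates connections toward the executor, the drop rule would have to be widened.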
