mesos-issues mailing list archives

From "James Peach (JIRA)" <>
Subject [jira] [Commented] (MESOS-7675) Isolate network ports.
Date Thu, 29 Jun 2017 16:55:00 GMT


James Peach commented on MESOS-7675:

TODO optionally check only listening sockets that are advertised by master.

> Isolate network ports.
> ----------------------
>                 Key: MESOS-7675
>                 URL:
>             Project: Mesos
>          Issue Type: Improvement
>          Components: agent
>            Reporter: James Peach
>            Assignee: James Peach
>            Priority: Minor
> If a task uses network ports, there is no isolator that can enforce that it only listens
> on the ports that it has resources for. Implement a ports isolator that can limit tasks to
> listen only on allocated TCP ports.
> Roughly, the algorithm for this follows what standard tools like {{lsof}} and {{ss}} do:
> * Find all the listening TCP sockets (using netlink)
> * Index the sockets by their node (from the netlink information)
> * Find all the open sockets on the system (by scanning {{/proc/*/fd/*}} links)
> * For each open socket, check whether its node (given in the link target) is in the set
> of listen sockets that we scanned
> * If the socket is a listening socket and the corresponding PID is in the task, send
> a resource limitation for the task
> Matching pids to tasks depends on using cgroup isolation, otherwise we would have to
> build a full process tree, which would be nice to avoid.
> Scanning all the open sockets can be avoided by using the {{net_cls}} isolator with kernel
> + libnl3 patches to publish the socket classid when we find the listening socket.
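The scan described in the ticket, written out as a stand-alone Python example. This is an added illustration, not code from Mesos or from the ticket's author. It swaps the netlink socket enumeration for parsing {{/proc/net/tcp}} (the same table {{ss}} falls back to when sock_diag is unavailable), keys listening sockets by inode, walks {{/proc/<pid>/fd/*}} for {{socket:[inode]}} link targets, and takes the task's pid set from a cgroup's {{cgroup.procs}} file. The function and variable names, the sample {{/proc/net/tcp}} text and the fake fd link table are all constructed for the example; the "resource limitation" step is represented by returning the offending (pid, inode, port) triples rather than sending anything to the agent.

```python
"""Port-isolation check modelled on the MESOS-7675 algorithm (added example).

Not Mesos code. Reads /proc/net/tcp{,6} instead of netlink sock_diag, so it
needs neither root nor libnl; everything else follows the ticket's steps.
"""
import os
import re
from typing import Dict, Iterable, List, Optional, Set, Tuple

TCP_LISTEN = 0x0A  # value of the 'st' column for LISTEN in /proc/net/tcp
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")  # readlink() form of a socket fd


def parse_proc_net_tcp(text: str) -> Dict[int, Tuple[str, int]]:
    """Return {inode: (local_addr_hex, port)} for every socket in LISTEN state."""
    listeners: Dict[int, Tuple[str, int]] = {}
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state, inode = fields[1], fields[3], fields[9]
        if int(state, 16) != TCP_LISTEN or inode == "0":
            continue
        addr_hex, port_hex = local.rsplit(":", 1)  # works for v4 and v6 rows
        listeners[int(inode)] = (addr_hex, int(port_hex, 16))
    return listeners


def socket_inode_from_link(target: str) -> Optional[int]:
    """Inode number from an fd link target, or None if the fd is not a socket."""
    m = SOCKET_LINK.match(target)
    return int(m.group(1)) if m else None


def check_task(listeners: Dict[int, Tuple[str, int]],
               pid_fds: Dict[int, Iterable[str]],
               task_pids: Set[int],
               allocated_ports: Set[int]) -> List[Tuple[int, int, int]]:
    """(pid, inode, port) for each listener held by a task pid on a non-allocated port."""
    violations = []
    for pid, link_targets in pid_fds.items():
        if pid not in task_pids:  # only the task's own cgroup members count
            continue
        for target in link_targets:
            inode = socket_inode_from_link(target)
            if inode is None or inode not in listeners:
                continue  # not a socket, or a socket that is not listening
            port = listeners[inode][1]
            if port not in allocated_ports:
                violations.append((pid, inode, port))
    return sorted(set(violations))


# --- live helpers (Linux only; not exercised by the constructed demo below) ---

def live_fd_links() -> Dict[int, List[str]]:
    """Scan /proc/<pid>/fd/* and return {pid: [link targets]}; skips pids we cannot read."""
    out: Dict[int, List[str]] = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        fd_dir = f"/proc/{entry}/fd"
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or EACCES for another user's process
            continue
        links = []
        for fd in fds:
            try:
                links.append(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue  # fd closed between listdir() and readlink()
        out[int(entry)] = links
    return out


def pids_in_cgroup(cgroup_dir: str) -> Set[int]:
    """Task pid set from a cgroup directory's cgroup.procs file (assumed path layout)."""
    with open(os.path.join(cgroup_dir, "cgroup.procs")) as f:
        return {int(line) for line in f if line.strip()}


# --- constructed sample data: 8080 is allocated, 80 is not ---

SAMPLE_PROC_NET_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 40002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 40003 1 0000000000000000 20 4 30 10 -1
"""

SAMPLE_FD_LINKS = {
    101: ["/dev/null", "socket:[40001]", "pipe:[555]"],  # task pid, listens on 8080 (ok)
    102: ["socket:[40002]", "socket:[40003]"],           # task pid, listens on 80 (violation)
    999: ["socket:[40002]"],                             # outside the task cgroup, ignored
}
SAMPLE_TASK_PIDS = {101, 102}
SAMPLE_ALLOCATED = {8080}


def demo() -> List[Tuple[int, int, int]]:
    listeners = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    return check_task(listeners, SAMPLE_FD_LINKS, SAMPLE_TASK_PIDS, SAMPLE_ALLOCATED)


if __name__ == "__main__":
    for pid, inode, port in demo():
        print(f"pid {pid} holds listening socket inode {inode} on unallocated port {port}")
```

Two points the ticket raises show up directly in the code: the established connection (state 01, inode 40003) is dropped at the listener-indexing step, so only sockets a task is actually accepting on are flagged, and pid 999 holding the same inode is ignored because it is not in the task's cgroup, which is exactly why the ticket ties this to cgroup isolation rather than walking a process tree.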
