Date: Fri, 4 Aug 2017 01:29:00 +0000 (UTC)
From: "Qian Zhang (JIRA)"
To: issues@mesos.apache.org
Subject: [jira] [Updated] (MESOS-7853) Support shared PID namespace.

     [ https://issues.apache.org/jira/browse/MESOS-7853?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Qian Zhang updated MESOS-7853:
------------------------------
    Sprint: Mesosphere Sprint 61

> Support shared PID namespace.
> -----------------------------
>
>                 Key: MESOS-7853
>                 URL: https://issues.apache.org/jira/browse/MESOS-7853
>             Project: Mesos
>          Issue Type: Task
>          Components: containerization
>            Reporter: Gilbert Song
>            Assignee: Qian Zhang
>              Labels: containerizer, mesosphere, namespaces
>
> Currently, with the 'namespaces/pid' isolator enabled, each container will have its own pid namespace. This does not meet the need for some scenarios. For example, under the same executor container, one task wants to reach out to another task which needs to share the same pid namespace.
> We should support container pid namespace to be configurable. Users can choose one container to share its parent's pid namespace or not.
> User facing API:
> {noformat}
> message LinuxInfo {
>   ......
>   // True if it shares the pid namespace with its parent. If the
>   // container is a top level container, it means share the pid
>   // namespace with the agent. If the container is a nested
>   // container, it means share the pid namespace with its parent
>   // container. This field will be ignored if 'namespaces/pid'
>   // isolator is not enabled.
>   optional bool share_pid_namespace = 4;
> }
> {noformat}
> A new agent flag:
> --disallow_top_level_pid_ns_sharing (defaults to false)
> This is a security concern from the operator's perspective. While some of the nested containers share the pid namespace from their parents, the top level containers never share the pid ns from the agent.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
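
The issue treats a top-level container sharing the agent's PID namespace as an operator security concern. The following is an added example, not part of the original message or of Mesos: a shell check an operator could run on an agent host to list the processes that share a PID namespace with a reference PID, by comparing the standard Linux `/proc/<pid>/ns/pid` links. The function names and the `PROC_ROOT` override are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Mesos code): audit PID namespace sharing on a Linux host.
# PROC_ROOT is a hypothetical override so the logic can be exercised against
# a constructed directory tree instead of the live /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the PID namespace identifier of a process, e.g. "pid:[4026531836]".
# Returns non-zero if the process has exited or the link cannot be read.
pid_ns_of() {
    readlink "$PROC_ROOT/$1/ns/pid" 2>/dev/null
}

# Status 0: both PIDs are in the same PID namespace.
# Status 1: they are in different PID namespaces.
# Status 2: one of the namespaces could not be read (treat as unknown).
same_pid_ns() {
    a=$(pid_ns_of "$1") || return 2
    b=$(pid_ns_of "$2") || return 2
    [ "$a" = "$b" ]
}

# Print every other PID under PROC_ROOT that shares the PID namespace of the
# reference PID (for instance the agent). Processes whose namespace link is
# unreadable are skipped rather than reported as sharing.
pids_sharing_ns_with() {
    ref=$(pid_ns_of "$1") || return 2
    for dir in "$PROC_ROOT"/[0-9]*; do
        pid=${dir##*/}
        [ "$pid" = "$1" ] && continue
        ns=$(pid_ns_of "$pid") || continue
        [ "$ns" = "$ref" ] && echo "$pid"
    done
    return 0
}
```

Reading another user's `/proc/<pid>/ns/pid` link needs sufficient privileges, so run the audit as root on the agent host; unreadable entries are skipped, not counted as isolated.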