mesos-issues mailing list archives

From "James Peach (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (MESOS-7605) UCR doesn't isolate uts namespace w/ host networking
Date Thu, 01 Feb 2018 17:38:00 GMT

    [ https://issues.apache.org/jira/browse/MESOS-7605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16348971#comment-16348971 ]

James Peach commented on MESOS-7605:
------------------------------------

{quote}
Qian Zhang That is exactly not the point of this change. CNI already supports setting the
container hostname for all containers that have an image. The point of this isolator is
to guarantee that the host's UTS namespace is protected from containers (case 1) above. I
kept it explicitly out of scope for this isolator to actually set the hostname, since last
time I did that, we ended up moving that feature to the CNI isolator.
{quote}

I believed that the CNI isolator did set up the hostname correctly when joining the host network;
however, [~qianzhang] is right that the CNI isolator doesn't clone the UTS namespace unless
you join a named network.

So I agree with [~qianzhang] that we should make the CNI isolator clone the UTS namespace
(and set the hostname) when it joins the host network and has a container image. We will still
need the UTS isolator for the case where there is no container image or the CNI isolator
isn't used, however.

IIRC [~avinash.mesos]'s original concern about this was that the specified hostname would
not be consistent with DNS. There are 2 things we can do about this ... (1) just accept it and
it's fine, (2) resolve the host's hostname and use that IP address to populate the container
{{resolv.conf}}. AFAICT, Docker just does (1).

> UCR doesn't isolate uts namespace w/ host networking
> ----------------------------------------------------
>
>                 Key: MESOS-7605
>                 URL: https://issues.apache.org/jira/browse/MESOS-7605
>             Project: Mesos
>          Issue Type: Improvement
>          Components: containerization
>            Reporter: James DeFelice
>            Assignee: James Peach
>            Priority: Major
>              Labels: mesosphere
>
> Docker's {{run}} command supports a {{--hostname}} parameter which impacts container
> isolation, even in {{host}} network mode: (via https://docs.docker.com/engine/reference/run/)
> {quote}
> Even in host network mode a container has its own UTS namespace by default. As such --hostname
> is allowed in host network mode and will only change the hostname inside the container. Similar
> to --hostname, the --add-host, --dns, --dns-search, and --dns-option options can be used in
> host network mode.
> {quote}
> I see no evidence that UCR offers a similar isolation capability.
> Related: the {{ContainerInfo}} protobuf has a {{hostname}} field which was initially
> added to support the Docker containerizer's use of the {{--hostname}} Docker {{run}} flag.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
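The property argued over in this thread (a container may rename itself, but the host's UTS namespace must stay untouched, even with host networking) comes down to whether the task process was placed in a cloned UTS namespace before it called sethostname(). The following is an added, stand-alone check written for this archive page; it is not Mesos code and does not use the UCR isolator API. It forks a child, has the child unshare a UTS namespace (via a user namespace when unprivileged, or directly when it holds CAP_SYS_ADMIN) and rename itself, and then verifies from the parent that the host's hostname did not change. The result codes, CHILD_HOSTNAME and the child exit codes are this example's own constructed values.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes for uts_isolation_check() (names chosen for this example). */
enum {
    UTS_ISOLATED = 0,     /* child renamed itself; parent's hostname unchanged */
    UTS_NO_PRIVILEGE = 1, /* kernel refused to create the namespace */
    UTS_LEAKED = 2,       /* parent's hostname changed: no isolation */
    UTS_ERROR = 3         /* fork/pipe/other failure */
};

/* Hostname the child sets inside its own UTS namespace (constructed value). */
#define CHILD_HOSTNAME "sandboxed-task"

/* Child exit codes used to report back to the parent (constructed). */
#define EXIT_NO_PRIVILEGE 10
#define EXIT_CHILD_ERROR  11

/*
 * Enter a fresh UTS namespace. An unprivileged process can only do this
 * together with a new user namespace; a process holding CAP_SYS_ADMIN can
 * unshare UTS alone. Returns 0 on success, -1 otherwise.
 */
static int enter_new_uts_namespace(void)
{
    if (unshare(CLONE_NEWUSER | CLONE_NEWUTS) == 0)
        return 0;
    return unshare(CLONE_NEWUTS);
}

/*
 * Fork a child that moves into its own UTS namespace and calls sethostname().
 * The parent then re-reads its own hostname: with a cloned namespace the
 * rename stays inside the child, which is the guarantee the isolator is
 * meant to give. What the child observed is copied into child_hostname_out.
 */
int uts_isolation_check(char *child_hostname_out, size_t out_len)
{
    char before[256] = {0}, after[256] = {0}, reported[256] = {0};
    int pipefd[2], status;
    pid_t pid;

    if (gethostname(before, sizeof before - 1) != 0 || pipe(pipefd) != 0)
        return UTS_ERROR;

    pid = fork();
    if (pid < 0)
        return UTS_ERROR;

    if (pid == 0) {
        /* Child: isolate first, then rename; never touch the host's name. */
        char mine[256] = {0};
        close(pipefd[0]);
        if (enter_new_uts_namespace() != 0)
            _exit(EXIT_NO_PRIVILEGE);
        if (sethostname(CHILD_HOSTNAME, strlen(CHILD_HOSTNAME)) != 0 ||
            gethostname(mine, sizeof mine - 1) != 0 ||
            write(pipefd[1], mine, strlen(mine) + 1) < 0)
            _exit(EXIT_CHILD_ERROR);
        _exit(0);
    }

    /* Parent: collect the child's view, then compare our own hostname. */
    close(pipefd[1]);
    ssize_t n = read(pipefd[0], reported, sizeof reported - 1);
    close(pipefd[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return UTS_ERROR;
    if (WEXITSTATUS(status) == EXIT_NO_PRIVILEGE)
        return UTS_NO_PRIVILEGE;
    if (WEXITSTATUS(status) != 0 || n <= 0)
        return UTS_ERROR;
    if (strcmp(reported, CHILD_HOSTNAME) != 0)
        return UTS_ERROR; /* child did not end up with the name it set */

    if (child_hostname_out != NULL && out_len > 0) {
        strncpy(child_hostname_out, reported, out_len - 1);
        child_hostname_out[out_len - 1] = '\0';
    }
    if (gethostname(after, sizeof after - 1) != 0)
        return UTS_ERROR;
    return strcmp(before, after) == 0 ? UTS_ISOLATED : UTS_LEAKED;
}

int main(void)
{
    char seen[256] = {0};
    int r = uts_isolation_check(seen, sizeof seen);

    if (r == UTS_ISOLATED)
        printf("isolated: child saw '%s', host hostname unchanged\n", seen);
    else if (r == UTS_NO_PRIVILEGE)
        printf("no privilege to create a UTS namespace here\n");
    else if (r == UTS_LEAKED)
        printf("LEAK: child's sethostname() changed the host's hostname\n");
    else
        printf("check could not run\n");
    return r;
}
```

Run as an ordinary user on a kernel with unprivileged user namespaces, or as root, the check reports the child's new name while the host keeps its own; in an environment where neither route to a new namespace is allowed it reports UTS_NO_PRIVILEGE rather than attempting sethostname() in the shared namespace, which is the failure mode this issue is about. Run inside a task on an agent, the same logic tells you whether that task was actually given its own UTS namespace.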
