mesos-reviews mailing list archives

From James Peach <jpe...@apache.org>
Subject Re: Review Request 60496: Added socket checking to the network ports isolator.
Date Thu, 17 Aug 2017 17:43:26 GMT


> On Aug. 17, 2017, 2:45 p.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/isolators/network/ports.hpp
> > Lines 39 (patched)
> > <https://reviews.apache.org/r/60496/diff/10/?file=1797107#file1797107line39>
> >
> >     Should be a `static` variable.
> >     
> >     Or do we want to make it configurable by introducing an agent flag (like the
> >     existing one `--container_disk_watch_interval` for `disk/du` isolator)?

This is removed and replaced by a configuration option in [r/60592](https://reviews.apache.org/r/60592).


> On Aug. 17, 2017, 2:45 p.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/isolators/network/ports.cpp
> > Lines 128-133 (patched)
> > <https://reviews.apache.org/r/60496/diff/10/?file=1797108#file1797108line128>
> >
> >     I think it is possible for `cgroups::processes()` to return some pids but the
> >     corresponding processes do not exist, and it is normal rather than an error case, right?
> >     If so, that will cause `NetworkPortsIsolatorProcess::getProcessSockets()` to fail since the
> >     process does not exist, then I think `LOG(ERROR)` may not be needed since it is a normal case.

Dropped to `VLOG(1)` and commented.


> On Aug. 17, 2017, 2:45 p.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/isolators/network/ports.cpp
> > Lines 148-150 (patched)
> > <https://reviews.apache.org/r/60496/diff/10/?file=1797108#file1797108line148>
> >
> >     It seems we only care about `port`, so it might not be needed to construct this
> >     object. What about just using `ntohs(socketInfo.sourcePort.get())` in the code below?

I think we should keep the full address. There's no performance impact and it is helpful for
code clarity and debugging.


> On Aug. 17, 2017, 2:45 p.m., Qian Zhang wrote:
> > src/slave/containerizer/mesos/isolators/network/ports.cpp
> > Lines 156-157 (patched)
> > <https://reviews.apache.org/r/60496/diff/10/?file=1797108#file1797108line156>
> >
> >     Do we really need this? I think showing pid like what you did in the `else`
> >     block below should be enough.

Yes, I think this is definitely needed in order to understand why the isolator is killing
processes. Any time you need to debug what is getting killed this will make it much easier
to understand.


- James


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/60496/#review182691
-----------------------------------------------------------


On Aug. 17, 2017, 5:36 p.m., James Peach wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/60496/
> -----------------------------------------------------------
> 
> (Updated Aug. 17, 2017, 5:36 p.m.)
> 
> 
> Review request for mesos, Qian Zhang and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-7675
>     https://issues.apache.org/jira/browse/MESOS-7675
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Implemented ports resource restrictions in the network ports isolator.
> Periodically, scan for listening sockets and match them up to all
> the open sockets in the containers we are tracking in the network.
> Check any sockets we find against the ports resource and trigger a
> resource limitation if the port has not been allocated.
> 
> 
> Diffs
> -----
> 
>   src/slave/containerizer/mesos/isolators/network/ports.hpp PRE-CREATION 
>   src/slave/containerizer/mesos/isolators/network/ports.cpp PRE-CREATION 
> 
> 
> Diff: https://reviews.apache.org/r/60496/diff/11/
> 
> 
> Testing
> -------
> 
> make check (Fedora 26)
> 
> 
> Thanks,
> 
> James Peach
> 
>
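
The periodic check described in the review request above, as an added C++ example that is not the code under review and not Mesos code. It assumes the socket table arrives in `/proc/net/tcp` text layout and that an inode-to-pid map for the container's processes has already been built; `checkPorts`, `Violation`, `PortRanges` and the sample rows are constructed for illustration.

```cpp
#include <cstdint>
#include <map>
#include <sstream>
#include <string>
#include <utility>
#include <vector>

struct Violation { int pid; unsigned port; };
using PortRanges = std::vector<std::pair<unsigned, unsigned>>;

// Constructed sample in /proc/net/tcp layout: listeners on 31000 (0x7918)
// and 8080 (0x1F90), one ESTABLISHED (01) socket, one host-owned listener.
const char* const kSample =
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:7918 00000000:0000 0A 00000000:00000000 00:00000000 00000000 1000 0 5001\n"
    "   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 1000 0 5002\n"
    "   2: 0100007F:9C40 0100007F:1F90 01 00000000:00000000 00:00000000 00000000 1000 0 5003\n"
    "   3: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 4000\n";

// Returns one violation per listening socket that is owned by a container
// process (inodeToPid) and whose local port is outside the allocated ranges.
std::vector<Violation> checkPorts(const std::string& table,
                                  const std::map<uint64_t, int>& inodeToPid,
                                  const PortRanges& ranges) {
  std::vector<Violation> out;
  std::istringstream in(table);
  std::string line;
  std::getline(in, line);  // Skip the header row.
  while (std::getline(in, line)) {
    std::istringstream f(line);
    std::string sl, local, remote, state, queues, timer, retrans;
    uint64_t uid, timeout, inode;
    if (!(f >> sl >> local >> remote >> state >> queues >> timer >> retrans
            >> uid >> timeout >> inode)) continue;  // Malformed row.
    if (state != "0A") continue;                    // 0A is TCP_LISTEN.
    auto owner = inodeToPid.find(inode);
    if (owner == inodeToPid.end()) continue;        // Not a container socket.
    unsigned port = 0;
    std::istringstream p(local.substr(local.rfind(':') + 1));
    if (!(p >> std::hex >> port) || port > 65535) continue;
    bool allowed = false;
    for (const auto& r : ranges)
      allowed = allowed || (port >= r.first && port <= r.second);
    if (!allowed) out.push_back({owner->second, port});
  }
  return out;
}
```

Each returned entry carries both the pid and the offending port, which is the information the reply above argues is needed when debugging why a process was killed.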

