mesos-user mailing list archives

From Tomek Janiszewski <jani...@gmail.com>
Subject Re: Mesos (and Marathon) port mapping
Date Fri, 31 Mar 2017 08:23:08 GMT
I have a question that is related to this topic. In the "docker support and
current limitations" section [1] there is the following statement:
> Only host network is supported. We will add bridge network support soon
using CNI support in Mesos (MESOS-4641
<https://issues.apache.org/jira/browse/MESOS-4641>)
The mentioned issue is resolved. Does this mean bridge network is working for
the Mesos containerizer?

[1]:
https://github.com/apache/mesos/blob/master/docs/container-image.md#docker-support-and-current-limitations

On Fri, 31 Mar 2017 at 02:04, Jie Yu <yujie.jay@gmail.com> wrote:

> are you talking about the NAT feature of docker in BRIDGE mode ?
>
>
> Yes
>
>  - regarding the "port mapping isolator giving network namespace" : what
> confuses me is that, given the previous answers, I thought that in that
> case, the non-ephemeral port range was *shared* (as a resource) between
> containers, which sounds to me at the opposite of the namespace concept (as
> a slightly different example, 2 docker containers have their own private port
> 80, for instance).
>
>
> The port mapping isolator is for the case where ip per container is not
> possible (due to ipam restriction, etc), but the user still wants to have
> network namespace per container (for isolation, getting statistics, etc.)
>
> Since all containers, even if they are in separate namespaces, share the
> same IP, we have to use some other mechanism to tell which packet belongs
> to which container. We use ports in that case. You can find more details
> about port mapping isolator in this talk I gave in 2015 MesosCon:
> https://www.youtube.com/watch?v=ZA96g1M4v8Y
>
> - Jie
>
> On Thu, Mar 30, 2017 at 2:13 AM, Thomas HUMMEL <thomas.hummel@pasteur.fr>
> wrote:
>
>
> On 03/29/2017 07:25 PM, Jie Yu wrote:
>
> Thomas,
>
> I think you are confused about the port mapping for NAT purposes, and the port
> mapping isolator
> <http://mesos.apache.org/documentation/latest/port-mapping-isolator/>.
> Those are two very different things. The port mapping isolator (unfortunate
> naming), as described in the doc, gives you a network namespace per container
> without requiring an IP per container. No NAT is involved. I think for your
> case, you should not use it, and it does not work for DockerContainerizer.
>
> Thanks,
>
> I'm not sure I understand what you say:
>
> - are you talking about the NAT feature of docker in BRIDGE mode ?
>
> - regarding the "port mapping isolator giving network namespace" : what
> confuses me is that, given the previous answers, I thought that in that
> case, the non-ephemeral port range was *shared* (as a resource) between
> containers, which sounds to me at the opposite of the namespace concept (as
> a slightly different example, 2 docker containers have their own private port
> 80, for instance).
>
> What am I missing ?
>
> Thanks
>
> --
> TH
>
>
>
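
The distinction Jie draws above (a network namespace per container that still shares the agent's IP and so must be demultiplexed by destination port, versus Docker BRIDGE-mode NAT where every container has its own private port space) is easy to get wrong, so here is an added example that is not part of the thread and not Mesos or Docker code: a small Python model of both schemes. The host IP, container names and port ranges are constructed values; the model assumes that under the port mapping isolator a listener outside a container's assigned range is simply unreachable from outside, and that unassigned ports fall to the host namespace.

```python
"""Constructed model of two port schemes: the Mesos port mapping isolator
(shared IP, disjoint port slices, no NAT) versus Docker bridge NAT
(private IP per container, DNAT from host ports). Not project code."""
from typing import Dict, Optional, Tuple


class PortRange:
    """Inclusive port interval, e.g. the agent's `ports:[31000-32000]`."""

    def __init__(self, lo: int, hi: int):
        if not (0 < lo <= hi <= 65535):
            raise ValueError(f"bad port range {lo}-{hi}")
        self.lo, self.hi = lo, hi

    def __contains__(self, port: int) -> bool:
        return self.lo <= port <= self.hi

    def overlaps(self, other: "PortRange") -> bool:
        return self.lo <= other.hi and other.lo <= self.hi

    def __repr__(self) -> str:
        return f"[{self.lo}-{self.hi}]"


class PortMappingHost:
    """Agent with one IP shared by every container. Each container gets a
    network namespace and a slice of the non-ephemeral `ports` resource;
    because the IP is shared, the destination port is the only thing that
    tells the host which namespace a packet belongs to. No NAT."""

    def __init__(self, host_ip: str, offered: PortRange):
        self.host_ip = host_ip
        self.offered = offered
        self.allocations: Dict[str, PortRange] = {}

    def launch(self, container: str, ports: PortRange) -> None:
        # Ports are consumed like CPU or memory: the slice must lie inside the
        # agent's offer and must not collide with any running container.
        if ports.lo not in self.offered or ports.hi not in self.offered:
            raise ValueError(f"{container}: {ports} not in offered {self.offered}")
        for other, taken in self.allocations.items():
            if ports.overlaps(taken):
                raise ValueError(f"{container}: {ports} collides with {other} {taken}")
        self.allocations[container] = ports

    def bind(self, container: str, port: int) -> bool:
        # Model assumption: a listener outside the container's own slice is
        # never routed into its namespace, so the bind is useless.
        return port in self.allocations[container]

    def classify(self, dst_ip: str, dst_port: int) -> Optional[str]:
        # Demux purely by destination port; None means "host namespace".
        if dst_ip != self.host_ip:
            return None
        for container, rng in self.allocations.items():
            if dst_port in rng:
                return container
        return None


class BridgeNatHost:
    """Docker BRIDGE mode: each container owns a private IP and a full port
    space; a published port is DNAT'ed (host_ip, host_port) -> (container,
    container_port). Two containers can therefore both listen on port 80."""

    def __init__(self, host_ip: str):
        self.host_ip = host_ip
        self.dnat: Dict[int, Tuple[str, int]] = {}

    def publish(self, container: str, host_port: int, container_port: int) -> None:
        if host_port in self.dnat:
            raise ValueError(f"host port {host_port} already published")
        self.dnat[host_port] = (container, container_port)

    def translate(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        if dst_ip != self.host_ip:
            return None
        return self.dnat.get(dst_port)


def demo() -> dict:
    """Run both models on constructed data and return the observations."""
    pm = PortMappingHost("10.0.0.5", PortRange(31000, 32000))
    pm.launch("web-a", PortRange(31000, 31009))
    pm.launch("web-b", PortRange(31010, 31019))
    collision = False
    try:
        pm.launch("web-c", PortRange(31005, 31015))  # overlaps both slices
    except ValueError:
        collision = True

    nat = BridgeNatHost("10.0.0.5")
    nat.publish("web-a", 8080, 80)
    nat.publish("web-b", 8081, 80)  # same private port 80, different host port

    return {
        "pm_31003": pm.classify("10.0.0.5", 31003),
        "pm_31012": pm.classify("10.0.0.5", 31012),
        "pm_80": pm.classify("10.0.0.5", 80),
        "pm_bind_ok": pm.bind("web-a", 31001),
        "pm_bind_bad": pm.bind("web-a", 80),
        "pm_collision": collision,
        "nat_8080": nat.translate("10.0.0.5", 8080),
        "nat_8081": nat.translate("10.0.0.5", 8081),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes concrete: under the isolator the port range is genuinely a shared, partitioned resource (overlapping slices are rejected, and port 80 on the shared IP belongs to the host, not to any container), whereas under bridge NAT the scarce resource is the set of published host ports and the containers' own port numbers never conflict.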
