Details

    • Type: Epic
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 0.23.0
    • Component/s: containerization
    • Labels:
      None
    • Epic Name:
      Container Network Isolation
    • Target Version/s:

      Description

      The goal here is to provide network isolation between containers so that one container cannot saturate the entire network, affecting the performance of other containers.

      There are many options here. With the current network monitoring code (MESOS-1228, already committed), one option is to add a "tc police action" on the 'veth' of each container to drop packets when the traffic exceeds a certain limit.

      Other options include advanced shape control using tc classes (e.g., HTB, CBQ, etc.). We're gonna need to extend the current routing library to support that.
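The "tc police action" option above, sketched as an added example (not Mesos code and not part of the original ticket): the script builds the two `tc` commands that attach an ingress policer to the host-side veth of one container. The function names, interface name, rate and burst values are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not Mesos code. Generates the tc commands for a per-container
# policer; all interface names and limits used here are constructed samples.
#
# Packets a container sends arrive as *ingress* on its host-side veth peer,
# so an ingress policer on that device caps what the container can transmit.

valid_dev() {    # interface name: 1-15 chars from a restricted character set
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

valid_rate() {   # tc rate such as 500kbit, 10mbit, 1gbit
    printf '%s\n' "$1" | grep -Eq '^[0-9]+[kmg]?bit$'
}

valid_burst() {  # tc size such as 32k, 256k, 1m (bytes)
    printf '%s\n' "$1" | grep -Eq '^[0-9]+[km]?b?$'
}

# police_cmds DEV RATE BURST: print the commands, or fail on bad input so
# that nothing unvalidated ever reaches a root shell.
police_cmds() {
    dev=$1; rate=$2; burst=$3
    valid_dev "$dev"     || { echo "bad device: $dev" >&2; return 1; }
    valid_rate "$rate"   || { echo "bad rate: $rate" >&2; return 1; }
    valid_burst "$burst" || { echo "bad burst: $burst" >&2; return 1; }
    # 1. Attach the ingress qdisc (fixed handle ffff:) to the veth.
    printf 'tc qdisc add dev %s handle ffff: ingress\n' "$dev"
    # 2. Match every packet (u32 match u32 0 0) and drop whatever exceeds
    #    the token bucket defined by rate and burst.
    printf 'tc filter add dev %s parent ffff: protocol all prio 1 ' "$dev"
    printf 'u32 match u32 0 0 police rate %s burst %s drop flowid :1\n' \
        "$rate" "$burst"
}

# Stand-alone use: ./police.sh veth1234 10mbit 256k
if [ "$#" -eq 3 ]; then
    police_cmds "$1" "$2" "$3"
fi
```

The script only prints the commands for review; applying them requires root on the host. Dropped packets show up in `tc -s filter show dev <veth> parent ffff:`, which is the counter to watch when checking whether a container is hitting its limit.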

          Activity

          jieyu Jie Yu added a comment - - edited

          If you guys want to support network isolation for docker containers, please create a new epic and link to this one. Thanks.

          nnielsen Niklas Quarfot Nielsen added a comment -

          Jie Yu Want this to go in 0.22.0 or should we bump?

          benjaminhindman Benjamin Hindman added a comment -

          I haven't chatted with anyone (yet) about integrating this with the DockerContainerizer, but it's definitely possible and could be a nice win to get network isolation for Docker.

          tstclair Timothy St. Clair added a comment -

          Benjamin Hindman & Jie Yu
          Is there a map between the native work being done here, and possible iptables mods in Docker containers?

          Arguably you can easily fudge iptables of a Docker container to get similar behavior, and I believe this is the roadmap for their QoS tiers in Kubernetes.


            People

            • Assignee:
              jieyu Jie Yu
              Reporter:
              jieyu Jie Yu
            • Votes:
              2
              Watchers:
              16
