Pid Namespace Isolator in Mesos Containerizer
The namespaces/pid isolator can be used to isolate each container in a separate pid namespace, with two main benefits:

1. Visibility: processes running in the container (the executor and its descendants) cannot see or signal processes outside the namespace. The isolation is one-way: the agent, which lives in the parent namespace, can still see and signal the container's processes.

2. Clean termination: when the leading process of a pid namespace (pid 1 inside that namespace) exits, the kernel terminates every other process in the namespace.
You can turn on this isolator by adding it to the --isolation agent flag (for example, --isolation=namespaces/pid,...). Note that the filesystem/linux isolator is also required when the pid namespace isolator is turned on; the pid namespace isolator will not initialize without it.
When destroying a container, the launcher relies on property (2) above in preference to the freezer cgroup, which avoids known kernel issues with freezing cgroups under OOM conditions.

A fresh /proc is mounted for each container so that tools such as ps work correctly and show only the processes in the container's own pid namespace.
To enable the PID namespace isolator, append namespaces/pid to the --isolation flag when starting the agent. Once the isolator is enabled, each container gets its own PID namespace by default.
Framework users can allow a container to share a pid namespace with its parent by setting the ContainerInfo.linux_info.share_pid_namespace field to true. If the container is a top-level container, it will share the pid namespace with the agent. If the container is a nested container, it will share the pid namespace with its parent container. The container will have its own pid namespace if the ContainerInfo.linux_info.share_pid_namespace field is set to false (the default).
As a security measure, operators can disallow any container from sharing the agent's PID namespace by setting an agent flag for that purpose to true. If this agent flag is set to true and a framework requests to launch a top-level container that shares its pid namespace with the agent, the container launch will be rejected. Nested containers that share their parent container's namespace are not affected by this flag.
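The following is an added model of the launch-time rules described above (the --isolation requirement, the share_pid_namespace semantics for top-level and nested containers, and the operator-level rejection); it is illustration code, not Mesos source. The ContainerInfo.linux_info.share_pid_namespace field is taken from the page; the operator flag name --disallow_sharing_agent_pid_namespace is assumed here because the page text does not show it. The last helper reads the kernel's pid-namespace identity from /proc, which is how a practitioner confirms on a running agent that a task really landed in a separate namespace.

```python
"""Model of the namespaces/pid launch-time policy (added illustration, not Mesos code)."""
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

AGENT_NS = "agent"  # label for the agent's own pid namespace


class LaunchRejected(Exception):
    """The modeled agent refuses this container launch."""


@dataclass(frozen=True)
class AgentFlags:
    isolation: Tuple[str, ...]                          # --isolation, split on ','
    disallow_sharing_agent_pid_namespace: bool = False  # assumed flag name (not on the page)


@dataclass(frozen=True)
class Launch:
    container_id: str
    parent_id: Optional[str]   # None for a top-level container
    share_pid_namespace: bool  # ContainerInfo.linux_info.share_pid_namespace


def parse_isolation(value: str) -> Tuple[str, ...]:
    """Split an --isolation=a,b,c value into isolator names."""
    return tuple(p.strip() for p in value.split(",") if p.strip())


def validate_agent_flags(flags: AgentFlags) -> None:
    """namespaces/pid is only valid together with filesystem/linux."""
    if "namespaces/pid" in flags.isolation and "filesystem/linux" not in flags.isolation:
        raise ValueError("--isolation=namespaces/pid requires filesystem/linux")


def resolve_pid_namespace(flags: AgentFlags, launch: Launch,
                          running: Dict[str, str]) -> str:
    """Decide which pid namespace `launch` runs in and record it in `running`.

    Returns AGENT_NS, the id of the container whose namespace is shared,
    or the container's own id when it gets a fresh namespace.
    """
    validate_agent_flags(flags)
    if "namespaces/pid" not in flags.isolation:
        ns = AGENT_NS                      # isolator off: no pid separation at all
    elif not launch.share_pid_namespace:
        ns = launch.container_id           # default: its own pid namespace
    elif launch.parent_id is None:
        if flags.disallow_sharing_agent_pid_namespace:
            raise LaunchRejected(
                f"{launch.container_id}: top-level container may not share "
                "the agent's pid namespace")
        ns = AGENT_NS                      # top-level + share: the agent's namespace
    else:
        if launch.parent_id not in running:
            # Model-level check: a nested container needs a running parent.
            raise LaunchRejected(f"{launch.container_id}: unknown parent {launch.parent_id}")
        ns = running[launch.parent_id]     # nested + share: whatever the parent uses
    running[launch.container_id] = ns
    return ns


def pid_namespace_of(pid: int) -> Optional[str]:
    """Kernel pid-namespace identity of `pid` on Linux, e.g. 'pid:[4026531836]'.

    Read this inside a task and for the agent process; differing values mean
    the isolator is in effect. Returns None where /proc or the pid is absent.
    """
    try:
        return os.readlink(f"/proc/{pid}/ns/pid")
    except OSError:
        return None


if __name__ == "__main__":
    flags = AgentFlags(parse_isolation("filesystem/linux,namespaces/pid"),
                       disallow_sharing_agent_pid_namespace=True)
    running: Dict[str, str] = {}
    print(resolve_pid_namespace(flags, Launch("c1", None, False), running))    # c1
    print(resolve_pid_namespace(flags, Launch("c1.n1", "c1", True), running))  # c1
    try:
        resolve_pid_namespace(flags, Launch("c2", None, True), running)
    except LaunchRejected as err:
        print("rejected:", err)
    print(pid_namespace_of(os.getpid()))
```

The registry is what makes the nested case honest: a nested container that asks to share gets the namespace its parent actually ended up in, which is the agent's namespace only if the parent was a top-level container that was permitted to share it.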