
Re: Socket activation

On Wed, Aug 28, 2013 at 9:28 AM, Krishna Raman <kraman gmail com> wrote:
> So this is the current plan:
> 1) Idle the container and have sockets for each cartridge listening on a 169.254.*.* address on the container
> 2) When a SYN request comes in, the container is unidled and the openshift container init process is started
> 3) Process triggers changes in IPtables which sets up a forwarding rule from the 169.254.*.* to the NAT'd address the cartridge is listening on
>         - SYN times out, and tcp retry sends another SYN which is sent to the cartridge
>         - connection is established as usual

I just got back from Burning Man, so I can reply now.

I share Clayton's concern about SYN-based un-idling. I manage the
network at my office with smart routers and switches, and their
failure-detection might trip if SYNs consistently get ignored.

Have you looked into environment-based socket passing with a shim like
socat? socat already supports specifying a socket using a file
descriptor, and it can forward to and from sockets in the container's
network namespace. It seems like it would be equivalent in
functionality and compatibility with SYN timeout and iptables but
without breaking the TCP spec or requiring global firewall changes at
container start-up time.

David Strauss
   | david davidstrauss net
   | +1 512 577 5827 [mobile]
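The socket-passing alternative described in the reply above, as an added illustration that is not code from this thread, from OpenShift or from socat: a Python shim stands in for socat, the listening socket is either inherited as fd 3 (systemd's LISTEN_FDS convention, an assumption the thread does not mention) or created locally, and the "cartridge" is a constructed echo server on loopback rather than a process in the container's network namespace. The point it shows is that the kernel completes the handshake and queues the connection in the listener's backlog while the backend is still idle, so no SYN is ever dropped.

```python
import contextlib, os, socket, threading

def pump(src, dst):
    # Copy src -> dst until EOF, then half-close dst so the far side sees EOF as well.
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    finally:
        with contextlib.suppress(OSError):
            dst.shutdown(socket.SHUT_WR)

def start_backend():
    # Stand-in for the cartridge: a constructed echo server that is started on demand.
    # (The real backend would sit in the container's network namespace.)
    srv = socket.create_server(("127.0.0.1", 0), backlog=8)
    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=pump, args=(conn, conn), daemon=True).start()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()

def activated_listener():
    # Use the listening socket inherited as fd 3 (systemd's LISTEN_FDS convention) if the
    # activator passed one; otherwise create our own so the example runs stand-alone.
    if os.environ.get("LISTEN_FDS") == "1":
        return socket.socket(fileno=3)
    return socket.create_server(("127.0.0.1", 0), backlog=8)

def shim(listener):
    # Accept one queued connection, unidle the backend only now, then splice both ways.
    client, _ = listener.accept()
    upstream = socket.create_connection(start_backend())
    t = threading.Thread(target=pump, args=(client, upstream))
    t.start()
    pump(upstream, client)
    t.join()

def demo(payload=b"hello"):
    # Client connects and sends BEFORE anything calls accept(): the kernel queues it, no SYN lost.
    listener = activated_listener()
    client = socket.create_connection(listener.getsockname())
    client.sendall(payload)
    client.shutdown(socket.SHUT_WR)
    worker = threading.Thread(target=shim, args=(listener,))
    worker.start()
    reply = b"".join(iter(lambda: client.recv(4096), b""))
    worker.join()
    return reply
```

Contrast this with the SYN-drop plan: here the client's connect() returns immediately because the listener exists, and the only latency added is the backend start-up that happens inside shim().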
