The Mesos Containerizer has several ‘filesystem’ isolators that are used to provide isolation for a container’s filesystems. Usually, each platform has a corresponding filesystem isolator associated with it, because the level of isolation depends on the capabilities of that platform.
Currently, the Mesos Containerizer supports the filesystem/posix and filesystem/linux isolators. The filesystem/shared isolator offers only a subset of the features provided by the filesystem/linux isolator and is broken on hosts with systemd (MESOS-6563); it is therefore not recommended and will be deprecated.
If you are using the Mesos Containerizer, at least one of the filesystem isolators needs to be specified through the --isolation flag. If a user does not specify any filesystem isolator, the Mesos Containerizer defaults to the filesystem/posix isolator.
Filesystem isolation is a prerequisite for all the container volume isolators because it provides basic functionality that the volume isolators depend on. For example, the filesystem/linux isolator creates a new mount namespace for the container, so that any volume mounts made by the volume isolators are hidden from the host mount namespace.
The filesystem isolator is also responsible for preparing persistent volumes for containers.
filesystem/posix isolator

The filesystem/posix isolator works on all POSIX systems. It isolates container sandboxes and persistent volumes using UNIX file permissions.
All containers share the same host filesystem. As a result, if you want to specify a container image for the container, you cannot use this isolator; use the filesystem/linux isolator instead.
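The rules stated above (a missing filesystem isolator falls back to filesystem/posix, filesystem/shared is broken on systemd hosts and slated for deprecation, and container images require filesystem/linux) are easy to get wrong in an agent's startup flags. The following POSIX shell functions are an added example, not part of Mesos or its documentation: they take a candidate --isolation value, report which filesystem isolator would actually be in effect, and fail when the choice is incompatible with the deployment. The platform name is passed in as a parameter (defaulting to `uname -s`) so the check can be run for a host other than the one executing it; the "uses images" flag is an assumption about how an operator would describe their workloads, not a Mesos option.

```shell
#!/bin/sh
# Added example (not Mesos code): sanity-check a mesos-agent --isolation value
# against the documented filesystem isolator rules.

# Print the filesystem isolator that would be in effect for a comma-separated
# --isolation list. Mirrors the documented rule: if none is listed, the Mesos
# Containerizer falls back to filesystem/posix. The last one listed wins here,
# which is a simplification of this example, not documented Mesos behaviour.
effective_fs_isolator() {
    _list="$1"
    _found=""
    _old_ifs="$IFS"
    IFS=','
    for _iso in $_list; do
        case "$_iso" in
            filesystem/posix|filesystem/linux|filesystem/shared)
                _found="$_iso"
                ;;
        esac
    done
    IFS="$_old_ifs"
    if [ -z "$_found" ]; then
        _found="filesystem/posix"   # documented default when none is given
    fi
    printf '%s\n' "$_found"
}

# Return 0 when the effective isolator fits the deployment, 1 otherwise.
#   $1 = --isolation value
#   $2 = "yes" if tasks will use container images (assumed operator input)
#   $3 = platform name as printed by `uname -s` (defaults to the local host)
check_fs_isolation() {
    _fs=$(effective_fs_isolator "$1")
    _uses_image="$2"
    _platform="${3:-$(uname -s)}"
    _status=0
    case "$_fs" in
        filesystem/shared)
            echo "warn: filesystem/shared is broken on systemd hosts (MESOS-6563) and will be deprecated; use filesystem/linux" >&2
            _status=1
            ;;
        filesystem/posix)
            # filesystem/posix shares the host filesystem with every container,
            # so it cannot provide a per-container image.
            if [ "$_uses_image" = "yes" ]; then
                echo "error: container images require filesystem/linux, not filesystem/posix" >&2
                _status=1
            fi
            ;;
        filesystem/linux)
            if [ "$_platform" != "Linux" ]; then
                echo "error: filesystem/linux works only on Linux (got $_platform)" >&2
                _status=1
            fi
            ;;
    esac
    return $_status
}

# Usage: check_fs_isolation 'filesystem/linux,docker/runtime,cgroups/cpu' yes
```

Run `check_fs_isolation` with the exact string you intend to pass as --isolation before restarting agents; a non-zero exit means the flags would silently fall back to filesystem/posix or select an isolator the platform or workload cannot use.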
The filesystem/posix isolator handles persistent volumes by creating symlinks in the container’s sandbox that point to the actual persistent volumes on the host filesystem.
filesystem/linux isolator

The filesystem/linux isolator works only on Linux. It isolates the filesystems of containers using the following primitives:
Each container is allowed to define its own image. If a container image is specified, by default, the container won’t be able to see files and directories on the host filesystem.
The filesystem/linux isolator handles persistent volumes by bind mounting them into the container’s sandbox.