From: Daniel Lezcano <dlezcano@fr.ibm.com>
To: Caitlin Bestler <caitlinb@broadcom.com>
Cc: ebiederm@xmission.com, Kir Kolyshkin <kir@openvz.org>,
devel@openvz.org, Andrey Savochkin <saw@sw.ru>,
alexey@sw.ru, Linux Containers <containers@lists.osdl.org>,
netdev@vger.kernel.org, sam@vilain.net
Subject: Re: [RFC] network namespaces
Date: Thu, 07 Sep 2006 10:25:56 +0200 [thread overview]
Message-ID: <44FFD794.7010802@fr.ibm.com> (raw)
In-Reply-To: <54AD0F12E08D1541B826BE97C98F99F1963B59@NT-SJCA-0751.brcm.ad.broadcom.com>
Caitlin Bestler wrote:
> ebiederm@xmission.com wrote:
>
>
>>>Finally, as I understand both network isolation and network
>>>virtualization (both level2 and level3) can happily co-exist. We do
>>>have several filesystems in kernel. Let's have several network
>>>virtualization approaches, and let a user choose. Is that makes
>>>sense?
>>
>>If there are not compelling arguments for using both ways of
>>doing it is silly to merge both, as it is more maintenance overhead.
>>
>
>
> My reading is that full virtualization (Xen, etc.) calls for
> implementing
> L2 switching between the partitions and the physical NIC(s).
>
> The tradeoffs between L2 and L3 switching are indeed complex, but
> there are two implications of doing L2 switching between partitions:
>
> 1) Do we really want to ask device drivers to support L2 switching for
> partitions and something *different* for containers?
>
> 2) Do we really want any single packet to traverse an L2 switch (for
> the partition-style virtualization layer) and then an L3 switch
> (for the container-style layer)?
>
> The full virtualization solution calls for virtual NICs with distinct
> MAC addresses. Is there any reason why this same solution cannot work
> for containers (just creating more than one VNIC for the partition,
> and then assigning each VNIC to a container?)
IHMO, I think there is one reason. The unsharing mechanism is not only
for containers, its aim other kind of isolation like a "bsdjail" for
example. The unshare syscall is flexible, shall the network unsharing be
one-block solution ? For example, we want to launch an application using
TCP/IP and we want to have an IP address only used by the application,
nothing more.
With a layer 2, we must after unsharing:
1) create a virtual device into the application namespace
2) assign an IP address
3) create a virtual device pass-through in the root namespace
4) set the virtual device IP
All this stuff, need a lot of administration (check mac addresses
conflicts, check interface names collision in root namespace, ...) for a
simple network isolation.
With a layer 3:
1) assign an IP address
In the other hand, a layer 3 isolation is not sufficient to reach the
level of isolation/virtualization needed for the system containers.
Very soon, I will commit more info at:
http://wiki.openvz.org/Containers/Networking
So the consensus is based on the fact that there is a lot of common code
for the layer 2 and layer 3 isolation/virtualization and we can find a
way to merge the 2 implementation in order to have a flexible network
virtualization/isolation.
-- Regards
Daniel.
next prev parent reply other threads:[~2006-09-07 8:26 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-08-15 14:20 [RFC] network namespaces Andrey Savochkin
2006-08-15 14:48 ` [PATCH 1/9] network namespaces: core and device list Andrey Savochkin
2006-08-16 14:46 ` Dave Hansen
2006-08-16 16:45 ` Stephen Hemminger
2006-08-15 14:48 ` [PATCH 2/9] network namespaces: IPv4 routing Andrey Savochkin
2006-08-15 14:48 ` [PATCH 3/9] network namespaces: playing and debugging Andrey Savochkin
2006-08-16 16:46 ` Stephen Hemminger
2006-08-16 17:22 ` Eric W. Biederman
2006-08-17 6:28 ` Andrey Savochkin
2006-08-17 8:30 ` Kirill Korotaev
2006-08-15 14:48 ` [PATCH 4/9] network namespaces: socket hashes Andrey Savochkin
2006-09-18 15:12 ` Daniel Lezcano
2006-09-20 16:32 ` Andrey Savochkin
2006-09-21 12:34 ` Daniel Lezcano
2006-08-15 14:48 ` [PATCH 5/9] network namespaces: async socket operations Andrey Savochkin
2006-09-22 15:33 ` Daniel Lezcano
2006-09-23 13:16 ` Andrey Savochkin
2006-08-15 14:48 ` [PATCH 6/9] allow proc_dir_entries to have destructor Andrey Savochkin
2006-08-15 14:48 ` [PATCH 7/9] net_device seq_file Andrey Savochkin
2006-08-15 14:48 ` [PATCH 8/9] network namespaces: device to pass packets between namespaces Andrey Savochkin
2006-08-15 14:48 ` [PATCH 9/9] network namespaces: playing with pass-through device Andrey Savochkin
2006-08-16 11:53 ` [RFC] network namespaces Serge E. Hallyn
2006-08-16 15:12 ` Alexey Kuznetsov
2006-08-16 17:35 ` Eric W. Biederman
2006-08-17 8:29 ` Kirill Korotaev
2006-09-05 13:34 ` Daniel Lezcano
2006-09-05 14:45 ` Eric W. Biederman
2006-09-05 15:32 ` Daniel Lezcano
2006-09-05 16:53 ` Herbert Poetzl
2006-09-05 18:27 ` Eric W. Biederman
2006-09-06 14:52 ` Kirill Korotaev
2006-09-06 15:09 ` [Devel] " Kir Kolyshkin
2006-09-06 9:10 ` Daniel Lezcano
2006-09-06 16:56 ` Herbert Poetzl
2006-09-06 17:37 ` [Devel] " Kir Kolyshkin
2006-09-06 18:34 ` Eric W. Biederman
2006-09-06 18:58 ` Kir Kolyshkin
2006-09-06 20:53 ` Cedric Le Goater
2006-09-06 23:06 ` Caitlin Bestler
2006-09-06 23:25 ` Eric W. Biederman
2006-09-07 0:53 ` Stephen Hemminger
2006-09-07 5:11 ` Eric W. Biederman
2006-09-07 8:25 ` Daniel Lezcano [this message]
2006-09-07 18:29 ` Eric W. Biederman
2006-09-08 6:02 ` Herbert Poetzl
2006-09-07 16:23 ` [Devel] " Kirill Korotaev
2006-09-07 17:27 ` Herbert Poetzl
2006-09-07 19:50 ` Eric W. Biederman
2006-09-08 13:10 ` Dmitry Mishin
2006-09-08 18:11 ` Herbert Poetzl
2006-09-09 7:57 ` Dmitry Mishin
2006-09-10 2:47 ` Herbert Poetzl
2006-09-10 3:41 ` Eric W. Biederman
2006-09-10 8:11 ` Dmitry Mishin
2006-09-10 11:48 ` Eric W. Biederman
2006-09-10 19:19 ` [Devel] " Herbert Poetzl
2006-09-10 7:45 ` Dmitry Mishin
2006-09-10 19:22 ` Herbert Poetzl
2006-09-12 3:26 ` Eric W. Biederman
2006-09-11 14:40 ` [Devel] " Daniel Lezcano
2006-09-11 14:57 ` Herbert Poetzl
2006-09-11 15:04 ` Daniel Lezcano
2006-09-11 15:10 ` Dmitry Mishin
2006-09-12 3:28 ` Eric W. Biederman
2006-09-12 7:38 ` Dmitry Mishin
2006-09-06 21:44 ` [Devel] " Daniel Lezcano
2006-09-06 17:58 ` Eric W. Biederman
2006-09-05 15:47 ` Kirill Korotaev
2006-09-05 17:09 ` Eric W. Biederman
2006-09-06 20:25 ` Cedric Le Goater
2006-09-06 20:40 ` Eric W. Biederman
2006-10-04 9:40 ` Daniel Lezcano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=44FFD794.7010802@fr.ibm.com \
--to=dlezcano@fr.ibm.com \
--cc=alexey@sw.ru \
--cc=caitlinb@broadcom.com \
--cc=containers@lists.osdl.org \
--cc=devel@openvz.org \
--cc=ebiederm@xmission.com \
--cc=kir@openvz.org \
--cc=netdev@vger.kernel.org \
--cc=sam@vilain.net \
--cc=saw@sw.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.