From: ebiederm@xmission.com (Eric W. Biederman)
To: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com>
Cc: Glauber Costa <glommer@parallels.com>,
Linux Containers <containers@lists.osdl.org>,
netdev@vger.kernel.org, David Miller <davem@davemloft.net>,
Pavel Emelyanov <xemul@parallels.com>
Subject: Re: [RFC] per-containers tcp buffer limitation
Date: Wed, 24 Aug 2011 19:16:38 -0700 [thread overview]
Message-ID: <m14o16qlq1.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <20110825104956.41c4b60e.kamezawa.hiroyu@jp.fujitsu.com> (KAMEZAWA Hiroyuki's message of "Thu, 25 Aug 2011 10:49:56 +0900")
KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> writes:
> On Wed, 24 Aug 2011 22:28:59 -0300
> Glauber Costa <glommer@parallels.com> wrote:
>
>> On 08/24/2011 09:35 PM, Eric W. Biederman wrote:
>> > Glauber Costa<glommer@parallels.com> writes:
>> Hi Eric,
>>
>> Thanks for your attention.
>>
>> So, this that you propose was my first implementation. I ended up
>> throwing it away after playing with it for a while.
>>
>> One of the first problems that arise from that, is that the sysctls are
>> a tunable visible from inside the container. Those limits, however, are
>> to be set from the outside world. The code is not much better than that
>> either, and instead of creating new cgroup structures and linking them
>> to the protocol, we end up doing it for net ns. We end up increasing
>> structures just the same...
You don't need to add a netns member to sockets.
But I do agree that there are odd permission issues with using the
existing sysctls and making them per namespace.
However almost everything I have seen with memory limits I have found
very strange. They all seem like a very bad version of disabling memory
over commits.
>> Also, since we're doing resource control, it seems more natural to use
>> cgroups. Now, the fact that there are no correlation whatsoever between
>> cgroups and namespaces does bother me. But that's another story, much
>> more broader and general than this patch.
>>
>
> I think using cgroup makes sense. A question in mind is whehter it is
> better to integrate this kind of 'memory usage' controls to memcg or
> not.
Maybe. When sockets start getting a cgroup member I start wondering,
how many cgroup members will sockets potentially belong to.
> How do you think ? IMHO, having cgroup per class of object is messy.
> ...
> How about adding
> memory.tcp_mem
> to memcg ?
>
> Or, adding kmem cgroup ?
>
>> About overhead, since this is the first RFC, I did not care about
>> measuring. However, it seems trivial to me to guarantee that at least
>> that it won't impose a significant performance penalty when it is
>> compiled out. If we're moving forward with this implementation, I will
>> include data in the next release so we can discuss in this basis.
>>
>
> IMHO, you should show performance number even if RFC. Then, people will
> see patch with more interests.
And also compiled out doesn't really count. Cgroups are something you
want people to compile into distributions for the common case, and you
don't want to impose a noticeable performance penalty for the common
case.
Eric
next prev parent reply other threads:[~2011-08-25 2:16 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-24 22:54 [RFC] per-containers tcp buffer limitation Glauber Costa
2011-08-24 22:54 ` Glauber Costa
2011-08-25 0:35 ` Eric W. Biederman
2011-08-25 0:35 ` Eric W. Biederman
2011-08-25 1:28 ` Glauber Costa
2011-08-25 1:28 ` Glauber Costa
2011-08-25 1:49 ` KAMEZAWA Hiroyuki
2011-08-25 2:16 ` Eric W. Biederman [this message]
[not found] ` <m14o16qlq1.fsf-+imSwln9KH6u2/kzUuoCbdi2O/JbrIOy@public.gmane.org>
2011-08-25 12:55 ` Daniel Wagner
2011-08-25 15:05 ` Chris Friesen
2011-08-25 15:44 ` Stephen Hemminger
2011-08-25 18:11 ` Glauber Costa
2011-08-25 18:11 ` Glauber Costa
2011-08-25 18:33 ` Daniel Wagner
2011-08-25 18:33 ` Daniel Wagner
2011-08-25 18:45 ` Daniel Wagner
2011-08-25 18:27 ` Daniel Wagner
[not found] ` <4E56942A.3080905-kQCPcA+X3s7YtjvyW6yDsg@public.gmane.org>
2011-08-27 23:39 ` Matthew Helsley
2011-08-28 6:09 ` David Miller
2011-08-25 18:02 ` Glauber Costa
2011-08-25 18:02 ` Glauber Costa
2011-08-25 18:05 ` Glauber Costa
2011-08-25 18:05 ` Glauber Costa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m14o16qlq1.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=containers@lists.osdl.org \
--cc=davem@davemloft.net \
--cc=glommer@parallels.com \
--cc=kamezawa.hiroyu@jp.fujitsu.com \
--cc=netdev@vger.kernel.org \
--cc=xemul@parallels.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.