From: Dmitry Mishin <dim@openvz.org>
To: Stephen Hemminger <shemminger@osdl.org>
Cc: Daniel Lezcano <dlezcano@fr.ibm.com>, netdev@vger.kernel.org
Subject: Re: Network virtualization/isolation
Date: Fri, 27 Oct 2006 11:34:56 +0400
Message-ID: <200610271134.56830.dim@openvz.org>
In-Reply-To: <20061026085659.33b4c6dd@freekitty>

On Thursday 26 October 2006 19:56, Stephen Hemminger wrote:
> On Thu, 26 Oct 2006 11:44:55 +0200
>
> Daniel Lezcano <dlezcano@fr.ibm.com> wrote:
> > Stephen Hemminger wrote:
> > > On Wed, 25 Oct 2006 17:51:28 +0200
> > >
> > > Daniel Lezcano <dlezcano@fr.ibm.com> wrote:
> > >>Hi Stephen,
> > >>
> > >>currently the work to bring container enablement into the kernel is
> > >>making good progress. The ipc, pid, utsname and filesystem system
> > >>resources are isolated/virtualized relying on the namespaces concept.
> > >>
> > >>But the network virtualization/isolation is still missing. Two
> > >>approaches are proposed: doing the isolation at layer 2 and at
> > >>layer 3.
> > >>
> > >>The first one instantiates a network device per namespace and adds a peer
> > >>network device into the "root namespace"; all the routing resources
> > >> are relative to the namespace. This work is done by Andrey Savochkin
> > >> from the openvz project.
> > >>
> > >>The second relies on the routes and associates the network namespace
> > >>pointer with each route. When the traffic is incoming, the packet
> > >>follows an input route and retrieves the associated network namespace.
> > >>When the traffic is outgoing, the packet, identified by the network
> > >>namespace it is coming from, follows only the routes matching the same
> > >>network namespace. This work is done by me.
> > >>
> > >>IMHO, we need both approaches: the layer-2 one to be able to bring *very*
> > >>strong isolation for system containers with a performance cost, and a
> > >>layer-3 one to be able to have good isolation for lightweight containers or
> > >>application containers when performance is more important.
> > >>
> > >>Do you have some suggestions? What is your point of view on that?
> > >>
> > >>Thanks in advance.
> > >>
> > >>   -- Daniel
> > >
> > > Any solution should allow both and it should build on the existing
> > > netfilter infrastructure.
> >
> > The problem is netfilter can not give a good isolation, e.g. how can the
> > netstat command be handled? Or how to avoid seeing IP addresses assigned to
> > another container when doing ifconfig? Furthermore, one of the biggest
> > interests of the network isolation is to bring mobility with a container
> > and that can only be done if the network resources inside the kernel
> > can be identified by container in order to checkpoint/restart them.
> >
> > The all-in-namespace solution, i.e. at layer 2, is very good in terms of
> > isolation but it adds a non-negligible overhead. The layer 3 isolation
> > has an insignificant overhead, a good isolation perfectly adapted for
> > application containers.
> >
> > Unfortunately, from the point of view of implementation, layer 3 can not
> > be a subset of layer 2 isolation when using "all-in-namespace" and layer
> > 2 isolation can not be an extension of the layer 3 isolation.
> >
> > I think the layer 2 and the layer 3 implementations can coexist. You
> > can for example create a system container with a layer 2 isolation and
> > inside it add a layer 3 isolation.
> >
> > Does that make sense?
> >
> > 	-- Daniel
>
> Assuming you are talking about pseudo-virtualized environments,
> there are several different discussions.
>
> 1. How should the namespace be isolated for the virtualized containerized
>    applications?
>
> 2. How should traffic be restricted into/out of those containers. This
>    is where existing netfilter, classification, etc, should be used.
>    The network code is overly rich as it is, we don't need another
>    abstraction.
>
> 3. Can the virtualized containers be secure? No. We really can't keep
>    hostile root in a container from killing the system without going to
>    a hypervisor.
Stephen,

A virtualized container can be secure, if it is a complete system virtualization,
not just an application container. OpenVZ implements such a thing, and it is used
heavily all over the world. And of course, we care a lot about keeping hostile root
from killing the whole system.
 
OpenVZ uses virtualization on IP level (implemented by Andrey Savochkin, 
http://marc.theaimsgroup.com/?l=linux-netdev&m=115572448503723), with all
necessary network objects isolated/virtualized, such as sockets, devices, 
routes, netfilters, etc.

-- 
Thanks,
Dmitry.
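The layer-3 scheme Daniel describes above (a namespace pointer on every route, output lookups restricted to the sender's namespace, input lookups yielding the owning namespace) as an added simulation; this is not code from the thread, from OpenVZ or from the kernel, and the namespace labels, prefixes and next hops are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    netns: str            # namespace owning this route (constructed label)
    via: Optional[str]    # next hop, or None for a directly connected prefix


class NsRouteTable:
    """One routing table in which every route carries its network namespace."""

    def __init__(self, routes):
        self.routes = list(routes)

    @staticmethod
    def _longest_match(dst, routes):
        dst = ipaddress.IPv4Address(dst)
        candidates = [r for r in routes if dst in r.prefix]
        return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)

    def output_route(self, netns, dst):
        # Outgoing traffic: a packet originating in `netns` may only follow
        # routes tagged with the same namespace, so another container's
        # prefixes (and its default route) are invisible to it.
        return self._longest_match(dst, [r for r in self.routes if r.netns == netns])

    def classify_input(self, dst):
        # Incoming traffic: the directly connected route that matches the
        # destination tells which namespace the packet is delivered to.
        # Gateway routes are excluded so a default route never claims
        # foreign addresses for its namespace.
        local = [r for r in self.routes if r.via is None]
        best = self._longest_match(dst, local)
        return best.netns if best else None


# Constructed table: two containers, only ct1 has a default gateway.
TABLE = NsRouteTable([
    Route(ipaddress.IPv4Network("10.0.1.0/24"), "ct1", None),
    Route(ipaddress.IPv4Network("10.0.2.0/24"), "ct2", None),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "ct1", "10.0.1.1"),
])
```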
