From: Herbert Poetzl <herbert@13thfloor.at>
To: Daniel Lezcano <dlezcano@fr.ibm.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
	Dmitry Mishin <dim@openvz.org>,
	netdev@vger.kernel.org,
	Linux Containers <containers@lists.osdl.org>,
	hadi@cyberus.ca, Stephen Hemminger <shemminger@osdl.org>
Subject: Re: Network virtualization/isolation
Date: Wed, 29 Nov 2006 06:58:57 +0100
Message-ID: <20061129055857.GJ2826@MAIL.13thfloor.at>
In-Reply-To: <456C9B8C.1010701@fr.ibm.com>

On Tue, Nov 28, 2006 at 09:26:52PM +0100, Daniel Lezcano wrote:
> Eric W. Biederman wrote:
>  > I do not want to get into a big debate on the merits of various
>  > techniques at this time.  We seem to be in basic agreement
>  > about what we are talking about.
>  >
>  > There is one thing I think we can all agree upon.
>  > - Everything except isolation at the network device/L2 layer does not
>  >   allow guests to have the full power of the linux networking stack.
> Agree.
>  >
>  > - There has been a demonstrated use for the full power of the linux
>  >   networking stack in containers..
> Agree.
>  >
>  > - There are a set of techniques which look as though they will give
>  >   us full speed when we do isolation of the network stack at the
>  >   network device/L2 layer.
> Agree.
> 
>  > Is there any reason why we don't want to implement network namespaces
>  > without the full power of the linux network stack?
> Don't get me wrong, I never said layer 2 should not be used. I am only
> arguing that a layer 3 should use the mechanism provided by layer 2 and
> use a subset of it, like the sockets virtualization/isolation.
> 
> Just IP isolation for lightweight containers, applications containers in
> order to have mobility.
> 
>  > If there is a case where we clearly don't want the full power of the
>  > linux network stack in a guest but we still need a namespace we can
>  > start looking at the merits of the alternatives.
> Dmitry and I are looking for an l3 based on a subset of the l2 and
> according to Herbert's needs.
> If we can provide an l3 isolation based on the l2 which:
>   - does not collide with l2
>   - fits the needs of Herbert
>   - allows migration
>   - uses common code between l2 and l3
> should that not be sufficient to justify having an l3 with the l2 
> isolation?

sounds good to me ...

>  >> What is this new paradigm you are talking about ?
>  >
>  > The basic point is this.  The less like stock linux the inside of a
>  > container looks, and the more of a special case it is the more
>  > confusing it is.  The classic example is that for a system container
>  > routing packets between containers over the loopback interface is
>  > completely unexpected.
> 
> Right for system containers, but not necessarily for application containers.

yep

best,
Herbert

>  >> There is no extra networking data structure instantiation in
>  >> Daniel's L3.
>  > Nope just an extra field which serves the same purpose.
>  >
>  >>> - Bind/Connect/Accept filtering.  There are so few places in
>  >>>   the code this is easy to maintain without sharing code with
>  >>>   everyone else.
>  >> For isolation too ? Can we build network migration on top of that ?
> 
>  > As long as you can take your globally visible network address with you
>  > when you migrate you can build network migration on top of it.  So yes
>  > bind/accept filtering is sufficient to implement migration, if you are
>  > only using IP based protocols.
> 
> When you migrate an application, you must clean up the related sockets on
> the source machine. The cleanup can not rely on the IP addresses because
> you will not be able to discriminate all the sockets related to the
> container. Another issue is the network objects' life-cycle: the
> container will die when the application finishes, but the timewait
> sockets will stay until all data are flushed to the peer. You can not
> restart a new container with the same IP address, so you need to monitor
> the sockets before relaunching a new container or unmounting the aliased
> interface associated with the container. You need a ref count for the
> container, and this refcount is exactly what the network namespace has.
> Another example: you can not have several applications binding to
> INADDR_ANY:port without conflict. The multiport instantiation is exactly
> what the sockets isolation/virtualization with the l2/l3 brings.
> 
> _______________________________________________
> Containers mailing list
> Containers@lists.osdl.org
> https://lists.osdl.org/mailman/listinfo/containers
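The INADDR_ANY:port collision and the per-namespace port space argued over above, as an added example that is not code from this thread or from any of the L2/L3 patch sets it debates. It assumes a Linux host and lets the kernel pick the port so the demo does not clash with real listeners; the names `run_bind_experiment`, `bind_tcp` and `try_bind` are chosen here. The network-namespace step needs either unprivileged user namespaces or CAP_SYS_ADMIN and reports "not testable here" when neither is available, and the 127.0.0.1 case is skipped where lo carries no address:

```c
/* Added illustration, not code from the thread: in one shared stack two
 * "containers" cannot both bind INADDR_ANY:P (nor INADDR_ANY:P and
 * 127.0.0.1:P), while a separate network namespace gives P its own bind
 * table. Linux only; the kernel picks P. Namespace creation may need
 * privileges, which is reported rather than treated as a failure. */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef CLONE_NEWNET             /* <linux/sched.h> values, in case sched.h */
#define CLONE_NEWNET  0x40000000 /* was included without GNU extensions     */
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
int unshare(int flags);

/* Bind a fresh TCP socket (no SO_REUSEADDR) to addr:port; fd or -errno. */
static int bind_tcp(const char *addr, uint16_t port)
{
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1)
        return -EINVAL;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

/* Port the kernel assigned when we bound port 0. */
static uint16_t bound_port(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    return getsockname(fd, (struct sockaddr *)&sin, &len) == 0 ? ntohs(sin.sin_port) : 0;
}

/* Try one bind and close it again: 0 on success, else the errno. */
static int try_bind(const char *addr, uint16_t port)
{
    int fd = bind_tcp(addr, port);
    if (fd < 0)
        return -fd;
    close(fd);
    return 0;
}

/* Each field: 0 = bind succeeded, >0 = errno from bind(2),
 * -1 = that experiment could not be run in this environment. */
struct bind_results {
    int second_wildcard; /* INADDR_ANY:P while INADDR_ANY:P is held, same stack */
    int specific_on_top; /* 127.0.0.1:P while INADDR_ANY:P is held, same stack  */
    int in_new_netns;    /* INADDR_ANY:P after unshare(CLONE_NEWNET)            */
};

struct bind_results run_bind_experiment(void)
{
    struct bind_results r = { -1, -1, -1 };
    int pipefd[2];

    /* "Container A" takes INADDR_ANY on a kernel-chosen ephemeral port P. */
    int a = bind_tcp("0.0.0.0", 0);
    if (a < 0)
        return r;
    uint16_t p = bound_port(a);

    /* "Container B", same stack: the bind table is shared and INADDR_ANY
     * overlaps every local address, so both attempts get EADDRINUSE. */
    r.second_wildcard = try_bind("0.0.0.0", p);
    if (try_bind("127.0.0.1", 0) == 0)
        r.specific_on_top = try_bind("127.0.0.1", p);

    /* Same P in a fresh network namespace: its own bind table, so it works.
     * Done in a child so the parent keeps its namespace. CLONE_NEWUSER lets
     * an unprivileged caller own the new netns; plain CLONE_NEWNET is the
     * fallback for a root caller. */
    if (pipe(pipefd) == 0) {
        pid_t pid = fork();
        if (pid == 0) {
            int res = -1;
            if (unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0 || unshare(CLONE_NEWNET) == 0)
                res = try_bind("0.0.0.0", p);
            _exit(write(pipefd[1], &res, sizeof res) == (ssize_t)sizeof res ? 0 : 1);
        }
        close(pipefd[1]);
        if (pid > 0) {
            if (read(pipefd[0], &r.in_new_netns, sizeof r.in_new_netns) != (ssize_t)sizeof r.in_new_netns)
                r.in_new_netns = -1;
            waitpid(pid, NULL, 0);
        }
        close(pipefd[0]);
    }
    close(a);
    return r;
}

static const char *describe(int e)
{
    return e == 0 ? "ok" : e < 0 ? "not testable here" : strerror(e);
}

int main(void)
{
    struct bind_results r = run_bind_experiment();
    printf("same stack, INADDR_ANY:P again: %s\n", describe(r.second_wildcard));
    printf("same stack, 127.0.0.1:P on top: %s\n", describe(r.specific_on_top));
    printf("new netns,  INADDR_ANY:P:       %s\n", describe(r.in_new_netns));
    return 0;
}
```

Build with `cc -o bind_demo bind_demo.c && ./bind_demo`. The first two lines come back as "Address already in use": a wildcard bind owns the port for every local address, which is why address-based (L3) filtering alone cannot let two containers each bind INADDR_ANY:P. The third line is "ok" wherever the process may create a network namespace, which is the "multiport instantiation" the message above attributes to socket isolation: a separate stack, and with it a separate bind table.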

Thread overview: 68+ messages
2006-10-25 15:51 Network virtualization/isolation Daniel Lezcano
2006-10-23 20:01 ` Stephen Hemminger
2006-10-26  9:44   ` Daniel Lezcano
2006-10-26 15:56     ` Stephen Hemminger
2006-10-26 22:16       ` Daniel Lezcano
2006-10-27  7:34       ` Dmitry Mishin
2006-10-27  9:10         ` Daniel Lezcano
2006-11-01 14:35           ` jamal
2006-11-01 16:13             ` Daniel Lezcano
2006-11-14 15:17             ` Daniel Lezcano
2006-11-14 18:12               ` James Morris
2006-11-15  9:56                 ` Daniel Lezcano
2006-11-22 12:00               ` Daniel Lezcano
2006-11-25  9:09               ` Eric W. Biederman
2006-11-28 14:15                 ` Daniel Lezcano
2006-11-28 16:51                   ` Eric W. Biederman
2006-11-28 17:37                     ` Herbert Poetzl
2006-11-28 20:26                     ` Daniel Lezcano
2006-11-28 21:50                       ` Eric W. Biederman
2006-11-29  5:54                         ` Herbert Poetzl
2006-11-29 20:21                         ` Brian Haley
2006-11-29 22:10                           ` [Devel] " Daniel Lezcano
2006-11-30 16:15                             ` Vlad Yasevich
2006-11-30 16:38                               ` Daniel Lezcano
2006-11-30 17:24                                 ` Herbert Poetzl
2006-12-03 12:26                             ` jamal
2006-12-03 14:13                               ` jamal
2006-12-03 16:00                                 ` Eric W. Biederman
2006-12-04 15:19                                   ` Dmitry Mishin
2006-12-04 15:45                                     ` Eric W. Biederman
2006-12-04 16:43                                     ` Herbert Poetzl
2006-12-04 16:58                                       ` Eric W. Biederman
2006-12-04 17:02                                       ` Dmitry Mishin
2006-12-04 17:19                                         ` Herbert Poetzl
2006-12-04 17:41                                         ` Daniel Lezcano
2006-12-04 12:15                                 ` Eric W. Biederman
2006-12-04 13:44                                   ` jamal
2006-12-04 15:35                                     ` Eric W. Biederman
2006-12-04 16:00                                       ` Dmitry Mishin
2006-12-04 16:52                                         ` Eric W. Biederman
2006-12-06 11:54                                           ` [Devel] " Kirill Korotaev
2006-12-06 18:30                                             ` Herbert Poetzl
2006-12-08 19:57                                               ` Eric W. Biederman
2006-12-09  3:50                                                 ` Herbert Poetzl
2006-12-09  6:13                                                   ` Andrew Morton
2006-12-09  6:35                                                     ` Herbert Poetzl
2006-12-09 21:18                                                       ` Dmitry Mishin
2006-12-09 22:34                                                       ` Kir Kolyshkin
2006-12-10  2:21                                                         ` Herbert Poetzl
2006-12-09  8:07                                                   ` Eric W. Biederman
2006-12-09 11:27                                                   ` Tomasz Torcz
2006-12-09 19:04                                                     ` Herbert Poetzl
2006-12-03 16:37                               ` Herbert Poetzl
2006-12-03 16:58                                 ` jamal
2006-12-04 10:18                               ` Daniel Lezcano
2006-12-04 13:22                                 ` jamal
2006-12-02 11:29                         ` Kari Hurtta
2006-12-02 11:49                           ` Kari Hurtta
2006-11-29  5:58                       ` Herbert Poetzl [this message]
2006-11-25  8:21             ` Eric W. Biederman
2006-11-26 18:34               ` Herbert Poetzl
2006-11-26 19:41                 ` Ben Greear
2006-11-26 20:52                 ` Eric W. Biederman
2006-11-25  8:27       ` Eric W. Biederman
  -- strict thread matches above, loose matches on Subject: below --
2006-11-25 16:35 Leonid Grossman
2006-11-25 19:26 ` Eric W. Biederman
2006-11-25 22:17 Leonid Grossman
2006-11-25 23:16 ` Eric W. Biederman