From: Daniel Lezcano <dlezcano@fr.ibm.com>
To: Andrey Savochkin <saw@swsoft.com>
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
serue@us.ibm.com, haveblue@us.ibm.com, clg@fr.ibm.com,
Andrew Morton <akpm@osdl.org>,
dev@sw.ru, herbert@13thfloor.at, devel@openvz.org,
sam@vilain.net, ebiederm@xmission.com, viro@ftp.linux.org.uk,
Alexey Kuznetsov <alexey@sw.ru>
Subject: Re: [patch 2/6] [Network namespace] Network device sharing by view
Date: Tue, 27 Jun 2006 13:21:02 +0200 [thread overview]
Message-ID: <44A1149E.6060802@fr.ibm.com> (raw)
In-Reply-To: <20060627133849.E13959@castle.nmd.msu.ru>
>>>My point is that if you make namespace tagging at routing time, and
>>>your packets are being routed only once, you lose the ability
>>>to have separate routing tables in each namespace.
>>
>>Right. What is the advantage of having separate the routing tables ?
>
>
> Routing is everything.
> For example, I want namespaces to have their private tunnel devices.
> It means that namespaces should be allowed have private routes of local type,
> private default routes, and so on...
>
Ok, we are talking about the same things. We do it only in a different way:
* separate routing table :
namespace
|
\--- route_tables
|
\---routes
* tagged routing table :
route_tables
|
\---routes
|
\---namespace
When using routes private to the namespace, globally the logic of the ip
stack is not changed, it manipulates only differents variables. It is
more clean than tagging the route for the reasons mentioned by Eric.
When using route tagging, the logic is changed because when doing lookup
on the routes table which is global, the namespace is used to match the
route and make it visible.
I use the second method, because I think it is more effecient and reduce
the overhead. But the isolation is minimalist and only aims to avoid the
application using ressources outside of the container (aka namespace)
without taking care of the system. For example, I didn't take care of
network devices, because as far as see I can't imagine an administrator
wanting to change the network device name while there are hundred of
containers running. Concerning tunnel devices for example, they should
be created inside the container.
I think, private network ressources method is more elegant and involves
more network ressources, but there is probably a significant overhead
and some difficulties to have __lightweight__ container (aka application
container), make nfs working well, etc... I did some tests with tbench
and the loopback with the private namespace and there is roughly an
overhead of 4 % without the isolation since with the tagging method
there is 1 % with the isolation.
The network namespace aims the isolation for now, but the container
based on the namespaces will probably need checkpoint/restart and
migration ability. The migration is needed not only for servers but for
HPC jobs too.
So I don't know what level of isolation/virtualization is really needed
by users, what should be acceptable (strong isolation and overhead /
weak isolation and efficiency). I don't know if people wanting strong
isolation will not prefer Xen (cleary with much more overhead than your
patches ;) )
Regards
-- Daniel
next prev parent reply other threads:[~2006-06-27 11:21 UTC|newest]
Thread overview: 113+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-06-09 21:02 [RFC] [patch 0/6] [Network namespace] introduction dlezcano
2006-06-09 21:02 ` [RFC] [patch 1/6] [Network namespace] Network namespace structure dlezcano
2006-06-09 21:02 ` [RFC] [patch 2/6] [Network namespace] Network device sharing by view dlezcano
2006-06-11 10:18 ` Andrew Morton
2006-06-18 18:53 ` Al Viro
2006-06-26 9:47 ` Andrey Savochkin
2006-06-26 13:02 ` Herbert Poetzl
2006-06-26 14:05 ` Eric W. Biederman
2006-06-26 14:08 ` Andrey Savochkin
2006-06-26 18:28 ` Herbert Poetzl
2006-06-26 18:59 ` Eric W. Biederman
2006-06-26 14:56 ` Daniel Lezcano
2006-06-26 15:21 ` Eric W. Biederman
2006-06-26 15:27 ` Andrey Savochkin
2006-06-26 15:49 ` Daniel Lezcano
2006-06-26 16:40 ` Eric W. Biederman
2006-06-26 18:36 ` Herbert Poetzl
2006-06-26 19:35 ` Eric W. Biederman
2006-06-26 20:02 ` Herbert Poetzl
2006-06-26 20:37 ` Eric W. Biederman
2006-06-26 21:26 ` Herbert Poetzl
2006-06-26 21:59 ` Ben Greear
2006-06-26 22:11 ` Eric W. Biederman
2006-06-27 9:09 ` Andrey Savochkin
2006-06-27 15:48 ` Herbert Poetzl
2006-06-27 16:19 ` Andrey Savochkin
2006-06-27 16:40 ` Eric W. Biederman
2006-06-26 22:13 ` Ben Greear
2006-06-26 22:54 ` Herbert Poetzl
2006-06-26 23:08 ` Ben Greear
2006-06-27 16:07 ` Ben Greear
2006-06-27 22:48 ` Herbert Poetzl
2006-06-27 9:11 ` Andrey Savochkin
2006-06-27 9:34 ` Daniel Lezcano
2006-06-27 9:38 ` Andrey Savochkin
2006-06-27 11:21 ` Daniel Lezcano [this message]
2006-06-27 11:52 ` Eric W. Biederman
2006-06-27 16:02 ` Herbert Poetzl
2006-06-27 16:47 ` Eric W. Biederman
2006-06-27 17:19 ` Ben Greear
2006-06-27 22:52 ` Herbert Poetzl
2006-06-27 23:12 ` Dave Hansen
2006-06-27 23:42 ` Alexey Kuznetsov
2006-06-28 3:38 ` Eric W. Biederman
2006-06-28 13:36 ` Herbert Poetzl
2006-06-28 13:53 ` jamal
2006-06-28 14:19 ` Andrey Savochkin
2006-06-28 16:17 ` jamal
2006-06-28 16:58 ` Andrey Savochkin
2006-06-28 17:17 ` Eric W. Biederman
2006-06-28 17:04 ` Herbert Poetzl
2006-06-28 14:39 ` Eric W. Biederman
2006-06-30 1:41 ` Sam Vilain
2006-06-29 21:07 ` Sam Vilain
2006-06-29 22:14 ` strict isolation of net interfaces Cedric Le Goater
2006-06-30 2:39 ` Serge E. Hallyn
2006-06-30 2:49 ` Sam Vilain
2006-07-03 14:53 ` Andrey Savochkin
2006-07-04 3:00 ` Sam Vilain
2006-07-04 12:29 ` Daniel Lezcano
2006-07-04 13:13 ` Sam Vilain
2006-07-04 13:19 ` Daniel Lezcano
2006-06-30 8:56 ` Cedric Le Goater
2006-07-03 13:36 ` Herbert Poetzl
2006-06-30 12:23 ` Daniel Lezcano
2006-06-30 14:20 ` Eric W. Biederman
2006-06-30 15:22 ` Daniel Lezcano
2006-06-30 17:58 ` Eric W. Biederman
2006-06-30 16:14 ` Serge E. Hallyn
2006-06-30 17:41 ` Eric W. Biederman
2006-06-30 18:09 ` Eric W. Biederman
2006-06-30 0:15 ` [patch 2/6] [Network namespace] Network device sharing by view jamal
2006-06-30 3:35 ` Herbert Poetzl
2006-06-30 7:45 ` Andrey Savochkin
2006-06-30 13:50 ` jamal
2006-06-30 15:01 ` Andrey Savochkin
2006-06-30 18:22 ` Eric W. Biederman
2006-06-30 21:51 ` jamal
2006-07-01 0:50 ` Eric W. Biederman
2006-06-28 14:21 ` Eric W. Biederman
2006-06-28 14:51 ` Eric W. Biederman
2006-06-27 16:49 ` Alexey Kuznetsov
2006-06-27 11:55 ` Andrey Savochkin
2006-06-27 9:54 ` Kirill Korotaev
2006-06-27 16:09 ` Herbert Poetzl
2006-06-27 16:29 ` Eric W. Biederman
2006-06-27 23:07 ` Herbert Poetzl
2006-06-28 4:07 ` Eric W. Biederman
2006-06-28 6:31 ` Sam Vilain
2006-06-28 14:15 ` Herbert Poetzl
2006-06-28 15:36 ` Eric W. Biederman
2006-06-28 17:18 ` Herbert Poetzl
2006-06-28 10:14 ` Cedric Le Goater
2006-06-28 14:11 ` Herbert Poetzl
2006-06-28 16:10 ` Eric W. Biederman
2006-07-06 9:45 ` Routing tables (Re: [patch 2/6] [Network namespace] Network device sharing by view) Kari Hurtta
2006-06-09 21:02 ` [RFC] [patch 3/6] [Network namespace] Network devices isolation dlezcano
2006-06-18 18:57 ` Al Viro
2006-06-09 21:02 ` [RFC] [patch 4/6] [Network namespace] Network inet " dlezcano
2006-06-09 21:02 ` [RFC] [patch 5/6] [Network namespace] ipv4 isolation dlezcano
2006-06-10 0:23 ` James Morris
2006-06-10 0:27 ` Rick Jones
2006-06-10 0:47 ` James Morris
2006-06-09 21:02 ` [RFC] [patch 6/6] [Network namespace] Network namespace debugfs dlezcano
2006-06-10 7:16 ` [RFC] [patch 0/6] [Network namespace] introduction Kari Hurtta
2006-06-16 4:23 ` Eric W. Biederman
2006-06-16 9:06 ` Daniel Lezcano
2006-06-16 9:22 ` Eric W. Biederman
2006-06-18 18:47 ` Al Viro
2006-06-20 21:21 ` Daniel Lezcano
2006-06-20 21:25 ` Al Viro
2006-06-20 22:45 ` Daniel Lezcano
2006-06-26 23:38 ` Patrick McHardy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=44A1149E.6060802@fr.ibm.com \
--to=dlezcano@fr.ibm.com \
--cc=akpm@osdl.org \
--cc=alexey@sw.ru \
--cc=clg@fr.ibm.com \
--cc=dev@sw.ru \
--cc=devel@openvz.org \
--cc=ebiederm@xmission.com \
--cc=haveblue@us.ibm.com \
--cc=herbert@13thfloor.at \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=sam@vilain.net \
--cc=saw@swsoft.com \
--cc=serue@us.ibm.com \
--cc=viro@ftp.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).