From: Daniel Lezcano <dlezcano@fr.ibm.com>
To: hadi@cyberus.ca
Cc: devel@openvz.org, "Eric W. Biederman" <ebiederm@xmission.com>,
Linux Containers <containers@lists.osdl.org>,
Stephen Hemminger <shemminger@osdl.org>,
netdev@vger.kernel.org, Dmitry Mishin <dim@openvz.org>
Subject: Re: Network virtualization/isolation
Date: Mon, 04 Dec 2006 11:18:09 +0100 [thread overview]
Message-ID: <4573F5E1.8040606@fr.ibm.com> (raw)
In-Reply-To: <1165148762.3517.58.camel@localhost>
Hi Jamal,
thanks for taking the time read the document.
The objective of the document was not to convince one approach is better
than other. I wanted to show the pros and the cons of each approach and
to point that the 2 approaches are complementary.
Currently, there are some resources moved to a namespace relative
access, the IPC and the utsname and this is into the 2.6.19 kernel.
The work on the pid namespace is still in progress.
The idea is to use a "clone" approach relying on the "unshare_ns"
syscall. The syscall is called with a set of flags for pids, ipcs,
utsname, network ... You can then "unshare" only the network and have an
application into its own network environment.
For a l3 approach, like a l2, you can run an apache server into a
unshared network environment. Better, you can run several apaches server
into several network namespaces without modifying the server's network
configuration.
Some of us, consider l2 as perfectly adapted for some kind of containers
like system containers and some kind of application containers running
big servers, but find the l2 too much (seems to be a hammer to crush a
beetle) for simple network requirements like for network migration,
jails or containers which does not take care of such virtualization. For
example, you want to create thousands of containers for a cluster of HPC
jobs and just to have migration for these jobs. Does it make sense to
have l2 approach ?
Dmitry Mishin and I, we thought about a l2/l3 solution and we thing we
found a solution to have the 2 at runtime. Roughly, it is a l3 based on
bind filtering and socket isolation, very similar to what vserver
provides. I did a prototype, and it works well for IPV4/unicast.
So, considering, we have a l2 isolation/virtualization, and having a l3
relying on the l2 network isolation resources subset. Is it an
acceptable solution ?
-- Daniel
next prev parent reply other threads:[~2006-12-04 10:18 UTC|newest]
Thread overview: 68+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-25 15:51 Network virtualization/isolation Daniel Lezcano
2006-10-23 20:01 ` Stephen Hemminger
2006-10-26 9:44 ` Daniel Lezcano
2006-10-26 15:56 ` Stephen Hemminger
2006-10-26 22:16 ` Daniel Lezcano
2006-10-27 7:34 ` Dmitry Mishin
2006-10-27 9:10 ` Daniel Lezcano
2006-11-01 14:35 ` jamal
2006-11-01 16:13 ` Daniel Lezcano
2006-11-14 15:17 ` Daniel Lezcano
2006-11-14 18:12 ` James Morris
2006-11-15 9:56 ` Daniel Lezcano
2006-11-22 12:00 ` Daniel Lezcano
2006-11-25 9:09 ` Eric W. Biederman
2006-11-28 14:15 ` Daniel Lezcano
2006-11-28 16:51 ` Eric W. Biederman
2006-11-28 17:37 ` Herbert Poetzl
2006-11-28 20:26 ` Daniel Lezcano
2006-11-28 21:50 ` Eric W. Biederman
2006-11-29 5:54 ` Herbert Poetzl
2006-11-29 20:21 ` Brian Haley
2006-11-29 22:10 ` [Devel] " Daniel Lezcano
2006-11-30 16:15 ` Vlad Yasevich
2006-11-30 16:38 ` Daniel Lezcano
2006-11-30 17:24 ` Herbert Poetzl
2006-12-03 12:26 ` jamal
2006-12-03 14:13 ` jamal
2006-12-03 16:00 ` Eric W. Biederman
2006-12-04 15:19 ` Dmitry Mishin
2006-12-04 15:45 ` Eric W. Biederman
2006-12-04 16:43 ` Herbert Poetzl
2006-12-04 16:58 ` Eric W. Biederman
2006-12-04 17:02 ` Dmitry Mishin
2006-12-04 17:19 ` Herbert Poetzl
2006-12-04 17:41 ` Daniel Lezcano
2006-12-04 12:15 ` Eric W. Biederman
2006-12-04 13:44 ` jamal
2006-12-04 15:35 ` Eric W. Biederman
2006-12-04 16:00 ` Dmitry Mishin
2006-12-04 16:52 ` Eric W. Biederman
2006-12-06 11:54 ` [Devel] " Kirill Korotaev
2006-12-06 18:30 ` Herbert Poetzl
2006-12-08 19:57 ` Eric W. Biederman
2006-12-09 3:50 ` Herbert Poetzl
2006-12-09 6:13 ` Andrew Morton
2006-12-09 6:35 ` Herbert Poetzl
2006-12-09 21:18 ` Dmitry Mishin
2006-12-09 22:34 ` Kir Kolyshkin
2006-12-10 2:21 ` Herbert Poetzl
2006-12-09 8:07 ` Eric W. Biederman
2006-12-09 11:27 ` Tomasz Torcz
2006-12-09 19:04 ` Herbert Poetzl
2006-12-03 16:37 ` Herbert Poetzl
2006-12-03 16:58 ` jamal
2006-12-04 10:18 ` Daniel Lezcano [this message]
2006-12-04 13:22 ` jamal
2006-12-02 11:29 ` Kari Hurtta
2006-12-02 11:49 ` Kari Hurtta
2006-11-29 5:58 ` Herbert Poetzl
2006-11-25 8:21 ` Eric W. Biederman
2006-11-26 18:34 ` Herbert Poetzl
2006-11-26 19:41 ` Ben Greear
2006-11-26 20:52 ` Eric W. Biederman
2006-11-25 8:27 ` Eric W. Biederman
-- strict thread matches above, loose matches on Subject: below --
2006-11-25 16:35 Leonid Grossman
2006-11-25 19:26 ` Eric W. Biederman
2006-11-25 22:17 Leonid Grossman
2006-11-25 23:16 ` Eric W. Biederman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4573F5E1.8040606@fr.ibm.com \
--to=dlezcano@fr.ibm.com \
--cc=containers@lists.osdl.org \
--cc=devel@openvz.org \
--cc=dim@openvz.org \
--cc=ebiederm@xmission.com \
--cc=hadi@cyberus.ca \
--cc=netdev@vger.kernel.org \
--cc=shemminger@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).