From: Oren Laadan <orenl@librato.com>
To: Dan Smith <danms@us.ibm.com>
Cc: containers@lists.osdl.org, netdev@vger.kernel.org,
John Dykstra <jdykstra72@gmail.com>
Subject: Re: [PATCH 2/2] [RFC] Add c/r support for connected INET sockets
Date: Tue, 13 Oct 2009 15:35:07 -0400 [thread overview]
Message-ID: <4AD4D66B.6090903@librato.com> (raw)
In-Reply-To: <87pr8rcdl0.fsf@caffeine.danplanet.com>
Dan Smith wrote:
> OL> IIRC, the TCP stack takes the timestamp for each packet directly
> OL> from jiffies. So you need to teach TCP to add a per-container (or
> OL> you can make it per-socket) delta to that timestamp.
>
> After wondering what the heck you were talking about, I realized I
> assumed you were talking about TCP timeouts and not timestamps :)
>
> I assume you mean the following:
>
> 1. Put a absolute time stamp in the checkpoint stream
> 2. Calculate the delta between that and the current time on the
> restoring host
> 3. Use that value to offset timestamps from that point on.
>
> Correct?
Sort of. Right now we already record the absolute time-of-checkpoint:
ctx->ktime_begin. The restart-blocks are saved relative to it. I'd
suggest the same for all time related data from the network - save it
in the checkpoint image as delta's compared to checkpoint time.
At restart, the restart-blocks are restored relative to restart-time,
using the saved delta. That would work for the TCP timestamps too.
>
> Since I brought it up, do you agree that the retransmit timers should
> be canonicalized to time-after checkpoint values? It occurs to me
> that right now I restore a jiffies value on the receiving host which
> is guaranteed to be incorrect :)
As for TCP timeouts - I don't think they matter that much in the case
of live migration, whether the timeout after restart happens in the
saved delta relative to original checkpoint-time, or new restart-time.
The difference is likely to be subsecond to a few seconds at most,
not important for most use-cases, I'd think.
(If we are concerned about a TCP hickup due to a migration, there are
tricks to work around it that; timeouts and retransmits are not the
best way to go, because once you get there you already slowed down
TCP significantly).
Here, too, once we have time virtualization this can be revisited, to
allow the user to choose a policy how to use the deltas.
>
> OL> So I'm thinking, for both, do (1) put a big fat comment in the
> OL> code saying that sanity-tests are needed, and what for, and (2)
> OL> send a separate mail to the networking people with these two
> OL> scenarios and request comments ?
>
> Yeah, although I would hope that they're seeing this conversation and
> would chime in (hence the cc:netdev). Hopefully I don't have to
> disguise a separate email as non-C/R related to get past their
> filters! :)
>
> OL> For example, now, if a user wants to send a TCP packet with
> OL> arbitrary protocol parameters, he needs to use raw IP sockets,
> OL> which require privilege. Would restarting a connection with the
> OL> desired parameters become a way to bypass that restriction ?
> OL> (e.g. assume the user restarts while using the host's network
> OL> namespace).
>
> Um, yeah? I don't see much way around that if we're going to trust
> any of what is in the checkpoint stream. Perhaps we say CAP_NET_ADMIN
> is required to restart a live TCP connection?
>
I don't see much way around that either. My point is to bring the issue
to everyone's attention, and see what others say about it.
CAP_NET_ADMIN is one option. CAP_NET_RAW is another option ?
Oren.
prev parent reply other threads:[~2009-10-13 19:37 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <1254932945-12578-1-git-send-email-danms@us.ibm.com>
[not found] ` <1254932945-12578-1-git-send-email-danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-10-07 16:29 ` [PATCH 2/2] [RFC] Add c/r support for connected INET sockets Dan Smith
[not found] ` <1254932945-12578-3-git-send-email-danms-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-10-07 17:19 ` Serge E. Hallyn
[not found] ` <20091007171907.GA20572-r/Jw6+rmf7HQT0dZR+AlfA@public.gmane.org>
2009-10-07 17:22 ` Dan Smith
2009-10-08 14:47 ` John Dykstra
2009-10-08 15:41 ` Dan Smith
[not found] ` <87ab01gag7.fsf-FLMGYpZoEPULwtHQx/6qkW3U47Q5hpJU@public.gmane.org>
2009-10-08 17:31 ` John Dykstra
2009-10-08 17:34 ` Dan Smith
[not found] ` <8763apg57w.fsf-FLMGYpZoEPULwtHQx/6qkW3U47Q5hpJU@public.gmane.org>
2009-10-08 18:10 ` John Dykstra
2009-10-08 18:11 ` Dan Smith
2009-10-12 21:52 ` Oren Laadan
2009-10-13 17:05 ` Dan Smith
[not found] ` <87ws2zcjhe.fsf-FLMGYpZoEPULwtHQx/6qkW3U47Q5hpJU@public.gmane.org>
2009-10-13 19:00 ` Oren Laadan
[not found] ` <4AD4CE61.30503-RdfvBDnrOixBDgjK7y7TUQ@public.gmane.org>
2009-10-13 19:12 ` Dan Smith
2009-10-13 19:35 ` Oren Laadan [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4AD4D66B.6090903@librato.com \
--to=orenl@librato.com \
--cc=containers@lists.osdl.org \
--cc=danms@us.ibm.com \
--cc=jdykstra72@gmail.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).