From: David Ahern <dsahern@gmail.com>
To: Christian Brauner <christian.brauner@ubuntu.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>,
Jakub Kicinski <kuba@kernel.org>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net-next] ipv6/route: inherit max_sizes from current netns
Date: Wed, 20 May 2020 11:27:02 -0600 [thread overview]
Message-ID: <dd09bef6-61c4-5217-4448-e58cd39dbad9@gmail.com> (raw)
In-Reply-To: <20200520172417.4m7pyalpftdd2xrm@wittgenstein>
On 5/20/20 11:24 AM, Christian Brauner wrote:
> On Wed, May 20, 2020 at 10:54:21AM -0600, David Ahern wrote:
>> On 5/20/20 8:58 AM, Christian Brauner wrote:
>>> During NorthSec (cf. [1]) a very large number of unprivileged
>>> containers and nested containers are run during the competition to
>>> provide a safe environment for the various teams during the event. Every
>>> year a range of feature requests or bug reports come out of this and
>>> this year's no different.
>>> One of the containers was running a simple VPN server. There were about
>>> 1.5k users connected to this VPN over ipv6 and the container was setup
>>> with about 100 custom routing tables when it hit the max_sizes routing
>>> limit. After this no new connections could be established anymore,
>>> pinging didn't work anymore; you get the idea.
>>>
>>
>> should have been addressed by:
>>
>> commit d8882935fcae28bceb5f6f56f09cded8d36d85e6
>> Author: Eric Dumazet <edumazet@google.com>
>> Date: Fri May 8 07:34:14 2020 -0700
>> ipv6: use DST_NOCOUNT in ip6_rt_pcpu_alloc()
>> We currently have to adjust ipv6 route gc_thresh/max_size depending
>> on number of cpus on a server, this makes very little sense.
>>
>>
>> Did your tests include this patch?
>
> No, it's also pretty hard to trigger. The conference was pretty good for
> this.
> I tested on top of rc6. I'm probably missing the big picture here, could
> you briefy explain how this commit fixes the problem we ran into?
>
ipv6 still has limits on the number of dst_entry's that can be created.
Eric traced the overflow to per-cpu caches in each FIB entry.
Larger systems (lots of cpus) x lots of unique connections = overflow
Eric's change removes the per-cpu dst caches from the counting, so only
exceptions (mtu, redirect) are now counted towards the limit.
next prev parent reply other threads:[~2020-05-20 17:27 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-20 14:58 [PATCH net-next] ipv6/route: inherit max_sizes from current netns Christian Brauner
2020-05-20 16:54 ` David Ahern
2020-05-20 17:24 ` Christian Brauner
2020-05-20 17:27 ` David Ahern [this message]
2020-05-20 17:27 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=dd09bef6-61c4-5217-4448-e58cd39dbad9@gmail.com \
--to=dsahern@gmail.com \
--cc=christian.brauner@ubuntu.com \
--cc=davem@davemloft.net \
--cc=kuba@kernel.org \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=yoshfuji@linux-ipv6.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).