OpenVZ Forum: Devel » [RFC] network namespaces

Home » Mailing lists » Devel » [RFC] network namespaces

Show: Today's Messages :: Show Polls :: Message Navigator
E-mail to friend

Re: [RFC] network namespaces [message #5921 is a reply to message #5915]

Tue, 05 September 2006 14:45

ebiederm
Messages: 1354
Registered: February 2006

Senior Member

Daniel Lezcano <dlezcano@fr.ibm.com> writes:

>>>2. People expressed concerns that complete separation of namespaces
>>> may introduce an undesired overhead in certain usage scenarios.
>>> The overhead comes from packets traversing input path, then output path,
>>> then input path again in the destination namespace if root namespace
>>> acts as a router.
>
> Yes, performance is probably one issue.
>
> My concerns was for layer 2 / layer 3 virtualization. I agree a layer 2
> isolation/virtualization is the best for the "system container".
> But there is another family of container called "application container", it is
> not a system which is run inside a container but only the application. If you
> want to run a oracle database inside a container, you can run it inside an
> application container without launching <init> and all the services.
>
> This family of containers are used too for HPC (high performance computing) and
> for distributed checkpoint/restart. The cluster runs hundred of jobs, spawning
> them on different hosts inside an application container. Usually the jobs
> communicates with broadcast and multicast.
> Application containers does not care of having different MAC address and rely on
> a layer 3 approach.
>
> Are application containers comfortable with a layer 2 virtualization ? I don't
> think so, because several jobs running inside the same host communicate via
> broadcast/multicast between them and between other jobs running on different
> hosts. The IP consumption is a problem too: 1 container == 2 IP (one for the
> root namespace/ one for the container), multiplicated with the number of
> jobs. Furthermore, lot of jobs == lot of virtual devices.
>
> However, after a discussion with Kirill at the OLS, it appears we can merge the
> layer 2 and 3 approaches if the level of network virtualization is tunable and
> we can choose layer 2 or layer 3 when doing the "unshare". The determination of
> the namespace for the incoming traffic can be done with an specific iptable
> module as a first step. While looking at the network namespace patches, it
> appears that the TCP/UDP part is **very** similar at what is needed for a layer
> 3 approach.
>
> Any thoughts ?

For HPC if you are interested in migration you need a separate IP per
container. If you can take you IP address with you migration of
networking state is simple. If you can't take your IP address with
you a network container is nearly pointless from a migration
perspective.

Beyond that from everything I have seen layer 2 is just much cleaner
than any layer 3 approach short of Serge's bind filtering.

Beyond that I have yet to see a clean semantics for anything
resembling your layer 2 layer 3 hybrid approach. If we can't have
clear semantics it is by definition impossible to implement correctly
because no one understands what it is supposed to do.

Note. A true layer 3 approach has no impact on TCP/UDP filtering
because it filters at bind time not at packet reception time. Once
you start inspecting packets I don't see what the gain is from not
going all of the way to layer 2.

Eric

Report message to a moderator

[Message index]

		[RFC] network namespaces By: Andrey Savochkin on Tue, 15 August 2006 14:20
		[PATCH 1/9] network namespaces: core and device list By: Andrey Savochkin on Tue, 15 August 2006 14:48
		Re: [PATCH 1/9] network namespaces: core and device list By: Dave Hansen on Wed, 16 August 2006 14:46
		Re: [PATCH 1/9] network namespaces: core and device list By: Stephen Hemminger on Wed, 16 August 2006 16:45
		[PATCH 2/9] network namespaces: IPv4 routing By: Andrey Savochkin on Tue, 15 August 2006 14:48
		[PATCH 6/9] allow proc_dir_entries to have destructor By: Andrey Savochkin on Tue, 15 August 2006 14:48
		[PATCH 5/9] network namespaces: async socket operations By: Andrey Savochkin on Tue, 15 August 2006 14:48
		Re: [PATCH 5/9] network namespaces: async socket operations By: Daniel Lezcano on Fri, 22 September 2006 15:33
		Re: [PATCH 5/9] network namespaces: async socket operations By: Andrey Savochkin on Sat, 23 September 2006 13:16
		[PATCH 7/9] net_device seq_file By: Andrey Savochkin on Tue, 15 August 2006 14:48
		[PATCH 8/9] network namespaces: device to pass packets between namespaces By: Andrey Savochkin on Tue, 15 August 2006 14:48
		[PATCH 4/9] network namespaces: socket hashes By: Andrey Savochkin on Tue, 15 August 2006 14:48
		Re: [PATCH 4/9] network namespaces: socket hashes By: Daniel Lezcano on Mon, 18 September 2006 15:12
		Re: [PATCH 4/9] network namespaces: socket hashes By: Andrey Savochkin on Wed, 20 September 2006 16:32
		Re: [PATCH 4/9] network namespaces: socket hashes By: Daniel Lezcano on Thu, 21 September 2006 12:34
		[PATCH 9/9] network namespaces: playing with pass-through device By: Andrey Savochkin on Tue, 15 August 2006 14:48
		Re: [RFC] network namespaces By: serue on Wed, 16 August 2006 11:53
		Re: [RFC] network namespaces By: Alexey Kuznetsov on Wed, 16 August 2006 15:12
		Re: [RFC] network namespaces By: ebiederm on Wed, 16 August 2006 17:35
		Re: [RFC] network namespaces By: dev on Thu, 17 August 2006 08:28
		Re: [RFC] network namespaces By: Daniel Lezcano on Tue, 05 September 2006 13:34
		Re: [RFC] network namespaces By: ebiederm on Tue, 05 September 2006 14:45
		Re: [RFC] network namespaces By: Herbert Poetzl on Tue, 05 September 2006 16:53
		Re: [RFC] network namespaces By: Daniel Lezcano on Wed, 06 September 2006 09:10
		Re: [RFC] network namespaces By: Herbert Poetzl on Wed, 06 September 2006 16:56
		Re: Re: [RFC] network namespaces By: kir on Wed, 06 September 2006 17:36
		Re: [RFC] network namespaces By: ebiederm on Wed, 06 September 2006 18:34
		Re: [RFC] network namespaces By: kir on Wed, 06 September 2006 18:56
		Re: [RFC] network namespaces By: Cedric Le Goater on Wed, 06 September 2006 20:53
		RE: [RFC] network namespaces By: Caitlin Bestler on Wed, 06 September 2006 23:06
		Re: [RFC] network namespaces By: Daniel Lezcano on Thu, 07 September 2006 08:25
		Re: [RFC] network namespaces By: ebiederm on Thu, 07 September 2006 18:29
		Re: [RFC] network namespaces By: Herbert Poetzl on Fri, 08 September 2006 06:02
		Re: Re: [RFC] network namespaces By: dev on Thu, 07 September 2006 16:20
		Re: Re: [RFC] network namespaces By: Herbert Poetzl on Thu, 07 September 2006 17:27
		Re: Re: [RFC] network namespaces By: Mishin Dmitry on Fri, 08 September 2006 13:10
		Re: Re: [RFC] network namespaces By: Herbert Poetzl on Fri, 08 September 2006 18:11
		Re: Re: [RFC] network namespaces By: Mishin Dmitry on Sat, 09 September 2006 07:57
		Re: Re: [RFC] network namespaces By: Herbert Poetzl on Sun, 10 September 2006 02:47
		Re: Re: [RFC] network namespaces By: Mishin Dmitry on Sun, 10 September 2006 07:45
		Re: Re: [RFC] network namespaces By: Herbert Poetzl on Sun, 10 September 2006 19:22
		Re: [RFC] network namespaces By: ebiederm on Tue, 12 September 2006 03:26
		Re: Re: [RFC] network namespaces By: ebiederm on Sun, 10 September 2006 03:41
		Re: Re: [RFC] network namespaces By: Mishin Dmitry on Sun, 10 September 2006 08:11
		Re: Re: [RFC] network namespaces By: Herbert Poetzl on Sun, 10 September 2006 19:19
		Re: Re: [RFC] network namespaces By: Daniel Lezcano on Mon, 11 September 2006 14:40
		Re: Re: [RFC] network namespaces By: Herbert Poetzl on Mon, 11 September 2006 14:57
		Re: Re: [RFC] network namespaces By: Daniel Lezcano on Mon, 11 September 2006 15:04
		Re: Re: [RFC] network namespaces By: Mishin Dmitry on Mon, 11 September 2006 15:10
		Re: [RFC] network namespaces By: ebiederm on Tue, 12 September 2006 03:28
		Re: [RFC] network namespaces By: Mishin Dmitry on Tue, 12 September 2006 07:38
		Re: Re: [RFC] network namespaces By: ebiederm on Thu, 07 September 2006 19:50
		Re: Re: [RFC] network namespaces By: Daniel Lezcano on Wed, 06 September 2006 21:44
		Re: [RFC] network namespaces By: ebiederm on Wed, 06 September 2006 17:58
		Re: [RFC] network namespaces By: ebiederm on Tue, 05 September 2006 18:27
		Re: [RFC] network namespaces By: dev on Wed, 06 September 2006 14:52
		Re: [RFC] network namespaces By: Daniel Lezcano on Tue, 05 September 2006 15:32
		Re: [RFC] network namespaces By: dev on Tue, 05 September 2006 15:44
		Re: [RFC] network namespaces By: ebiederm on Tue, 05 September 2006 17:09
		Re: [RFC] network namespaces By: Cedric Le Goater on Wed, 06 September 2006 20:25
		Re: Re: [RFC] network namespaces By: kir on Wed, 06 September 2006 15:09
		Re: [RFC] network namespaces By: ebiederm on Wed, 06 September 2006 20:40
		Re: [RFC] network namespaces By: ebiederm on Wed, 06 September 2006 23:25
		Re: [RFC] network namespaces By: Stephen Hemminger on Thu, 07 September 2006 00:53
		Re: [RFC] network namespaces By: ebiederm on Thu, 07 September 2006 05:11
		Re: [RFC] network namespaces By: Daniel Lezcano on Wed, 04 October 2006 09:40
		Re: [RFC] network namespaces By: ebiederm on Sun, 10 September 2006 11:48

Previous Topic:	[PATCH 2.6.18] ext2: errors behaviour fix
Next Topic:	64bit DMA in i2o_block

Goto Forum:

-=] Back to Top [=-

[ Syndicate this forum (XML) ] [

] [

]

Current Time: Sun Jul 20 14:10:32 GMT 2025

Total time taken to generate the page: 0.06981 seconds