[Devel] Re: [RFC][PATCH] IP address restricting cgroup subsystem

Serge E. Hallyn serue at us.ibm.com
Wed Jan 7 11:32:34 PST 2009


Quoting Grzegorz Nosek (root at localdomain.pl):
> On Wed, Jan 07, 2009 at 12:07:52 -0600, Serge E. Hallyn wrote:
> > Have you run a test, and found that in fact a network namespace
> > is too heavyweight to do so?  If so, some numbers here would be
> > far more persuasive.
> 
> Is "how long it took me to set up and document this" a valid benchmark?
> No, I haven't run any tests yet. However, the overhead I'm thinking of
> isn't only related to raw speed, but also includes administrative tasks.
> 
> Overall, I'd like to have an environment where users are grouped in
> containers but still have them slightly isolated from each other (things
> outside normal Unix restrictions include e.g. not seeing others'
> processes or not being able to step on their resources--like the IP
> address assigned). In the end, I'd like to have up to a dozen or a few
> "big" containers and hundreds+ of per-user cgroups (without additional
> namespace divisions) per machine. Do you think a bridge together with
> several hundred veths in the root namespace won't confuse admin tools
> (or the admins themselves)? Or should I use macvlan for that, or
> possibly something else altogether?
> 
> I'll try to get some numbers but my current dev. machine is a VMware
> instance on my laptop and that runs rather abysmally, so they'll be
> probably skewed one way or another.
> 
> > (Mind you I've written a few versions of this - based on LSM -
> > myself in the past, but that was before network namespaces
> > existed)
> 
> Best regards,
>  Grzegorz Nosek

Does anyone else (Eric? Pavel?) have experience with hundreds
or thousands of network namespaces?

-serge
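Since the thread asks for numbers on "a bridge together with several hundred veths in the root namespace" but nobody has measured it, here is an added example of how such a measurement could be scripted. It is not code from the thread or from either poster: it assumes a modern iproute2 with `ip netns`, uses constructed names (`br0`, `nsN`, `vethN`/`vethNp`) and a constructed address range (10.200.0.0/16), and must run as root to actually create anything; the `print` mode only shows the commands.

```shell
#!/bin/sh
# Added example (not from the thread): time the creation of N network
# namespaces, each with a veth pair whose host end is enslaved to one bridge
# in the root namespace, then report how many links the root namespace sees.
# Names br0 / nsN / vethN / vethNp and the 10.200.0.0/16 range are assumptions.
# Usage: sh netns-bench.sh print 3      -> print the commands only
#        sudo sh netns-bench.sh run 300 -> execute, time, and tear down

BRIDGE=${BRIDGE:-br0}

# Emit the ip(8) commands that create namespace $1 and wire it to $BRIDGE.
# One address per namespace is carved out of 10.200.0.0/16 (constructed),
# so N may be at most 65533 before the range runs out.
ns_cmds() {
    i=$1
    hi=$((i / 256)); lo=$((i % 256))
    printf 'ip netns add ns%s\n' "$i"
    printf 'ip link add veth%s type veth peer name veth%sp\n' "$i" "$i"
    printf 'ip link set veth%sp netns ns%s\n' "$i" "$i"
    printf 'ip link set veth%s master %s up\n' "$i" "$BRIDGE"
    printf 'ip netns exec ns%s ip addr add 10.200.%s.%s/16 dev veth%sp\n' "$i" "$hi" "$lo" "$i"
    printf 'ip netns exec ns%s ip link set veth%sp up\n' "$i" "$i"
}

# Emit the bridge creation followed by the commands for namespaces 1..N.
bench_cmds() {
    n=$1
    printf 'ip link add %s type bridge\n' "$BRIDGE"
    printf 'ip link set %s up\n' "$BRIDGE"
    i=1
    while [ "$i" -le "$n" ]; do
        ns_cmds "$i"
        i=$((i + 1))
    done
}

# Number of commands that would run for N namespaces: 2 for the bridge + 6 per namespace.
cmd_count() { bench_cmds "$1" | wc -l | tr -d ' '; }

# Tear-down: deleting a namespace also destroys its veth pair, because the
# peer end lives inside it, so only the namespaces and the bridge need removing.
cleanup_cmds() {
    n=$1
    i=1
    while [ "$i" -le "$n" ]; do
        printf 'ip netns del ns%s\n' "$i"
        i=$((i + 1))
    done
    printf 'ip link del %s\n' "$BRIDGE"
}

case "$1" in
    print) bench_cmds "${2:-3}" ;;
    run)
        n=${2:-100}
        start=$(date +%s)
        bench_cmds "$n" | sh -e
        end=$(date +%s)
        echo "created $n namespaces in $((end - start)) s; links visible in root ns: $(ip -o link | wc -l)"
        cleanup_cmds "$n" | sh -e
        ;;
esac
```

The link count printed at the end is the number an admin tool in the root namespace has to cope with, which is the "confuse admin tools" concern raised above; running the script with increasing N gives both the setup time and that count. The macvlan alternative mentioned in the thread would replace the veth/bridge lines with `ip link add ... link eth0 type macvlan`, leaving no bridge and no host-side veth per namespace, which is exactly the difference such a measurement would expose.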
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers