[Devel] Re: [RFC][PATCH] IP address restricting cgroup subsystem
Benny Amorsen
benny+usenet at amorsen.dk
Thu Jan 8 04:43:15 PST 2009
"Serge E. Hallyn" <serue-r/Jw6+rmf7HQT0dZR+AlfA at public.gmane.org>
writes:
> Does anyone else (Eric? Pavel?) have experience with hundreds
> or thousands of network namespaces?
Hundreds aren't a problem with OpenVZ (I do that in production) and
the vanilla kernel namespaces shouldn't be heavier. I don't think
performance is a good argument for the patch.
However, I do see the appeal of the patch anyway. It would be tempting to
use cgroups inside a network namespace for administrative reasons,
like Grzegorz Nosek proposed. I am not sure if you can create
namespaces with the semantics he proposed:
- INADDR_LOOPBACK is explicitly allowed (a special case)
- INADDR_ANY is remapped to _the_ IP address
- _the_ IP address is passed through unharmed
- everything else causes -EPERM
If you can get those semantics (or something close) already, then the
patch isn't useful.
/Benny
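The four address rules listed above, modelled in userspace as an added example (not code from the RFC patch or from anyone in this thread): a filter that a bind()/connect() hook would apply to a sockaddr_in, rewriting INADDR_ANY and refusing anything that is not loopback or the container's own address. The function names and the allowed-address parameter are assumptions for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Apply the four rules to sa in place (names are illustrative, not from
 * the patch). Returns 0 if the address may be used, possibly after
 * rewriting, or -EPERM if it must be refused. allowed_ip is "_the_" IP
 * address of the container, in network byte order. IPv4 only. */
int ipcg_filter_addr(struct sockaddr_in *sa, uint32_t allowed_ip)
{
    uint32_t ip = ntohl(sa->sin_addr.s_addr);

    if (sa->sin_family != AF_INET)
        return -EPERM;
    if (ip == INADDR_LOOPBACK)          /* rule 1: 127.0.0.1 is allowed */
        return 0;
    if (ip == INADDR_ANY) {             /* rule 2: 0.0.0.0 -> _the_ address */
        sa->sin_addr.s_addr = allowed_ip;
        return 0;
    }
    if (sa->sin_addr.s_addr == allowed_ip)  /* rule 3: passed through */
        return 0;
    return -EPERM;                      /* rule 4: everything else refused */
}

/* Helper: run the filter on dotted-quad strings. On acceptance, the address
 * the socket would actually use is written to out (if non-NULL). */
int ipcg_check_str(const char *addr, const char *allowed, char *out, size_t outlen)
{
    struct sockaddr_in sa;
    struct in_addr a;
    int rc;

    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1 ||
        inet_pton(AF_INET, allowed, &a) != 1)
        return -EINVAL;
    rc = ipcg_filter_addr(&sa, a.s_addr);
    if (rc == 0 && out)
        inet_ntop(AF_INET, &sa.sin_addr, out, outlen);
    return rc;
}
```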