[Devel] Re: [RFC][PATCH] IP address restricting cgroup subsystem
Dan Smith
danms at us.ibm.com
Fri Jan 9 10:12:24 PST 2009
GR> I have tried something similar, only with
GR> CLONE_FILES|CLONE_FS|CLONE_VM|CLONE_NEWNET, and actually creating
GR> a virtual interface and controlling socket or thread in each new
GR> network namespace.
My initial test was to create a veth pair and move one end into the
namespace during create. That failed in the same way, so I took the
veth's out of the equation with the posted test.
GR> This scales to a couple of thousand interfaces, though interface
GR> creation takes a long time if more than 1,000 interfaces or so are
GR> created.
Yeah, just creating a bunch of pairs starts to slow down after a
hundred veth's or so. I think that for thousands of network
namespaces, things would be pretty painful.
GR> I can send you the code if you like.
I'd like to see it.
Thanks!
--
Dan Smith
IBM Linux Technology Center
email: danms at us.ibm.com
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers