[Devel] Re: [RFC][PATCH] IP address restricting cgroup subsystem

Guenter Roeck groeck at redback.com
Fri Jan 9 15:37:25 PST 2009


On Fri, Jan 09, 2009 at 02:47:42PM -0800, Serge E. Hallyn wrote:
> Quoting Guenter Roeck (groeck at redback.com):
> > On Fri, Jan 09, 2009 at 10:12:24AM -0800, Dan Smith wrote:
> > > GR> I have tried something similar, only with
> > > GR> CLONE_FILES|CLONE_FS|CLONE_VM|CLONE_NEWNET, and actually creating
> > > GR> a virtual interface and controlling socket or thread in each new
> > > GR> network namespace.
> > >
> > > My initial test was to create a veth pair and move one end into the
> > > namespace during create.  That failed in the same way, so I took the
> > > veths out of the equation with the posted test.
> > >
> > > GR> This scales to a couple of thousand interfaces, though interface
> > > GR> creation takes a long time if more than 1,000 interfaces or so are
> > > GR> created.
> > >
> > This is at least to some degree due to the problems I mentioned earlier.
> > Enhancing the kernel name hash and the sysfs implementation improves
> > performance a lot.
> 
> Is this something you've had a chance to start addressing?  (Just wondering)
> 
Yes - I have code for the name hash change (just one line, really), and two variants
of code for sysfs - one that uses a hash result as 1st step of comparison before
doing a strcmp, and another which uses a hash table per directory in sysfs.
The latter is of course more efficient, but also more expensive in terms of memory usage.

If there is interest, I can submit a patchset once I find out how exactly to do it ;-).

Guenter
_______________________________________________
Containers mailing list
Containers at lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/containers
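The first sysfs variant Guenter mentions, comparing a cached hash before falling back to strcmp(), as an added C illustration that is not code from the mail or from the kernel: a constructed linked list of veth-style entries with hypothetical field names, FNV-1a assumed as the hash, and the number of strcmp() calls a lookup needs under each strategy.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for sysfs sibling entries (hypothetical field names):
 * a linked list in which every entry caches a hash of its own name. */
struct entry {
    char name[16];
    uint32_t name_hash;
    struct entry *next;
};
/* FNV-1a: any cheap string hash will do as the first-step filter before strcmp(). */
static uint32_t name_hash(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 16777619u; }
    return h;
}
/* Builds n entries named veth0..veth(n-1) (newest at the head), looks up `want`,
 * and returns how many strcmp() calls that took; hash_first selects the
 * "compare cached hash, then strcmp" strategy. *found (may be NULL) reports a hit. */
unsigned long lookup_cost(unsigned n, const char *want, int hash_first, int *found)
{
    struct entry *head = NULL;
    for (unsigned i = 0; i < n; i++) {
        struct entry *e = malloc(sizeof *e);
        if (!e) break;
        snprintf(e->name, sizeof e->name, "veth%u", i);
        e->name_hash = name_hash(e->name);
        e->next = head;
        head = e;
    }
    uint32_t h = name_hash(want);
    unsigned long cmps = 0;
    int hit = 0;
    for (struct entry *e = head; e; e = e->next) {
        if (hash_first && e->name_hash != h)
            continue;                 /* hash differs: the names cannot be equal */
        cmps++;
        if (strcmp(e->name, want) == 0) { hit = 1; break; }
    }
    if (found) *found = hit;
    while (head) { struct entry *e = head; head = head->next; free(e); }
    return cmps;
}
int main(void)
{
    printf("strcmp only: %lu\n", lookup_cost(2000, "veth0", 0, NULL));
    printf("hash first:  %lu\n", lookup_cost(2000, "veth0", 1, NULL));
    return 0;
}
```

The per-directory hash table variant from the mail would replace the linear walk altogether; the example only shows the cheaper first step, which still walks every sibling but skips almost every strcmp().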