[RFC][PATCH] IP address restricting cgroup subsystem

Grzegorz Nosek root at localdomain.pl
Wed Jan 7 11:15:37 PST 2009


On śro, sty 07, 2009 at 12:07:52 -0600, Serge E. Hallyn wrote:
> Have you run a test, and found that in fact a network namespace
> is too heavyweight to do so?  If so, some numbers here would be
> far more pursuasive.

Is "how long it took me to set up and document this" a valid benchmark?
No, I haven't run any tests yet. However, the overhead I'm thinking of
isn't only related to raw speed, but also includes administrative tasks.

Overall, I'd like to have an environment where users are grouped in
containers but still have them slightly isolated from each other (things
outside normal Unix restrictions include e.g. not seeing others'
processes or not being able to step on their resources--like the IP
address assigned). In the end, I'd like to have up to a dozen or a few
"big" containers and hundreds+ of per-user cgroups (without additional
namespace divisions) per machine. Do you think a bridge together with
several hundred veths in the root namespace won't confuse admin tools
(or the admins themselves)? Or should I use macvlan for that, or
possibly something else altogether?

I'll try to get some numbers but my current dev. machine is a VMware
instance on my laptop and that runs rather abysmally, so they'll be
probably skewed one way or another.

> (Mind you I've written a few version of this - based on LSM -
> myself in the past, but that was before network namespaces
> existed)

Best regards,
 Grzegorz Nosek


More information about the Containers mailing list