[RFC][PATCH] IP address restricting cgroup subsystem

Guenter Roeck groeck at redback.com
Fri Jan 9 14:37:56 PST 2009


On Fri, Jan 09, 2009 at 10:12:24AM -0800, Dan Smith wrote:
> GR> I have tried something similar, only with
> GR> CLONE_FILES|CLONE_FS|CLONE_VM|CLONE_NEWNET, and actually creating
> GR> a virtual interface and controlling socket or thread in each new
> GR> network namespace.
> 
> My initial test was to create a veth pair and move one end into the
> namespace during create.  That failed in the same way, so I took the
> veth's out of the equation with the posted test.
> 
> GR> This scales to a couple of thousand interfaces, though interface
> GR> creation takes a long time if more than 1,000 interfaces or so are
> GR> created.
> 
This is at least to some degree due to the problems I mentioned earlier.
Enhancing the kernel name hash and the sysfs implementation improves
performance a lot.

> Yeah, just creating a bunch of pairs starts to slow down after a
> hundred veth's or so.  I think that for thousands of network
> namespaces, things would be pretty painful.
> 
> GR> I can send you the code if you like.
> 
> I'd like to see it.
> 
See attached. I used the "ctx" module in the attached code to create interfaces, 
so you'll have to compile and insmod it if you want to create interfaces.

Guenter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: netclone.tar.gz
Type: application/octet-stream
Size: 3621 bytes
Desc: not available
Url : http://lists.linux-foundation.org/pipermail/containers/attachments/20090109/54b692a7/attachment.obj 