[RFC] per-containers tcp buffer limitation
glommer at parallels.com
Thu Aug 25 11:11:37 PDT 2011
On 08/25/2011 12:44 PM, Stephen Hemminger wrote:
> You seem to have forgotten the work of your forefathers. When appealing
> to history you must understand it first.
> What about using netfilter (with extensions)? We already have iptables
> module to match on uid or gid. It wouldn't be hard to extend this to
> other bits of meta data like originating and target containers.
> You could also use this to restrict access to ports and hosts on
> a per container basis.
I am pretty sure netfilter can provide us with amazing functionality
that will help our containers implementation a lot.
I don't think, however, that memory limitation belongs in there. First
of all, IIRC, we are not dropping packets, re-routing, dealing with any
low level characteristic, etc. We're just controlling buffer size. This
seems orthogonal to the work of netfilter.
Think, for instance, of the soft limit: when we hit it, we enter a memory
pressure scenario. How would netfilter handle that?
So I guess cgroup is still better suited for this very specific task we
have in mind here. For most of the others, I have no doubt that
netfilter would come in handy.
Thanks for your time!
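The soft-limit / memory-pressure behaviour referred to above is stateful accounting rather than per-packet matching, which is the heart of the argument for a cgroup over a netfilter match. As an added illustration (not code from the thread, the kernel, or the patch set under discussion), the toy model below keeps one buffer account per container with a soft limit that switches the account into a pressure state and a hard limit that refuses further charges outright. The class and function names, the thresholds, the per-socket fair-share cap and the event sequence are all constructed for this example; the real kernel accounting is considerably more involved.

```python
# Added example: a toy per-container socket-buffer accountant with a soft
# ("pressure") limit and a hard limit. Everything here is constructed for
# illustration and is not the kernel's or the patch set's implementation.

# Constructed per-socket cap: under memory pressure, a socket that already
# holds this much gets no further buffer space so that others can progress.
PER_SOCKET_CAP = 4096


class BufferAccount:
    """Tracks TCP buffer bytes charged to one container."""

    def __init__(self, soft_limit, hard_limit):
        assert soft_limit <= hard_limit
        self.soft_limit = soft_limit
        self.hard_limit = hard_limit
        self.used = 0                 # bytes currently charged to the container
        self.per_socket = {}          # bytes currently held by each socket
        self.under_pressure = False   # set once usage exceeds soft_limit
        self.denied = 0               # number of refused charges

    def charge(self, sock, nbytes):
        """Try to charge nbytes to sock. Returns True if the charge was allowed."""
        new_total = self.used + nbytes
        # The hard limit is absolute: nothing may push usage beyond it.
        if new_total > self.hard_limit:
            self.denied += 1
            return False
        # Under pressure, sockets already at their fair share are refused,
        # while small or new sockets may still make progress.
        if self.under_pressure and self.per_socket.get(sock, 0) >= PER_SOCKET_CAP:
            self.denied += 1
            return False
        self.used = new_total
        self.per_socket[sock] = self.per_socket.get(sock, 0) + nbytes
        # Crossing the soft limit enters the pressure state; it is remembered
        # across later charges, which is the state a per-packet match lacks.
        if self.used > self.soft_limit:
            self.under_pressure = True
        return True

    def uncharge(self, sock, nbytes):
        """Return nbytes held by sock; leave the pressure state once usage is back under the soft limit."""
        held = self.per_socket.get(sock, 0)
        nbytes = min(nbytes, held)
        self.per_socket[sock] = held - nbytes
        self.used -= nbytes
        if self.under_pressure and self.used <= self.soft_limit:
            self.under_pressure = False


def run_scenario():
    """Drive a constructed sequence of charges against one container account.

    Returns the final usage, the number of refused charges, the final pressure
    flag and the pressure flag observed after each step.
    """
    acct = BufferAccount(soft_limit=8192, hard_limit=12288)
    pressure_trace = []
    steps = [
        ("charge", "A", 4096),   # used 4096
        ("charge", "B", 4096),   # used 8192, exactly at the soft limit
        ("charge", "A", 1024),   # used 9216 -> pressure entered
        ("charge", "B", 1024),   # B already at its cap -> refused under pressure
        ("charge", "C", 1024),   # new socket still allowed: used 10240
        ("charge", "A", 4096),   # 14336 would exceed the hard limit -> refused
        ("uncharge", "A", 5120), # used 5120 -> pressure left
        ("charge", "B", 1024),   # no longer under pressure -> allowed: used 6144
    ]
    for op, sock, nbytes in steps:
        if op == "charge":
            acct.charge(sock, nbytes)
        else:
            acct.uncharge(sock, nbytes)
        pressure_trace.append(acct.under_pressure)
    return {
        "used": acct.used,
        "denied": acct.denied,
        "under_pressure": acct.under_pressure,
        "pressure_trace": pressure_trace,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point the scenario makes is that the fourth and eighth steps are byte-for-byte identical requests from the same socket, yet one is refused and the other allowed purely because of accounting state accumulated by earlier events; a stateless per-packet match has nowhere to keep that state, whereas a cgroup controller naturally does.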