[RFC] per-containers tcp buffer limitation

Glauber Costa glommer at parallels.com
Thu Aug 25 11:11:37 PDT 2011

On 08/25/2011 12:44 PM, Stephen Hemminger wrote:
> You seem to have forgotten the work of your forefathers. When appealing
> to history you must understand it first.
> What about using netfilter (with extensions)? We already have an iptables
> module to match on uid or gid. It wouldn't be hard to extend this to
> other bits of metadata like originating and target containers.
> You could also use this to restrict access to ports and hosts on
> a per-container basis.

Hello Stephen,

I am pretty sure netfilter can provide us with amazing functionality
that will help our containers implementation a lot.

I don't think, however, that memory limitation belongs in there. First
of all, IIRC, we are not dropping packets, re-routing, dealing with any
low-level characteristic, etc. We're just controlling buffer size. This
seems orthogonal to the work of netfilter.

Think, for instance, of the soft limit: when we hit it, we enter a memory
pressure scenario. How would netfilter handle that?

So I guess cgroup is still better suited for this very specific task we
have in mind here. For most of the others, I have no doubt that
netfilter would come in handy.

Thanks for your time!
