On Wed, 25 Oct 2006 17:51:28 +0200 Daniel Lezcano <[EMAIL PROTECTED]> wrote:
> Hi Stephen,
>
> currently the work to make the container enablement into the kernel is
> doing good progress. The ipc, pid, utsname and filesystem system
> resources are isolated/virtualized relying on the namespaces concept.
>
> But, there is missing the network virtualization/isolation. Two
> approaches are proposed: doing the isolation at layer 2 and at
> layer 3.
>
> The first one instantiates a network device by namespace and adds a peer
> network device into the "root namespace"; all the routing resources are
> relative to the namespace. This work is done by Andrey Savochkin from
> the openvz project.
>
> The second relies on the routes and associates the network namespace
> pointer with each route. When the traffic is incoming, the packet
> follows an input route and retrieves the associated network namespace.
> When the traffic is outgoing, the packet, identified by the network
> namespace it is coming from, follows only the routes matching the same
> network namespace. This work is made by me.
>
> IMHO, we need the two approaches, the layer-2 to be able to bring *very*
> strong isolation for system containers with a performance cost and a
> layer-3 to be able to have good isolation for lightweight containers or
> application containers when performance is more important.
>
> Do you have some suggestions? What is your point of view on that?
>
> Thanks in advance.
>
> -- Daniel

Any solution should allow both and it should build on the existing netfilter infrastructure.

-- 
Stephen Hemminger <[EMAIL PROTECTED]>

-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
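To make the layer-3 proposal concrete, here is a small Python model of it written for this page; it is not kernel code and not part of either patch set discussed in the thread. It keeps one shared route table in which every route is tagged with a namespace: an incoming packet inherits the namespace of the local (input) route it matches, and an outgoing packet may only use routes tagged with its own namespace. The namespace names, addresses and devices are constructed for the example; the point it shows is that a container with no default route of its own simply has nowhere to send a packet, even though the host namespace does.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    netns: str                      # network namespace the route belongs to
    dev: str                        # output device ("lo" marks a local address)
    gateway: Optional[str] = None   # next hop, None for directly connected


class TaggedRouteTable:
    """One shared table; every route carries a namespace tag (layer-3 model)."""

    def __init__(self) -> None:
        self.routes: list = []

    def add(self, prefix: str, netns: str, dev: str, gateway: Optional[str] = None) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), netns, dev, gateway))

    def output(self, src_netns: str, dst: str) -> Optional[Route]:
        """Outgoing lookup: only routes tagged with the sender's namespace are
        eligible, longest prefix wins. None means there is no route and the
        packet is dropped."""
        addr = ipaddress.ip_address(dst)
        eligible = [r for r in self.routes if r.netns == src_netns and addr in r.prefix]
        return max(eligible, key=lambda r: r.prefix.prefixlen, default=None)

    def input(self, dst: str) -> Optional[str]:
        """Incoming lookup: the input (local) route is chosen by destination
        alone and the packet inherits that route's namespace. None means no
        namespace owns the address."""
        addr = ipaddress.ip_address(dst)
        local = [r for r in self.routes if r.dev == "lo" and addr in r.prefix]
        best = max(local, key=lambda r: r.prefix.prefixlen, default=None)
        return best.netns if best else None


def build_example_table() -> TaggedRouteTable:
    """Constructed example: host plus two containers sharing one link."""
    t = TaggedRouteTable()
    # root namespace: host address, the LAN and a default route
    t.add("10.0.0.1/32", "root", "lo")
    t.add("10.0.0.0/24", "root", "eth0")
    t.add("0.0.0.0/0", "root", "eth0", gateway="10.0.0.254")
    # "web" container: own address, LAN and a default route (may reach outside)
    t.add("10.0.0.10/32", "web", "lo")
    t.add("10.0.0.0/24", "web", "eth0")
    t.add("0.0.0.0/0", "web", "eth0", gateway="10.0.0.254")
    # "db" container: own address and LAN only, no default route
    t.add("10.0.0.20/32", "db", "lo")
    t.add("10.0.0.0/24", "db", "eth0")
    return t


def simulate(t: TaggedRouteTable, src_netns: str, dst: str) -> str:
    """Follow a packet emitted by src_netns towards dst and report its fate."""
    out = t.output(src_netns, dst)
    if out is None:
        return "dropped: no route tagged %s for %s" % (src_netns, dst)
    owner = t.input(dst)
    if owner is not None:
        return "delivered to namespace %s" % owner
    return "sent on %s via %s" % (out.dev, out.gateway or "link")


if __name__ == "__main__":
    table = build_example_table()
    for ns, dst in [("web", "198.51.100.7"), ("db", "198.51.100.7"),
                    ("db", "10.0.0.10"), ("web", "10.0.0.20")]:
        print(ns, "->", dst, ":", simulate(table, ns, dst))
```

The `db` namespace cannot reach `198.51.100.7` because the only default route in the table is tagged `root` and `web`; at the same time, traffic between the two containers still works through their own copies of the LAN route, and an incoming packet is attributed to a namespace purely by which local route it hits. That separation of routing decisions, rather than separate devices, is what the thread contrasts with the layer-2 veth-per-namespace design.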