When the number of conntracks has reached the ip_conntrack_max limit, early_drop() is
called and tries to free one of the already used conntracks in one of the hash
buckets. If it does not find any conntracks that may be freed, it
leads to transmission errors.
However it is not fair because of the current hash
Daniel Lezcano [EMAIL PROTECTED] writes:
Hi,
as suggested by Rick, I added the Service Demand results to the matrix.
A couple of random thoughts in trying to understand the numbers you are
seeing.
- Checksum offloading?
You have noted that with the bridge netfilter support disabled you are
Eric Dumazet wrote:
On Fri, 06 Apr 2007 12:00:29 +0400
Vasily Averin [EMAIL PROTECTED] wrote:
When the number of conntracks has reached the ip_conntrack_max limit, early_drop() is
called and tries to free one of the already used conntracks in one of the hash
buckets. If it does not find any
Hi,
Eric Biederman has posted a few weeks ago a RFC-patchset concerning the
network namespace.
I ported it to the 2.6.20 kernel and uploaded the patchset to
http://lxc.sourceforge.net/network.php
For the part I had to use (TCP/UDP-IPV4 with usual ethernet device), I
found the patchset pretty
Benjamin Thery [EMAIL PROTECTED] writes:
Eric W. Biederman wrote:
A couple of random thoughts in trying to understand the numbers you are
seeing.
- Checksum offloading?
You have noted that with the bridge netfilter support disabled you
are still seeing additional checksum overhead.
Vasily Averin wrote:
No, I've not investigated this scenario. It looks like you are right and my
patch can lead to long delays.
In my experiments I've decreased ip_conntrack_max lower than the number of hash
buckets and got the table full, dropping packet errors in logs. I've looked at
the
Hello, I am using patch patch-ovz028stab023.1-combined, and expected to
see this io accounting code in it:
http://git.openvz.org/?p=linux-2.6.18-openvz;a=commitdiff;h=0526b6634bb00e23ab37f2eda7b9a5a2b02ee3cc
Is patch-ovz028stab023.1-combined the most recent patch to be using for
2.6.18? I
The following patchset has been tested on 2.6.21-rc6 + Kay's
driver-core-fix-namespace-issue-with-devices-assigned-to-classes.patch
It has been tested both with CONFIG_SYSFS_DEPRECATED set and
unset. Although more testing has been involved with CONFIG_SYSFS_DEPRECATED
unset because that was the
While shadow directories appear to be a good idea, the current scheme
of controlling their creation and destruction outside of sysfs appears
to be a locking and maintenance nightmare in the face of sysfs directories
dynamically coming and going. Which can now occur for directories containing
The problem. When implementing a network namespace I need to be able
to have multiple network devices with the same name. Currently this
is a problem for /sys/class/net/*, /sys/devices/virtual/net/*, and
potentially a few other directories of the form /sys/ ... /net/*.
What I want is for each
When removing a symlink sysfs_remove_link does not provide enough
information to figure out which shadow directory the symlink falls in.
So I need sysfs_delete_link which is passed the target of the symlink
to delete.
Further half the time when we are removing a symlink the code is
actually
etun is a simple two headed tunnel driver that at the link layer looks
like ethernet. Its target audience is communicating between network
namespaces but it is general enough that it has other valid uses as well.
Ben Greear implemented a similar device called redir-dev, for network
emulation.
Stephen Hemminger wrote:
Why not implement a true virtual network rather than simple
tunnel pairs?
What would a true virtual network do? You mean with routers and such?
I use my redirect device (basically same as etun) to join virtual
routers together,
but all of the virtual routing (and
On Fri, 06 Apr 2007 14:38:50 -0700
Ben Greear [EMAIL PROTECTED] wrote:
Stephen Hemminger wrote:
Why not implement a true virtual network rather than simple
tunnel pairs?
What would a true virtual network do? You mean with routers and such?
Rather than just a pair, you could do
On 4/6/07, Pavel Emelianov [EMAIL PROTECTED] wrote:
Well, it's less ugly than resetting pointer but it's worse from
performance POV. See, we have an if (xxx) that is true only once
during system lifetime. This is not that good...
Adding an extra comparison in the container creation path
On Wed, 04 Apr 2007 20:30:12 +0200 Miklos Szeredi [EMAIL PROTECTED] wrote:
This patchset adds support for keeping mount ownership information in
the kernel, and allow unprivileged mount(2) and umount(2) in certain
cases.
No replies, huh?
My knowledge of the code which you're touching is not
On Apr 6 2007 16:16, H. Peter Anvin wrote:
- users can use bind mounts without having to pre-configure them in
/etc/fstab
This is by far the biggest concern I see. I think the security implications of
allowing anyone to do bind mounts are poorly understood.
$ whoami
miklos
$ mount
--
This is an update to my multi-hierarchy multi-subsystem generic
process containers patch. Changes since V7 (12th Feb) include:
- Removed the config-time choice of the number of supported
hierarchies - this is now completely dynamic; new hierarchies are
allocated on demand, and freed when no
This example demonstrates how to use the generic container subsystem
for a simple resource tracker that counts, for the processes in a
container, the total CPU time used and the %CPU used in the last
complete 10 second interval.
Portions contributed by Balbir Singh [EMAIL PROTECTED]
This patch implements the BeanCounter resource control abstraction
over generic process containers. It contains the beancounter core
code, plus the numfiles resource counter. It doesn't currently contain
any of the memory tracking code or the code for switching beancounter
context in interrupts.
This is intended as a simple illustration of how a virtual server
system could be integrated with generic containers, and hence take
advantage of other resource-control efforts. A real implementation
would probably allow parameters such as configuring what kinds of
namespace creations triggered
This patch creates a generic process container system based on (and
parallel to) the cpusets code. At a coarse level it was created by
copying kernel/cpuset.c, doing s/cpuset/container/g, and stripping out any
code that was cpuset-specific rather than applicable to any process
container
Ben Greear [EMAIL PROTECTED] writes:
I guess that will do, but then if you ever change the strings, any user-space that is
depending on this will break or have to be modified with additional cruft. It seems
cleaner to me to have an ioctl or a specific place in /proc or some other virtual