Dmitry Mishin wrote:
On Friday 08 September 2006 22:11, Herbert Poetzl wrote:
actually the light-weight ip isolation runs perfectly
fine _without_ CAP_NET_ADMIN, as you do not want the
guest to be able to mess with the 'configured' ips at
all (not to speak of interfaces here)
It was only an
On Mon, Sep 11, 2006 at 04:40:59PM +0200, Daniel Lezcano wrote:
Dmitry Mishin wrote:
On Friday 08 September 2006 22:11, Herbert Poetzl wrote:
actually the light-weight ip isolation runs perfectly
fine _without_ CAP_NET_ADMIN, as you do not want the
guest to be able to mess with the
Herbert Poetzl wrote:
On Mon, Sep 11, 2006 at 04:40:59PM +0200, Daniel Lezcano wrote:
I am currently working on this and I am finishing a prototype bringing
isolation at the ip layer. The prototype code is very close to
Andrey's patches at TCP/UDP level. So the next step is to merge the
On Monday 11 September 2006 18:57, Herbert Poetzl wrote:
I completely agree here, we need a separate namespace
for that, so that we can combine isolation and virtualization
as needed, unless the bind restrictions can be completely
expressed with an additional mangle or filter table (as
was
On Sunday 10 September 2006 06:47, Herbert Poetzl wrote:
well, I think it would be best to have both, as
they are complementary to some degree, and IMHO
both, the full virtualization _and_ the isolation
will require a separate namespace to work,
[snip]
I do not think that folks would want
On Sunday 10 September 2006 07:41, Eric W. Biederman wrote:
I certainly agree that we are not at a point where a final decision
can be made. A major piece of that is that a layer 2 approach has
not shown to be without a performance penalty.
But it is required. Why limit possible usages?
On Sat, Sep 09, 2006 at 09:41:35PM -0600, Eric W. Biederman wrote:
Herbert Poetzl [EMAIL PROTECTED] writes:
On Sat, Sep 09, 2006 at 11:57:24AM +0400, Dmitry Mishin wrote:
On Friday 08 September 2006 22:11, Herbert Poetzl wrote:
actually the light-weight ip isolation runs perfectly
On Sun, Sep 10, 2006 at 11:45:35AM +0400, Dmitry Mishin wrote:
On Sunday 10 September 2006 06:47, Herbert Poetzl wrote:
well, I think it would be best to have both, as
they are complementary to some degree, and IMHO
both, the full virtualization _and_ the isolation
will require a separate
On Friday 08 September 2006 22:11, Herbert Poetzl wrote:
actually the light-weight ip isolation runs perfectly
fine _without_ CAP_NET_ADMIN, as you do not want the
guest to be able to mess with the 'configured' ips at
all (not to speak of interfaces here)
It was only an example. I'm thinking
On Sat, Sep 09, 2006 at 11:57:24AM +0400, Dmitry Mishin wrote:
On Friday 08 September 2006 22:11, Herbert Poetzl wrote:
actually the light-weight ip isolation runs perfectly
fine _without_ CAP_NET_ADMIN, as you do not want the
guest to be able to mess with the 'configured' ips at
all (not
Herbert Poetzl [EMAIL PROTECTED] writes:
On Sat, Sep 09, 2006 at 11:57:24AM +0400, Dmitry Mishin wrote:
On Friday 08 September 2006 22:11, Herbert Poetzl wrote:
actually the light-weight ip isolation runs perfectly
fine _without_ CAP_NET_ADMIN, as you do not want the
guest to be able to
On Thursday 07 September 2006 21:27, Herbert Poetzl wrote:
well, who said that you need to have things like RAW sockets
or other protocols except IP, not to speak of iptable and
routing entries ...
folks who _want_ full network virtualization can use the
more complete virtual setup and be
On Fri, Sep 08, 2006 at 05:10:08PM +0400, Dmitry Mishin wrote:
On Thursday 07 September 2006 21:27, Herbert Poetzl wrote:
well, who said that you need to have things like RAW sockets
or other protocols except IP, not to speak of iptable and
routing entries ...
folks who _want_ full
Herbert Poetzl wrote:
my point (until we have an implementation which clearly
shows that performance is equal/better to isolation)
is simply this:
of course, you can 'simulate' or 'construct' all the
isolation scenarios with kernel bridging and routing
and tricky injection/marking of packets,
On Thu, Sep 07, 2006 at 08:23:53PM +0400, Kirill Korotaev wrote:
Herbert Poetzl wrote:
my point (until we have an implementation which clearly
shows that performance is equal/better to isolation)
is simply this:
of course, you can 'simulate' or 'construct' all the
isolation scenarios
Herbert Poetzl [EMAIL PROTECTED] writes:
On Thu, Sep 07, 2006 at 08:23:53PM +0400, Kirill Korotaev wrote:
well, who said that you need to have things like RAW sockets
or other protocols except IP, not to speak of iptable and
routing entries ...
folks who _want_ full network virtualization
Kirill Korotaev wrote:
I think classifying network virtualization by Layer X is not good enough.
OpenVZ has Layer 3 (venet) and Layer 2 (veth) implementations, but
in both cases networking stack inside VE remains fully virtualized.
Let's describe all those (three?) approaches at
Herbert Poetzl wrote:
my point (until we have an implementation which clearly
shows that performance is equal/better to isolation)
is simply this:
of course, you can 'simulate' or 'construct' all the
isolation scenarios with kernel bridging and routing
and tricky injection/marking of
Kir Kolyshkin wrote:
Herbert Poetzl wrote:
my point (until we have an implementation which clearly
shows that performance is equal/better to isolation)
is simply this:
of course, you can 'simulate' or 'construct' all the
isolation scenarios with kernel bridging and routing
and tricky