Re: [zones-discuss] Inter-Zone Networking Question

2009-04-24 Thread Steffen Weiberle

On 04/24/09 00:06, Erik Nordmark wrote:

Patrick Pinchera wrote:
I'm working with a customer who wants to put 16 containers in an M8000 
server. Each of these containers will have the need to have a "private 
network" that they all share so that they can all talk to each other, 
and the network traffic DOES NOT have to go outside of the server. 
Some of it is broadcast traffic.


What isolation requirements does the customer have for the other 
external IP communication?
For instance, will all the zones be connected to the same external LANs 
or VLANs, or are there security requirements that require them to be on 
isolated LANs or VLANs?


If they are on the same LANs or VLANs, then the zones can be configured 
as shared-ip zones, and the local IP addresses can be used. (The 
loopback address - 127.0.0.1 - stays within the same zone, but the IP 
address assigned to zoneA can be used to reach it from zoneB, C, etc. 
without going outside of the box.)


The above places no load on the NIC (the packets are looped back inside 
TCP/IP), and continues to work even if the NIC fails, as long as the IP 
addresses are still assigned and up.


If they have security requirements that require separate LANs or VLANs 
for the zone's external communication, then they should use exclusive-IP 
zones and the lack of vnic and etherstub support in S10 becomes a 
stumbling block. Perhaps Steffen has a workaround for that.


Ooh, a light bulb went off. If you need some separation of the zones, 
such as A to B to C to D, you could potentially use a single NIC, and use 
VLAN interfaces on that one NIC for A to go through B and C to get to 
D. That is if otherwise the kernel would send it straight away. I may 
have to try this out.


Pat, what is your configuration?

Steffen




   Erik

I would like to know some details on how to implement this, and what 
the performance benefits are.  I've been told the following, and would 
like to hear some clarifications, or if there is an issue I'm unaware of.


* the global zone will recognize that the network traffic is staying
  inside of the global zone, and will only go down so far in the
  network stack, never having to go out the physical ethernet port.
* This Inter-Zone networking ends up being a memory copy to transfer
  data from one zone to the other.
* Do I use the loopback interface for configuring this? Or do I need
  to share a physical port among the zones?
* If the port is shared among the 16 containers, this will reduce
  the total number of physical gigabit ethernet ports I need for the
  system.
* If I need a physical port, is there a particular ethernet card I
  should use over another? I know some cards have more "processing
  power" than others.
* Can I use two ports and get some redundancy in case one port fails?
* What kind of performance benefits can I expect, vs. having to go
  outside the box to an ethernet switch? Has anyone benchmarked
  this? I know it would be dependent upon the system architecture
  (clock speed, bus speed, etc.)

Thanks in advance,
Pat


___
zones-discuss mailing list
zones-discuss@opensolaris.org




Re: [zones-discuss] Inter-Zone Networking Question

2009-04-24 Thread Steffen Weiberle

On 04/23/09 23:15, Patrick Pinchera wrote:
I'm working with a customer who wants to put 16 containers in an M8000 
server. Each of these containers will have the need to have a "private 
network" that they all share so that they can all talk to each other, 
and the network traffic DOES NOT have to go outside of the server. Some 
of it is broadcast traffic.


Hi Patrick,

I blogged about how I used shared IP to resolve a customer issue with an 
initial need for dual default routers pointing in different directions.


blogs.sun.com/stw/

Note that IP does things 'regardless' of where the traffic came from, so 
if there are choices, it may not make one that is in line with what you 
think!



I would like to know some details on how to implement this, and what the 
performance benefits are.  I've been told the following, and would like 
to hear some clarifications, or if there is an issue I'm unaware of.


* the global zone will recognize that the network traffic is staying
  inside of the global zone, and will only go down so far in the
  network stack, never having to go out the physical ethernet port.


Technically, the kernel/IP.


* This Inter-Zone networking ends up being a memory copy to transfer
  data from one zone to the other.


After TCP/UDP and some IP processing, there may be a memory copy. I 
focus on the former as it is not as fast as an IPC using shared memory.



* Do I use the loopback interface for configuring this? Or do I need
  to share a physical port among the zones?


You need one physical interface to ifconfig(1M) all the addresses 
on. It does not have to be plugged in (that was the trick in the 
workaround in the blog).



* If the port is shared among the 16 containers, this will reduce
  the total number of physical gigabit ethernet ports I need for the
  system.


It may.


* If I need a physical port, is there a particular ethernet card I
  should use over another? I know some cards have more "processing
  power" than others.


It never gets that low. It could be a 100Mbps NIC.


* Can I use two ports and get some redundancy in case one port fails?


Well, if you are actually using the port, maybe.


* What kind of performance benefits can I expect, vs. having to go
  outside the box to an ethernet switch? Has anyone benchmarked
  this? I know it would be dependent upon the system architecture
  (clock speed, bus speed, etc.)


I have an older blog entry on some FTP testing. I hope it still shows up.



Thanks in advance,
Pat




Re: [zones-discuss] Inter-Zone Networking Question

2009-04-23 Thread Erik Nordmark

Patrick Pinchera wrote:
I'm working with a customer who wants to put 16 containers in an M8000 
server. Each of these containers will have the need to have a "private 
network" that they all share so that they can all talk to each other, 
and the network traffic DOES NOT have to go outside of the server. Some 
of it is broadcast traffic.


What isolation requirements does the customer have for the other 
external IP communication?
For instance, will all the zones be connected to the same external LANs 
or VLANs, or are there security requirements that require them to be on 
isolated LANs or VLANs?


If they are on the same LANs or VLANs, then the zones can be configured 
as shared-ip zones, and the local IP addresses can be used. (The 
loopback address - 127.0.0.1 - stays within the same zone, but the IP 
address assigned to zoneA can be used to reach it from zoneB, C, etc. 
without going outside of the box.)


The above places no load on the NIC (the packets are looped back inside 
TCP/IP), and continues to work even if the NIC fails, as long as the IP 
addresses are still assigned and up.


If they have security requirements that require separate LANs or VLANs 
for the zone's external communication, then they should use exclusive-IP 
zones and the lack of vnic and etherstub support in S10 becomes a 
stumbling block. Perhaps Steffen has a workaround for that.


   Erik

I would like to know some details on how to implement this, and what the 
performance benefits are.  I've been told the following, and would like 
to hear some clarifications, or if there is an issue I'm unaware of.


* the global zone will recognize that the network traffic is staying
  inside of the global zone, and will only go down so far in the
  network stack, never having to go out the physical ethernet port.
* This Inter-Zone networking ends up being a memory copy to transfer
  data from one zone to the other.
* Do I use the loopback interface for configuring this? Or do I need
  to share a physical port among the zones?
* If the port is shared among the 16 containers, this will reduce
  the total number of physical gigabit ethernet ports I need for the
  system.
* If I need a physical port, is there a particular ethernet card I
  should use over another? I know some cards have more "processing
  power" than others.
* Can I use two ports and get some redundancy in case one port fails?
* What kind of performance benefits can I expect, vs. having to go
  outside the box to an ethernet switch? Has anyone benchmarked
  this? I know it would be dependent upon the system architecture
  (clock speed, bus speed, etc.)

Thanks in advance,
Pat

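As an added example, not code from the thread: a POSIX shell generator for the zonecfg(1M) input behind the two options Erik contrasts above, shared-IP zones whose private addresses all sit on one NIC and are looped back inside IP, versus exclusive-IP zones that each need their own link. The NIC names bge0/bge1, the /zones path prefix and the 192.168.100.0/24 subnet are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: generate zonecfg(1M) input for the
# two zone IP types discussed. Constructed placeholders: NIC names
# bge0/bge1, zonepath prefix /zones, private subnet 192.168.100.0/24.

# gen_zonecfg NAME IPTYPE NIC [ADDR/PREFIX]
#   shared    - zone shares the global zone's IP stack; its address is
#               plumbed on NIC, and traffic to another shared-IP zone's
#               address is looped back inside IP, never leaving the box
#   exclusive - zone gets its own IP stack and the whole NIC; no address
#               is set here (the zone configures it itself), so on S10
#               each such zone needs its own physical NIC or VLAN link
gen_zonecfg() {
    name=$1; iptype=$2; nic=$3; addr=$4
    printf 'create\n'
    printf 'set zonepath=/zones/%s\n' "$name"
    printf 'set autoboot=true\n'
    printf 'set ip-type=%s\n' "$iptype"
    printf 'add net\n'
    if [ "$iptype" = shared ]; then
        printf 'set address=%s\n' "$addr"
    fi
    printf 'set physical=%s\n' "$nic"
    printf 'end\n'
    printf 'verify\ncommit\n'
}

# All 16 zones as shared-IP on one NIC, one private address each
# (192.168.100.1 .. 192.168.100.16). Output is one zonecfg script per
# zone, preceded by a comment naming the zone it is meant for.
gen_private_network() {
    i=1
    while [ "$i" -le 16 ]; do
        name=$(printf 'zone%02d' "$i")
        printf '# feed the following block to: zonecfg -z %s -f FILE\n' "$name"
        gen_zonecfg "$name" shared bge0 "192.168.100.$i/24"
        i=$((i + 1))
    done
}

# How many private addresses the generated configuration plumbs on the
# shared NIC; with 16 shared-IP zones this is 16.
count_shared_addresses() {
    gen_private_network | grep -c '^set address=192\.168\.100\.[0-9]*/24$'
}
```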
