Quoting Grzegorz Nosek ([email protected]):
> On Wed, Jan 07, 2009 at 12:07:52 -0600, Serge E. Hallyn wrote:
> > Have you run a test, and found that in fact a network namespace
> > is too heavyweight to do so? If so, some numbers here would be
> > far more persuasive.
>
> Is "how long it took me to set up and document this" a valid benchmark?
> No, I haven't run any tests yet. However, the overhead I'm thinking of
> isn't only related to raw speed, but also includes administrative tasks.
>
> Overall, I'd like to have an environment where users are grouped in
> containers but still have them slightly isolated from each other (things
> outside normal Unix restrictions include e.g. not seeing others'
> processes or not being able to step on their resources--like the IP
> address assigned). In the end, I'd like to have up to a dozen or a few
> "big" containers and hundreds+ of per-user cgroups (without additional
> namespace divisions) per machine. Do you think a bridge together with
> several hundred veths in the root namespace won't confuse admin tools
> (or the admins themselves)? Or should I use macvlan for that, or
> possibly something else altogether?
>
> I'll try to get some numbers but my current dev. machine is a VMware
> instance on my laptop and that runs rather abysmally, so they'll be
> probably skewed one way or another.
>
> > (Mind you I've written a few versions of this - based on LSM -
> > myself in the past, but that was before network namespaces
> > existed)
>
> Best regards,
> Grzegorz Nosek

Does anyone else (Eric? Pavel?) have experience with hundreds or
thousands of network namespaces?

-serge
_______________________________________________
Containers mailing list
[email protected]
https://lists.linux-foundation.org/mailman/listinfo/containers
