[RFC] network namespaces

Kir Kolyshkin wrote:

<snip>

> I am not sure about "network isolation" (used by Linux-VServer), but as 
> it comes for level2 vs. level3 virtualization, I see a need for both. 
> Here is the easy-to-understand comparison which can shed some light: 
> http://wiki.openvz.org/Differences_between_venet_and_veth

Thanks Kir,

> Here are a couple of examples
> * Do we want to let container's owner (i.e. root) to add/remove IP 
> addresses? Most probably not, but in some cases we want that.
> * Do we want to be able to run DHCP server and/or DHCP client inside a 
> container? Sometimes...but not always.
> * Do we want to let container's owner to create/manage his own set of 
> iptables? In half of the cases we do.
> 
> The problem here is single solution will not cover all those scenarios.

Some would argue that there is one single solution: Xen or similar.

IMO, I think containers should try to leverage their difference,
performance, and not try to simulate a real hardware environment.

Restricting the network environment of a container should be considered
acceptable if this is for the sake of performance. The network interface(s)
could be pre-configured and provided to the container. Protocol(s) could be
forbidden.

Now, if you need more network power in a container, you will need a real or
a virtualized interface.

But let's consider both alternatives.

thanks,

C.

