Re: [RFC][PATCH] IP address restricting cgroup subsystem

On Wed, Jan 07, 2009 at 12:07:52 -0600, Serge E. Hallyn wrote:
> Have you run a test, and found that in fact a network namespace
> is too heavyweight to do so?  If so, some numbers here would be
> far more persuasive.
Is "how long it took me to set up and document this" a valid benchmark?
No, I haven't run any tests yet. However, the overhead I'm thinking of
isn't only related to raw speed, but also includes administrative tasks.

Overall, I'd like to have an environment where users are grouped in
containers but still have them slightly isolated from each other (things
outside normal Unix restrictions include e.g. not seeing others'
processes or not being able to step on their resources--like the IP
address assigned). In the end, I'd like to have up to a dozen or a few
"big" containers and hundreds+ of per-user cgroups (without additional
namespace divisions) per machine. Do you think a bridge together with
several hundred veths in the root namespace won't confuse admin tools
(or the admins themselves)? Or should I use macvlan for that, or
possibly something else altogether?
I'll try to get some numbers but my current dev. machine is a VMware
instance on my laptop and that runs rather abysmally, so they'll
probably be skewed one way or another.
> (Mind you I've written a few version of this - based on LSM -
> myself in the past, but that was before network namespaces
> existed)
Best regards,
Grzegorz Nosek
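The per-user network-namespace layout the reply weighs against the cgroup approach, written out as an added example (not code from the thread or from either poster): one bridge in the root namespace, a veth pair per user with one end enslaved to the bridge, and a macvlan variant that avoids the host-side interfaces altogether. The bridge and interface names (br-users, ve-N, mv-N, ns-user-N) and the 10.200.0.0/16 address pool are assumptions. Real setup needs CAP_NET_ADMIN; when not run as root (or when DRY_RUN=1) the ip(8) commands are only printed, which also makes the administrative footprint per user countable.

```shell
#!/bin/sh
# Added example: per-user network namespaces behind one bridge (veth) or
# on top of one NIC (macvlan). Interface/namespace names and the
# 10.200.0.0/16 pool are assumptions, not taken from the thread.
# Without root, or with DRY_RUN=1, commands are printed instead of run.

: "${DRY_RUN:=}"
if [ -z "$DRY_RUN" ] && [ "$(id -u)" -ne 0 ]; then
    DRY_RUN=1
fi

# Execute a command, or print it in dry-run mode.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Address for user index I (1..65535) inside the assumed pool.
user_addr() {
    echo "10.200.$(($1 / 256)).$(($1 % 256))/16"
}

# Shared bridge in the root namespace; created once.
setup_bridge() {
    run ip link add "$1" type bridge
    run ip link set "$1" up
}

# veth variant: host end enslaved to the bridge, peer end moved into the
# user's namespace and given the user's address.
# Usage: add_user_ns BRIDGE INDEX
add_user_ns() {
    br=$1; i=$2
    ns="ns-user-$i"
    host="ve-$i"          # stays in the root namespace (one per user)
    peer="ve-${i}p"       # moved into the user's namespace
    run ip netns add "$ns"
    run ip link add "$host" type veth peer name "$peer"
    run ip link set "$host" master "$br" up
    run ip link set "$peer" netns "$ns"
    run ip netns exec "$ns" ip link set lo up
    run ip netns exec "$ns" ip addr add "$(user_addr "$i")" dev "$peer"
    run ip netns exec "$ns" ip link set "$peer" up
}

# macvlan variant: no bridge and no host-side veth; the root namespace
# only ever sees the parent NIC.
# Usage: add_user_ns_macvlan PARENT_NIC INDEX
add_user_ns_macvlan() {
    parent=$1; i=$2
    ns="ns-user-$i"
    dev="mv-$i"
    run ip netns add "$ns"
    run ip link add "$dev" link "$parent" type macvlan mode bridge
    run ip link set "$dev" netns "$ns"
    run ip netns exec "$ns" ip link set lo up
    run ip netns exec "$ns" ip addr add "$(user_addr "$i")" dev "$dev"
    run ip netns exec "$ns" ip link set "$dev" up
}

# Build COUNT users on bridge BR (default br-users) with the veth layout.
build_users() {
    count=$1; br=${2:-br-users}
    setup_bridge "$br"
    i=1
    while [ "$i" -le "$count" ]; do
        add_user_ns "$br" "$i"
        i=$((i + 1))
    done
}

# Number of ip(8) invocations the veth layout needs for COUNT users:
# a crude measure of the administrative overhead discussed above.
count_commands() {
    ( DRY_RUN=1; build_users "$1" ) | wc -l | tr -d ' '
}

# Same count for the macvlan layout.
count_commands_macvlan() {
    ( DRY_RUN=1
      i=1
      while [ "$i" -le "$1" ]; do
          add_user_ns_macvlan eth0 "$i"
          i=$((i + 1))
      done ) | wc -l | tr -d ' '
}
```

Running `DRY_RUN=1 sh script.sh` and calling `build_users 300` shows the 300 host-side ve-N interfaces that would appear in the root namespace's `ip link` output, which is the clutter the reply asks about; the macvlan variant leaves only the parent NIC visible there.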