Re: [RFC][PATCH] IP address restricting cgroup subsystem


 



Quoting Grzegorz Nosek (root@xxxxxxxxxxxxxx):
> On Wed, Jan 07, 2009 at 12:07:52 -0600, Serge E. Hallyn wrote:
> > Have you run a test, and found that in fact a network namespace
> > is too heavyweight to do so?  If so, some numbers here would be
> > far more persuasive.
>
> Is "how long it took me to set up and document this" a valid benchmark?
> No, I haven't run any tests yet. However, the overhead I'm thinking of
> isn't only related to raw speed, but also includes administrative tasks.
>
> Overall, I'd like to have an environment where users are grouped in
> containers but still have them slightly isolated from each other (things
> outside normal Unix restrictions include e.g. not seeing others'
> processes or not being able to step on their resources--like the IP
> address assigned). In the end, I'd like to have up to a dozen or a few
> "big" containers and hundreds+ of per-user cgroups (without additional
> namespace divisions) per machine. Do you think a bridge together with
> several hundred veths in the root namespace won't confuse admin tools
> (or the admins themselves)? Or should I use macvlan for that, or
> possibly something else altogether?
>
> I'll try to get some numbers but my current dev. machine is a VMware
> instance on my laptop and that runs rather abysmally, so they'll be
> probably skewed one way or another.
>
> > (Mind you I've written a few versions of this - based on LSM -
> > myself in the past, but that was before network namespaces
> > existed)
>
> Best regards,
>  Grzegorz Nosek

Does anyone else (Eric? Pavel?) have experience with hundreds
or thousands of network namespaces?

-serge

