On 08/25/2011 12:44 PM, Stephen Hemminger wrote:
> You seem to have forgotten the work of your forefathers. When appealing
> to history you must understand it first.
>
> What about using netfilter (with extensions)? We already have iptables
> module to match on uid or gid. It wouldn't be hard to extend this to
> other bits of meta data like originating and target containers.
>
> You could also use this to restrict access to ports and hosts on
> a per container basis.
>

Hello Stephen,

I am pretty sure netfilter can provide us with amazing functionality that will help our containers implementation a lot. I don't think, however, that memory limitation belongs in there.

First of all, IIRC, we are not dropping packets, re-routing, dealing with any low-level characteristic, etc. We're just controlling buffer size. This seems orthogonal to the work of netfilter.

Think, for instance, of the soft limit: when we hit it, we enter a memory pressure scenario. How would netfilter handle that?

So I guess cgroup is still better suited for this very specific task we have in mind here. For most of the others, I have no doubt that netfilter would come in handy.

Thanks for your time!

_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/containers
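The soft-limit / memory-pressure behaviour the reply above describes, as an added example that is not part of the original message or of the cgroup patches under discussion: a user-space C model of per-container socket-buffer accounting. It assumes the three-threshold scheme of the global net.ipv4.tcp_mem sysctl (low, pressure, high): going above "pressure" enters memory pressure, pressure is left again only once usage drops below "low", and a charge that would exceed "high" is refused. The names sockbuf_acct, sockbuf_charge, sockbuf_uncharge and sockbuf_grow, and the policy of halving growth requests while under pressure, are illustrative choices, not kernel code.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Hypothetical per-container socket-buffer accounting (illustration only,
 * not the cgroup code discussed on the list).  Thresholds follow the shape
 * of net.ipv4.tcp_mem: low / pressure / high.
 */
struct sockbuf_acct {
    size_t low;            /* leave memory pressure once usage drops below this */
    size_t pressure;       /* enter memory pressure when usage exceeds this   */
    size_t high;           /* hard limit: a charge beyond this is refused     */
    size_t charged;        /* bytes currently accounted to the container      */
    bool under_pressure;   /* sticky until usage falls below "low"            */
};

/* Initialise an accounting context with the given thresholds. */
void sockbuf_init(struct sockbuf_acct *a, size_t low, size_t pressure, size_t high)
{
    a->low = low;
    a->pressure = pressure;
    a->high = high;
    a->charged = 0;
    a->under_pressure = false;
}

/*
 * Account "bytes" of buffer space to the container.  Returns 0 on success,
 * or -ENOMEM when the hard limit would be exceeded (nothing is charged then).
 */
int sockbuf_charge(struct sockbuf_acct *a, size_t bytes)
{
    if (a->charged + bytes > a->high)
        return -ENOMEM;
    a->charged += bytes;
    if (a->charged > a->pressure)
        a->under_pressure = true;   /* soft limit hit: enter memory pressure */
    return 0;
}

/* Release charged buffer space; pressure is only left below "low" (hysteresis). */
void sockbuf_uncharge(struct sockbuf_acct *a, size_t bytes)
{
    a->charged = bytes > a->charged ? 0 : a->charged - bytes;
    if (a->under_pressure && a->charged < a->low)
        a->under_pressure = false;
}

/*
 * How much a socket may grow its buffer right now: the full request when
 * unpressured, half of it while the container is under pressure, and
 * nothing at all if even that cannot be charged against the hard limit.
 * Returns the number of bytes actually granted (and charged).
 */
size_t sockbuf_grow(struct sockbuf_acct *a, size_t want)
{
    size_t granted = a->under_pressure ? want / 2 : want;
    if (granted == 0 || sockbuf_charge(a, granted) != 0)
        return 0;
    return granted;
}

int main(void)
{
    struct sockbuf_acct a;
    size_t got;

    sockbuf_init(&a, 40, 80, 100);   /* low=40, pressure=80, high=100 (constructed) */
    got = sockbuf_grow(&a, 70);
    printf("grow 70 -> %zu, pressure=%d\n", got, a.under_pressure);
    got = sockbuf_grow(&a, 15);
    printf("grow 15 -> %zu, pressure=%d\n", got, a.under_pressure);
    got = sockbuf_grow(&a, 20);
    printf("grow 20 -> %zu (halved under pressure), charged=%zu\n", got, a.charged);
    got = sockbuf_grow(&a, 20);
    printf("grow 20 -> %zu (hard limit), charged=%zu\n", got, a.charged);
    sockbuf_uncharge(&a, 50);
    printf("uncharge 50 -> charged=%zu, pressure=%d\n", a.charged, a.under_pressure);
    sockbuf_uncharge(&a, 10);
    printf("uncharge 10 -> charged=%zu, pressure=%d\n", a.charged, a.under_pressure);
    return 0;
}
```

The point the model makes concrete is that the decision is taken per buffer charge, not per packet: there is no packet to match, drop or re-route when the soft limit is crossed, only a state flag that later allocation requests consult.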