>>> Lennart Poettering <lennart@xxxxxxxxxxxxxx> wrote on 09.03.2022 at 16:18 in message <YijFPs8eamXOaYsa@gardel-login>:
> On Mon, 07.03.22 15:10, Christopher Wong (Christopher.Wong@xxxxxxxx) wrote:
>
>> Hi,
>>
>>
>> It seems that PrivateNetwork=yes is a memory consuming
>> directive. The kernel seems to allocate quite an amount of memory
>> for each service (~50 kB) that has this directive enabled. I wonder
>> if this is expected and if anyone has had similar experience?

Despite that I'm tempted to ask: "How many 50kB are there in a GB?" ;-)

>
> PrivateNetwork=yes means that a private network namespace is allocated
> for the service. If you think network namespaces are too expensive in
> their current implementation, please bring this up with the kernel
> people, because they are a kernel concept after all, we just allocate
> them if told so.
>
> Network namespaces are an effective way to disconnect a service from
> the network, if the service doesn't need it. It's probably one of the
> most relevant sandboxing options we offer, since disabling the attack
> surface called "network" for a service is of such major
> importance. That said, if you disable the network namespace
> functionality in the kernel systemd will handle this gracefully, and
> not use it. If the feature is available in the kernel we will however
> use it.
>
>> Is there any way to reduce the usage?
>
> Besides turning it off? Nothing I was aware of.
>
> Lennart
>
> --
> Lennart Poettering, Berlin
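Since the thread notes that systemd silently falls back to no isolation when the kernel lacks network namespace support, a defender will want to verify that a unit with PrivateNetwork=yes actually ended up in its own network namespace. The following script is an added example, not code from the thread or from systemd; it assumes Linux with procfs mounted and, for the unit lookup, a running systemd with `systemctl`.

```shell
#!/bin/sh
# Added example (not from the thread or systemd): confirm that a unit
# with PrivateNetwork=yes really runs in a separate network namespace,
# by comparing the net namespace inode of its main process with PID 1's.
# Assumes Linux with procfs; unit_netns_status additionally assumes systemd.

# Print the network namespace identifier (e.g. "net:[4026531992]") of a PID.
netns_of() {
    readlink "/proc/$1/ns/net"
}

# Print "yes" if both PIDs share a network namespace, "no" if they differ.
# Returns non-zero if either namespace link cannot be read.
same_netns() {
    a=$(netns_of "$1") || return 1
    b=$(netns_of "$2") || return 1
    if [ "$a" = "$b" ]; then echo yes; else echo no; fi
}

# Report whether a unit's main process is isolated from PID 1's network.
# Prints "isolated", "shared" or "not-running" (unknown or inactive unit,
# or no usable systemctl on this host).
unit_netns_status() {
    unit=$1
    pid=$(systemctl show -p MainPID --value "$unit" 2>/dev/null || true)
    if [ -z "$pid" ] || [ "$pid" = 0 ]; then
        echo not-running
        return 0
    fi
    case $(same_netns 1 "$pid" 2>/dev/null) in
        yes) echo shared ;;
        no)  echo isolated ;;
        *)   echo not-running ;;
    esac
}

# Usage: walk every running service that sets PrivateNetwork=yes and
# report whether the isolation took effect. Commented out so that
# sourcing this file has no side effects; needs root to read /proc/1/ns.
# for u in $(systemctl list-units --type=service --no-legend | awk '{print $1}'); do
#     if [ "$(systemctl show -p PrivateNetwork --value "$u")" = yes ]; then
#         printf '%s: %s\n' "$u" "$(unit_netns_status "$u")"
#     fi
# done
```

A unit reported as "shared" despite PrivateNetwork=yes means the namespace was not applied (for example because the kernel was built without it), which is exactly the fallback the thread describes.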