Hi Stephen,
currently the work to bring container enablement into the kernel is
making good progress. The ipc, pid, utsname and filesystem system
resources are isolated/virtualized relying on the namespaces concept.
But the network virtualization/isolation is still missing. Two
approaches are proposed: doing the isolation at layer 2 and at
layer 3.
The first one instantiates a network device per namespace and adds a peer
network device into the "root namespace"; all the routing resources are
relative to the namespace. This work is done by Andrey Savochkin from
the openvz project.
The second relies on the routes and associates the network namespace
pointer with each route. When the traffic is incoming, the packet
follows an input route and retrieves the associated network namespace.
When the traffic is outgoing, the packet, identified by the network
namespace it is coming from, follows only the routes matching the same
network namespace. This work is done by me.
IMHO, we need both approaches: layer 2 to be able to bring *very*
strong isolation for system containers at a performance cost, and
layer 3 to be able to have good isolation for lightweight containers or
application containers when performance is more important.
Do you have any suggestions? What is your point of view on that?
Thanks in advance.
-- Daniel
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
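The layer-3 scheme described in the message above, modelled in user-space C as an added example. This is not kernel code from either proposal; the namespace ids, the route table, the device names and the IPv4 addresses are all constructed for illustration. What it shows is the lookup rule: an outgoing packet only considers routes tagged with its own namespace, and an incoming packet learns its namespace from the input route it matches, so a container with no default route cannot reach outside, and one container cannot route into another's subnet even though the root namespace can.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* A small integer stands in for the kernel's network namespace pointer
 * (assumption of this example, not the real kernel type). */
typedef unsigned ns_id_t;
enum { ROOT_NS = 0, NS_A = 1, NS_B = 2 };

struct route {
    uint32_t    prefix;   /* IPv4 prefix, host byte order */
    uint8_t     plen;     /* prefix length, 0..32 */
    ns_id_t     ns;       /* namespace this route belongs to */
    const char *dev;      /* output device, illustrative only */
    int         is_input; /* 1: input route (local delivery), 0: output route */
};

#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Constructed sample table: three namespaces, each owning one local address.
 * Only the root namespace has a default route. */
static const struct route table[] = {
    /* input routes: which namespace owns a local address */
    { IP4(10, 0, 0, 1), 32, ROOT_NS, "lo",   1 },
    { IP4(10, 0, 1, 1), 32, NS_A,    "lo",   1 },
    { IP4(10, 0, 2, 1), 32, NS_B,    "lo",   1 },
    /* output routes, each tagged with the namespace that may use it */
    { IP4(10, 0, 0, 0),  8, ROOT_NS, "eth0", 0 },
    { IP4(0, 0, 0, 0),   0, ROOT_NS, "eth0", 0 },
    { IP4(10, 0, 1, 0), 24, NS_A,    "eth0", 0 },
    { IP4(10, 0, 2, 0), 24, NS_B,    "eth0", 0 },
};
#define TABLE_LEN (sizeof table / sizeof table[0])

static int prefix_match(uint32_t addr, const struct route *r)
{
    uint32_t mask = r->plen == 0 ? 0 : 0xFFFFFFFFu << (32 - r->plen);
    return (addr & mask) == (r->prefix & mask);
}

/* Outgoing: the packet's namespace is already known, so only routes tagged
 * with that namespace are candidates; longest prefix wins. NULL = no route. */
const struct route *route_output(ns_id_t ns, uint32_t dst)
{
    const struct route *best = NULL;
    for (size_t i = 0; i < TABLE_LEN; i++) {
        const struct route *r = &table[i];
        if (r->is_input || r->ns != ns || !prefix_match(dst, r))
            continue;
        if (!best || r->plen > best->plen)
            best = r;
    }
    return best;
}

/* Incoming: the namespace is not known yet; the matching input route tells
 * us which namespace receives the packet. Returns 1 on match, 0 otherwise. */
int route_input(uint32_t dst, ns_id_t *ns_out)
{
    const struct route *best = NULL;
    for (size_t i = 0; i < TABLE_LEN; i++) {
        const struct route *r = &table[i];
        if (!r->is_input || !prefix_match(dst, r))
            continue;
        if (!best || r->plen > best->plen)
            best = r;
    }
    if (!best)
        return 0;
    *ns_out = best->ns;
    return 1;
}

/* Prefix length of the output route chosen for (ns, dst), or -1 if none. */
int output_plen(ns_id_t ns, uint32_t dst)
{
    const struct route *r = route_output(ns, dst);
    return r ? (int)r->plen : -1;
}

/* Namespace that receives a packet to dst, or -1 if no input route matches. */
int input_ns(uint32_t dst)
{
    ns_id_t ns;
    return route_input(dst, &ns) ? (int)ns : -1;
}

int main(void)
{
    printf("root -> 8.8.8.8   : plen %d (default route)\n", output_plen(ROOT_NS, IP4(8, 8, 8, 8)));
    printf("NS_A -> 8.8.8.8   : plen %d (no default route in NS_A)\n", output_plen(NS_A, IP4(8, 8, 8, 8)));
    printf("NS_B -> 10.0.1.5  : plen %d (NS_B cannot use NS_A's route)\n", output_plen(NS_B, IP4(10, 0, 1, 5)));
    printf("in   -> 10.0.1.1  : namespace %d\n", input_ns(IP4(10, 0, 1, 1)));
    return 0;
}
```

The input lookup is where the real design has to be careful: if two namespaces were allowed to claim the same local address, the input route alone could not tell them apart, which is why the layer-2 approach (one device per namespace) gives stronger isolation at the cost of a full device and routing table per container.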