Tue, Aug 06, 2019 at 08:27:17PM CEST, jakub.kicin...@netronome.com wrote:
>On Tue, 6 Aug 2019 18:40:36 +0200, Jiri Pirko wrote:
>> Hi all.
>>
>> I just discussed this with DavidA and I would like to bring this to
>> a broader audience. David wants to limit kernel resources in network
>> namespaces, for example fibs, fib rules, etc.
>>
>> He claims that the devlink api is rich enough to program these limitations
>> as it already does for mlxsw hw resources, for example.
>
>TBH I don't see how you changed anything to do with FIB notifications,
>so the fact that the accounting is off now is a bit confusing. I don't
>understand how devlink, FIB and namespaces mix :(
>
>> If we have this api for hardware, why not reuse it for the
>> kernel and its resources too?
>
>IMHO the netdevsim use of this API is a slight abuse, to prove the
>device can fail the FIB changes, nothing more..

It's a slightly bigger abuse :) But in this thread, we are not discussing
netdevsim, but a separate "dev".

>
>> So the proposal is to have some new device, say "kernelnet", that
>> would implicitly create a per-namespace devlink instance. This devlink
>> instance would be used to set up resource limits. Like:
>>
>> devlink resource set kernelnet path /IPv4/fib size 96
>> devlink -N ns1name resource set kernelnet path /IPv6/fib size 100
>> devlink -N ns2name resource set kernelnet path /IPv4/fib-rules size 8
>>
>> To me it sounds a bit odd for a kernel namespace to act as a device, but
>> thinking about it more, it makes sense. Probably better than defining
>> a new api. The user would use the same tool to work with kernel and hw.
>>
>> Also we can implement other devlink functionality, like dpipe.
>> The user would then have visibility of the network pipeline, tables,
>> utilization, etc. It is related to the resources too.
>>
>> What do you think?
>
>I'm no expert here but it seems counterintuitive that device tables would
>be aware of namespaces in the first place. Are we not reinventing
>cgroup controllers based on a device API? IMHO from the perspective of
>someone unfamiliar with routing offload this seems backwards :)

Can we use cgroup for fib and other limitations instead?