Per-jail private loopback
Julian Elischer
julian at freebsd.org
Fri Dec 18 13:45:25 UTC 2015
On 18/12/2015 11:51 AM, Craig Rodrigues wrote:
> On Thu, Dec 17, 2015 at 3:48 PM, Garrett Wollman <wollman at bimajority.org>
> wrote:
>
>> Or is VIMAGE cheap
>> enough that I won't notice the performance hit?
Vimage is a negligible overhead in a 1 jail (base jail) system and can
actually end up with a negative overhead (gain) in some scenarios.
Most vimage systems use a bridge (either netgraph or if_bridge) to
connect the jails together to the outside world which leads to some
extra packet handling, but in a system with 24 CPUs it's often handled
by an otherwise idle CPU so no performance hit is seen. It can be a
net gain if you have several interfaces and assign each interface to
a different jail/VNET. In this case the different network stacks are
not contending with each other for locks where in a single stack jail
configuration they would be contending. Different vlan interfaces can
be assigned to different VNETS for the same effect if you don't have
multiple physical interfaces available.
Even with the extra packet handling of bridged VNETs there can be
advantages. For example you can put your jails behind an extra layer
of routing WITHIN the host so that changes of routes and connectivity
from the machine to the outside world are not seen by the applications.
> Olivier did some measurements with VIMAGE:
> https://lists.freebsd.org/pipermail/freebsd-arch/2014-October/016054.html
>
> I think you should give VIMAGE a shot, if you are doing any serious work
> with jails. I run with VIMAGE configured by default in all my systems
> running 10-STABLE
> and CURRENT.
>
> --
> Craig