Per-jail private loopback
Mark Martinec
Mark.Martinec at ijs.si
Fri Dec 18 15:09:45 UTC 2015
It would be nice to use VIMAGE, but it is not in a GENERIC kernel.
Using a custom kernel voids the comfort of using freebsd-update
for installing patch revisions and upgrades.
Mark
On 2015-12-18 14:45, Julian Elischer wrote:
> On 18/12/2015 11:51 AM, Craig Rodrigues wrote:
>> On Thu, Dec 17, 2015 at 3:48 PM, Garrett Wollman <wollman at bimajority.org>
>> wrote:
>>
>>> Or is VIMAGE cheap
>>> enough that I won't notice the performance hit?
> Vimage is a negligible overhead in a 1 jail (base jail) system and can
> actually end up with a negative overhead (gain) in some scenarios.
>
> Most vimage systems use a bridge (either netgraph or if_bridge) to
> connect the jails together to the outside world which leads to some
> extra packet handling, but in a system with 24 CPUs it's often handled
> by an otherwise idle CPU so no performance hit is seen. It can be a
> net gain if you have several interfaces and assign each interface to a
> different jail/VNET. In this case the different network stacks are not
> contending with each other for locks where in a single stack jail
> configuration they would be contending. Different vlan interfaces can be
> assigned to different VNETS for the same effect if you don't have
> multiple physical interfaces available.
> Even with the extra packet handling of bridged VNETs there can be
> advantages. For example you can put your jails behind an extra layer of
> routing WITHIN the host so that changes of routes and connectivity from
> the machine to the outside world are not seen by the applications.
>
>> Olivier did some measurements with VIMAGE:
>> https://lists.freebsd.org/pipermail/freebsd-arch/2014-October/016054.html
>>
>> I think you should give VIMAGE a shot, if you are doing any serious work
>> with jails. I run with VIMAGE configured by default in all my systems
>> running 10-STABLE
>> and CURRENT.
>>
>> --
>> Craig
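The bridged-VNET layout Julian describes, with each jail getting its own network stack (and therefore its own private lo0), written out as a jail.conf fragment. This is an added example, not configuration from anyone in the thread; it assumes a kernel built with "options VIMAGE", a host bridge named bridge0 that is already created and attached to the uplink NIC, and placeholder jail names, paths and hostnames.

```conf
# /etc/jail.conf (added example; assumes "options VIMAGE" in the kernel
# and an existing host bridge "bridge0" attached to the uplink interface)

# Defaults shared by every jail below
path = "/jails/$name";                     # placeholder jail root
host.hostname = "$name.example.internal";  # placeholder hostname
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;

# Give each jail its own network stack: own lo0, own routing table, own
# interfaces. 127.0.0.1 inside the jail is the jail's lo0, not the host's,
# so services bound to loopback in one jail are not reachable from another.
vnet;

# One epair per jail. The "a" end stays on the host and joins bridge0,
# the "b" end is moved into the jail's VNET and addressed from inside the
# jail (e.g. ifconfig_epair0b="inet 192.0.2.11/24" in the jail's rc.conf).
vnet.interface = "epair${id}b";
exec.prestart  = "ifconfig epair${id} create";
exec.prestart += "ifconfig epair${id}a up";
exec.prestart += "ifconfig bridge0 addm epair${id}a";

# Destroying the "a" end tears down both ends after the jail stops.
exec.poststop  = "ifconfig bridge0 deletem epair${id}a";
exec.poststop += "ifconfig epair${id}a destroy";

# Per-jail variable picks the epair number; everything else is inherited.
web { $id = 0; }
db  { $id = 1; }
```

Traffic between web and db, or to the outside world, is switched on bridge0 inside the host, which is the extra packet-handling step Julian mentions; the jails themselves only ever see their own epair and lo0.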