Subject: Re: Per-jail private loopback
To: freebsd-net@freebsd.org
From: Julian Elischer
Date: Fri, 18 Dec 2015 21:45:14 +0800
Message-ID: <56740DEA.8010704@freebsd.org>
References: <22131.18881.757188.951230@hergotha.csail.mit.edu>

On 18/12/2015 11:51 AM, Craig Rodrigues wrote:
> On Thu, Dec 17, 2015 at 3:48 PM, Garrett Wollman wrote:
>
>> Or is VIMAGE cheap
>> enough that I won't notice the performance hit?

Vimage is a negligible overhead in a 1 jail (base jail) system and can actually end up with a negative overhead (gain) in some scenarios.

Most vimage systems use a bridge (either netgraph or if_bridge) to connect the jails together to the outside world which leads to some extra packet handling, but in a system with 24 CPUs it's often handled by an otherwise idle CPU so no performance hit is seen.

It can be a nett gain if you have several interfaces and assign each interface to a different jail/VNET. In this case the different network stacks are not contending with each other for locks where in a single stack jail configuration they would be contending. Different vlan interfaces can be assigned to different VNETS for the same effect if you don't have multiple physical interfaces available.

Even with the extra packet handling of bridged VNETs there can be advantages. For example you can put your jails behind an extra layer of routing WITHIN the host so that changes of routes and connectivity from the machine to the outside world are not seen by the applications.

> Olivier did some measurements with VIMAGE:
> https://lists.freebsd.org/pipermail/freebsd-arch/2014-October/016054.html
>
> I think you should give VIMAGE a shot, if you are doing any serious work
> with jails. I run with VIMAGE configured by default in all my systems
> running 10-STABLE
> and CURRENT.
>
> --
> Craig
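
The layout described in the message above (one interface per jail/VNET, with a VLAN interface standing in where there is no spare physical NIC), sketched as a jail.conf fragment. This is an added example, not part of the original message; the jail names, paths, hostnames, interface names (em0, em1) and VLAN ID are assumptions, and it presumes a kernel built with `options VIMAGE`.

```conf
# /etc/jail.conf -- constructed example; all names and paths are placeholders.

# Defaults shared by every jail below.
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
mount.devfs;
path = "/jails/$name";
host.hostname = "$name.example.org";

# Jail with its own network stack and a dedicated physical NIC.
# "vnet" creates a private stack (including the jail's own lo0);
# "vnet.interface" moves em1 into that stack when the jail starts
# and releases it back to the host when the jail is removed.
web {
    vnet;
    vnet.interface = "em1";
}

# No spare physical NIC: hand the jail a VLAN interface instead.
# The VLAN is created on the host before the jail starts and
# destroyed after the jail has stopped and returned it.
db {
    vnet;
    exec.prestart  = "ifconfig vlan100 create vlan 100 vlandev em0";
    vnet.interface = "vlan100";
    exec.poststop  = "ifconfig vlan100 destroy";
}
```

Addresses and routes for em1 and vlan100 are then configured from inside each jail (for example in the jail's own rc.conf), since the host no longer sees those interfaces while the jails are running.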