Date: Fri, 18 Dec 2015 16:09:40 +0100
From: Mark Martinec <Mark.Martinec@ijs.si>
To: freebsd-net@freebsd.org
Subject: Re: Per-jail private loopback
Message-ID: <567421B4.6020302@ijs.si>
In-Reply-To: <56740DEA.8010704@freebsd.org>
References: <22131.18881.757188.951230@hergotha.csail.mit.edu> <CAG=rPVeuq8DM9wnaNAGrDKeMZs=DtcPh-5ZL46mi3apQ=ER3rg@mail.gmail.com> <56740DEA.8010704@freebsd.org>

It would be nice to use VIMAGE, but it is not in a GENERIC kernel.
Using a custom kernel voids the comfort of using freebsd-update
for installing patch revisions and upgrades.

Mark

On 2015-12-18 14:45, Julian Elischer wrote:
> On 18/12/2015 11:51 AM, Craig Rodrigues wrote:
>> On Thu, Dec 17, 2015 at 3:48 PM, Garrett Wollman <wollman@bimajority.org>
>> wrote:
>>
>>> Or is VIMAGE cheap
>>> enough that I won't notice the performance hit?
> Vimage is a negligible overhead in a 1 jail (base jail) system and can
> actually end up with a negative overhead (gain) in some scenarios.
>
> Most vimage systems use a bridge (either netgraph or if_bridge) to
> connect the jails together to the outside world which leads to some
> extra packet handling, but in a system with 24 CPUs it's often handled
> by an otherwise idle CPU so no performance hit is seen. It can be a
> nett gain if you have several interfaces and assign each interface to a
> different jail/VNET. In this case the different network stacks are not
> contending with each other for locks where in a single stack jail
> configuration they would be contending. Different vlan interfaces can be
> assigned to different VNETS for the same effect if you don't have
> multiple physical interfaces available.
> Even with the extra packet handling of bridged VNETs there can be
> advantages. For example you can put your jails behind an extra layer of
> routing WITHIN the host so that changes of routes and connectivity from
> the machine to the outside world are not seen by the applications.
>
>> Olivier did some measurements with VIMAGE:
>> https://lists.freebsd.org/pipermail/freebsd-arch/2014-October/016054.html
>>
>> I think you should give VIMAGE a shot, if you are doing any serious work
>> with jails. I run with VIMAGE configured by default in all my systems
>> running 10-STABLE
>> and CURRENT.
>>
>> --
>> Craig