From: Mark Martinec <Mark.Martinec@ijs.si>
Subject: Re: Per-jail private loopback
To: freebsd-net@freebsd.org
Date: Fri, 18 Dec 2015 16:09:40 +0100
Message-ID: <567421B4.6020302@ijs.si>
In-Reply-To: <56740DEA.8010704@freebsd.org>
List-Id: Networking and TCP/IP with FreeBSD

It would be nice to use VIMAGE, but it is not in a GENERIC kernel.
Using a custom kernel voids the comfort of using freebsd-update for
installing patch revisions and upgrades.

  Mark

On 2015-12-18 14:45, Julian Elischer wrote:
> On 18/12/2015 11:51 AM, Craig Rodrigues wrote:
>> On Thu, Dec 17, 2015 at 3:48 PM, Garrett Wollman wrote:
>>
>>> Or is VIMAGE cheap enough that I won't notice the performance hit?
> Vimage is a negligible overhead in a 1 jail (base jail) system and can
> actually end up with a negative overhead (gain) in some scenarios.
>
> Most vimage systems use a bridge (either netgraph or if_bridge) to
> connect the jails together to the outside world which leads to some
> extra packet handling, but in a system with 24 CPUs it's often handled
> by an otherwise idle CPU so no performance hit is seen. It can be a
> net gain if you have several interfaces and assign each interface to a
> different jail/VNET. In this case the different network stacks are not
> contending with each other for locks where in a single stack jail
> configuration they would be contending.
> Different vlan interfaces can be assigned to different VNETS for the
> same effect if you don't have multiple physical interfaces available.
> Even with the extra packet handling of bridged VNETs there can be
> advantages. For example you can put your jails behind an extra layer of
> routing WITHIN the host so that changes of routes and connectivity from
> the machine to the outside world are not seen by the applications.
>
>> Olivier did some measurements with VIMAGE:
>> https://lists.freebsd.org/pipermail/freebsd-arch/2014-October/016054.html
>>
>> I think you should give VIMAGE a shot, if you are doing any serious work
>> with jails. I run with VIMAGE configured by default in all my systems
>> running 10-STABLE and CURRENT.
>>
>> --
>> Craig
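An added example, not from this thread, showing the two layouts Julian describes as a jail.conf(5) fragment for a VIMAGE kernel: one jail bridged to the outside world through an epair and if_bridge, and one jail with a vlan interface moved straight into its VNET. Every VNET jail also gets its own lo0, which is the per-jail private loopback the subject line asks about, so a service bound to 127.0.0.1 in one jail is not reachable from another. Interface names (em0, epair0, bridge0, vlan10), addresses and jail paths are assumptions for this illustration.

```conf
# Added example (not the thread's own configuration): /etc/jail.conf for two
# VNET jails. em0, epair0, bridge0, vlan10, the addresses and paths are
# assumptions; adjust them to the host.
exec.clean;
mount.devfs;
path = "/jails/$name";
host.hostname = "$name.example.org";
vnet;   # separate network stack per jail; each one brings its own lo0

# Layout 1: bridged VNET. Packets cross epair0 and bridge0 on the way in
# and out, which is the "extra packet handling" described above, but routes
# inside the jail stay stable when the host's own routing changes.
web {
    vnet.interface = "epair0b";
    exec.prestart  = "ifconfig epair0 create";
    exec.prestart += "ifconfig epair0a up";
    exec.prestart += "ifconfig bridge0 create addm em0 addm epair0a up";
    # exec.start runs inside the jail's VNET; lo0 is configured by /etc/rc
    exec.start     = "ifconfig epair0b inet 192.0.2.10/24 up";
    exec.start    += "route add default 192.0.2.1";
    exec.start    += "/bin/sh /etc/rc";
    exec.stop      = "/bin/sh /etc/rc.shutdown";
    # the jail side of the epair returns to the host when the VNET goes
    # away; destroying epair0a removes both halves
    exec.poststop  = "ifconfig bridge0 destroy";
    exec.poststop += "ifconfig epair0a destroy";
}

# Layout 2: a vlan sub-interface assigned directly to the jail's VNET. No
# bridge is involved and the jail's stack does not contend with the host
# stack for locks, the "net gain" case for hosts without spare NICs.
db {
    vnet.interface = "vlan10";
    exec.prestart  = "ifconfig vlan10 create vlan 10 vlandev em0";
    exec.start     = "ifconfig vlan10 inet 198.51.100.20/24 up";
    exec.start    += "/bin/sh /etc/rc";
    exec.stop      = "/bin/sh /etc/rc.shutdown";
    exec.poststop  = "ifconfig vlan10 destroy";
}
```

Start either jail with `jail -c web` or `jail -c db`; `jexec db ifconfig lo0` then shows the jail's private loopback with 127.0.0.1, separate from the host's and from the other jail's.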