From owner-freebsd-virtualization@FreeBSD.ORG Sat Mar 29 17:58:16 2014
Sender: Devin Teske
To: "'Palle Girgensohn'"
Cc: 'Devin Teske', freebsd-virtualization@FreeBSD.org
Subject: RE: VIMAGE, epair/if_bridge or netgraph?
Date: Sat, 29 Mar 2014 10:58:01 -0700
Message-ID: <034a01cf4b78$6de95280$49bbf780$@FreeBSD.org>
In-Reply-To: <4FD66519.8030503@FreeBSD.org>
References: <4FD66519.8030503@FreeBSD.org>
List-Id: "Discussion of various virtualization techniques FreeBSD supports."

> -----Original Message-----
> From: owner-freebsd-virtualization@freebsd.org
> [mailto:owner-freebsd-virtualization@freebsd.org] On Behalf Of Palle Girgensohn
> Sent: Monday, June 11, 2012 2:37 PM
> To: freebsd-virtualization@FreeBSD.org
> Subject: VIMAGE, epair/if_bridge or netgraph?
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi,
>
> I'm updating some jail servers, and want to use VIMAGE. Compiled it into the
> kernel, learned the hard way not to even include PF in the same kernel [1],
> so now it works quite well.
>
> I am setting up many similar jails, some for testing, some for production. The
> applications are web servers, some tomcat+apache's, and some other
> standard type of services like email and ldap, simple stuff.
> I need no fancy network control, I just need it to work. For each jail there are
> two interfaces, one public, connected to a software bridge (if_bridge or
> ng_bridge) acting as a switch, and one internal, for maintenance, connected
> to a different software bridge. To each software bridge, I connect a physical
> external interface from the jail host.
>
> I am trying to decide whether to use epair and if_bridge, or to use netgraph.
> For netgraph, there is a nice package at DruidBSD [3]. When I found that, I
> had already rewritten the standard jail script, using the
> v2 patches from polymorf [4]. They work equally fine for my purpose.
>
> So now I need to know which scales best, is there a difference in
> performance or stability between netgraph and epair/if_bridge?
>
> Cheers,
> Palle
>
>
> [1] http://forums.freebsd.org/showthread.php?t=31765
>
> [2] http://forums.freebsd.org/showthread.php?t=31949
>
> [3] http://druidbsd.sourceforge.net/vimage.shtml
>
> [4] http://wiki.polymorf.fr/index.php?title=Howto:FreeBSD_jail_vnet

[Devin Teske]

Never saw a reply to this and I'm locating round-tuits to tackle e-mails
that I've marked as "needing reply":

I have not profiled netgraph to have a limitation of 65530 eiface devices off
a single if_bridge, but are allowed multiple bridges with that many devices.

The problem that you run into with that many devices is that if all the
interfaces are visible to a single jail or single host... your "ifconfig"
command could take several hours (about 4) to enumerate each iface to the
screen.

I didn't mess much with epair because it failed to produce a situation where
I could speak separate subnets over the same wire. Netgraph made it easy by
way of being able to enable promiscuous and disable the "autosrc" feature (as
you perhaps already found in my code you linked to above).

-- 
Cheers,
Devin
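
The promiscuous/autosrc point in the reply above, as an added example that is not part of the thread and is not taken from the vimage package it links to: a small generator for an ngctl(8) batch that bridges a physical NIC with ng_bridge and creates one ng_eiface per jail. The NIC name em0, the bridge name pubbr0, the jail names and the _pub node-name suffix are assumptions.

```shell
#!/bin/sh
# Added example: print an ngctl(8) batch; review it, then apply it on the
# jail host with "ngctl -f <file>" (ng_ether must already be loaded).
# All names used here are assumptions, not values from the thread.

# ng_plan NIC BRIDGE JAIL...
ng_plan() {
    nic=$1 br=$2
    shift 2
    # Netgraph node names may not contain '.' or ':'.
    for n in "$nic" "$br" "$@"; do
        case $n in
            ''|*[.:]*) echo "invalid node name: '$n'" >&2; return 1 ;;
        esac
    done
    # The NIC's "lower" hook faces the wire, "upper" faces the host stack.
    echo "mkpeer $nic: bridge lower link0"
    echo "name $nic:lower $br"
    echo "connect $nic: $br: upper link1"
    # Accept frames addressed to the jails' MACs, not only the NIC's own.
    echo "msg $nic: setpromisc 1"
    # Keep each jail's source MAC instead of rewriting it to the NIC's.
    echo "msg $nic: setautosrc 0"
    link=2
    for jail in "$@"; do
        # One virtual Ethernet interface per jail, hung off the bridge.
        echo "mkpeer $br: eiface link$link ether"
        echo "name $br:link$link ${jail}_pub"
        link=$((link + 1))
    done
}

# Constructed sample: one NIC, one public bridge, two jails.
ng_plan em0 pubbr0 web1 ldap1
```

Each mkpeer of type eiface creates an ngethN interface on the host, which is then handed to its jail with `ifconfig ngethN vnet <jail>`. With autosrc off the host forwards whatever source MAC a jail emits, so MAC filtering, if wanted, has to be done elsewhere.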