From owner-freebsd-virtualization@FreeBSD.ORG Sat Mar 29 18:08:24 2014
Sender: Devin Teske
To: "'Palle Girgensohn'"
References: <4FD66519.8030503@FreeBSD.org> <034a01cf4b78$6de95280$49bbf780$@FreeBSD.org>
In-Reply-To: <034a01cf4b78$6de95280$49bbf780$@FreeBSD.org>
Subject: RE: VIMAGE, epair/if_bridge or netgraph?
Date: Sat, 29 Mar 2014 11:08:16 -0700
Message-ID: <036601cf4b79$dc61d9c0$95258d40$@FreeBSD.org>
Cc: freebsd-virtualization@FreeBSD.org
List-Id: "Discussion of various virtualization techniques FreeBSD supports."

> -----Original Message-----
> From: dteske@FreeBSD.org [mailto:dteske@FreeBSD.org]
> Sent: Saturday, March 29, 2014 10:58 AM
> To: 'Palle Girgensohn'
> Cc: freebsd-virtualization@FreeBSD.org; 'Devin Teske'
> Subject: RE: VIMAGE, epair/if_bridge or netgraph?
>
> > -----Original Message-----
> > From: owner-freebsd-virtualization@freebsd.org [mailto:owner-freebsd-virtualization@freebsd.org] On Behalf Of Palle Girgensohn
> > Sent: Monday, June 11, 2012 2:37 PM
> > To: freebsd-virtualization@FreeBSD.org
> > Subject: VIMAGE, epair/if_bridge or netgraph?
> >
> > Hi,
> >
> > I'm updating some jail servers, and want to use VIMAGE. Compiled it
> > into the kernel, learned the hard way not to even include PF in the
> > same kernel [1], so now it works quite well.
> >
> > I am setting up many similar jails, some for testing, some for
> > production. The applications are web servers, some tomcat+apache's, and
> > some other standard type of services like email and ldap, simple stuff.
> > I need no fancy network control, I just need it to work.
> > For each jail there are two interfaces, one public, connected to a
> > software bridge (if_bridge or ng_bridge) acting as a switch, and one
> > internal, for maintenance, connected to a different software bridge.
> > To each software bridge, I connect a physical external interface from
> > the jail host.
> >
> > I am trying to decide whether to use epair and if_bridge, or to use
> > netgraph. For netgraph, there is a nice package at DruidBSD [3]. When I
> > found that, I had already rewritten the standard jail script, using the
> > v2 patches from polymorf [4]. They work equally fine for my purpose.
> >
> > So now I need to know which scales best, is there a difference in
> > performance or stability between netgraph and epair/if_bridge?
> >
> > Cheers,
> > Palle
> >
> > [1] http://forums.freebsd.org/showthread.php?t=31765
> > [2] http://forums.freebsd.org/showthread.php?t=31949
> > [3] http://druidbsd.sourceforge.net/vimage.shtml
> > [4] http://wiki.polymorf.fr/index.php?title=Howto:FreeBSD_jail_vnet
>
> [Devin Teske]
>
> Never saw a reply to this and I'm locating round-tuits to tackle e-mails that
> I've marked as "needing reply":
>
> I have not profiled

Ugh, that was originally "I have not profiled [epair but I have profiled] netgraph"
--
Cheers,
Devin

> netgraph to have a limitation of 65530 eiface devices off a
> single if_bridge, but are allowed multiple bridges with that many devices.
>
> The problems that you run into with that many devices is that if all the
> interfaces are visible to a single jail or single host... your "ifconfig"
> command could take several hours (about 4) to enumerate each iface to the
> screen.
>
> I didn't mess much with epair because it failed to produce a situation where I
> could speak separate subnets over the same wire.
> Netgraph made it easy by way of being able to enable promiscuous and
> disable the "autosrc" feature (as you perhaps already found in my code
> you linked to above).
> --
> Cheers,
> Devin

_____________
The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.