Date: Mon, 31 Mar 2014 13:44:00 +0200
From: Palle Girgensohn <girgen@FreeBSD.org>
To: dteske@freebsd.org
Cc: freebsd-virtualization@FreeBSD.org
Subject: Re: VIMAGE, epair/if_bridge or netgraph?
Message-ID: <2E1F87DA-0CC6-4BEE-BF82-2210D49643BF@FreeBSD.org>
In-Reply-To: <036601cf4b79$dc61d9c0$95258d40$@FreeBSD.org>
References: <4FD66519.8030503@FreeBSD.org> <034a01cf4b78$6de95280$49bbf780$@FreeBSD.org> <036601cf4b79$dc61d9c0$95258d40$@FreeBSD.org>
On 29 Mar 2014, at 19:08, dteske@freebsd.org wrote:

>
>
>> -----Original Message-----
>> From: dteske@FreeBSD.org [mailto:dteske@FreeBSD.org]
>> Sent: Saturday, March 29, 2014 10:58 AM
>> To: 'Palle Girgensohn'
>> Cc: freebsd-virtualization@FreeBSD.org; 'Devin Teske'
>> Subject: RE: VIMAGE, epair/if_bridge or netgraph?
>>
>>
>>
>>> -----Original Message-----
>>> From: owner-freebsd-virtualization@freebsd.org
>>> [mailto:owner-freebsd-virtualization@freebsd.org] On Behalf Of Palle Girgensohn
>>> Sent: Monday, June 11, 2012 2:37 PM
>>> To: freebsd-virtualization@FreeBSD.org
>>> Subject: VIMAGE, epair/if_bridge or netgraph?
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Hi,
>>>
>>> I'm updating some jail servers, and want to use VIMAGE. Compiled it
>>> into the kernel, learned the hard way not to even include PF in the
>>> same kernel [1], so now it works quite well.
>>>
>>> I am setting up many similar jails, some for testing, some for
>>> production. The applications are web servers, some tomcat+apache's, and
>>> some other standard type of services like email and ldap, simple stuff.
>>> I need no fancy network control, I just need it to work. For each jail
>>> there are two interfaces, one public, connected to a software bridge
>>> (if_bridge or ng_bridge) acting as a switch, and one internal, for
>>> maintenance, connected to a different software bridge. To each software
>>> bridge, I connect a physical external interface from the jail host.
>>>
>>> I am trying to decide whether to use epair and if_bridge, or to use
>>> netgraph. For netgraph, there is a nice package at DruidBSD [3]. When I
>>> found that, I had already rewritten the standard jail script, using the
>>> v2 patches from polymorf [4]. They work equally fine for my purpose.
>>>
>>> So now I need to know which scales best, is there a difference in
>>> performance or stability between netgraph and epair/if_bridge?
>>>
>>> Cheers,
>>> Palle
>>>
>>>
>>> [1] http://forums.freebsd.org/showthread.php?t=31765
>>>
>>> [2] http://forums.freebsd.org/showthread.php?t=31949
>>>
>>> [3] http://druidbsd.sourceforge.net/vimage.shtml
>>>
>>> [4] http://wiki.polymorf.fr/index.php?title=Howto:FreeBSD_jail_vnet
>>
>> [Devin Teske]
>>
>> Never saw a reply to this and I'm locating round-tuits to tackle e-mails that
>> I've marked as "needing reply":
>>
>> I have not profiled
>
> Ugh, that was originally "I have not profiled [epair but I have profiled] netgraph"
> --
> Cheers,
> Devin
>
>> netgraph to have a limitation of 65530 eiface devices off a
>> single if_bridge, but are allowed multiple bridges with that many devices.
>>
>> The problems that you run into with that many devices is that if all the
>> interfaces are visible to a single jail or single host... your "ifconfig"
>> command could take several hours (about 4) to enumerate each iface to the
>> screen.
>>
>> I didn't mess much with epair because it failed to produce a situation where I
>> could speak separate subnets over the same wire. Netgraph made it easy by
>> way of being able to enable promiscuous and disable the "autosrc" feature
>> (as you perhaps already found in my code you linked to above).
>> --
>> Cheers,
>> Devin
>>

Thanks for the response.

I have since created a setup with epair, only to abandon it and pursue a setup with netgraph instead. I can't yet say which will best serve my needs, I can get back to that when I have more data.

I do know that shutting down a jail that has epairs enabled very likely will panic the kernel. I'm not certain that netgraph is any different, but I have no data yet. I do know that some fixes have been made to the kernel to avoid crashes.

I'll get back with more info as I have more info to reveal.
:)

Cheers,
Palle
