Date:      Mon, 31 Mar 2014 13:44:00 +0200
From:      Palle Girgensohn <girgen@FreeBSD.org>
To:        dteske@freebsd.org
Cc:        freebsd-virtualization@FreeBSD.org
Subject:   Re: VIMAGE, epair/if_bridge or netgraph?
Message-ID:  <2E1F87DA-0CC6-4BEE-BF82-2210D49643BF@FreeBSD.org>
In-Reply-To: <036601cf4b79$dc61d9c0$95258d40$@FreeBSD.org>
References:  <4FD66519.8030503@FreeBSD.org> <034a01cf4b78$6de95280$49bbf780$@FreeBSD.org> <036601cf4b79$dc61d9c0$95258d40$@FreeBSD.org>



On 29 Mar 2014, at 19:08, dteske@freebsd.org wrote:

>
>
>> -----Original Message-----
>> From: dteske@FreeBSD.org [mailto:dteske@FreeBSD.org]
>> Sent: Saturday, March 29, 2014 10:58 AM
>> To: 'Palle Girgensohn'
>> Cc: freebsd-virtualization@FreeBSD.org; 'Devin Teske'
>> Subject: RE: VIMAGE, epair/if_bridge or netgraph?
>>
>>
>>
>>> -----Original Message-----
>>> From: owner-freebsd-virtualization@freebsd.org [mailto:owner-freebsd-virtualization@freebsd.org] On Behalf Of Palle Girgensohn
>>> Sent: Monday, June 11, 2012 2:37 PM
>>> To: freebsd-virtualization@FreeBSD.org
>>> Subject: VIMAGE, epair/if_bridge or netgraph?
>>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>> Hi,
>>>
>>> I'm updating some jail servers, and want to use VIMAGE. Compiled it
>>> into the kernel, learned the hard way not to even include PF in the
>>> same kernel [1], so now it works quite well.
>>>
>>> I am setting up many similar jails, some for testing, some for
>>> production. The applications are web servers, some tomcat+apache's, and
>>> some other standard type of services like email and ldap, simple stuff.
>>> I need no fancy network control, I just need it to work. For each jail
>>> there are two interfaces, one public, connected to a software bridge
>>> (if_bridge or ng_bridge) acting as a switch, and one internal, for maintenance,
>>> connected to a different software bridge. To each software bridge, I
>>> connect a physical external interface from the jail host.
>>>
>>> I am trying to decide whether to use epair and if_bridge, or to use netgraph.
>>> For netgraph, there is a nice package at DruidBSD [3]. When I found
>>> that, I had already rewritten the standard jail script, using the
>>> v2 patches from polymorf [4]. They work equally fine for my purpose.
>>>
>>> So now I need to know which scales best, is there a difference in
>>> performance or stability between netgraph and epair/if_bridge?
>>>
>>> Cheers,
>>> Palle
>>>
>>>
>>> [1] http://forums.freebsd.org/showthread.php?t=31765
>>>
>>> [2] http://forums.freebsd.org/showthread.php?t=31949
>>>
>>> [3] http://druidbsd.sourceforge.net/vimage.shtml
>>>
>>> [4] http://wiki.polymorf.fr/index.php?title=Howto:FreeBSD_jail_vnet
>>
>> [Devin Teske]
>>
>> Never saw a reply to this and I'm locating round-tuits to tackle e-mails that
>> I've marked as "needing reply":
>>
>> I have not profiled
>
> Ugh, that was originally "I have not profiled [epair but I have profiled] netgraph"
> --
> Cheers,
> Devin
>
>> netgraph to have a limitation of 65530 eiface devices off a
>> single if_bridge, but are allowed multiple bridges with that many devices.
>>
>> The problem that you run into with that many devices is that if all the
>> interfaces are visible to a single jail or single host... your "ifconfig"
>> command could take several hours (about 4) to enumerate each iface to the
>> screen.
>>
>> I didn't mess much with epair because it failed to produce a situation where I
>> could speak separate subnets over the same wire. Netgraph made it easy by
>> way of being able to enable promiscuous and disable the "autosrc" feature
>> (as you perhaps already found in my code you linked to above).
>> --
>> Cheers,
>> Devin
>>


Thanks for the response.

I have since created a setup with epair, only to abandon it and pursue a setup with netgraph instead. I can't yet say which will best serve my needs, I can get back to that when I have more data.

I do know that shutting down a jail that has epairs enabled very likely will panic the kernel. I'm not certain that netgraph is any different, but I have no data yet. I do know that some fixes have been made to the kernel to avoid crashes.

I'll get back with more info as I have more info to reveal. :)

Cheers,
Palle



