Date:      Mon, 3 Jun 2019 10:41:20 +0200
From:      Kristof Provost <kp@freebsd.org>
To:        Matthew Seaman <matthew@freebsd.org>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: to jail or not to jail
Message-ID:  <20190603084120.GA10541@vega.codepro.be>
In-Reply-To: <5d9af532-45fc-b088-893d-ec413460b2ff@FreeBSD.org>
References:  <CAPORhP4pbfCC96PXOeErJgswX_2dh%2BmXcBb1TrH6F0f5oN-wDw@mail.gmail.com> <9783db6e-959e-b177-89d5-84af47fd5c3f@FreeBSD.org> <1231820b-830b-4a22-8b08-37242226d276@www.fastmail.com> <5d9af532-45fc-b088-893d-ec413460b2ff@FreeBSD.org>

On 2019-06-03 09:33:25 (+0100), Matthew Seaman <matthew@FreeBSD.org> wrote:
> On 02/06/2019 12:41, Dave Cottlehuber wrote:
> >> think about using vimage jails on 12.0, as that makes the jails seem a
> >> lot more like just regular VMs, and gives you the ability to effectively
> >> create a private virtual switch inside your server, rather than having
> >> services appear on external interfaces.  Beware though that there are
> >> currently some quite severe bandwidth limitations on this sort of
> >> internally virtualized networking under FreeBSD, so this is not suitable
> >> for a high-traffic system.
> 
> > Matthew, anything you can point me to about this limitation?
> 
> Kristof Provost talked about it during his presentation at BSDCAN -- the 
> video of that is not turning up in my searches, but here's probably a 
> very similar talk from linux.conf.au:
> 
> https://www.youtube.com/watch?v=2neDPNIcrBk
> 
> In short the problem is that there's a single thread for handling all 
> the internal traffic.  (Possibly a single lock as well?)
> 
if_bridge contends on a single mutex. Expect no more than ~1.2 million
packets per second through a bridge, regardless of how many cores you
have.

That's actually a fairly substantial amount of traffic; it may or may
not be a practical concern for you.

Note that that's unrelated to vimage as such. It's just a very common
way to set things up. If you avoid if_bridge the performance impact of
vimage is trivial, and you pay it even if you don't use vimage jails.

Best regards,
Kristof
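
As an added example (not part of Kristof's message or this thread), here is a small POSIX sh script that parses ifconfig(8) output and reports which epair interfaces are members of an if_bridge, i.e. which jail links are subject to the single-mutex ceiling described above, and which epairs are routed without a bridge. The ifconfig output embedded below is constructed sample text so the script runs offline; on a real host you would pass `$(ifconfig)` instead.

```sh
#!/bin/sh
# Added example, not from the thread: find epair interfaces that cross if_bridge.
# Only bridged traffic hits the single-mutex limit; routed epairs do not.

# Constructed sample in ifconfig(8) layout: bridge0 carries epair0a and epair1a,
# while epair2a is configured with an address and routed directly.
SAMPLE_IFCONFIG='bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 58:9c:fc:10:ff:d6
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    member: epair1a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 6 priority 128 path cost 2000
    member: epair0a flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 5 priority 128 path cost 2000
epair0a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:4e:5d:69:16:0a
epair1a: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:4e:5d:69:16:0b
epair2a: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:4e:5d:69:16:0c
    inet 10.0.2.1 netmask 0xfffffffe broadcast 10.0.2.1
'

# bridged_epairs: print "<bridge> <epair>" for every epair that is a bridge member.
# Interface header lines start in column 0 ("bridge0:"); member lines are indented.
bridged_epairs() {
    printf '%s' "$1" | awk '
        /^[a-z0-9]+:/ { cur = $1; sub(/:$/, "", cur) }
        cur ~ /^bridge/ && $1 == "member:" && $2 ~ /^epair/ { print cur, $2 }
    '
}

# unbridged_epairs: epair interfaces present on the host that belong to no bridge.
unbridged_epairs() {
    all=$(printf '%s' "$1" | awk '/^epair[0-9]+[ab]:/ { sub(/:$/, "", $1); print $1 }')
    bridged=$(bridged_epairs "$1" | awk '{ printf "%s ", $2 }')
    for i in $all; do
        case " $bridged " in *" $i "*) ;; *) echo "$i" ;; esac
    done
}

# On a real FreeBSD host use: bridged_epairs "$(ifconfig)"
echo "epairs crossing if_bridge (subject to the single-lock ceiling):"
bridged_epairs "$SAMPLE_IFCONFIG"
echo "epairs not in any bridge:"
unbridged_epairs "$SAMPLE_IFCONFIG"
```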
