Changes
Containers/Network virtualization

900 bytes added, 17:13, 8 November 2006
added Linux-VServer
For input packets the context switch is inherited from the routing entry; for output packets it is inherited from the socket.
=== Socket virtualization (Linux-VServer) ===
'''Requirements''':
# implementation overhead for established TCP connections should be zero.
There is no context switching for packets at all; the checks are performed between the process context and the socket context.
 
=== Network Isolation (Linux-VServer) ===
 
# all interfaces and IPs are visible on the host
# routing and iptables are configured on the host
# the guest has a subset of IPs assigned for 'binding'
# the source IP of guest packets is within the assigned set
# 'local' guest traffic is isolated from other guests
# no measurable overhead on packet routing
# normal routing is not impaired (same behaviour as without isolation)
# guest-guest and guest-host traffic goes via loopback
 
'''Current implementation''':
 
A Network Context holds an 'assigned' set of IPs, which is used for 'collision' checks at bind
time, 'source' checks at send time and 'destination' checks at receive time. The first
assigned IP is handled specially, as it is used for routing decisions outside the IP set.
Loopback traffic isolation is done via IP 'remapping'.
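The three checks and the loopback remapping described above, as an added model in Python (not Linux-VServer's kernel code): a guest context with an assigned IP set, a host-wide table of bound (ip, port) pairs for the collision check, and delivery by destination IP. The remap target for 127.0.0.1 (the guest's first assigned IP) and the sample addresses are assumptions of this model.

```python
import ipaddress

class NetworkContext:
    """Model of a Linux-VServer network context: a guest holding an
    'assigned' set of IPs. No packet-level context switch happens; the
    checks below run between the process (guest) and the socket."""

    def __init__(self, name, ips):
        self.name = name
        self.ips = [ipaddress.ip_address(ip) for ip in ips]
        # The first assigned IP is handled specially: it stands in for the
        # guest wherever an address outside the set would be used.
        self.first_ip = self.ips[0]

    def remap_loopback(self, ip):
        # Loopback isolation via 'remapping': the guest's 127.0.0.1 is
        # replaced by its first assigned IP (the exact remap target is an
        # assumption of this model), so two guests binding 127.0.0.1:80
        # end up on distinct host addresses instead of colliding.
        ip = ipaddress.ip_address(ip)
        return self.first_ip if ip.is_loopback else ip

    def check_bind(self, ip, port, bound):
        """Bind-time 'collision' check against the host-wide set of
        (ip, port) pairs already bound; returns True and records the
        binding on success."""
        ip = self.remap_loopback(ip)
        if ip not in self.ips or (ip, port) in bound:
            return False
        bound.add((ip, port))
        return True

    def check_send(self, src):
        """Send-time 'source' check: a guest packet must carry one of
        the guest's assigned IPs as its source."""
        return self.remap_loopback(src) in self.ips

    def check_receive(self, dst):
        """Receive-time 'destination' check: only packets addressed to an
        assigned IP are delivered into this context."""
        return ipaddress.ip_address(dst) in self.ips

def deliver(contexts, dst):
    """Host-side delivery: hand a packet to the one context whose assigned
    set contains dst (None if no guest owns it, e.g. a host-only IP)."""
    for ctx in contexts:
        if ctx.check_receive(dst):
            return ctx.name
    return None
```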
 
== Virtualization table ==
{| class="wikitable"
! Virtualization approach
! network devices
! routing tables
! network sockets
! loopback
! netfilters
|-
| 2d level virtualization || v || v/i || v || v || v
|-
| 3d level virtualization || - || v/i || i || i || -
|-
| bind filtering || - || - || i || - || -
|-
| network isolation || i/m || i || i || i/m || -
|}
* 'v' - virtualized
* 'i' - isolated
* 'm' - mapped
* '-' - neither virtualized nor isolated
[[Category:Containers]]