Changes


WP/What are containers

1,552 bytes added, 14:13, 21 March 2011
+networking
== Miscellaneous topics ==
 
[[Image:CT-networking.png|right]]
=== Networking ===
 
Each container has its own network stack. This includes network device(s), routing table, firewall rules (iptables), network caches, hash tables, etc.
 
Three major modes of operation are possible.
 
==== Route-based (venet) ====
 
This mode works in Layer 3 (network layer) of the [[w:OSI model]]. That means a container has a MAC-less network device (called <code>venet</code>), with the host system acting as a router. Each IP packet traverses both the host's and the container's IP stacks.
 
The major features of this setup are:
* '''High security'''. It's the host system administrator who specifies container IP(s) and routing rule(s).
* '''High control'''. Host system administrator fully controls container networking, by means of routing, firewall, traffic shaper etc.
* '''NOARP'''. A container cannot use broadcasts or multicasts (since these features are on Layer 2 and require a MAC address).
 
==== Bridge-based (veth) ====
 
This mode works in OSI Layer 2. For the container, a Virtual Ethernet (<code>veth</code>) device is used. This device can be thought of as a pipe with two ends, one in the host system and the other in the CT, so a packet that enters one end comes out of the other. The host system acts as a bridge, so the veth device is usually bridged together with <code>eth0</code> or a similar interface.
 
The major features of this setup are:
* '''High configurability''': the container administrator can set up all the networking.
* '''Ability to use broadcasts/multicasts'''
 
==== Real network device in a container ====
 
The host system administrator can move a network device (such as <code>eth1</code>) into a container. The container administrator can then manage it as usual.
 
Major features are:
* Best performance
* Low security
* Container is tied to hardware
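The three modes above each leave a different trace in the container's configuration file, and the host administrator is the one who can review which mode a container actually uses. The following audit script is an added example, not code from the OpenVZ project or this page: it parses the <code>KEY="value"</code> lines of an OpenVZ container config (the <code>IP_ADDRESS</code>, <code>NETIF</code> and <code>NETDEV</code> keys are the ones vzctl writes for venet, veth and real devices respectively; the sample config values are constructed) and reports the modes found together with the caveats the sections above give for veth and real devices. The function and dictionary names are the example's own.

```python
import re

# Format of /etc/vz/conf/<CTID>.conf as written by vzctl: one KEY="value" per line.
# IP_ADDRESS (venet), NETIF (veth) and NETDEV (real device) decide the networking
# mode; the parsing and the policy messages below are an added illustration.
_KV = re.compile(r'^\s*([A-Z_][A-Z0-9_]*)=(?:"([^"]*)"|(\S*))\s*$')

# Constructed sample config: a container using all three modes at once.
SAMPLE_CONF = """\
# constructed example, not a real container
ONBOOT="yes"
IP_ADDRESS="10.0.0.2 10.0.0.3"
NETIF="ifname=eth0,mac=00:18:51:AA:BB:01,host_ifname=veth101.0,host_mac=00:18:51:AA:BB:02"
NETDEV="eth1"
"""


def parse_ct_conf(text):
    """Return the config as a dict; a later duplicate key overrides an earlier one."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0]          # drop trailing comments
        m = _KV.match(line)
        if m:
            conf[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return conf


def parse_netif(value):
    """NETIF lists veth devices separated by ';', each as 'k=v,k=v,...'."""
    devs = []
    for item in value.split(';'):
        if item.strip():
            devs.append(dict(kv.split('=', 1) for kv in item.split(',') if '=' in kv))
    return devs


def audit_ct_networking(text):
    """Classify the networking modes in a container config and list review points."""
    conf = parse_ct_conf(text)
    report = {'modes': [], 'ips': [], 'veth_host_ifnames': [], 'netdevs': [], 'findings': []}

    # venet: host administrator assigns the IP(s); nothing for the container admin to change.
    ips = conf.get('IP_ADDRESS', '').split()
    if ips:
        report['modes'].append('venet')
        report['ips'] = ips

    # veth: the container admin configures addresses, so policy must live on the host bridge/firewall.
    veths = parse_netif(conf.get('NETIF', ''))
    if veths:
        report['modes'].append('veth')
        report['veth_host_ifnames'] = [d.get('host_ifname', '?') for d in veths]
        report['findings'].append(
            'veth: container admin sets addresses; enforce filtering on the host bridge/firewall')

    # real device: the container owns a physical NIC (low security, tied to hardware).
    netdevs = conf.get('NETDEV', '').split()
    if netdevs:
        report['modes'].append('netdev')
        report['netdevs'] = netdevs
        report['findings'].append(
            'netdev %s: container owns a physical NIC (low security, tied to hardware)'
            % ' '.join(netdevs))

    if not report['modes']:
        report['findings'].append('no network configured for this container')
    return report


if __name__ == '__main__':
    for key, value in audit_ct_networking(SAMPLE_CONF).items():
        print('%-18s %s' % (key + ':', value))
```

Run against a real host by feeding it the contents of each <code>/etc/vz/conf/&lt;CTID&gt;.conf</code>; a container that reports only <code>venet</code> is the one whose addressing and routing stay entirely under the host administrator's control, while any <code>veth</code> or <code>netdev</code> entry marks a container whose network configuration must be checked on the host side.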

=== Limitations ===
* Container does not have direct access to hardware such as hard drive, network card, or a PCI device. Such access can be granted by host system administrator if needed.
 
=== Containers overhead ===
 
OpenVZ works almost as fast as a usual Linux system. The only overhead is for networking and additional resource management (see below), and in most cases it is negligible.

=== OpenVZ host system scope ===
From the host system, all container processes are visible.
 
=== Networking (routed/bridged) ===
 
Does it differ much from VMs?
