Containers/Network virtualization

From OpenVZ Virtuozzo Containers Wiki
< Containers
Revision as of 11:28, 8 November 2006 by Dim (talk | contribs) (Approaches)
Jump to: navigation, search

There are a number of approaches to the network virtualization, caused by different requirements for different usages. This page is made in order to summarize them and create solution suitable for all.

Usages

Current known usages are:

  • Virtual Environments - complete OS environment, with it's own users, groups, filesystems and devices;
  • Application Containers - partly isolated environment with application inside.

Approaches

Virtualization on the 2nd level (OpenVZ)

Requirements:

The main requirement is that containers should have close to standalone servers networking capabilities. In details:

  1. containers should have own loopback;
  2. containers should have ability to setup their own level 3 addresses;
  3. containers should have ability to sniff their traffic;
  4. containers should have ability to setup their own routes;
  5. containers should have ability to receive multicast/broadcast packets;
  6. containers should have their own netfilters;
  7. containers should have at least one level 2 device;


Current implementation:

For input packets context switching is performed in netif_receive_skb(), inherited from the device context. For output, context is inherited from the socket one.

Virtualization on the 3d level (IBM)

Requirements:

  1. One can ran servers in several containers listening on *:port without conflict and __without__ forcing the bind to use the IP address assigned to the container;
  2. The source address will be filled with the container IP address;
  3. Keep sockets isolated by namespace;
  4. have the loopback isolated;
  5. have the performance near to native as possible;
  6. have broadcast and multicast working.

Current implementation:

For input packets context switching is inherited from the routing entry, for output - inherited from the socket one.

Socket virtualization (Linux-VServer)

Requirements:

  1. implementation overhead for established tcp connections should be zero;
  2. FIXME

Current implementation:

There is no context switching for packets at all, checks are performed between process and socket contexts.

Virtualization table

This is a summary table in order to show which core networking objects are virtualized/isolated in above approaches or not.

Virtualization approach network devices routing tables network sockets netfilters
2d level virtualization v v/i v v
3d level virtualization - i i -
bind filtering - - i -

Legend:

  • 'v' - virtualized
  • 'i' - isolated
  • '-' - neither virtualized nor isolated
Retrieved from "https://wiki.openvz.org/index.php?title=Containers/Network_virtualization&oldid=2476"