Containers/Network virtualization
There are a number of approaches to network virtualization, driven by the different requirements of different usages. This page summarizes them in order to arrive at a single solution suitable for all of them.
Usages
Current known usages are:
- Virtual Environments - complete OS environment, with its own users, groups, filesystems and devices;
- Application Containers - partly isolated environment with application inside.
Approaches
- virtualization on the 2nd level (OpenVZ);
  - For input packets the context switch is performed in the device xmit code, so a virtual device is required. For output packets the context is inherited from the socket's context.
- virtualization on the 3rd level (IBM);
  - For input packets the context switch is performed in the routing code; for output packets the context is inherited from the socket's context.
- socket virtualization (Linux-VServer).
  - There is no context switching for packets at all; checks are performed between the process context and the socket context.
Virtualization table
This summary table shows which core networking objects are virtualized or isolated (or neither) in each of the approaches above.
| Virtualization approach | network devices | routing tables | network sockets | netfilters |
|---|---|---|---|---|
| 2nd level virtualization | v | v/i | v | v |
| 3rd level virtualization | - | i | i | - |
| bind filtering | - | - | i | - |
Legend:
- 'v' - virtualized
- 'i' - isolated
- '-' - neither virtualized nor isolated
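To make the three dispatch points concrete, here is an added toy model (not code from the original page, nor from OpenVZ, IBM or Linux-VServer) of which lookup selects a packet's context under each approach, and what follows when two contexts reuse the same address; the context ids, device names and the address 10.0.0.2 are constructed for the example.

```python
class Level2:
    # Device-level virtualization (OpenVZ): each context owns its devices,
    # so the input device alone selects the context; addresses may overlap.
    def __init__(self):
        self.dev_ctx = {}  # device name -> context id (constructed data)
    def add(self, ctx, dev, addr):
        self.dev_ctx[dev] = ctx
    def ctx_for(self, in_dev, dst):
        return self.dev_ctx.get(in_dev)


class Level3:
    # Routing-level virtualization (IBM): devices are shared and the routing
    # lookup on the destination picks the context, so each address has one owner.
    def __init__(self):
        self.routes = {}  # destination address -> context id
    def add(self, ctx, dev, addr):
        owner = self.routes.setdefault(addr, ctx)
        if owner != ctx:
            raise ValueError(f"{addr} already routed to context {owner}")
    def ctx_for(self, in_dev, dst):
        return self.routes.get(dst)


class SocketLevel:
    # Socket virtualization (Linux-VServer): packets carry no context; the
    # only check is between the process context and the socket at bind() time.
    def __init__(self):
        self.allowed = {}  # context id -> addresses it may bind
    def add(self, ctx, dev, addr):
        self.allowed.setdefault(ctx, set()).add(addr)
    def ctx_for(self, in_dev, dst):
        return None  # no per-packet context switch exists
    def may_bind(self, ctx, addr):
        return addr in self.allowed.get(ctx, set())


def overlapping_addresses(impl_cls):
    """Give contexts 1 and 2 the same address on their own devices, then ask
    which context a packet arriving on veth2 belongs to."""
    impl = impl_cls()
    try:
        impl.add(1, "veth1", "10.0.0.2")
        impl.add(2, "veth2", "10.0.0.2")
    except ValueError:
        return "conflict"
    return ("ok", impl.ctx_for("veth2", "10.0.0.2"))
```

Running `overlapping_addresses` against each class shows that only device-level virtualization resolves the packet to context 2, routing-level virtualization rejects the second owner of the address, and socket-level checks give the packet no context at all.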
