Difference between revisions of "Containers/Network virtualization"
m |
(→Approaches) |
||
| Line 7: | Line 7: | ||
== Approaches == | == Approaches == | ||
| − | + | === Virtualization on the 2nd level (OpenVZ) === | |
| − | : For input packets context switching is performed in | + | '''Requirements''': |
| − | + | ||
| − | : For input packets context switching is | + | The main requirement is that containers should have close to standalone servers networking capabilities. In details: |
| − | + | # containers should have own loopback; | |
| − | : There is no context switching for packets at all, checks are performed between process and socket contexts. | + | # containers should have ability to setup their own level 3 addresses; |
| + | # containers should have ability to sniff their traffic; | ||
| + | # containers should have ability to setup their own routes; | ||
| + | # containers should have ability to receive multicast/broadcast packets; | ||
| + | # containers should have their own netfilters; | ||
| + | # containers should have at least one level 2 device; | ||
| + | |||
| + | |||
| + | '''Current implementation''': | ||
| + | |||
| + | For input packets context switching is performed in netif_receive_skb(), inherited from the device context. For output, context is inherited from the socket one. | ||
| + | |||
| + | === Virtualization on the 3d level (IBM) === | ||
| + | '''Requirements''': | ||
| + | # One can ran servers in several containers listening on *:port without conflict and __without__ forcing the bind to use the IP address assigned to the container; | ||
| + | # The source address will be filled with the container IP address; | ||
| + | # Keep sockets isolated by namespace; | ||
| + | # have the loopback isolated; | ||
| + | # have the performance near to native as possible; | ||
| + | # have broadcast and multicast working. | ||
| + | |||
| + | '''Current implementation''': | ||
| + | |||
| + | For input packets context switching is inherited from the routing entry, for output - inherited from the socket one. | ||
| + | |||
| + | === Socket virtualization (Linux-VServer) === | ||
| + | '''Requirements''': | ||
| + | # implementation overhead for established tcp connections should be zero; | ||
| + | # FIXME | ||
| + | |||
| + | '''Current implementation''': | ||
| + | |||
| + | There is no context switching for packets at all, checks are performed between process and socket contexts. | ||
== Virtualization table == | == Virtualization table == | ||
Revision as of 11:28, 8 November 2006
There are a number of approaches to the network virtualization, caused by different requirements for different usages. This page is made in order to summarize them and create solution suitable for all.
Contents
Usages
Current known usages are:
- Virtual Environments - complete OS environment, with it's own users, groups, filesystems and devices;
- Application Containers - partly isolated environment with application inside.
Approaches
Virtualization on the 2nd level (OpenVZ)
Requirements:
The main requirement is that containers should have close to standalone servers networking capabilities. In details:
- containers should have own loopback;
- containers should have ability to setup their own level 3 addresses;
- containers should have ability to sniff their traffic;
- containers should have ability to setup their own routes;
- containers should have ability to receive multicast/broadcast packets;
- containers should have their own netfilters;
- containers should have at least one level 2 device;
Current implementation:
For input packets context switching is performed in netif_receive_skb(), inherited from the device context. For output, context is inherited from the socket one.
Virtualization on the 3d level (IBM)
Requirements:
- One can ran servers in several containers listening on *:port without conflict and __without__ forcing the bind to use the IP address assigned to the container;
- The source address will be filled with the container IP address;
- Keep sockets isolated by namespace;
- have the loopback isolated;
- have the performance near to native as possible;
- have broadcast and multicast working.
Current implementation:
For input packets context switching is inherited from the routing entry, for output - inherited from the socket one.
Socket virtualization (Linux-VServer)
Requirements:
- implementation overhead for established tcp connections should be zero;
- FIXME
Current implementation:
There is no context switching for packets at all, checks are performed between process and socket contexts.
Virtualization table
This is a summary table in order to show which core networking objects are virtualized/isolated in above approaches or not.
| Virtualization approach | network devices | routing tables | network sockets | netfilters |
|---|---|---|---|---|
| 2d level virtualization | v | v/i | v | v |
| 3d level virtualization | - | i | i | - |
| bind filtering | - | - | i | - |
Legend:
- 'v' - virtualized
- 'i' - isolated
- '-' - neither virtualized nor isolated
