to jail or not to jail
Kristof Provost
kp at freebsd.org
Mon Jun 3 08:41:28 UTC 2019
On 2019-06-03 09:33:25 (+0100), Matthew Seaman <matthew at FreeBSD.org> wrote:
> On 02/06/2019 12:41, Dave Cottlehuber wrote:
> >> think about using vimage jails on 12.0, as that makes the jails seem a
> >> lot more like just regular VMs, and gives you the ability to effectively
> >> create a private virtual switch inside your server, rather than having
> >> services appear on external interfaces. Beware though that there are
> >> currently some quite severe bandwidth limitations on this sort of
> >> internally virtualized networking under FreeBSD, so this is not suitable
> >> for a high-traffic system.
>
> > Matthew, anything you can point me to about this limitation?
>
> Kristof Provost talked about it during his presentation at BSDCAN -- the
> video of that is not turning up in my searches, but here's probably a
> very similar talk from linux.conf.au:
>
> https://www.youtube.com/watch?v=2neDPNIcrBk
>
> In short the problem is that there's a single thread for handling all
> the internal traffic. (Possibly a single lock as well?)
>
if_bridge contends on a single mutex. Expect no more than ~1.2 million
packets per second through a bridge, regardless of how many cores you
have.
That's actually a fairly substantial amount of traffic; it may or may
not be a practical concern for you.
Note that that's unrelated to vimage as such. It's just a very common
way to set things up. If you avoid if_bridge the performance impact of
vimage is trivial, and you pay it even if you don't use vimage jails.
Best regards,
Kristof
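As an added illustration, not part of the thread or of anything Kristof or Matthew posted, here are two jail.conf(5) fragments for vnet jails on FreeBSD 12. The first is the common "private virtual switch" setup that puts the jail's epair on an if_bridge together with the physical NIC, which is the path that runs into the single-mutex ceiling described above. The second gives the jail a point-to-point epair link to the host and uses the host's own IP stack to forward its traffic, so no if_bridge is involved. The interface names (em0, epair0, epair1), addresses (192.0.2.0/24, 10.90.1.0/30), jail path and hostnames are assumptions for the example; the routed variant also needs net.inet.ip.forwarding=1 on the host, and how the host then gets the jail's packets to the rest of the network (static routes, pf NAT) is outside what the thread covers.

```conf
# Added example, not from the original thread. Two vnet jails in /etc/jail.conf.
# Jail names, addresses, paths and the host NIC (em0) are assumptions.

# Globals shared by both jails.
exec.start = "/bin/sh /etc/rc";
exec.stop  = "/bin/sh /etc/rc.shutdown";
exec.clean;
mount.devfs;
path = "/usr/jails/$name";
host.hostname = "$name.example.org";

# 1. Bridged: epair0a is a member of bridge0 alongside em0, so every frame
#    to or from the jail passes through if_bridge. All jails on bridge0
#    share the roughly 1.2 Mpps ceiling the thread describes, no matter
#    how many cores the host has.
bridged {
    # bridge0 is assumed to exist already, e.g. from /etc/rc.conf:
    #   cloned_interfaces="bridge0"
    #   ifconfig_bridge0="addm em0 up"
    vnet;
    vnet.interface = "epair0b";
    exec.prestart  = "ifconfig epair0 create up";
    exec.prestart += "ifconfig bridge0 addm epair0a up";
    exec.start    += "ifconfig epair0b inet 192.0.2.10/24 up";
    exec.start    += "route add default 192.0.2.1";
    exec.poststop  = "ifconfig bridge0 deletem epair0a";
    exec.poststop += "ifconfig epair0a destroy";   # destroys both halves
}

# 2. Routed: the epair is a /30 link between host and jail and the host
#    forwards the jail's traffic itself. Nothing here takes the if_bridge
#    lock, so only the (trivial) vimage cost remains.
routed {
    # The host must forward IP: sysctl net.inet.ip.forwarding=1, or
    # gateway_enable="YES" in /etc/rc.conf.
    vnet;
    vnet.interface = "epair1b";
    exec.prestart  = "ifconfig epair1 create up";
    exec.prestart += "ifconfig epair1a inet 10.90.1.1/30 up";
    exec.start    += "ifconfig epair1b inet 10.90.1.2/30 up";
    exec.start    += "route add default 10.90.1.1";
    exec.poststop  = "ifconfig epair1a destroy";   # destroys both halves
}
```

Start either jail with `jail -c bridged` or `jail -c routed` (or `service jail onestart <name>`). The only difference that matters for the throughput point is whether a bridge sits between the jail's epair and the rest of the host: in the routed variant the jail is reachable only via routes on the host, which is more work to set up than plugging into a bridge, but it keeps if_bridge (and its mutex) out of the data path entirely.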