to jail or not to jail

Kristof Provost kp at freebsd.org
Mon Jun 3 08:41:28 UTC 2019


On 2019-06-03 09:33:25 (+0100), Matthew Seaman <matthew at FreeBSD.org> wrote:
> On 02/06/2019 12:41, Dave Cottlehuber wrote:
> >> think about using vimage jails on 12.0, as that makes the jails seem a
> >> lot more like just regular VMs, and gives you the ability to effectively
> >> create a private virtual switch inside your server, rather than having
> >> services appear on external interfaces.  Beware though that there are
> >> currently some quite severe bandwidth limitations on this sort of
> >> internally virtualized networking under FreeBSD, so this is not suitable
> >> for a high-traffic system.
> 
> > Matthew, anything you can point me to about this limitation?
> 
> Kristof Provost talked about it during his presentation at BSDCAN -- the 
> video of that is not turning up in my searches, but here's probably a 
> very similar talk from linux.conf.au:
> 
> https://www.youtube.com/watch?v=2neDPNIcrBk
> 
> In short the problem is that there's a single thread for handling all 
> the internal traffic.  (Possibly a single lock as well?)
> 
if_bridge contends on a single mutex. Expect no more than ~1.2 million
packets per second through a bridge, regardless of how many cores you
have.

That's actually a fairly substantial amount of traffic; it may or may
not be a practical concern for you.

Note that that's unrelated to vimage as such. It's just a very common
way to set things up. If you avoid if_bridge the performance impact of
vimage is trivial, and you pay it even if you don't use vimage jails.

Best regards,
Kristof