[RFC/Review] Prevent network namespace memory exhaution
Stefan Bader
stefan.bader at canonical.com
Tue Mar 29 15:13:48 UTC 2011
On 03/29/2011 04:51 PM, Tim Gardner wrote:
> On 03/28/2011 02:05 AM, Stefan Bader wrote:
>> On 03/25/2011 03:43 PM, John Johansen wrote:
>>> On 03/25/2011 07:36 AM, Tim Gardner wrote:
>>>> On 03/25/2011 08:30 AM, John Johansen wrote:
>>>>> On 03/25/2011 06:49 AM, Tim Gardner wrote:
>>>>>> On 03/25/2011 07:16 AM, John Johansen wrote:
>>>>>>
>>>>>>>> I'm still not convinced that CONFIG_NET_NS=n isn't the best
>>>>>>>> solution, despite the complaints that change might elicit. I'd
>>>>>>>> like to hear from the consumers of network name spaces about
>>>>>>>> how they are using the feature, and possible workarounds if it
>>>>>>>> were to go away.
>>>>>>>>
>>>>>>> That is the solution I would like but I think that at least for
>>>>>>> the server that is going to be problematic. Container are seeing
>>>>>>> a lot of use.
>>>>>>>
>>>>>>
>>>>>> While containers in general are in use, are network name spaces
>>>>>> pro-actively being used? Is there some workload that is _dependent_
>>>>>> on NET_NS ? I'm not proposing that we disable containers or other
>>>>>> name space features, only NET_NS.
>>>>>>
>>>>> I don't know the answer to that, it is worth exploring. It is
>>>>> pro-actively being used in that some applications are requesting the
>>>>> CLONE_NEWNET flag, and I have seen container workloads that could
>>>>> claim to require NET_NS (essentially replacing virtual machines with
>>>>> containers) but I am not sure what kernel they were using. I
>>>>> actually would like to turn NET_NS off too, my concern is that it is
>>>>> a regression of the feature that some (unquantifiable) set of users
>>>>> are using.
>>>>>
>>>>>>> If we were to go with an SRU of this I would lean towards the
>>>>>>> smaller patchset that is enough to prevent memory being eaten (7
>>>>>>> of the 13), and then if speed is a problem the remain 6 could be
>>>>>>> SRUed afterwards.
>>>>>>
>>>>>> I'm not keen on releasing a kernel that reduces connection
>>>>>> setup/teardown by an order of magnitude. Surely this'll have an
>>>>>> adverse impact on web servers and the like.
>>>>>>
>>>>> Neither am I but, but my perhaps flawed understanding was it should
>>>>> only affect the connection setup/teardown if a new network namespace
>>>>> is being created, and I doubt most use cases actually do this. This
>>>>> is actually something we should get a better handle on, what work
>>>>> loads that use NET_NS are noticeably impacted by this.
>>>>
>>>> Well, there is an alternative for those folks that _are_ dependent on NET_NS:
>>>>
>>>> sudo apt-get install linux-image-server-lts-backport-maverick
>>>>
>>> oh right, that convinces me. Turn it off.
>>
>> Sorry for stepping back into this discussion late. I think as long as it ok to
>> go with a Maverick kernel, this clearly would be better than any partial
>> backport for NET_NS. At least in the one specific case it was suggested that
>> doing this was (at least for the moment) not possible as Maverick caused other
>> problems. There was however only very vague hints about what those other
>> problems really are, so it is hard to tell whether and how those could be solved.
>>
>> Just for the record, it is my understanding (as John already mentioned) that the
>> slowdown only affects connections made with network namspace cloning involved.
>> If that feature is not used, there should be no real slowdown.
>>
>> Summarizing, I think the safest solution is to turn the feature off. But we need
>> to be careful about it. This being a LTS release there could also be people
>> using it and for various reasons (sw cert) not be able to move to a newer kernel
>> that simple. Unfortunately it is hard to find out before doing.
>>
>> -Stefan
>
> So, are you gonna send a patch disabling NET_NS ?
>
Oh well, yeah. Knowingly break something just scares me. But I'll send something
out and let the stable guys decide. :-P
-Stefan
More information about the kernel-team
mailing list