From: David Miller
Date: Fri, 08 Sep 2017 22:16:48 -0700 (PDT)
To: yanhaishuang@cmss.chinamobile.com
Cc: xiyou.wangcong@gmail.com, kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org, edumazet@google.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ipv4: Namespaceify tcp_max_orphans knob
Message-Id: <20170908.221648.186026315535806669.davem@davemloft.net>
References: <798CA25A-CA09-4D06-A9B6-7C5791A6EEC1@cmss.chinamobile.com>

From: 严海双
Date: Sat, 9 Sep 2017 13:09:57 +0800

>
>
>> On 9 Sep 2017, at 12:35 PM, Cong Wang wrote:
>>
>> On Fri, Sep 8, 2017 at 6:25 PM, 严海双 wrote:
>>>
>>>
>>>> On 9 Sep 2017, at 6:13 AM, Cong Wang wrote:
>>>>
>>>> On Wed, Sep 6, 2017 at 8:10 PM, Haishuang Yan
>>>> wrote:
>>>>> Different namespace applications might require different maximal numbers
>>>>> of TCP sockets independently of the host.
>>>>
>>>> So after your patch we could have N * net->ipv4.sysctl_tcp_max_orphans
>>>> in a whole system, right? This just makes OOM easier to trigger.
>>>>
>>>
>>> From my understanding, before the patch, we had N * net->ipv4.sysctl_tcp_max_orphans,
>>> and after the patch, we could have ns1.sysctl_tcp_max_orphans + ns2.sysctl_tcp_max_orphans
>>> + ns3.sysctl_tcp_max_orphans, is that right? Thanks for your review.
>>
>> Nope, by N I mean the number of containers. Before your patch, the limit
>> is global, after your patch it is per container.
>>
>
> Yeah, for example, if there are N containers, before the patch, I mean the limit is:
>
> N * net->ipv4.sysctl_tcp_max_orphans
>
> After the patch, the limit is:
>
> ns1.net->ipv4.sysctl_tcp_max_orphans + ns2.net->ipv4.sysctl_tcp_max_orphans + …

Not true. Please remove "N" from your equation of the current situation.

"sysctl_tcp_max_orphans" applies to the entire system; it is a global limit,
comparing one limit against all orphans in the system, so there is no N.