Subject: Re: [PATCH] ipv4: Namespaceify tcp_max_orphans knob
From: Haishuang Yan
Date: Sat, 9 Sep 2017 18:21:59 +0800
To: David Miller
Cc: xiyou.wangcong@gmail.com, kuznet@ms2.inr.ac.ru, yoshfuji@linux-ipv6.org, edumazet@google.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Message-Id: <88CEA297-30A9-4F4A-B5BB-92E37E85A842@cmss.chinamobile.com>

> On 9 Sep 2017, at 1:16 PM, David Miller wrote:
>
> From: Haishuang Yan
> Date: Sat, 9 Sep 2017 13:09:57 +0800
>
>>> On 9 Sep 2017, at 12:35 PM, Cong Wang wrote:
>>>
>>> On Fri, Sep 8, 2017 at 6:25 PM, Haishuang Yan wrote:
>>>>
>>>>> On 9 Sep 2017, at 6:13 AM, Cong Wang wrote:
>>>>>
>>>>> On Wed, Sep 6, 2017 at 8:10 PM, Haishuang Yan
>>>>> wrote:
>>>>>> Different namespace application might require different maximal number
>>>>>> of TCP sockets independently of the host.
>>>>>
>>>>> So after your patch we could have N * net->ipv4.sysctl_tcp_max_orphans
>>>>> in a whole system, right? This just makes OOM easier to trigger.
>>>>>
>>>>
>>>> From my understanding, before the patch, we had N * net->ipv4.sysctl_tcp_max_orphans,
>>>> and after the patch, we could have ns1.sysctl_tcp_max_orphans + ns2.sysctl_tcp_max_orphans
>>>> + ns3.sysctl_tcp_max_orphans, is that right? Thanks for your review.
>>>
>>> Nope, by N I mean the number of containers. Before your patch, the limit
>>> is global, after your patch it is per container.
>>>
>>
>> Yeah, for example, if there are N containers, before the patch, I mean the limit is:
>>
>> N * net->ipv4.sysctl_tcp_max_orphans
>>
>> After the patch, the limit is:
>>
>> ns1.net->ipv4.sysctl_tcp_max_orphans + ns2.net->ipv4.sysctl_tcp_max_orphans + ...
>
> Not true.
>
> Please remove "N" from your equation of the current situation.
>
> "sysctl_tcp_max_orphans" applies to the entire system, it is a global limit,
> comparing one limit against all orphans in the system, there is no N.

Yes, it's right. I browsed the source code and found that it's a global limit, sorry for my mistake.

Thanks David and Cong.