Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp46124imm;
        Tue, 17 Jul 2018 13:39:59 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpcEUSCUtGK8GystePbuaW0ZYP3Z6jt+TcjHj7uJ/B1HfZ5TLaySvctsKly1UavU2vxbK8Ub
X-Received: by 2002:a65:5141:: with SMTP id g1-v6mr2992269pgq.418.1531859999557;
        Tue, 17 Jul 2018 13:39:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1531859999; cv=none;
        d=google.com; s=arc-20160816;
        b=IaYvivJT0DYdaW4Q5a5+q0ewgYevVyNwbrCfMfIVIQkiIkHIgW9vRbyPvEgu/BJfpA
         I2gs2Hz4jpd6CYX0i0uywVTNdPmMQEytwZOFMh8XvOLnsWzCKZ33F4kMC26FCbiQclXT
         ipykH5HACeX+2HWxguPhNQ53BKsl6jgUfTM6bGVHGop1cHj8lVyE+ycJ4xI7k25PjQ5Q
         tAv+7TlEWoQOYPRLb2uVtX+lwZKKDs85Vlc4a4TuzP4VLizGWYYFJDdw5tZxBi6xY5vf
         FUuMrCIT/X9lv7ZvsS6UVNd1EXo+QVfxqZtc1BVU4wpyE4n8d32ehn3cguAZXseSzCHF
         Xabg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature
         :arc-authentication-results;
        bh=Mq0wjIinXUIxJsBWkS5q5JkX0v0DbP74sXNxSL+VwNI=;
        b=Q04sJwXvFEjV6KSVvnHn8G6nQ9S+Xl2IQYSaemUrukvOIC+oT7kqi1vTwHrwiAAVcj
         7BxbUqM4AG3XEiV0/5djOShJNa8ELxQ/28zlC1jX2zb7OsGVt4sjQXdFA+Iv/FH4y24B
         Qv83GCiClHYj7ZhsfmKPr/yFB+sbpYzP8hzG+mNRcBjzgTCv83xN083GlkdQVCekImRH
         gkkbGUT3JsuM/dEOsYIUf0AEbLxiuHvZyB+PWJEitUb2/YA1dfgTOb7Deby1qqipUbn7
         oy2UAbbHaDLAaR29f3Iv8KBIWcM4X9+6cfKwbS5G+9ZkXY5UwmxIffSMDrNL2Q6vwRxb
         vf4g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=XbJ6Ixj1;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t24-v6si1513198plr.240.2018.07.17.13.39.44;
        Tue, 17 Jul 2018 13:39:59 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=XbJ6Ixj1;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730821AbeGQVLz (ORCPT <rfc822;noahbdev@gmail.com> + 99 others);
        Tue, 17 Jul 2018 17:11:55 -0400
Received: from mail-ed1-f67.google.com ([209.85.208.67]:44759 "EHLO
        mail-ed1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729714AbeGQVLz (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 17 Jul 2018 17:11:55 -0400
Received: by mail-ed1-f67.google.com with SMTP id f23-v6so2317259edr.11;
        Tue, 17 Jul 2018 13:37:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=Mq0wjIinXUIxJsBWkS5q5JkX0v0DbP74sXNxSL+VwNI=;
        b=XbJ6Ixj1hMxStVgmxT6ijhOrSjIeGWflqqqaxQbXDwnpFrNlYNzmdxNQRIVJMudhQj
         tHBhSCYu+JVY2V1fBSicFcU8ogxD/zGtV1sOY6MJ0klWdIq9qYrKbvNxPDimw0HodYkw
         6OyuBTnAcU/+PMFSjKSEry2TSKYZpQHiSCfhXQurQGpTDK8yziUoeo5XHA94tD/XYH/c
         X4NOR/Ohui4N/1OelfxG6Nvr3RrSsDngmpv1TEY4ta/KvtV/BmwB117KTcfgu5YCsbXy
         PWLRchA5jxQFf5xT15ewfAAmn2GPRh+Z00/UValW1ckJ5BToJHtv/4NIvv93fx362lx7
         4MYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=Mq0wjIinXUIxJsBWkS5q5JkX0v0DbP74sXNxSL+VwNI=;
        b=TlSIB/5rxL9z/yQS84m6rVOz2Uv2EfLv+0bR5WcB9bz5Z6Xfd2W5DvJXY1KeCLVpRp
         ooaXS1XOffi52qAfDQh8qX57LKDSBeQyO7iKX8+cZ68RqoKbTT66wAquKWwlwY1H+/GR
         1a0VxYi+6wbfTHe4t1FW+rlnrMdnJZLno1Wfil2IsqijoKRs/g/EwnQnrhiQYf3y+gmx
         9oQ4K8UlqDc2kpK2ZVllhEDLgN67vmTEG7iRTW4R/b5W17j3QYa2PL6gMiXnvkQ4UBQo
         cBB39XOyQxVwWelgupTVU5C96Kie1pnwMq5zSL8ADB85CWeSLAMsQLJ+WGRFHUtBKEXw
         z7Kw==
X-Gm-Message-State: AOUpUlHkjhvHBAXPl+oq61ImhDdoQHncWNQIqkMP9XAmKimu/EzQL654
        ZnNTuzrxQ2AErWahsBlqVfpsJtzMdFN1mo39sss=
X-Received: by 2002:a50:a166:: with SMTP id 93-v6mr3845041edj.184.1531859852816;
 Tue, 17 Jul 2018 13:37:32 -0700 (PDT)
MIME-Version: 1.0
References: <20180717120651.15748-1-dsahern@kernel.org> <CAM_iQpW4g2v6xk49Gz+WBasKaO9VUk3Q-umX7iBRK-mAhn21Fw@mail.gmail.com>
 <1a3f59a9-0ba5-c83f-16a6-f9550a84f693@gmail.com> <CAM_iQpWabZorkMNswyfHyS4KT=f_bgMtK8K35=84uah6Kfqxew@mail.gmail.com>
 <1a27e301-3275-b349-a2f8-afdfdc02f04f@gmail.com>
In-Reply-To: <1a27e301-3275-b349-a2f8-afdfdc02f04f@gmail.com>
From:   Cong Wang <xiyou.wangcong@gmail.com>
Date:   Tue, 17 Jul 2018 13:37:26 -0700
Message-ID: <CAM_iQpX-wZooTDqWeqtqAc=a-S2HVcJJtkKdn6gxZx-2YmXpmA@mail.gmail.com>
Subject: Re: [PATCH RFC/RFT net-next 00/17] net: Convert neighbor tables to per-namespace
To:     David Ahern <dsahern@gmail.com>
Cc:     Linux Kernel Network Developers <netdev@vger.kernel.org>,
        nikita.leshchenko@oracle.com,
        Roopa Prabhu <roopa@cumulusnetworks.com>,
        Stephen Hemminger <stephen@networkplumber.org>,
        Ido Schimmel <idosch@mellanox.com>,
        Jiri Pirko <jiri@mellanox.com>,
        Saeed Mahameed <saeedm@mellanox.com>,
        Alexander Aring <alex.aring@gmail.com>,
        linux-wpan@vger.kernel.org,
        NetFilter <netfilter-devel@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 17, 2018 at 12:02 PM David Ahern <dsahern@gmail.com> wrote:
> As for the per-namespace tables, it is 4 years later and over that time
> Linux supports a number of features: EVPN which is very mac heavy, VRR
> which doubles mac entries (one against the VRR device and one against
> the lower device) and NOS level features such as mlxsw which has to
> ensure mac entries for nexthop gateaways stay active. In addition there
> are other features on the horizon - like the ability to use namespaces
> to create virtual switches (what Cisco calls a VDC) where you absolutely
> want isolation and not allowing entries from virtual switch to evict
> entries from another. And of course the continued proliferation of
> containerized workloads where isolation is desired.

As long as no change in neigh table code base itself, these can't
address the concern people raised before.


>
> I understand the concern about global resource and limits: as it stands
> you have to increase the limits in init_net to the max expected and hope
> for the best. With per namespace limits you can lower the limits of each
> namespace better control the total impact on the total memory used.

The problem is that the number of containers in a host is usually
not predictable.

Of course, you can say containers limit kernel memory too, but
memcg is not part of netns. I once told David Miller cpuset is the
isolation for isolating per-CPU softnet_data, he didn't like it. Based
on that I don't think you can convince him with memcg as a solution
here.