Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp46124imm; Tue, 17 Jul 2018 13:39:59 -0700 (PDT) X-Google-Smtp-Source: AAOMgpcEUSCUtGK8GystePbuaW0ZYP3Z6jt+TcjHj7uJ/B1HfZ5TLaySvctsKly1UavU2vxbK8Ub X-Received: by 2002:a65:5141:: with SMTP id g1-v6mr2992269pgq.418.1531859999557; Tue, 17 Jul 2018 13:39:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1531859999; cv=none; d=google.com; s=arc-20160816; b=IaYvivJT0DYdaW4Q5a5+q0ewgYevVyNwbrCfMfIVIQkiIkHIgW9vRbyPvEgu/BJfpA I2gs2Hz4jpd6CYX0i0uywVTNdPmMQEytwZOFMh8XvOLnsWzCKZ33F4kMC26FCbiQclXT ipykH5HACeX+2HWxguPhNQ53BKsl6jgUfTM6bGVHGop1cHj8lVyE+ycJ4xI7k25PjQ5Q tAv+7TlEWoQOYPRLb2uVtX+lwZKKDs85Vlc4a4TuzP4VLizGWYYFJDdw5tZxBi6xY5vf FUuMrCIT/X9lv7ZvsS6UVNd1EXo+QVfxqZtc1BVU4wpyE4n8d32ehn3cguAZXseSzCHF Xabg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature :arc-authentication-results; bh=Mq0wjIinXUIxJsBWkS5q5JkX0v0DbP74sXNxSL+VwNI=; b=Q04sJwXvFEjV6KSVvnHn8G6nQ9S+Xl2IQYSaemUrukvOIC+oT7kqi1vTwHrwiAAVcj 7BxbUqM4AG3XEiV0/5djOShJNa8ELxQ/28zlC1jX2zb7OsGVt4sjQXdFA+Iv/FH4y24B Qv83GCiClHYj7ZhsfmKPr/yFB+sbpYzP8hzG+mNRcBjzgTCv83xN083GlkdQVCekImRH gkkbGUT3JsuM/dEOsYIUf0AEbLxiuHvZyB+PWJEitUb2/YA1dfgTOb7Deby1qqipUbn7 oy2UAbbHaDLAaR29f3Iv8KBIWcM4X9+6cfKwbS5G+9ZkXY5UwmxIffSMDrNL2Q6vwRxb vf4g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=XbJ6Ixj1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t24-v6si1513198plr.240.2018.07.17.13.39.44; Tue, 17 Jul 2018 13:39:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=XbJ6Ixj1; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730821AbeGQVLz (ORCPT + 99 others); Tue, 17 Jul 2018 17:11:55 -0400 Received: from mail-ed1-f67.google.com ([209.85.208.67]:44759 "EHLO mail-ed1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729714AbeGQVLz (ORCPT ); Tue, 17 Jul 2018 17:11:55 -0400 Received: by mail-ed1-f67.google.com with SMTP id f23-v6so2317259edr.11; Tue, 17 Jul 2018 13:37:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Mq0wjIinXUIxJsBWkS5q5JkX0v0DbP74sXNxSL+VwNI=; b=XbJ6Ixj1hMxStVgmxT6ijhOrSjIeGWflqqqaxQbXDwnpFrNlYNzmdxNQRIVJMudhQj tHBhSCYu+JVY2V1fBSicFcU8ogxD/zGtV1sOY6MJ0klWdIq9qYrKbvNxPDimw0HodYkw 6OyuBTnAcU/+PMFSjKSEry2TSKYZpQHiSCfhXQurQGpTDK8yziUoeo5XHA94tD/XYH/c X4NOR/Ohui4N/1OelfxG6Nvr3RrSsDngmpv1TEY4ta/KvtV/BmwB117KTcfgu5YCsbXy PWLRchA5jxQFf5xT15ewfAAmn2GPRh+Z00/UValW1ckJ5BToJHtv/4NIvv93fx362lx7 4MYQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Mq0wjIinXUIxJsBWkS5q5JkX0v0DbP74sXNxSL+VwNI=; b=TlSIB/5rxL9z/yQS84m6rVOz2Uv2EfLv+0bR5WcB9bz5Z6Xfd2W5DvJXY1KeCLVpRp ooaXS1XOffi52qAfDQh8qX57LKDSBeQyO7iKX8+cZ68RqoKbTT66wAquKWwlwY1H+/GR 1a0VxYi+6wbfTHe4t1FW+rlnrMdnJZLno1Wfil2IsqijoKRs/g/EwnQnrhiQYf3y+gmx 9oQ4K8UlqDc2kpK2ZVllhEDLgN67vmTEG7iRTW4R/b5W17j3QYa2PL6gMiXnvkQ4UBQo cBB39XOyQxVwWelgupTVU5C96Kie1pnwMq5zSL8ADB85CWeSLAMsQLJ+WGRFHUtBKEXw z7Kw== X-Gm-Message-State: AOUpUlHkjhvHBAXPl+oq61ImhDdoQHncWNQIqkMP9XAmKimu/EzQL654 ZnNTuzrxQ2AErWahsBlqVfpsJtzMdFN1mo39sss= X-Received: by 2002:a50:a166:: with SMTP id 93-v6mr3845041edj.184.1531859852816; Tue, 17 Jul 2018 13:37:32 -0700 (PDT) MIME-Version: 1.0 References: <20180717120651.15748-1-dsahern@kernel.org> <1a3f59a9-0ba5-c83f-16a6-f9550a84f693@gmail.com> <1a27e301-3275-b349-a2f8-afdfdc02f04f@gmail.com> In-Reply-To: <1a27e301-3275-b349-a2f8-afdfdc02f04f@gmail.com> From: Cong Wang Date: Tue, 17 Jul 2018 13:37:26 -0700 Message-ID: Subject: Re: [PATCH RFC/RFT net-next 00/17] net: Convert neighbor tables to per-namespace To: David Ahern Cc: Linux Kernel Network Developers , nikita.leshchenko@oracle.com, Roopa Prabhu , Stephen Hemminger , Ido Schimmel , Jiri Pirko , Saeed Mahameed , Alexander Aring , linux-wpan@vger.kernel.org, NetFilter , LKML Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Jul 17, 2018 at 12:02 PM David Ahern wrote: > As for the per-namespace tables, it is 4 years later and over that time > Linux supports a number of features: EVPN which is very mac heavy, VRR > which doubles mac entries (one against the VRR device and one against > the lower device) and NOS level features such as mlxsw which has to > ensure mac entries for nexthop gateaways stay active. In addition there > are other features on the horizon - like the ability to use namespaces > to create virtual switches (what Cisco calls a VDC) where you absolutely > want isolation and not allowing entries from virtual switch to evict > entries from another. And of course the continued proliferation of > containerized workloads where isolation is desired. As long as no change in neigh table code base itself, these can't address the concern people raised before. > > I understand the concern about global resource and limits: as it stands > you have to increase the limits in init_net to the max expected and hope > for the best. With per namespace limits you can lower the limits of each > namespace better control the total impact on the total memory used. The problem is that the number of containers in a host is usually not predictable. Of course, you can say containers limit kernel memory too, but memcg is not part of netns. I once told David Miller cpuset is the isolation for isolating per-CPU softnet_data, he didn't like it. Based on that I don't think you can convince him with memcg as a solution here.