[{"id":1765635,"web_url":"http://patchwork.ozlabs.org/comment/1765635/","msgid":"","list_archive_url":null,"date":"2017-09-08T22:13:50","subject":"Re: [PATCH] ipv4: Namespaceify tcp_max_orphans knob","submitter":{"id":211,"url":"http://patchwork.ozlabs.org/api/people/211/","name":"Cong Wang","email":"xiyou.wangcong@gmail.com"},"content":"On Wed, Sep 6, 2017 at 8:10 PM, Haishuang Yan\n wrote:\n> Different namespace application might require different maximal number\n> of TCP sockets independently of the host.\n\nSo after your patch we could have N * net->ipv4.sysctl_tcp_max_orphans\nin a whole system, right? This just makes OOM easier to trigger.","headers":{"Return-Path":"","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=)","ozlabs.org; dkim=pass (2048-bit key;\n\tunprotected) header.d=gmail.com header.i=@gmail.com\n\theader.b=\"mSRJYXFx\"; dkim-atps=neutral"],"Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xps752hpkz9sBW\n\tfor ;\n\tSat, 9 Sep 2017 08:14:25 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1757132AbdIHWOM (ORCPT );\n\tFri, 8 Sep 2017 18:14:12 -0400","from mail-pg0-f45.google.com ([74.125.83.45]:38349 \"EHLO\n\tmail-pg0-f45.google.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1752999AbdIHWOL (ORCPT\n\t); Fri, 8 Sep 2017 18:14:11 -0400","by mail-pg0-f45.google.com with SMTP id v66so6839337pgb.5;\n\tFri, 08 Sep 2017 15:14:10 -0700 (PDT)","by 10.100.140.134 with HTTP; Fri, 8 Sep 2017 15:13:50 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=gmail.com; s=20161025;\n\th=mime-version:in-reply-to:references:from:date:message-id:subject:to\n\t:cc; bh=SL6ji37/vZWbXzwnTSXtF8ZcD+xEHSRzHTaqusJ513A=;\n\tb=mSRJYXFxgyqyGM8uGwicFRe0HVS6NH6CRWUYI0wvpUGv+ddn93WRpiXFqTOFcTRUUN\n\t1sffNqeI8AOtgl6p5iZ/cd/hQc1lKjDdjpH3HcfExXQZzBoWVBYjX+wj9rFX4VzSzINj\n\txIIJGDbGkwI89JX2JSMo46k1NOAe1tNV88kbdue6gEFsa4vGa0FfiaqtHcDtB9L8G5nq\n\t7jsTSLMMeq9XZi115mAaM2ugFePWw6edxLzk8FRyqotlv8kHN0D+h6llbB5CwXGtRZij\n\tDFP0E9SEHIsFCt84xrR6xDz1Z98jEIWTORV1D79fgsrMzVWLYgzWNRYgfBPYnj7W6I+7\n\tRuqg==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:mime-version:in-reply-to:references:from:date\n\t:message-id:subject:to:cc;\n\tbh=SL6ji37/vZWbXzwnTSXtF8ZcD+xEHSRzHTaqusJ513A=;\n\tb=R+YKn62+J+HQ5LRjotAZ74vgeZ4GC7QWBNujklk+PR0+86zX7DIxmtYAdjoMXRYwam\n\tkc3Uf/bX0NoUQ4NwPptoftDlUBdQqYpM+ffc1gcU5fd+mkacLufZWW8fdBwL6iqmuc/q\n\to90wRAFoOkO0LrxQyGFWR9cjBvZstJ/n75tYNmXAtT9XWMGDOISDgZ3PZRLOANlEiQDt\n\tajihZoh9Z85OGBKSeb/iGQnHyLf2zdbaMV9aE8b+7znDVZT8DebammLOOz8K7SJJ2a/E\n\tXpvvGbP1n/Qu+85AITJivHKwi/Dgu7zHcpYXivt9TpQLNIqpQ8PQiMUDFRqu1yqftCzi\n\tgxyw==","X-Gm-Message-State":"AHPjjUhCsZ+oKDppTltW1EPqVuZKKWhIC1GnQ62HVQSI8EQRjGU2RVp9\n\t0diWoRhl66w5FsCL9VrKGIbuQ7SLCQ==","X-Google-Smtp-Source":"ADKCNb4qHViEXm4J78v7B0Ve50osIVaGKSBgkCuoUo0kiKhcF3om6d56esb+TQad2Ce9BOku2pd5f3m0sj0aU7LragQ=","X-Received":"by 10.84.132.98 with SMTP id 89mr5135337ple.19.1504908850630;\n\tFri, 08 Sep 2017 15:14:10 -0700 (PDT)","MIME-Version":"1.0","In-Reply-To":"<1504753808-13266-1-git-send-email-yanhaishuang@cmss.chinamobile.com>","References":"<1504753808-13266-1-git-send-email-yanhaishuang@cmss.chinamobile.com>","From":"Cong Wang ","Date":"Fri, 8 Sep 2017 15:13:50 -0700","Message-ID":"","Subject":"Re: [PATCH] ipv4: Namespaceify tcp_max_orphans knob","To":"Haishuang Yan ","Cc":"\"David S. Miller\" ,\n\tAlexey Kuznetsov ,\n\tHideaki YOSHIFUJI ,\n\tEric Dumazet ,\n\tLinux Kernel Network Developers ,\n\tLKML ","Content-Type":"text/plain; charset=\"UTF-8\"","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"","X-Mailing-List":"netdev@vger.kernel.org"}},{"id":1765676,"web_url":"http://patchwork.ozlabs.org/comment/1765676/","msgid":"<798CA25A-CA09-4D06-A9B6-7C5791A6EEC1@cmss.chinamobile.com>","list_archive_url":null,"date":"2017-09-09T01:25:40","subject":"Re: [PATCH] ipv4: Namespaceify tcp_max_orphans knob","submitter":{"id":68606,"url":"http://patchwork.ozlabs.org/api/people/68606/","name":"Haishuang Yan","email":"yanhaishuang@cmss.chinamobile.com"},"content":"> On 2017年9月9日, at 上午6:13, Cong Wang wrote:\n> \n> On Wed, Sep 6, 2017 at 8:10 PM, Haishuang Yan\n> wrote:\n>> Different namespace application might require different maximal number\n>> of TCP sockets independently of the host.\n> \n> So after your patch we could have N * net->ipv4.sysctl_tcp_max_orphans\n> in a whole system, right? This just makes OOM easier to trigger.\n> \n\nFrom my understanding, before the patch, we had N * net->ipv4.sysctl_tcp_max_orphans,\nand after the patch, we could have ns1.sysctl_tcp_max_orphans + ns2.sysctl_tcp_max_orphans\n+ ns3.sysctl_tcp_max_orphans, is that right? Thanks for your reviewing.","headers":{"Return-Path":"","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xpxNf1HgKz9sBZ\n\tfor ;\n\tSat, 9 Sep 2017 11:26:26 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1757275AbdIIBZq convert rfc822-to-8bit (ORCPT\n\t);\n\tFri, 8 Sep 2017 21:25:46 -0400","from cmccmta3.chinamobile.com ([221.176.66.81]:19292 \"EHLO\n\tcmccmta3.chinamobile.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1757173AbdIIBZp (ORCPT\n\t); Fri, 8 Sep 2017 21:25:45 -0400","from spf.mail.chinamobile.com (unknown[172.16.121.5]) by\n\trmmx-syy-dmz-app10-12010 (RichMail) with SMTP id\n\t2eea59b343155e2-ca593; Sat, 09 Sep 2017 09:25:42 +0800 (CST)","from [10.0.0.249] (unknown[112.23.111.238])\n\tby rmsmtp-syy-appsvr03-12003 (RichMail) with SMTP id\n\t2ee359b34313c59-8afda; Sat, 09 Sep 2017 09:25:42 +0800 (CST)"],"X-RM-TRANSID":["2eea59b343155e2-ca593","2ee359b34313c59-8afda"],"X-RM-SPAM-FLAG":"00000000","Content-Type":"text/plain; charset=gb2312","Mime-Version":"1.0 (Mac OS X Mail 10.3 \\(3273\\))","Subject":"Re: [PATCH] ipv4: Namespaceify tcp_max_orphans knob","From":"=?gb2312?b?0c+6o8ur?= ","In-Reply-To":"","Date":"Sat, 9 Sep 2017 09:25:40 +0800","Cc":"\"David S. Miller\" ,\n\tAlexey Kuznetsov ,\n\tHideaki YOSHIFUJI ,\n\tEric Dumazet ,\n\tLinux Kernel Network Developers ,\n\tLKML ","Content-Transfer-Encoding":"8BIT","Message-Id":"<798CA25A-CA09-4D06-A9B6-7C5791A6EEC1@cmss.chinamobile.com>","References":"<1504753808-13266-1-git-send-email-yanhaishuang@cmss.chinamobile.com>\n\t","To":"Cong Wang ","X-Mailer":"Apple Mail (2.3273)","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"","X-Mailing-List":"netdev@vger.kernel.org"}},{"id":1765706,"web_url":"http://patchwork.ozlabs.org/comment/1765706/","msgid":"","list_archive_url":null,"date":"2017-09-09T04:35:02","subject":"Re: [PATCH] ipv4: Namespaceify tcp_max_orphans knob","submitter":{"id":211,"url":"http://patchwork.ozlabs.org/api/people/211/","name":"Cong Wang","email":"xiyou.wangcong@gmail.com"},"content":"On Fri, Sep 8, 2017 at 6:25 PM, 严海双 wrote:\n>\n>\n>> On 2017年9月9日, at 上午6:13, Cong Wang wrote:\n>>\n>> On Wed, Sep 6, 2017 at 8:10 PM, Haishuang Yan\n>> wrote:\n>>> Different namespace application might require different maximal number\n>>> of TCP sockets independently of the host.\n>>\n>> So after your patch we could have N * net->ipv4.sysctl_tcp_max_orphans\n>> in a whole system, right? This just makes OOM easier to trigger.\n>>\n>\n> From my understanding, before the patch, we had N * net->ipv4.sysctl_tcp_max_orphans,\n> and after the patch, we could have ns1.sysctl_tcp_max_orphans + ns2.sysctl_tcp_max_orphans\n> + ns3.sysctl_tcp_max_orphans, is that right? Thanks for your reviewing.\n\nNope, by N I mean the number of containers. Before your patch, the limit\nis global, after your patch it is per container.","headers":{"Return-Path":"","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":["ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=)","ozlabs.org; dkim=pass (2048-bit key;\n\tunprotected) header.d=gmail.com header.i=@gmail.com\n\theader.b=\"H2WY6dT2\"; dkim-atps=neutral"],"Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xq1b21Zsdz9sBZ\n\tfor ;\n\tSat, 9 Sep 2017 14:35:42 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1751362AbdIIEfZ (ORCPT );\n\tSat, 9 Sep 2017 00:35:25 -0400","from mail-pf0-f169.google.com ([209.85.192.169]:34563 \"EHLO\n\tmail-pf0-f169.google.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1750899AbdIIEfX (ORCPT\n\t); Sat, 9 Sep 2017 00:35:23 -0400","by mail-pf0-f169.google.com with SMTP id e1so7241999pfk.1;\n\tFri, 08 Sep 2017 21:35:23 -0700 (PDT)","by 10.100.140.134 with HTTP; Fri, 8 Sep 2017 21:35:02 -0700 (PDT)"],"DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=gmail.com; s=20161025;\n\th=mime-version:in-reply-to:references:from:date:message-id:subject:to\n\t:cc:content-transfer-encoding;\n\tbh=t/M9+d4KeXWoANU4er832Q2bvBpjRysoc3B4F1UVIYk=;\n\tb=H2WY6dT2OH3aetrb7MW557tCMLw12k5b6qpgiX8eHFnyJ6CeZouPd0F1sREgv/vgAj\n\tEOL7nlaipGI2gvhMYSr6MDdDQ/HBkcZeJupFgsrNNRlKYB1hyU08XhGGTR2MP5+SYdrB\n\tnGF7Dk3p62xSyEwPZh5upDMlXt52sO5SihNVhz62EY5IWWXleVJksKNwgXe3Z+ZYg8k4\n\tM2FS/EZmRA16Sgdkv+/YblqWwyRwtvMqbj3HB9CgUF1NaN3q8NgsXJKbZ6KZUrHWR3tq\n\tR1Me4LZ6493hqO3qX/cCUC4R7saVEapyN57d0+gXmIa8gOR9usW+KtsAfdZYK5KYePPK\n\toyvw==","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n\td=1e100.net; s=20161025;\n\th=x-gm-message-state:mime-version:in-reply-to:references:from:date\n\t:message-id:subject:to:cc:content-transfer-encoding;\n\tbh=t/M9+d4KeXWoANU4er832Q2bvBpjRysoc3B4F1UVIYk=;\n\tb=ggMsFMwi2+cD65CXv2mMdRJu6/blGR75eDWGeyX4mg4T5wud9Qp00gv3FZOKGRUPCJ\n\tJNWL5mfneNlamvgBXZJxc6FStEw9xCzp2alaEsUzB4XgESHfOsYhJ3H5IWvWaOB3frpb\n\tmpuxeUMllwZ59q0+K89Lfu0dCCNwY876pV2Xk55+ILZzhlL5eKkRaRBPfOnJgZ9ej37I\n\tUlaz/iuznYqkVBR0p9KJlnXFBovZKIbwx4SssFEmpzl6bDsWr79eBRTL/Ws6wo4jzaIw\n\tkQcChnmR0asdhR8XthYGkiigpRNNenLio/OZkGy6iT6lVg5U7HiIk5PuXTO77PwO/K5p\n\tOFkQ==","X-Gm-Message-State":"AHPjjUg3JyZuiYU/BciV/N2C6kt8zJkElNAXE4ZY5j6fL6pwTbkV9BrY\n\tOIGw+jmSdwPi4C/jOwwtGTweLApmqQ==","X-Google-Smtp-Source":"ADKCNb7hftsT5mi/dN1onTsFhys1Sk4jySLI8A57m9f6JtRa7b++Z3HaMr0DNKt9sO15ipfYkhJP7TRuW4bxkLVVOMo=","X-Received":"by 10.101.85.4 with SMTP id f4mr5228486pgr.10.1504931723150; Fri,\n\t08 Sep 2017 21:35:23 -0700 (PDT)","MIME-Version":"1.0","In-Reply-To":"<798CA25A-CA09-4D06-A9B6-7C5791A6EEC1@cmss.chinamobile.com>","References":"<1504753808-13266-1-git-send-email-yanhaishuang@cmss.chinamobile.com>\n\t\n\t<798CA25A-CA09-4D06-A9B6-7C5791A6EEC1@cmss.chinamobile.com>","From":"Cong Wang ","Date":"Fri, 8 Sep 2017 21:35:02 -0700","Message-ID":"","Subject":"Re: [PATCH] ipv4: Namespaceify tcp_max_orphans knob","To":"=?utf-8?b?5Lil5rW35Y+M?= ","Cc":"\"David S. Miller\" ,\n\tAlexey Kuznetsov ,\n\tHideaki YOSHIFUJI ,\n\tEric Dumazet ,\n\tLinux Kernel Network Developers ,\n\tLKML ","Content-Type":"text/plain; charset=\"UTF-8\"","Content-Transfer-Encoding":"quoted-printable","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"","X-Mailing-List":"netdev@vger.kernel.org"}},{"id":1765733,"web_url":"http://patchwork.ozlabs.org/comment/1765733/","msgid":"","list_archive_url":null,"date":"2017-09-09T05:09:57","subject":"Re: [PATCH] ipv4: Namespaceify tcp_max_orphans knob","submitter":{"id":68606,"url":"http://patchwork.ozlabs.org/api/people/68606/","name":"Haishuang Yan","email":"yanhaishuang@cmss.chinamobile.com"},"content":"> On 2017年9月9日, at 下午12:35, Cong Wang wrote:\n> \n> On Fri, Sep 8, 2017 at 6:25 PM, 严海双 wrote:\n>> \n>> \n>>> On 2017年9月9日, at 上午6:13, Cong Wang wrote:\n>>> \n>>> On Wed, Sep 6, 2017 at 8:10 PM, Haishuang Yan\n>>> wrote:\n>>>> Different namespace application might require different maximal number\n>>>> of TCP sockets independently of the host.\n>>> \n>>> So after your patch we could have N * net->ipv4.sysctl_tcp_max_orphans\n>>> in a whole system, right? This just makes OOM easier to trigger.\n>>> \n>> \n>> From my understanding, before the patch, we had N * net->ipv4.sysctl_tcp_max_orphans,\n>> and after the patch, we could have ns1.sysctl_tcp_max_orphans + ns2.sysctl_tcp_max_orphans\n>> + ns3.sysctl_tcp_max_orphans, is that right? Thanks for your reviewing.\n> \n> Nope, by N I mean the number of containers. Before your patch, the limit\n> is global, after your patch it is per container.\n> \n\nYeah, for example, if there is N containers, before the patch, I mean the limit is:\n\n\tN * net->ipv4.sysctl_tcp_max_orphans\n\nAfter the patch, the limit is:\n\n\tns1. net->ipv4.sysctl_tcp_max_orphans + ns2. net->ipv4.sysctl_tcp_max_orphans + …","headers":{"Return-Path":"","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xq2Lx6nc9z9sBZ\n\tfor ;\n\tSat, 9 Sep 2017 15:10:17 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1753761AbdIIFKD convert rfc822-to-8bit (ORCPT\n\t);\n\tSat, 9 Sep 2017 01:10:03 -0400","from cmccmta3.chinamobile.com ([221.176.66.81]:25804 \"EHLO\n\tcmccmta3.chinamobile.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1751048AbdIIFKC (ORCPT\n\t); Sat, 9 Sep 2017 01:10:02 -0400","from spf.mail.chinamobile.com (unknown[172.16.121.13]) by\n\trmmx-syy-dmz-app09-12009 (RichMail) with SMTP id\n\t2ee959b377a3b23-cdae9; Sat, 09 Sep 2017 13:09:58 +0800 (CST)","from [10.0.0.249] (unknown[112.23.111.238])\n\tby rmsmtp-syy-appsvr07-12007 (RichMail) with SMTP id\n\t2ee759b377a56c2-82e39; Sat, 09 Sep 2017 13:09:58 +0800 (CST)"],"X-RM-TRANSID":["2ee959b377a3b23-cdae9","2ee759b377a56c2-82e39"],"X-RM-SPAM-FLAG":"00000000","Content-Type":"text/plain; charset=gb2312","Mime-Version":"1.0 (Mac OS X Mail 10.3 \\(3273\\))","Subject":"Re: [PATCH] ipv4: Namespaceify tcp_max_orphans knob","From":"=?gb2312?b?0c+6o8ur?= ","In-Reply-To":"","Date":"Sat, 9 Sep 2017 13:09:57 +0800","Cc":"\"David S. Miller\" ,\n\tAlexey Kuznetsov ,\n\tHideaki YOSHIFUJI ,\n\tEric Dumazet ,\n\tLinux Kernel Network Developers ,\n\tLKML ","Content-Transfer-Encoding":"8BIT","Message-Id":"","References":"<1504753808-13266-1-git-send-email-yanhaishuang@cmss.chinamobile.com>\n\t\n\t<798CA25A-CA09-4D06-A9B6-7C5791A6EEC1@cmss.chinamobile.com>\n\t","To":"Cong Wang ","X-Mailer":"Apple Mail (2.3273)","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"","X-Mailing-List":"netdev@vger.kernel.org"}},{"id":1765739,"web_url":"http://patchwork.ozlabs.org/comment/1765739/","msgid":"<20170908.221648.186026315535806669.davem@davemloft.net>","list_archive_url":null,"date":"2017-09-09T05:16:48","subject":"Re: [PATCH] ipv4: Namespaceify tcp_max_orphans knob","submitter":{"id":15,"url":"http://patchwork.ozlabs.org/api/people/15/","name":"David Miller","email":"davem@davemloft.net"},"content":"From: 严海双 \r\nDate: Sat, 9 Sep 2017 13:09:57 +0800\r\n\r\n> \r\n> \r\n>> On 2017年9月9日, at 下午12:35, Cong Wang wrote:\r\n>> \r\n>> On Fri, Sep 8, 2017 at 6:25 PM, 严海双 wrote:\r\n>>> \r\n>>> \r\n>>>> On 2017年9月9日, at 上午6:13, Cong Wang wrote:\r\n>>>> \r\n>>>> On Wed, Sep 6, 2017 at 8:10 PM, Haishuang Yan\r\n>>>> wrote:\r\n>>>>> Different namespace application might require different maximal number\r\n>>>>> of TCP sockets independently of the host.\r\n>>>> \r\n>>>> So after your patch we could have N * net->ipv4.sysctl_tcp_max_orphans\r\n>>>> in a whole system, right? This just makes OOM easier to trigger.\r\n>>>> \r\n>>> \r\n>>> From my understanding, before the patch, we had N * net->ipv4.sysctl_tcp_max_orphans,\r\n>>> and after the patch, we could have ns1.sysctl_tcp_max_orphans + ns2.sysctl_tcp_max_orphans\r\n>>> + ns3.sysctl_tcp_max_orphans, is that right? Thanks for your reviewing.\r\n>> \r\n>> Nope, by N I mean the number of containers. Before your patch, the limit\r\n>> is global, after your patch it is per container.\r\n>> \r\n> \r\n> Yeah, for example, if there is N containers, before the patch, I mean the limit is:\r\n> \r\n> \tN * net->ipv4.sysctl_tcp_max_orphans\r\n> \r\n> After the patch, the limit is:\r\n> \r\n> \tns1. net->ipv4.sysctl_tcp_max_orphans + ns2. net->ipv4.sysctl_tcp_max_orphans + …\r\n\r\nNot true.\r\n\r\nPlease remove \"N\" from your equation of the current situation.\r\n\r\n\"sysctl_tcp_max_orphans\" applies to entire system, it is a global limit,\r\ncomparing one limit against all orphans in the system, there is no N.","headers":{"Return-Path":"","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xq2WH53RKz9sBZ\n\tfor ;\n\tSat, 9 Sep 2017 15:17:31 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1751892AbdIIFQu (ORCPT );\n\tSat, 9 Sep 2017 01:16:50 -0400","from shards.monkeyblade.net ([184.105.139.130]:44460 \"EHLO\n\tshards.monkeyblade.net\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1751048AbdIIFQt (ORCPT\n\t); Sat, 9 Sep 2017 01:16:49 -0400","from localhost (74-93-104-98-Washington.hfc.comcastbusiness.net\n\t[74.93.104.98]) (using TLSv1 with cipher AES256-SHA (256/256 bits))\n\t(Client did not present a certificate)\n\t(Authenticated sender: davem-davemloft)\n\tby shards.monkeyblade.net (Postfix) with ESMTPSA id 31E0B136BCE24;\n\tFri, 8 Sep 2017 22:16:49 -0700 (PDT)"],"Date":"Fri, 08 Sep 2017 22:16:48 -0700 (PDT)","Message-Id":"<20170908.221648.186026315535806669.davem@davemloft.net>","To":"yanhaishuang@cmss.chinamobile.com","Cc":"xiyou.wangcong@gmail.com, kuznet@ms2.inr.ac.ru,\n\tyoshfuji@linux-ipv6.org, edumazet@google.com,\n\tnetdev@vger.kernel.org, linux-kernel@vger.kernel.org","Subject":"Re: [PATCH] ipv4: Namespaceify tcp_max_orphans knob","From":"David Miller ","In-Reply-To":"","References":"<798CA25A-CA09-4D06-A9B6-7C5791A6EEC1@cmss.chinamobile.com>\n\t\n\t","X-Mailer":"Mew version 6.7 on Emacs 25.2 / Mule 6.0 (HANACHIRUSATO)","Mime-Version":"1.0","Content-Type":"Text/Plain; charset=utf-8","Content-Transfer-Encoding":"base64","X-Greylist":"Sender succeeded SMTP AUTH, not delayed by\n\tmilter-greylist-4.5.12 (shards.monkeyblade.net\n\t[149.20.54.216]); Fri, 08 Sep 2017 22:16:49 -0700 (PDT)","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"","X-Mailing-List":"netdev@vger.kernel.org"}},{"id":1765780,"web_url":"http://patchwork.ozlabs.org/comment/1765780/","msgid":"<88CEA297-30A9-4F4A-B5BB-92E37E85A842@cmss.chinamobile.com>","list_archive_url":null,"date":"2017-09-09T10:21:59","subject":"Re: [PATCH] ipv4: Namespaceify tcp_max_orphans knob","submitter":{"id":68606,"url":"http://patchwork.ozlabs.org/api/people/68606/","name":"Haishuang Yan","email":"yanhaishuang@cmss.chinamobile.com"},"content":"> On 2017年9月9日, at 下午1:16, David Miller wrote:\n> \n> From: 严海双 \n> Date: Sat, 9 Sep 2017 13:09:57 +0800\n> \n>> \n>> \n>>> On 2017年9月9日, at 下午12:35, Cong Wang wrote:\n>>> \n>>> On Fri, Sep 8, 2017 at 6:25 PM, 严海双 wrote:\n>>>> \n>>>> \n>>>>> On 2017年9月9日, at 上午6:13, Cong Wang wrote:\n>>>>> \n>>>>> On Wed, Sep 6, 2017 at 8:10 PM, Haishuang Yan\n>>>>> wrote:\n>>>>>> Different namespace application might require different maximal number\n>>>>>> of TCP sockets independently of the host.\n>>>>> \n>>>>> So after your patch we could have N * net->ipv4.sysctl_tcp_max_orphans\n>>>>> in a whole system, right? This just makes OOM easier to trigger.\n>>>>> \n>>>> \n>>>> From my understanding, before the patch, we had N * net->ipv4.sysctl_tcp_max_orphans,\n>>>> and after the patch, we could have ns1.sysctl_tcp_max_orphans + ns2.sysctl_tcp_max_orphans\n>>>> + ns3.sysctl_tcp_max_orphans, is that right? Thanks for your reviewing.\n>>> \n>>> Nope, by N I mean the number of containers. Before your patch, the limit\n>>> is global, after your patch it is per container.\n>>> \n>> \n>> Yeah, for example, if there is N containers, before the patch, I mean the limit is:\n>> \n>> \tN * net->ipv4.sysctl_tcp_max_orphans\n>> \n>> After the patch, the limit is:\n>> \n>> \tns1. net->ipv4.sysctl_tcp_max_orphans + ns2. net->ipv4.sysctl_tcp_max_orphans + …\n> \n> Not true.\n> \n> Please remove \"N\" from your equation of the current situation.\n> \n> \"sysctl_tcp_max_orphans\" applies to entire system, it is a global limit,\n> comparing one limit against all orphans in the system, there is no N.\n\nYes, it’s right. I browse the source code and found that it’s a global limit, \nsorry for my mistake.\n\nThanks David and Cong.","headers":{"Return-Path":"","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none (mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xq9H045XGz9s82\n\tfor ;\n\tSat, 9 Sep 2017 20:22:20 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1757460AbdIIKWG convert rfc822-to-8bit (ORCPT\n\t);\n\tSat, 9 Sep 2017 06:22:06 -0400","from cmccmta2.chinamobile.com ([221.176.66.80]:6009 \"EHLO\n\tcmccmta2.chinamobile.com\" rhost-flags-OK-OK-OK-OK) by vger.kernel.org\n\twith ESMTP id S1756989AbdIIKWE (ORCPT\n\t); Sat, 9 Sep 2017 06:22:04 -0400","from spf.mail.chinamobile.com (unknown[172.16.121.19]) by\n\trmmx-syy-dmz-app05-12005 (RichMail) with SMTP id\n\t2ee559b3c0c9634-d1742; Sat, 09 Sep 2017 18:22:01 +0800 (CST)","from [10.0.0.249] (unknown[223.64.119.44])\n\tby rmsmtp-syy-appsvr10-12010 (RichMail) with SMTP id\n\t2eea59b3c0c7497-51700; Sat, 09 Sep 2017 18:22:01 +0800 (CST)"],"X-RM-TRANSID":["2ee559b3c0c9634-d1742","2eea59b3c0c7497-51700"],"X-RM-SPAM-FLAG":"00000000","Content-Type":"text/plain; charset=gb2312","Mime-Version":"1.0 (Mac OS X Mail 10.3 \\(3273\\))","Subject":"Re: [PATCH] ipv4: Namespaceify tcp_max_orphans knob","From":"=?gb2312?b?0c+6o8ur?= ","In-Reply-To":"<20170908.221648.186026315535806669.davem@davemloft.net>","Date":"Sat, 9 Sep 2017 18:21:59 +0800","Cc":"xiyou.wangcong@gmail.com, kuznet@ms2.inr.ac.ru,\n\tyoshfuji@linux-ipv6.org, edumazet@google.com,\n\tnetdev@vger.kernel.org, linux-kernel@vger.kernel.org","Content-Transfer-Encoding":"8BIT","Message-Id":"<88CEA297-30A9-4F4A-B5BB-92E37E85A842@cmss.chinamobile.com>","References":"<798CA25A-CA09-4D06-A9B6-7C5791A6EEC1@cmss.chinamobile.com>\n\t\n\t\n\t<20170908.221648.186026315535806669.davem@davemloft.net>","To":"David Miller ","X-Mailer":"Apple Mail (2.3273)","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"","X-Mailing-List":"netdev@vger.kernel.org"}}]