From: Michael H. Warfield (mhw_at_wittsend.com)
Date: Mon 28 Apr 2003 - 17:35:32 BST
On Mon, Apr 28, 2003 at 07:49:07AM +0200, Herbert Poetzl wrote:
> On Thu, Apr 24, 2003 at 06:39:03PM -0400, Michael H. Warfield wrote:
> > On Wed, Apr 02, 2003 at 09:02:58PM +0200, Herbert Poetzl wrote:
> > > On Wed, Apr 02, 2003 at 09:07:37AM -0800, James Maxwell - Systems Administrator wrote:
> > > > Is the vserver kernel capable of greater than 16 ips per vserver?
> > > > I'd like to move about all my domains from 2 boxes to just one. The ip
> > > > total for each box is 200. Or 400 domains. Is there a workaround?
> > > as far as I remember, the limit is arbitrarily chosen
> > > (some define or something within the kernel), so
> > > it shouldn't be hard to change ...
> > > there also was some discussion about a dynamic limit
> > > (this might be an option too)
> > > I'm just curious ...
> > > why do you need so many ips for so few domains?
> > I also have such a need. The need is for multiple addresses
> > going to a common security context. In this particular case, building
> > massive honeynets. At minimum, I need to assign 64 addresses to each
> > security context. I'm doing that, currently, with VMware. I have some
> > systems where a single interface has a /24 address space or larger
> > assigned. The specific application where I'm applying vserver, I have
> > a /20 (4096) addresses available on an interface and I'm distributing
> > sets of 64 random IP addresses to sets of vservers and VMware engines
> > for honeypots.
> > I just slammed into this limit. Now I have to hunt down bogons
> > in the sources to fix...
> *sigh* no hunt, just change #define NB_IPV4ROOT 16
> to the value you consider appropriate ..
Yup... Found that one in the kernel sources.
Actually, I also found it in chbind.c as well as in the kernel
patch. That's not real good having a dependency like that where two
numbers have to be maintained in sync like that. Might be better if
chbind could determine what the limit is from the kernel if they aren't
both dynamic. Including the value from the kernel header file is ugly
but extracting it dynamically via /proc (or an ioctl) seems like a bit
of overkill. Could have chbind be dynamic and run until it gets an error
back from the kernel indicating too many addresses...
The kernel patch also had what looks like a hard limit of 16
on the number of security contexts. Needed more of them too. :-)
A few very large boxes with lots of addresses. Limit of 16 contexts
(dropping 0 and 1 leaves 14 usable) with a limit of 16 addresses each
limits the total number of usable IPs under vserver control to 224.
A bit less than what I have deployed. :-)
> > > the only situation where this would be required
> > > is ssl per domain ...
> > Your imagination is limited... The mind boggles at the possibilities.
> > Any application where you would want more than 16 IP addresses on an
> > interface could be extrapolated to more than 16 IP addresses in a vserver.
> well, unfortunately I still can not imagine any good
> (read useful) application, which would require more than
> 16 ip addresses on one interface ....
Funny... My bosses find my applications extremely useful. :-)
So do a number of certain government agencies. :-/
> > > best,
> > > Herbert
> > > > James Maxwell
> > > > Interwerx Communications Inc.
> > > > V: 250 383-6178
> > > > F: 250 383-6808
> > > > C: 250 885-8203
> > > > E: support_at_interwerx.com
> > > >
> > > > ---
> > > > Outgoing mail is certified Virus Free.
> > > > Checked by AVG anti-virus system (http://www.grisoft.com).
> > > > Version: 6.0.465 / Virus Database: 263 - Release Date: 3/25/03
> > > >
-- 
Michael H. Warfield    |  (770) 985-6132   |  mhw_at_WittsEnd.com
/\/\|=mhw=|\/\/        |  (678) 463-0932   |  http://www.wittsend.com/mhw/
NIC whois: MHW9        |  An optimist believes we live in the best of all
PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
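The point Michael raises above (chbind carrying its own copy of NB_IPV4ROOT versus probing the kernel until it refuses another address) as an added, self-contained illustration. This is not vserver's code, neither the kernel patch nor chbind: the "kernel" is an in-process mock, the names mock_set_ipv4root, bind_hardcoded and bind_dynamic are invented here, the ENOSPC return is an assumption about how such a refusal might be reported, and the addresses are a constructed 10.0.0.0/24 slice standing in for the /20 in the thread.

```c
/* Added example (not vserver code). Contrasts two ways a userspace tool can
 * handle a per-context address limit that really lives in the kernel:
 *   A) keep a private copy of NB_IPV4ROOT and refuse up front (drifts when
 *      the kernel is rebuilt with a different value), or
 *   B) treat the kernel as the only authority and add addresses until the
 *      next one is refused, learning the real limit from the refusal.
 * The kernel side is a mock whose limit is set at runtime so both scenarios
 * can be exercised in one program. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define MOCK_MAX_IPV4ROOT 256   /* storage cap of the mock only */
#define TOOL_NB_IPV4ROOT  16    /* the copy a naive tool carries in its source */
#define WANT_ADDRS        64    /* the honeynet case from the thread */

/* Mock of the kernel's per-context address list. 'limit' plays the role of
 * the kernel's compiled-in NB_IPV4ROOT. */
struct mock_ctx {
    int      limit;
    int      n;
    uint32_t addrs[MOCK_MAX_IPV4ROOT];
};

static void mock_ctx_init(struct mock_ctx *ctx, int kernel_limit)
{
    ctx->limit = kernel_limit;
    ctx->n = 0;
}

/* Hypothetical stand-in for the kernel call that appends one address to a
 * context; fails with ENOSPC once the kernel's limit is reached. */
static int mock_set_ipv4root(struct mock_ctx *ctx, uint32_t addr)
{
    if (ctx->n >= ctx->limit || ctx->n >= MOCK_MAX_IPV4ROOT) {
        errno = ENOSPC;
        return -1;
    }
    ctx->addrs[ctx->n++] = addr;
    return 0;
}

/* Strategy A. Returns addresses bound, or -1 if the tool refused without
 * ever asking the kernel. */
static int bind_hardcoded(struct mock_ctx *ctx, const uint32_t *want, int count)
{
    if (count > TOOL_NB_IPV4ROOT)
        return -1;
    for (int i = 0; i < count; i++)
        if (mock_set_ipv4root(ctx, want[i]) < 0)
            return i;
    return count;
}

/* Strategy B. Returns addresses bound; *discovered receives the index of the
 * first refusal (the kernel's real limit), or -1 if nothing was refused. */
static int bind_dynamic(struct mock_ctx *ctx, const uint32_t *want, int count,
                        int *discovered)
{
    *discovered = -1;
    for (int i = 0; i < count; i++) {
        if (mock_set_ipv4root(ctx, want[i]) < 0) {
            *discovered = i;
            return i;
        }
    }
    return count;
}

/* Constructed sample input: WANT_ADDRS consecutive addresses from 10.0.0.1. */
static void fill_addrs(uint32_t *out, int count)
{
    for (int i = 0; i < count; i++)
        out[i] = (10u << 24) | (uint32_t)(i + 1);
}

/* One scenario end to end for each strategy, given the kernel's limit. */
static int scenario_hardcoded(int kernel_limit)
{
    uint32_t want[WANT_ADDRS];
    struct mock_ctx ctx;
    fill_addrs(want, WANT_ADDRS);
    mock_ctx_init(&ctx, kernel_limit);
    return bind_hardcoded(&ctx, want, WANT_ADDRS);
}

static int scenario_dynamic(int kernel_limit, int *discovered)
{
    uint32_t want[WANT_ADDRS];
    struct mock_ctx ctx;
    fill_addrs(want, WANT_ADDRS);
    mock_ctx_init(&ctx, kernel_limit);
    return bind_dynamic(&ctx, want, WANT_ADDRS, discovered);
}

static int scenario_dynamic_limit(int kernel_limit)
{
    int discovered;
    scenario_dynamic(kernel_limit, &discovered);
    return discovered;
}

int main(void)
{
    int kernels[] = { 16, 64 };   /* stock kernel, then one rebuilt with 64 */
    for (int k = 0; k < 2; k++) {
        int discovered;
        int bound = scenario_dynamic(kernels[k], &discovered);
        printf("kernel limit %d: hardcoded tool bound %d, dynamic tool bound %d"
               " (kernel limit discovered: %d)\n",
               kernels[k], scenario_hardcoded(kernels[k]), bound, discovered);
    }
    return 0;
}
```

With the kernel still at 16 both tools stop at 16, but only the dynamic one can tell the operator what the limit actually was. Once the kernel is rebuilt with 64 and chbind is not, the hardcoded tool still refuses at 16 while the dynamic one binds all 64 without any change to its source; that is the maintenance hazard of keeping the constant in two places.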