Hello,

I had a question to ask the community. I have written a server and a client using TCP. We have around thousands of clients contacting the server. For each client connection I am opening a new thread to process the request. When the client is done, the thread closes and the socket also gets freed up.

The question is, I am doing a shutdown(sock) and then close(sock). But still I am seeing that with every client connection and closing, the memory consumption of the server is increasing. I am using plain simple pmap -x pid to see the memory usage.

Is there any way to check (DTrace or MDB) that the socket buffer is being freed? Also, does close free up the socket buffer itself?

During the socket open can I give any option to free the buffer immediately?

Regards
--
This message posted from opensolaris.org
Sam Munzani
2009-Jun-18 15:52 UTC
[crossbow-discuss] How security feature works with VLAN tagging?
Team,

I have one question: does a private VLAN (or its equivalent) feature exist on Crossbow for a situation like the one below?

Host A.
Global Zone: VLAN X
Local Zone A: VLAN A
Local Zone B: VLAN B
Local Zone C: VLAN C
Local Zone D: VLAN C

The physical cable is doing VLAN tagging. How do I stop Zone C and Zone D from communicating with each other? With physical cables, it can be done on the switch using the Private VLAN feature.

I asked the same question to some VMware experts about how they handle it. The answer was, they use the Cisco software switch Nexus 1000V on VMware ESX instead of vswitch. The Cisco software switch offers them NetFlow, PVLAN, port security and other typical Cisco features.

Do we have something equivalent on Crossbow?

Thanks,
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sam Munzani
CCIE # 6479 (R&S, Security), CISSP
Sun Remote Operations Management
Sun Microsystems, Inc.
sam.munzani at Sun.Com
Office: (630) 689-4165 / x66642
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nicolas Droux
2009-Jun-18 16:16 UTC
[crossbow-discuss] How security feature works with VLAN tagging?
Hi Sam,

On Jun 18, 2009, at 9:52 AM, Sam Munzani wrote:

> Team,
>
> I have one question: does a private VLAN (or its equivalent) feature exist on Crossbow for a situation like the one below?
>
> Host A.
> Global Zone: VLAN X
> Local Zone A: VLAN A
> Local Zone B: VLAN B
> Local Zone C: VLAN C
> Local Zone D: VLAN C
>
> The physical cable is doing VLAN tagging. How do I stop Zone C and Zone D from communicating with each other? With physical cables, it can be done on the switch using the Private VLAN feature.
>
> I asked the same question to some VMware experts about how they handle it. The answer was, they use the Cisco software switch Nexus 1000V on VMware ESX instead of vswitch. The Cisco software switch offers them NetFlow, PVLAN, port security and other typical Cisco features.
>
> Do we have something equivalent on Crossbow?

Crossbow virtual switching provides VLAN separation built in.

VNICs can be assigned a VLAN id during VNIC creation (see the dladm -v option). VNICs created on top of the same NIC/aggr/etherstub can communicate with each other if they are on the same VLAN, i.e. are assigned the same VLAN id, and VNICs will not be able to communicate with each other if they are assigned a different VLAN id.

The Crossbow virtual switching does the separation, and also implements per-VLAN broadcast domains, i.e. broadcast or multicast packets sent by a VNIC will be seen only by VNICs belonging to the same VLAN. All of this out of the box as part of OpenSolaris.

Nicolas.

> Thanks,

--
Nicolas Droux - Solaris Kernel Networking - Sun Microsystems, Inc.
nicolas.droux at sun.com - http://blogs.sun.com/droux
VIKAS MR wrote:
> Hello,
>
> I had a question to ask the community. I have written a server and a client using TCP. We have around thousands of clients contacting the server. For each client connection I am opening a new thread to process the request. When the client is done, the thread closes and the socket also gets freed up.
>
> The question is, I am doing a shutdown(sock) and then close(sock). But still I am seeing that with every client connection and closing, the memory consumption of the server is increasing. I am using plain simple pmap -x pid to see the memory usage.
> Is there any way to check (DTrace or MDB) that the socket buffer is being freed? Also, does close free up the socket buffer itself?
> During the socket open can I give any option to free the buffer immediately?
>
> Regards

It seems that you are using fork and not closing the descriptor in the parent. BTW this question is not Crossbow specific, so you should really be asking this question on networking-discuss.

Rao.
Sam Munzani
2009-Jun-18 17:41 UTC
[crossbow-discuss] How security feature works with VLAN tagging?
Comments inline,

>> I have one question: does a private VLAN (or its equivalent) feature exist on Crossbow for a situation like the one below?
>>
>> Host A.
>> Global Zone: VLAN X
>> Local Zone A: VLAN A
>> Local Zone B: VLAN B
>> Local Zone C: VLAN C
>> Local Zone D: VLAN C
>>
>> The physical cable is doing VLAN tagging. How do I stop Zone C and Zone D from communicating with each other? With physical cables, it can be done on the switch using the Private VLAN feature.
>>
>> I asked the same question to some VMware experts about how they handle it. The answer was, they use the Cisco software switch Nexus 1000V on VMware ESX instead of vswitch. The Cisco software switch offers them NetFlow, PVLAN, port security and other typical Cisco features.
>>
>> Do we have something equivalent on Crossbow?
>
> Crossbow virtual switching provides VLAN separation built in.
>
> VNICs can be assigned a VLAN id during VNIC creation (see the dladm -v option). VNICs created on top of the same NIC/aggr/etherstub can communicate with each other if they are on the same VLAN

That's what we want to stop. 2 virtual hosts in the same VLAN/subnet, but we don't want them to talk to each other. With physical connections, I can do that via the private VLAN feature of Cisco or Force10 switches. I am sure the private VLAN feature exists on other vendors' switches too, but those are the 2 vendors I mainly deal with.

> , i.e. are assigned the same VLAN id, and VNICs will not be able to communicate with each other if they are assigned a different VLAN id.
>
> The Crossbow virtual switching does the separation, and also implements per-VLAN broadcast domains

That's pretty normal. Each VLAN would have its own broadcast domain. What I am trying to achieve is something explained at the following URL, but on the virtual layer (not switches). I can't do it on the switch because it's not a physical interface.

http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml

> , i.e. broadcast or multicast packets sent by a VNIC will be seen only by VNICs belonging to the same VLAN. All of this out of the box as part of OpenSolaris.
>
> Nicolas.
>
>> Thanks,

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sam Munzani
CCIE # 6479 (R&S, Security), CISSP
Sun Remote Operations Management
Sun Microsystems, Inc.
sam.munzani at Sun.Com
Office: (630) 689-4165 / x66642
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sunay Tripathi
2009-Jun-18 18:36 UTC
[crossbow-discuss] How security feature works with VLAN tagging?
Sam,

Crossbow implements virtual networking in such a way that it is analogous to the physical world. More inline ...

Sam Munzani wrote:
> Comments inline,
>>> I have one question: does a private VLAN (or its equivalent) feature exist on Crossbow for a situation like the one below?
>>>
>>> Host A.
>>> Global Zone: VLAN X
>>> Local Zone A: VLAN A
>>> Local Zone B: VLAN B
>>> Local Zone C: VLAN C
>>> Local Zone D: VLAN C
>>>
>>> The physical cable is doing VLAN tagging. How do I stop Zone C and Zone D from communicating with each other? With physical cables, it can be done on the switch using the Private VLAN feature.
>>>
>>> I asked the same question to some VMware experts about how they handle it. The answer was, they use the Cisco software switch Nexus 1000V on VMware ESX instead of vswitch. The Cisco software switch offers them NetFlow, PVLAN, port security and other typical Cisco features.
>>>
>>> Do we have something equivalent on Crossbow?
>>
>> Crossbow virtual switching provides VLAN separation built in.
>>
>> VNICs can be assigned a VLAN id during VNIC creation (see the dladm -v option). VNICs created on top of the same NIC/aggr/etherstub can communicate with each other if they are on the same VLAN
> That's what we want to stop. 2 virtual hosts in the same VLAN/subnet, but we don't want them to talk to each other. With physical connections, I can do that via the private VLAN feature of Cisco or Force10 switches. I am sure the private VLAN feature exists on other vendors' switches too, but those are the 2 vendors I mainly deal with.

So similar to the physical world, you can set filters or firewall rules to stop this communication from happening, and we do support that with zones and IPFilter today. We are also working on L2/L3 link properties via dladm such that you can set simple filters using dladm itself (and have a very minimal performance impact).

The private VLAN (pvlan), also termed secondary VLAN, is a Cisco-specific feature and not a standard protocol. But Force10 just joined the Crossbow community and if they already implement the pvlan feature, we can look at enabling it.

For the current set of bits, I would recommend configuring the filters using IPFilter to stop the zone-to-zone communication on the same VLAN.
http://opensolaris.org/os/community/zones/faq

Cheers,
Sunay

>> , i.e. are assigned the same VLAN id, and VNICs will not be able to communicate with each other if they are assigned a different VLAN id.
>>
>> The Crossbow virtual switching does the separation, and also implements per-VLAN broadcast domains
> That's pretty normal. Each VLAN would have its own broadcast domain. What I am trying to achieve is something explained at the following URL, but on the virtual layer (not switches). I can't do it on the switch because it's not a physical interface.
>
> http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml
>
>> , i.e. broadcast or multicast packets sent by a VNIC will be seen only by VNICs belonging to the same VLAN. All of this out of the box as part of OpenSolaris.
>>
>> Nicolas.
>>
>>> Thanks,

--
Sunay Tripathi
Distinguished Engineer
Solaris Core Operating System
Sun MicroSystems Inc.
Solaris Networking: http://www.opensolaris.org/os/community/networking
Project Crossbow: http://www.opensolaris.org/os/project/crossbow
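The two points made in this thread, that Crossbow keeps VNICs with different VLAN ids apart on its own (Nicolas's reply) and that two zones sharing a VLAN id have to be separated with IPFilter rules instead (Sunay's recommendation), can be modelled for the Host A layout above. The script below is an added example, not code from the thread or from the Crossbow project: it generates the dladm create-vnic commands for zones A through D, with C and D tagged with the same VLAN id, and then derives the IPFilter rules that block every zone-to-zone pair inside that VLAN while passing all other traffic, which is the "isolated ports" behaviour of a private VLAN done with filters. The link name e1000g0, the zone and VNIC names, the VLAN ids and the 192.0.2.0/24 addresses are constructed assumptions; the rules are printed, not loaded.

```shell
#!/bin/sh
# Added example, not from the thread or the Crossbow project. Models the
# Host A layout: one VNIC per zone over a single physical link, zones C and D
# sharing a VLAN id. Names, ids and addresses below are constructed.

NIC="e1000g0"                       # assumed physical link under the VNICs

# Constructed zone table, one entry per zone: name:vlan-id:address
ZONES="zoneA:10:192.0.2.11 zoneB:20:192.0.2.21 zoneC:30:192.0.2.31 zoneD:30:192.0.2.32"

# Emit one "dladm create-vnic -l <link> -v <vid> <vnic>" per zone. The Crossbow
# virtual switch separates different VLAN ids by itself; zones that share an
# id (C and D here) can still reach each other, which the rules below address.
vnic_cmds() {
  for z in $ZONES; do
    name=${z%%:*}
    rest=${z#*:}
    vid=${rest%%:*}
    echo "dladm create-vnic -l $NIC -v $vid ${name}0"
  done
}

# Emit IPFilter rules that block every zone-to-zone pair within one VLAN id and
# pass everything else (default gateway, outside clients). Rules are generated
# only; loading them with ipf where the zone's IP stack runs is assumed to be
# done separately.
isolate_vlan() {
  vid=$1
  members=""
  # Collect the addresses of all zones tagged with this VLAN id.
  for z in $ZONES; do
    rest=${z#*:}
    if [ "${rest%%:*}" = "$vid" ]; then
      members="$members ${rest#*:}"
    fi
  done
  # One "block ... quick" rule per ordered pair, so neither side can initiate.
  for src in $members; do
    for dst in $members; do
      if [ "$src" != "$dst" ]; then
        echo "block in quick from $src/32 to $dst/32"
      fi
    done
  done
  echo "pass in all"
}

# Stand-alone run: VNIC setup for all zones, then isolation rules for VLAN 30.
vnic_cmds
isolate_vlan 30
```

Running it prints four dladm lines (zoneC0 and zoneD0 both with -v 30) followed by two block rules, one per direction between 192.0.2.31 and 192.0.2.32, and a final pass rule; asking for a VLAN id with a single member (10 or 20) yields only the pass rule, since Crossbow already separates those zones from everything else.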
Sam Munzani
2009-Jun-18 21:43 UTC
[crossbow-discuss] How security feature works with VLAN tagging?
Sunay Tripathi wrote:
> Sam,
>
> Crossbow implements virtual networking in such a way that it is analogous to the physical world. More inline ...
>
> Sam Munzani wrote:
>> Comments inline,
>>>> I have one question: does a private VLAN (or its equivalent) feature exist on Crossbow for a situation like the one below?
>>>>
>>>> Host A.
>>>> Global Zone: VLAN X
>>>> Local Zone A: VLAN A
>>>> Local Zone B: VLAN B
>>>> Local Zone C: VLAN C
>>>> Local Zone D: VLAN C
>>>>
>>>> The physical cable is doing VLAN tagging. How do I stop Zone C and Zone D from communicating with each other? With physical cables, it can be done on the switch using the Private VLAN feature.
>>>>
>>>> I asked the same question to some VMware experts about how they handle it. The answer was, they use the Cisco software switch Nexus 1000V on VMware ESX instead of vswitch. The Cisco software switch offers them NetFlow, PVLAN, port security and other typical Cisco features.
>>>>
>>>> Do we have something equivalent on Crossbow?
>>>
>>> Crossbow virtual switching provides VLAN separation built in.
>>>
>>> VNICs can be assigned a VLAN id during VNIC creation (see the dladm -v option). VNICs created on top of the same NIC/aggr/etherstub can communicate with each other if they are on the same VLAN
>> That's what we want to stop. 2 virtual hosts in the same VLAN/subnet, but we don't want them to talk to each other. With physical connections, I can do that via the private VLAN feature of Cisco or Force10 switches. I am sure the private VLAN feature exists on other vendors' switches too, but those are the 2 vendors I mainly deal with.
>
> So similar to the physical world, you can set filters or firewall rules to stop this communication from happening, and we do support that with zones and IPFilter today. We are also working on L2/L3 link properties via dladm such that you can set simple filters using dladm itself (and have a very minimal performance impact).
>
> The private VLAN (pvlan), also termed secondary VLAN, is a Cisco-specific feature and not a standard protocol. But Force10 just joined the Crossbow community and if they already implement the pvlan feature, we can look at enabling it.

I agree. It's not a standard protocol, and all I found by Google on that is an IETF draft (http://tools.ietf.org/html/draft-sanjib-private-vlan-10). What this particular customer is facing today would be a challenge for any customer with virtualization, typically when the zones in use are for a DMZ. There might be 4-5 zones sitting in the same DMZ subnet, but they don't want them to communicate with each other. As you said, now that Force10 is in the Crossbow community, anything they can share to bundle such a feature would be greatly beneficial.

> For the current set of bits, I would recommend configuring the filters using IPFilter to stop the zone-to-zone communication on the same VLAN.
> http://opensolaris.org/os/community/zones/faq

I will surely review these and see if that's an option.

Thanks,
Sam

> Cheers,
> Sunay
>
>>> , i.e. are assigned the same VLAN id, and VNICs will not be able to communicate with each other if they are assigned a different VLAN id.
>>>
>>> The Crossbow virtual switching does the separation, and also implements per-VLAN broadcast domains
>> That's pretty normal. Each VLAN would have its own broadcast domain. What I am trying to achieve is something explained at the following URL, but on the virtual layer (not switches). I can't do it on the switch because it's not a physical interface.
>>
>> http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a008013565f.shtml
>>
>>> , i.e. broadcast or multicast packets sent by a VNIC will be seen only by VNICs belonging to the same VLAN. All of this out of the box as part of OpenSolaris.
>>>
>>> Nicolas.
>>>
>>>> Thanks,

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sam Munzani
CCIE # 6479 (R&S, Security), CISSP
Sun Remote Operations Management
Sun Microsystems, Inc.
sam.munzani at Sun.Com
Office: (630) 689-4165 / x66642
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~