[lxc-devel] limit the network traffic of container from the host

Serge Hallyn serge.hallyn at ubuntu.com
Fri Jun 14 21:13:13 UTC 2013


Quoting lsmushroom (lsmushroom at 126.com):
> Hi All,
>       Recently, we have been trying to find out a suitable way to limit network traffic generated from the process running in the container. The network type we used for our container is veth. And we have tried TC combined with the cgroup net_cls subsystem, which has successfully fulfilled our goal. However, it requires adding the configurations inside the container. As we will provide the container as a service, it is obviously unacceptable to allow the end user to modify the bandwidth allocation.
>  
>  Thus, we add a new option to the tc command named "peer", which is an optional option that follows the keyword dev, and we made a small modification of the kernel to support this option.
>  
>  Below is an example of how to use it :
>  
>  related hardware information, two ends of the veth device, which is used by the container:
>  
>  lxc.network.name = eth0
>  lxc.network.veth.pair = veth-vps1
> 
> 
>  Add configuration:
>  tc qdisc add dev peer veth-vps1 root handle 1:0 htb default 4
>  tc class add dev peer veth-vps1 parent 1: classid 1:2 htb rate 3mbit
>  tc class add dev peer veth-vps1 parent 1: classid 1:3 htb rate 2mbit
>  tc class add dev peer veth-vps1 parent 1: classid 1:4 htb rate 1000mbit
>  tc filter add dev peer veth-vps1 protocol ip parent 1:0 prio 1 handle 1: cgroup

Hi,

so I've not really looked at tc in years, and then mainly looked at the
source...

If I understand the problem right, you can't do tc class add dev
veth-vps1 <...> because the container never tries to push packets
to that device itself?  Is that right?

What about simply ignoring cgroups, and limiting all veth-vps1 traffic?

Sorry I really should go read the tc details again and experiment a
bit.

-serge
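An added example, not from this thread or from LXC: one way to limit the traffic a container generates from the host side with an unpatched kernel and stock tc, in the spirit of Serge's "limit all veth-vps1 traffic" suggestion. Packets the container sends arrive as ingress on the host end of the veth pair, so an egress qdisc on veth-vps1 would only shape traffic going into the container; the script instead redirects veth-vps1 ingress to an IFB device and attaches the HTB shaper there. The device names (veth-vps1, ifb0), the rate, and the DRY_RUN helper are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the lxc-devel thread): rate-limit traffic that a
# container generates, from the host, without the patched "peer" option.
#
# veth-vps1 is the host end of the pair. Traffic the container sends out of
# its eth0 shows up as INGRESS on veth-vps1, and an egress qdisc there would
# only shape traffic flowing INTO the container. So: redirect veth-vps1
# ingress to an IFB device and put the HTB shaper on the IFB.
# Device names, ifb0 and the rate are illustrative assumptions.

# Run a command, or just print it when DRY_RUN=1 (lets the script be
# inspected or tested without root or a real veth device).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# shape_container_egress <host_veth> <ifb_dev> <rate>
# e.g. shape_container_egress veth-vps1 ifb0 2mbit
shape_container_egress() {
    veth="$1"; ifb="$2"; rate="$3"
    [ -n "$veth" ] && [ -n "$ifb" ] && [ -n "$rate" ] || return 2

    run modprobe ifb
    run ip link set dev "$ifb" up

    # Ingress qdisc on the host veth end; redirect every packet to the IFB.
    run tc qdisc add dev "$veth" handle ffff: ingress
    run tc filter add dev "$veth" parent ffff: protocol all u32 match u32 0 0 \
        action mirred egress redirect dev "$ifb"

    # Shape on the IFB: a single HTB class that all traffic falls into.
    run tc qdisc add dev "$ifb" root handle 1: htb default 10
    run tc class add dev "$ifb" parent 1: classid 1:10 htb rate "$rate" ceil "$rate"
}

# Undo the shaping: drop the ingress qdisc (and its filter), then the IFB root.
unshape_container_egress() {
    veth="$1"; ifb="$2"
    run tc qdisc del dev "$veth" ingress
    run tc qdisc del dev "$ifb" root
}

if [ "$#" -eq 3 ]; then
    shape_container_egress "$@"
fi
```

Run as root with three arguments to apply it, or with DRY_RUN=1 to print the tc commands without touching any device; the cgroup classifier from the original post could still be attached on the IFB if per-process classes are wanted.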
