With the popularization of Internet technologies, the amount of data produced grows exponentially. The resources required for data processing have also increased tremendously. Nowadays, with the development of cloud computing platforms, efficient use of resources is critical. To achieve highly efficient use of resources, resource isolation technologies play an important part. Resource isolation technology provides different tasks with computing resources that can be used independently, thereby preventing the tasks' resource usage from interfering with each other.
Among existing resource isolation technologies, process-based Cgroups (Control groups) are commonly used. Cgroups is a mechanism provided by the Linux kernel that can isolate the physical resources (such as CPU, memory, and IO) of processes. Cgroups integrate the existing cpuset, memory, net_cls and other subsystems, so that Cgroups are applicable to a variety of application scenarios, from resource control for a single process to virtualization at the operating system level.
The net_cls subsystem is used to control the network bandwidth of a single process. The net_cls subsystem does not directly control network reading and writing; instead, it marks each network data packet with a class identifier (classid), so that the Linux Traffic Control (TC) program can identify the data packets generated by a task in Cgroups and limit their traffic.
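How the classid marking pairs with a TC class, as an added example that is not part of the original text: the script prints, without applying, the cgroup v1 net_cls and tc commands for one process, and checks the kernel's decimal read-back of the classid. The device eth0, the mount point /sys/fs/cgroup/net_cls, the handle 10:1, the group name, the rate and the PID are all assumptions.

```shell
#!/bin/sh
# Added example: cgroup v1 net_cls + tc HTB egress cap (dry-run generator).
# Assumed, not from the page: DEV, CG_ROOT, group name, handles, rate, PID.
DEV=${DEV:-eth0}
CG_ROOT=${CG_ROOT:-/sys/fs/cgroup/net_cls}

# net_cls.classid is 0xAAAABBBB: AAAA = tc major handle, BBBB = minor.
# tc handles are hexadecimal, so handle 10:1 maps to 0x00100001.
classid_for() {
    for part in "$1" "$2"; do
        case $part in
            ""|*[!0-9a-fA-F]*|?????*)
                echo "bad tc handle part: '$part'" >&2; return 1 ;;
        esac
    done
    printf '0x%04x%04x\n' "0x$1" "0x$2"
}

# Print the commands that tag one process and cap its egress rate.
# Review the output, then pipe it to "sh" as root to apply it.
plan() {
    group=$1; major=$2; minor=$3; rate=$4; pid=$5
    cid=$(classid_for "$major" "$minor") || return 1
    cat <<EOF
mkdir -p $CG_ROOT/$group
echo $cid > $CG_ROOT/$group/net_cls.classid
echo $pid > $CG_ROOT/$group/cgroup.procs
tc qdisc add dev $DEV root handle $major: htb
tc class add dev $DEV parent $major: classid $major:$minor htb rate $rate
tc filter add dev $DEV parent $major: protocol ip prio 10 handle 1: cgroup
EOF
}

# The kernel reports net_cls.classid in decimal; check it against the handle
# so a mismatch (packets tagged for a class tc does not have) is caught.
classid_matches() {
    want=$(classid_for "$2" "$3") || return 1
    got=$(cat "$1") || return 1
    [ "$(($want))" -eq "$(($got))" ]
}

# Usage: sh netcls_plan.sh GROUP MAJOR MINOR RATE PID
if [ "$#" -eq 5 ]; then plan "$@"; fi
```

The classid written to the cgroup and the classid of the tc class must name the same handle; if they differ, packets are still tagged but no class shapes them.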
However, both Linux Cgroups and a Traffic Control module have to be configured before net_cls can be used. In some experimental tests, the network isolation effect is not very good when only Cgroups are used, and the network bandwidth usage fluctuates greatly. Moreover, because Cgroups are built-in modules of the kernel, their flexibility is inherently limited, and diversified requirements on network resources cannot be well met.
Therefore, there is a need for a network isolation solution with high applicability that improves the stability of network isolation.