best done with TC? but then you need a new bridge for each container..

I'm not 100% sure, but I think that tc could be applied to the veth interfaces.

Another possibility is to use iptables -m limit (in a limited way).

oh, apparently, with cgroup net_cls you can classify traffic from/to each container and let tc shape that class, no need for multiple bridges..

Sorry to dig this up - but what exactly is the current best way of doing this from Docker?

Do we find the veth interface for the Docker container, and apply tc rules to it?

Or we can use the cgroup system directly to set net_cls on the containers, and then apply rules to that?

Are there any plans for tighter integration of Docker with per-container bandwidth controls?

@victorhooi : there are many ways to do it. Ideally it might have to be bound to network strategies (i.e. the new feature in libcontainer that lets containers have multiple interfaces and different interface types), since one will not use the same technique to limit traffic on a veth and on a macvlan interface (even though in that case, tc will get us pretty far). I have no experience with net_cls but I wonder what would be possible with it?

FYI: net_cls only sets a classid/flag on outgoing packets so that they can be identified in tc or iptables, ie. not usable to control incoming bandwidth.

On Tuesday 25 March 2014 at 07:16, Jérôme Petazzoni wrote:

@victorhooi (https://github.com/victorhooi) : there are many ways to do it. Ideally it might have to be bound to network strategies (i.e. the new feature in libcontainer that lets containers have multiple interfaces and different interface types), since one will not use the same technique to limit traffic on a veth and on a macvlan interface (even though in that case, tc will get us pretty far). I have no experience with net_cls but I wonder what would be possible with it?

—
Reply to this email directly or view it on GitHub (#37 (comment)).