<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from text --><style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<meta content="text/html; charset=UTF-8">
<style type="text/css" style="">
<!--
p
{margin-top:0;
margin-bottom:0}
-->
</style>
<div dir="ltr">
<div id="x_divtagdefaultwrapper" dir="ltr" style="font-size:12pt; color:#000000; font-family:Calibri,Helvetica,sans-serif">
<p>Hi Lennart,</p>
<p><br>
</p>
<p>It is definitely a functionality we want to use. However, the memory came as an unexpected side effect, since we are not enabling this for one single service only; instead, we are applying it globally for all services.</p>
<p><br>
</p>
<p>Now, due to this huge memory consumption, we are trying to put everything into the same namespace using JoinsNamespaceOf=&lt;some-service&gt;. It seems to consume less memory.</p>
<p><br>
</p>
<p>Best Regards,</p>
<div id="x_Signature">
<div name="x_divtagdefaultwrapper" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:; margin:0">
Christopher Wong</div>
</div>
</div>
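<p>The pattern described above (one unit owning a private network namespace, others joining it with JoinsNamespaceOf= instead of each allocating their own), as an added example that is not part of this thread or of systemd's own code. The unit names (netns-anchor.service, worker-a.service, standalone.service) are hypothetical, the unit files are constructed sample input written to a temporary directory, and the two counting functions are a small audit helper for spotting which units would still get their own namespace; nothing here is loaded into a running systemd.</p>
```shell
#!/bin/sh
# Added example, not from the thread. Writes three constructed unit files into a
# temporary directory and prints its path. Unit names are hypothetical.
setup_units() {
    dir=$(mktemp -d)

    # Anchor unit: owns the private network namespace that others will join.
    cat > "$dir/netns-anchor.service" <<'EOF'
[Unit]
Description=Hypothetical anchor unit that owns the shared network namespace

[Service]
ExecStart=/bin/sleep infinity
PrivateNetwork=yes
EOF

    # Worker unit: joins the anchor's namespace rather than allocating a new one.
    # JoinsNamespaceOf= only takes effect when PrivateNetwork= is set on both units.
    cat > "$dir/worker-a.service" <<'EOF'
[Unit]
Description=Hypothetical worker sharing the anchor's network namespace
JoinsNamespaceOf=netns-anchor.service
After=netns-anchor.service
Requires=netns-anchor.service

[Service]
ExecStart=/bin/sleep infinity
PrivateNetwork=yes
EOF

    # Standalone unit: allocates its own namespace (one kernel netns per service).
    cat > "$dir/standalone.service" <<'EOF'
[Unit]
Description=Hypothetical service with its own private network namespace

[Service]
ExecStart=/bin/sleep infinity
PrivateNetwork=yes
EOF

    echo "$dir"
}

# Count units under directory $1 that enable PrivateNetwork= but do not join
# another unit's namespace, i.e. units that each get a namespace of their own.
count_own_netns() {
    n=0
    for f in "$1"/*.service; do
        if grep -qE '^PrivateNetwork=(yes|true|on|1)$' "$f"; then
            if ! grep -q '^JoinsNamespaceOf=' "$f"; then
                n=$((n + 1))
            fi
        fi
    done
    echo "$n"
}

# Count units under directory $1 that share a namespace via JoinsNamespaceOf=.
count_joined() {
    n=0
    for f in "$1"/*.service; do
        if grep -q '^JoinsNamespaceOf=' "$f"; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}
```
<p>Running the audit over the constructed directory reports two units that would each allocate their own network namespace (the anchor and the standalone unit) and one that joins an existing namespace; on a real system the same two functions can be pointed at /etc/systemd/system to see how many namespaces a fleet of sandboxed services would create.</p>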
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Lennart Poettering &lt;lennart@poettering.net&gt;<br>
<b>Sent:</b> Wednesday, March 9, 2022 4:18:22 PM<br>
<b>To:</b> Christopher Wong<br>
<b>Cc:</b> systemd-devel@lists.freedesktop.org<br>
<b>Subject:</b> Re: [systemd-devel] PrivateNetwork=yes is memory costly</font>
<div> </div>
</div>
</div>
<font size="2"><span style="font-size:10pt;">
<div class="PlainText">On Mo, 07.03.22 15:10, Christopher Wong (Christopher.Wong@axis.com) wrote:<br>
<br>
> Hi,<br>
><br>
><br>
> It seems that PrivateNetwork=yes is a memory consuming<br>
> directive. The kernel seems to allocate quite an amount of memory<br>
> for each service (~50 kB) that has this directive enabled. I wonder<br>
> if this is expected and if anyone has had similar experience?<br>
<br>
PrivateNetwork=yes means that a private network namespace is allocated<br>
for the service. If you think network namespaces are too expensive in<br>
their current implementation, please bring this up with the kernel<br>
people, because they are a kernel concept after all, we just allocate<br>
them if told so.<br>
<br>
Network namespaces are an effective way to disconnect a service from<br>
the network, if the service doesn't need it. It's probably one of the<br>
most relevant sandboxing options we offer, since disabling the attack<br>
surface called "network" for a service is of such major<br>
importance. That said, if you disable the network namespace<br>
functionality in the kernel systemd will handle this gracefully, and<br>
not use it. If the feature is available in the kernel we will however<br>
use it.<br>
<br>
> Is there any ways to reduce the usage?<br>
<br>
Besides turning it off? Nothing I was aware of.<br>
<br>
Lennart<br>
<br>
--<br>
Lennart Poettering, Berlin<br>
</div>
</span></font>
</body>
</html>