I want to back up a little bit and ask what your specific goal is currently. I would like to get a better handle on your intended use case, as exploring new features and use cases for TNSR is something I am quite interested in.
As I understand it currently, your goal was to create a container to run iperf3 from? Is your reasoning for the container because you didn't see a way of running the iperf3 binary in a way that was accessible from the dataplane networks? Or was your goal to provide isolation to the iperf3 service AND have it be accessible from the dataplane networks?
Are you using iperf3 in these posts as just an example of a generic application to run in a container or link to the dataplane, with the intention of running other applications after you found a solution to an example application?
I would say all of the above.
My self-built test box has enough cores to support multiple services. So I was looking to put those cores and memory to some use, such that I don't need another system. TNSR AIO if you want. Ideally those services running should support some sort of resource contention. The Linux kernel provides that via cgroups, with a multitude of implementations, Docker being just one of them. Of course we should isolate/reserve/dedicate some cores for TNSR and DPDK only.
iperf was indeed an example. This would eventually imply that our monitoring system performs and records regular tests. I work for a Swiss university so we already use that to measure different parts of our network. Nothing out of the ordinary here.
Anyway, the generic application sounds more like what I would like to achieve. I was thinking to expose a webserver for a not-so-trustworthy containerized app through the TNSR dataplane. If this gets compromised it should not be possible to influence the TNSR router.
I saw on the VPP wiki they have nginx examples.
I would try that next.
I am not sure (I forgot to check) if that iperf port is exposed on all TNSR interfaces. I would probably need to apply some ACLs. Btw, do the TNSR ACLs protect/work against packet fragmentation attacks?
Are the TNSR ACLs the VPP ones? The TNSR documentation is not clear about that...
I hope that explains my use case a bit more.