NetBSD-Users archive


Re: NetBSD Jails



On Sun, 17 May 2020 12:06:36 -0700
"Greg A. Woods" <woods%planix.com@localhost> wrote:

> If you actually really need a fully isolated and completely full
> featured environment where you can run complex applications in
> "reasonably secure" sandbox style isolation then why not choose the
> best possible hardware you can afford that supports a full virtual
> machine environment such as Xen, or nvmm/bhyve with qemu or
> virtualbox, etc.? (e.g. I bought a used Dell server for about $500
> and I can run Xen with many domUs on it very efficiently)

Your main gripe about jails/zones/containers is added complexity. Well,
guess what: with Xen/VMware/VirtualBox the complexity is still there;
you just pushed it over to the hypervisor vendor.

If you run multiple instances of the same OS version in Xen/VMware,
that is a pretty inefficient way to partition your application domains.
Each instance has a duplicate copy of the kernel, drivers, libraries,
etc. The overhead and latency of scheduling and context switching
various processes in multiple OSes is also not insignificant. Also
forget about chroot, it is not an enterprise solution.

Containers scale much better, with lower memory usage and less CPU
overhead. For a home network server, it doesn't matter so much, but if
you are in the business of selling cloud services, then containers are
the way to go. Yes, you need a solid container OS with virtualized
network and storage implementations, so for NetBSD it probably means
re-writing parts of those subsystems from scratch. It has been done for
other OSes and works quite well.
