[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: NetBSD Jails
Am Dienstag, 19. Mai 2020, 03:15:53 CEST schrieb Greg A. Woods:
> (and what always dominates performance? I/O dominates!)
As all parameters, I/O is just one of - if I/O would be really anything,
VMware ESX would be not existing anymore...ß)
Dont get me wrong: i/O is "primary" for me in most of my setups to, but in
practice i seems many different approaches to avoid bottlenecks in full virt
too where other parameters seems more important (i.e. argument "RAM costs
> (Other studies I've scanned suggest there is even less performance
> difference than most people seem to assume must be there.)
> I still think the security and complexity issues with containers, are a
> very much bigger concern than the pure efficiency losses of running full
This is - from my view - a bit outdated view, because of the development.
I.e. a known developer company of a even more known "blogging" software (LAMP
stack) isolates each instance of their software installations into LXC
containers (their principle would similiar work with jails or even better)
while they have millions of users today (means millions of containers) while
up to tenthousands of on single machines (bound to private LAN IPs behgind
NAT and/or proxying / load balancing). This allows them to provide a relative
"insecure" software setup (customers can install "potentially dangerous"
third party plugins etc. while most "accidents" cant leave the "container"
and the customer can restart (reset) his container easily etc.). The
container around is "integral" part of the security concept of the software.
Shure, theoretically this could be done by Xen PV too (with a lot of trickery
just to get near the same footprint size ballpark) or with "cheap single
computers", but in practice this results in much more overhead in different
ressources (incl. development ressources, time when booting - not only
Curiously the most community users of that software doesnt use that level of
isolation in shared hosting setups of that software (what makes them beloved
attack vectors out there...).
I work with xen since very early versions and still use it (PV etc.), with
"containers" on top (jails would be nice) as with NetBSD. I would switch over
more setups to NetBSD if jails would be available, because i still prefer
NetBSD over FreeBSD on such servers because it is more Xen (PV) "friendly" at
Syndicat IT & Internet
Main Index |
Thread Index |