NetBSD-Users archive


Re: NetBSD Jails

On Tuesday, 19 May 2020, 03:15:53 CEST, Greg A. Woods wrote:
> (and what always dominates performance?  I/O dominates!)
Like all parameters, I/O is just one of them - if I/O were really everything, 
VMware ESX would no longer exist... ;)

Don't get me wrong: I/O is "primary" for me in most of my setups too, but in 
practice I see many different approaches to avoiding bottlenecks in full 
virtualisation as well, where other parameters seem more important (i.e. the 
argument "RAM costs nothing" etc.).

> (Other studies I've scanned suggest there is even less performance
> difference than most people seem to assume must be there.)
> I still think the security and complexity issues with containers, are a
> very much bigger concern than the pure efficiency losses of running full
> VMs.
This is - from my view - a somewhat outdated view, because of the developments.

I.e. a well-known developer company of an even better-known "blogging" software 
(LAMP stack) isolates each instance of their software installations into LXC 
containers (their principle would work similarly with jails, or even better), 
while they have millions of users today (meaning millions of containers), with 
up to tens of thousands on single machines (bound to private LAN IPs behind 
NAT and/or proxying / load balancing). This allows them to provide a relatively 
"insecure" software setup (customers can install "potentially dangerous" 
third-party plugins etc., while most "accidents" can't leave the "container" 
and the customer can restart (reset) his container easily etc.). The 
container around it is an "integral" part of the security concept of the software.

Sure, theoretically this could be done with Xen PV too (with a lot of trickery 
just to get near the same footprint size ballpark) or with "cheap single 
computers", but in practice this results in much more overhead in different 
resources (incl. development resources, boot time - not only 
hardware etc.).

Curiously, most community users of that software don't use that level of 
isolation in shared hosting setups of that software (which makes them beloved 
attack vectors out there...).

I have worked with Xen since very early versions and still use it (PV etc.), with 
"containers" on top (jails would be nice) as with NetBSD. I would switch over 
more setups to NetBSD if jails were available, because I still prefer 
NetBSD over FreeBSD on such servers, because it is more Xen (PV) "friendly" at 


 Niels Dettenbach
 Syndicat IT & Internet
