Subject: RE: Jail For NetBSD
To: NetBSD Kernel <tech-kern@NetBSD.org>
From: Gordon Waidhofer <gww@traakan.com>
List: tech-kern
Date: 12/06/2004 06:57:05
When this thread started it peaked my curiosity.
What's a FreeBSD jail? When I looked it up, it
peaked my curiosity further. Why would anybody
want somethink like that? And, yes, why wouldn't
somebody just use Xen?

It's all about Virtual Private Servers (VPS).
Another cool term is "multitenancy".

I'm guessing the misgivings about Xen is scalability.
Folks looking for VPS may want dozens, scores, hundreds
of virtual private servers. The jail approach including
Linux Vserver (similar to jail I think) can do so.
The Xen approach probably can't, though I'd be curious
how many virtual machines folks have achieved with Xen.
Another approach that seems to be expedient for
webhosters is UML (User Mode Linux) that somehow
magically emulates in a userland process a machine suitable
for running the kernel. As a kernel hack, UML sounds
interesting though I tend to find the Xen approach
more appealing.

The following excerpt is from

    http://linux.slashdot.org/article.pl?sid=04/12/02/2238253&from=rss

which is well worth a quick read.

    There are 4 ways (I think) to provide what is loosely
    referred to as "virtualization":

    1. Hardware emulation. QEMU, VMWare, Bochs all fall in
    that category. QEMU is open source and is actually pretty
    cool - a great way to test kernels during development
    or testing that new ISO you're trying to put together.
    This method is the slowest of all since all hardware is
    simulated in software.

    2. User Mode Linux. In this scenario the kernel is run
    as a user process. This method has the second most
    overhead. Security-wise, it is only as secure as the host
    system, so if there is a known userland exploit, it is
    vulnerable.

    3. Xen. To the best of my understanding, Xen is a kernel
    which runs other kernels. So this architecturally similar
    to UML, but (if you believe them) is much better optimized.
    And if Xen is as exploit-free as is claimed, it should also
    be pretty pretty secure, though I believe only time will tell.

    4. Separation. This is Linux VServer, which is a fantastic
    project that doesn't have the publicity engine and funding
    of a big university behind it. This isn't really virtualization
    as much as it is separation. This approach is also shared by
    SwSoft's Virtuozzo, FreeBSD jails and Solaris containers. Since
    there is only one kernel in this scenario, this method is not
    OS-independent, i.e. VServer only runs Linux, Jails are only
    for FreeBSD, etc. Performance-wise, this approach should far
    outrun any other method as it carries practically no overhead
    and takes advantage of all the existing UN*X optimization. It
    is also very secure, possibly most secure of all (short of
    hardware emulation like QEMU) since it directly addresses all
    known virtualization exploits such as chroot escapes. But,
    perhaps I'm biased...

Microsoft's Xen-like thing:

    http://www.nwfusion.com/news/2004/0908virtual.html

Good exchange about VPS, empahsis on cost analysis.
The CEO of SWSoft, makers of Virtuozzo, participates.
Virtuozzo is a commercial version of jails/Vserver.

    http://www.webhostingtalk.com/archive/thread/222656-1.html

A handful of links, don't know how good they are

    http://uml.harlowhill.com/index.php/Related

The upshot is this.... adding VPS support to NetBSD could
follow the jail/Vserver approach, or lean on Xen, or, or, or.....

As a propeller-head, Xen just sounds cool. As a matter of
expediency, I have to wonder if something like UML couldn't
be done very quickly with negligible kernel code impact.
The momentum seems to be with then jail/Vserver approach.

Scaling Xen to 100 VPS on a modest machine would be
sensational..... and a (way cool) challenge.

Regards,
        -gww


> -----Original Message-----
> From: tech-kern-owner@NetBSD.org [mailto:tech-kern-owner@NetBSD.org]On
> Behalf Of Dick Davies
> Sent: Monday, December 06, 2004 2:20 AM
> To: NetBSD Kernel
> Subject: Re: Jail For NetBSD
> 
> 
> * kamel derouiche <derouiche_dz@yahoo.fr> [1228 03:28]:
> >  --- "Mike M. Volokhov" <mishka@apk.od.ua> a ?crit : 
> > > On Sat, 4 Dec 2004 05:56:45 -0800 (PST)
> > > kamel derouiche <derouiche_dz@yahoo.fr> wrote:
> > > 
> > > > Hi, 
> > > > Is what it exist an equivalent of jail in NetBSD ?
> > > 
> > > You may try out systrace(4) framework. But it is not
> > > "jail", tough.
> 
> No-one mentioned xen ( http://www.cl.cam.ac.uk/Research/SRG/netos/xen/ )
> yet - the netbsd port sounds like its usable,
> it wizzes all over jail from a process isolation point of view, and if you
> need wider binary support you just run linux/plan9/freebsd alongside netbsd...
> 
> -- 
> Bender, Ship, stop arguing or I'll come back there and change
> your opinions manually. - Leela
> Rasputin :: Jack of All Trades - Master of Nuns
>