Subject: RE: Jail For NetBSD
To: NetBSD Kernel <tech-kern@NetBSD.org>
From: Gordon Waidhofer <firstname.lastname@example.org>
Date: 12/06/2004 06:57:05
When this thread started it peaked my curiosity.
What's a FreeBSD jail? When I looked it up, it
peaked my curiosity further. Why would anybody
want somethink like that? And, yes, why wouldn't
somebody just use Xen?
It's all about Virtual Private Servers (VPS).
Another cool term is "multitenancy".
I'm guessing the misgivings about Xen is scalability.
Folks looking for VPS may want dozens, scores, hundreds
of virtual private servers. The jail approach including
Linux Vserver (similar to jail I think) can do so.
The Xen approach probably can't, though I'd be curious
how many virtual machines folks have achieved with Xen.
Another approach that seems to be expedient for
webhosters is UML (User Mode Linux) that somehow
magically emulates in a userland process a machine suitable
for running the kernel. As a kernel hack, UML sounds
interesting though I tend to find the Xen approach
The following excerpt is from
which is well worth a quick read.
There are 4 ways (I think) to provide what is loosely
referred to as "virtualization":
1. Hardware emulation. QEMU, VMWare, Bochs all fall in
that category. QEMU is open source and is actually pretty
cool - a great way to test kernels during development
or testing that new ISO you're trying to put together.
This method is the slowest of all since all hardware is
simulated in software.
2. User Mode Linux. In this scenario the kernel is run
as a user process. This method has the second most
overhead. Security-wise, it is only as secure as the host
system, so if there is a known userland exploit, it is
3. Xen. To the best of my understanding, Xen is a kernel
which runs other kernels. So this architecturally similar
to UML, but (if you believe them) is much better optimized.
And if Xen is as exploit-free as is claimed, it should also
be pretty pretty secure, though I believe only time will tell.
4. Separation. This is Linux VServer, which is a fantastic
project that doesn't have the publicity engine and funding
of a big university behind it. This isn't really virtualization
as much as it is separation. This approach is also shared by
SwSoft's Virtuozzo, FreeBSD jails and Solaris containers. Since
there is only one kernel in this scenario, this method is not
OS-independent, i.e. VServer only runs Linux, Jails are only
for FreeBSD, etc. Performance-wise, this approach should far
outrun any other method as it carries practically no overhead
and takes advantage of all the existing UN*X optimization. It
is also very secure, possibly most secure of all (short of
hardware emulation like QEMU) since it directly addresses all
known virtualization exploits such as chroot escapes. But,
perhaps I'm biased...
Microsoft's Xen-like thing:
Good exchange about VPS, empahsis on cost analysis.
The CEO of SWSoft, makers of Virtuozzo, participates.
Virtuozzo is a commercial version of jails/Vserver.
A handful of links, don't know how good they are
The upshot is this.... adding VPS support to NetBSD could
follow the jail/Vserver approach, or lean on Xen, or, or, or.....
As a propeller-head, Xen just sounds cool. As a matter of
expediency, I have to wonder if something like UML couldn't
be done very quickly with negligible kernel code impact.
The momentum seems to be with then jail/Vserver approach.
Scaling Xen to 100 VPS on a modest machine would be
sensational..... and a (way cool) challenge.
> -----Original Message-----
> From: tech-kern-owner@NetBSD.org [mailto:tech-kern-owner@NetBSD.org]On
> Behalf Of Dick Davies
> Sent: Monday, December 06, 2004 2:20 AM
> To: NetBSD Kernel
> Subject: Re: Jail For NetBSD
> * kamel derouiche <email@example.com> [1228 03:28]:
> > --- "Mike M. Volokhov" <firstname.lastname@example.org> a ?crit :
> > > On Sat, 4 Dec 2004 05:56:45 -0800 (PST)
> > > kamel derouiche <email@example.com> wrote:
> > >
> > > > Hi,
> > > > Is what it exist an equivalent of jail in NetBSD ?
> > >
> > > You may try out systrace(4) framework. But it is not
> > > "jail", tough.
> No-one mentioned xen ( http://www.cl.cam.ac.uk/Research/SRG/netos/xen/ )
> yet - the netbsd port sounds like its usable,
> it wizzes all over jail from a process isolation point of view, and if you
> need wider binary support you just run linux/plan9/freebsd alongside netbsd...
> Bender, Ship, stop arguing or I'll come back there and change
> your opinions manually. - Leela
> Rasputin :: Jack of All Trades - Master of Nuns