Subject: Re: Jail For NetBSD
To: Gordon Waidhofer <>
From: Dick Davies <>
List: tech-kern
Date: 12/06/2004 16:36:19
* Gordon Waidhofer <> [1209 15:09]:

>     4. Separation. This is Linux VServer, which is a fantastic
>     project that doesn't have the publicity engine and funding
>     of a big university behind it. This isn't really virtualization
>     as much as it is separation. This approach is also shared by
>     SwSoft's Virtuozzo, FreeBSD jails and Solaris containers. Since
>     there is only one kernel in this scenario, this method is not
>     OS-independent, i.e. VServer only runs Linux, Jails are only
>     for FreeBSD, etc. Performance-wise, this approach should far
>     outrun any other method as it carries practically no overhead
>     and takes advantage of all the existing UN*X optimization. It
>     is also very secure, possibly most secure of all

I did'nt agree with this when i read it on slashdot, and still don't.

One of the big wins with xen versus jail-like approaches (this may
apply to solaris 10 containers/zones, I've not researched them much yet)
is that you can apply resource limits to a domain, so for example you
run your mysql databases in a linux xen domain and your postgresqls
in a BSD one - if one domain gets forkbombed, the others barely notice.

See the paper 'Xen and the Art of Virtualization'
(probably already posted by Thor, but doesn't hurt to repeat):

...and then we wrote scripts to write the configs for us, and using
these scripts, we made mistakes in a faster, more automated manner.
		- 'A Gentle Introduction to Cricket', on MRTG configuration
Rasputin :: Jack of All Trades - Master of Nuns