Subject: Re: Jail For NetBSD
To: Gordon Waidhofer <email@example.com>
From: Dick Davies <firstname.lastname@example.org>
Date: 12/06/2004 16:36:19
* Gordon Waidhofer <email@example.com> [1209 15:09]:
> 4. Separation. This is Linux VServer, which is a fantastic
> project that doesn't have the publicity engine and funding
> of a big university behind it. This isn't really virtualization
> as much as it is separation. This approach is also shared by
> SwSoft's Virtuozzo, FreeBSD jails and Solaris containers. Since
> there is only one kernel in this scenario, this method is not
> OS-independent, i.e. VServer only runs Linux, Jails are only
> for FreeBSD, etc. Performance-wise, this approach should far
> outrun any other method as it carries practically no overhead
> and takes advantage of all the existing UN*X optimization. It
> is also very secure, possibly most secure of all
I did'nt agree with this when i read it on slashdot, and still don't.
One of the big wins with xen versus jail-like approaches (this may
apply to solaris 10 containers/zones, I've not researched them much yet)
is that you can apply resource limits to a domain, so for example you
run your mysql databases in a linux xen domain and your postgresqls
in a BSD one - if one domain gets forkbombed, the others barely notice.
See the paper 'Xen and the Art of Virtualization'
(probably already posted by Thor, but doesn't hurt to repeat):
...and then we wrote scripts to write the configs for us, and using
these scripts, we made mistakes in a faster, more automated manner.
- 'A Gentle Introduction to Cricket', on MRTG configuration
Rasputin :: Jack of All Trades - Master of Nuns