Subject: Re: FreeBSD-like jail? And virtual hosting management interface?
To: NetBSD User's Discussion List <netbsd-users@NetBSD.org>
From: Greg A. Woods <woods@weird.com>
List: netbsd-users
Date: 11/08/2004 13:18:32
[ On Sunday, November 7, 2004 at 16:47:06 (-0500), Steven M. Bellovin wrote: ]
> Subject: Re: FreeBSD-like jail? And virtual hosting management interface? 
>
> 
> Xen is great for heavy-weight confinement, but it takes a lot of effort 
> -- you have to build (and maintain) an entire extra NetBSD image for 
> each such app.

I don't agree about the amount of effort it takes -- indeed from what
little I've seen, both with Xen and with other VM systems across the
years, it takes _far_ less effort to set up and use a full virtual
machine environment than it does to set up and use a "chroot" or "jail"
style environment.

With Xen you don't actually have to build and maintain an extra NetBSD
image for each virtual environment, just one for them all -- there are
several techniques to share all the common elements and with Xen in
particular if I'm not mistaken I believe the scripting possible during
VM cloning can take care of all the critical configuration differences
between VMs (leaving the rest up to the users who the VMs are assigned
to).

The setup of "jail" environments can obviously be scripted too, but in
the end you pretty much have to create whole OS images for each env too.

However a full VM is indeed a heavy-weight confinement tool -- you do
indeed have to run a full kernel and user-land in each virtual machine
and the VM itself can only do so much to share various resources under
the hood.

-- 
						Greg A. Woods

+1 416 218-0098                  VE3TCP            RoboHack <woods@robohack.ca>
Planix, Inc. <woods@planix.com>          Secrets of the Weird <woods@weird.com>