Subject: Re: Jail For NetBSD
To: Gordon Waidhofer <>
From: Thor Lancelot Simon <>
List: tech-kern
Date: 12/06/2004 10:35:51

On Mon, Dec 06, 2004 at 06:57:05AM -0800, Gordon Waidhofer wrote:
> When this thread started it piqued my curiosity.
> What's a FreeBSD jail? When I looked it up, it
> piqued my curiosity further. Why would anybody
> want something like that? And, yes, why wouldn't
> somebody just use Xen?

And, more importantly, if so many people want the hacked-together
set of random containment features that are "jails", why hasn't
someone written a systrace policy to provide that?  AFAICT systrace
is a superset of the "jail" functionality; it is general enough that
there is nothing that "jails" do that systrace cannot.

> It's all about Virtual Private Servers (VPS).
> Another cool term is "multitenancy".
> I'm guessing the misgivings about Xen is scalability.

Have you read the Xen papers (including the benchmark results)?  Xen can do
this and more (including hot migration of "virtual servers" from one physical
machine to another).  From my point of view, all this "multitenancy" stuff
is basically mainframe-VM envy; and Xen is as close to that on commodity
hardware as you're going to get.  If you don't want something that heavy,
again AFAICT systrace can be used to build this crusty "jail" stuff that
every once in a while someone pops up here to flame us for not having in
canned form.

FWIW, NetBSD/xen works well enough that we use it on some of the NetBSD
Project servers.  It has its rough edges (notably, timekeeping is a little
funny, even with the last batch of changes Christian and I made, and
heavy disk I/O can make the system response a little bursty) but it is
really really _good_ stuff.  It is easy to install (just install grub
instead of our native bootblocks, and copy Xen itself and a NetBSD/xen
kernel into the root of your NetBSD/i386 filesystem) and it performs
pretty much like they say it does -- really it is well worth giving a

We are looking for someone to write the necessary backend driver code
(the part that feeds blocks/network frames to other Xen domains) so that
we can run in domain 0 under Xen 2.0 (we already support running in
any domain with Xen 1.2, and in non-0 domains with 2.0).  NetBSD/xen
really is a pretty successful piece of work -- we need to find someone
else with time to write this particular code because the portmaster,
Christian Limpach, doesn't really have time to do it because the Xen
project hired him full time... :-)