FBSD jail versus VMWare? What services do YOU run in a jail?
Julian H. Stacey
jhs at berklix.com
Tue Apr 22 23:47:10 UTC 2014
"edflecko ." wrote:
> I'm really interested in the comparison of using a FBSD jail rather than
> VMWare in the context of virtualization.
> At my business, we heavily use VMWare - you might say we consider ourselves
> a VMWare "shop". 99% of our servers are virtualized.
> I've heard that it's possible to run hundreds, if not thousands, of
> services in FBSD jails on a given host server because of the sharing of
> resources that all of your jails take advantage of.
(If you really try a thousand, avoid a class C net interface though ;-)
> If I understand that
> correctly, that's one of the HUGE advantages of running services in jails
> as opposed to creating VM after VM after VM - each VM eats up disk space on
> the SAN as well as memory resources, etc.
Maybe if the prison (parent) host runs ZFS & there's sparse file detection
it could save space for (child) VMs & jails? I don't know.
> Additionally, the jailed service
> is far better from a security perspective?
No. The opposite. I would expect a VM to be more secure. I put my
finger on a security hole with jails last year, & raised it on a
freebsd list, it got considered, no solution, it'll be in archives,
but I can't remember detail, & no time to look, & when I do get time
to get back to it, I'd be aiming at list freebsd-jail at freebsd.org
not this general questions@ list.
> Having said all of that, I'm curious to hear from some of you who may be
> doing just this - are you running a FBSD server with some of your mission
> critical services (Apache, Bind, DHCP, etc., etc.) within jails and how do
> you like it versus running hundreds of VMs and VMWare?
As a mere VM user & jail owner, I run those services on both a VM
& a jail, they run functionally the same, except in jail I've had
problems with chflags failing, & in jail I've had to take more care
with ifconfig flags.
A VM is a cleaner concept if one can spare the RAM. A jail is
cheaper: less security, less flexibility (e.g. no Linux jail in a
FreeBSD prison), more efficiency of resources, thus cheaper. Both
useful. Analogy: I also use both a car & a bike.
> What type of services CAN be run from within a jail?
Try it! All I guess, certainly inc. httpd ftpd sshd smtpd popd named sasld etc.
> Thank you,
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
Interleave replies below like a play script. Indent old text with "> ".
Google breach privacy http://berklix.com/jhs/adverts/