From owner-freebsd-stable@FreeBSD.ORG  Tue Mar 13 10:46:49 2007
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
X-Original-To: freebsd-stable@freebsd.org
Delivered-To: freebsd-stable@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 67D6516A401
	for <freebsd-stable@freebsd.org>; Tue, 13 Mar 2007 10:46:49 +0000 (UTC)
	(envelope-from tom@tomjudge.com)
Received: from s200aog11.obsmtp.com (s200aog11.obsmtp.com [207.126.144.125])
	by mx1.freebsd.org (Postfix) with SMTP id C9ACD13C469
	for <freebsd-stable@freebsd.org>; Tue, 13 Mar 2007 10:46:48 +0000 (UTC)
	(envelope-from tom@tomjudge.com)
Received: from source ([217.206.187.80]) by eu1sys200aob011.postini.com
	([207.126.147.11]) with SMTP; Tue, 13 Mar 2007 10:46:47 UTC
Received: from [10.0.0.79] (bwb.mintel.co.uk [10.0.0.79])
	by rodney.mintel.co.uk (Postfix) with ESMTP id AD1EF18141B;
	Tue, 13 Mar 2007 10:20:20 +0000 (GMT)
Message-ID: <45F679EA.5000300@tomjudge.com>
Date: Tue, 13 Mar 2007 10:16:10 +0000
From: Tom Judge <tom@tomjudge.com>
User-Agent: Thunderbird 1.5.0.9 (X11/20070104)
MIME-Version: 1.0
To: Nikolas Britton <nikolas.britton@gmail.com>
References: <ef10de9a0703121216k1035481bwc7df222a92b44400@mail.gmail.com>	<op.to3c4aos8527sy@guido.klop.ws>	<ef10de9a0703121334t3af7daecw977dc1916d86ba52@mail.gmail.com>	<45F5C23B.8040303@antiszoc.hu>
	<ef10de9a0703121915x50e8bf8dx2d6a0836accdb7be@mail.gmail.com>
In-Reply-To: <ef10de9a0703121915x50e8bf8dx2d6a0836accdb7be@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 8bit
Cc: FreeBSD Stable List <freebsd-stable@freebsd.org>,
	=?ISO-8859-1?Q?Andras_G=F3t?= <andrej@antiszoc.hu>
Subject: Re: Xen Dom0, are we making progress?
X-BeenThere: freebsd-stable@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Production branch of FreeBSD source code <freebsd-stable.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>, 
	<mailto:freebsd-stable-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-stable>
List-Post: <mailto:freebsd-stable@freebsd.org>
List-Help: <mailto:freebsd-stable-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-stable>,
	<mailto:freebsd-stable-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Mar 2007 10:46:49 -0000

Nikolas Britton wrote:
> On 3/12/07, Andras Gót <andrej@antiszoc.hu> wrote:
>> Nikolas Britton wrote:
>> > On 3/12/07, Ronald Klop <ronald-freebsd8@klop.yi.org> wrote:
>> >> On Mon, 12 Mar 2007 20:16:32 +0100, Nikolas Britton
>> >> <nikolas.britton@gmail.com> wrote:
>> >>
>> >> > Is FreeBSD making any progress in Xen Dom0 / Intel VT support? I'd
>> >> > really like to consolidate some underutilized FreeBSD servers. Are
>> >> > their any alternative solutions that will enable me to do this 
>> kind of
>> >> > stuff with FreeBSD, or would it be better to go with Solaris Dom0 +
>> >> > FreeBSD DomU?
>> >>
>> >> http://docs.freebsd.org/44doc/papers/jail/jail.html
>> >> google: jail freebsd
>> >>
>> >
>> > Yes I'd like to know more about jails, is there a high level /
>> > executive summary type document that I can read somewhere? From what I
>> > remember jails are mostly designed to partition stuff... for security
>> > reasons.
>> >
>> > What I'd really love to do is split up each service (httpd, postgres,
>> > samba/nfs,  ldap/nis, asterisk, etc.) into discrete virtual machines.
>> > It's too much work trying to make them all play nice on one system,
>> > especially during upgrades. As it is right now I don't upgrade any
>> > services once a system is in production use.
>>
>> Hi,
>>
>> For first read man jail. :) Apache, bind, mysql and postfix run fine in
>> a jail. For postgres you've to turn on the jail.ipc.
>> This is basicly not so bad, but definitely reduces security. For
>> samba/nfs/ldap/nis and asterisk I don't have the experience, but if they
>> not need ipc, they'll run fine out of the box. In jails I suggest that
>> you mount your ports tree with some nullfs mount. With this you'll save
>> some hd capacity. (The installed port list is in /var, not in
>> /usr/ports.) In jails you can't do resource control, so keep that in 
>> mind.
>>
> 
> Is their anyway to transfer jails on the fly between systems... For
> example, say I wanted to transfer the http service to a more powerful
> box because load was too high, can you do stuff like this?


You could export the jail file system via nfs, or use some other form of 
shared storage to share the file system.  I have seen systems that put 
the jail IP address onto the loop back interface and then use OSPF to 
advertise the service to your border routers.  If your storage subsystem 
supports if (NFS will) you can have both jails up and running at the 
same time and then just change the routing advertisements to move the 
service.

Just an idea,  I have never tried it,  but I did see some fail over 
project that used the methods above.  The project advertised the fact 
that not only can you move services between hosts but also you can move 
them between physical sites if your routers all run ospf.

Tom