From: Boris
To: "Julian H. Stacey"
Cc: "edflecko .", FreeBSD Mailing List
Subject: Re: FBSD jail versus VMWare? What services do YOU run in a jail?
Date: Tue, 22 Apr 2014 22:43:52 -0400
In-Reply-To: <201404222302.s3MN2brb059084@fire.js.berklix.net>

'VMware' does not tell much of what you want to compare jails against.
They have Fusion on Mac, ESXi for hosts, vCenter for ESXi host management,
VSAN.... That can run on top of VERY complex datacenter architectures with
fabric and L2 network and could potentially work for multiple clusters/DC
across the world.

AFAIK, jails do not offer anything beyond the same physical server.

Don't get me wrong, jails are a lot easier to spin in my opinion and make
more sense when it comes to sticking to a full FreeBSD environment. For
anything a bit more heterogeneous, VMware products will help.

Now, what you can keep an eye on is Opencontrail, sponsored by Juniper, who
already released this as a product named Contrail.

Opencontrail project details on FreeBSD:
http://www.freebsd.org/news/status/report-2013-10-2013-12.html#FreeBSD-Host-Support-for-OpenStack-and-OpenContrail

And Juniper ref to their product:
http://www.juniper.net/us/en/products-services/sdn/contrail/

HTH
Boris

On Tue, Apr 22, 2014 at 7:02 PM, Julian H. Stacey wrote:

> "edflecko ." wrote:
> > I'm really interested in the comparison of using a FBSD jail rather than
> > VMWare in the context of virtualization.
> >
> > At my business, we heavily use VMWare - you might say we consider
> > ourselves a VMWare "shop". 99% of our servers are virtualized.
> >
> > I've heard that it's possible to run hundreds, if not thousands, of
> > services in FBSD jails on a given host server because of the sharing of
> > resources that all of your jails take advantage of.
>
> Yes, lots.
> (If you really try a thousand, avoid a class C net interface though ;-)
>
> > If I understand that
> > correctly, that's one of the HUGE advantages of running services in jails
>
> Yes
>
> > as opposed to creating VM after VM after VM - each VM eats up disk space
> > on the SAN as well as memory resources, etc.
>
> Yes.
> Maybe if the prison (parent) host runs ZFS & there's sparse file detection
> it could save space for (child) VMs & jails? I don't know.
>
> > Additionally, the jailed service
> > is far better from a security perspective?
>
> No. The opposite. I would expect a VM to be more secure. I put my
> finger on a security hole with jails last year, & raised it on a
> freebsd list, it got considered, no solution, it'll be in archives,
> but I can't remember detail, & no time to look, & when I do get time
> to get back to it, I'd be aiming at list freebsd-jail@freebsd.org
> not this general questions@ list.
>
> > Having said all of that, I'm curious to hear from some of you who may be
> > doing just this - are you running a FBSD server with some of your mission
> > critical services (Apache, Bind, DHCP, etc., etc.) within jails and how
> > do you like it versus running hundreds of VMs and VMWare?
>
> As a mere VM user & jail owner, I run those services on both a VM
> & a jail, they run functionally the same, except in jail I've had
> problems with chflags failing, & in jail I've had to take more care
> with ifconfig flags.
>
> A VM is a cleaner concept if one can spare the RAM. A jail is
> cheaper: less security, less flexibility (eg No linux jail in a
> FreeBSD prison), more efficiency of resources, thus cheaper. Both
> useful, Analogy: I also use both a car & a bike.
>
> > What type of services CAN be run from within a jail?
>
> Try it! All I guess, certainly inc. httpd ftpd sshd smtpd popd named sasld
> etc.
>
> > Thank you,
> > Ed
>
> Cheers,
> Julian
> --
> Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
> Interleave replies below like a play script. Indent old text with "> ".
> Google breach privacy http://berklix.com/jhs/adverts/