Date:      Tue, 27 Nov 2001 01:58:25 +0300 (MSK)
From:      "."@babolo.ru
To:        part_lion@hotmail.com (Joesh Juphland)
Cc:        hackers@FreeBSD.ORG
Subject:   Re: compare and contrast vmware and jail ?
Message-ID:  <200111262258.BAA06510@aaz.links.ru>
In-Reply-To: <F183jKoMFYsDSzhxRz300010a60@hotmail.com> from "Joesh Juphland" at "Nov 26, 1 02:11:42 pm"

Joesh Juphland writes:
> I am going to be setting up four freeBSD servers as a test environment - 
> they need to be totally isolated machines.  However, I would like to see if 
> I can do all of this on one server.  The choice that comes to mind 
> immediately is vmware, but since I am required to use all freeBSD, I would 
> be using vmware via linux compatibility mode, which is somewhat slower than 
> native vmware on linux.
Linux compatibility mode is not a performance loss;
I have seen reports where Linux binaries run faster
under FreeBSD's compatibility mode than on Linux with
the same hardware.

I am using jail intensively on about 10 of my servers, for example:
0grimble~(2)>ps -ax | grep J | wc
     101     627    5024

but I do not use vmware, and I know why.

> I have two specific questions:
> 
> 1. Is jail ready for prime time ?  that is, taking into account stability, 
> performance, and _security_, would you feel comfortable running multiple 
> servers on a single machine where the relative contents of the machines were 
> sensitive (in terms of performance and security) ?
performance: OK
stability: OK after tuning
security: not ideal, but the best I know of.

> 2. Any comments on the differences between using vmware and jail ?  Why 
> would I choose vmware over jail ?  Does jail offer the same memory usage 
> guarantees, etc. ?
vmware has a performance loss no matter what the host OS is.
The reason is that some CPU commands are emulated,
each vmware instance has its own copy of a running OS, and resource
management in this case is highly non-optimal.
But you can use different OSes simultaneously.

Jail shares the same kernel and resources
between processes as if without jail.

You can't start a service in vmware without a full enough
set of software in it. For example, it is almost impossible
to start a service in vmware without having a shell in it.

A jailed service can be started with only the executable
in it (statically linked).
I usually copy a minimal set from the base system to the jail,
and this set does not include any shell.
This way I was rescued from the vulnerability to a stack
overflow in some version of bind - I had some servers
with this hole, and none of the attempts to execute
/bin/sh using the stack overflow were successful.
Starting such a daemon in vmware does not rescue the
server from hacks via security holes.

> Any thoughts  /  comments on vmware vs. jail, and the viability of using 
> jail on a multi-system system are appreciated.
In short: vmware is not a way to start any service
if that service can execute on the host system.

PS Sorry, my English is bad enough.

-- 
@BABOLO      http://links.ru/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200111262258.BAA06510>
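The minimal jail the reply describes (one statically linked daemon, no shell, started directly by jail(8)), written out as an added example that is not part of the original mail or of FreeBSD's own tooling. The daemon name, the jail path, the hostname and the address are illustrative assumptions; the audit step is added so that the absence of a shell and of dynamically linked executables is checked before the jail is started rather than taken on faith. jail(8) itself exists only on FreeBSD, so only the build and audit functions are exercised elsewhere.

```shell
#!/bin/sh
# Added example (not from the original mail): build a minimal jail root
# holding one statically linked daemon and nothing else, audit it, and
# start it with jail(8). Paths, daemon and addresses are illustrative.

# Shells that a stack-overflow payload typically tries to execve.
# The whole point of the minimal root is that none of them is present.
SHELLS="bin/sh bin/csh bin/tcsh usr/local/bin/bash usr/local/bin/zsh"

# build_minimal_jail ROOT DAEMON
# Copies only the daemon executable into ROOT and creates the few
# directories a daemon usually expects. No /bin, no /lib, no shell, so
# the daemon must be statically linked: nothing is there to load shared
# libraries. Its configuration is assumed to be copied in separately.
build_minimal_jail() {
    root=$1
    daemon=$2
    mkdir -p "$root/sbin" "$root/etc" "$root/var/run" "$root/dev"
    cp "$daemon" "$root/sbin/"
    chmod 0555 "$root/sbin/$(basename "$daemon")"
}

# audit_jail_root ROOT
# Returns 0 if ROOT contains no shell and no dynamically linked
# executable, 1 otherwise, printing each finding.
audit_jail_root() {
    root=$1
    rc=0
    for s in $SHELLS; do
        if [ -e "$root/$s" ]; then
            echo "FAIL: shell present: /$s"
            rc=1
        fi
    done
    # The runtime loader is only needed by dynamic binaries; if it was
    # copied in, the root is already bigger than it has to be.
    if [ -e "$root/libexec/ld-elf.so.1" ]; then
        echo "FAIL: runtime loader /libexec/ld-elf.so.1 present"
        rc=1
    fi
    # A dynamically linked FreeBSD executable carries the interpreter
    # path /libexec/ld-elf.so.1 in its PT_INTERP header; a statically
    # linked one has no such string. Flag every executable that has it.
    dyn=$(find "$root" -type f -perm -u+x -exec grep -l 'ld-elf\.so' {} + 2>/dev/null)
    if [ -n "$dyn" ]; then
        echo "FAIL: dynamically linked executables in jail root:"
        echo "$dyn"
        rc=1
    fi
    return $rc
}

# start_jail ROOT HOSTNAME IP COMMAND [ARGS...]
# Runs the daemon directly as the jail's command (classic positional
# jail(8) syntax). With no shell in ROOT, a payload that overflows the
# daemon and tries to exec /bin/sh finds nothing to execute.
start_jail() {
    root=$1
    hostname=$2
    ip=$3
    shift 3
    jail "$root" "$hostname" "$ip" "$@"
}

# Usage on a FreeBSD host as root, assuming a statically linked named
# and its config already under ROOT/etc/namedb (both are assumptions):
#   build_minimal_jail /jails/ns /usr/obj/static/named
#   audit_jail_root /jails/ns && \
#       start_jail /jails/ns ns.example.org 192.0.2.10 \
#           /sbin/named -c /etc/namedb/named.conf
```

The audit treats the PT_INTERP string as the marker of a dynamic binary because that is what a statically linked executable lacks; it is a quick grep, not a substitute for `file(1)` or `readelf`, but it needs nothing outside the base system and catches the common mistake of copying the dynamically linked /usr/sbin binary instead of a static build.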