[nycbug-talk] Jail Performance
sunny-ml at opencurve.org
Wed Jan 5 09:25:13 EST 2005
On Tuesday 04 January 2005 22:54, Pete Wright wrote:
> Hey nycbugers,
> I've been kicking around some ideas regarding jailing
> in an "enterprise" environment. While jails do have the obvious
> benefit of added security; one thing that interests me are the
> possibilities of using jails to assist with server and app.
> management in distributed environments. The basic idea I am
> thinking of is creating jails for specific applications that
> get loaded to a farm of servers via PXE-TFTP. One would netboot
> a server, and then dist a jail to that system after boot.
I have to admit, I don't see the security behind a single jail solution. If I
need to run httpd/maild/something-d whatever I run is going to touch XYZ.
(In this case XYZ can be sensitive data, databases, etc). Theoretically I
already have a security issue by running whatever service/daemon/app.
The OS becomes nothing more than a management tool that provides for me to
admin, provides the computing needed by whatever app, and the OS itself
becomes a security risk. That being said the host-OS must provide for the
jail-OS which in turn provides for the app. Each time you add an OS into the
picture, I would assume it is another security risk.
(I'm thinking of data security greatly here, heh)
> simple enough...but what about performance. Has anyone noticed
> any significant performance bottlenecks w/in jails. I would not
> expect any, and have not seen any either. But maybe there is
> something I'm missing?
The only bottleneck would be I/O and physical devices (hard drives). But if
you are only running one jail, then you have little to worry about. Just
remember to change the times the daily cron scripts run on the host and jail.
It can become super painful and ugly when you have multiple cpu/io-intensive
cron scripts running at the same time, heh