[nycbug-talk] shared hosting

alex at pilosoft.com alex
Wed Jan 26 19:08:57 EST 2005 

On Wed, 26 Jan 2005, Isaac Levy wrote:

> I don't mean to be confrontational with what folows, seeing as you and 
> I have a decent dialouge with some lively banter, but I gotta ask you 
> to put your money where your mouth is with XEN here man.

<snip>
> Question:
> 
> Sunny- for the purposes of the archive for this BSD oriented list, can
> you please explain *why* XEN is more powerful/flexible than jail(8)?
Apples and oranges. Xen runs another OS, jail restricts a "root" user to
less-than-root privileges in a single OS environment OS. Can't compare
that. If anything, it is like comparing separation offered by having 
multiple users to a separation offered by having multiple hosts.

> I'm not sure, but for a BSD based mailing list, I'd think that it should
> be clearly stated that you'd be running a NetBSD Virtual Machine image,
> running inside of XEN, on a Linux distro?
And why does it matter for you?

> - Does XEN support VM's of other OS's, or does only NetBSD fit the bill
> due to it's rep. for hardware compatability?  (i.e. to meet some funky
> stuff in the VM?)
XEN supports lots of things, including windows.

> - Are there any fundamental differences in how the VM accesses devices,
> memory, networking, etc... which is different than in jail(8)'ing or
> User Mode Linux (UML)?
Xen is *similar* to UML. Xen is also similar to vmware/bochs. Xen is
somewhere in the middle between vmware/bochs and UML - in other words,
explicit support for Xen is necessary for a 'guest OS' (like UML but not
like vmware) and explicit support for Xen is necessary for host (like 
vmware but not like UML). Those tradeoffs give Xen significant performance 
boost compared to either vmware or UML.

> - How long has XEN existed, and beyond the commercial backing, what kind
> of history does XEN have for stability and maturity in production-level
> environments, especially large-scale systems running on the public
> internet?
Meh. What kind of history does vmware or bochs have? apples to apples, 
please.

> jail(8) is fundamentally ridiculously simple by design, which I see as
> an important factor when working with the complexity which arises, in
> the context of virtualizing services as complex as Operating Systems.
And ridiculously insecure. If there is a kernel bug in host OS, very high
chance you can be bitten by it if are running in a jail(8). If there is 
local ddos exploit, you will be able to exploit it in jail(8). With Xen, 
to do that, you need to 1) find a bug in guest kernel that would allow you 
to execute code in Xen context 2) find a bug in Xen that would allow you 
to execute code in host context 3) find a bug in host kernel that would 
screw up the machine.

> How does XEN help an administrator manage the complexity, and how
> complex is the actual virtualization mechanism itself?  (i.e. is it a
> 'large' software like VMWare and the like? [I'm asking in the context of
> the relatively few lines of kernel code that make up the whole of
> Jail(8)])
You'd be surprised how many lines of kernel code actually deal with "root 
but not really superuser thanks to possibility of being in jail". It is 
not a few.

Again, apples and oranges. To virtualize a x86 processor takes lots of 
code.


-alex

More information about the talk mailing list