[nycbug-talk] Jail Performance

Sunny Dubey sunny-ml
Wed Jan 5 09:25:13 EST 2005


On Tuesday 04 January 2005 22:54, Pete Wright wrote:
> Hey nycbugers,
> 	I've been kicking around some ideas regarding jailing
> in an "enterprise" environment.  While jails do have the obvious
> benefit of added security; one thing that interests me are the
> possibilities of using jails to assist with server and app.
> management in distributed environments.  The basic idea I am
> thinking of is creating jails for specific applications that
> get loaded to a farm of servers via PXE-TFTP.  One would netboot
> a server, and then dist a jail to that system after boot.

I have to admit, I don't see the security behind a single jail solution.  If I 
need to run httpd/maild/something-d whatever I run is going to touch XYZ.  
(In this case XYZ can be sensitive data, databases, etc).  Theoretically I 
already have a security issue by running whatever service/daemon/app.

The OS becomes nothing more than a management tool that provides for me to 
admin, provides the computing needed by whatever app, and the OS itself 
becomes a security risk.  That being said the host-OS must provide for the 
jail-OS which in turn provides for the app.  Each time you add an OS into the 
picture, I would assume it is another security risk.

(I'm thinking of data security greatly here, heh)

> Seems 
> simple enough...but what about performance.  Has anyone noticed
> any significant performance bottlenecks w/in jails.  I would not
> expect any, and have not seen any either.  But maybe there is
> something I'm missing?

The only bottleneck would be I/O and physical devices (hard drives).  But if 
you are only running one jail, then you have little to worry about.  Just 
remember to change the times the daily cron scripts run on the host and jail.  
It can become super painful and ugly when you have multiple cpu/io-intensive 
cron scripts running at the same time, heh

Sunny Dubey
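A small check for the cron-collision point at the end of the reply, added here as an example and not part of the original post: it scans host and jail crontabs and flags "periodic daily" entries scheduled at the same minute. The three crontab files are constructed samples standing in for /etc/crontab on the host and etc/crontab under each jail root (the 03:01 slot is the FreeBSD default); the function names are my own.

```sh
#!/bin/sh
# Constructed sample crontabs: a host and two jails.  host and jail1 both
# keep the FreeBSD default 'periodic daily' slot (3:01); jail2 was staggered.
# Assumption: on a real system these are /etc/crontab and <jailroot>/etc/crontab.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/host.crontab" <<'EOF'
# /etc/crontab (host)
1   3   *   *   *   root    periodic daily
15  4   *   *   6   root    periodic weekly
EOF
cat > "$WORK/jail1.crontab" <<'EOF'
1   3   *   *   *   root    periodic daily
EOF
cat > "$WORK/jail2.crontab" <<'EOF'
31  3   *   *   *   root    periodic daily
EOF

# Print "HH:MM file" for every non-comment 'periodic daily' entry in each crontab.
daily_slots() {
    for f in "$@"; do
        awk -v src="$f" '
            $1 !~ /^#/ && /periodic[ \t]+daily/ { printf "%02d:%02d %s\n", $2, $1, src }
        ' "$f"
    done
}

# Report slots used by more than one crontab; exit status 1 if any collide.
find_collisions() {
    daily_slots "$@" | sort | awk '
        { files[$1] = files[$1] " " $2; n[$1]++ }
        END {
            rc = 0
            for (s in n) if (n[s] > 1) { rc = 1; print "collision at " s ":" files[s] }
            exit rc
        }
    '
}

# Stand-alone run over the sample files; a collision is expected here.
find_collisions "$WORK"/*.crontab || echo "stagger the daily slot in the flagged crontabs"
```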