[HCoop-Discuss] Our ideal architecture?

Daniel Margolis dan at af0.net
Tue Jun 2 16:42:41 EDT 2009


It doesn't eliminate sandboxing. The sandboxing is just done at a different
level (i.e., the kernel enforces sandboxing at the syscall level, vs. having
multiple kernels and having the sandboxing enforced in the hypervisor).
Jails are an effective security mechanism.

That said, I think Xen provides a more desirable abstraction layer, but I'm
not an expert at this.

On Tue, Jun 2, 2009 at 11:28 AM, David Snider <david at davidsnider.net> wrote:

> It looks like OpenVZ has managed to make this not as much of a problem.
> This is still a problem with FreeBSD jails though. It does have per-server
> CPU\Memory\IO quotas. You still have the disadvantage of having all servers
> run the exact same OS w\ Kernel patch which seems to eliminate sandboxing.
>
> On Tue, 02 Jun 2009 13:42:23 -0400, Adam Chlipala <adamc at hcoop.net> wrote:
> > David Snider wrote:
> >> Operating System Level Virtualization: (Ex. OpenVZ, FreeBSD Jails, Solaris
> >> Containers) The name "jail" that FreeBSD uses makes it pretty clear what
> >> this does. Each server shares an underlying operating system but it is
> >> partitioned in such a way to make it look and feel like it is on its own
> >> server. The advantage to this is that you don't have to duplicate a lot of
> >> commonly shared resources. The disadvantage is that it is difficult to
> >> control individual utilization of each server. (I.e., if your web server is
> >> getting hammered your mail server's performance suffers too.)
> >>
> >
> > This last disadvantage, if accurate, kills the attractiveness of the
> > approach for me.  docelic, do you agree that OpenVZ has this problem?
> > If so, why do you think OpenVZ would still be a good choice for us?