[HCoop-Discuss] Our ideal architecture?

David Snider david at davidsnider.net
Tue Jun 2 16:46:00 EDT 2009


Sorry, by sandboxing I mean being able to apply a kernel patch on one
server without applying it to all servers. Can you do that?

On Tue, 2 Jun 2009 13:42:41 -0700, Daniel Margolis <dan at af0.net> wrote:
> It doesn't eliminate sandboxing. The sandboxing is just done at a
> different level (i.e., the kernel enforces sandboxing at the syscall
> level, vs. having multiple kernels and having the sandboxing enforced
> in the hypervisor). Jails are an effective security mechanism.
> 
> That said, I think Xen provides a more desirable abstraction layer, but
> I'm not an expert at this.
> 
> On Tue, Jun 2, 2009 at 11:28 AM, David Snider <david at davidsnider.net>
> wrote:
> 
>> It looks like OpenVZ has managed to make this not as much of a problem.
>> This is still a problem with FreeBSD jails though. It does have
>> per-server CPU\Memory\IO quotas. You still have the disadvantage of
>> having all servers run the exact same OS w\ Kernel patch which seems to
>> eliminate sandboxing.
>>
>> On Tue, 02 Jun 2009 13:42:23 -0400, Adam Chlipala <adamc at hcoop.net>
>> wrote:
>> > David Snider wrote:
>> >> Operating System Level Virtualization: (Ex. OpenVZ, FreeBSD Jails,
>> >> Solaris Containers) The name "jail" that FreeBSD uses makes it pretty
>> >> clear what this does. Each server shares an underlying operating
>> >> system but it is partitioned in such a way to make it look and feel
>> >> like it is on its own server. The advantage to this is that you don't
>> >> have to duplicate a lot of commonly shared resources. The disadvantage
>> >> is that it is difficult to control individual utilization of each
>> >> server. (I.e. if your web server is getting hammered, your mail
>> >> server's performance suffers too.)
>> >>
>> >
>> > This last disadvantage, if accurate, kills the attractiveness of the
>> > approach for me. docelic, do you agree that OpenVZ has this problem?
>> > If so, why do you think OpenVZ would still be a good choice for us?
>> >
>> > _______________________________________________
>> > HCoop-Discuss mailing list
>> > HCoop-Discuss at lists.hcoop.net
>> > https://lists.hcoop.net/listinfo/hcoop-discuss
>>
>>
