[HCoop-Discuss] Our ideal architecture?
Daniel Margolis
dan at af0.net
Tue Jun 2 16:57:52 EDT 2009
With FreeBSD jails, there's only one kernel. In UML, the guest has its own
kernel. OpenVZ looks to have a single shared kernel.
On Tue, Jun 2, 2009 at 1:46 PM, David Snider <david at davidsnider.net> wrote:
> Sorry, by sandboxing I mean being able to apply a kernel patch on one
> server without applying it to all servers. Can you do that?
>
> On Tue, 2 Jun 2009 13:42:41 -0700, Daniel Margolis <dan at af0.net> wrote:
> > It doesn't eliminate sandboxing. The sandboxing is just done at a
> > different level (i.e., the kernel enforces sandboxing at the syscall
> > level, vs. having multiple kernels and having the sandboxing enforced
> > in the hypervisor). Jails are an effective security mechanism.
> >
> > That said, I think Xen provides a more desirable abstraction layer, but
> > I'm not an expert at this.
> > On Tue, Jun 2, 2009 at 11:28 AM, David Snider <david at davidsnider.net> wrote:
> >
> >> It looks like OpenVZ has managed to make this not as much of a problem.
> >> This is still a problem with FreeBSD jails though. It does have
> >> per-server CPU\Memory\IO quotas. You still have the disadvantage of
> >> having all servers run the exact same OS w\ Kernel patch which seems to
> >> eliminate sandboxing.
> >>
> >> On Tue, 02 Jun 2009 13:42:23 -0400, Adam Chlipala <adamc at hcoop.net> wrote:
> >> > David Snider wrote:
> >> >> Operating System Level Virtualization: (Ex. OpenVZ, FreeBSD Jails,
> >> >> Solaris Containers) The name "jail" that FreeBSD uses makes it pretty
> >> >> clear what this does. Each server shares an underlying operating
> >> >> system, but it is partitioned in such a way as to make it look and
> >> >> feel like it is on its own server. The advantage to this is that you
> >> >> don't have to duplicate a lot of commonly shared resources. The
> >> >> disadvantage is that it is difficult to control individual
> >> >> utilization of each server. (I.e., if your web server is getting
> >> >> hammered, your mail server's performance suffers too.)
> >> >>
> >> >
> >> > This last disadvantage, if accurate, kills the attractiveness of the
> >> > approach for me. docelic, do you agree that OpenVZ has this problem?
> >> > If so, why do you think OpenVZ would still be a good choice for us?
> >> >
> >> > _______________________________________________
> >> > HCoop-Discuss mailing list
> >> > HCoop-Discuss at lists.hcoop.net
> >> > https://lists.hcoop.net/listinfo/hcoop-discuss