On 4/13/21 11:48 AM, Roberto Ragusa wrote:
On 4/10/21 6:13 PM, Nicolas Kovacs wrote:
I'd be curious to have your input, since I'm fairly new to this sort
of approach.
I would only separate things that for some reasons are "dirty", e.g.
require non packaged
installation.
All the rest (like bind, postfix, dovecot) can happily live in the same
machine.
Splitting things too much will increase the maintenance effort, every
stupid detail
like new kernel installation, clock syncing, log rotation, security
patching, etc.
gets duplicated. Not to mention the need to now maintain a network
connecting the pieces.
This is where what I do in jails on FreeBSD is different from what you
describe. All jails in FreeBSD have same base system. Thus, no extra
overhead for base system: it is updated for all jails in a single go.
Separate jails have only what is necessary for particular jail.
Therefore, I only put in the same jail "inseparable things (e.g. mailman
has to have web interface and postfix or sendmail, so this is minimal
sufficient bundle that has to be together). Services that do not have to
live in the same jail run in different jails. The separation of services
into different jails brings a lot of convenience:
1. If service "a" has to be worked on, only other services living in the
same jail may potentially be affected, nothing else
2. If service "a" and service "b" need incompatible dependencies, there
is no problem when they run in different jails
3. If you do upgrade (as in upgrade of base system), you can upgrade one
jail at a time, hence it is much smaller set of things that has to be
dealt with as a result of upgrade; the last helps to diminish downtime
of every service caused by upgrade
4. Suppose you have compromise (no one is guaranteed from that), that
came through some service, but then only that jail is affected, no mess
bad guys can do to other services.
5. And one more important thing: base system in jail is mounted
read-only: any mess due to compromise does not affect base system of
jail (any one of jails)
And the list can continue.
I hope, experts in Linux virtualization will chime in and outline how
similar (common for all virtual systems read-only base, etc) can be done
with one of Linux virtualization solutions, because I'm certain in must
be possible. And I for one would love to learn about that.
I hope, this helps.
Valeri
Same considerations when using containers instead of VMs, you only gain
some performance
by not dragging entire kernels for each service.
Start by isolating the service that is giving you most troubles.
Then with a bit of experience, you can evaluate if proceeding along that
road.
Best regards.
--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
