Joesh Juphland writes:

> I am going to be setting up four freeBSD servers as a test environment -
> they need to be totally isolated machines. However, I would like to see if
> I can do all of this on one server. The choice that comes to mind
> immediately is vmware, but since I am required to use all freeBSD, I would
> be using vmware via linux compatibility mode, which is somewhat slower than
> native vmware on linux.

Linux compatibility mode is not a performance loss; I have seen reports where Linux binaries run faster under FreeBSD's compatibility mode than on Linux on the same hardware.
I am using jail intensively on about 10 of my servers, for example:

    0grimble~(2)>ps -ax | grep J | wc
         101     627    5024

but I do not use vmware, and I know why.

> I have two specific questions:
>
> 1. Is jail ready for prime time ? that is, taking into account stability,
> performance, and _security_, would you feel comfortable running multiple
> servers on a single machine where the relative contents of the machines were
> sensitive (in terms of performance and security) ?

performance: OK
stability: OK after tuning
security: not ideal, but the best I know of.

> 2. Any comments on the differences between using vmware and jail ? Why
> would I choose vmware over jail ? Does jail offer the same memory usage
> guarantees, etc. ?

vmware has a performance loss no matter what the host OS is. The reason is that some CPU commands are emulated, each vmware instance has its own copy of a running OS, and resource management in this case is highly non-optimal. But you can use different OSes simultaneously.

Jail shares the same kernel and resources between processes as if there were no jail.

You can't start a service in vmware without a full enough set of software in it. For example, it is almost impossible to start a service in vmware without having a shell in it. A jailed service can be started with only the executable in it (statically linked). I usually copy a minimal set from the base system to the jail, and this set does not include any shell. This way I have been rescued from the stack overflow vulnerability in some version of bind: I had some servers with this hole, and none of the attempts to execute /bin/sh using the stack overflow were successful. Starting up such a daemon in vmware does not rescue the server from hacks via security holes.

> Any thoughts / comments on vmware vs. jail, and the viability of using
> jail on a multi-system system are appreciated.

In short: vmware is not the way to start any service if that service can execute on the host system.

PS Sorry, my English is bad enough.
-- 
@BABOLO http://links.ru/