From owner-freebsd-security@FreeBSD.ORG Fri Jul 11 00:57:35 2003
Message-ID: <3F0E6DE6.90605@geminix.org>
Date: Fri, 11 Jul 2003 09:57:26 +0200
From: Uwe Doering
Organization: Private UNIX Site
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20030701
To: "V. Jones"
cc: freebsd-security@freebsd.org
In-Reply-To: <1007042.1057880975396.JavaMail.nobody@kermit.psp.pas.earthlink.net>
Subject: Re: jail performance questions
List-Id: Security issues [members-only posting]

V. Jones wrote:
> I'm thinking of using jails to improve security on a server
> I am setting up. Specifically, I would like to put Apache/PHP
> in a jail, but I might like to set up 2-3 different jails for
> different purposes.
>
> I've found several examples showing how to set the jails up.
> My questions involve system requirements. Assuming plenty of
> disk space, 1GB ram and a dual processor PIII 1.13Ghz system,
> how many jails can I run? Would I notice a significant
> performance hit if, for example, I run three jails?

Running processes in a jail just marks them as belonging to the respective jail, so they are restricted in what they can do to resources outside the scope of that jail. If you have 100 jails with one process each it is basically the same as if you had 100 processes running in a non-jail environment. There is, of course, the slight overhead of the jail(2) system call, but if you don't start new jails all the time you won't notice that at all.

So, as to server performance, it all depends on how many processes you have, and how much work they have to do. For the server there is no difference between jailed and non-jailed environments in this regard. The load will be the same.

   Uwe
--
Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org  |  http://www.escapebox.net