From: Adam Vande More
To: mailinglistmember@mgwigglesworth.net
Cc: freebsd-questions@freebsd.org
Date: Fri, 31 Dec 2010 20:52:53 -0600
Subject: Re: How can I implement true vps with FreeBSD as a host?
In-Reply-To: <4D1E9120.1070604@mgwigglesworth.net>

On Fri, Dec 31, 2010 at 8:27 PM, Martes G Wigglesworth <mailinglistmember@mgwigglesworth.net> wrote:
>
> On 12/31/2010 08:04 PM, Da Rock wrote:
>
>> Depends on what you mean by 'fair'. I think you can now determine CPU
>> usage in jails, even allocate cores. I think the man pages can tell you more
>> about that, and the docs on freebsd.org. You can unmask some devices
>> within the jail and allow only certain jails and users to access it. And
>> finally I think you can jail a jail now, so that might be useful, especially
>> in CPU allocation.
>>
>
> I was thinking about possible DoS issues with memory management; however, I
> have not read far enough into the Jails docs to find out if there is
> anything new in this arena. I was actually considering the security aspects
> of memory overflows, etc....

That's why you should read the link I posted, which is the current plan of action to allow jail resource limiting. It's simply not possible currently. There were a couple of different patches for this functionality for the 7.x series, but they aren't supported officially (see the jails wiki for more info). You also have to worry about IO and CPU starvation from runaway processes/attacks as well. CPU issues can be mitigated with cpuset(1) and jails, but you have no way to control IO other than renice(8). Xen gives similar CPU ability plus an IO bandwidth feature. Virtualbox 4 has an SMP CPU assignment feature and a new IO bandwidth limiter, but is not in ports yet.
So as already said, if FreeBSD is your host, Virtualbox is your only choice (qemu doesn't count for performance reasons). If Virtualbox does not meet your needs, you'll have to find another OS, as jails don't provide the isolation you'll need.

-- 
Adam Vande More