Message-Id: <201404222302.s3MN2brb059084@fire.js.berklix.net>
To: "edflecko ." <edflecko@gmail.com>
Subject: Re: FBSD jail versus VMWare? What services do YOU run in a jail?
From: "Julian H. Stacey" <jhs@berklix.com>
Organization: http://berklix.com BSD Unix Linux Consultants, Munich Germany
User-agent: EXMH on FreeBSD http://berklix.com/free/
X-URL: http://www.berklix.com
In-reply-to: Your message "Tue, 22 Apr 2014 14:47:45 -0700."
 <CAFS4T6apJ30_WPrV3-azuwr5LHFE8htEk5a_xqe7DRZ7Wy5XqQ@mail.gmail.com>
Date: Wed, 23 Apr 2014 01:02:37 +0200
Cc: freebsd-questions@freebsd.org

"edflecko ." wrote:
> I'm really interested in the comparison of using a FBSD jail rather than
> VMWare in the context of virtualization.
> 
> At my business, we heavily use VMWare - you might say we consider ourselves
> a VMWare "shop". 99% of our servers are virtualized.
> 
> I've heard that it's possible to run hundreds, if not thousands, of
> services in FBSD jails on a given host server because of the sharing of
> resources that all of your jails take advantage of.

Yes, lots.
(If you really try a thousand, avoid a class C net interface though ;-)

> If I understand that
> correctly, that's one of the HUGE advantages of running services in jails

Yes

> as opposed to creating VM after VM after VM - each VM eats up disk space on
> the SAN as well as memory resources, etc. 

Yes.
Maybe if the prison (parent) host runs ZFS & there's sparse file detection
it could save space for (child) VMs & jails ? I don't know.


> Additionally, the jailed service
> is far better from a security perspective?

No. The opposite. I would expect a VM to be more secure.  I put my
finger on a security hole with jails last year, & raised it on a
freebsd list, it got considered, no solution, it'll be in archives,
but I can't remember detail, & no time to look, & when I do get time
to get back to it, I'd be aiming at list freebsd-jail@freebsd.org
not this general questions@ list.


> Having said all of that, I'm curious to hear from some of you who may be
> doing just this - are you running a FBSD server with some of your mission
> critical services (Apache, Bind, DHCP, etc., etc.) within jails and how do
> you like it versus running hundreds of VMs and VMWare?

As a mere VM user & jail owner, I run those services on both a VM
& a jail, they run functionally the same, except in jail I've had
problems with chflags failing, & in jail I've had to take more care
with ifconfig flags.

A VM is a cleaner concept if one can spare the RAM.  A jail is
cheaper: less security, less flexibility (e.g. no Linux jail in a
FreeBSD prison), more efficiency of resources, thus cheaper. Both
useful, Analogy: I also use both a car & a bike.


> What type of services CAN be run from within a jail?

Try it! All I guess, certainly inc. httpd ftpd sshd smtpd popd named sasld etc.

> Thank you,
> Ed

Cheers,
Julian
-- 
Julian Stacey, BSD Unix Linux C Sys Eng Consultant, Munich http://berklix.com
 Interleave replies below like a play script.  Indent old text with "> ".
	Google breach privacy http://berklix.com/jhs/adverts/