
RE: [SAGE] JAILS (Re: Respondents needed for article on sysadmin survival)



> > need can be built using a set of scripts. (Nothing new to this crowd.) For
> > example, currently I can build a complete mail system in a jail with spam
> > filtering and AV on a host server using:
> 
> Sounds like a case for vmware or other machine virtualization.

Most definitely. VMware is great for this kind of work as well. My example
here was specific to FreeBSD jails though.

> and virtual machines which cannot touch each other.
> 
> Chroot jails are as old as the sun (as is breaking out of them).
> Handy to slow generic errors, but a well planned attack with certain
> classes of bugs won't stop much.

Certainly. As you can see from my original post, however, I am speaking
merely of using jails as a management technique.

> Sounds like it could be run with depot or several other package
> installers.
> 
> How does that differ from:
> wget http://packageserver/sendmail.pkg
> pkgadd -d ./sendmail.pkg
> rm ./sendmail.pkg

A significant difference actually. This is like asking if there is a
difference between installing Postfix locally or installing it on a system
under VMware. With a FreeBSD jail I am able to maintain complete management
independence between services and packages. So if service X relies on a
certain version of a package, while service Y relies on another version, I
can reconcile that by using two jails on one server.

In addition, I can easily move a jail from one system to another. So if I
offer a client a jail to work in (perhaps running Tomcat, MySQL, and several
development packages) and I then decide to move her to another server, I can
just perform a 'scp -rp /her/jail newsvr:/her/new/jail' and I am essentially
done. Without the jail I would be forced to reinstall her software on the
new system. (And the newly installed software may require dependencies that
break other software.)

It's the same idea as VMware. You build a virtual machine and move it around
as needed instead of building "the machine".

> > I then just run the jail.
> 
> Then I just start the app...

I wonder now if we are talking about the same thing. I am not talking about
simply chrooting a service. I am speaking specifically about FreeBSD jails.
While I haven't used it, I think that user-mode Linux can offer something
very similar in the Linux world.

> > This description is very simplified, but that's the general idea, and it
> > works. With a combination of this and NFS I'm pretty much set.
> >
> > My technique is in no way original. I would like to see how others do it.
> 
> nothing about what you call "jails" sounds different than any app/package,
> but I assume you left out instance information.

No doubt.