
Re: [SAGE] JAILS (Re: Respondents needed for article on sysadminsurvival)



On Sun, 2004-01-18 at 18:59, Philip Brown wrote:
> so, conceptually, and disk space wise, identical to just taking a system
> snapshot of a normal system (eg flash archive), and installing to another
> system.

True, except that it's a bit faster.

> For same-system images, the difference with vmware vs other methods being
> that you're using double memory and disk space for everything, whereas with
> jails or zones, you get to have some amount of sharing for OS binaries, and
> core kernel driver memory

Yes.  On the flip side, though, you have better isolation of the
subsystem; enough that the subsystem need not have anything in common
with the host other than running the same CPU.  Depending on what you're
doing, you may be willing to pay the price of vmware's higher overhead
in order to be able to e.g. run a FreeBSD (or Windows, etc.) guest on a
Linux host, or run potentially insecure services with lower risk to the
host than with jails.  (See "or Windows" :)  And consider that either
the undo log or copying in a pristine disk image gives you a convenient
way to restore such a machine to a known-"clean" state, and the latter
lets you examine a compromised guest vm while it's disconnected from the
network (or completely offline; you can mount a vmware virtual disk
image on Linux).

-- 
brandon s. allbery    [linux,solaris,freebsd,perl]     allbery@kf8nh.com
system administrator      [WAY too many hats]        allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon univ.         KF8NH