I'm thinking of using jails to improve security on a server I am setting up. Specifically, I would like to put Apache/PHP in a jail, but I might like to set up 2-3 different jails for different purposes. I've found several examples showing how to set the jails up. My questions involve system requirements. Assuming plenty of disk space, 1GB ram and a dual processor PIII 1.13Ghz system, how many jails can I run? Would I notice a significant performance hit if, for example, I run three jails?

On Thu, Jul 10, 2003 at 04:48:21PM -0400, V. Jones wrote:
> I've found several examples showing how to set the jails up.
> My questions involve system requirements. Assuming plenty of
> disk space, 1GB ram and a dual processor PIII 1.13Ghz system,
> how many jails can I run? Would I notice a significant
> performance hit if, for example, I run three jails?

I haven't noticed performance degradation, but my jails aren't doing much. There are several providers selling jail-based virtual servers. I didn't consult the source, but my understanding is that a jail marks individual processes, so, e.g., if a jail runs just one process, that's the (operational, I don't know about startup) overhead for that jail.

--
Ng Pheng Siong <ngps@netmemetic.com>
http://firewall.rulemaker.net -+- Manage Your Firewall Rulebase Changes
http://www.post1.com/home/ngps -+- Open Source Python Crypto & SSL

V. Jones wrote:
> I'm thinking of using jails to improve security on a server
> I am setting up. Specifically, I would like to put Apache/PHP
> in a jail, but I might like to set up 2-3 different jails for
> different purposes.
>
> I've found several examples showing how to set the jails up.
> My questions involve system requirements. Assuming plenty of
> disk space, 1GB ram and a dual processor PIII 1.13Ghz system,
> how many jails can I run? Would I notice a significant
> performance hit if, for example, I run three jails?

Running processes in a jail just marks them as belonging to the respective jail, so they are restricted in what they can do to resources outside the scope of that jail. If you have 100 jails with one process each it is basically the same as if you had 100 processes running in a non-jail environment. There is, of course, the slight overhead of the jail(2) system call, but if you don't start new jails all the time you won't notice that at all.

So, as to server performance, it all depends on how many processes you have, and how much work they have to do. For the server there is no difference between jailed and non-jailed environments in this regard. The load will be the same.

Uwe
--
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org | http://www.escapebox.net
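
Added example, not part of the thread or any poster's message: since the replies say load follows the number of processes rather than the number of jails, this sketch tallies process count and resident memory per jail ID. It assumes input in the format of FreeBSD `ps -axo jid,rss,comm`; the function names `jail_load` and `sample_ps` are hypothetical and the sample rows are constructed.

```shell
#!/bin/sh
# Added example: per-jail process and memory tally.
# Assumed input: FreeBSD `ps -axo jid,rss,comm` (header + one row per process).
# JID 0 means the process runs on the host, outside any jail.

jail_load() {
    # Skip the header, then count processes and sum RSS (KB) for each JID.
    # Output columns: JID  process-count  total-RSS-KB, sorted by JID.
    awk 'NR > 1 && $1 ~ /^[0-9]+$/ {
             n[$1]++
             rss[$1] += $2
         }
         END {
             for (j in n) printf "%d %d %d\n", j, n[j], rss[j]
         }' | sort -n
}

# Constructed sample: host processes plus three jails
# (web server, DNS, database), standing in for real ps output.
sample_ps() {
    cat <<'EOF'
 JID   RSS COMMAND
   0  1200 init
   0  3400 sshd
   1 18000 httpd
   1 17500 httpd
   1 17900 httpd
   2  5200 named
   3  9100 postgres
   3  8800 postgres
EOF
}

# On a live FreeBSD host, replace sample_ps with: ps -axo jid,rss,comm
sample_ps | jail_load
```

A jail that accounts for most of the rows or most of the RSS is where the load comes from; a jail with a single idle process adds only that process.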