I have a 5.4-S box running apache2 that's serving data from mysql running on the same box. I'm thinking about putting both in separate jails, partly for security and partly for practice. Would this impact network performance between the two? Currently the mysql connection is using localhost which I understand to be faster than a network socket. Does jail-to-jail traffic use the same mechanism? or something else? Thanks
Brandon Fosdick wrote:
> I have a 5.4-S box running apache2 that's serving data from mysql running on the same box. I'm thinking about putting both in separate jails, partly for security and partly for practice. Would this impact network performance between the two? Currently the mysql connection is using localhost which I understand to be faster than a network socket. Does jail-to-jail traffic use the same mechanism? or something else?

In MySQL 'localhost' is a hard-wired shortcut that uses domain sockets instead of TCP sockets. Since domain sockets live in the namespace of a filesystem this requires that both server and client have access to the same filesystem. Now, for security reasons jails normally are confined in separate filesystems, or at least in separate parts of a common one. So in case of MySQL you would have to use TCP sockets to communicate between jails. This socket type typically consumes more CPU because of TCP's protocol overhead. However, whether you would actually notice any difference in speed basically depends on how much excess CPU power there is available on that server.

Uwe
--
Uwe Doering | EscapeBox - Managed On-Demand UNIX Servers
gemini@geminix.org | http://www.escapebox.net
On Sun, 25 Sep 2005, Brandon Fosdick wrote:
> Robert Watson wrote:
>> There are several ways you can do it, but they generally fall into two
>> classes of activities:
>>
>> (1) Modifying the name space exclusion assumption for jails, so that the
>> file system name spaces overlap. One way to do this is with nullfs.
>>
>> (2) Having a daemon or tool that runs outside of the jail and brokers
>> communication between the jails. One example might be a daemon that
>> inserts a UNIX domain socket into both jails and then provides
>> references to shared IPC objects between the two "by request".
>> Another example might be a daemon or tool that responds to a request
>> and creates a hard link from a socket/fifo endpoint visible in one
>> jail to a name visible in another jail, perhaps when setting up the
>> jail. The former requires more infrastructure, but the latter is less
>> flexible.
>
> The jail(8) man page says that if the MIB
> security.jail.sysvipc_allowed=1 processes inside a jail can use IPC to
> talk to stuff in other jails. How does that affect mysql in a jail? Do I
> need this enabled to run mysql?

Last I checked, MySQL used solely TCP and UNIX domain sockets for communication, and not System V IPC. I believe PostgreSQL, however, used System V IPC.

Robert N M Watson
Robert Watson wrote:
> Last I checked, MySQL used solely TCP and UNIX domain sockets for
> communication, and not System V IPC. I believe PostgreSQL, however,
> used System V IPC.

For some reason I was thinking that domain sockets and System V IPC were the same thing. Now I know better. Thanks.
Ok, here's what I've decided. But first, thanks for all of the help.

Currently the MySQL databases are on a separate RAID volume, and I'd like to keep it that way for performance purposes. In general I want to avoid putting anything on the raid that isn't a database. I don't want the raid volume to get hit for both database access and regular httpd/system use. In order to make a hardlink to the mysql socket it would have to be on the same volume as the httpd jail, which would then mean both jails have to be on the raid volume, which is what I want to avoid. However, if mysql isn't jailed it has access to both system and raid volumes and can put its socket someplace accessible to the httpd jail. Since I've already set mysql to only accept domain socket connections I can probably get away without putting it in a jail. So I've decided to jail httpd and friends and leave mysql running in the host environment.

I would have liked to use Robert Watson's suggested socket brokering daemon, and I stumbled on socat which appears to do the trick. But as far as I can tell socat just copies between two sockets, which seems like it might have performance issues. Albeit less so than using TCP sockets. Ideally I would like a daemon like socat that can connect/merge two sockets into one, effectively creating a direct connection and eliminating a copy. But AFAICT that isn't possible with the current interface. I don't know enough about the kernel to know if such a thing is even possible, but intuitively it seems like it should be. If somebody were to make socket merging possible, or tell me how to do it, I would be happy to write the daemon to make use of it. Until then I'm using an unjailed mysql.

Thanks for the help.
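The "socket merging" the last post asks for is, in effect, what Robert Watson's first variant of option (2) describes: a broker outside the jail opens the connection to mysqld's socket itself and then hands the connected descriptor to the jailed client over a UNIX domain socket (SCM_RIGHTS). After the hand-off the broker is out of the data path, so unlike a socat-style relay nothing is copied twice. The following is an added, self-contained illustration written for this thread, not code from the thread or from any FreeBSD or MySQL component: the "mysqld" is a constructed upper-casing echo server, the paths live in a temporary directory, and the broker socket path, the CONNECT request string and the function names are all assumptions of the demo.

```python
import array
import os
import socket
import tempfile
import threading

# Assumed paths for the demo only. In a real deployment SERVER_PATH would be
# mysqld's own socket on the host, and BROKER_PATH would be created by the
# host process at a location visible inside the httpd jail's root.
TMPDIR = tempfile.mkdtemp()
SERVER_PATH = os.path.join(TMPDIR, "mysql.sock")   # stand-in for mysqld's socket
BROKER_PATH = os.path.join(TMPDIR, "broker.sock")  # the only path the jail sees


def send_fd(sock, fd):
    """Pass one open descriptor over a UNIX domain socket using SCM_RIGHTS."""
    sock.sendmsg([b"F"],
                 [(socket.SOL_SOCKET, socket.SCM_RIGHTS, array.array("i", [fd]))])


def recv_fd(sock):
    """Receive one descriptor sent with send_fd(); returns the local fd number."""
    fds = array.array("i")
    msg, ancdata, _flags, _addr = sock.recvmsg(1, socket.CMSG_SPACE(fds.itemsize))
    for level, ctype, data in ancdata:
        if level == socket.SOL_SOCKET and ctype == socket.SCM_RIGHTS:
            # Truncate to whole ints in case the kernel padded the payload.
            fds.frombytes(data[: len(data) - (len(data) % fds.itemsize)])
    if msg != b"F" or len(fds) != 1:
        raise RuntimeError("broker did not hand over exactly one descriptor")
    return fds[0]


def serve_one(listener):
    """Constructed stand-in for mysqld: accept one client, upper-case its bytes."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(conn.recv(1024).upper())


def broker_one(listener):
    """Host-side broker: on a CONNECT request, connect to the server on the
    requester's behalf and hand over the connected descriptor."""
    req, _ = listener.accept()
    with req:
        if req.recv(16) != b"CONNECT":
            return
        upstream = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        upstream.connect(SERVER_PATH)
        send_fd(req, upstream.fileno())
        upstream.close()  # broker drops its copy; it never relays any data


def jailed_client(payload):
    """Client that can only reach BROKER_PATH: ask for a descriptor, then talk
    to the server directly on it."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as ctl:
        ctl.connect(BROKER_PATH)
        ctl.sendall(b"CONNECT")
        fd = recv_fd(ctl)
    with socket.socket(fileno=fd) as direct:  # wraps the received fd, owns it
        direct.sendall(payload)
        return direct.recv(1024)


def run_demo(payload=b"select 1"):
    """Wire up server, broker and client in one process; return the reply."""
    server = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    server.settimeout(5)
    server.bind(SERVER_PATH)
    server.listen(1)
    broker = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    broker.settimeout(5)
    broker.bind(BROKER_PATH)
    broker.listen(1)
    threads = [threading.Thread(target=serve_one, args=(server,)),
               threading.Thread(target=broker_one, args=(broker,))]
    for t in threads:
        t.start()
    try:
        return jailed_client(payload)
    finally:
        for t in threads:
            t.join()
        server.close()
        broker.close()
        os.unlink(SERVER_PATH)
        os.unlink(BROKER_PATH)


if __name__ == "__main__":
    print(run_demo(b"select 1"))
```

Two caveats a practitioner would check before relying on this. First, the broker as written connects for anyone who can open BROKER_PATH, which is equivalent to exposing mysqld's socket to the whole jail; a real broker should at least check the requester's credentials on the control socket (LOCAL_PEERCRED on FreeBSD, SO_PEERCRED on Linux) and decide per request. Second, the demo assumes that a jailed process may keep using a descriptor it received even though it could never have connected to SERVER_PATH by name; that is the usual descriptor semantics, but it is worth confirming on the specific FreeBSD release and jail configuration in use rather than taking it from this example.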