Originally posted by oiaohm
You can be critical of Jails.. but remember Jails invented the idea and inspired Zones 20 years ago. The purpose of Jails and Zones is different from that of Linux cgroups. The intention for Jails wasn't virtualization as much as it was security. Hence the name, Jail.. and yes.. it started out with a lot of incomplete parts. I believe FreeBSD 10 finally isolated System V IPC, and FreeBSD 11 finally isolated the network stack, making it a mostly feature-complete implementation now. You can say this development was slow.. but containers weren't really very popular till recent times too, so.. they were far ahead of the curve in a world where most people were doing hardware-based virtualization to solve this problem.
Before Jails was chroot (if this counts); its main goal was probably ease of development. (So it shares that with Docker and Linux, and thus shares the security shortcomings.)
Sun, inspired by Jails, created Zones and engineered it from the ground up to be full isolation for security. They did this to sell big iron and do multi-tenant. Memory isolation is intentional due to the goal being security. Although I don't even know if that is true; in the case of shared libraries they may in fact not be duplicated, and a jail doesn't appear to take any memory.. and if it does it's very small (like kB small). Personally I put 6 jails on a host with 1024 megs of RAM, each running services, and it still had 50% to spare. There was no difference in memory usage from running those same processes on the host. Jails are a lot of things.. slow and bloated they are not. They are extremely thin compared to hardware-based virtualization.
KVM is never faster; two OSes are never faster than one. The idea that it can be is absurd. OS-level virtualization is always going to be faster.
All of this really highlights the major single biting problem with Linux: it evolves with small chunks of stuff cobbled together to make larger constructs. It isn't designed, by and large, like FreeBSD, Solaris or Redox, because nobody is in control leading engineering projects. They just throw stuff at the wall, and that is why you get cgroups/namespaces being called a "container", or btrfs as opposed to ZFS, or systemd as opposed to launchd. That model works clearly if you want to get something easy done fast.. but when you get to hard topics like containers or filesystems or process accounting it falls apart and NEEDS engineering.