On Tuesday, 19 May 2020, 03:15:53 CEST, Greg A. Woods wrote:

> (and what always dominates performance? I/O dominates!)

Like all parameters, I/O is just one of them. If I/O were really everything, VMware ESX would not exist anymore... ;)

Don't get me wrong: I/O is "primary" for me in most of my setups too, but in practice I see many different approaches to avoiding bottlenecks in full virtualization too, where other parameters seem more important (e.g. the argument "RAM costs nothing", etc.).

> (Other studies I've scanned suggest there is even less performance
> difference than most people seem to assume must be there.)
>
> I still think the security and complexity issues with containers, are a
> very much bigger concern than the pure efficiency losses of running full
> VMs.

This is, from my point of view, a somewhat outdated view, because of recent developments. For example, a well-known developer company behind an even better-known "blogging" software (LAMP stack) isolates each instance of their software installation into LXC containers (their principle would work similarly with jails, or even better). They have millions of users today (meaning millions of containers), with up to tens of thousands on single machines (bound to private LAN IPs behind NAT and/or proxying / load balancing). This allows them to provide a relatively "insecure" software setup (customers can install "potentially dangerous" third-party plugins etc., while most "accidents" can't leave the "container", and the customer can easily restart (reset) his container, etc.). The container around it is an "integral" part of the security concept of the software.

Sure, theoretically this could be done with Xen PV too (with a lot of trickery just to get near the same footprint size ballpark) or with "cheap single computers", but in practice this results in much more overhead in different resources (including development resources, boot time, not only hardware, etc.). Curiously, most community users of that software don't use that level of isolation in shared hosting setups of that software (which makes them beloved attack vectors out there...).

I have worked with Xen since very early versions and still use it (PV etc.), with "containers" on top (jails would be nice), as with NetBSD.

I would switch more setups over to NetBSD if jails were available, because I still prefer NetBSD over FreeBSD on such servers, as it is more Xen (PV) "friendly" overall.

niels.

-- 
---
Niels Dettenbach
Syndicat IT & Internet
http://www.syndicat.com
PGP: https://syndicat.com/pub_key.asc
---