Mat,

To your points:

1) I found KVM performance acceptable with both Windows and Linux guests. We 
use virtio for both disks and networking and also added an SSD based ARC to 
help with IO throughput on our ZFS pool. I’d suggest giving it a try.
2) We never had the need to look into this. But you might want to check out 
whether there’s something suitable in pkgsrc (for an OS zone install). I’d 
expect your choices to be limited, though, as those firewall distributions that 
I recall come completely preconfigured - as an appliance.
3) LX zones get updates just like a normal Linux OS install via apt-get, 
yum, ... We haven’t had any issue with our CentOS and Ubuntu LX zones so far.

Peter

> On 16.01.2017 at 20:00, Mat Schreiber <[email protected]> wrote:
> 
> Hi Peter, hi Nahum,
> 
> thanks. Yes, that makes it clearer, in spite of the fact that it does not 
> make me happier.
> Yes, like Nahum mentioned, the appliance depends on iptables. So the LX brand 
> seems to be out.
> So I still have some questions which you could perhaps enlighten...
> 
> 1.) How bad is the performance of KVM really? I have a Quadcore Skylake 
> installed - do you think it's worth trying to install such a thing like that 
> Sophos Firewall in a KVM instance? (I just installed a Windows 8 KVM Zone - 
> and that performance is acceptable, but not more. It has quite a lot of lag)
> 
> 2.) Does anyone know of another Firewall Appliance which I could give a try 
> apart from the Sophos AND which runs in LX Brandz or in SmartOS/Solaris? (It 
> has the benefit that Proxy, Child protections and many other things are 
> preconfigured, so I would prefer that to the solution of setting it all up 
> using Solaris)
> 
> 3.) As Peter said that the LX Brandz does not have its own Linux kernel, I am 
> still a bit confused about the images provided by Joyent:
> Suppose I install an LX Zone with Debian now. Time passes and Joyent offers a 
> new Debian with a newer release - will there be a difference (and if yes, 
> which) between the LX Zone I installed now and the new one Joyent will 
> release in half a year - supposing that I did aptitude update and so on inside 
> that zone regularly? If yes - is there a way to update the Zone itself from 
> one Joyent release to another, or does it all have to be destroyed and 
> reinstalled again?
> The same thing is not quite clear to me with the SmartOS zones. Is there a 
> difference between a newer SmartOS image from imgadm and an older one which is 
> kept updated with pkgin fug?
> 
> Sorry for so many questions...
> Mat
> 
> From: Peter Kelm <[email protected]>
> To: [email protected]; Mat Schreiber 
> <[email protected]> 
> Sent: 18:24 Monday, 16 January 2017
> Subject: Re: [smartos-discuss] LX Zone from CD/ISO Image
> 
> Mat,
> 
> You’d be (more or less) limited to a KVM zone if all you have is an ISO of an 
> appliance. In a nutshell an LX zone is a native zone ("Solaris") using a 
> Linux compatibility layer. It is not a full Linux OS, does not run its own 
> kernel…
> 
> Theoretically you could build an LX zone that mimics the setup of that Sophos 
> appliance.
> 1) Determine what distribution (and specific version) the Sophos appliance is 
> based on. Then start out with an LX dataset of the same distribution (on 
> SmartOS).
> 2) "Diff" the filesystems and replicate all changes (install packages, edit 
> config files,…) on that LX zone/machine.
> 
> I looked at this a while ago for an AV appliance but found that it is too 
> cumbersome and completely unsupported anyway. Fortunately our AV vendor also 
> offered an RPM install in addition to the appliance ISO. So I spun up an 
> Ubuntu LX zone using the Joyent provided dataset and installed those RPMs per 
> the directions of the AV software supplier…
> 
> Let me know if this makes it clearer.
> 
> Peter
> 
>> On 16.01.2017 at 17:57, Mat Schreiber via smartos-discuss 
>> <[email protected]> wrote:
>> 
>> 
>> 
>> Hi,
>> 
>> sorry if my question is answered somewhere in the Joyent Wikis, but I found 
>> nothing clearly explaining it:
>> 
>> I want to install the Sophos Firewall UTM in an LX Zone (as I assume LX 
>> Zones to be way faster than KVM Zones).
>> So far so good. But I do not know how to create a VM now, as I don't have an 
>> empty Image in imgadm.
>> I just have instructions from Oracle with LX Zones and installation from CD:
>> Installing and Booting lx Branded Zones (System Administration Guide: Oracle 
>> Solaris Containers-Resource Management and Oracle Solaris Zones) 
>> <https://docs.oracle.com/cd/E19044-01/sol.containers/817-1592/gdbhu/index.html>
>> 
>> But I am not sure if it would be possible afterwards getting this thing 
>> again under control of vmadm...
>> 
>> Or is it like that, that I should take an image (which one wouldn't matter) 
>> and when set up I do an unconfigure to that Zone and install it again from 
>> CD as described in the Oracle Instruction...
>> What to do best?
>> 
>> Sorry and thanks,
>> Mat
>> 
> 
> 




-------------------------------------------
smartos-discuss
Archives: https://www.listbox.com/member/archive/184463/=now
RSS Feed: https://www.listbox.com/member/archive/rss/184463/25769125-55cfbc00
Modify Your Subscription: 
https://www.listbox.com/member/?member_id=25769125&id_secret=25769125-7688e9fb
Powered by Listbox: http://www.listbox.com
