One of the unsung advantages of LXC and OpenVZ is that the disk cache is unified.

Full virtualization like KVM or VMware requires you to give each VM extra RAM for use as disk cache. For instance, if you had a typical set of processes that used 1.5GB and you gave the VM 1.7GB, that would hardly be enough, as you want more than 200MB of disk cache.

Under LXC and OpenVZ, any unused RAM becomes globally available for disk caching, giving a decent performance boost and further reducing the resource commitments per VM.

One example: a customer had some lousy queries in their SQL, but they really needed to have a good demo of their site. We moved them to a 32GB RAM system and gave the container 8GB.

As a result, nearly the entire 20GB database (or at least the parts that were needed) got loaded into the disk cache after the first batch of queries was run. It was enough to get them over the hump (they later figured out the nasty SQL that was getting them in trouble) and they had a good demo. After that, we live-migrated back to their regular server.
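A way to check the shared-cache picture the comment above describes on a real host, added here as an illustration and not code from the original thread or its author: it parses /proc/meminfo for the host-wide page cache and a container's cgroup memory.stat for how much of that cache is charged to the container. Both inputs below are constructed samples (the 32GB host figures are modelled on the comment's scenario); the field names follow the real kernel files, and on a Linux host you would feed the parsers the actual file contents.

```python
"""Inspect how much host RAM sits in the shared page cache and how much of
one container's memory footprint is cache rather than process memory.

Added illustration for the comment above; not code from the original thread.
Runs on constructed samples of /proc/meminfo and a cgroup memory.stat so it
works offline; feed the parsers the real files on a Linux host to use it.
"""

import re

# Constructed sample in /proc/meminfo format (values in kB): a 32 GiB host
# with most of its RAM in page cache and only 2 GiB genuinely free.
SAMPLE_MEMINFO = """\
MemTotal:       33554432 kB
MemFree:         2097152 kB
Buffers:          524288 kB
Cached:         20971520 kB
SwapCached:            0 kB
Active:         24117248 kB
Inactive:        5242880 kB
"""

# Constructed sample of a cgroup v1 memory.stat for one container (values in
# bytes): 4 GiB of process memory plus 4 GiB of page cache charged to it.
# cgroup v2 reports the same split under the keys "anon" and "file".
SAMPLE_CGROUP_STAT = """\
cache 4294967296
rss 4294967296
mapped_file 1073741824
pgpgin 123456
"""

_MEMINFO_RE = re.compile(r"^(\w+):\s+(\d+)(?:\s+kB)?$")


def parse_meminfo(text):
    """Return {field: kilobytes} from /proc/meminfo-style text."""
    out = {}
    for line in text.splitlines():
        m = _MEMINFO_RE.match(line.strip())
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def host_memory_split(meminfo):
    """Split host RAM (kB) into free, page cache, and everything else.

    "cache" is Buffers + Cached: memory the kernel can reclaim under
    pressure and which every container on the host benefits from."""
    total = meminfo["MemTotal"]
    free = meminfo["MemFree"]
    cache = meminfo.get("Buffers", 0) + meminfo.get("Cached", 0)
    return {"total": total, "free": free, "cache": cache,
            "used": total - free - cache}


def parse_cgroup_stat(text):
    """Return {key: bytes} from a cgroup memory.stat file."""
    out = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].isdigit():
            out[parts[0]] = int(parts[1])
    return out


def container_memory_split(stat):
    """Return (process_memory, page_cache) in bytes charged to the cgroup,
    accepting cgroup v1 (rss/cache) or cgroup v2 (anon/file) key names."""
    if "rss" in stat and "cache" in stat:
        return stat["rss"], stat["cache"]
    if "anon" in stat and "file" in stat:
        return stat["anon"], stat["file"]
    raise ValueError("unrecognised memory.stat format")


def cache_share(stat, meminfo):
    """Fraction of the host's page cache that is charged to this container;
    the remainder is cache the rest of the host (and other containers) use."""
    _, container_cache = container_memory_split(stat)
    host_cache_bytes = host_memory_split(meminfo)["cache"] * 1024
    return container_cache / host_cache_bytes


if __name__ == "__main__":
    mi = parse_meminfo(SAMPLE_MEMINFO)
    cg = parse_cgroup_stat(SAMPLE_CGROUP_STAT)
    h = host_memory_split(mi)
    print("host: %d GiB total, %d GiB free, %.1f GiB page cache" %
          (h["total"] // 2**20, h["free"] // 2**20, h["cache"] / 2**20))
    rss, cache = container_memory_split(cg)
    print("container: %d GiB process memory, %d GiB page cache (%.0f%% of host cache)" %
          (rss // 2**30, cache // 2**30, 100 * cache_share(cg, mi)))
```

The point of the check: a VM would have to carry that 20.5 GiB of cache inside its own RAM allocation, whereas here only the 4 GiB charged to the container's cgroup counts against it and the rest is host-wide cache any container can hit.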
Does anyone have any good resources on how Linux LXC compares to BSD Jails from a security perspective? I've long been a fan of BSD jails because of how simple the security model is to understand, and how secure they've been in practice. Jail has long been a killer feature for BSD and a very, very good reason to use a BSD derivative for web servers, etc., as you can run each and every service that has the potential to be compromised in its own jail to minimize the overall risk; whereas the best Linux had to offer has traditionally been a chroot'd environment, which, while good, has absolutely nothing on a BSD jail.

I'd imagine that LXC has the potential to change that, though I presume it'll take some time for a) adoption to increase and b) for it to prove itself after that.
For some context, I believe many/most people doing PaaS (e.g. Heroku, DotCloud, Cloudbees, Node*) are using LXC to create slices/dynos/shards/whatever.
LXC

- Is LXC friendly with IDS/IPS and the like?

- If I place a webserver or a database in a container, what would be the implications in terms of set-up?

- Networking? How would it interact with iptables? iptables only on the host, or is it possible to set up separate iptables in each container?

- How is logging dealt with?

- Can a system user sitting in the container escalate to root?

I am looking for a solution to further harden the set of VPSs for a web site/app.

Is LXC a good fit for that? Or might something else be a better fit?

Thank you.

P.S.: my CFO experience cannot help me here :-(
Linux containers are a fantastic development tool and ready for production prime time. BSD has long had really good jails and having implemented this now for (development) purposes for cnx.org I can recommend them.