On 4/13/21 11:48 AM, Roberto Ragusa wrote: > On 4/10/21 6:13 PM, Nicolas Kovacs wrote: > >> I'd be curious to have your input, since I'm fairly new to this sort >> of approach. > > I would only separate things that for some reasons are "dirty", e.g. > require non packaged > installation. > > All the rest (like bind, postfix, dovecot) can happily live in the same > machine. > > Splitting things too much will increase the maintenance effort, every > stupid detail > like new kernel installation, clock syncing, log rotation, security > patching, etc. > gets duplicated. Not to mention the need to now maintain a network > connecting the pieces. This is where what I do in jails on FreeBSD is different from what you describe. All jails in FreeBSD have same base system. Thus, no extra overhead for base system: it is updated for all jails in a single go. Separate jails have only what is necessary for particular jail. Therefore, I only put in the same jail "inseparable things (e.g. mailman has to have web interface and postfix or sendmail, so this is minimal sufficient bundle that has to be together). Services that do not have to live in the same jail run in different jails. The separation of services into different jails brings a lot of convenience: 1. If service "a" has to be worked on, only other services living in the same jail may potentially be affected, nothing else 2. If service "a" and service "b" need incompatible dependencies, there is no problem when they run in different jails 3. If you do upgrade (as in upgrade of base system), you can upgrade one jail at a time, hence it is much smaller set of things that has to be dealt with as a result of upgrade; the last helps to diminish downtime of every service caused by upgrade 4. Suppose you have compromise (no one is guaranteed from that), that came through some service, but then only that jail is affected, no mess bad guys can do to other services. 5. And one more important thing: base system in jail is mounted read-only: any mess due to compromise does not affect base system of jail (any one of jails) And the list can continue. I hope, experts in Linux virtualization will chime in and outline how similar (common for all virtual systems read-only base, etc) can be done with one of Linux virtualization solutions, because I'm certain in must be possible. And I for one would love to learn about that. I hope, this helps. Valeri > Same considerations when using containers instead of VMs, you only gain > some performance > by not dragging entire kernels for each service. > > Start by isolating the service that is giving you most troubles. > Then with a bit of experience, you can evaluate if proceeding along that > road. > > Best regards. > -- ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++