
On Wed, 17 Oct 2012, Peter Ross <Peter.Ross@bogen.in-berlin.de> wrote:
> It just feels more like an "add-on".. You may use your SE Linux wizardry to increase security if you don't trust it enough.

AFAIK none of the LXC type things support different SE Linux policies on a per-jail basis. But in the past I've written policy for chroot environments and could use that. Another option is to use different MCS categories for the various jails. But for the case where I'm running a single set of applications (mail delivery, IMAP, and POP servers) I can just use the same policy. It would only be if I had entirely different mail servers in different chroots that there would be a need for different policies.

> The disks are files on a "normal" zfs so they profit from snapshotting, zfs send/receive mechanism for off-site backup etc.

So you can't do that with a zvol?

> But I don't think it is a really good setup, it is just "good enough" here, and as I have all other stuff running in jails native on FreeBSD, I keep it.

In what way isn't it "really good"?

> I don't think you win much if you use NFS over ZFS instead.

Yes, there are significant issues, but it's a matter of whether the other issues are worse.

> You may increase performance if you use "raw zpool" underneath but then you don't have the "cool stuff" (snapshots, cloning etc.) that makes you want to use ZFS in the first place.

What is a "raw zpool"? Is that a zvol?

> I could imagine using LVM on Dom0 and giving partitions to the DomUs and running ZFS inside.

That means you lose the contiguous write feature of ZFS which is essential to good performance. Ext3/4 on LVM volumes gives somewhat contiguous reads where possible, ZFS when it owns the disks gives contiguous writes, but ZFS on multiple LVM volumes gives neither.

> That way you can snapshot the partitions with LVM outside (to get "disk images") and ZFS management inside.

Why would you want to do that? As ZFS owns the devices and the mount points it's surely not going to be easy to have multiple snapshots of a ZFS filesystem active at once. It would probably be like trying to take a snapshot of a PV that's used for LVM - something that can theoretically be usable if you take the snapshot to another system but otherwise will be a massive PITA and probably cause data loss.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
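The reply above suggests giving each jail its own MCS category as a way to separate jails that all run under the same SE Linux policy. The following is an added example, not code from this thread or from any SE Linux tool: it models the MCS dominance rule (a process may touch a file only if the file's category set is a subset of the process's category set) and shows which jails' files each jail process can reach. The jail names and the `s0:c10`-style labels are constructed for illustration, and a plain `s0` label with no categories is included to show the caveat that an uncategorised file is reachable from every jail.

```python
"""Toy model of MCS category separation between jails (added example).

This is not the SE Linux policy engine; it only reproduces the MCS
constraint so the effect of per-jail categories can be checked offline.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class McsLabel:
    sensitivity: str
    categories: frozenset


def parse_mcs(label: str) -> McsLabel:
    """Parse the MCS part of a context: 's0', 's0:c10', 's0:c1,c2' or a range 's0:c0.c1023'."""
    sens, _, cats = label.partition(":")
    if not sens.startswith("s"):
        raise ValueError(f"bad sensitivity in {label!r}")
    categories = set()
    if cats:
        for tok in cats.split(","):
            tok = tok.strip()
            if "." in tok:  # range like c0.c3 expands to c0,c1,c2,c3
                lo, hi = tok.split(".")
                categories.update(range(int(lo[1:]), int(hi[1:]) + 1))
            else:
                categories.add(int(tok[1:]))
    return McsLabel(sens, frozenset(categories))


def mcs_allows(process_label: str, file_label: str) -> bool:
    """MCS dominance: the process must hold every category the file carries."""
    p, f = parse_mcs(process_label), parse_mcs(file_label)
    return p.sensitivity == f.sensitivity and f.categories <= p.categories


def assign_jail_categories(jail_names, first_category=10):
    """Give each jail a distinct single category so no jail dominates another's files."""
    return {name: f"s0:c{first_category + i}" for i, name in enumerate(jail_names)}


def jail_access_matrix(jails):
    """For every jail process, list the jails whose files it may access."""
    return {
        src: sorted(dst for dst, lbl in jails.items() if mcs_allows(jails[src], lbl))
        for src in jails
    }


# Constructed jails matching the applications mentioned in the thread.
JAILS = assign_jail_categories(["mail-delivery", "imap", "pop"])

if __name__ == "__main__":
    for src, reachable in jail_access_matrix(JAILS).items():
        print(f"{src:14s} ({JAILS[src]}) can reach: {reachable}")
    # A file labelled with no category is reachable from every jail, so shared
    # system files must be labelled carefully if they are meant to be private.
    print("imap jail can read an uncategorised file:", mcs_allows(JAILS["imap"], "s0"))
```

Running the script prints each jail reaching only its own files, while the host administrator's usual full range (`s0:c0.c1023`) dominates all of them; the last line is the caveat that separation only holds for files that actually carry a jail's category.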