What's the better option to separate the operating system from services with FreeBSD: jails or VMs?
Relevant criteria for my use case:
- While being a Linux veteran, I have pretty little experience with FreeBSD.
- All software components need to be upgradable.
- Upgrades must not risk data loss.
- The machine must be safe against attacks from a malware-infested LAN, and from directed attacks by anybody who does not have a zero-day exploit.
To facilitate this, I plan to use a two-layer approach:
- The base layer can only be managed using a physical console and never accepts any network connections.
- The services layer contains services that may accept network connections (but usually do not).
- Use FreeBSD and bhyve for the base layer, run the services in VMs.
- Use FreeBSD and ezjail for the base layer, run the services in jails.
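As an added example (not part of the question above), here is how the base-layer rule "never accepts any network connections" can be enforced on the host with pf while a jail on the same interface stays reachable. Everything concrete in it is assumed: the NIC is em0, the host address is 192.0.2.10, there is one non-VNET jail named www aliased to 192.0.2.20 on em0 (via `ip4.addr` in jail.conf or `ezjail-admin create www 'em0|192.0.2.20'`), and the jail serves TCP 443.

```conf
# /etc/pf.conf on the base layer (added example, not from the question).
# Assumptions: external NIC em0, host address 192.0.2.10, one non-VNET jail
# "www" aliased to 192.0.2.20 on em0 and serving TCP 443.
ext_if   = "em0"
host_ip  = "192.0.2.10"
www_jail = "192.0.2.20"
www_port = "443"

set skip on lo0
scrub in all

# Default deny in both directions; log drops so they can be read on the console.
block log all

# Nothing on the LAN may open a connection to the base layer itself.
# "quick" makes this final regardless of any later pass rule.
block in quick on $ext_if to $host_ip

# The base layer may initiate what it needs (freebsd-update, pkg, ntp);
# replies are admitted by state, not by any inbound pass rule.
pass out on $ext_if from $host_ip keep state

# The services layer: only the published port of the jail is reachable.
pass in on $ext_if proto tcp to $www_jail port $www_port keep state
pass out on $ext_if from $www_jail keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, enable pf with `pf_enable="YES"` in /etc/rc.conf and `service pf start`, and keep `sshd_enable="NO"` on the host so that "console only" is also true from the process side, not just the filter side. Since a non-VNET jail shares the host's network stack, the jail can only bind to its own alias, so the host's address stays silent even if a jailed service listens on 0.0.0.0. The same ruleset idea carries over to the bhyve option with the VM's tap/bridge interface in place of em0.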