Jail performance overhead

[kniveton]

Hello,

I have a question about jail performance, specifically in terms of running production large scale services inside a jail. Can anyone give a description, or better yet, point to an article that explains the performance implications of running services inside a jail, vs. just running them on a host machine?

For instance, if I am receiving a large amount of web traffic to a server, would there be a lot of context switching involved in routing the traffic from the host machine interface to the jail's network stack? Or is it simply a matter of data structure manipulation in the kernel?

Sorry if this question has been asked but I wasn't able to find anything on search. I have run jails for a while with great success, but wanting to know what would happen if I start putting them in performance critical parts of my system.

Thanks-

 

[lme@]

The perfomance overhead is zero because a process in a jail can access the kernel just like every other non-jailed process.

 

[kniveton]

So there's just a slight bit of scheduling overhead, no?

 

[graudeejs]

You won't notice any difference

 

[alphajim]

So there's just a slight bit of scheduling overhead, no?

Jails are more like a chroot on steroids. There's no VM overhead or special scheduling going on. It just allows you to set up a user context with very high "fences" around it. I would imagine there is some small overhead for additional code to run, but I can't imagine it would show up as a significant amount of cpu time.

you mostly want to be looking at jails when you have a user or process which could be used to attack the system. Lets say you have a daemon or user that needs to run as root. Even if the jail is compromised, the main system is still ok and you can limit (by default) the types of network things the jail can do