On 1/13/2014 9:11 PM, Christopher Ahrens wrote:
> Jack Woehr wrote:
>> Christopher Ahrens wrote:
>>>
>>> Wish I could split everything off to physical, but all I have
>>> space for is a mini-rack that fits under my desk in my apartment
>>
>> Sounds like you have answered your own question!
>>
>
> What I meant by bare-metal was if I should run a bunch of services on the same
> installation of OpenBSD.
Well, hardware failures on a small pool of machines are still hardware failures on a small pool of machines, whether you have virtual servers or not.

For security, chroot (especially with privilege separation) accomplishes a lot of what virtualization claims to offer, with a much longer history of auditing and better understood weaknesses.

It is usually easier, in my experience, to manage one system running many services in individual chroot environments than to manage many (virtual) systems. Files in chroot environments will sometimes need to be updated when you change the main system, but in my experience this is a much easier task to identify and manage than applying those changes en masse to a collection of virtual hosts. Plus, there will be plenty of system updates to the main system that don't need to trickle down to the chroot environments, but will almost always need to be applied individually to each virtual host.

You may still want to physically separate some concerns if you have enough machines (e.g., build machines vs. service machines, spreading out disk-intensive services, etc.), but in general I don't think virtualization will particularly help you.
-- 
Matthew Weigel
hacker
unique & idempot . ent
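The "identify and manage" step Matthew describes, as an added example that is not his code or anything from the thread: a POSIX sh function that walks a chroot and reports every file that also exists at the same relative path in the base system but whose contents have drifted (the copies of certificates, libraries or resolver configs that get stale after an upgrade). The base/chroot directory layout and file contents below are constructed in a temp directory purely for the demo; on a real host you would call it as `chroot_stale / /var/www` or similar.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes POSIX sh with
# find, cmp, mktemp, wc and tr available; the chroot layout is hypothetical.

# chroot_stale BASE CHROOT
# Print one line per file under CHROOT that also exists under BASE at the
# same relative path but whose contents differ. Files present only in the
# chroot (the service's own content, sockets, logs) are ignored, since they
# have no base-system counterpart to sync from.
chroot_stale() {
    base=$1
    root=$2
    find "$root" -type f | while IFS= read -r f; do
        rel=${f#"$root"}                       # path relative to the chroot
        if [ -f "$base$rel" ] && ! cmp -s "$base$rel" "$f"; then
            printf '%s\n' "$rel"
        fi
    done
}

# Constructed demo layout standing in for / (base) and e.g. /var/www (chroot).
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/base/etc/ssl" "$d/base/usr/lib" \
             "$d/chroot/etc/ssl" "$d/chroot/usr/lib" "$d/chroot/htdocs"
    printf 'root:x:0:0\n' > "$d/base/etc/passwd"
    printf 'root:x:0:0\n' > "$d/chroot/etc/passwd"        # in sync: not reported
    printf 'CA v2\n'      > "$d/base/etc/ssl/cert.pem"
    printf 'CA v1\n'      > "$d/chroot/etc/ssl/cert.pem"  # stale copy: reported
    printf 'libc 2\n'     > "$d/base/usr/lib/libc.so"
    printf 'libc 1\n'     > "$d/chroot/usr/lib/libc.so"   # stale copy: reported
    printf 'hello\n'      > "$d/chroot/htdocs/index.html" # chroot-only: ignored
    printf '%s\n' "$d"
}

# Number of stale files in the demo layout (2), for scripted checks.
demo_stale_count() {
    d=$(demo_setup)
    n=$(chroot_stale "$d/base" "$d/chroot" | wc -l | tr -d ' ')
    rm -rf "$d"
    printf '%s\n' "$n"
}

# Stand-alone run: list the drifted files in the demo chroot.
d=$(demo_setup)
chroot_stale "$d/base" "$d/chroot"
rm -rf "$d"
```

Feeding the output to a copy loop (`cp "/$rel" "/var/www$rel"`) is the obvious next step, but it is worth eyeballing the list first: a differing `/etc/hosts` or `resolv.conf` inside the chroot may be deliberately different from the host's.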