On Apr 23, 2014, at 9:08 AM, arjan tijms <arjan.tijms(a)gmail.com> wrote:
> Hi,
>
> On Wed, Apr 23, 2014 at 3:38 PM, Bill Burke <bburke(a)redhat.com> wrote:
> > As much as we like to think the app server is an operating system, it
> > isn't. The app server isn't a place where untrusted apps run.
>
> I'm a big fan of this view. I know that originally the AS may have been seen as a
> kind of OS for server apps, but in practice this just hasn't worked out. The
> protection model of the OS with its isolating processes is just much more powerful.
>
> Running a single app per AS gives you better protection, even more if each AS runs
> inside its own virtual server (which makes it even easier to limit the CPU usage of
> individual apps). Additionally, a lot of problems associated with updating either the JVM,
> the entire AS, or one or more libraries of the AS just go away in the one-app-per-AS
> setup. Adam Bien wrote a good article about this:
> http://adam-bien.com/roller/abien/entry/why_not_one_application_per
>
> I think Red Hat/JBoss shares the same belief. I mean, why else would OpenShift use
> SELinux to isolate apps and not just run a bunch of them on a single JBoss AS?
Yes, that is our recommended security model, and yes, that's precisely what we do on
OpenShift because otherwise one customer could potentially access another’s data, which
would be very very bad :)

We do hope that one day a multi-tenant JVM will come around, since it would reduce the
memory cost of multiple JVMs (base JVM heap + class code memory which ideally you could
share but can’t currently). Although this is only really a problem when you have thousands
of instances on a box (you are running a PAAS).

Just cross-process/cross-OS-VM shared jars would probably be really
huge. Not something we can really focus on in the middleware side of
development though.
--
Bill Burke
JBoss, a division of Red Hat