Linux VServer Project is doing just fine now

Posted Dec 6, 2005 15:59 UTC (Tue) by micah (subscriber, #20908)
In reply to: Linux VServer Project is doing just fine now by gvy
Parent article: The first stable OpenVZ release

Linux-vserver's 2.6.12.4-vs2.0 is the most recent stable release; there are patches available for 2.6.13 and 2.6.14, but they are not "blessed" as stable (although they contain bugfixes, and are very likely *stable*).

From the mailing list on the subject of the differences:

(will use Z for OpenVZ and S for Linux-VServer)

>> Factors of interest are
>> - stability,

Z: the announcement reads "first stable OVZ version"
S: we are at version 2.0.1 (> two years stable releases)

>> - Debian support,

Z: afaik they are redhat oriented (and recently
trying to get gentoo support done)
S: L-VS is in sarge (although with older/broken packages), etch and sid
but either using recent packages or compiling the tool
yourself works pretty fine on debian

>> - hardware utilization,

Z: no idea
S: support for 90% of all kernel archs at (almost) native
speed (utilization? I'd say 100% if required)

>> - documentation and

Z: no idea
S: the wiki, the L-VS paper(s) and google

>> - community support,

Z: irc channel and forum/bug tracker
S: ML, irc channel (I guess we have excellent support)

>> - security.

guess both projects are trying to keep high security
and IMHO the security is at least as high as with the
vanilla kernel release ...


OpenVZ is doing fine as well ;)

Posted Dec 6, 2005 19:00 UTC (Tue) by kolyshkin (subscriber, #34342)

Let me comment on these claims.

- stability,

Z: the announcement reads "first stable OVZ version"
S: we are at version 2.0.1 (> two years stable releases)

Although this is indeed the first stable OpenVZ release, OpenVZ is essentially Virtuozzo (without its bells and whistles), and Virtuozzo for Linux has been available for more than five years already.

- Debian support,

Z: afaik they are redhat oriented (and recently trying to get gentoo support done)
S: L-VS is in sarge (although with older/broken packages), etch and sid but either using recent packages or compiling the tool yourself works pretty fine on debian

Certainly you can compile OpenVZ from sources and use it on any Linux distro. And yes, we have been a part of Gentoo for about two months already (with all the recent releases making their way into Gentoo in a very timely fashion). Debian is one of our goals (see roadmap); although personally I am not a Debian expert, with some help from the Debian community we will make it.

- hardware utilization,

Z: no idea
S: support for 90% of all kernel archs at (almost) native speed (utilization? I'd say 100% if required)

We are supporting x86 (i386), x86_64 (AMD64, EM64T) and ia64 platforms. "Supporting" here means we have enough hardware for all three platforms, and do extensive quality testing (functionality, performance and stress tests) and a security audit on all of them. It's a pity, but we cannot provide the same level of support for platforms other than those three.

Speaking of specific hardware, we are supporting the same set of hardware that RHEL4 does, achieving this by backporting newer drivers from mainstream, vendors and RHEL4 kernels. There is an official Virtuozzo/OpenVZ HCL.

- documentation and

Z: no idea
S: the wiki, the L-VS paper(s) and google

We have an extensive 100-page user's guide. Also, all utilities have man pages, and there are some short to-the-point howtos on the site and the forum.

- community support,

Z: irc channel and forum/bug tracker
S: ML, irc channel (I guess we have excellent support)

There is bug tracking (Bugzilla) and quite active support forums; we also have mailing lists and an IRC channel (#openvz at freenode). We also provide fee-based support for OpenVZ, done by the same excellent team who supports Virtuozzo.

- security.

guess both projects are trying to keep high security and IMHO the security is at least as high as with the vanilla kernel release ...

I can definitely say our security is higher than that of the vanilla kernel. We achieve that by two means: (1) sticking to an older kernel and backporting all the fixes from mainstream and (2) hiring top-rated security specialists to do an OpenVZ security audit.

OpenVZ is doing fine as well ;)

Posted Dec 7, 2005 12:47 UTC (Wed) by nnnn (guest, #34393)

Are you saying that when these "top-notch security people" find new
bugs you are keeping the patches private and not sending them back
to the upstream maintainers?

That would be the only way for your offering to be more secure
than a vanilla kernel or other package. And it would be quite
bad if true.

OpenVZ is doing fine as well ;)

Posted Dec 7, 2005 14:37 UTC (Wed) by kolyshkin (subscriber, #34342)

First of all, we do always send fixes we have upstream, and external people who do the security audit for us are also sending their relevant findings upstream.

Second, as I have already tried to explain in my first comment here, our security can indeed be better than that of the vanilla kernel. We achieve this by sticking to an older (=more stable) kernel and backporting all the relevant fixes from vanilla and RHEL kernels (currently there are about 200 such patches, not counting driver updates).

So, we fix bugs and security holes, but do not introduce any new ones that _might_ be coming with newer kernels. This is essentially the same model used by Red Hat Enterprise Linux.

OpenVZ is doing fine as well ;)

Posted Dec 16, 2005 18:02 UTC (Fri) by dev (guest, #34359)

No, we are not hiding security fixes, and we participate in security@kernel.org.
But as you can see, both OpenVZ and vserver add an additional layer inside the kernel and to some extent actually introduce a new security model. And this security model should be reviewed/checked/thought over. For example, when you have a kernel bug which allows the 'root' user to crash your node, it is usually ok, since root is a privileged and trusted user. In the OpenVZ/vserver model root is an untrusted user. See the difference? Just an example...

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds