Does Linux support multi-user?

Posted Jul 18, 2011 16:25 UTC (Mon) by geuder (subscriber, #62854)
In reply to: Does Linux support multi-user? by raven667
Parent article: Reactive vs. pro-active kernel security

> Just one point of fact, the cost of running VMs is not "orders of magnitude" higher than running on a single system image, it's maybe 1-5% on the high side.

You mean in terms of CPU overhead, when a small number of VMs is running? I can agree. That's what I do here on my desktop all the time, because I want to run both stable versions and bleeding edge versions of different distros on the same machine.

But suppose I want to build a multi-user system. I could have e.g. 1000 accounts with some 50 of them logged in concurrently. Not an issue with a single kernel resource-wise (depending on the HW of course). But running 50 VMs just to get stronger privacy??? Or even 1000??? (With the 50 VM variant I'd still need some kind of "session router", to make sure everybody logging in gets a VM of his own. Doesn't sound very standard if there isn't some miracle package for this purpose out there I might have missed.) Don't see your 1-5% here, I would call it no way you do that with VMs for any reasonable price or HW.

Or maybe you can? I have seen at least one 64GB server. 1GB for every VM, you could already support more than 50 VMs without even sharing common pages or swapping. But I think the overhead on memory consumption is 10s of percents, not 1-5%. And I guess the price curve for server memory in that size is not linear. (Haven't bought anything over 4GB myself, so not sure)


Does Linux support multi-user?

Posted Jul 18, 2011 17:51 UTC (Mon) by raven667 (subscriber, #5198) [Link]

Actually what you are describing is currently one of the hot areas in VM systems right now, virtual desktop deployments. My guess, based on your comment about 64GB servers, is that you haven't much exposure to "Enterprise" VM systems like ESX, Xen or KVM. Just for a point of reference I dug around and looked at some ESX 4.1 VDI desktop benchmarks. The benchmark I found was for the storage system but the test harness they used had a density of 78 VMs/server (dual socket/6-core 96GB RAM, pretty average) and they could have gone higher but they wanted low latency and low memory/cpu contention. The VMs in the test were running Windows.

So your example of 50 VM hosts, that there is no way you could do this, isn't true; running desktop VMs at that level of density isn't even cutting edge and can be done on a modest dual-socket system, probably worth around $10-15k, whereas 78 $500 desktops would be almost $40k.

In fact, from a security perspective, running desktops as virtual machines has some other benefits too, in that many systems are run from snapshots off a central, read-only system image, so infected machines can be easily and completely rolled back to a known good state.

Does Linux support multi-user?

Posted Jul 19, 2011 3:51 UTC (Tue) by dlang (✭ supporter ✭, #313) [Link]

A $500 desktop system will be considerably more powerful than 1/50th of a 12 core box with 1G RAM. For that matter, a $200 server will probably beat that.

Remember that the users still need to have a machine with a display and keyboard.

The advantage of virtual desktops isn't hardware savings, it's centralized management/backup/etc.

Does Linux support multi-user?

Posted Jul 19, 2011 16:19 UTC (Tue) by raven667 (subscriber, #5198) [Link]

Yeah it would be more powerful in aggregate but it would also mostly go to waste being idle 99% of the time.

Yes, there needs to be something at the desk to display output but you have more flexibility on quality and speed, buying cheaper machines, keeping existing old machines or even allowing users to bring their privately-owned systems to use for display only.

Yes, the centralized management is a huge win for virtualization. I also wanted to point out that it isn't cost-prohibitive as well.

Does Linux support multi-user?

Posted Jul 19, 2011 14:21 UTC (Tue) by geuder (subscriber, #62854) [Link]

> My guess, based on your comment about 64GB servers, is that you haven't much exposure to "Enterprise" VM systems like ESX, Xen or KVM.

True. Well, I got access to the 64GB for free already 2 years ago because it was kind of surplus for the owner organization. So I could have thought that it was no longer a high end machine.

Just checked the first Dell offer I could find and 96GB were 4000 EUR. Indeed cheaper than I thought, but still some 50 EUR per user just for RAM in such a VM installation.

But if I get your point right, you say it's getting that cheap that we can stop worrying about a single Linux being suitable for multiple users with privacy/security requirements. Just use VMs in that case.

Does Linux support multi-user?

Posted Jul 19, 2011 16:38 UTC (Tue) by raven667 (subscriber, #5198) [Link]

Yes, right now that might be the simplest way to achieve the kind of separation you are looking for for multiple users. It's totally do-able, the infrastructure is there, it's even fashionable.

Now I will point out that running multiple OS kernels in a VM environment isn't the goal, hardware memory managers support strong separation but it's just currently easier to separate jobs into different OS kernels than build and configure the same level of separation within one OS kernel. Sooner or later we will get per-process checkpointing and live migration as well as containers and namespaces such that you will have a single system image across a cluster of machines which will have better scheduling and visibility of resources.

Does Linux support multi-user?

Posted Jul 18, 2011 23:29 UTC (Mon) by njs (guest, #40338) [Link]

> But suppose I want to build a multi-user system. I could have e.g. 1000 accounts with some 50 of them logged in concurrently. Not an issue with a single kernel resource wise (depending on the HW of course). But running 50 VMs just to get stronger privacy???

I think you missed the part of his comment where he clarifies that he's talking about container-style virtualization (vserver/lxc), not emulated-hardware-style virtualization (kvm/xen).

You can indeed have 50 "VMs" that are all running under the same kernel, with almost no overhead versus running all the same processes in a single "VM". (The information about which VM each process belongs to is just some extra bits in the task struct in the kernel.)
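
An added illustration of the point above (not part of the comment thread): on mainline Linux the per-task membership information is a set of namespace references, visible from user space as the links under /proc/<pid>/ns. The sketch groups processes by those references and shows which namespaces a contained process does not share with the host; the PIDs and inode numbers in `SAMPLE` are constructed, and the function names are this example's own.

```python
import os
import re
from collections import defaultdict

NS_LINK = re.compile(r"^([a-z_]+):\[(\d+)\]$")

# Constructed readlink output of /proc/<pid>/ns/* (not captured from a real host).
# The container has its own pid, mnt and uts namespaces but shares the host's net.
HOST = ["pid:[4026531836]", "mnt:[4026531840]", "net:[4026531956]", "uts:[4026531838]"]
CONT = ["pid:[4026532201]", "mnt:[4026532199]", "net:[4026531956]", "uts:[4026532200]"]
SAMPLE = {1: HOST, 812: HOST, 2301: CONT, 2307: CONT}


def parse_links(links):
    """Turn ['pid:[123]', ...] into {'pid': 123, ...}; malformed entries are skipped."""
    parsed = {}
    for link in links:
        m = NS_LINK.match(link)
        if m:
            parsed[m.group(1)] = int(m.group(2))
    return parsed


def read_live(pid):
    """Namespace links of a live process (Linux only; other users' PIDs need privileges)."""
    base = f"/proc/{pid}/ns"
    return [os.readlink(os.path.join(base, name)) for name in sorted(os.listdir(base))]


def group_by_namespaces(table):
    """Group PIDs with identical namespace sets: one group per container-style 'VM'."""
    groups = defaultdict(list)
    for pid, links in table.items():
        key = tuple(sorted(parse_links(links).items()))
        groups[key].append(pid)
    return sorted(sorted(pids) for pids in groups.values())


def differing(table, pid, reference=1):
    """Namespace types in which `pid` is separated from the reference process."""
    own, ref = parse_links(table[pid]), parse_links(table[reference])
    return sorted(t for t in own if own[t] != ref.get(t))


if __name__ == "__main__":
    print(group_by_namespaces(SAMPLE))
    print(differing(SAMPLE, 2301))
```

Passing `{pid: read_live(pid) for pid in ...}` instead of `SAMPLE` runs the same grouping on a live system. A namespace type missing from `differing()` (here `net`) is one the contained process still shares with the host, which is worth checking when the goal is separation between users.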

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds