Who uses KVM then? Linux shops? REHV?
CRtools 0.1 released
Posted Jul 25, 2012 1:53 UTC (Wed) by theophrastus (guest, #80847)
Posted Jul 25, 2012 2:09 UTC (Wed) by dskoll (subscriber, #1630)
OpenVZ containers are quite isolated. So you can give someone root in one container and that doesn't allow him/her any access in another container or in the host system (barring bugs, of course.)
You can also apply resource limits to OpenVZ containers so a fork bomb in one container doesn't bring down the system or affect other containers.
OpenVZ is analogous to Solaris Zones with similar use cases.
Posted Jul 25, 2012 2:55 UTC (Wed) by theophrastus (guest, #80847)
Posted Jul 25, 2012 12:17 UTC (Wed) by Lennie (subscriber, #49641)
LXC is a bit more flexible in what it can be I believe, but normally OpenVZ, Linux V-Server and others are like a separate process- and filesystem-namespace with sometimes a separate network stack (in the case of the filesystem, that just means, each container is a separate directory).
Or as Jonathan Corbet described it on this site:
"Containers" can be thought of as a lightweight form of virtualization. Virtualized guests appear to be running on their own dedicated hardware; containers, instead, run on the host's kernel, but in an environment where they appear to have that kernel to themselves. The result is more efficient; it is typically possible to run quite a few more containerized guests than virtualized guests on a given system. The cost, from the user's point of view, is flexibility; since virtualized guests can run their own kernel, they can run any operating system while containerized guests are stuck with what the host is running."
Posted Jul 25, 2012 15:04 UTC (Wed) by mathstuf (subscriber, #69389)
You can't give root to A in a container and access to the filesystem from the main system as any user. Simply make a suid executable in the container and execute from the main system. Unless uids are jailed as well (and appear on disk as some offset from "root" permissions).
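The setuid trick mathstuf describes, worked through as an added example (this is not code from the thread, from OpenVZ or from any other project mentioned here). It assumes the kernel's `/proc/<pid>/uid_map` line format, `<inside> <outside> <count>`, and uses hypothetical helper names of its own; the mapping strings and the directory tree are constructed so the script runs offline without root. The point it shows: a file that container root makes setuid is stored on disk with whatever host uid container uid 0 maps to, so a host process executing it gains exactly that uid. With no uid offset (the situation in the comment) that is host root; with an offset mapping it is an unprivileged uid.

```python
"""Why a setuid binary created by container root matters on the host only
when container uid 0 is also host uid 0 on disk.

Added example, not the thread's or any project's code. Function names are
hypothetical; uid_map strings and the scanned tree are constructed inputs.
"""
import os
import stat
import tempfile
from typing import List, Optional, Tuple

UidMap = List[Tuple[int, int, int]]

# Constructed mappings in the real /proc/<pid>/uid_map format.
IDENTITY_MAP = "0 0 4294967295\n"      # no uid jailing: container root == host root
OFFSET_MAP = "0 100000 65536\n"        # container root stored on disk as host uid 100000


def parse_uid_map(text: str) -> UidMap:
    """Parse "<inside> <outside> <count>" lines into (inside, outside, count)."""
    entries: UidMap = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        entries.append((inside, outside, count))
    return entries


def inside_to_host(uid: int, uid_map: UidMap) -> Optional[int]:
    """Translate a uid as seen inside the container to the uid it is stored
    as on the host's disk. None means the uid has no mapping at all."""
    for inside, outside, count in uid_map:
        if inside <= uid < inside + count:
            return outside + (uid - inside)
    return None


def host_privilege_from_suid(inside_owner_uid: int, uid_map: UidMap) -> Optional[int]:
    """Privilege a *host* process gains by executing a setuid file that a
    container process created with owner `inside_owner_uid`: it is simply
    the on-disk (host) owner uid of that file."""
    return inside_to_host(inside_owner_uid, uid_map)


def find_suid_owned_by(root_dir: str, host_uid: int = 0) -> List[str]:
    """Walk a container's filesystem tree from the host and list regular
    files with the setuid or setgid bit whose on-disk owner is `host_uid`.
    With the identity mapping, a binary container root made setuid shows up
    for host_uid=0; with an offset mapping it would only match uid 100000."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root_dir):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)           # never follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID) and st.st_uid == host_uid:
                hits.append(path)
    return sorted(hits)


def make_demo_tree() -> str:
    """Construct a tiny 'container root' owned by the current user: one
    setuid executable and one ordinary one. Returns the tree's path."""
    root = tempfile.mkdtemp(prefix="ct_root_")
    os.makedirs(os.path.join(root, "bin"))
    suid_bin = os.path.join(root, "bin", "su")
    plain_bin = os.path.join(root, "bin", "ls")
    for path in (suid_bin, plain_bin):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nid\n")
    os.chmod(plain_bin, 0o755)
    os.chmod(suid_bin, 0o4755)            # what 'root' in the container would do
    return root


if __name__ == "__main__":
    for label, text in (("identity", IDENTITY_MAP), ("offset", OFFSET_MAP)):
        print(label, "mapping: container root's setuid file gives host uid",
              host_privilege_from_suid(0, parse_uid_map(text)))
    tree = make_demo_tree()
    print("setuid files owned by me in", tree, "->",
          find_suid_owned_by(tree, os.getuid()))
```

Two caveats a host administrator would add: the scanner only reports ownership, so it should be run from the host over the container's directory (inside the container the bits and owners look legitimate), and mounting the container tree `nosuid` on the host side is the complementary protection, since it makes the kernel ignore the bit regardless of owner.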
Posted Jul 25, 2012 16:22 UTC (Wed) by josh (subscriber, #17465)
Posted Jul 25, 2012 2:30 UTC (Wed) by cmccabe (guest, #60281)
I know that shared hosting providers use OpenVZ to give multiple users accounts on the same machine that look like root, but which can't interfere with the other users too much.
You could use virtual machines for the same thing, but it isn't as efficient. The main advantage is that with VMs you can offer Windows hosting, or hosting on more than one Linux kernel version.
I don't know exactly why Amazon still uses Xen instead of KVM, but I think at least part of it has to do with the fact that Xen came out first.
Posted Jul 25, 2012 2:00 UTC (Wed) by miguelzinho (subscriber, #40535)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds