> What's the point of "separating services into containers"?
What's the point of chroot?
In the end it's all about separation.
Be it security or in our case mostly management wise.
Each service inside an openvz instance can be painlessly administered by another admin without special care about stepping on the toes of 20 other administrators for the other services.
Some services are really bad in separation, be it syslog configuration of all the daemons, network configuration for additional ip addresses for the different services or even reducing the necessary configuration!
As most things are done by policy with one service per container (or even done by e.g. puppet).
As you see there are a _whole_ lot of reasons to split up services.
> Assuming no kernel bugs...
Assuming the earth is flat has about the same probability of being right.
> Hardware-level virtualization is a different matter though and can in principle improve security.
openVZ has near zero overhead both in terms of speed and resource usage.
Most of the time it's just one rsyslog process more per service, which is at the edge of rounding errors if you speak about 128GB being the minimal amount of RAM in current Intel dual CPU servers (16G sticks).