CRtools 0.1 released

Posted Jul 25, 2012 0:16 UTC (Wed) by theophrastus (guest, #80847)
Parent article: CRtools 0.1 released

so OpenVZ is vaguely similar in functionality to VMWare or Xen. but unlike VMWare runs 'only' linux images (can't switch to windows to play some windows only video game). so, (if i didn't already louse-up that much), what's a couple of practical reasons one would want to do that? security? testing security? swapping active web-servers for updates? proper (GPL) licensing? i'm honestly curious. (thankee!)

CRtools 0.1 released

Posted Jul 25, 2012 0:32 UTC (Wed) by price (guest, #59790) [Link]

The major advantages are about efficiency.

* You have only one kernel, so you're not duplicating the work and memory usage of the kernel.

* You have one memory manager, one scheduler, and one filesystem implementation, so you can use resources more completely without having to give each VM an overallocation.

* You have one filesystem implementation (and one page cache), so you can give each VM a snapshot of a common filesystem and not duplicate all the system files (and not duplicate the in-memory cache of each of those files either.)

* When you create a new VM, its base system is already a filesystem snapshot and even its kernel is already running, so it comes up very quickly.

You can read more on the OpenVZ wiki: http://wiki.openvz.org/Introduction_to_virtualization or in marketing-speak at the page for Parallels Virtuozzo Containers for Linux, which is the commercial version from the primary sponsors of OpenVZ: http://www.parallels.com/products/pvc/#c2697

CRtools 0.1 released

Posted Jul 25, 2012 0:52 UTC (Wed) by theophrastus (guest, #80847) [Link]

I fear you've over-estimated the crude level of my question. I have a single image of linux running in front of me now, and it (more or less) fulfills each of those bullet points of yours. Perhaps if i rephrase: if one can switch between multiple linux kernels (all much alike) what practical uses can one put them to? (as opposed to a rack of clustered servers, for example)

CRtools 0.1 released

Posted Jul 25, 2012 1:41 UTC (Wed) by price (guest, #59790) [Link]

These advantages are in comparison to other forms of virtualization, like VMware or Xen (which your original post did mention.) If you're happy with a single image of Linux, then it's almost all moot. (You might still like, say, migration.)

Many people find they want to supply root-on-a-Linux-box to multiple mutually-untrusting users; VMware, Xen, and OpenVZ are all ways to do that (among other use cases.) Broadly, enterprises seem to like VMware, giant cloud providers Xen, and web hosters with their razor-thin margins like OpenVZ or its commercial version.

CRtools 0.1 released

Posted Jul 25, 2012 1:46 UTC (Wed) by TRS-80 (subscriber, #1804) [Link]

Who uses KVM then? Linux shops? RHEV?

CRtools 0.1 released

Posted Jul 25, 2012 1:53 UTC (Wed) by theophrastus (guest, #80847) [Link]

and, dammit [wink], what specific use are they making of these? give me the name of a program/process/"application" that one is running in one image and another name (which i suppose could be the same) that's running in another image and how that's useful relative to just two processes in a single image.
(thankee!) (just trying to understand how multiple kernel images that are nearly the same are used)

CRtools 0.1 released

Posted Jul 25, 2012 2:09 UTC (Wed) by dskoll (subscriber, #1630) [Link]

OpenVZ containers are quite isolated. So you can give someone root in one container and that doesn't allow him/her any access in another container or in the host system (barring bugs, of course.)

You can also apply resource limits to OpenVZ containers so a fork bomb in one container doesn't bring down the system or affect other containers.

OpenVZ is analogous to Solaris Zones with similar use cases.

CRtools 0.1 released

Posted Jul 25, 2012 2:55 UTC (Wed) by theophrastus (guest, #80847) [Link]

ah. so it's "security". protecting the system (as a whole) against users who have root access. thank you! i think that answers my question as well as i've been able to express it.

CRtools 0.1 released

Posted Jul 25, 2012 12:17 UTC (Wed) by Lennie (guest, #49641) [Link]

It is like chroot yes.

LXC is a bit more flexible in what it can be I believe, but normally OpenVZ, Linux V-Server and others are like a separate process- and filesystem-namespace with sometimes a separate network stack (in the case of the filesystem, that just means each container is a separate directory).

Or as Jonathan Corbet described it on this site:

"Containers" can be thought of as a lightweight form of virtualization. Virtualized guests appear to be running on their own dedicated hardware; containers, instead, run on the host's kernel, but in an environment where they appear to have that kernel to themselves. The result is more efficient; it is typically possible to run quite a few more containerized guests than virtualized guests on a given system. The cost, from the user's point of view, is flexibility; since virtualized guests can run their own kernel, they can run any operating system while containerized guests are stuck with what the host is running."

CRtools 0.1 released

Posted Jul 25, 2012 15:04 UTC (Wed) by mathstuf (subscriber, #69389) [Link]

> So you can give someone root in one container and that doesn't allow him/her any access in another container or in the host system (barring bugs, of course.)

You can't give root to A in a container and access to the filesystem from the main system as any user. Simply make a suid executable in the container and execute from the main system. Unless uids are jailed as well (and appear on disk as some offset from "root" permissions).

CRtools 0.1 released

Posted Jul 25, 2012 16:22 UTC (Wed) by josh (subscriber, #17465) [Link]

Containers handle UIDs, yes; root in a container does not necessarily correspond to root in the parent container.
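
The uid-offset idea raised in the two comments above, as an added illustration that is not part of this thread: Linux user namespaces (a feature that postdates this discussion) publish the mapping in /proc/<pid>/uid_map, and the constructed map below is an assumption, not a value read from any real system. The code shows why a file owned by "root" inside a container is owned by an unprivileged host uid on disk, and why an identity map (no user namespace) gives the opposite result.

```python
"""Translate container uids to host uids through a Linux user-namespace uid_map.

/proc/<pid>/uid_map holds one mapping per line:
    <first uid inside the namespace> <first uid outside> <count>
"""
from typing import List, Optional, Tuple

# Constructed sample maps (assumptions for this illustration, not live data).
MAPPED_UID_MAP = "0 100000 65536\n"      # container root -> host uid 100000
IDENTITY_UID_MAP = "0 0 4294967295\n"    # no user namespace: root == root

def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map lines into (inside_start, outside_start, count) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        inside, outside, count = (int(field) for field in line.split())
        entries.append((inside, outside, count))
    return entries

def to_host_uid(container_uid: int, uid_map: List[Tuple[int, int, int]]) -> Optional[int]:
    """Return the host's view of a container uid, or None if it is unmapped
    (the kernel then presents it as the overflow uid, normally 65534/nobody)."""
    for inside, outside, count in uid_map:
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None

def setuid_grants_on_host(owner_container_uid: int,
                          uid_map: List[Tuple[int, int, int]],
                          nosuid: bool) -> Optional[int]:
    """Host uid a setuid file owned by owner_container_uid would switch to if
    executed from the host. With the container root mounted nosuid the bit is
    ignored, so nothing is granted (None)."""
    if nosuid:
        return None
    return to_host_uid(owner_container_uid, uid_map)

def host_view_of_container_root(uid_map_text: str) -> Optional[int]:
    """Convenience wrapper: which host uid does container uid 0 land on?"""
    return to_host_uid(0, parse_uid_map(uid_map_text))
```

With the mapped table, container root lands on host uid 100000 and a setuid-root-in-the-container file only ever elevates to that unprivileged uid; with the identity table it is host root, which is exactly the concern the grandparent comment raises.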

CRtools 0.1 released

Posted Jul 25, 2012 2:30 UTC (Wed) by cmccabe (guest, #60281) [Link]

You can think of openVZ and lxc as better versions of chroot. Unlike chroot, they were designed to be secure against root inside the container.

I know that shared hosting providers use openVZ to give multiple users accounts on the same machine that look like root, but which can't interfere with the other users too much.

You could use virtual machines for the same thing, but it isn't as efficient. The main advantage is that with VMs you can offer Windows hosting, or hosting on more than one Linux kernel version.

I don't know exactly why Amazon still uses Xen instead of KVM, but I think at least part of it has to do with the fact that Xen came out first.

CRtools 0.1 released

Posted Jul 25, 2012 2:00 UTC (Wed) by miguelzinho (guest, #40535) [Link]

CRtools 0.1 released

Posted Jul 25, 2012 9:32 UTC (Wed) by robert_s (subscriber, #42402) [Link]

It's probably best not to think of it as a desktop virtualization thing. Think cloud providers/IaaS. In theory someone like Amazon could use this type of virtualization on AWS and allow users to run pretty much any linux userspace they like (as long as it's compatible with the [single] running kernel) and waste a lot less memory. And cause a much smaller performance hit.

CRtools 0.1 released

Posted Jul 25, 2012 16:24 UTC (Wed) by raven667 (subscriber, #5198) [Link]

> * You have only one kernel, so you're not duplicating the work and memory usage of the kernel.

One other point is that a single kernel can make much better scheduling decisions for processes across multiple CPU cores than for virtualized SMP blobs. To run a vSMP blob you have to clear the decks on the assigned CPU cores, reset them to an expected state and then give exclusive access to the VM for its time slice, without really knowing what it's doing.


Copyright © 2018, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds