Linux-VServer
From Wikipedia, the free encyclopedia
| Field | Value |
|---|---|
| Developer | Herbert Pötzl (community project) |
| OS | Linux 2.6 and 2.4 |
| Platform | x86, x86-64, SPARC/64, PA-RISC, S390/x, MIPS/64, ARM, PowerPC/64 |
| Use | OS-level virtualization |
| License | GNU GPL v2 |
| Website | Linux-VServer.org |
Linux-VServer is a virtual private server implementation done by adding operating system-level virtualization capabilities to the Linux kernel. It is developed and distributed as open source software, licensed under the terms of the GNU General Public License (GPL).
The project was started by Jacques Gélinas. It is now maintained by Herbert Pötzl in Austria and is not related to the Linux Virtual Server project, which implements network load balancing.
Linux-VServer is a jail mechanism in that it can be used to securely partition resources on a computer system (such as the file system, CPU time, network addresses and memory) in such a way that processes cannot mount a denial-of-service attack on anything outside their partition.
Each partition is called a security context, and the virtualized system within it is the virtual private server. A chroot-like utility for descending into security contexts is provided. The contexts themselves are robust enough to boot many Linux distributions unmodified, including Debian and Fedora Core.
Virtual private servers are commonly used in web hosting services, where they are useful for segregating customer accounts, pooling resources and containing any potential security breaches.
Linux-VServer provides two branches for 2.6-series kernels, stable (2.0.x) and devel (2.1.x), and a single stable branch for 2.4-series kernels.
Conceptually, Linux-VServer is similar to Solaris Containers (including the Solaris Zones isolation technology), FreeBSD Jail, and OpenVZ.
Advantages
- Very fast and lightweight: virtual servers share the same system call interface and do not have any emulation overhead.
- Virtual servers can share a common file system and do not have to be backed by opaque disk images. This makes it easier to back up and to pool disk space among virtual servers.
- Processes within the virtual server run as regular processes on the host system. This is somewhat more memory-efficient and I/O-efficient than whole-system emulation, which cannot return "unused" memory or share a disk cache with the host.
- Networking is based on isolation rather than virtualization, so packets incur no additional overhead.
- Very modular design that allows sysadmins to “build” their own guests from basic building blocks.
Disadvantages
- Requires that the host kernel be patched.
- All virtual servers share the same kernel, so a kernel bug or security hole affects every guest on the host.
- No clustering or process migration capability is included, so the host kernel and host computer are still a single point of failure for all virtual servers (similar to Xen and UML).
- Networking is based on isolation, not virtualization. This prevents each virtual server from creating its own internal routing or firewalling setup.
- Some system calls (mostly hardware-related: for example, those dealing with the real-time clock) and parts of the /proc and /sys filesystems are left unvirtualized.
- No IPv6 support inside guests.
Similar technologies
Other implementations of operating system-level virtualization technology are OpenVZ, FreeBSD Jails, Solaris Containers, and FreeVPS (an early fork of Linux-VServer).
External links
- Linux-VServer site
- Official Releases
- Implementation paper
- VServer with Asterisk
- Sample /etc/init.d/bind9 rc file that uses capabilities and security contexts to minimize the damage a cracker could do if they broke into the BIND nameserver.
- Howtoforge: Linux-Vserver on Debian Sarge by themachine, 2005-11-11