Operating system-level virtualization
From Wikipedia, the free encyclopedia
Operating system-level virtualization is a server virtualization technology that virtualizes servers at the operating system (kernel) layer. It can be thought of as partitioning a single physical server into multiple small computational partitions. Each such partition looks and feels like a real server from the point of view of its owner. On Unix systems, this technology can be thought of as an advanced extension of the standard chroot mechanism.
There are many terms for the computational partitions: virtual environments (VE), virtual private servers (VPS), jails, guests, zones, vservers, containers etc.
Comparison to other techniques
The operating system-level architecture has low overhead, which helps to maximize efficient use of server resources. Because of the single-kernel approach, this type of virtualization introduces only negligible overhead and allows running hundreds of virtual private servers on a single physical server. In contrast, approaches such as emulation (like VMware) and paravirtualization (like Xen or UML) cannot achieve such a level of density, due to the overhead of running multiple kernels. On the other hand, operating system-level virtualization does not allow running different operating systems (i.e. different kernels), although different libraries, distributions etc. are possible.
Since there is a single OS kernel which maintains all the partitions, isolation and resource management become very important. Without proper isolation, security can be compromised; without proper resource management, an application in one partition can abuse resources and thus cause a denial of service for the other partitions. Resources that can be controlled and limited include CPU time, disk space, I/O bandwidth and network access, as well as all the other finite resources such as RAM, shared memory, locked pages, number of processes, socket buffers etc. For example, OpenVZ provides a set of more than 20 finite resources that are accounted and limited on a per-partition basis.
Compared to the hardware-assisted virtualization solutions (like IBM's LPAR), OS-level virtualization has the benefit of running on inexpensive commodity hardware.
Uses
OS-level virtualization solutions initially gained popularity with service providers who needed a very low-overhead, customizable, cost-effective solution for providing hosting services to customers. The technology is now becoming more widely deployed as many different industries and customers recognize the benefits of, and the differences between, OS virtualization and hardware virtualization. Common uses and scenarios now include server and OS consolidation, business continuity (disaster recovery and high availability) and centralized desktop virtualization.
Implementations
Mechanism | Operating system | File system isolation | Disk quotas | I/O rate limiting | Memory limits | CPU quotas | Network isolation | Partition checkpointing and live migration
---|---|---|---|---|---|---|---|---
chroot | most UNIX-like operating systems | Yes | No | No | No | No | No | No
FreeVPS | Linux | Yes | Yes | No | Yes | Yes | Yes | No
Linux-VServer (security context) | Linux | Yes | Yes | Yes/No [1] | Yes | Yes | Yes | No
OpenVZ (virtualization, isolation and resource management) | Linux | Yes | Yes | Yes [2] | Yes | Yes | Yes [3] | Yes
SWsoft Virtuozzo | Linux, Windows | Yes | Yes | Yes/No [1] | Yes | Yes | Yes [3] | Yes
Container/Zone | Solaris | Yes | Yes | No | Yes | Yes | Yes [3] | No [4]
FreeBSD Jail | FreeBSD | Yes | No | No | No | No | Yes | No
Implemented Safety | Windows XP, Vista | No | No | No | No | No | No | No
Memory Isolation | Mac OS X | Yes | ? | ? | ? | ? | ? | ?
Notes
- [1] Using the CFQ scheduler, you get a separate queue per guest. In fact, the I/O queue is per-process, not per-guest, so a container with many processes can still consume an arbitrary amount of disk I/O.
- [2] Available since kernel 2.6.18-028stable021. The implementation is based on the CFQ disk I/O scheduler, but it is a two-level scheme, so I/O priority is not per-process but per-container (i.e. the way it should be). See the OpenVZ wiki page "I/O priorities for VE" for details.
- [3] The network is not isolated but rather virtualized, meaning each virtual environment can have its own IP addresses, firewall rules, routing tables and so on.
- [4] Only cold migration (i.e. the container must be shut down and restarted) is implemented.
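To make the difference behind the "Yes/No [1]" and "Yes [2]" entries in the I/O rate limiting column concrete, the following toy round-robin model is added here; it is not code from the article, OpenVZ or Linux-VServer. It shows why a single per-process queue lets a container with many processes crowd out its neighbours, while a two-level (per-container, then per-process) scheme bounds each container's share. The container names and process counts are constructed sample input.

```python
"""Toy model of single-level (per-process) versus two-level (per-container)
fair I/O scheduling.  Added illustration, not OpenVZ/Linux-VServer code.
Container names and process counts are constructed sample input."""
from collections import Counter


def per_process_share(containers, slots):
    """Single-level fairness as in note [1]: one queue per process.
    Each scheduling slot goes to the next runnable process, regardless of
    which container owns it, so share grows with process count."""
    procs = [c for c, n in containers.items() for _ in range(n)]
    served = Counter()
    for i in range(slots):
        served[procs[i % len(procs)]] += 1
    return {c: served[c] / slots for c in containers}


def two_level_share(containers, slots):
    """Two-level fairness as in note [2]: slots are first shared round-robin
    between containers, then inside the chosen container between its own
    processes, so spawning more processes cannot raise a container's share."""
    names = list(containers)
    served = Counter()
    next_proc = {c: 0 for c in containers}        # inner round-robin position
    for i in range(slots):
        c = names[i % len(names)]                 # outer level: containers
        next_proc[c] = (next_proc[c] + 1) % containers[c]  # inner: processes
        served[c] += 1
    return {c: served[c] / slots for c in containers}


# Constructed scenario: ve101 runs 1 I/O-heavy process, ve102 runs 10.
SAMPLE = {"ve101": 1, "ve102": 10}


def worst_case_share(containers, scheduler, slots=1100):
    """Bandwidth fraction received by the container with the fewest
    processes, i.e. the victim of a noisy neighbour, rounded to 3 places."""
    shares = scheduler(containers, slots)
    victim = min(containers, key=containers.get)
    return round(shares[victim], 3)


if __name__ == "__main__":
    print("per-process queue, victim share:", worst_case_share(SAMPLE, per_process_share))
    print("two-level scheme,  victim share:", worst_case_share(SAMPLE, two_level_share))
```

With the sample input the victim container keeps about 9% of the bandwidth under per-process queuing but 50% under the two-level scheme, which is the limitation note [1] describes and note [2] removes.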