[ILUG] Virtualisation

[David Golden]

On Saturday 04 August 2007, Belgarath wrote:


> What about xen ?

Xen does a somewhat different thing to openvz.   OpenVZ is a bit more 
like an (extremely) enhanced chroot or jail.  So you can use OpenVZ for 
VPS, because in many scenarios, it's not much of a restriction that all 
virtual private servers must run the same kernel.  But for kernel 
development sandboxing or supporting VPSes running wholly different 
OSes, or if you just think para- or full- virtualisation is likely to 
be more secure, then you need the likes of Xen or QEMU/KVM.

So OpenVZ has noticeably lower performance overhead than full machine 
virtualisation, at least without "sufficiently powerful" virtualisation 
hardware support (which probably won't appear until >= AMD Barcelona in 
x86land, barcelona introducing nested page table support), and even 
then, I expect openvz to have lower administrative overhead - managing 
a bunch of super-jails rather than a bunch of full virtual machines.

I really haven't investigated enough to form a hugely useful opinion on
openvz vs. linux-vserver, but the openvz guys say that their
isolation is better and they virtualise more: 
http://kerneltrap.org/node/6492
Certainly, if it's still true that openvz virtualises netfilter and
vserver doesn't, and I was a service provider, I'd just go for openvz -
if I as a customer was paying for VPS hosting, I'd expect to be able to 
write my own filter rules! 
 
At a sufficiently vague level, all these things are
similar of course. Hey, once upon a time, unix memory-protected 
processes themselves were often explained as virtualisation of the 
machine.  Of course, then people crashed through various abstraction 
barriers in the name of efficiency (compare plan 9 and unix networking 
8-( ).  (I like KVM in particular because its virtual machines are 
managed as linux processes, but of course KVM needs real hardware 
support for virtualisation)