david.golden at unison.ie
Sat Aug 4 14:14:35 IST 2007

On Saturday 04 August 2007, Belgarath wrote:
> What about xen ?

Xen does a somewhat different thing to OpenVZ. OpenVZ is a bit more
like an (extremely) enhanced chroot or jail. So you can use OpenVZ for
VPS, because in many scenarios, it's not much of a restriction that all
virtual private servers must run the same kernel. But for kernel
development sandboxing or supporting VPSes running wholly different
OSes, or if you just think para- or full- virtualisation is likely to
be more secure, then you need the likes of Xen or QEMU/KVM.

So OpenVZ has noticeably lower performance overhead than full machine
virtualisation, at least without "sufficiently powerful" virtualisation
hardware support (which probably won't appear until >= AMD Barcelona in
x86land, Barcelona introducing nested page table support), and even
then, I expect OpenVZ to have lower administrative overhead - managing
a bunch of super-jails rather than a bunch of full virtual machines.

I really haven't investigated enough to form a hugely useful opinion on
OpenVZ vs. Linux-VServer, but the OpenVZ guys say that their
isolation is better and they virtualise more:

Certainly, if it's still true that OpenVZ virtualises netfilter and
vserver doesn't, and I was a service provider, I'd just go for OpenVZ -
if I as a customer was paying for VPS hosting, I'd expect to be able to
write my own filter rules!

At a sufficiently vague level, all these things are
similar of course. Hey, once upon a time, Unix memory-protected
processes themselves were often explained as virtualisation of the
machine. Of course, then people crashed through various abstraction
barriers in the name of efficiency (compare Plan 9 and Unix networking
8-( ). (I like KVM in particular because its virtual machines are
managed as Linux processes, but of course KVM needs real hardware
support for virtualisation.)