Choice for Virtual Private Servers?
Posted by Kellen on Sun 8 Jan 2006 at 12:43
For free virtual private servers on Linux there are several available choices: User Mode Linux (UML), Xen, Linux-VServer, and probably many others. If you use one, which did you choose and why?
(We've covered a lot of different Xen articles recently, this seems to be the current favourite).
Definitely Steve's current fav. :-)
It just works so very nicely. Low overhead, simple to install, trivial to automate and it has a cool name!
In search of a virtualization solution for purposes of security and modularization, but with the low overhead of not consuming memory (RAM & HD) on duplicate data, I recently settled on linux-vserver.
Did I miss something in my personal research about Xen's efficiency of memory usage, or does "low overhead" refer to some other resource (CPU, admin's time, etc)?
Thanks.
If vserver fits all your needs then it would be more efficient in terms of disk space and RAM to use that, but obviously these are different types of virtualisation and Xen does provide more partitioning.
Andy
Is it that with Xen the host system's root must trust the guest system's root (x86)? The host kernel must be Xen-patched. The guest kernel can be almost anything.
And I'm not sure what vserver really does, as at first sight it seems to be only IPv4-level separation + chroot. This comes with the same requirement as Xen, but with a single kernel at a time.
UML. How is the separation done on x86? Does the host system's root have to trust the guest system's root? I guess this might be the only quite fast setup where it's not needed. But both the host and guest system kernels must be UML-prepared.
qemu or bochs - no kernel changes. Quite slow. No need to trust the guest system's root.
vmware is somewhere around Xen or qemu, not sure where. Never seen how it really works. And you only get the machine player for free.
Conclusion? I guess this sorts the technology from least to most (in ascending order) CPU/memory/disk/context switches. If you don't need security then go vserver, in case you run just IPv4 services and need to sort of separate the environments. Otherwise go for Xen, as it abstracts quite a bit beyond network-only separation. If you need extra security then probably UML (but that has to be investigated further) or qemu. Bochs is so much pain compared to qemu that it's just good for SMP code testing on a uniprocessor.
Please correct this if you find mistakes.
UML - kernel changes required only if you want to get extra speed.
qemu - kqemu module required only if you want to get extra speed.
This sorts like:
vserver, then Xen, then UML with kernel changes or qemu with kqemu, then UML or qemu without kernel changes, then bochs.
Bochs and vmware should allow you to have SMP guests. Not sure about Xen.
And because it's not very structured, nor centralized (the one-config-file didn't work for me), I'd rather put OpenVZ first.
Plus, you can change the resource management parameters (and other stuff) without having your virtual server restarted. In addition, OpenVZ provides a lot of tools like vzsplit, which can create a conf-sample file for <number given> virtual servers.
So IMHO: OpenVZ, vserver, Xen, UML...
That is an important issue. I'm planning some servers which will need virtualization - for development and deployment. AFAIR Xen would be the best one (servers will be based on Debian or Ubuntu). I'd like to see some words about your experiences.
Best Regards,
Luke Nowak
- UML is the easiest to install. At this time it requires no kernel-space changes; it is a user-space application. It is as easy as installing some UML Linux kernel binary (apt-get install user-mode-linux). You create a new installation using rootstrap, which does not even require root access. So user-mode-linux is entirely a user-space solution. If you want to set up advanced networking or want to have part of your existing filesystem mounted under UML as root, you need root access, but it should require absolutely no kernel modifications or reboots at all. Best for playing with virtual machines. The downside: it's slower than anything else; it's a kernel in userspace running under your kernel, and all system calls are emulated. Anyway, I know of several hosting companies using this approach for providing virtual machines, so it's not that bad at all. We also used this at school for Linux lessons. Users who do not have root access can boot, reboot, etc. their machines. It's probably best as a learning tool.
- Linux-vserver is simply advanced chroot. Very advanced, that is, but essentially you are running one kernel, which knows that it hosts several virtual machines. So essentially you cannot have a different kernel under your virtual machine, but you have a different user space, so you can essentially boot different operating systems.
Linux-vserver needs a kernel patch. All utilities are in Debian; a nice howto for sarge is here.
You can limit the usage of IP addresses inside a vserver, you can boot your virtual machines, have a different root user, etc. All is safe and sexy. The only downside is that you are not running a different kernel for each virtual machine, which is also the biggest advantage: it's the fastest and most efficient approach.
- Xen allows you to run different operating systems. It's a hypervisor, can be fairly compared to vmware or qemu, but it essentially does only virtualization; it does not emulate anything. You can either use the latest Intel chips, which support virtualization, or you need a patch in both host and "guest" kernels. But you can do things like migrating the machine live from one physical machine to the other, and work with hardware resources.
Since Xen guests run their own kernel, it's not as efficient as Linux-vserver, but it's faster than User Mode Linux, because there's no emulation.
Currently, the biggest downside is patching (or installing binary kernels, which I would like to avoid), but it's going into the mainstream kernel, so I hope that Xen will be standard under Etch.
- Qemu. To be complete, there's also a free processor emulator called Qemu. It's very useful for testing. I used it, for example, to build an OpenBSD userland for an embedded machine, etc. It runs from userspace. There's also an accelerator module, which makes it a lot faster if running an x86 guest on an x86 machine. Actually, there are two: one free, and one from the original author of qemu, which is proprietary. I have not tried the open-source module; I did not know about the Free one when I needed it, but building the proprietary module is as easy as apt-get build-dep qemu && apt-get source qemu, untarring the module in the qemu source directory, enabling it in debian/rules (adding --with-kqemu) and doing fakeroot ./debian/rules binary to create a Debian package.
The main advantage of qemu is that it allows you to emulate any architecture on any other. So you can run an i386 Debian userland on PowerPC, etc. I know that there's a Debian port of it, but in cases where you are developing a specially targeted userland for one processor, it's quite useful. Networking is also not so easy to set up (as opposed to user-space networking, which does not grant the userland its own IP address, but works for outgoing connections).
If you don't need advanced networking or the accelerator module, you can run qemu entirely from userland, which is very useful - you don't need root access.
Juraj.
That does seem like a good choice, but having a single shared kernel does give you some drawbacks. You cannot develop custom kernel modules, for example, without the risk of taking down the complete system.
Also you do have to take precautions when using it. (Minor things such as binding daemons to particular interfaces, rather than all of them).
Personally I rate things, for my needs, in the order:
- Xen
- VMWare
- Qemu
- Linux-vserver
- UML
VMWare is tied with Xen as the leader - but slips behind because of its closed nature, and price.
It is certainly nice to see more "competition" in this area, and I'm sure we'll all benefit from it regardless of which system we use.
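As an added illustration of the "bind daemons to particular interfaces" precaution mentioned above (this is not code from the thread): a small sh/awk check that reads netstat -tln style output and lists the listeners bound to every address, which on a shared-kernel vserver host are reachable on the guests' addresses as well. The netstat lines below are constructed sample data, not captured from a real host.

```shell
#!/bin/sh
# Added example: flag listening TCP sockets bound to the wildcard address
# (0.0.0.0 or ::). Input is the text layout of `netstat -tln`; the sample
# is constructed for this illustration.

SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:80         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp6       0      0 :::25                   :::*                    LISTEN'

# Print "<proto> <port>" for each LISTEN socket whose local address is a
# wildcard. Reads netstat-style text on stdin; the header line is skipped
# because its last field is "State", not "LISTEN".
wildcard_listeners() {
    awk '$NF == "LISTEN" {
            addr = $4
            # the port is the text after the last colon, the host the rest
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "0.0.0.0" || host == "::")
                print $1, port
         }'
}

# Number of wildcard listeners found in the sample (2: ssh on tcp, smtp on tcp6).
count_wildcard_listeners() {
    printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners | wc -l | tr -d ' '
}

# Stand-alone run: list the offenders, then a summary line.
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listeners
echo "wildcard listeners: $(count_wildcard_listeners)"
```

On a live host, replace the sample with the real `netstat -tln` output piped into `wildcard_listeners`; anything it prints should be re-bound to the vserver's own address.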
I said that for developing it's better not to use linux-vserver, but for production it is ideal, because of the little overhead (not having multiple kernels).
It depends on the use; that's why it's great to have different approaches and solutions (which would not occur in the proprietary world -- in Solaris, you have Zones and you can hardly choose anything else -- ok, Solaris is now open-source, but it wasn't for a long time. And it seems we'll have a Xen port to Solaris sometime soon)...
Anyways...
I wanted virtualization of user-land, like a super-chroot, extending into networking. I wanted to separate my daemons so a root exploit in one doesn't compromise all of them. But I also wanted the implementation to be as efficient as possible in terms of system memory and persistent storage. If I run 10 apache instances in 10 different virtual environments it should be as efficient as running 10 apache instances in a single environment. I also wanted to provide different environments for thin clients (remote X, NX, or VNC), so that I could use Debian testing while others use Ubuntu or Debian stable, but this is a lesser requirement, yet untested.
So far I have only implemented linux-vserver for daemon separation, and for this linux-vserver works well. I currently have apache (dynamic content), thttpd (static content), mysql, jabber, and exim set up, with courier-imap, samba, cups, and others to follow. Apache is installed in several vservers, one for each web application (moin, webcalendar, squirrelmail, phpmyadmin, cacti, etc), but it's actually the same apache by way of hardlinks (automatically, using vhashify). As currently all my vservers are based on sarge, the basic filesystem (/usr, /bin, /lib) is mostly shared between all the vservers. This means reduced duplication on the hard drive and in memory (like with shared libraries).
And migrating vservers from one server to another is as easy as stopping the vserver, tarballing its installation and configuration directories, moving the tarball to another machine, extracting the tarball, and starting it back up. That's mobile enough for me to migrate to a new server on an application basis.
Hopefully elaborating on my needs, requirements, and experiences with linux-vserver will help somebody determine if linux-vserver is right for them.
linux-vserver, compared to Xen, seems to have a smaller development team. Xen has a company supporting it; linux-vserver has a smaller number of developers. Assuming all developers are equal, fewer developers would have to leave linux-vserver than Xen to disrupt, or even halt, the project.
Xen is part of the official Linux kernel sources; linux-vserver is not. linux-vserver is maintained as a patch to the official kernel. This, paired with the frequent changes in the 2.6 kernel, means that the linux-vserver patch lags behind the official kernel releases by a few days and doesn't apply cleanly to any other version. The patch also rarely applies cleanly to distributions' kernels, as distributions do not account for linux-vserver when merging their own patches into their kernel for release.
The size of the development team and the out-of-tree nature of linux-vserver are not necessarily problems, but can cause problems in the long term (if this is a technology a company wants to standardize on for years).
Also, Xen wasn't working against testing when using udev - udev is experiencing a high turnover in code and improvements, which makes it a slippery dependency.
I ended up using vserver as it's good enough for my needs and actually worked :-)
John.
http://www.golden-gryphon.com/software/security/selinux-uml.xhtml
BertJan
---/etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback
# The primary bridged network interface: br0 takes over eth0 and gets
# the DHCP address; the qemu tap device is added to the bridge at runtime
auto br0
iface br0 inet dhcp
    bridge_ports eth0
    bridge_ageing 30
    bridge_fd 1
    bridge_hello 1
    bridge_maxage 2
    bridge_maxwait 3
---cut here
# -n names the script qemu runs once it has created the tap interface
exec qemu -hda /qemu/qemu-hda.img -hdc /qemu/q1swap -boot c -n /usr/local/bin/qemutun -m 255 -nographic -macaddr whatever
---/usr/local/bin/qemutun
#!/bin/sh
# qemu calls this with the tap interface name as $1; bring it up and
# (re)attach it to the bridge (the delif just clears a stale membership)
sudo /sbin/ifconfig "$1" up
sudo /usr/sbin/brctl delif br0 "$1"
sleep 1
sudo /usr/sbin/brctl addif br0 "$1"
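An added variant of the qemutun script above (not the poster's code): qemu hands the script the tap interface name as its only argument and the script runs ifconfig/brctl through sudo, so this version checks that the argument really looks like a tap interface before running anything privileged. The bridge name br0 and the tap naming pattern are assumptions carried over from the post.

```shell
#!/bin/sh
# Added example: a qemutun that validates the interface name before
# passing it to sudo'ed ifconfig/brctl. br0 and the tapN naming pattern
# are assumptions; adjust them to your bridge setup.

BRIDGE=br0

# Accept only names like tap0 or tap12: fixed prefix, up to three digits,
# nothing else. Returns 0 when the name is acceptable, 1 otherwise.
valid_tap_name() {
    case "$1" in
        tap[0-9]|tap[0-9][0-9]|tap[0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Bring the tap up and (re)attach it to the bridge, the same sequence as
# the original qemutun, but only after the name has been checked.
attach_tap() {
    if ! valid_tap_name "$1"; then
        echo "qemutun: refusing interface name '$1'" >&2
        return 1
    fi
    sudo /sbin/ifconfig "$1" up
    # delif only clears a stale membership; it is allowed to fail
    sudo /usr/sbin/brctl delif "$BRIDGE" "$1" 2>/dev/null
    sleep 1
    sudo /usr/sbin/brctl addif "$BRIDGE" "$1"
}

# When invoked by qemu, the interface name is the only argument.
if [ $# -eq 1 ]; then
    attach_tap "$1"
fi
```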
With this combination I would have Xen supporting a mix of different Linux or BSD virtual machines (e.g., one running Ubuntu for my desktop using VNC, one with Debian Stable for production services, one with Debian Unstable for development), while using VServer inside the "production services" Xen domain to keep my Apache services securely separated from my Exim services by using separate security contexts.
I haven't gotten around to implementing it myself, so I'm curious if anyone has first-hand experience to report.
I've been using Linux-VServer for some time for testing; I think it's an easy-to-install solution for virtualization, especially for services which don't need advanced networking features, like web hosting, SMTP, POP/IMAP servers. You can find good documentation (like step-by-step guides) on http://linux-vserver.org/ and the mailing list is pretty active.
At present, I don't use Linux-VServer in a production environment, but I plan to do it as soon as possible. My essential use is for doing some tests with copies of production servers and it's very useful!
What about OpenVZ, the free version based on Virtuozzo?
http://openvz.org/
Does anyone have some good/bad testing/production experiences with OpenVZ?
best regards,
Arnaud
Cya :3
KXan
Having only such an exotic parisc-linux to test much Linux stuff, I don't yet have a lot of choice?
For a month now, I have thus been running Linux-VServer (development release) with success on 2 32-bit UP parisc boxes :<), though.
hth,
Joel
Has someone done such tests?
Cheers,
http://www.linuxjournal.com/article/8812
The machines are 24h x 7d running under heavy load. I made a failover-configuration using rsync by myself. As I'm about to upgrade these servers I'm still thinking of using vserver (using san this time).
In these 3 years we had no (0) problems with the servers (except for hardware issues) at all.
vserver is stable.
regards, daniel