Domain: linux-vserver.org
Stories and comments across the archive that link to linux-vserver.org.
Comments · 48
-
Re:No one cares enough to build a competitor.
LXC is the core technology, and the part that's actually revolutionary (for linux).
LXC is not really revolutionary, OpenVZ and Linux-VServer provided linux containerization for many many years.
I expect someone to come along any minute now and say that Docker no longer uses LXC anyway, now it uses libcontainer. This isn't true, libcontainer is just another frontend to LXC, libvirt being the first project to run a LXC without using the LXC userland.
-
*face-palm*
Please, if you're going to manufacture news, get someone who's proficient in Linux to write it so the source sounds somewhat credible.
FTA
"Unusually for Ubuntu, the server does have a root account, and the VPS provides you with root access, so no sudo command is needed."
thank god they went through the trouble of "sudo passwd nubjob"
No no don't stop testing our product before we start charging for it!
"Now that it’s set up, you can’t just ignore it. If you do, your website or worse your VPS may eventually fall over. Plesk auto-upgrades itself, and on the Windows VPS, that used to break a website. I was using PostgreSQL, and with every new update of Plesk, the PostgreSQL drivers were unhooked."
I can't wait to get my auto-breaking, I mean updating, server! And this is better than a free VirtualBox VM how?
Although I have to give them kudos for reminding me to look up the chroot jail equivalent for Linux! http://wiki.linux-vserver.org/Overview -
Linux-Vserver
For something similar for Linux, take a look at Linux-Vserver. I've been using it for a while, it's pretty good. A while ago, I wrote a howto showing how to install Linux-Vserver on Debian Etch, most of it would still apply today
:) -
Re:excellent sales story
Actually, Xen is not at all similar to a BSD jail, no matter how you look at it. Xen does full OS virtualization from the kernel and drivers on down to userland. A FreeBSD jail is basically chroot on steroids. The "virtualized" processes run exactly the same as "native" ones, they just have some restrictions on their system calls, that's all.
Precisely.
Similar products in the Linux space are Linux Vserver (which I use) and OpenVZ.
-
Re:-1, Flamebait
Linux has that with: http://linux-vserver.org/
Both linux vservers and bsd jails have existed for plenty of years before vmware, xen, virtualbox, etc.
And, on that subject, this http://en.wikipedia.org/wiki/LinuxPMI is based on 'mosix', which made your cluster of linux boxes appear as one single massive machine, with transparent process migration and all that.
There are lots of virtualization and clustering options out there.
-
Re:Are they serious?
If you execute chroot() and then a seteuid(uid) where uid>0, then you prevent a hole/bug in your program from being exploited in a way that will allow file access/execution outside the chroot. That *is* a security advantage.
According to the page about breaking out of chroot linked from the discussion, the seteuid() is not effective because the process still has a real UID of 0 and can call seteuid(0) at any time.
You can create a chroot without any directories with mode 7771 privileges (a la /tmp), that is free of any setuid binaries, and without "useful" utilities like wget or curl that can make exploiting the system child's play. If your program runs inside of a chroot as a non-root user, and your chroot has no setuid binaries, and your kernel has no privilege escalation vulns, then you can be reasonably sure that nobody will break the chroot or achieve privilege escalation.
I'd agree, but it sounds like doing this is nearly impossible in practice. Others in the linked article suggested jail() on *BSD or vserver on Linux are tools actually designed for security even when privilege escalation is possible. -
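The point the thread circles around is that seteuid() only changes the effective UID; the real and saved UIDs stay 0, so the process can call seteuid(0) whenever it likes. The following is an added example, not code from linux-vserver.org or from any of the posters, showing the UID-triple logic and the setresuid()-based drop that closes the gap. It assumes a Linux system (setresuid/getresuid are Linux calls), and the jail path and target UID in the main block are hypothetical placeholders.

```python
"""Added example: dropping privileges inside a chroot the way the thread
argues it must be done. Not code from linux-vserver.org or any poster."""
import os


def uids_allow_regaining_root(real: int, effective: int, saved: int) -> bool:
    """Can a process with this (real, effective, saved) UID triple act as
    root again?

    seteuid()/setresuid() let an unprivileged process set its effective UID
    to any of the three current values, so a real or saved UID of 0 means
    seteuid(0) succeeds regardless of the effective UID. That is exactly the
    gap in chroot() followed by seteuid(uid): real (and saved) UID stay 0.
    """
    return 0 in (real, effective, saved)


def drop_privileges(uid: int, gid: int) -> bool:
    """Switch real, effective and saved UID/GID to uid/gid for good and
    verify it. Returns True only when root can no longer be regained."""
    if os.geteuid() == 0:
        # Supplementary groups inherited from root must go first; once the
        # UIDs are dropped we would no longer be allowed to touch them.
        os.setgroups([])
    os.setresgid(gid, gid, gid)   # groups before UIDs, for the same reason
    os.setresuid(uid, uid, uid)
    if os.getresuid() != (uid, uid, uid) or os.getresgid() != (gid, gid, gid):
        return False
    if uids_allow_regaining_root(*os.getresuid()):
        return False
    # Belt and braces: the kernel must now refuse a switch back to root.
    try:
        os.seteuid(0)
    except PermissionError:
        return True
    return False


def enter_jail(new_root: str, uid: int, gid: int) -> bool:
    """chroot() then drop privileges. Needs root (CAP_SYS_CHROOT) to start.

    chdir("/") is not optional: a process whose cwd is outside the new root
    can still reach the host filesystem through relative paths, which is
    one of the classic chroot escapes.
    """
    os.chroot(new_root)
    os.chdir("/")
    return drop_privileges(uid, gid)


def running_as_root() -> bool:
    return os.geteuid() == 0


def drop_to_self() -> bool:
    """Exercise the verification path without root: re-set the triple to the
    caller's own real IDs, which the kernel permits for any process."""
    return drop_privileges(os.getuid(), os.getgid())


if __name__ == "__main__":
    # Hypothetical jail directory and target account; adjust before use.
    if running_as_root():
        print("jailed and dropped:", enter_jail("/srv/jail", 65534, 65534))
    else:
        print("not root; verification path only:", drop_to_self())
```

Run it as root to see the full chroot-and-drop path; as an ordinary user it only exercises the verification, which is the part worth keeping in any daemon: after the drop, an attempt to become root again must fail, and anything else means the drop was incomplete.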
Re:I'll bite
Check out http://linux-vserver.org/
If you're using Debian Etch then there are prebuilt kernels with the patches applied. It seems basically the same concept as FreeBSD jails or Solaris Zones to me. I've been using it for a while with great success :)
On Debian, setup is like this:
# apt-get install linux-image-2.6-vserver-686 util-vserver vserver-debiantools
# reboot
You can build a new jail like this:
# vserver NAME build --force -m debootstrap -- -d etch -m http://ftp.debian.org/debian
Then set up a network interface for it according to the docs (put some stuff in /etc/vservers/NAME/interfaces)
Works great :) -
Re:Clarification of these technologies
Yes, they are all very different but at the same time quite similar from a user's perspective. All of them (unless I've missed something) more or less emulate a whole machine. This means you have to mess with disk images or dedicated drives/partitions/LVs, allocate a fixed amount of RAM to the guest, among other things.
Personally I like the approach of OpenVZ and VServer better. The main OS and the guests all share the same kernel, share the RAM and their root filesystems can be just subdirectories of the host's filesystem. When inside the virtual server you don't realize that though. You only see your own processes and everything works as if it was a dedicated server. You can run iptables, reboot and just about everything you could normally do in XEN/KVM/VMWare. Including live migration of virtual servers to other physical hosts. chroot on steroids.
I really hope OpenVZ and/or VServer will be merged at some point. VServer seem to keep up with current kernel releases so that wouldn't be too hard to merge I guess. OpenVZ usually have a lag of something like half a year. -
Re:vm ware
Except that OpenVZ is a better way to go in that case.
For fairness it should be mentioned that aside from OpenVZ there is also Linux VServer which does a few things better than OpenVZ (though OpenVZ does some things it does not). Our preference has always been VServer, it's a well-run project with emphasis on quality and well thought through design rather than quantity.
-
Re:Err....
Sorry,
ZFS not yet, DTrace not yet.
Zones: virtual servers have been available for Linux since 2001 ;-) I have used them since 2001 and it is very stable software. Very easy to maintain patches or RPMs in zones.
you can check the ftp site for the first release that I know of
ftp://ftp.solucorp.qc.ca/pub/vserver/old//
patch-2.4.16ctx-4 42 KB 2001-11-26 00:00:00
New dev can be found here:
http://linux-vserver.org/Welcome_to_Linux-VServer.org/
- You can unify 2 zones to use less disk space in Linux-VServer; can you do that with Solaris Zones? ;-) -
Virtualisation on Linux
-
Re:Problem: Sometimes you want to limit root.
Solution: Don't give your chroot jail access to the binfmt filesystem. I'm not sure how this can be done, though, as root is allowed to mount pretty much whatever it wants.
root can escape a chroot jail easily anyway, this is no protection. Using --rbind mounts in per-process namespaces (à la linux-vserver) is a better idea. -
VMware Debian problem?
Didn't check with the latest version, but with 4.0 I was unable to install Sarge; anyway I'm using vserver for any virtualization thingie, not so powerful but more stable than Xen, atm.
-
Don't forget Linux Vserver
Don't forget Linux-vserver - it's very good, and very fast - as root in a vserver is root on the actual host - processes just can't "see" or kill any outside their own context. Props to Bertl.
-
The Reverse: Using Host to Protect Virtual Servers
This is regarding Linux rather than Windows but:
Host machine with Vserver kernel running Tripwire or Aide
with configuration adjustments to detect changes in client "machines"
Host machine well protected
client machines doing ftp or web services or email or.....
Although Vserver is particular to Linux: other schemes doing reasonably strong virtualization can also do the job in Linux, Solaris (Zones), BSD (Containers), Windows, etc.
It should greatly decrease the ability of something as clever as BluePill to do damage if it was infecting a well-partitioned virtual machine rather than a regular machine.
Vserver: http://linux-vserver.org/
AIDE: http://www.securityfocus.com/infocus/1424 -
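The idea in the post above is that the host, which sees every guest's root directory as a plain subtree of its own filesystem, can baseline and re-check the guests from outside, where a compromised guest cannot tamper with the scanner or its database. The following is an added example of that host-side check; it is not code from AIDE, Tripwire or linux-vserver.org. It assumes only the Python standard library, and the guest tree it scans in `demo()` is constructed in a temporary directory.

```python
"""Added example (not AIDE's, Tripwire's or Linux-VServer's code): a
host-side integrity baseline for guest root trees."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# (mode, uid, gid, size, sha256); size and hash are recorded for regular
# files only, so a directory's entry count on tmpfs does not show as a change.
Record = Tuple[int, int, int, int, str]


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str,
             exclude: Tuple[str, ...] = ("proc", "sys", "dev", "tmp")) -> Dict[str, Record]:
    """Walk a guest root from the host and record every entry.

    Entries are lstat'ed and symlinks are never followed, so a guest cannot
    point the scanner at something outside its own tree. `exclude` names
    guest-relative top-level directories that are volatile or, like proc,
    reflect the running guest rather than its files.
    """
    records: Dict[str, Record] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        if rel_dir == ".":
            dirnames[:] = [d for d in dirnames if d not in exclude]
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            regular = stat.S_ISREG(st.st_mode)
            records[os.path.normpath(os.path.join(rel_dir, name))] = (
                st.st_mode, st.st_uid, st.st_gid,
                st.st_size if regular else 0,
                _sha256(full) if regular else "",
            )
    return records


def compare(old: Dict[str, Record], new: Dict[str, Record]) -> Dict[str, List[str]]:
    """Report what changed inside the guest since the baseline was taken."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed guest root: baseline it, tamper with it, diff it."""
    with tempfile.TemporaryDirectory() as guest:
        os.makedirs(os.path.join(guest, "bin"))
        os.makedirs(os.path.join(guest, "etc"))
        seed = (("bin/sh", b"#!/bin/sh\n"),
                ("etc/passwd", b"root:x:0:0::/:/bin/sh\n"),
                ("etc/motd", b"hi\n"))
        for rel, body in seed:
            with open(os.path.join(guest, rel), "wb") as f:
                f.write(body)
        before = baseline(guest)
        # Simulated compromise: backdoor account, dropped tool, deleted file.
        with open(os.path.join(guest, "etc/passwd"), "ab") as f:
            f.write(b"eve:x:0:0::/:/bin/sh\n")
        with open(os.path.join(guest, "bin/nc"), "wb") as f:
            f.write(b"\x7fELF")
        os.remove(os.path.join(guest, "etc/motd"))
        return compare(before, baseline(guest))
```

Keep the baseline dictionary somewhere no guest can reach (on the host or on read-only media), and take it while the guest is stopped or with its runtime mounts excluded; otherwise the report is noise rather than evidence.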
Xen Vs. Linux VServer
A couple of months ago I was faced with the problem of needing to host multiple domains on one system. I initially considered Xen for my virtual servers need. However when I learned that this solution would not share the memory (each Vserver would have to have its dedicated memory) I decided to try out Linux Vserver. I have been a happy user of Linux Vserver since then.
With Linux Vserver you only run one kernel on your system where with Xen each virtual server runs its own kernel. This presents some limitations for Linux Vserver. For example the guest virtual servers cannot have the network loopback interface lo. But almost all of these I could live without.
Now if I want to start adding more virtual servers I can, without having to worry about running out of memory. -
Re:No worries about companies, just about quality.
Resource limits and CPU scheduling have been part of Linux-VServer for a long time now
...
http://linux-vserver.org/Resource+Limits -
It's not that simple: everyone is following the $
Xen has caused major shifts in business direction for commercial virtualisation companies: VMWare suddenly released their VMWare player in part as an effort to make their "virtual machine file format" the standard one. Look they even want to support virtualisation standards now! SWSoft kicked off OpenVZ for similar motivation: because Xen is a competing solution and (they gamble) that it is going to be better to give away a corresponding part of their "crown jewels" to get more of a market share.
Getting your virtualiser into the kernel (or a vendor tree) isn't about control, it's about being in technical pole position to sell copies of their commercial products. Xen might be free, and might have started this all off, but they too have a commercial arm, XenSource, trying to sell Xen Optimizer, presumably as a coda to other products. SWSoft have Plesk, HSPComplete, PEM and others. And VMWare has ESX/GSX server. All of their selling would be made easier, and their marketing departments made very happy, if the king of open source projects, Linux, includes parts of their core technology.
While I'm not sure what the criteria are for acceptance into the kernel, I don't think it's going to happen for SWSoft. From an engineering standpoint, their technology is not much different from Linux vserver which has been around a while to do much the same job and I imagine its invasive kernel changes to keep everything partitioned are just as (un)appealing to kernel maintainers. On the other hand the Xen kernel changes implement a new "architecture", albeit a virtual one, and (last I looked) were only around 150K in size. So I would have thought that the Xen guys have more of a shot at this one because the bulk of their software is maintained outside of the Linux kernel, and seems like the better solution from an engineering standpoint.
But with CPU virtualisation extensions becoming all the rage this year, I think it'll be a while before the best solution shakes itself out engineering-wise: there is still too much vendor "buy-in" for any of these solutions to seem like a good bet for the mainline kernel.
Also NB from the article that SWSoft have made lots of money from selling a modified Linux kernel, and yes for years before OpenVZ they would give out the sources to Virtuozzo licensees. It's not clear to me whether Virtuozzo uses a forked OpenVZ codebase and they are continuing to develop virtuozzo's kernel bits in secret (which would seem like madness on top of running openvz, but that's commerce for you :) ). -
Virtualization Renders All Of This Moot
I have 3 servers at rackspace. they came with redhat enterprise linux 3.0, which i couldn't stand despite being a die hard redhat guy (and stock purchaser) in the redhat7 days.
Each of those boxes runs http://www.linux-vserver.org/, which then spawns off 50 or so instances of debian sarge distributions to run our cluster (tomcat, apache, postgres, http://www.xcnetwork.com/, and others).
I wouldn't be surprised if rackspace is actually reporting this as a windows operating system, since the hardware probably came with a windows install originally. But how do you count it, really? 3 Redhat installs, even though all that distro does is run the kernel, ssh, and the vserver userland tools? Or is it 50 instances of debian sarge?
I have a strong gut feeling i'm not the only one playing with virtualization (vmware esx/gsx, xen, hell even ms now has some offerings)
The reality is we'll never really know how many linux servers there are. i'm guessing tens of thousands are running --routers and firewalls-- and hundreds of thousands (millions?) dont have a public ip address. on the other side of the fence you have microsoft, touting every license that they sell, even knowing full well that some percentage of them are not in use despite being purchased in some leverage deal.
Not that i really care, since I'm busy building a company around the concept of platform agnosticism and anti-lockin. So long as the innovation market is still fostering development in open source software i could care less how many licenses microsoft is reporting having sold. I dont need to be sold "Linux," what i need to be sold is support. -
I'd rather see Linux VServer included
There are a few problems with Xen. First, it's i386 only. Second (and this is the biggest problem IMO) - Xen is venture-backed, and seems to be extremely eager to show their investors a return. Nothing wrong with that, but it's important to consider the motivation, and the consequence of a funding pull back. If XenSource does not turn out to be a great business, then will Xen still be developed and maintained? Why not wait a little bit, in the open source world quality over quantity matters and time pressure should not influence development.
Also, there is another project that I plug every chance I get - Linux Vserver. Unlike Xen, this is a purely volunteer effort, and is very innovative and attempts to solve a difficult issue. Unlike Xen, these guys actually do not want to be in the mainline for now, because they think it will slow down development. Because Linux VServer is taking a different approach to virtualization (better known as separation, which was pioneered by FreeBSD jails and is also now supported in Solaris), the end result is cross-platform, i.e. runs on any architecture that Linux runs on.
Now in the past whenever I posted about Linux VServer a lot of folks said that Xen allows you to run multiple operating systems and that that is why it is so useful. I think that in reality running multiple OS's isn't all that valuable - the only case where it may be very useful is software development, but that's a tiny fraction of the Linux users. We've been using Linux VServer for hosting, and we are absolutely convinced that this is the right solution - for using Xen for example would introduce all kinds of problems (starting with resource bloat).
Yet unfortunately the OSS world has become PR driven lately. Very few people are technically capable of looking at things based on its merits and just go after the things that have the most buzz, not realizing that the buzz is artificially generated.
-
Why Xen and not vservers?
While Xen appears as a neat package, why choose Xen instead of vservers?
The hardware cost of running multiple copies of the same OS with vservers is smaller than Xen - there is one and only one copy of glibc in memory, one and only one scheduler, and so on.
-
Re:Bundling
http://list.linux-vserver.org/archive/vserver/msg02546.html
http://groups.google.com/group/mlist.linux.kernel/browse_frm/thread/50a838e9734da325/36f7c8badcb06752?lnk=st&q=unexplained+reiserfs+corruption&rnum=1&hl=en#36f7c8badcb06752
http://groups.google.com/group/alt.os.linux.slackware/browse_frm/thread/9193d9ab458cbc91/61101e11a18d28b5?lnk=st&q=unexplained+reiserfs+corruption&rnum=2&hl=en#61101e11a18d28b5
Lots of people have weird problems with reiserfs that they never have anywhere else. They also never seem to get their questions answered. -
Re:PHP5!
It is part of my job to stay informed about IT in general.
If you read Slashdot the "right" way, you can get some very interesting insights and ideas.
You can't imagine what I've seen on slashdot for the first time, which has become productive in the company I work for.
- The linux vserver project http://linux-vserver.org/
- subversion http://subversion.tigris.org/
- svg (see previous story)
- Phpcache http://www.php-accelerator.co.uk/
- Ajax (I know it's mainly a buzzword at the moment but my current project already benefits)
And numerous discussions about security.
See, slashdot is not my main source of information, but it leads to information. -
For Zones there is VServers
from TFA: Solaris containers (aka 'zones') are also noteworthy. They're virtual environments a bit like BSD jails, only slicker.
Though not part of the mainline kernel yet, there is the Linux Vservers project. I don't know much about Solaris zones not having any hands-on experience (though I did attend a talk on it), but I can say that Linux VServers beats the hell out of FreeBSD jails, which is sad IMO because in all other respects I prefer FreeBSD to Linux.
So I think it's the other way around - the Linux community will catch up much faster with Solaris, if only to show that they can.
Also this article looks like it could be Sun-sponsored PR - Sun seems to do very well comparing itself to Linux all the time.
-
Re:Not quite
So when is Linux VServer going to be merged into the official Linux tree or supported by a major distro?
With respect to the Linux tree, based on this comment by Herbert, who is the main VServer developer, probably not as soon as we all would like. I think at this point the main kernel developers do not understand the value a project like this brings to Linux.
As far as a major distro - it works with any distro already.
-
Re:Leave it to a PC mag to not know...
The Linux Vserver Project is the equivalent of Solaris' zones.
-
Re:Good Idea!
Has anybody done a 1-to-1 comparison between Solaris Zones and the features that Xen provides?
Solaris Zones and XEN are different products entirely. XEN is a low-level hardware monitor that is loaded before any O/S, and then provides a virtual machine for the actual O/S. XEN boots one or more slightly modified Linux kernels (or NetBSD, I seem to recall; with support for the "XEN Platform" which happens to be binary compatible with x86). These kernels are completely separated from each other, they do not even need to be the same kernel, nor the same O/S! This concept has a long tradition on mainframes like the IBM pSeries or zSeries, where you can run both AIX and Linux at the same time, on down to a tenth of a CPU.
Solaris Zones, on the other hand, provide kind of a generalized chroot(2) environment, so that processes can be better insulated from each other. There is, however, only one instance of the Solaris kernel running - no virtualisation. This of course saves a lot of resources, especially memory, since memory cannot be shared among the different kernels running under XEN. OTOH, if you need two different kernels (for whatever sinister reasons), well, you'll need two machines. BTW, an idea very similar to the Zones is pursued by the Linux-VServer project. -
Re:What about UML?
How does Xen compare to User Mode Linux?
Xen is going to be a much better performer than UML. However, if you need maximum performance and are OK with running only one operating system (Linux), consider Linux VServer. It gives you most of the functionality of "virtualization" (even though it's not true virtualization since there is only _one_ kernel running on the machine) - a complete "virtual server" appearance with essentially no overhead.
There are numerous advantages to the VServer approach (a.k.a. Zones on Solaris and Jails on FreeBSD, BTW), such as the ability to access the filesystem from host (very useful for backups), ability to view/control the virtual server processes from host, single VM and IO across all virtual servers thus providing much better optimization. The performance is stunning - you just don't feel "virtualized".
Linux VServer isn't backed by major universities and Microsoft Research and thus unfortunately does not get the publicity, even though it is one of the most revolutionary projects out there IMHO. I hope it becomes part of vanilla kernel some time soon.
-
How's this different?
How is this different from projects such as Linux-VServer? http://linux-vserver.org/
-
Re:Zones and Xen
With Xen, you have to staticly partition physical memory among the domains, which can be wasteful if the domains have different workloads. With Zones, the resources can shift between zones dynamically based on usage.
Under Xen you can move memory between domains using the balloon driver. Unlike for Zones, this won't happen automagically at the moment but it wouldn't be difficult to implement simple autoballooning.
With Xen, each domain has a full install of the OS, which takes quite a bit of diskspace.
You can share things like /usr read-only between domains. There's also the possibility of using CoW block devices / filesystems, although we've yet to find an ideal solution for this.
Regarding the article, I think it's also worth pointing out that under Linux, vservers is much closer to BSD Jail / Solaris Zones than Xen or UML and would probably be a better comparison.
-
Re:OpenHosting.Com
How are they speed/latency/throughput wise?
The servers are fast SMP/RAID machines in a carrier-class above.net datacenter (east coast). The server hardware is shared, of course (it's a virtual server after all), but Linux VServer will always give you notably better performance than a User-Mode Linux VPS. Speed-wise Virtuozzo-based hosters may give you similar performance, but they usually clamp down resources very low and do you really want to support a proprietary software company that is likely violating the GPL?
or other apps like FTP, bittorrent (legal of course)?
We don't care what apps you run, we provide a virtual server, you install/compile/run what you like. BitTorrent will surely run up a large bandwidth bill though
;-) -
Sun could learn a thing or two IMHO
I have recently attended a talk at our local NOVA (Northern Virginia) LUG by Harry Foxwell focused on Solaris 10. And while Harry is a respected scientist and a great presenter, I couldn't help noticing some things that were not exactly in the Open Source spirit if you will. The talk was 90% about Solaris Containers (aka Zones or N1 Grid Containers), and being a believer of giving credit where credit is due, I was somewhat disheartened not to hear any mention of FreeBSD jails and several statements about how Solaris Zones are primarily based not on any OSS work, but rather prior Sun work on Trusted Solaris. While I believe the Trusted Solaris stuff was partly true (in Linux this is called capabilities, BTW (POSIX 1003.1e/1003.2c)), it wouldn't hurt to briefly mention the origins of the concept of separation, FreeBSD jails, and the fact the Linux Vserver provides the same functionality for Linux (Linux Vserver was mentioned, followed by some condescending analogy of Linux and transformer robots and how Linux developers can "transform" Linux into supporting anything.) The truth of the matter is that FreeBSD jails appeared in 1999, Linux Vserver in September of 2001 and Solaris Zones in 2002. The talk could also use less of "Solaris is for real, Linux is not" comments, especially considering this is a talk at a Linux User Group.
The bottom line is - I salute Sun open sourcing Solaris, but they still need to work on improving the attitude towards other open source OS's, particularly Linux and FreeBSD. The strategy of insisting that Solaris is just better, isn't going to get Sun very far, simply because it isn't true in many respects.
-
Re:Virtualization
Can you go into detail as to why Virtuozzo is more like Vserver than Xen?
The idea behind Virtuozzo, VServer and the like is the introduction of yet another id in addition to the process id. VServer calls it "context id", FreeBSD calls it "jail id", don't know what Virtuozzo calls theirs, but the concept is the same. So now a process belongs to a context, and processes in one context cannot see processes in another context. Additionally, networking (specific ip) and other (CPU scheduling policy, filesystem, ...) restrictions can be applied to a context.
The concept is much better described than I can do it at this hour here and here.
-
Real world experiences of Xen v/s Linux Vserver
Does anyone around has used Xen on a real production environment like, say, a VPS provider? What About Linux Vserver (http://www.linux-vserver.org/)?
What are the real differences, besides the technical paravirtualization of Xen and the fact that the guest OS must be 'ported' to it in order to run it, and that Linux Vserver is for running Linux only? I mean in terms of performance, feature-richness, security, stability and scalability of both the host and guest OS? What about work under non-x86 architectures, like PPC/PPC64 or native AMD64 support?
I haven't been able to decide yet which would present an ideal solution for a partitioned VPS environment, so any help from you would be greatly appreciated. -
Re:Check-out the FreeBSD jail facility
Also, don't forget about these Linux based methods:
Linux Vserver:
http://www.linux-vserver.org/
Xen
http://www.cl.cam.ac.uk/Research/SRG/netos/xen/
User Mode Linux:
http://usermodelinux.org/
Linux Vserver appears to be almost the same thing as FreeBSD jails. I have not run either so I cannot speak with authority on them.
I have run Xen and UML, however.
Xen and UML are completely virtualized environments that boot a whole separate machine inside of the host. UML is good to run on a server that has some 'extra' resources to dedicate to a VM as you can spec total ram on the command line and there are no modifications to the host machine kernel. Xen's hypervisor takes over the machine by only occupying the first 64-128M of ram, with the rest of ram dedicated to VMs, which makes it hard, but not impossible, to slap Xen onto an existing machine. Xen also requires that a patched kernel is installed on the host.
-ft -
Re:Comparing UML to N1 Grid Containers? Ridiculous
UML has substantially lower performance compared to N1 Grid Containers
Yep, when I read that, the credibility of the article fell by 5 points...
But Linux does have a feature comparable to Zones (is that the same thing as grid containers?), it's called Linux VServer, it'd be nice if it became part of the stock kernel some day.
Another thing that Linux desperately needs IMO is something similar to FreeBSD union mount or the translucent filesystem. There are a few projects out there, but they seem abandoned, and this is something that should be part of ext3. LVM could use improvement also - AFAIK snapshots are broken in 2.6.9. Last, but not the least, umount needs an -f option which forces unmounting no matter what.
These are a few little things off the top of my head, I could probably come up with a ton more if I had the time to think about it....
-
Re:This is a VM platform, not a VMWare competitor
Here's a typical use case: you want to make a network "security box" that includes firewall, proxy, web server, email, wiki, irc.
My preference for this would be Linux VServer or jails on BSD which have practically no overhead. Xen would only be useful if the requirement is to run different OS's on the same machine.
-
Re:How is this different?
The Linux VServer Project is a similar beast, if not the original inspiration. It's available as a kernel patch for linux-2.4 (and almost ready for 2.6), plus a handful of userspace utilities.
The idea revolves around isolated contexts, each with a different IP address - so in practice you access each of the vservers as a different machine, with its own filesystem, users, processes, semaphores, ...
As you can chroot your applications to make them see different parts of the filesystem as /, you use this patch to make each vserver see different parts of the global process table - so that each vserver doesn't know about the others. Should you want to access a vserver from another vserver, you must think like they're two different machines - use the network.
As the gist of it is the isolation between processes and NOT emulation, you experience absolutely no overhead (unlike UML). And if you worry about disk space (as each vserver owns in fact a complete /), you can hardlink files between vservers, so that the second, third and so on vservers may have a disk space cost as small as 30MB. Memory-wise, it's a bit more hungry as you'd like to have crond, sshd and so on running in every vserver.
Work is being done to circumvent one of the disadvantages: a vserver can drown the whole machine as resources are not really yet limited for a particular context.
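Two posts on this page (the "unify 2 zones" remark further up and the hardlinking paragraph just above) describe the same space-saving trick: files that are byte-for-byte identical in two guest roots are replaced by hardlinks, so the second guest costs only the files that differ. The following is an added example of that technique, not Linux-VServer's own vunify tool or any poster's code. It assumes only the Python standard library; the two guest roots it operates on in `demo()` are constructed in a temporary directory, and the list of per-guest directories it refuses to share is an assumption of the example.

```python
"""Added example, not Linux-VServer's vunify: share identical files between
two guest roots with hardlinks so the second guest costs little extra disk."""
import filecmp
import os
import stat
import tempfile
from typing import Dict, List

# Guest-relative top-level directories that hold per-guest state and must
# never be shared between guests (assumed list, extend to taste).
PRIVATE = ("etc", "var", "tmp", "home", "root", "dev", "proc", "sys")


def unify(reference: str, target: str) -> List[str]:
    """Replace every regular file under `target` that has an identical twin
    (same content, mode, owner, same filesystem) at the same relative path
    under `reference` with a hardlink to the reference copy."""
    linked: List[str] = []
    for dirpath, dirnames, filenames in os.walk(target):
        rel_dir = os.path.relpath(dirpath, target)
        if rel_dir == ".":
            dirnames[:] = [d for d in dirnames if d not in PRIVATE]
        for name in filenames:
            rel = os.path.normpath(os.path.join(rel_dir, name))
            t_path = os.path.join(target, rel)
            r_path = os.path.join(reference, rel)
            try:
                t_st, r_st = os.lstat(t_path), os.lstat(r_path)
            except FileNotFoundError:
                continue  # no twin in the reference guest
            if not (stat.S_ISREG(t_st.st_mode) and stat.S_ISREG(r_st.st_mode)):
                continue  # symlinks, devices etc. are left alone
            if t_st.st_dev != r_st.st_dev:
                continue  # hardlinks cannot cross filesystems
            if t_st.st_ino == r_st.st_ino:
                continue  # already unified
            t_meta = (t_st.st_mode, t_st.st_uid, t_st.st_gid, t_st.st_size)
            r_meta = (r_st.st_mode, r_st.st_uid, r_st.st_gid, r_st.st_size)
            if t_meta != r_meta or not filecmp.cmp(r_path, t_path, shallow=False):
                continue  # same name but not the same file
            tmp = t_path + ".unify"
            os.link(r_path, tmp)
            os.replace(tmp, t_path)  # atomic swap: no window without the file
            linked.append(rel)
    return linked


def demo() -> Dict[str, object]:
    """Constructed pair of guest roots: one identical tool, one that differs
    only in content, plus a file under etc/ that must stay private."""
    with tempfile.TemporaryDirectory() as base:
        ref, tgt = os.path.join(base, "guest1"), os.path.join(base, "guest2")
        files = {
            "usr/bin/tool": (b"same binary\n", b"same binary\n"),
            "usr/bin/other": (b"version 1\n", b"version 2\n"),
            "etc/hostname": (b"guest\n", b"guest\n"),
        }
        for rel, (a, b) in files.items():
            for root, body in ((ref, a), (tgt, b)):
                path = os.path.join(root, rel)
                os.makedirs(os.path.dirname(path), exist_ok=True)
                with open(path, "wb") as f:
                    f.write(body)
        linked = unify(ref, tgt)
        nlink = {rel: os.stat(os.path.join(tgt, rel)).st_nlink for rel in files}
        return {"linked": linked, "nlink": nlink}
```

The caveat a practitioner needs: a hardlink is the same inode, so a guest that can write to a unified file edits it for every other guest sharing it. Linux-VServer's own unification pairs the link with a kernel flag that leaves the file immutable but still unlinkable (a guest can replace it, not modify it in place); this example sets no such flag, so only apply it to trees the guests cannot write, or mark the shared files immutable afterwards.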
-
Re:UML is pretty awesome
I have to agree the vserver hosts do seem to be more expensive than the UML hosts.
Are you sure you are not confusing VServer hosts with Virtuozzo hosts such as GlobalServer or Spry? Virtuozzo costs several thousand dollars per server (even though VServer is slowly outnumbering it in number of features), so no wonder they are more expensive, though it does come with a nice control panel.
-
Re:UML is pretty awesome
It's really the future of "shared" webhosting because it balances the power of a full server against the cost of a shared one.
I respectfully disagree. While UML gives you excellent isolation, it is an extremely inefficient way to virtualize your server since it does not take advantage (by design) of all the optimizations that UN*X provides. UML is great for kernel developers and applications where isolation is far more important than performance.
In Linux virtual server hosting, the future will be Linux VServer Project
(ok, I'm somewhat biased, I admit)
-
Re:Your favorite tools
A more appropriate tool might be linux-vserver, which lets you assign each virtual server its own disk quota, process space and IP addresses.
-
Try OpenHosting
Try here
We provide VServer based virtual servers and by default we provision them with IMAP and POP SSL-enabled only.
As a side note - I've been using SSL for IMAP since 1997 or so and I cannot believe there still are people using unencrypted POP/IMAP, but there are. If you ever happen to be sitting with a laptop at a corporate meeting, one where everyone plugs into an old ethernet hub in the middle of the table, it is always a lot of fun to fire up a sniffer to get all the passwords from the non-technical people at the table checking their e-mail (probably using Outlook too). Then you blurb out the password in the middle of a conversation and watch the person's reaction. (Be careful - what may be interpreted as a harmless joke in the late nineties, these days will probably get you fired!)
-
Re:Can this be used for honeypots?
The corresponding technology in Linux is called "vservers". It has been around for a number of years now, as an external kernel patch.
You can find more info about it on linux-vserver.org. -
Jacques Gelinas' VServer
This looks just like the Virtual Server project that Jacques Gelinas started a number of years ago. Possibly with some neat configuration utilities, but much the same. I'm not sure whether VServers can be allocated a dedicated CPU, or certain hardware exclusively, etc, but I think it can.
Xen, on the other hand is a much "heavier" approach, similar to VMWare, which virtualises the hardware, and emulates certain peripherals. -
Re:don't forget...
and also Linux-vserver. Great performance. Just like BSD jail.
-
linux-vserver/BSD jail
Essentially the same as what the linux-vserver project http://www.linux-vserver.org/ or BSD jail feature provided. It sets up different contexts for different processes so that they are isolated from each other with a different root directory. The effect is that each context acts like a separate server, but in fact they are all running on the same kernel.
Linux-vserver is a great project. We have been running different services under different "virtual" servers for a while and its performance is stellar. -
Re:Sub roots
> Sun has also added a new security tool with Solaris Privileges. This lets the root user create sub roots that can have permission, for example, to patch applications but not to touch hardware components.
When will I see it in Debian stable? =b
I already have it on my woody boxes, thanks to Linux-Vserver. And it works a treat.
-
Don't forget about vservers
Don't forget about Linux Vservers. They allow you to have multiple virtual machines running on a single physical machine, all separated for security reasons. So you could run ftp on one, and a web server on another, and they would be as separate as physical machines. Also, I use VMware daily to run office-type applications, Outlook, and Remedy. I'm forced to by my employer, and the VMware solution lets me keep my regular linux wrapper around windows. Also, since the vpn connection takes control of the box, I still have "real" network access with my linux box.