Linux-VServer
Linux-VServer is a virtual private server implementation that was created by adding operating system-level virtualization capabilities to the Linux kernel. It is developed and distributed as open source software.
The project was started by Jacques Gélinas. It is now maintained by Herbert Pötzl of Austria and is not related to the Linux Virtual Server project, which implements network load balancing.
Linux-VServer is a jail mechanism in that it can be used to securely partition resources on a computer system (such as the file system, CPU time, network addresses and memory) in such a way that processes cannot mount a denial-of-service attack on anything outside their partition.
Each partition is called a security context, and the virtualized system within it is the virtual private server. A chroot-like utility for descending into security contexts is provided. Booting a virtual private server is then simply a matter of kickstarting init in a new security context; likewise, shutting it down simply entails killing all processes with that security context. The contexts themselves are robust enough to boot many Linux distributions unmodified, including Debian and Fedora.
Virtual private servers are commonly used in web hosting services, where they are useful for segregating customer accounts, pooling resources and containing any potential security breaches. To save space on such installations, each virtual server's file system can be created as a tree of copy-on-write hard links to a "template" file system. The hard link is marked with a special filesystem attribute and, when modified, is securely and transparently replaced with a real copy of the file.
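The copy-on-write break described above is what keeps one customer's write from reaching every other guest that shares the template. The following is an added example, not Linux-VServer code: it builds a small template tree, populates two guest trees as plain hard links to it, and contrasts an unsafe write through a shared link (which silently modifies the template that every guest sees) with a write that first replaces the link by a private copy. Linux-VServer performs the break in the kernel, keyed on a filesystem attribute; here it is done in user space by copying to a temporary file and renaming it over the link. All paths and file contents are constructed for the demonstration.

```python
import os
import shutil
import tempfile

# Constructed example (not Linux-VServer code): a "template" file system shared
# by several guests through hard links, plus the copy-on-write step that must
# run before a guest is allowed to modify a shared file.


def build_template(root):
    """Create a small template tree with two files; returns its path."""
    tpl = os.path.join(root, "template")
    os.makedirs(os.path.join(tpl, "etc"))
    with open(os.path.join(tpl, "etc", "motd"), "w") as f:
        f.write("shared template motd\n")
    with open(os.path.join(tpl, "etc", "hostname"), "w") as f:
        f.write("template\n")
    return tpl


def link_guest(tpl, guest):
    """Populate a guest tree as hard links to the template files (saves space)."""
    for dirpath, _dirnames, filenames in os.walk(tpl):
        rel = os.path.relpath(dirpath, tpl)
        dest_dir = guest if rel == "." else os.path.join(guest, rel)
        os.makedirs(dest_dir, exist_ok=True)
        for name in filenames:
            os.link(os.path.join(dirpath, name), os.path.join(dest_dir, name))


def is_shared(path):
    """A file whose inode has more than one link is still shared with the template."""
    return os.stat(path).st_nlink > 1


def break_link(path):
    """Replace a hard link with a private copy before it is modified.

    Copy the contents to a temporary file in the same directory, then rename it
    over the link.  rename() swaps the directory entry atomically, so the
    template's inode is never written to and other guests keep the original.
    """
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    os.close(fd)
    shutil.copy2(path, tmp)
    os.rename(tmp, path)


def write_guest_file(path, data, cow=True):
    """Write to a guest file; with cow=True the shared link is broken first."""
    if cow and is_shared(path):
        break_link(path)
    with open(path, "w") as f:
        f.write(data)


def demo():
    """Run the unsafe and safe write paths side by side; returns what was observed."""
    root = tempfile.mkdtemp()
    try:
        tpl = build_template(root)
        g1 = os.path.join(root, "guest1")
        g2 = os.path.join(root, "guest2")
        link_guest(tpl, g1)
        link_guest(tpl, g2)

        # Unsafe path: writing through a plain hard link rewrites the shared
        # inode, so the template (and every other guest) now carries guest1's data.
        write_guest_file(os.path.join(g1, "etc", "hostname"), "guest1\n", cow=False)
        with open(os.path.join(tpl, "etc", "hostname")) as f:
            unsafe_template = f.read()

        # Safe path: break the link first; the template stays intact and the
        # guest's file is now a private, single-link copy.
        write_guest_file(os.path.join(g2, "etc", "motd"), "guest2 motd\n", cow=True)
        with open(os.path.join(tpl, "etc", "motd")) as f:
            safe_template = f.read()
        with open(os.path.join(g2, "etc", "motd")) as f:
            guest2_motd = f.read()
        return {
            "unsafe_template_hostname": unsafe_template,
            "safe_template_motd": safe_template,
            "guest2_motd": guest2_motd,
            "guest2_motd_still_shared": is_shared(os.path.join(g2, "etc", "motd")),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, repr(value))
```

The link count reported by `st_nlink` is the cheap check an operator can use to tell which guest files are still shared with the template and which have already been privatised; a guest file with a link count above one that is writable by the guest is exactly the situation the attribute-marked copy-on-write link exists to prevent.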
Linux-VServer provides two branches for 2.6-series kernels, stable (2.2.x) and devel (2.3.x), and a single stable branch for 2.4-series kernels. A separate stable branch integrating the grsecurity patch set is also available.
Similar virtualization mechanisms
- Other implementations of operating system-level virtualization technology
Advantages
- Virtual servers share the same system call interface and do not have any emulation overhead.
- Virtual servers do not have to be backed by opaque disk images, but can share a common file system and common sets of files (through copy-on-write hard links). This makes it easier to back up a system and to pool disk space amongst virtual servers.
- Processes within the virtual server run as regular processes on the host system. This is somewhat more memory-efficient and I/O-efficient than whole-system emulation, which cannot return "unused" memory or share a disk cache with the host and other virtual servers.
- Processes within the virtual server are queued on the same scheduler as on the host, allowing guest processes to run concurrently on SMP systems. This is not trivial to implement with whole-system emulation.
- Networking is based on isolation rather than virtualization, so there is no additional overhead for packets.
- Smaller attack surface for security bugs: only one kernel with a small additional code base, compared to two or more kernels and large interfaces between them.
- Rich Linux scheduling features such as real-time priorities.
Disadvantages
- Requires that the host kernel be patched.
- All virtual servers share the same kernel, so all must be Linux. (Because of backwards compatibility in the user-space API, this does not impair use of old Linux programs/distributions.)
- No clustering or process migration capability is included, so the host kernel and host computer are still a single point of failure for all virtual servers.
- Networking is based on isolation, not virtualization. This prevents each virtual server from creating its own internal routing or firewalling setup.
- Some system calls (mostly hardware-related, e.g. the real-time clock) and parts of the /proc and /sys filesystems are left unvirtualized.
- Does not allow disk I/O bandwidth to be allocated on a per-virtual-server basis.
See also
- Operating system-level virtualization
- Comparison of platform virtual machines