OpenVZ
OpenVZ is an operating system-level virtualization technology based on the Linux kernel and operating system. OpenVZ allows a physical server to run multiple isolated operating system instances, known as containers, Virtual Private Servers (VPSs), or Virtual Environments (VEs). It is similar to FreeBSD Jails and Solaris Zones.

As compared to virtual machines such as VMware and paravirtualization technologies like Xen, OpenVZ is limited in that it requires both the host and guest OS to be Linux (although Linux distributions can be different in different containers). However, OpenVZ claims a performance advantage; according to its website, there is only a 1–3% performance penalty for OpenVZ as compared to using a standalone server. One independent performance evaluation confirms this. Another shows more significant performance penalties depending on the metric used.

OpenVZ is the basis of Virtuozzo Containers, a proprietary software product provided by Parallels, Inc. OpenVZ is licensed under the GPL version 2 and is supported and sponsored by Parallels, although the company does not offer commercial end-user support for OpenVZ.

OpenVZ consists of a custom kernel and a set of user-level tools.

OpenVZ compared to other Virtualization Technologies

OpenVZ is not true virtualization but really containerization, like BSD Jails. Technologies like VMware and Xen are more flexible in that they virtualize the entire machine and can run multiple operating systems. OpenVZ uses a single patched Linux kernel and therefore can run only Linux. However, because it does not have the overhead of a true hypervisor, it is very fast and efficient. The disadvantage of this approach is the single kernel: all guests must function with the same kernel version that the host uses, and that kernel is also the only security boundary between containers. A kernel bug that a container's root user can trigger is therefore a problem for the host and for every other container on it, not just for the container in which it is triggered, which is why keeping the host kernel patched matters even more here than on a hypervisor-based setup.

The advantages, however, are that memory allocation is soft, in that memory not used in one virtual environment can be used by others or for disk caching. OpenVZ uses a common file system, so each virtual environment is just a directory of files that is isolated using chroot together with the kernel-level process, network and IPC isolation described below. (A chroot on its own is not a security boundary; it is the OpenVZ kernel's PID, /proc, network and IPC virtualization that keeps a container's root user away from the host.) Thus a virtual machine can be cloned by just copying the files in one directory to another, creating a config file for the new container, and starting it. A copy made this way carries over everything in the source's file system, including whatever identifies that container on the network, such as its SSH host keys; those must be regenerated in the clone before it is put into service.
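The cloning step just described, as an added example (this code is not part of OpenVZ or vzctl): it derives the clone's config from the source container's /etc/vz/conf/<VEID>.conf, which vzctl stores as shell-style KEY="value" lines, replacing HOSTNAME and IP_ADDRESS, refusing to reuse the source's address, and warning when device grants (vzctl's DEVNODES/DEVICES parameters) would be inherited by the copy. SOURCE_CONF, the container numbers and addresses are constructed for the example.

```python
"""Derive the config for a copy-cloned OpenVZ container.

Added example for this page, not code from OpenVZ or vzctl. It assumes
the usual vzctl layout: /etc/vz/conf/<VEID>.conf made of shell-style
KEY="value" lines, with VE_ROOT and VE_PRIVATE written with the literal
$VEID placeholder (so the clone needs no change there). SOURCE_CONF is a
constructed sample, not a real container's configuration.
"""
import re

SOURCE_CONF = """\
# constructed sample of /etc/vz/conf/101.conf
ONBOOT="yes"
VE_ROOT="/vz/root/$VEID"
VE_PRIVATE="/vz/private/$VEID"
OSTEMPLATE="debian-6.0-x86_64"
HOSTNAME="web1.example.com"
IP_ADDRESS="192.0.2.10"
CPUUNITS="1000"
CPULIMIT="25"
DISKSPACE="2097152:2306867"
DEVNODES="ttyS0:rw"
"""

_KV = re.compile(r'^([A-Z_]+)="(.*)"$')

# Parameters that hand the container access to real host devices. A clone
# inherits them, which is rarely what was intended for the copy.
DEVICE_GRANTS = ("DEVNODES", "DEVICES")

# Files in the private area that identify the source container. Copying
# the directory duplicates them, so the clone needs fresh ones before use.
IDENTITY_FILES = (
    "/etc/ssh/ssh_host_*_key", "/etc/ssh/ssh_host_*_key.pub",
    "/etc/hostname", "/etc/hosts",
)


def parse_conf(text):
    """Return {KEY: value} for the KEY="value" lines; comments are skipped."""
    values = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def clone_conf(src_text, new_ip, new_hostname):
    """Return (config text for the clone, list of warnings).

    HOSTNAME and IP_ADDRESS are replaced; every other parameter (quotas,
    cpuunits, device grants, ...) is carried over unchanged and in the
    original order, so the clone is resource-limited like its source."""
    src = parse_conf(src_text)
    if new_ip in src.get("IP_ADDRESS", "").split():
        raise ValueError("clone would reuse the source container's IP %s" % new_ip)
    warnings = []
    if new_hostname == src.get("HOSTNAME"):
        warnings.append("clone keeps the source hostname %s" % new_hostname)
    for key in DEVICE_GRANTS:
        if src.get(key):
            warnings.append("clone inherits host device access %s=%s" % (key, src[key]))
    out = []
    for line in src_text.splitlines():
        m = _KV.match(line)
        if m and m.group(1) == "HOSTNAME":
            line = 'HOSTNAME="%s"' % new_hostname
        elif m and m.group(1) == "IP_ADDRESS":
            line = 'IP_ADDRESS="%s"' % new_ip
        out.append(line)
    return "\n".join(out) + "\n", warnings


if __name__ == "__main__":
    text, warns = clone_conf(SOURCE_CONF, "192.0.2.11", "web2.example.com")
    print(text)
    for w in warns:
        print("WARNING:", w)
    print("regenerate in the clone before starting it:", ", ".join(IDENTITY_FILES))
```

Write the returned text to /etc/vz/conf/<new VEID>.conf after copying /vz/private/<source VEID> to /vz/private/<new VEID>, then regenerate the files listed in IDENTITY_FILES inside the clone before it answers on the network; a container that presents another container's SSH host key is indistinguishable from it to clients.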

Kernel

The OpenVZ kernel is a Linux kernel, modified to add support for OpenVZ containers. The modified kernel provides virtualization, isolation, resource management, and checkpointing.

Virtualization and isolation

Each container is a separate entity, and behaves largely as a physical server would. Each has its own:
Files
System libraries, applications, virtualized /proc and /sys, virtualized locks, etc.

Users and groups
Each container has its own root user, as well as other users and groups.

Process tree
A container only sees its own processes (starting from init). PIDs are virtualized, so that the init PID is 1 as it should be.

Network
A virtual network device, which allows a container to have its own IP addresses, as well as its own set of netfilter (iptables) and routing rules.

Devices
If needed, any container can be granted access to real devices like network interfaces, serial ports, disk partitions, etc. Such a grant punches through the isolation listed above: a container root user that can open a raw disk partition or a physical network interface can read or write whatever is reachable through that device, so device access should be granted only where it is actually required.

IPC objects
Shared memory, semaphores, messages.

Resource management

OpenVZ resource management consists of four components: two-level disk quota, fair CPU scheduler, disk I/O scheduler, and user beancounters. These resources can be changed during container run time, eliminating the need to reboot.

Two-level disk quota

Each container can have its own disk quotas, measured in terms of disk blocks and inodes (roughly the number of files). Within the container, it is possible to use standard tools to set UNIX per-user and per-group disk quotas.

CPU scheduler

The CPU scheduler in OpenVZ is a two-level implementation of a fair-share scheduling strategy.

On the first level, the scheduler decides which container to give the CPU time slice to, based on per-container cpuunits values. On the second level, the standard Linux scheduler decides which process to run in that container, using standard Linux process priorities.

Each container can be given a different cpuunits value; real CPU time is distributed among containers in proportion to these values, so a container's share under contention is its cpuunits divided by the sum of the cpuunits of all containers competing for the CPU. A cpuunits share only constrains a container when the CPU is contended. Strict limits, such as 10% of total CPU time, are also possible; a container with such a limit cannot use more than its cap even when the rest of the CPU is idle.

I/O scheduler

Similar to the CPU scheduler described above, the I/O scheduler in OpenVZ is also two-level, utilizing Jens Axboe's CFQ I/O scheduler on its second level.

Each container is assigned an I/O priority, and the scheduler distributes the available I/O bandwidth according to the priorities assigned. Thus no single container can saturate an I/O channel.

User Beancounters

User Beancounters is a set of per-container counters, limits, and guarantees. There is a set of about 20 parameters which is meant to control all the aspects of container operation. This is meant to prevent a single container from monopolizing system resources.

These resources primarily consist of memory and various in-kernel objects such as IPC shared memory segments and network buffers. Each resource can be seen from /proc/user_beancounters and has five values associated with it: current usage, maximum usage (for the lifetime of a container), barrier, limit, and fail counter. The meaning of barrier and limit is parameter-dependent; in short, they can be thought of as a soft limit and a hard limit. Whenever the kernel refuses an allocation because a resource has reached one of these thresholds, the fail counter for that resource is incremented. This allows the owner to detect problems by monitoring /proc/user_beancounters in the container; it is also the first place to look when a container suddenly cannot open files, fork processes or add firewall rules, because the application only sees a generic failure (typically an out-of-memory error) while the growing fail counter names the exhausted resource.
Selected User Beancounter parameters (the full set has about 20)
Parameter     Meaning
lockedpages   The memory not allowed to be swapped out (locked with the mlock system call), in pages.
shmpages      The total size of shared memory (including IPC, shared anonymous mappings and tmpfs objects) allocated by the processes of a particular VPS, in pages.
privvmpages   The size of private (or potentially private) memory allocated by an application. Memory that is always shared among different applications is not included in this parameter.
numfile       The number of files opened by all VPS processes.
numflock      The number of file locks created by all VPS processes.
numpty        The number of pseudo-terminals, such as an ssh session, the screen or xterm applications, etc.
numsiginfo    The number of siginfo structures (essentially, this parameter limits the size of the signal delivery queue).
dcachesize    The total size of dentry and inode structures locked in memory.
physpages     The total size of RAM used by the VPS processes. This is an accounting-only parameter currently; it shows the usage of RAM by the VPS. For memory pages used by several different VPSs (mappings of shared libraries, for example), only the corresponding fraction of a page is charged to each VPS. The sum of the physpages usage for all VPSs corresponds to the total number of pages used in the system by all the accounted users.
numiptent     The number of IP packet filtering (iptables) entries.
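A monitor for the /proc/user_beancounters file described above, as an added example (not part of OpenVZ's tools). It parses the file's layout, which is a Version line, a header line, and then one row per resource with the container's uid prefixed to its first row; reports any resource whose fail counter is non-zero or whose current usage is close to its barrier; and compares two samples to tell an ongoing exhaustion from an old one. The SAMPLE text, the 90% warning threshold and the container numbers are constructed for the example; the value 2^63-1 is what a 64-bit kernel reports for a parameter that has no limit.

```python
"""Parse /proc/user_beancounters and flag containers hitting their limits.

Added example for this page; not part of OpenVZ or its tools. SAMPLE is
constructed to mimic the file's layout (a Version line, a header line,
then one row per resource, with the container uid prefixed to its first
row); the numbers are illustrative only.
"""

UNLIMITED = 2**63 - 1          # reported by a 64-bit kernel for "no limit"
FIELDS = ("held", "maxheld", "barrier", "limit", "failcnt")

SAMPLE = """\
Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
      101:  kmemsize                  2883584              3215360             14372700             14790164                    0
            privvmpages                 41972                44081                65536                69632                    0
            physpages                    5122                 5530                    0  9223372036854775807                    0
            numfile                      1017                 1109                 9312                 9312                    0
            numiptent                      10                   10                  128                  128                    0
      102:  kmemsize                 14000128             14372700             14372700             14790164                    0
            privvmpages                 65536                65536                65536                69632                   41
            physpages                    9001                 9100                    0  9223372036854775807                    0
            numfile                      9312                 9312                 9312                 9312                   57
            numiptent                      12                   12                  128                  128                    0
"""


def parse_beancounters(text):
    """Return {uid: {resource: {field: int}}} from user_beancounters text."""
    counters = {}
    uid = None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("Version:", "uid"):
            continue                      # version line / column header
        if tokens[0].endswith(":"):       # first row of the next container
            uid = tokens[0][:-1]
            tokens = tokens[1:]
        if uid is None or len(tokens) != 6:
            raise ValueError("unexpected line: %r" % line)
        resource, values = tokens[0], [int(v) for v in tokens[1:]]
        counters.setdefault(uid, {})[resource] = dict(zip(FIELDS, values))
    return counters


def find_problems(counters, warn_ratio=0.9):
    """List (uid, resource, reason) for exhausted or nearly exhausted resources.

    A non-zero failcnt means the kernel has already refused allocations for
    that resource; held close to the barrier means it is about to. Parameters
    with no barrier (0) or no limit at all are skipped for the ratio check."""
    problems = []
    for uid, resources in sorted(counters.items()):
        for name, v in sorted(resources.items()):
            if v["failcnt"] > 0:
                problems.append((uid, name, "failcnt=%d" % v["failcnt"]))
            elif 0 < v["barrier"] < UNLIMITED and v["held"] >= warn_ratio * v["barrier"]:
                problems.append((uid, name, "held %d of barrier %d" % (v["held"], v["barrier"])))
    return problems


def failcnt_delta(before, after):
    """Resources whose fail counter grew between two samples, i.e. an
    exhaustion that is happening now rather than one that happened once."""
    delta = {}
    for uid, resources in after.items():
        for name, v in resources.items():
            old = before.get(uid, {}).get(name, {}).get("failcnt", 0)
            if v["failcnt"] > old:
                delta[(uid, name)] = v["failcnt"] - old
    return delta


if __name__ == "__main__":
    ubc = parse_beancounters(SAMPLE)
    for problem in find_problems(ubc):
        print("%s %-12s %s" % problem)
```

Run it inside a container (where only that container's uid is listed) or on the hardware node (where every container appears). In the sample, container 102 has exhausted numfile and privvmpages and is within 10% of its kmemsize barrier; a non-zero failcnt on numiptent, by contrast, would mean the container has hit its iptables rule limit and rule additions are failing.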

Checkpointing and live migration

A live migration and checkpointing feature was released for OpenVZ in the middle of April 2006. This makes it possible to move a container from one physical server to another without shutting down the container. The process is known as checkpointing: a container is frozen and its whole state is saved to a file on disk. This file can then be transferred to another machine and the container can be unfrozen (restored) there; the delay is roughly a few seconds. Because state is usually preserved completely, this pause may appear to be an ordinary computational delay. The dump file holds the memory of every process in the container, including any keys, passwords and session data they held in memory, so it should be treated as sensitively as the container itself: transferred over an authenticated, encrypted channel and deleted from disk once the restore has succeeded.

Scalability

As OpenVZ employs a single kernel model, it is as scalable as the Linux kernel; that is, it supports up to 4096 CPUs and, on a 32-bit kernel with PAE, up to 64 GB of RAM (64-bit kernels, which are not bound by that limit, are strongly recommended for production). A single container can scale up to the whole physical system, i.e. use all the CPUs and all the RAM.

Performance

The virtualization overhead observed in OpenVZ is limited, and is negligible in most scenarios.

Density

By decreasing the overhead required for each container, it is possible to serve more containers from a given physical server, so long as the computational demands do not exceed the physical availability.

Mass-management

An administrator (i.e. root) of an OpenVZ physical server (also known as a hardware node or host system) can see all the running processes and files of all the containers on the system, and this has both security and convenience implications. On the security side, the hardware node's root is fully trusted by every container: a compromise of the host is a compromise of every container on it, and container owners have no way to keep data on the node private from its operator. On the convenience side, some fixes (such as a kernel update) affect all containers automatically, while other changes can simply be "pushed" to all the containers by a simple shell script.

Compare this with managing a VMware- or Xen-based virtualized environment: in order to apply a security update to 10 virtual servers, one either needs a more elaborate pull system (on all the virtual servers) for such updates, or an administrator is required to log in to each virtual server and apply the update. This makes OpenVZ more convenient in those cases where a pull system has not been or cannot be implemented.

Similar technologies

  • Other implementations of operating system-level virtualization technology

Limitations

Inside an OpenVZ container only VPN technologies based on PPP (such as PPTP and L2TP) and on TUN/TAP devices can be used. IPsec is not supported inside containers, and neither is L2TP secured with IPsec. Full virtualization solutions do not have this limitation.

See also

  • Comparison of platform virtual machines
  • Operating system-level virtualization

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.
 