Linux-VServer

Linux-VServer is a virtual private server implementation that was created by adding operating system-level virtualization capabilities to the Linux kernel. It is developed and distributed as open-source software.


Details

The project was started by Jacques Gélinas. It is now maintained by Herbert Pötzl. It is not related to the Linux Virtual Server (LVS) project, which implements network load balancing.

Linux-VServer is a jail mechanism: it securely partitions the resources of a computer system (such as the file system, CPU time, network addresses and memory) so that processes cannot mount a denial-of-service attack on anything outside their partition. Each partition is called a ''security context'', and the virtualized system within it is the ''virtual private server''. A chroot-like utility for descending into security contexts is provided. Booting a virtual private server is then simply a matter of starting init in a new security context; shutting it down entails killing every process that carries that security context. The contexts are robust enough to boot many Linux distributions unmodified, including Debian and Fedora.

Virtual private servers are commonly used in web hosting services, where they are useful for segregating customer accounts, pooling resources and containing any potential security breaches. To save space on such installations, each virtual server's file system can be created as a tree of copy-on-write hard links to a "template" file system. Each such hard link is marked with a special filesystem attribute and, when modified, is securely and transparently replaced with a real copy of the file, so a write inside one virtual server never alters the template or the other virtual servers that share it.

Linux-VServer provides two branches for 2.6-series kernels, stable (2.2.x) and devel (2.3.x), and a single stable branch for 2.4-series kernels. A separate stable branch integrating the grsecurity patch set is also available.
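The copy-on-write hard-link scheme described above, modelled in Python as an added example (this is not code from the Linux-VServer project or its util-vserver tools). A template tree is hard-linked into two guest trees; the kernel's per-inode "unified" attribute is stood in for by a per-guest set of paths; and the first write inside a guest breaks the link by copying the content to a fresh inode and atomically renaming it over the link. The `Guest` class, the `demo()` function and the sample files are constructed for illustration, and the real patch performs the break inside the kernel on the first modifying operation rather than in user space. The block also shows the failure mode the attribute exists to prevent: writing through the shared link without breaking it alters the template and every guest that shares it.

```python
"""Copy-on-write hard links to a template tree ("unification"), modelled in
user space. Added example; not Linux-VServer project code. The kernel patch's
per-inode attribute is modelled here by Guest.unified."""
import os
import shutil
import tempfile
from pathlib import Path


class Guest:
    """One virtual server's file tree, built as hard links to a shared template."""

    def __init__(self, template: Path, root: Path):
        self.template = template
        self.root = root
        # Stand-in for the filesystem attribute that marks a unified file:
        # relative paths listed here still share an inode with the template.
        self.unified = set()

    @classmethod
    def unify(cls, template: Path, root: Path) -> "Guest":
        """Create the guest tree: directories are real, files are hard links."""
        guest = cls(template, root)
        root.mkdir(parents=True, exist_ok=True)
        for src in sorted(template.rglob("*")):
            rel = src.relative_to(template).as_posix()
            dst = root / rel
            if src.is_dir():
                dst.mkdir(parents=True, exist_ok=True)
            elif src.is_file():
                dst.parent.mkdir(parents=True, exist_ok=True)
                os.link(src, dst)  # same inode: no extra data blocks
                guest.unified.add(rel)
        return guest

    def is_shared(self, rel: str) -> bool:
        """True while the guest's copy is still the template's inode."""
        return rel in self.unified

    def write(self, rel: str, data: bytes) -> None:
        """Modify a guest file, breaking the link first if it is still unified."""
        path = self.root / rel
        if rel in self.unified:
            self._break_link(path)
            self.unified.discard(rel)
        path.write_bytes(data)

    @staticmethod
    def _break_link(path: Path) -> None:
        # Copy the content to a new inode in the same directory, then rename
        # it over the link. rename() is atomic on POSIX, so the guest never
        # sees the file missing, and the template's inode is never written.
        tmp = path.with_name(path.name + ".cow-tmp")
        shutil.copy2(path, tmp)
        os.replace(tmp, path)


def demo() -> dict:
    """Build a constructed template, unify two guests, and compare a safe
    (link-breaking) write with a naive write through the shared link."""
    work = Path(tempfile.mkdtemp(prefix="vserver-unify-"))
    try:
        template = work / "template"
        (template / "etc").mkdir(parents=True)
        (template / "bin").mkdir()
        # Constructed sample template files.
        (template / "etc" / "motd").write_bytes(b"shared template motd\n")
        (template / "bin" / "ls").write_bytes(b"#!/bin/sh\necho template-ls\n")

        a = Guest.unify(template, work / "guests" / "a")
        b = Guest.unify(template, work / "guests" / "b")
        nlink_before = os.stat(template / "etc" / "motd").st_nlink  # template + a + b

        # Safe path: guest a's write breaks its link; template and b are unaffected.
        a.write("etc/motd", b"guest a customised\n")

        # Failure mode: writing through the hard link without breaking it
        # (exactly what the unified attribute is there to prevent).
        (b.root / "bin" / "ls").write_bytes(b"#!/bin/sh\necho tampered\n")

        return {
            "nlink_before": nlink_before,
            "nlink_template_after": os.stat(template / "etc" / "motd").st_nlink,
            "template_motd": (template / "etc" / "motd").read_bytes(),
            "a_motd": (a.root / "etc" / "motd").read_bytes(),
            "b_motd": (b.root / "etc" / "motd").read_bytes(),
            "a_motd_shared": a.is_shared("etc/motd"),
            "a_ls_shared": a.is_shared("bin/ls"),
            "template_ls_after_naive": (template / "bin" / "ls").read_bytes(),
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running it and reading the returned dictionary shows the two outcomes side by side: before any write, `etc/motd` has a link count of 3 (template plus two guests); after guest a writes, the template inode drops to 2 links and only guest a sees the new content, while the naive write to `bin/ls` in guest b leaks straight into the template and therefore into every guest still sharing that inode.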


Advantages

* Virtual servers share the same system call interface and do not have any emulation overhead.
* Virtual servers do not have to be backed by opaque disk images, but can share a common file system and common sets of files (through copy-on-write hard links). This makes it easier to back up a system and to pool disk space amongst virtual servers.
* Processes within the virtual server run as regular processes on the host system. This is somewhat more memory-efficient and I/O-efficient than whole-system emulation, although memory ballooning and modern VMs allow returning unused memory and sharing disk cache with the host and other virtual servers.
* Processes within the virtual server are queued on the same scheduler as on the host, allowing a guest's processes to run concurrently on SMP systems. This is not trivial to implement with whole-system emulation.
* Networking is based on isolation rather than virtualization, so there is no additional overhead for packets.
* Smaller attack surface for security bugs: only one kernel with a small additional code base, compared with two or more kernels and the large interfaces between them.
* Rich Linux scheduling features such as real-time priorities are available to guests.


Disadvantages

* Requires that the host kernel be patched.
* No clustering or process migration capability is included, so the host kernel and host computer remain a single point of failure for all virtual servers.
* Networking is based on isolation, not virtualization. This prevents each virtual server from creating its own internal routing or firewalling setup.
* Some system calls (mostly hardware-related, e.g. the real-time clock) and parts of the /proc and /sys filesystems are left unvirtualized, so those parts look the same to a guest as they do on the host.
* Does not allow disk I/O bandwidth to be allocated on a per-virtual-server basis.
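A minimal model of what "isolation rather than virtualization" means for the network, covering the networking points in both lists above. This is an added example, not Linux-VServer code: each security context owns a set of the host's addresses, a wildcard bind is narrowed to that set, a bind to an address the context does not own is refused, and inbound delivery is a single table lookup with no encapsulation or per-guest routing (which is also why a guest cannot have routing or firewalling rules of its own). The specific rules, the `NetContext` and `Host` classes and the sample addresses are assumptions made for illustration; the exact semantics of the kernel patch are not described on this page.

```python
"""Address-based network isolation, modelled in user space. Added example, not
Linux-VServer code; the assignment rules below are an assumption used to
illustrate isolation without a virtual network stack."""
import ipaddress

ANY = ipaddress.ip_address("0.0.0.0")


class IsolationError(PermissionError):
    """Raised when a context steps outside the addresses it owns."""


class NetContext:
    """A security context's share of the host's single network stack."""

    def __init__(self, ctx_id: int, addresses):
        self.ctx_id = ctx_id
        self.addresses = frozenset(ipaddress.ip_address(a) for a in addresses)

    def effective_bind(self, requested: str) -> list:
        """Resolve a bind() request to the addresses the socket may listen on.

        A wildcard bind is narrowed to the context's own addresses instead of
        the whole host; a bind to an address the context does not own is refused.
        """
        req = ipaddress.ip_address(requested)
        if req == ANY:
            return [str(a) for a in sorted(self.addresses)]
        if req not in self.addresses:
            raise IsolationError(f"context {self.ctx_id} does not own {req}")
        return [str(req)]


class Host:
    """The one real stack: addresses are partitioned between contexts."""

    def __init__(self):
        self.contexts = {}
        self.owner = {}  # address -> ctx_id

    def add_context(self, ctx: NetContext) -> None:
        # Two contexts may never claim the same address; refuse before mutating.
        for addr in ctx.addresses:
            other = self.owner.get(addr)
            if other is not None and other != ctx.ctx_id:
                raise IsolationError(f"{addr} already owned by context {other}")
        for addr in ctx.addresses:
            self.owner[addr] = ctx.ctx_id
        self.contexts[ctx.ctx_id] = ctx

    def deliver(self, dst: str):
        """Inbound packet: one lookup on the destination address, with no
        decapsulation, NAT or per-guest routing. Returns the owning ctx_id,
        or None if no context owns the address."""
        return self.owner.get(ipaddress.ip_address(dst))


def demo() -> dict:
    """Constructed sample: two contexts on RFC 5737 documentation addresses."""
    host = Host()
    web = NetContext(10, ["192.0.2.10", "192.0.2.11"])
    mail = NetContext(20, ["192.0.2.20"])
    host.add_context(web)
    host.add_context(mail)
    try:
        web.effective_bind("192.0.2.20")  # mail's address
        cross_bind = "allowed"
    except IsolationError:
        cross_bind = "refused"
    try:
        host.add_context(NetContext(30, ["192.0.2.11"]))  # already web's
        overlap = "allowed"
    except IsolationError:
        overlap = "refused"
    return {
        "web_any": web.effective_bind("0.0.0.0"),
        "web_own": web.effective_bind("192.0.2.11"),
        "cross_bind": cross_bind,
        "overlap": overlap,
        "deliver_mail": host.deliver("192.0.2.20"),
        "deliver_unowned": host.deliver("192.0.2.99"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the model is the absence of machinery: there is no per-context routing table, no virtual interface and no packet rewriting, only an ownership check on bind and an ownership lookup on delivery. That is the source of both the advantage (no per-packet overhead) and the disadvantage (no per-guest routing or firewalling) listed above.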


See also

* Comparison of platform virtualization software
* Operating system-level virtualization



External links

* Official releases
* Implementation paper