Operating system-level virtualization

From Wikipedia, the free encyclopedia


Operating system-level virtualization is a server virtualization technology that virtualizes servers at the operating system (kernel) layer. It can be thought of as partitioning a single physical server into multiple small computational partitions. Each such partition looks and feels like a real server from the point of view of its owner. On Unix systems, this technology can be thought of as an advanced extension of the standard chroot mechanism.

There are many terms for the computational partitions, including virtual environments (VE), virtual private servers (VPS), jails, guests, zones, vservers and containers.


The operating system-level architecture has low overhead, which helps to maximize efficient use of server resources. Because of its single-kernel approach, this type of virtualization introduces only negligible overhead and allows hundreds of virtual private servers to run on a single physical server. In contrast, approaches such as emulation (like VMware) and paravirtualization (like Xen or UML) cannot achieve such a level of density, because of the overhead of running multiple kernels. On the other hand, operating system-level virtualization does not allow running different operating systems (i.e. different kernels), although different libraries, distributions, etc. are possible.

Since a single OS kernel maintains all the partitions, isolation and resource management become very important. Without proper isolation, security can be compromised; without proper resource management, an application in one partition can abuse resources and thus cause a denial of service for other partitions. Resources that can be controlled and limited include CPU time, disk space, I/O bandwidth, network access, and all the other finite resources such as RAM, shared memory, locked pages, number of processes, socket buffers, etc. For example, OpenVZ provides a set of more than 20 finite resources that are accounted and limited on a per-partition basis.
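The paragraph above makes an abstract point: a limit set on one partition must stop that partition's workload without touching its neighbours. The following example, added here and not taken from the article or from any of the projects it lists, shows the same idea at the level of a single Linux process using the kernel's rlimit mechanism (the setrlimit call via Python's resource module). Each "hog" workload runs in a forked child that represents a misbehaving partition; the parent represents the rest of the system and only observes how the child ended. The workload names, the limit values and the exit codes are choices made for this illustration; real container systems such as OpenVZ enforce such limits per container rather than per process, which this per-process demonstration does not reproduce.

```python
"""Per-partition resource limits, illustrated with per-process rlimits (added example)."""
import errno
import os
import resource
import signal
import tempfile

MIB = 1024 * 1024


def run_confined(workload, limits):
    """Fork a child, apply `limits` inside it, run `workload`, and report how it ended.

    `limits` maps a resource.RLIMIT_* constant to a (soft, hard) pair.  The limits are
    set only in the child, so the parent (standing in for the other partitions) keeps
    its own limits and is never affected by the child's misbehaviour.
    Returns ("exited", exit_code) or ("signaled", signal_name).
    """
    pid = os.fork()
    if pid == 0:  # child: the confined "partition"
        try:
            for res, pair in limits.items():
                resource.setrlimit(res, pair)
            code = workload()
        except BaseException:
            code = 99  # unexpected failure inside the child (constructed sentinel)
        os._exit(code)
    _, status = os.waitpid(pid, 0)
    if os.WIFSIGNALED(status):
        return ("signaled", signal.Signals(os.WTERMSIG(status)).name)
    return ("exited", os.WEXITSTATUS(status))


# Exit codes used by the workloads: 0 = ran to completion, 1 = the limit stopped it.

def memory_hog():
    """Try to claim 512 MiB of address space in one allocation."""
    try:
        bytearray(512 * MIB)
    except MemoryError:  # mmap refused because RLIMIT_AS was reached
        return 1
    return 0


def disk_hog():
    """Try to write 4 MiB to a temporary file in 64 KiB chunks."""
    fd, path = tempfile.mkstemp()
    try:
        with open(fd, "wb", buffering=0) as f:
            for _ in range(64):
                f.write(b"x" * 65536)  # unbuffered; a partial write is fine,
                                       # the next write past the limit raises EFBIG
    except OSError as exc:
        return 1 if exc.errno == errno.EFBIG else 2
    finally:
        os.unlink(path)
    return 0


def cpu_hog():
    """Burn CPU forever; the kernel delivers SIGXCPU when the soft CPU limit is hit."""
    while True:
        pass


def demo():
    """Run each hog under the limit that should stop it."""
    return {
        "memory": run_confined(memory_hog, {resource.RLIMIT_AS: (256 * MIB, 256 * MIB)}),
        "disk": run_confined(disk_hog, {resource.RLIMIT_FSIZE: (1 * MIB, 1 * MIB)}),
        # soft limit 1 s (SIGXCPU), hard limit 2 s (SIGKILL) so the softer signal arrives first
        "cpu": run_confined(cpu_hog, {resource.RLIMIT_CPU: (1, 2)}),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>6}: {outcome}")
    print("unconfined disk write:", run_confined(disk_hog, {}))
```

Running the script prints one line per workload showing that the memory hog got a MemoryError, the disk hog hit EFBIG after 1 MiB, and the CPU hog was terminated by SIGXCPU, while the same disk write with an empty limit set completes normally. The design point that carries over to container systems is the last one: the limit is attached to the confined unit, and the parent process that observes the outcome needs no special handling to survive the child's abuse.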

Compared to the hardware-assisted virtualization solutions (like IBM's LPAR), OS-level virtualization has the benefit of running on inexpensive commodity hardware.

OS-level virtualization solutions initially gained popularity with service providers who needed a very low-overhead, customizable, cost-effective solution for providing hosting services to customers. The technology is now becoming more widely deployed as many different industries and customers recognize the benefits of OS virtualization and the differences between it and hardware virtualization. Common uses and scenarios now include server and OS consolidation, business continuity (disaster recovery and high availability) and centralized desktop virtualization.

| Mechanism | Operating system | License | File system isolation | Disk quotas | I/O rate limiting | Memory limits | CPU quotas | Network isolation | Partition checkpointing and live migration |
|---|---|---|---|---|---|---|---|---|---|
| chroot | most UNIX-like operating systems | GNU GPL | Yes | No | No | No | No | No | No |
| FreeVPS | Linux | GNU GPL | Yes | Yes | No | Yes | Yes | Yes | No |
| Linux-VServer (security context) | Linux | GNU GPL v.2 | Yes | Yes | Yes/No [1] | Yes | Yes | Yes | No |
| OpenVZ (virtualization, isolation and resource management) | Linux | GNU GPL v.2 | Yes | Yes | Yes [2] | Yes | Yes | Yes [3] | Yes |
| SWsoft Virtuozzo | Linux, Windows | Proprietary | Yes | Yes | Yes/No [1] | Yes | Yes | Yes [3] | Yes |
| Container/Zone | Solaris | Proprietary | Yes | Yes | No | Yes | Yes | Yes [3] | No [4] |
| FreeBSD Jail | FreeBSD | BSD | Yes | No | No | No | No | Yes | No |
| sysjail | OpenBSD, NetBSD | BSD | Yes | No | No | No | No | Yes | No |


  1. With the CFQ scheduler you get a separate queue per guest. In practice, however, the I/O queue is per-process, not per-guest, so containers can still consume an arbitrary amount of disk I/O.
  2. Available since kernel 2.6.18-028stable021. The implementation is based on the CFQ disk I/O scheduler, but it uses a two-level scheme, so I/O priority is per-container rather than per-process. See the OpenVZ wiki page "I/O priorities for VE" for details.
  3. The network is not isolated but rather virtualized, meaning each virtual environment can have its own IP addresses, firewall rules, routing tables and so on.
  4. Cold migration (shutdown, move, restart) is implemented.
