Benefits
A vserver is a virtual server running on top of an actual server. Because every vserver shares the host's kernel, running vservers adds no overhead, unlike User Mode Linux. User Mode Linux (UML) is useful when you actually need different kernels, a virtual machine that looks exactly like a real machine, or a way to set up virtual networks. Otherwise, vservers are much easier to set up and much faster.
To use vservers you must patch the kernel and have multiple IPs available. Without multiple IPs, networking is very difficult; with multiple IPs, it is trivial.
Complete Isolation
A vserver provides isolation; what you isolate is up to you. It is
a good idea to isolate things that are potential security problems.
If an attacker is able to compromise something hosted in a vserver,
they only compromise that vserver; the host itself and the other
vservers configured on the host are isolated from the attack.
Isolation is good for other things besides security. You can also
create complete development environments in vservers that are
isolated from each other. This way you can really screw things up and
not have to worry about affecting anyone else.
Limited resource overhead
You can expect vserver instances to have the same performance as
the host server itself, because processes running in a vserver
talk directly to the kernel.
There is only one kernel running on the host system, not one in each
vserver. The interface between the processes and the kernel is
virtualized so that each process gets a limited view of reality;
these limited views are called contexts.
Enhanced chroot/jail
Vservers operate through "context separation", which is basically
an enhanced chroot. The Vserver project fixes some fundamental flaws
in typical chroot jails that would otherwise compromise security.
The chroot concept is enhanced so that processes and networking are
isolated. The context separation gives processes a limited view, or
scope, that prohibits them from seeing and interacting with the
processes and network traffic of other vservers. A typical
chroot jail does not separate these things. This means that the
processes in a vserver are isolated from the host system
as well as from the other vservers on the system.
A further enhancement is a virtualized environment, which allows
each vserver to have a different uptime, host and domain name, machine
type and kernel version from the other vservers and the host.
Memory availability and disk space are also virtualized.
Management
Maintaining ten virtual instances of a service, application, or
system that are very similar to each other is much easier than
maintaining ten separate machines with ten different installations,
patches, security updates, etc. Keeping all of the vservers on
one machine is much more resource efficient and easier to manage.
It is easy to back up a vserver and replicate it on another machine
without needing to worry about kernel compatibility: you can simply
tar up an entire vserver, move it elsewhere and untar it.
Additionally, you can manage all vservers from the host in convenient
ways. You can see which processes belong to which vserver, and you
can set limits on CPU and disk usage for each vserver.
Resource sharing
Besides the management benefits, resources are also shareable
between vservers. Files that are common to different vservers are
shared in a way that does not reduce the isolation security. Files
that don't change frequently, such as libraries or binaries, can be
shared so that disk space and memory are saved in a secure way.
The vserver unification process performs the necessary steps to find
common files and then hard-link them between contexts, protecting them
against unwanted modification while still allowing them to be removed
when software inside the vserver is updated.
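The unification step described above, written out as an added example. This is not util-vserver's own vunify tool, only the same idea: walk a reference guest root, find files that exist in a second guest root with identical mode, size and content, and replace the second copy with a hard link to the first. Assumptions not taken from the page: both guest roots live on one filesystem (hard links cannot cross filesystems), per-guest configuration under etc/ is excluded, and the "protect" hook that marks each shared inode immutable-but-unlinkable is a caller-supplied callable (on a real Linux-VServer host that hook would run util-vserver's setattr with its iunlink flag; the demo just records the paths). The sample guest trees are constructed inside a temporary directory.

```python
"""Hard-link identical files between two vserver guest roots (added example,
not util-vserver's vunify).  See the lead-in for the assumptions made."""
import hashlib
import os
import stat
import tempfile
from typing import Callable, Iterator, List, Optional


def _digest(path: str, chunk: int = 1 << 16) -> str:
    """SHA-256 of a file, streamed so large libraries are not read whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _regular_files(root: str) -> Iterator[str]:
    """Root-relative paths of regular files, in a stable order; symlinks skipped."""
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if stat.S_ISREG(os.lstat(full).st_mode):
                yield os.path.relpath(full, root)


def find_common(ref_root: str, target_root: str, exclude: tuple = ()) -> List[str]:
    """Relative paths whose file in both trees has the same mode, size and content.
    Paths already sharing an inode, on another filesystem, or under an excluded
    prefix (per-guest configuration such as etc/) are left alone."""
    common = []
    for rel in _regular_files(ref_root):
        if any(rel == p or rel.startswith(p.rstrip("/") + "/") for p in exclude):
            continue
        ref, tgt = os.path.join(ref_root, rel), os.path.join(target_root, rel)
        try:
            st_t = os.lstat(tgt)
        except FileNotFoundError:
            continue
        st_r = os.lstat(ref)
        if not stat.S_ISREG(st_t.st_mode) or st_r.st_dev != st_t.st_dev:
            continue
        if st_r.st_ino == st_t.st_ino:          # unified on an earlier run
            continue
        if (st_r.st_size != st_t.st_size
                or stat.S_IMODE(st_r.st_mode) != stat.S_IMODE(st_t.st_mode)):
            continue
        if _digest(ref) == _digest(tgt):
            common.append(rel)
    return common


def unify(ref_root: str, target_root: str, exclude: tuple = (),
          protect: Optional[Callable[[str], None]] = None) -> List[str]:
    """Replace each common file under target_root with a hard link to the
    reference copy, then run `protect` (assumed hook) on the shared inode.
    Returns the relative paths that were linked."""
    linked = []
    for rel in find_common(ref_root, target_root, exclude):
        ref, tgt = os.path.join(ref_root, rel), os.path.join(target_root, rel)
        tmp = tgt + ".unify-tmp"
        os.link(ref, tmp)        # create the link beside the target first ...
        os.replace(tmp, tgt)     # ... then swap it in so the path never vanishes
        if protect is not None:
            protect(ref)
        linked.append(rel)
    return linked


def build_demo_trees(base: str) -> None:
    """Constructed sample guests: one shared library, identical hostnames that
    must stay private because etc/ is excluded, and one guest-only binary."""
    files = {
        "ref/usr/lib/libdemo.so": b"\x7fELF demo library bytes",
        "target/usr/lib/libdemo.so": b"\x7fELF demo library bytes",
        "ref/etc/hostname": b"guest\n",
        "target/etc/hostname": b"guest\n",
        "target/usr/bin/onlyhere": b"#!/bin/sh\n",
    }
    for rel, data in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo() -> dict:
    """Unify the constructed trees and report what was shared and what was not."""
    protected: List[str] = []
    with tempfile.TemporaryDirectory() as base:
        build_demo_trees(base)
        ref, tgt = os.path.join(base, "ref"), os.path.join(base, "target")
        linked = unify(ref, tgt, exclude=("etc",), protect=protected.append)
        lib_shared = (os.stat(os.path.join(ref, "usr/lib/libdemo.so")).st_ino
                      == os.stat(os.path.join(tgt, "usr/lib/libdemo.so")).st_ino)
        host_shared = (os.stat(os.path.join(ref, "etc/hostname")).st_ino
                       == os.stat(os.path.join(tgt, "etc/hostname")).st_ino)
        return {"linked": linked, "lib_shared": lib_shared,
                "hostname_shared": host_shared,
                "protected": [os.path.relpath(p, ref) for p in protected],
                "second_pass": unify(ref, tgt, exclude=("etc",))}


if __name__ == "__main__":
    print(demo())
```

The protect step is what keeps sharing from weakening isolation. A bare hard link means both guests point at one inode, so an in-place write from one guest would silently change the library the other guest loads. Marking the inode immutable-but-unlinkable refuses such writes, while a package upgrade inside a guest, which unlinks the old file and creates a new one, still succeeds and simply gives that guest a private copy; the other guest keeps the protected original, which is the behaviour the page describes. The exclude list matters for the same reason: files that are identical today but meant to differ per guest, such as etc/hostname here, must never be linked.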