The Penguin in the Sandbox (Part 2)
From chroot jails to Xen, there are plenty of virtualization solutions to consider for sandboxed Linux services.
Last week we flew over the virtualization landscape and got a peek at the lay of the land. Today we'll look at some of the Linux applications for implementing virtualization: Xen, User-Mode Linux, VMWare, chroot jails, and OpenVZ.
Xen
As the current darling of virtualization, Xen gets to go first. Everyone wants Xen, especially version 3.0 which runs unmodified guest operating systems on supported hardware. How can you get your hands on it and start testing it? The easy way is to use a Linux distribution that supports Xen out of the box. You'll find it in Novell's SUSE Linux Enterprise Server, Fedora Core 6 and the Xen LiveCD Demo. Mandriva Corporate Server outdoes everyone by including Xen, VMWare, and OpenVZ.
In addition, Debian Unstable and Testing users can apt-get their way into Xen, with a sizable number of Xen 3.0 packages to choose from. Mandriva and XenSource offer 30-day free trials. (Plea to XenSource: please, for the love of getting information without going insane, quit with the .PDFs and Webinars already. Nice fast plain old HTML pages do the job just fine.)
Is Xen ready for production servers and workstations? It may depend on the implementation – obviously Novell, Mandriva, and XenSource think it's ready for prime time, and Red Hat is not far behind. I'm not so confident. It's still a baby, and users are reporting various problems. But there's no reason not to set up a test box and start getting acquainted.
User-Mode Linux
User-Mode Linux runs multiple guest Linuxes on a host Linux system. The guest Linuxes run as applications in userspace. These days most distributions should have kernel support for UML built in, or have packages that contain UML-enabled kernels. You can run any Linux distribution as a guest.
UML has all kinds of uses: shared Web hosting, cross-distribution development, kernel testing and debugging, network testing, honeypots, and running many services on a single machine in safe discrete environments. It's free of cost and free software, licensed under the GPL. It is plenty stout and stable, and while I've not seen any slick management consoles for it, it's pretty easy to use.
VMWare
VMWare is the big gorilla of virtualization, and it has not been napping while other vendors and technologies try to push ahead. VMWare uses a different approach to virtualization than Xen. VMWare is an emulator; it creates a virtualized hardware environment for the guest operating systems. Emulation is resource-intensive, but VMWare claims equal or superior performance to Xen. You can bet your last glass of microbrew that they are busily at work taking advantage of Intel's and AMD's hardware support for virtualization for even better performance.
VMWare's bigtime enterprise editions are predictably spendy, but you can download VMware Player and VMware Server for free. Then presumably get hooked, and start writing checks for the expensive stuff.
Chroot Jails
Don't laugh, these still have a place in your sandboxing schemes. Every Linux (and BSD and Unix) system has chroot (change root) built in, just waiting to be put to work. Chroots isolate applications from the root filesystem and from each other, so you can do dangerous things without endangering the whole system, like running several Internet-facing servers on the same box, or testing and developing software. BIND, Apache, and Postfix are examples of servers that are commonly run in chroot jails for added security, even when they're not sharing the box with other services.
Chroots are also used to run 32-bit applications on 64-bit systems when 64-bit versions don't exist. The most famous example is the Flash browser plugin, and various other closed-source plugins and multimedia codecs.
Chroots are not perfect protection, and it seems there is always one more important file that you forgot to put inside the jail. But there is no performance hit like there is with User-Mode Linux, and they're easy to set up. They're great for smaller networks where you have just a few servers to ride herd on, and don't feel like getting sucked into the virtualization vortex.
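The "one more file you forgot" problem above is easy to catch mechanically. This is an added example, not from the original article: a small POSIX shell script that copies a binary and the shared libraries ldd reports for it into a jail that mirrors host paths, then lists anything still missing. The jail path, the binary and the extra config files are assumptions you adjust for the server you are jailing.

```shell
#!/bin/sh
# Build a minimal chroot jail for one binary and verify nothing was left out.
# Assumed layout: the jail mirrors host paths, so /lib/libc.so.6 on the host
# ends up at $JAIL/lib/libc.so.6 inside the jail.
set -eu

# jail_deps BIN: print BIN plus every shared library ldd resolves for it
jail_deps() {
    printf '%s\n' "$1"
    ldd "$1" 2>/dev/null | awk '$2 == "=>" && $3 ~ /^\// { print $3 }
                                $1 ~ /^\// { print $1 }'
}

# jail_install JAIL FILE...: copy each host file into the jail at the same path
jail_install() {
    jail=$1; shift
    for f in "$@"; do
        mkdir -p "$jail$(dirname "$f")"
        cp -p "$f" "$jail$f"
    done
}

# jail_missing JAIL FILE...: print every FILE not present under JAIL and
# return 1 if anything is missing, so it can gate starting the service
jail_missing() {
    jail=$1; shift
    rc=0
    for f in "$@"; do
        if [ ! -e "$jail$f" ]; then
            printf '%s\n' "$f"
            rc=1
        fi
    done
    return $rc
}

# build_jail JAIL BIN: populate the jail and report what is still missing.
# ldd only finds libraries; config files and /dev nodes must be listed by hand
# (the list below is a constructed placeholder for a real server's files).
build_jail() {
    jail=$1; bin=$2
    extra="/etc/resolv.conf /etc/hosts"
    deps=$(jail_deps "$bin")
    jail_install "$jail" $deps
    for x in $extra; do
        if [ -e "$x" ]; then jail_install "$jail" "$x"; fi
    done
    jail_missing "$jail" $deps $extra   # non-zero exit means a forgotten file
}

# Usage (as root, since chroot needs it): ./jail.sh --build /srv/jail /usr/sbin/named
if [ "${1-}" = "--build" ]; then build_jail "$2" "$3"; fi
```

Run the jailed program once with `chroot JAIL BIN` as a smoke test, and remember that chroot confines paths only: a process that stays root inside the jail can still escape, so drop privileges after the chroot.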
Virtuozzo and OpenVZ
SWsoft's Virtuozzo uses operating system-level virtualization to divvy up server resources and build homes for guest operating systems. This is more efficient and kinder to hardware resources than emulation. Virtuozzo is a popular product, second only to VMWare.
SWsoft sponsors OpenVZ, which is released under the GPL. OpenVZ is on its way to being included in the major Linux distributions. It requires a custom kernel as well as some userland utilities. There is a Yum repo, and it's in Debian Unstable. Building it from sources isn't too hard; real geeks can patch kernels, and there are good howtos on the OpenVZ Wiki.
What You Get With Commercial Products
The commercial virtualization products are expensive, and as we Linux geeks are spoiled by the abundance of high-quality free-of-cost software, the idea of actually paying money for software can take some getting used to. The main differences between the expensive stuff and the free stuff are the management consoles and administration utilities, or perhaps I should say the lack thereof.
The commercial products all have excellent front-ends that can do everything: monitoring, cloning, provisioning, disaster recovery, scaling both upwards and downwards, and moving operating systems and applications around on both physical and logical servers. You get some fine-grained resource management, right down to CPU, memory, and storage allocations. There's a great little Virtualization Solutions Flash demo at Dell that shows how it all works.
For the free-of-cost set, Fedora's Virt-Manager for Xen is promising, but for now it has a very limited feature set. I've seen the odd PHP frontend here and there for different projects, but nothing I can recommend even for testing. (Hint to any bored FOSS coders looking for something to do: there's a good project to consider.)
Some more virtualization projects worth investigating:
- Linux-VServer runs Linux guests on a host Linux system, using operating-system level virtualization. It uses what it calls "security contexts" to create virtual private servers in userspace. These security contexts are built with ordinary Linux tools like chroot, quotas, and routing. The kernel is unaffected; the virtual private servers share hardware efficiently, so there is very little performance hit. Users see only their own little virtual spaces. GPL and free of cost.
- QEMU and Bochs are emulators that replicate hardware functions in software, even hardware that is not physically present. So you can run unmodified guest operating systems in all manner of virtual hardware configurations. QEMU is GPL except for the QEMU Accelerator Module, which is a proprietary product. Bochs is LGPL.
- Ensim is a closed-source commercial family of products designed for Web hosting and delivering Web applications. Ensim uses a "private server technology" that sounds a lot like the concept behind Linux-VServer and Virtuozzo, operating-system level virtualization.