The architecture of OpenVZ VEs differs from that of traditional virtual machines: every VE runs the same OS kernel as the host system (while different VEs can still run different Linux distributions). This single-kernel design lets Virtual Environments run with near-zero overhead, so OpenVZ offers an order of magnitude higher efficiency and manageability than traditional virtualization technologies.
OS Virtualization
From the point of view of applications and Virtual Environment users, each VE is an independent system. This independence is provided by a virtualization layer in the kernel of the host OS. Only a negligible share of CPU resources (around 1-2%) is spent on virtualization. The main features of the virtualization layer implemented in OpenVZ are the following:
- A VE looks and behaves like a regular Linux system. It has standard startup scripts; software from vendors can run inside a VE without OpenVZ-specific modifications or adjustment;
- A user can change any configuration file and install additional software;
- Virtual Environments are completely isolated from each other (file system, processes, Inter Process Communication (IPC), sysctl variables);
- Processes belonging to a VE are scheduled for execution on all available CPUs, so a VE is not bound to a single CPU and can use all available CPU power.
Network virtualization
The OpenVZ network virtualization layer is designed to isolate VEs from each other and from the physical network:
- Each VE has its own IP address; multiple IP addresses per VE are allowed;
- Network traffic of a VE is isolated from that of other VEs; Virtual Environments are protected from each other so that one VE cannot snoop on another's traffic;
- Firewalling may be used inside a VE: the user can create rules limiting access to particular services with the standard iptables tool, from inside the VE itself;
- Routing table manipulations and advanced routing features are supported for individual VEs. For example, setting different maximum transmission units (MTUs) for different destinations, specifying different source addresses for different destinations, and so on.
Resource Management
OpenVZ resource management controls the amount of resources available for Virtual Environments. The controlled resources include such parameters as CPU power, disk space, a set of memory-related parameters, etc. Resource management allows OpenVZ to:
- Effectively share available Hardware Node resources among VEs (VPSs);
- Guarantee Quality-of-Service (QoS);
- Provide performance and resource isolation and protect from denial-of-service attacks;
- Collect usage information for system health monitoring.
Resource management is much more important for OpenVZ than for a standalone computer, since resource utilization in an OpenVZ-based system is considerably higher than in a typical system.
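The "collect usage information for system health monitoring" and "protect from denial-of-service attacks" points above come together in the per-VE resource counters that an OpenVZ kernel exposes in /proc/user_beancounters: each resource has a held/maxheld value, a barrier and a limit, and a failcnt that increments every time the VE was refused because it hit its limit. The following parser is an added example written for this page, not code from the OpenVZ project; it assumes the column layout of that file as shown in the constructed SAMPLE (VE ids, resource names and numbers are made up), and reports which VEs have exhausted a resource (a likely runaway or abusive workload) or are close to doing so.

```python
"""Parse /proc/user_beancounters and flag VEs that hit or approach a limit.

Added example, not part of the OpenVZ page or project. SAMPLE is constructed
in the layout OpenVZ kernels use for /proc/user_beancounters; values are
invented. On a real host, read the file instead of SAMPLE (see main()).
"""
import re
from collections import defaultdict

SAMPLE = """\
Version: 2.5
       uid  resource                     held              maxheld              barrier                limit              failcnt
      101:  kmemsize                  2711936              3055616             11055923             11377049                    0
            lockedpages                     0                    0                  256                  256                    0
            privvmpages                 48121                65536                65536                69632                   37
            numproc                        35                   40                  240                  240                    0
      102:  kmemsize                  1802240              1900544             11055923             11377049                    0
            lockedpages                     0                    0                  256                  256                    0
            privvmpages                 12000                14000                65536                69632                    0
            numproc                       240                  240                  240                  240                   12
"""

# A data row is: optional "uid:" prefix, a lowercase resource name, five integers.
# Header lines ("Version: 2.5", the column-title line) do not match and are skipped.
ROW = re.compile(
    r"^\s*(?:(?P<uid>\d+):)?\s*(?P<name>[a-z_]+)\s+"
    r"(?P<held>\d+)\s+(?P<maxheld>\d+)\s+(?P<barrier>\d+)\s+"
    r"(?P<limit>\d+)\s+(?P<failcnt>\d+)\s*$"
)
FIELDS = ("held", "maxheld", "barrier", "limit", "failcnt")


def parse_beancounters(text):
    """Return {veid: {resource: {held, maxheld, barrier, limit, failcnt}}}.

    The uid appears only on the first row of each VE's block; later rows
    belong to the most recently seen uid.
    """
    counters = defaultdict(dict)
    veid = None
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        if m.group("uid") is not None:
            veid = int(m.group("uid"))
        if veid is None:
            continue  # data row before any uid: malformed input, ignore
        counters[veid][m.group("name")] = {k: int(m.group(k)) for k in FIELDS}
    return dict(counters)


def failed_resources(counters):
    """{veid: {resource: failcnt}} for every resource the VE was refused on.

    A non-zero failcnt means the limit actually fired: the VE asked for more
    than it was allowed and the kernel denied it, which is the event worth
    alerting on (runaway process, fork bomb, memory exhaustion attempt).
    """
    report = {}
    for veid, resources in counters.items():
        hits = {r: v["failcnt"] for r, v in resources.items() if v["failcnt"] > 0}
        if hits:
            report[veid] = hits
    return report


def near_limit(counters, threshold=0.9):
    """{veid: [resource, ...]} where held >= threshold * barrier.

    Barrier is the soft limit; resources with a zero barrier (placeholders)
    are skipped to avoid dividing by zero.
    """
    report = {}
    for veid, resources in counters.items():
        close = [r for r, v in sorted(resources.items())
                 if v["barrier"] > 0 and v["held"] / v["barrier"] >= threshold]
        if close:
            report[veid] = close
    return report


def main(path=None):
    # On an OpenVZ host pass "/proc/user_beancounters"; default uses SAMPLE.
    text = open(path).read() if path else SAMPLE
    counters = parse_beancounters(text)
    print("limit hits:", failed_resources(counters))
    print("near limit:", near_limit(counters))


if __name__ == "__main__":
    main()
```

Run periodically from the host (not from inside a VE, which sees only its own counters) and diff the failcnt values between runs; a counter that keeps growing on one VE is the resource-isolation layer doing its job against that VE, and a signal that the VE's workload deserves a look.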
Checkpointing and live migration
FIXME