Changes
Features
,no edit summary
== OS Virtualization ==
From the point of view of applications and [[Virtual Environmentcontainer]] users, each VE container is an independent system. This independency independence is provided by a virtualization layer in the kernel of the host OS. Note that only a negligible part of the CPU resources is spent on virtualization (around 1-2%). The main features of the virtualization layer implemented in OpenVZ are the following:
* A [[VEcontainer]] (CT) looks and behaves like a regular Linux system. It has standard startup scripts; software from vendors can run inside a VE container without OpenVZ-specific modifications or adjustment;
* A user can change any configuration file and install additional software;
* [[Virtual EnvironmentContainer]]s are completely isolated from each other (file system, processes, Inter Process Communication (IPC), sysctl variables);* Processes belonging to a [[VE]] container are scheduled for execution on all available CPUs. Consequently, VEs [[CT]]s are not bound to only one CPU and can use all available CPU power.
== Network virtualization ==
The OpenVZ network virtualization layer is designed to isolate VEs [[CT]]s from each other and from the physical network:
* Each VE [[CT]] has its own IP address; multiple IP addresses per VE CT are allowed;* Network traffic of a VE CT is isolated from the other VEsCTs. In other words, Virtual Environments containers are protected from each other in the way that makes traffic snooping impossible;* Firewalling may be used inside a VE CT (the user can create rules limiting access to some services using the canonical iptables tool inside the VEa CT). In other words, it is possible to set up firewall rules from inside a VECT;* Routing table manipulations and advanced routing features are supported for individual VEscontainers. For example, setting different maximum transmission units (MTUs) for different destinations, specifying different source addresses for different destinations, and so on.
== Resource Management ==
OpenVZ [[resource management]] controls the amount of resources available for Virtual Environmentscontainers. The controlled resources include such parameters as CPU power, disk space, a set of memory-related parameters, etc. Resource management allows OpenVZ to:
* Effectively share available Hardware Node [[host system]] resources among VEsCTs
* Guarantee Quality-of-Service (QoS)
* Provide performance and resource isolation and protect from denial-of-service attacks
Resource management is much more important for OpenVZ than for a standalone computer since computer resource utilization in a OpenVZ-based system is considerably higher than that in a typical system.
As all the VEs CTs are using the same kernel, resource management is of paramount importance. Really, each VE CT should stay within its boundaries and not affect other VEs CTs in any way — and this is what resource management does.
OpenVZ resource management consists of three four main components: two-level disk quota, fair CPU scheduler, disk I/O scheduler, and user beancounters. Please note that all those resources can be changed during VE CT runtime, there is no need to reboot. Say, if you want to give your VE CT less memory, you just change the appropriate parameters on the fly. This is either very hard to do or not possible at all with other virtualization approaches such as VM or hypervisor.
If you one want to give your VE a CT more disk space, you just increase its disk quota. No need to resize disk partitions etc.
CPU scheduler in OpenVZ is a two-level implementation of [[fair-share scheduling]] strategy.
On the first level scheduler decides which VE CT is give the CPU time slice to, based on per-VE CT cpuunits values. On the second level the standard Linux scheduler decides which process to run in that VEcontainer, using standard Linux process priorities and such.
OpenVZ administrator can set up different values of <code>cpuunits </code> for different VEscontainers, and the CPU time will be given to those proportionally.
Also there is a way to limit CPU time, e.g. say that this VE container is limited to, say, 10% of CPU time available.
====User Beancounters=I/O scheduler ===User Beancounters is a set of per-VE counters, limits, and guarantees. There is a set of about 20 parameters which are carefully chosen Similar to cover all the aspects of VE operationFair CPU scheduler described above, so no single VE can abuse any resource which I/O scheduler in OpenVZ is limited for the whole node and thus do harm to another VEsalso two-level, utilizing Jens Axboe's CFQ I/O scheduler on its second level.
Each container is assigned an I/O priority, and the I/O scheduler distributes the available I/O bandwidth according to the priorities assigned. Thus no single container can saturate an I/O channel. === User Beancounters === [[User beancounters]] is a set of per-CT counters, limits, and guarantees. There is a set of about 20 parameters which are carefully chosen to cover all the aspects of CT operation, so no single container can abuse any resource which is limited for the whole node and thus do harm to another CTs. Resources accounted and controlled are mainly memory and various in-kernel objects such as IPC shared memory segments, network buffers etc. etc. Each resource can be seen from <ttcode>/proc/user_beancounters</ttcode> and has five values assiciated with it: current usage, maximum usage (for the lifetime of a VEcontainer), barrier, limit, and fail counter. The meaning of barrier and limit is parameter-dependant; in short, those can be thought of as a soft limit and a hard limit. If any resource hits the limit, fail counter for it is increased, so VE owner CT administrator can see if something bad is happening by analyzing the output of <ttcode>/proc/user_beancounters</ttcode> in her VEcontainer.
== Checkpointing and live migration ==