OpenVZ has a number of unique features that can be effectively used in the following scenarios:
Consider a Linux server used to serve mail, web site, and DNS. There are at least three different applications listening to and handling network requests, and any of them can contain security holes. Using OpenVZ, a server can be divided into three VEs, one for each application. Thus, if the DNS server is compromised, the other applications will still be left intact due to complete isolation between VEs.
Having a separate physical server for each application is generally a good approach, it increases availability and improves security. However, separate servers lead to increased costs of hardware and collocation, and modern hardware is often underutilized in this scenario.
With OpenVZ, you can enjoy the benefits of dedicated server without such drawbacks. Create a VE for each application and use the existing hardware more efficiently. This approach can be deployed totally transparently to users using OpenVZ.
Development and testing
Developers often need access to several different Linux distributions to develop an application. Testing also needs to be performed on various software configurations. Therefore, testing and development groups often require a lot of hardware.
Alternatively, using OpenVZ developers and QAs can create multiple partitions with different Linux distributions and configurations residing on one physical server. Each VE can have its own set of packages, system libraries, configuration files. You can do snapshots and rollbacks.
- Isolated users
- A VE is like a real server, just very cheap
- Each user can have his own versions of applications
- Much easier to admin
Question: On a real server, I could run several apps, each one in its own VE, for security. "A VE is like a real server..." So, can I also do this inside a VE? In other words: Can a VE support another, inner VE?
If that is possible, I'd like to see that advertised fiercely. If not, please be honest and say so.
With OpenVZ, a separate VE can be created for every student. Thus, each student gets their own root account and can do everything on their own server, e.g. experiment with firewall configuration rules (iptables).