Jan Kokoska

Linux Virtualization: OpenVZ vs. Vserver

By: Jan Kokoska, 7th of December 2007

7th of December 2007

Article version: 1.1 (incorporated feedback from Herbert Poetzl)

Today I will compare relative merits of the two main players in opensource Linux OS virtualization (note the differences to para- or full virtualization explained previously), the venerable Linux-VServer project and a relative new-comer, the commercially backed OpenVZ.

The following is written from perspective of having run Linux OS virtualization in production for several years, powering all of Fry-IT server infrastructure since 2005.

Resource Management

It is crucial how contexts (in Linux-VServer's terminology) or virtual environments (VEs, is OpenVZ's talk) are separated in terms of resource allocation. We're talking about OS virtualization where everything runs on (and would fail with) one Linux kernel. Linux-VServer has traditional ulimit-based resource limits (such as total memory allocation, amount of shared memory, number of open files, etc), plus CPU buckets that set the ratios in which contexts will be allocated time quanta. Additionally, it is possible to switch on virtualization of resources such as memory, CPU and system load, akin to what OpenVZ has built in. These are very useful features and it's a pity that a sizeable part of Linux-VServer users might miss them by simply running the default configuration where these are disabled.

Lets make a digression and explain how to switch these on in Linux-VServer:

cat << EOF > /etc/vservers/<name>/flags
VIRT_MEM
VIRT_UPTIME
VIRT_CPU
VIRT_LOAD
EOF

This is just a basic change, see the above linked documentation for more options to set. Now we can compare like for like in resulting VM behaviour of Linux-VServer and OpenVZ.

Linux-VServer limits are set by modifying text files under /etc/vservers which applies on next VM start. Online change can be achieved through vlimit, though this tool doesn't appear to be as smooth to use as the one system that OpenVZ uses for both one-time and persistent resource limits modification (in either case applied with immediate effect), vzctl (with or without the --save, respectively).

OpenVZ provides a well-balanced set of custom resource limits that include kernel memory size, number of unswappable (locked) memory pages, shared memory pages, number of processes, number of TCP sockets, size of TCP send buffers and size of receive buffers, and about a dozen of other resource limits. It is in practice possible to throttle the virtual machine using these limits as if it in fact was on a slower, smaller machine than it really is, without affecting other virtual machines in any significant way. I believe the OpenVZ resource limiting system gives the system administrator slightly more power but I have managed to run hosts with 50 VMs on Linux-VServer without many practical issues, too. The OpenVZ limits have potential to prevent several classes of DOS attacks (TCP, IPC resources, kernel memory etc), that could come into focus as soon as we're unfortunate enough for any of these to occur on our systems.

However, OpenVZ resource limits can be confusing and the failure counts of hitting these limits needs to be monitored and the operator alerted in a timely manner to resolve the situation. Also, OpenVZ limits are quite a balancing act to get right in combination (however all the important relationships between them are sufficiently described in the documentation. Despite the noted balancing complexity, I would rank OpenVZ slightly higher on the topic of resource management.

Development and Maintenance Style

The Linux-VServer development process was described by Herbert Poetzl, the main developer, as mainly event-driven (i.e. they make Linux-VServer patch work on new kernels as soon as these come out, with the infrastructure that they provide, while keeping the patch lean). OpenVZ design, on the other hand, is clearly more roadmap-driven, they only fork the official kernel about once per year and assume responsibility of maintaining security patches on top of it. OpenVZ team contributes to profiling and security auditing of the kernel, fixing numerous bugs in the process, so OpenVZ kernel can be arguably sometimes more up-to-date than vanilla kernel itself. However, it is vastly more modified, so a peaceful coexistence with another patch, if such need arises (and it does), is far less likely than in the case of Linux-VServer. Even compiling OpenVZ with customized .config settings very frequently fails, so the simplest way out is to run their default configuration, or very close to it. OpenVZ team are however fast to patch these issues, so at least vanilla kernel configuration options should be eventually supportable in any reasonable combination. Applying patches from other parties is still a major problem though (e.g. swsusp2).

OpenVZ narrowly wins when it comes to code stability and maintainability of a large deployment. Linux-VServer eclipses OpenVZ in ease of configuration for custom kernels and availability for very latest kernel versions. For a laptop that needs to support hibernation via swsusp2 and OS virtualization for testing/development purposes, I would recommend Linux-VServer. But where servers are concerned, we're gradually migrating away from Linux-VServer and to OpenVZ.

To this effect, I wrote a vs2ovz migration procedure that takes a running Linux-VServer VM, an SSH-accessible physical host running OpenVZ and leaves the user with running OpenVZ VM with the same parameters as the original Linux-VServer one. This includes the IP, unique VEID derived from the IP, hostname, some selected resource limits that need to be preserved in the new system, and of course all the data. Two-pass rsync is performed to minimize the VM downtime during migration. If you're interested in using this, or other automation tools related to these two projects, write to me at "jan" at Fry-IT company.

Final Points

In the current development branch, OpenVZ supports live migration of the virtual machines. What a killer feature! (I still need to try it out, though.) Also the virtualized interfaces in OpenVZ that allow separate firewalls attached from inside the VEs and/or individual QoS queuing disciplines can come very handy in more sophisticated setups. Linux-VServer people might say this is inefficient and adds complexity, but I've found the overhead to be very low and the ability to at the very least have individual firewalls in each VM to be extremely useful.

Here's hoping that standard Linux kernel will soon include more OS virtualization features, after recent merge of IPC namespace virtualization (some kernel developers say network device virtualization will be the hardest to reach agreement on) and the basic features will be the same across the board. It certainly appears that virtualization is quickly becoming a commodity and the future developments might focus more on datacentre automation and similar tasks on top of reliable virtualized infrastructure.

As mentioned above, it is reasonably straightforward to convert virtual machines between the two virtualization technologies, even without any standards like those cropping up around hardware virtualization technologies recently. So it is possible to run development VMs on a laptop that can hibernate with swsusp2 and later copy/move this VM to production server that will be hosting it under OpenVZ. An opposite migration would be equally feasible.

The Score

A completely unscientific rating follows.

Linux-VServer loses one point in my eyes on resource management (OpenVZ's vzctl/vzquota simply set the standard high) and one on documentation (it's very hard to find the latest greatest way to do things, that initially lead to my writing version 1.0 of this article with lots of mistakes). Resource management consolidation, switching on useful features by default and centralized and end user focused documentation will further improve the already very successful project.

OpenVZ loses a point on lack of patch flexibility and option to combine with other kernel extensions, or even atypical configurations of standard kernel. Further features such as GUI management and centralized management console can be found in Parallels' commercial offering Virtuozzo. If I were rating Virtuozzo, I would subtract another point for delaying on support of my favourite platform, Ubuntu/Debian Linux, where 64-bit Ubuntu templates took a real effort to get working (despite Ubuntu being listed as officially supported platform and despite the hefty price tag on Virtuozzo solution), in fact it was much harder for me to work with than OpenVZ. However I'm sticking to comparing apples for apples in comparing the two opensource offerings and OpenVZ's packaging under Ubuntu/Debian is fortunately very good.

Community support from both projects is nothing short of amazing, helpful hints on how to get setups working, even patches to support my weird kernel option combinations, etc, are equally likely to come from either direction. In any case, and based on previous experience, I doubt many commercial vendors would be able to even match the level of dedication to support that both of the Linux OS virtualization projects offer consistently and for free.

Linux-VServer: 8/10,
OpenVZ: 9/10.




Comment

Peter Bengtsson - 22nd November 2007  [«« Reply to this]
Thanks for writing that. Great summary that even I can understand.

One question though, if you were to include performance in the final score, what would it be then?
Jan - 22nd November 2007   [«« Reply to this]
Both Vserver and OpenVZ are Linux *OS* virtualization, that barely has any performance hit at all -- it runs very close to the native speed with which the Linux kernel can do things. This is why putting it all under Xen (to achieve resource *guarantees* per partition on really big boxes) is something we're certainly not rushing -- Xen would have to give us close to native performance like the OS virtualization can, first of all, and it currently falls far behind (CPU chip improvements are needed, too, Xen has it much harder).

I was looking into this in a previous article linked at the top of this one:
http://www.fry-it.com/at/the-virtues-of-os-level-virtualization

That explains in what respects OS virtualization is better than the other methods and some risks associated with it (that Vserver and OpenVZ must handle somehow and that's what I'm rating them on here).

I was previously thinking of Xen+Vserver, because vserver couldn't do as much in terms of resource limiting. These days I'm thinking OpenVZ alone will be able to handle it, even on 4x4 (16-core) machines with lots of RAM. We shall see a year down the line.
Bertl - 6th January 2008  [«« Reply to this]
I think you should have a look at Linux-VServer instead of this strange Vserver patch you have been testing ... (http://linux-vserver.org/)

It supports all the various Resource Limits and of course, they can be adjusted at runtime. Furthermore all the information (like load or memory) is virtualized as one can expect. Finally the network isolation (compared to virtual network stacks) is a performance win as is the TB scheduler.

good luck next time,
Herbert
Jan - 6th January 2008   [«« Reply to this]
Hi Herbert,

Maybe you can explain what I'm doing wrong then. This is a physical machine:
root@wonko:~# free
total used free shared buffers cached
Mem: 16500576 16298204 202372 0 2042616 1776824
-/+ buffers/cache: 12478764 4021812
Swap: 979924 434904 545020

This is a Vserver running on it:

qua:~# free
total used free shared buffers cached
Mem: 16500576 16393948 106628 0 2042716 1777672
-/+ buffers/cache: 12573560 3927016
Swap: 979924 434904 545020

Lets see what OpenVZ does, a physical machine:

root@desiato:~# free
total used free shared buffers cached
Mem: 12271732 11948488 323244 0 310964 9495272
-/+ buffers/cache: 2142252 10129480
Swap: 1951856 2548 1949308

And a VE (virtual environment) running on it (with 1 GB physpages quota):

keean:~# free
total used free shared buffers cached
Mem: 1024000 13108 1010892 0 0 0
-/+ buffers/cache: 13108 1010892
Swap: 0 0 0

See my point? Same for load, same for network sockets (open files), etc.

How do I get similar functionality in Vserver?

I could well we unaware what you & team have done lately and somehow forcing the old way things have been done in early days. Please let me know if this is the case.

root@wonko:~# uname -r
2.6.20.15-vs2.2.0.3-64bit

Also, how do I make a change such as changing max phys pages in rlimits/rss.hard apply to a running vserver? Some kind of reload command?

It's not even obvious (as per the above) what the running limits *are*. In OpenVZ this is very obvious.

I'm absolutely willing to edit my article to show the best way you're doing things, but if I couldn't glean it from the documentation, maybe you could help.
Bertl - 7th January 2008   [«« Reply to this]
try setting a VM and RSS limit for this guest (http://linux-vserver.org/Memory_Limits), and make sure that you have VIRT_MEM set ... (http://linux-vserver.org/Capabilities_and_Flags)

the difference to OpenVZ is that Linux-VServer does not impose any limits by default ...

check out VIRT_LOAD, VIRT_UPTIME, ...

you can get the current limits as well as statistical information via proc or via the API/ABI (http://linux-vserver.org/ProcFS#limit)

documentation is definitely the weak spot of Linux-VServer, that's why we have the IRC channel (#vserver @ irc.oftc.net) to help folks (like you) ...
Jan - 7th January 2008  [«« Reply to this]
I'll check out the VIRT_* capabilities, that definitely looks like what I need. Edit: yes, free, uptime, top, everything looks much more useful now!

My mistake was to assume this is unavailable when in fact the wiki says it's been in since 2.1.1. What I do question however is this off-by-default policy. When you introduce a vastly superior feature such as showing guest how much RAM it has and how much it in fact taking up, instead of showing completely useless figures for the whole machine, I would push for on-by-default on all these (VIRT_* with exception of the overhead-introducing VIRT_TIME maybe... guests can be expected to make do with only different timezones in userland, as long as root's UTC is precise).

Now time to find out what all else I should enable to really get all the benefits ;)

BTW, documentation is what got hooked me up on OpenVZ so quickly. Having to read 100 pages of docs might be seen as a slight pain (I don't mind much), but having it instead scattered all over place is in fact worse. People are lazy and don't want to make their own user applicable conclusions from what is essentially developer documentation. It sounds bad, but I'm no exception.

Is there some particular area that lacks user documentation the most? Is someone working on a bigger PDF of 2.2 user docs all in one place? I should probably come and ask this on the channel..
Jan - 18th January 2008  [«« Reply to this]
Version 1.1 of the article released by replacing version 1.0 originally above. All comments above this one concern the original version of the article and may not necessarily apply to version 1.1.
Jan Kokoska - 27th January 2008  [«« Reply to this]
http://www.montanalinux.org/linux-vserver-interview.html
http://lwn.net/Articles/257989/

I share the opinion of some of the posters that OOT = (maintaining code) out of (mainline kernel) tree is very costly. Our migration to OpenVZ continues, as well as development of custom OpenVZMA control panel.
Randy - 5th May 2008  [«« Reply to this]
Jan,

Thanks for the great review! I do have one question for you. Does OpenVS support guest files system unification or something like it?

http://linux-vserver.org/Paper#Unification

If not, does that impact your consideration/rating at all?
Jan - 6th May 2008  [«« Reply to this]
Hi Randy,

I'm glad you found this post useful! Regarding filesystem unification, I don't think OpenVZ supports it out of box. However, the commercial parent, Virtuozzo supports it via VZFS and takes it even much further: "immutable" library objects are shared in memory, too, filecaches are shared etc. There are a lot of ACLs that they must be taking care of to make that work. The result is what SWsoft/Parallels people say about virtualization density: OpenVZ is good for tens of VMs, Virtuozzo scales up to hundreds.

At Fry-IT, I think we'll soon manage to squeeze in 100 VMs even on OpenVZ (when we get a 16-core machine), but otherwise I do buy the argument that unification in filesystem and memory mappings does help. To be frank, RAM is of much more concern than disk -- it's easy to get a terabyte of RAID disk these days and that will be half empty, too, but RAM costs still significantly more in the units you needs to have it in for a decent virtualization server (16 GB min, 32 GB better).

Back to your original question: I think unification would seriously start to matter for me if I were managing a mass hosting infrastructure with thousands of low-cost VMs. As we're more into managed services, where the pressure to squeeze every bit of efficiency out of the system (perhaps at the expense of availability and quality of service) isn't as great, lack of unification support for me still is a non-issue.
 



hide my email address.

Your email address will be encoded to prevent email-extraction spiders from reading it so you won't get spammed if you decide to show your email address.