TOCICI

What is OpenVZ

OpenVZ (Open VirtualiZation) is an operating system-level virtualization technology based on the Linux kernel and operating system. OpenVZ enables a physical server to run multiple isolated operating system instances, known as containers, Virtual Private Servers (VPSs), or Virtual Environments (VEs). It is similar to FreeBSD Jails and Solaris Zones.

As compared to virtual machines such as VMware and paravirtualization technologies like Xen, OpenVZ focuses on supporting only Linux as both the guest and host operating system (Linux distributions can vary between containers). However, the major advantage is in performance; there is only a 1–3% performance penalty for OpenVZ as compared to using a standalone server.

Security

For a project such as OpenVZ, security of the software is of paramount importance. This is how we're assured of OpenVZ's security.

Kernel Security

  • The OpenVZ kernel is based on the Linux kernel.
  • The OpenVZ team tracks and analyzes all the security updates to the Linux kernel and applies them accordingly.
  • Note that the current stable kernel branches are based upon the 2.6.18 and 2.6.32 kernel versions, both of which are older releases. This is done to achieve the maximum possible security and stability. By using an older kernel, we avoid suddenly introducing new bugs or security holes, since the older bugs and holes have already been discovered and fixed.
  • Larger vendors, such as Novell and Red Hat, do the same for their enterprise Linux offerings.
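As an added example (not TOCICI's or the OpenVZ project's code), the following Python script shows how an administrator can check which of the two points above hold on a given machine: whether the running kernel is an OpenVZ build on one of the stable 2.6.18 or 2.6.32 branches, and whether the machine is an OpenVZ host, a container, or neither. The kernel-release parsing assumes the "-NNNstab" suffix that OpenVZ kernel builds carry in `uname -r`; the sample release strings are constructed for illustration. The host/container distinction uses the presence of /proc/vz (both) and /proc/bc (host only).

```python
"""Check an OpenVZ kernel branch and host/container role.

Added example, not part of the original page.  Assumptions:
  * OpenVZ kernel builds append "-<number>stab..." to the base version.
  * An OpenVZ host exposes /proc/vz and /proc/bc; a container exposes
    /proc/vz but not /proc/bc; a plain kernel exposes neither.
"""
import os
import platform
import re
from typing import Callable, Dict, Optional

# Stable branches named on the page.
STABLE_BRANCHES = ("2.6.18", "2.6.32")

# "2.6.32-042stab084.17" -> base "2.6.32", stab suffix present.
VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)(-\d+stab)?")


def classify_kernel(release: str) -> Dict[str, Optional[object]]:
    """Parse a `uname -r` string.

    Returns the base version, whether the release looks like an OpenVZ
    build, and whether that base is one of the stable branches.
    """
    m = VERSION_RE.match(release)
    if not m:
        return {"base": None, "openvz_build": False, "stable_branch": False}
    base = m.group(1)
    return {
        "base": base,
        "openvz_build": m.group(2) is not None,
        "stable_branch": base in STABLE_BRANCHES,
    }


def detect_role(exists: Callable[[str], bool] = os.path.exists) -> str:
    """Return 'host', 'container' or 'none' from the /proc layout.

    `exists` is injectable so the logic can be exercised without a real
    OpenVZ kernel.
    """
    has_vz = exists("/proc/vz")
    has_bc = exists("/proc/bc")
    if has_vz and has_bc:
        return "host"
    if has_vz:
        return "container"
    return "none"


def report(release: Optional[str] = None) -> str:
    """One-line summary for the running system (or a supplied release)."""
    rel = release if release is not None else platform.release()
    info = classify_kernel(rel)
    role = detect_role()
    if not info["openvz_build"]:
        kernel = "not an OpenVZ kernel build"
    elif info["stable_branch"]:
        kernel = "OpenVZ build on stable branch %s" % info["base"]
    else:
        kernel = "OpenVZ build on non-stable base %s" % info["base"]
    return "%s: %s (role: %s)" % (rel, kernel, role)


if __name__ == "__main__":
    # Constructed sample release strings, then the live system.
    for sample in ("2.6.32-042stab084.17", "2.6.18-028stab099.3",
                   "3.10.0-123.el7.x86_64"):
        print(report(sample))
    print(report())
```

On a host the role check needs no privileges; the release check is purely a string test, so it can also be run against `uname -r` output collected from an inventory of machines.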

Security Audit

OpenVZ has undergone a thorough security audit, performed by Solar Designer in winter 2005. He found a single issue in OpenVZ kernel code and a couple of issues in mainstream Linux kernel code — all of them were fixed, and the mainstream fixes were sent to the LKML.

Security History

Since its initial public release in 2005, only two CVE listings have been assigned to OpenVZ 1):

Compare OpenVZ's track record to other popular virtualization solutions:

Product      CVE Entries
KVM           50
VMware       634
VirtualBox    15
Xen          148

Performance

To briefly address and nullify possible performance-related concerns:

  1. OpenVZ does not utilize a hypervisor, full virtualization, or any other type of emulation layer, and hence does not have the overhead typical of those environments.
  2. All security isolation is managed at kernel level, without context switching overheads.
  3. Performance concerns regarding I/O contention between multiple simultaneous virtual machines do not apply in this setup; only one VM will be running during measurements and profiling runs.
  4. See Wikipedia on OpenVZ Performance
    1. For all the cases tested, the virtualization overhead observed in OpenVZ is low, and can be neglected in many scenarios.
  5. The overhead of popular system-level profiling tools, such as OProfile, is higher than the virtualization overhead typically found in OpenVZ containers.
1) as of March 2013