Operating system-level virtualization

Operating system-level virtualization

Operating system-level virtualization is a server virtualization method where the kernel of an operating system allows for multiple isolated user-space instances, instead of just one. Such instances (often called containers, VEs, VPSs or jails) may look and feel like a real server, from the point of view of its owner. On Unix systems, this technology can be thought of as an advanced implementation of the standard chroot mechanism. In addition to isolation mechanisms, the kernel often provides resource management features to limit the impact of one container's activities on the other containers.



Operating system-level virtualization is commonly used in virtual hosting environments, where it is useful for securely allocating finite hardware resources amongst a large number of mutually-distrusting users. System administrators may also use it, to a lesser extent, for consolidating server hardware by moving services on separate hosts into containers on the one server.

Other typical scenarios include separating several applications to separate containers for improved security, hardware independence, and added resource management features.

OS-level virtualization implementations that are capable of live migration can be used for dynamic load balancing of containers between nodes in a cluster.

Advantages and disadvantages


This form of virtualization usually imposes little or no overhead, because programs in virtual partition use the operating system's normal system call interface and do not need to be subject to emulation or run in an intermediate virtual machine, as is the case with whole-system virtualizers (such as VMware and QEMU) or paravirtualizers (such as Xen and UML). It also does not require hardware assistance to perform efficiently.


Operating system-level virtualization is not as flexible as other virtualization approaches since it cannot host a guest operating system different from the host one, or a different guest kernel. For example, with Linux, different distributions are fine, but other OS such as Windows cannot be hosted. This limitation is partially overcome in Solaris by its branded zones feature, which provides the ability to run an environment within a container that emulates an older Solaris 8 or 9 version in a Solaris 10 host. (a Linux branded zone was also announced but later abandoned).


Some operating-system virtualizers provide file-level copy-on-write mechanisms. (Most commonly, a standard file system is shared between partitions, and partitions which change the files automatically create their own copies.) This is easier to back up, more space-efficient and simpler to cache than the block-level copy-on-write schemes common on whole-system virtualizers. Whole-system virtualizers, however, can work with non-native file systems and create and roll back snapshots of the entire system state.


Mechanism Operating system License Available since/between Features
File system isolation Copy on Write Disk quotas I/O rate limiting Memory limits CPU quotas Network isolation Partition checkpointing
and live migration
chroot most UNIX-like operating systems Proprietary



1982 Partial[1] No No No No No No No
iCore Virtual Accounts Windows XP Proprietary/Freeware 2008 Yes No Yes No No No No No
(security context)
Linux GNU GPL v.2 2001 Yes Yes Yes Yes [2] Yes Yes Partial[3] No
LXC Linux GNU GPL v.2 2008 Partial[4] Partial. Yes with Btrfs. Partial. Yes with LVM or Disk quota. Yes Yes Yes Yes No
OpenVZ Linux GNU GPL v.2 2005 Yes No Yes Yes [5] Yes Yes Yes[6] Yes
Parallels Virtuozzo Containers Linux, Windows, Mac OS X Proprietary 2001 Yes Yes Yes Yes [7] Yes Yes Yes[6] Yes
Container/Zone Solaris and OpenSolaris CDDL 2005 Yes Partial. Yes with ZFS Yes No Yes Yes Yes[8] No[9]
FreeBSD Jail FreeBSD BSD 1998 Yes Yes (ZFS) Yes [10] No Yes [11] Partial [12] Yes No
sysjail OpenBSD, NetBSD BSD - no longer supported as of 03-03-2009 Yes No No No No No Yes No
WPARs AIX Proprietary 2007 Yes No Yes Yes Yes Yes Yes[13] Yes[14]
HP SRP HPUX Proprietary 2007 Yes No  — Yes Yes Yes Yes Yes
Sandboxie Windows Shareware ? ? ? ? ? ? ? ? ?


  1. ^ Root user can easily escape from chroot. Chroot was never supposed to be used as a security mechanism.[according to whom?] [1]
  2. ^ Utilizing the CFQ scheduler, you get a separate queue per guest.
  3. ^ Networking is based on isolation, not virtualization.
  4. ^ Due to lack of user name space separation in the Linux kernel it is currently possible to evade from linux containers
  5. ^ Available since kernel 2.6.18-028stable021. Implementation is based on CFQ disk I/O scheduler, but it is a two-level schema, so I/O priority is not per-process, but rather per-container. See OpenVZ wiki: I/O priorities for VE for details.
  6. ^ a b Each container can have its own IP addresses, firewall rules, routing tables and so on. Three different networking schemes are possible: route-based, bridge-based, and assigning a real network device (NIC) to a container.
  7. ^ Available since version 4.0, January 2008.
  8. ^ See OpenSolaris Network Virtualization and Resource Control and Network Virtualization and Resource Control (Crossbow) FAQ for details.
  9. ^ Cold migration (shutdown-move-restart) is implemented.
  10. ^ Check the "allow.quotas" option and the "Jails and File Systems" section on the FreeBSD jail man page for details.
  11. ^ http://wiki.freebsd.org/Hierarchical_Resource_Limits
  12. ^ Check the "cpuset.id" option on the FreeBSD jail man page and the cpuset command. It's not a full cpu quota support because it constraints one or more processes to a given set/list of processors (cores) but it doesn't control the absolute processor/core related utilization.
  13. ^ Available since TL 02. See [2] for details.
  14. ^ See [3]

See also

External links

Wikimedia Foundation. 2010.

Игры ⚽ Поможем написать реферат

Look at other dictionaries:

  • Operating system — Operating systems …   Wikipedia

  • IBM AIX (operating system) — Infobox OS name = AIX caption = developer = IBM source model = Closed source kernel type = Dynamic Extendable supported platforms = ROMP, IBM POWER, PowerPC, IBM PS/2, System/370, ESA/390 ui = Common Desktop Environment family = UNIX System V… …   Wikipedia

  • Virtualization — In computing, virtualization is a broad term that refers to the abstraction of computer resources:* Platform virtualization, which separates an operating system from the underlying platform resources ** Full virtualization ** Hardware assisted… …   Wikipedia

  • Virtualization engine — In computing, a virtualization engine is the concept of giving a holistic view of all the resources in the entire network infrastructure. The holistic view is independent of the physical data storage devices and their geographic location.A good… …   Wikipedia

  • VM (operating system) — Infobox OS name = z/VM Teddy bear a VM s mascot since 1983. caption = zVM/CMS fullscreen developer = IBM source model = Closed source kernel type = supported platforms = System/370, System/390, zSeries, System z9 ui = family = VM family released …   Wikipedia

  • Solaris (operating system) — Solaris Company / developer Oracle Corporation Programmed in C OS family Unix …   Wikipedia

  • Comparison of operating system kernels — A kernel is the core component of every computer operating system. While kernels are highly technical in nature, and may be hidden from the user under many layers of software and applications, they do have distinguishing or characteristic… …   Wikipedia

  • Ubuntu (operating system) — Ubuntu Ubuntu 11.10 (Oneiric Ocelot) Company / developer …   Wikipedia

  • Timeline of virtualization development — Timelines Note: This timeline is missing data for important historical systems, including: Atlas Computer (Manchester), GE 645, Burroughs B5000* 1964 ** IBM Cambridge Scientific Center begins development of CP 40. * 1965 ** IBM M44/44X,… …   Wikipedia

  • Platform virtualization — In computing, platform virtualization is a term that refers to the abstraction of computer resources. Virtualization hides the physical characteristics of computing resources from their users, be they applications, or end users. [ cite web | last …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”