Re: Operating system-level virtualization: how to make it?
On Tue, May 26, 2009 at 08:46:49PM +0200, Laurent Guignard wrote:
> On Fri, 22 May 2009 18:02:27 +0000, Sylvain Le Gall wrote:
> > On 22-05-2009, Sthu Deus <firstname.lastname@example.org> wrote:
> > > How I can organize a Operating system-level virtualization on a server
> > > for every service I would isolate?
> > Use a chroot (standard) or a vserver (search for vserver in debian
> > archives there is a kernel version and two packages for userland tools).
> > vserver is more flexible and allow you to assign IP address et al.
> Beyond the question, what is the interest to virtualize services. I understand
> the need to virtualize different machine for OS specific server software,
> tests and so on.
> Is there anywhere to find when virtualization is the best way to solve a
> problem and when it isn't ?
Unless something has changed, to be really secure, virtualization has to
be fully supported in the hardware of the CPU so that there are no CPU
instructions that can be issued from within the virtual machine to break
out of it. i386/amd64 don't meet that criteria. I don't know what
other vendors have, but e.g. IBM's Power architecture does, and provides
logical partitions (LPARs) at the firmware level which appear to the OS
as a real piece of hardware.
AFAIK, virtualization on i386/amd64, beyond the os-specific software or
testing issues, is a gimmick. It may provide one extra layer for
someone to try to break out of but it also adds an extra layer to hold