VServer developer answers your questions



alexu - Posted on 17 November 2008

Herbert Pötzl, lead VServer developer, kindly answers questions of Linsovet.com and Linux.org.ru users.

Could you tell a little bit about yourself

After finishing secondary school (with a focus on natural sciences), I started studying Physics and, once it became available, Computer Science. I finished with a Dipl.-Ing. in CS (equivalent of an M.S. degree) and I'm still working on my PhD thesis.

My hobbies include, but are not limited to (besides coding): Juggling, Billiards, Music, The Movies, and Electronics.

I'm currently self employed as an IT Consultant, and lucky me, my beautiful wife is an artist and IT expert.

... and vserver?

Linux-VServer is an isolation technique in concept very similar to BSD Jails or Solaris Containers, which allows multiple Linux environments to run on a single kernel side by side, with no measurable overhead.

How did you start working on this project?

I started as a simple user back when the project was called 'Linux Security Contexts', maintained by Jacques Gelinas. Everything back then was very rough and edgy: many possible exploits, no resource management, no real SMP support.

But I liked the idea of the Project and soon I had a bunch of patches sitting on my desk for improving behavior or adding new features.

In summer 2003, Jacques disappeared, which completely stalled the project. A few months later, I volunteered to take over the project maintainership temporarily, until Jacques returned. After he reappeared, and it became apparent that he didn't have the time to continue working on this project, I officially became the new maintainer.

What's the status of the project now and what are you concentrating on at the moment?

I think that we established quite a decent codebase which isn't really hard to maintain, is extremely stable, small, elegant and last but not least high-performance. The current focus is mainly on adapting and integrating the mainline changes (now that the kernel folks discovered virtualization too :) , so that the user can actually utilize new features introduced there.

What are your plans for the future?

We will continue to maintain Linux-VServer until the patch has shrunk to zero and only userspace tools are necessary to get the high-quality isolation we currently provide.

How easy is it to start playing with vserver? Are there any binaries to download and install?

IMHO it is quite easy nowadays to start playing with Linux-VServer -- even Live CDs provide Linux-VServer enabled kernels :) But if you are serious, you should consider building your own kernel and maybe even util-vserver (the toolset used to control the various features the kernel provides).

Do you need to compile anything?

For most distros, no.

When you say that you try to utilize as much of linux capabilities as you can, do you provide support/man/wiki pages for them?

Most 'mainline' Linux features are well documented, in one way or another (be it a document in the kernel tree, a nice wiki or even RFCs describing certain functionality).

I mean traffic shaping, disc i/o prioritization, etc?

For traffic shaping, there are many howtos around (we do not interfere with Linux networking at that level), so you can use your favorite interface to tc (the traffic control tool) and of course iptables. For the various I/O schedulers, the kernel provides extensive documentation (the only relevant scheduler for potentially hostile environments is probably cfq).

But in general, we trust the user to know what s/he is doing.

Nevertheless, we provide extensive help far beyond Linux-VServer matters on the very active IRC channel (#vserver @ irc.oftc.net)

Is vserver coding/support your main job?

No, definitely not. I'm doing most of my work on Linux-VServer in my spare time, and AFAIK the other developers do so too.

Do you have any plans to turn this into business?

I don't think that 'business' and great software go too well together. Usually business tends to move the focus from making a really good product, to selling a product :)

Of course, as a consultant, I often provide Linux-VServer related services.

Where do you see a future for products like vserver/openvz?

IMHO there is nothing innovative in a 'product' which does virtualization or isolation; it is slowly becoming a commodity, and that will be the future of OS-level virtualization too.

They say you can easily crash vserver with directory creation and similar DoS attacks. Is it true?

If you grab a kernel (and Linux-VServer patch) which is several years old, you might be able to successfully run such DoS attacks, but not on a recent kernel/patch.

Besides, do you know that you can run a very similar DoS attack as normal user on most Linux distros out there?

How is it better or worse compared to OpenVZ?

Linux-VServer and OpenVZ have a very different history and focus, so naturally they do the very same things slightly differently. Let me list the differences here, and you be the judge of what suits your needs better.

Linux-VServer
- community driven project
- lightweight isolation
- small and unintrusive patch
- supports all kernel archs
- provides highly advanced jails

OpenVZ
- FOSS version of commercial product
- virtualization (e.g. network)
- rather large (grown) patch
- focused on a few (x86/ppc/sparc)
- provides VPS (e.g. live migration)

Except for that, give or take a feature the functionality is mostly the same.

It is long overdue to be included into mainline. It's a very respectable and slim subsystem for some cases.

Mainline is working on OS level virtualization, and the first few results are already incorporated in Linux-VServer, I'm optimistic that in the near future Linux (mainline) will provide most of the basic functionality to build jails.

Do you recommend using vserver in production? If not, what would you recommend?

Of course I do! After all, several companies, organizations and individuals, including myself, have been using it in production for several years (more than 5 here :)

I will never use VServer until it becomes a part of a mainline kernel.

That's your choice! Live with it :)

When can we expect its patches to be fully integrated into the mainline kernel?

Never! But the good news is, the functionality will be there in a (maybe not so) distant future. So just sit and wait till mainline gets there :)

How many kernel developers are in linux-vserver?

Currently we have about four people contributing to the kernel development (including myself).

Why is network virtualization still unimplemented in Linux-VServer?

Linux-VServer is not trying to compete with full system virtualization (like Xen or VMWare(tm)), and IP (layer 3) isolation has a lot of advantages over network virtualization.

That is a decision we made after testing the implications of fully virtualizing the network stack (mainly performance penalties and seemingly unpredictable behaviour in certain corner cases).

Note that 99% of all applications (except for network test tools) work at or above the IP layer, so they are perfectly fine with isolation on the IP layer.
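To make the layer-3 isolation described above concrete, here is an added example, written for this page and not Linux-VServer kernel code. It is a user-space model of the bind(2) rule a guest context sees: a guest with a single IP that binds to 0.0.0.0 gets its socket pinned to that IP, binding to an address not assigned to the context fails with EADDRNOTAVAIL, and the host context is unrestricted. The names (vx_ctx, vx_ctx_make, vx_addr_allowed, vx_check_bind), the "xid 0 is the host" convention, the sample addresses and the treatment of multi-IP guests are assumptions of this model, not the patch's real interface.

```c
/* Added example: a user-space model of Linux-VServer-style IP (layer 3)
 * isolation for bind(2). Not Linux-VServer kernel code. Assumptions:
 *  - a guest context carries a small set of IPv4 addresses;
 *  - context id 0 is the host and is not restricted;
 *  - a single-IP guest binding to INADDR_ANY is pinned to its address;
 *  - a multi-IP guest keeps INADDR_ANY and relies on vx_addr_allowed()
 *    being applied to the local address of incoming connections
 *    (a simplification of what the real patch does);
 *  - binding to an address outside the set fails with EADDRNOTAVAIL,
 *    which is also what stock Linux returns for a foreign address.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VX_MAX_ADDRS 4

struct vx_ctx {
    int xid;                       /* 0 = host, >0 = guest (hypothetical) */
    unsigned naddrs;
    uint32_t addrs[VX_MAX_ADDRS];  /* IPv4, network byte order */
};

/* Build a context from up to two dotted-quad strings; NULL means "none". */
struct vx_ctx vx_ctx_make(int xid, const char *a0, const char *a1)
{
    struct vx_ctx c;
    memset(&c, 0, sizeof c);
    c.xid = xid;
    const char *in[2] = { a0, a1 };
    for (int i = 0; i < 2; i++) {
        struct in_addr ia;
        if (in[i] && inet_pton(AF_INET, in[i], &ia) == 1 && c.naddrs < VX_MAX_ADDRS)
            c.addrs[c.naddrs++] = ia.s_addr;
    }
    return c;
}

/* Is addr one of the context's addresses? The host (xid 0) sees everything. */
int vx_addr_allowed(const struct vx_ctx *ctx, uint32_t addr)
{
    if (ctx->xid == 0)
        return 1;
    for (unsigned i = 0; i < ctx->naddrs; i++)
        if (ctx->addrs[i] == addr)
            return 1;
    return 0;
}

/* Decide what bind() may do. Returns 0 and sets *bound to the address the
 * socket actually gets, or a negative errno on refusal. */
int vx_check_bind(const struct vx_ctx *ctx, uint32_t requested, uint32_t *bound)
{
    if (ctx->xid == 0) {            /* host context: unrestricted */
        *bound = requested;
        return 0;
    }
    if (ctx->naddrs == 0)
        return -EADDRNOTAVAIL;      /* guest without addresses: nothing to bind */
    if (requested == htonl(INADDR_ANY)) {
        /* The wildcard must never leak onto host or sibling-guest addresses:
         * pin it to the only address when there is exactly one. */
        *bound = (ctx->naddrs == 1) ? ctx->addrs[0] : requested;
        return 0;
    }
    if (!vx_addr_allowed(ctx, requested))
        return -EADDRNOTAVAIL;      /* foreign address: refuse */
    *bound = requested;
    return 0;
}

static void show(const char *label, const struct vx_ctx *ctx, const char *req)
{
    struct in_addr ia;
    uint32_t bound;
    char buf[INET_ADDRSTRLEN];
    inet_pton(AF_INET, req, &ia);
    int rc = vx_check_bind(ctx, ia.s_addr, &bound);
    if (rc == 0) {
        inet_ntop(AF_INET, &bound, buf, sizeof buf);
        printf("%s: bind(%s) -> bound to %s\n", label, req, buf);
    } else {
        printf("%s: bind(%s) -> %s\n", label, req, strerror(-rc));
    }
}

int main(void)
{
    /* Constructed sample contexts (not real deployment data). */
    struct vx_ctx host = vx_ctx_make(0, NULL, NULL);
    struct vx_ctx g42  = vx_ctx_make(42, "10.0.0.5", NULL);
    struct vx_ctx g43  = vx_ctx_make(43, "10.0.0.6", "10.0.0.7");
    show("host",  &host, "0.0.0.0");   /* stays wildcard */
    show("xid42", &g42,  "0.0.0.0");   /* pinned to 10.0.0.5 */
    show("xid42", &g42,  "10.0.0.6");  /* sibling guest's address: refused */
    show("xid43", &g43,  "0.0.0.0");   /* stays wildcard, accept-side filtering */
    show("xid43", &g43,  "10.0.0.7");  /* own address: allowed */
    return 0;
}
```

The point of the model is the one the answer makes: nothing below IP is touched, so an ordinary server that binds to the wildcard address runs unmodified inside a guest and simply ends up listening on the guest's own address, while a guest cannot grab a port on the host's or another guest's IP.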

What's the status of the NGnet project?

The virtualization part was dropped and the isolation was improved; what you have when you download a recent Linux-VServer patch is NGnet :)

Why do vserver developers, and Herbert personally, not contribute to mainstream, and not participate in the common work on 'containers' in the kernel?

If you search the mainline Linux kernel sources or changelogs you will find that Linux-VServer developers contribute quite a lot to mainline development. The main difference here is probably that Linux-VServer is not pushing for mainline inclusion as SWsoft/Parallels? is.

Why does the project's infrastructure lack a bug tracker (a la Bugzilla)?

Short version: we do not track bugs, we fix them :)
Longer version: we had a bug tracker for a long time (for the kernel) and we still have one for the tools (util-vserver). The kernel bug tracker was more work than benefit, so we dropped it at some point.

And code repository (a la git)?

We have a git and an svn repository. But my personal preference (and that affects the kernel patches) is to go with patches, similar to many other projects. Again, we tried git for the kernel tree too, but it caused more work than it helped.

Can vserver run rhel 3.x with kernel 2.4.2*?

I tell you, I have no idea. There are patches for 2.4.x host kernels, so given that RHEL 3.x works with a mainline 2.4.x kernel, you should be fine. Note: most distros do not do _anything_ which requires a specific kernel (besides hardware-related stuff, which is done by the host system anyway), so it is usually fine to run _whatever_ distro you like inside a Linux-VServer guest.

Thanks to comrade Poetzl for the perfect vserver, I've been using it for years!

You're very welcome!

OpenVZ is better than vserver because it has iptables inside the container,

Okay :) Linux-VServer has iptables outside the container :)

It does not have the 127.0.0.1 issue,

Neither does Linux-VServer

No problem working with any piece of software that i tried.

Which might not be that many ...

For vserver you even have to patch bind!

Only if you use a very old version of Linux-VServer. But to clarify on that, this is actually a Bind problem, as you can easily recreate it on an unpatched kernel.

This is ridiculous.

I totally agree here :)

I switched to openvz and forgot about vserver!

Excellent! Have fun!

There was also Lycos, from the company with the same name. It had / (the root fs) imitated via NFS, so you couldn't do rm -rf dir if any file in it was open, but you could rename it!

AFAIK, Lycos is using Linux-VServer for some? of their VPS solutions. Of course, you can do all kind of strange stuff on a VPS :)

Does vserver already know how to limit the number of sockets, memory, etc.?

For a long time. Actually, I looked up when we introduced the new limit system, and it turned out that was February 2004, with the 1.3.6 (2.4 kernel) release, so long before OpenVZ saw the light :)

So, yes, Linux-VServer supports accounting and limiting many resources, including sockets and memory, so that you can ensure that a potentially hostile Guest user will not take down your Host system. [http://linux-vserver.org/ProcFS#limit]
