January 15th, 2007

Comparing Isolation in Hardware and OS Virtualization

In our recent discussions with customers and analysts, the question of isolation has come up again. The reason is that whenever an article in the press needs a one-sentence explanation of OS virtualization, it is something like: "OS virtualization provides better density and performance, but cannot run different operating systems simultaneously and does not provide as much isolation between partitions as hardware virtualization technologies such as Xen or VMware." The two "not" statements require some clarification.

The statement about different operating systems is generally correct, but one needs to understand that Virtuozzo can run different Linux distributions, such as Red Hat, SuSE and Debian, side by side as long as they use the same kernel.

The issue of isolation requires a more detailed explanation. There are several aspects of isolation:

- Namespace isolation - Each partition provides a complete virtual copy of the entire system namespace: file system, registry, processes, users, IP addresses, port numbers, routing table, etc. Virtuozzo fully virtualizes all system namespaces and provides the same level of isolation as hardware virtualization.

- Functional isolation - Each partition and the applications it hosts can be configured independently from other partitions and applications. Each Virtuozzo partition has a complete OS environment in it and provides the same level of isolation as hardware virtualization technology.

- Fault isolation - A fault in one partition does not affect others. Here, hardware virtualization has a theoretical advantage: with OS virtualization, a fault in the shared OS kernel would crash all virtual environments on a given machine, whereas an OS crash inside one virtual machine leaves the other VMs intact. In practice, though, more than 90% of OS crashes are related to hardware drivers, which always run in the host partition, the one that manages the physical hardware. So, when the driver crashes, the entire machine goes down regardless of which virtualization technology is used.

- Performance isolation - A partition cannot monopolize the resources of the entire machine and hamper the performance of other partitions, yet it will receive the resources required for its execution. Here, Virtuozzo has an advantage over existing hardware virtualization technologies because it provides much more granular control of, and intelligent policies for, the allocation of system resources.

- Security isolation - A partition cannot breach the security of other partitions, even if its own security is compromised. Each partition has an independent set of local users, including the administrative account. For the reasons given above, Virtuozzo is at least as good as hardware virtualization.
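The namespace and security isolation points above are checkable on a shared-kernel system: every kernel namespace a partition shares with its host is one the partition is not isolated in. The script below is an added example, not code from the original post or from Virtuozzo; it assumes a Linux kernel that exposes `/proc/<pid>/ns/<kind>` symlinks, and the inode values at the bottom are constructed sample data.

```python
"""Namespace-isolation check: does a partition share any kernel namespace with its host?
Added example, not from the original post; assumes Linux /proc/<pid>/ns symlinks."""
import os
import re

NS_KINDS = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")
NS_LINK = re.compile(r"^(?P<kind>[a-z_]+):\[(?P<inode>\d+)\]$")

def parse_ns_link(link):
    """'net:[4026531840]' -> ('net', 4026531840); rejects malformed text."""
    m = NS_LINK.match(link)
    if not m:
        raise ValueError(f"not a namespace link: {link!r}")
    return m.group("kind"), int(m.group("inode"))

def read_ns_inodes(pid):
    """Namespace inode per kind for a live process (needs read access to its /proc)."""
    ns = {}
    for kind in NS_KINDS:
        try:
            _, inode = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{kind}"))
        except OSError:
            continue  # kind unsupported by this kernel, process gone, or no permission
        ns[kind] = inode
    return ns

def shared_namespaces(host_ns, part_ns):
    """Kinds whose namespace inode is identical on both sides, i.e. not isolated."""
    return sorted(k for k in NS_KINDS if k in host_ns and host_ns[k] == part_ns.get(k))

def isolation_findings(host_ns, part_ns):
    """Findings for a defender; an empty list means every known kind is separate."""
    shared = shared_namespaces(host_ns, part_ns)
    findings = [f"shares host {k} namespace" for k in shared]
    if "user" in shared:
        # Without its own user namespace, uid 0 in the partition is uid 0 to the
        # host kernel: the partition's "independent" root depends on other controls.
        findings.append("partition root is host root (no user namespace)")
    return findings

# Constructed sample data: one fully separated partition and one started on the
# host network stack (the familiar "host networking" misconfiguration).
HOST = {k: 4026531835 + i for i, k in enumerate(NS_KINDS)}
FULLY_ISOLATED = {k: v + 1000 for k, v in HOST.items()}
HOST_NET = dict(FULLY_ISOLATED, net=HOST["net"], user=HOST["user"])
```

On a live Linux host, `isolation_findings(read_ns_inodes(1), read_ns_inodes(<partition pid>))` runs the same comparison against real processes.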

However good these logical conclusions are, the best argument is experience. As of now, there are over 500,000 Virtuozzo virtual environments out there running on public networks, without firewall protection, typically with about a hundred virtual environments on a single machine. In my opinion, these numbers speak for themselves.

What do you think?