Container-Based OS Virtualization

How Does It Work?

If you have been keeping up with our IT articles, you have undoubtedly come across Johan's overview of hypervisor-based virtualization. We will take a similar approach to its container-based counterpart, giving you a strong introduction into what makes it work and guiding you through the strengths and weaknesses of the technology.

To get started, a clear view of what the system "looks" like is needed. Unlike hypervisors and application virtualization solutions, the isolation happens inside the actual OS layer, where certain additions are included to allow for the isolation of each OS subsystem. Every container is essentially no more than a shielded part of the host OS.

This means there is no need to virtualize the machine's different hardware components, as direct access through the OS is not compromised. Instead, several environments are running on the same kernel, each with their own processes, libraries, root, and users. This method is somewhat limiting, as it means that Linux and Windows operating systems cannot be combined on the same host; however, the technology's extremely small overhead allows for an enormous density. In addition, using a single kernel does not prevent users from running different distributions next to each other, which does counter the lack of diversity somewhat.

There are numerous software packages offering this type of virtualization - Solaris Containers, FreeBSD Jails, and Linux-VServer to name a few. However, we decided to focus on a pair of products that is closely tied together, while still allowing us to go in-depth into its inner workings: OpenVZ and Parallels Virtuozzo. OpenVZ is an open source initiative, backed by Parallels, and can be seen as a testing platform for future developments of its proprietary product, Virtuozzo. Technically, both products are used for the same purpose but are aimed at different users in the same market space.

Virtuozzo is the more robust product; it's aimed at corporate customers and comes with a very large feature set. It has support for both Windows and Linux platforms and incorporates most of OpenVZ's features. At this point, it is one of the most advanced and widely used products in the container-based OS virtualization market.

A view of Parallel's Management console, which is used to manage the Virtuozzo containers.

On the other hand, OpenVZ is freely available, although it's only for use on Linux systems. While still sporting a powerful and varied feature set, its limited management tools make it better suited for smaller scale environments where Linux is the primary OS in use. Since it is open source, however, OpenVZ allows us to dig deep into its inner workings. Moreover, because OpenVZ is in a sense the testing ground for Virtuozzo, we believe gaining insight into the former will provide our readers a solid base to better understand the latter, as well as other similar products.

From an administrator's point of view, OpenVZ employs a system that allows them to use the "base" OS as their access to management tools and monitoring. This is what we will be referring to as the host environment, and is for all intents and purposes a perfectly normal and usable OS. In production environments, however, it is best not to assign it a large personal workload to ensure functionality of the management system at times of peak load. From the host environment, we are able to see a complete overview of the resources consumed by the different guests, and run tools like vzctl to make live changes to them. Furthermore, we have full access to all containers' file systems, so the admin can make live changes without even having to log into the guest containers.

Isolation of the containers runs quite deep, ranging from a virtualized file structure to their own root users and user groups, process trees, and inter-process communication objects. This allows a container's root user high levels of customization and tweaking of everything apart from the kernel itself.

Handling of different distributions is taken care of by so-called templates. These are the blueprints for every environment installed on top of the OpenVZ kernel. In reality, they are no more than that distribution's files rounded up in a GZIP-compressed TAR, which will be set up in an isolated part of the file system for the container to run in. Templates for many distributions are freely available on the OpenVZ wiki, and while these are usually as lightweight as systems can get, it is possible to create your own once you have familiarized yourself with the system a bit.