VPS Implementation Question

[tinnel]

Hi. I read Greg's post explaining what VPS is and was wondering if you could share some tidbits about how you've implemented it with another techno geek. At first, I thought you were just using a chroot'd environment on a single server, but if every user has their own CPU, memory, and NIC, that doesn't sound right. I've been doing some work recently with blade units, and am wondering if this is what you are doing? The blades I'm working with do have their own CPU and memory, but each chassis shares 4 NICs and has 12-14 blades, which doesn't doesn't equate to a one-to-one NIC assignment, thereby preventing a DOS attack from affecting other units on the system (unless I'm not understanding how the NICs work on blade systems.) OTOH, I would think that if each user was on his/her own blade, then they would actually have better performance than sharing one big beefy system amongst 100's of users. But I read here that the Shared plan gives better performance, so that doesn't quite make sense either.

Thanks!

[AlexKall]

VPS is a virtual enviroment (doesn't physicly exist) on a server (one main operating System). It's a program that divides CPU (shared on jag), ram(divided) and diskspace(divided). And then creates a virtual enviroment for a host operating system (can be something else then the main OS) where you as the only user has control of this enviroment, no one else on another VPS can get to your OS/System.

[jason]

Essentially, what happens is that the physical server runs virtualization software that includes emulators for all of the hardware in a typical system. You create a virtual disk and then "flip the switch" in the virtualization software and literally watch a second system boot right in your OS.

Jag uses software called Virtuozzo (http://www.swsoft.com/en/products/virtuozzo/). There is also an open source version of the Virtuozzo core called penVZ (http://openvz.org/). I've never use either, however.

Another company, VMWare, makes similar products, somw of which are geared at developers that want to set up virtual client/server environments on their desktop for development and testing (http://www.vmware.com). I use (the freely available) VMWare Server (http://www.vmware.com/products/server/) to run a development/test server off my desktop at work. It runs CentOS, MySQL, Apache, Subversion, and everything else I need right on to of Windows, where I do all of my dev work. It has its own IP address and domain name and can pretty much be accessed from anywhere (use can also use NAT through the host OS's IP if you can't get a second one assigned). The nice thing about doing it this way is that, if I ever want to set up a new environment (say I want to build Windows/ISS web server or an Oracle server, or whatever), I just have to create a new virtual machine instead of scrounging for some old hardware to set up and hope it works.

Another option that is free and really easy to set up (if you're running Windows) is Microsoft VirtualPC (http://www.microsoft.com/windows/pro.../default.mspx). It doesn't have all of the options that VMWare Server has (for example, it can't run as a server process I don't think, so you have to be logged in to the host OS (Windows) for virtual machines to work; you also can't access the virtual machine's console from a remote machine). I've used the older version (2004, I think it was) a little, but I had networking issues with it and switched to VMWare. I haven't tried 2007.

On Mac, the Parallels Desktop (http://www.parallels.com/) is becoming popular for running Windows on top of OS X on the new Intel-based systems. I haven't used any of the Parallel's products.

I hope my description and examples helps you understand what's going on. If not, simply download one of the free products I mentioned and try it out for yourself.

--Jason

[Ron]

Wow. Nice response, Jason!

[jason]

Thanks, Ron. Can you tell I've done my homework?

Oh...and here's a couple others that I forgot to mention before:
* Xen (http://www.xensource.com/) - No experience.
* Bochs (pronounced 'box' in the spirit of calling computers 'boxes'; http://bochs.sourceforge.net/) - I played with it once, but didn't get very far, it might serve you for a "hobby" setup, but not much else.

--Jason

[Gwaihir]

Thanks, Ron. Can you tell I've done my homework?

Some of it . You missed one very essential point.

Essentially, what happens is that the physical server runs virtualization software that includes emulators for all of the hardware in a typical system. You create a virtual disk and then "flip the switch" in the virtualization software and literally watch a second system boot right in your OS.

This is true for VMWare, VirtualPC, etc, but NOT for Virtuozzo / OpenVZ. Virtuozzo doesn't emulate hardware, it partitions one Linux system in a very sophisticated way (or one Windows system, IIRC).

Advantages:
- Very low overhead, something like 1 or 2%. True virtualisation of hardware has a much higher overhead. A good virtual drive for example performs at 50% of the speed of a normal hard disk. For processor power much depends on what you're emulating, but even a virtual 386-architecture CPU on a true 386-architecture CPU can easily incur 10% overhead.
- OS kernel is shared between VPSses, which saves a lot of memory use and allows for quite sophisticated sharing of resources.

Downsides:
- All VPSses have the same OS as the host (no mixing, so no OS/X, Solaris, etc. VPSses, either)
- VPSses are not 100% independent. In particular on Windows where kernel crashes are more common, machine wide crashes do happen.

[tinnel]

Some of it . You missed one very essential point.

This is true for VMWare, VirtualPC, etc, but NOT for Virtuozzo / OpenVZ. Virtuozzo doesn't emulate hardware, it partitions one Linux system in a very sophisticated way (or one Windows system, IIRC).

Advantages:
- Very low overhead, something like 1 or 2%. True virtualisation of hardware has a much higher overhead. A good virtual drive for example performs at 50% of the speed of a normal hard disk. For processor power much depends on what you're emulating, but even a virtual 386-architecture CPU on a true 386-architecture CPU can easily incur 10% overhead.
- OS kernel is shared between VPSses, which saves a lot of memory use and allows for quite sophisticated sharing of resources.

Downsides:
- All VPSses have the same OS as the host (no mixing, so no OS/X, Solaris, etc. VPSses, either)
- VPSses are not 100% independent. In particular on Windows where kernel crashes are more common, machine wide crashes do happen.

Thanks everyone for the answers. I've used VMWare quite a bit. I didn't think it could meet the specs that Greg laid out. I've at least heard of Bochs, but have done nothing with it. I am not familiar with Virtuozzo. It sounds much more sophisticated. I'll have to check into it. I have a lab where I run security experiments, and I often need to emulate 100's of hosts, so this could prove very useful.

[AlexKall]

Some of it . You missed one very essential point.

This is true for VMWare, VirtualPC, etc, but NOT for Virtuozzo / OpenVZ. Virtuozzo doesn't emulate hardware, it partitions one Linux system in a very sophisticated way (or one Windows system, IIRC).

Advantages:
- Very low overhead, something like 1 or 2%. True virtualisation of hardware has a much higher overhead. A good virtual drive for example performs at 50% of the speed of a normal hard disk. For processor power much depends on what you're emulating, but even a virtual 386-architecture CPU on a true 386-architecture CPU can easily incur 10% overhead.
- OS kernel is shared between VPSses, which saves a lot of memory use and allows for quite sophisticated sharing of resources.

Downsides:
- All VPSses have the same OS as the host (no mixing, so no OS/X, Solaris, etc. VPSses, either)
- VPSses are not 100% independent. In particular on Windows where kernel crashes are more common, machine wide crashes do happen.

WMware can run on bare hardware aswell, but you need to pay for it.

[Gwaihir]

I have a lab where I run security experiments, and I often need to emulate 100's of hosts, so this could prove very useful.

If those hosts are all today's linux or windows, you can do that. If you need to test alternative OSses (whether Solaris or Windows 98), it won't work.

However, IMHO Virtuozzo / OpenVZ are really about getting performance out of virtualization, at the expense of some independence. In security testing, do you need performance, or do you need to be absolutely sure that what you're testing can in no way be affected by anything you're doing on one of the other hosts?

WMware can run on bare hardware aswell, but you need to pay for it.

No clue why you're quoting my post when saying that..

[tinnel]

If those hosts are all today's linux or windows, you can do that. If you need to test alternative OSses (whether Solaris or Windows 98), it won't work.

Depends on the test. Sometimes we aim at a specific O/S. Other times we are going for realism. Most of the time we want the latest Linux and Windows, but it does vary.

However, IMHO Virtuozzo / OpenVZ are really about getting performance out of virtualization, at the expense of some independence. In security testing, do you need performance, or do you need to be absolutely sure that what you're testing can in no way be affected by anything you're doing on one of the other hosts?

The latter is of utmost concern. However the former has been a concern on occasions. I just like to know what's out there so I can choose the right tool for each job.

[AlexKall]

No clue why you're quoting my post when saying that..

This is true for VMWare

Thats why

[Gwaihir]

Oh; then you missed the point. Sure, some versions include a host OS in the product, some don't. The main difference however is in what they emulate: hardware (on which you can freely install any OS) or a machine already complete with OS (on which you can't install another OS).

[the_ancient]

Can I just say, Virtualization Sucks......... ?