From: John Goerzen (jgoerzen_at_complete.org)
Date: Fri 09 May 2003 - 16:19:20 BST
"Mitchell Smith" <mjs_at_blitztechnology.net> writes:
> In a production environment does UML http://user-mode-linux.sourceforge.net
> offer any security advantages over vserver?
The isolation is somewhat more complete, but generally it protects you
only against administrative errors. For instance, some people setting
up a vserver may leave /dev/hda nodes in /dev. If you set up the
vserver without those, it'll be secure since it prevents people from
doing that themselves.
A few applications require relaxed permissions in a vserver and may
not require those in UML.
The disadvantages of UML exist, too, which is why we're using vserver
instead of UML on our production server.
A big one is performance. Since applications running in a vserver are
running as close "to the metal" as any other application, they're not
any slower. UML adds an extra layer of emulation, which hurts
performance. I have seen *significant* (we're talking 10x-30x)
performance hits with multithreaded apps running under UML.
Another is the filesystem. vservers can have directories on your
regular filesystem. For instance, we have a 130GB ext3 filesystem
that all our vservers run off. It's a lot easier to manage space that
way, and wastes less space (you don't have to allocate extra space to
a vserver to start with, or adjust these things later).
I've found UML networking to be unreliable and fairly slow as well.
> The other advantage I see over UML, is you would be able to enforce per user
> system resource limits, amount of memory etc, whereas you probably couldn't
> do that with vserver, or no way that I have found yet.
ulimit works in a vserver. You can also set hard limits for the
entire server; see the ULIMIT option in the config file and "man ulimit".
> Any suggestions on the advantages of one system over the other greatly
I'd say the net result is that UML theoretically has a higher amount
of isolation, but in practical terms, vserver achieves similar results
without so many problems.
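The leftover /dev/hda nodes John mentions are the kind of thing an administrator can check for before starting a vserver. The following POSIX shell functions are an added example, not code from this thread or from the vserver project: they walk a vserver root, flag every block device node, and flag character devices whose name is outside a small allowlist. The root path is whatever you pass in, and the allowlist is an assumption about what a minimal vserver /dev needs, not a vserver default.

```sh
#!/bin/sh
# Added example: audit a vserver root directory for device nodes that
# should not have been copied into it. Block devices are the main risk,
# since a root user inside the vserver could use /dev/hda* to reach the
# host's disks. Character devices are compared against an allowlist.
# The allowlist below is an assumption, not something vserver ships.

# Character devices a minimal vserver /dev typically needs (assumed list).
ALLOWED_CHAR_DEVS="null zero full random urandom tty console ptmx"

# Return 0 if NAME is on the character-device allowlist, 1 otherwise.
is_allowed_char_dev() {
    case " $ALLOWED_CHAR_DEVS " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every block device node under ROOT as "b PATH", one per line.
# Returns 0 if none were found, 1 otherwise. -xdev keeps find on the
# vserver's own filesystem so a bind-mounted host /dev is not walked.
check_no_block_devs() {
    root=${1:?usage: check_no_block_devs ROOT}
    found=$(find "$root" -xdev -type b -print 2>/dev/null | sed 's/^/b /')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Print character device nodes under ROOT/dev whose basename is not on
# the allowlist, as "c PATH". Returns 0 if none were found, 1 otherwise.
check_char_devs() {
    root=${1:?usage: check_char_devs ROOT}
    found=$(find "$root/dev" -xdev -type c -print 2>/dev/null | while read -r dev; do
        is_allowed_char_dev "${dev##*/}" || printf 'c %s\n' "$dev"
    done)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Run both checks; returns non-zero if anything was flagged, so this can
# gate a vserver start script.
audit_vserver_root() {
    root=${1:?usage: audit_vserver_root ROOT}
    rc=0
    check_no_block_devs "$root" || rc=1
    check_char_devs "$root" || rc=1
    return $rc
}
```

Run it as `audit_vserver_root /vservers/name` (path assumed) before the vserver is started; a non-zero exit means a device node was found that the administrator should remove or justify. A FIFO or a regular file named like a device is not flagged, since only the node type matters for the risk described above.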