dcsimg

The Lazy System Administrator’s Way to Virtualize

The easiest, quickest, and cheapest virtualization method is at your fingertips -- you'll want to get to know OS-level virtualization.

Do you need to setup a new application or service in a virtual environment using a current version of Linux or Unix and don’t want to expend a lot of energy or money? If so, then OS-level virtualization deserves a second look. OS-level virtualization or operating system level virtualization means that a single kernel is shared amongst all virtual machine (VM) instances though each VM is separated logically from all other instances. This is the most basic type of virtualization available and is the path of least resistance for getting those applications up and running quickly and securely.

OS-level virtualization might have the most synonyms of any other type of virtualization. It’s known as shared-kernel virtualization, system-level virtualization, containers, zones, jails, change rooted (chroot) jails, virtual private server virtualization, and maybe others. Whatever you call it, you will call it the best performing virtualization strategy you’ve ever encountered. The overtly lazy among you may refer to it simply as jails.This type of virtualization shares not only the kernel with its VMs but also the disk, memory, and basic filesystem structure giving it the best performance of any of its counterparts.

In a world where everyone wants to sell you something; OS-level virtualization is free (Free as in no cost — since I’ve never had any of that free beer I’ve heard so much about). The capability to create a jail comes with your operating system and requires very little time or effort from a system administrator to setup. In a nutshell, the administrator creates a directory tree to house an application, populates it with libraries, binaries, and other supporting files, edits the configuration files to point to the jailed application using the chroot utility, and finally starts the application inside the jail.

The jail provides the necessary environment to run the application with no extras. A user on the jailed system is limited to that environment and isn’t aware of the host at all.

And, if you’re somewhat lazy about security, this type of virtualization provides a high level of security for the host system. Protecting the host system from attacks is the number one reason for implementing OS-level virtualization. The theory is that, if the VM falls prey to a hack attack and is compromised, your host system is preserved since the attacker remains jailed in the application VM with only the credentials of the non-privileged application user.

You aren’t limited to the particular Linux distribution running on your host, though your VMs are limited to the host’s running kernel. Any distribution that can use your running kernel can be used in a VM. To run different distributions in your VMs, you’ll need to use an add-on product such as OpenVZ, Linux-Vserver, or FreeVPS.

OS-Level Advantages and Disadvantages

Advantages:

  • Best Performance
  • Ease of Implementation
  • Available on all Linux and Unix flavors
  • Distribution Flexibility
  • Free
  • Easy to Manage
  • Host System Security

Disadvantages:

  • Single Kernel Restriction
  • Same OS for all VMs
  • Virtual Machine Vulnerability
  • Single Point of Failure

There are some limitations to OS-level virtualization despite high number of plus-side attributes. The single kernel restriction may disuade you from using this method since all of your VMs depend on that single kernel for operational stability. It is the only kernel that receives an update and you can’t experiment with alternative kernels. The shared kernel is a single point of failure for all VMs on the host system. This is a significant drawback to this virtualization technology and the seriousness shouldn’t go unrecognized.

One of the advantages that I listed states that using chrooted applications provides extra security for the host machine. It does. It does not, however do so for the VM. The VM is still just as vulnerable as it ever was. The purpose behind using jailed applications is not to necessarily protect the VM but to protect the host. We aren’t sacrificing the VM. We are protecting it by using a non-privileged account to run the application, limiting the number of users on the VM, and changing the VM’s root password to something different from the host’s.

Some of you might find it too restrictive to use a single operating system for every service. OS-level virtualization does have that shortcoming. You can’t, for example, run Windows VMs, Solaris/OpenSolaris VMs, or support any operating system that can’t use the host’s running kernel.

OS-level virtualization is an easy and inexpensive way to add an extra layer of protection for your host systems in spite of the few drawbacks to the technology. It’s a bonus feature of all Unix and Linux systems and one that you should add to your virtualization strategy. Consider it strongly for mail, DNS, web, services that don’t necessarily need their own fully virtualized VM, and for services whose compromise would make other data and services vulnerable.

OS-Level VM Security Reminders

  • Run chrooted Applications as Non-Privileged User
  • Remove All Privileged Accounts from Shadowed Password File
  • Include Only Necessary Files
  • One Service per VM
Fatal error: Call to undefined function aa_author_bios() in /opt/apache/dms/b2b/linux-mag.com/site/www/htdocs/wp-content/themes/linuxmag/single.php on line 62