Virtualisation, VServer, VMWare and others

[a_bertrand]

For those which rent a dedicated server, runs a linux server at home or offer web hosting in some way (VPS renter do not apply here) may face one day one of the following problem. For the others it may be obscure, and for those I'm sorry but I will not explain all the details.

The problem:

Imagine that you have a server which runs some services like MySQL, Apache, PHP, DNS, FTP and maybe some others. Now, one day you decide that you have still place left on it to host firends of users of other kind. Or you may discover that one service / software is unstable / unsecure and requires some isolation of some sort.

In case you host things for somebody else, you certainly don't want to grant him/her full access to your server, therefore you MUST somehow separate his/her stuff from your own.

In case of stability / security issues, you may not want to compromise the whole server in case one thing is hacked or crash.

Solutions:

1. To host PHP files of friends or other and yet prevent them to access your files to easily, you may install a package like PHP-FPM or equivalent:
   http://adityo.blog.binusian.org/?p=428
   However this will work ONLY for PHP and will not make a complete isolation, which means your other users will quiet certainly have some kind of access to the whole server.
   
2. VMWare or other virtualisation software offer a complete isolation / separation and offer like another server available for whatever you want. This is usually what VPS are and you may as well do the same on your own dedicated server to host VPS for friends or others. However there is a few drawbacks, a VPS eats a lot of ressources CPU/DISK and more so Memory! As you will hardly run a successful VPS with less than 512Mb which means you will eat 1/2 Gb of ram for each VPS you run. Therefore if you have 4Gb ram, you will not run more than 6 VPS successfully as you need to save some resources for the host machine as well! Another issue is that each VPS do require its own IP if you want to access it from the outside.
   One of the main advantage of this solution is that you may also install other OS like installing a windows on a linux or the reverse.
   
3. For my personal needs which are basically hosting players small web sites, with PHP enabled, and yet completly isolate this from the remaining part, I decided to use VServer which is somethings special ( http://linux-vserver.org/Welcome_to_Linux-VServer.org ) as it's mainly a special Linux Kernel (which you may find pre-compiled for most major distributions). Once installed this kernel allows you to create virtual servers nearly like a VPS with a couple of main differences. Virtual servers don't use ANY memory by their own, as the kernel and drivers are shared with the host. Which means the virtual servers will use only the memory used by the soft running on it. Starting vserver will use like 200 Kb! For my own need I installed an apache in this vserver with php and that's it. For the IP you may either use some NAT or let the vserver use it's own IP. I decided to go for private IPs and an apache proxy forwarding which means the apache on the host will forward the requests to the guest on the private IP. Therefore PHP scripts running in this vserver will see only the files which are on the guest system... which is nearly empty. Therefore the best solution for me and certainly something to check if you didn't know about it.
   

[Spudinski]

Vurtialbox remains the best for most of my needs. I only every need to run two OS's concurrently.

I mean this in no offense possible, but there are a few things I would like to mention.

The main reason for setting up a VE/VPS is for isolation against OS's, or for complete isolation of hardware and the kernel. It means you are able to run two kernels at the same time, and modify at least one independently of the other.

Also, in your scenario, a VPS was overkill, any multi-user capable kernel would have done the job perfectly.

"A multiuser system is a computer that is able to concurrently and independently execute several applications belonging to two or more users. Concurrently means that applications can be active at the same time and contend for the various resources such as CPU, memory, hard disks, and so on. Independently means that each application can perform its task with no concern for what the applications of the other users are doing. Switching from one application to another, of course, slows down each of them and affects the response time seen by the users." - Understanding the Linux Kernel, OReilly

Apache is designed for this, and makes great use of it when dealing with data from multiple users.

And then, you said you needed isolation from the host? Most *nix kernels are so fast because of a thing called modules, which can be linked into the kernel and then unlinked again. Even though a program can't tell the kernel to do this directly, the kernel does it by itself when it sees it's required by a program, and only if the kernel authorizes it. And allowing a shared kernel among x amount of VEs, would put more stress on the kernel than it would have had if everyone was on one host.

Edited August 18, 2011 by Spudinski

[a_bertrand]

- Check vserver and then tell me if it does indeed put more stress or not. I can tell you that from my own trials as well as all the docs I found the fact is that it is nearly free... doesn't increase the load.

- A complete VPS would for sure allow to run 2 different OS, but that wasn't my goal. Also running a VPS means you will eat something like 512Mb of ram to have something usable, here I save them ;-)

- Also, never said it's the only solution or the best solution for everything, I just said it's the solution I choose.

[Spudinski]

- Tomorrow, I'll do that. If it is actually as you say it is, I'd be more than willing to port to Debian permanently.

- Depending on the purpose, my Ubuntu 11.04 VPS, with Apache, PHP, MySQL, OpenSSH and FTP, averages at about 90-150MB, and 10% processing 2.8GHz 1 core when in moderate use, 0-2% idle 25-50% throttled.

- True.