OpenVZ vs KVM

Choosing between OpenVZ and KVM is a decision that must be made based on your needs. Neither is outright better than the other, but one may be preferable depending on your application.

OpenVZ is an OS level virtualization technology. This means the OS is partitioned into compartments with resources assigned to each. In OpenVZ there are two types of resources, dedicated and burst. A dedicated resource is one the VPS is guaranteed to get if requested; these are “yours.” Burst resources come from the remaining unused capacity of the system. The system may allow one VPS to borrow resources like RAM from another VPS while the second one is not using them, but as it is only borrowing, such resources should be returned as soon as possible. Should the other VPS want its dedicated resources back, your processes might become unstable or be terminated.
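To see the dedicated/burst distinction from inside a container, here is an added shell example (not from the original page) that parses the OpenVZ user beancounters table: a resource whose `held` value is above its `barrier` is running on burst capacity, and a non-zero `failcnt` means an allocation was refused, which is what the unstable or killed processes described above look like. The sample table is constructed for the example; on a real OpenVZ VPS the functions read `/proc/user_beancounters` when called with no argument.

```shell
#!/bin/sh
# Constructed sample of /proc/user_beancounters (OpenVZ UBC) for one container.
# Columns: uid resource held maxheld barrier limit failcnt. The uid appears only
# on the first resource line of a container; the numbers are made up.
SAMPLE_UBC='Version: 2.5
       uid  resource           held     maxheld    barrier      limit  failcnt
      101:  kmemsize       14500000    14600000   14372700   14790164        0
            lockedpages           0           0        256        256        0
            privvmpages       66000       68000      65536      69632        3
            numproc              23          45        240        240        0
            physpages         11000       20000          0 2147483647        0'

# Resources currently above their barrier: the VPS is living on burst capacity
# that the host may reclaim at any time. A barrier of 0 means unlimited; skip it.
# Fields are taken from the right so lines with and without a uid parse alike.
ubc_burst() {
    awk 'NF >= 6 && $(NF-5) !~ /^(uid|resource)$/ {
            res = $(NF-5); held = $(NF-4); barrier = $(NF-2)
            if (barrier > 0 && held > barrier) print res
         }' "${1:-/proc/user_beancounters}"
}

# Resources whose failcnt is non-zero: at least one allocation was refused.
ubc_failed() {
    awk 'NF >= 6 && $(NF-5) !~ /^(uid|resource)$/ && $NF > 0 { print $(NF-5) }' \
        "${1:-/proc/user_beancounters}"
}

# Stand-alone demo against the constructed sample.
tmp=$(mktemp) && printf '%s\n' "$SAMPLE_UBC" > "$tmp"
echo "on burst: $(ubc_burst "$tmp" | tr '\n' ' ')"
echo "failed:   $(ubc_failed "$tmp" | tr '\n' ' ')"
rm -f "$tmp"
```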

With providers other than EidolonHost, you may find that OpenVZ hosts are overcommitted, which is to say the sum of the dedicated resources exceeds the system capacity. OpenVZ makes it much easier for unscrupulous providers to overcommit resources, which can result in very poor system performance.

As it is OS level virtualization, it is much thinner than a full virtual environment. On two hosts with identical hardware and subscription rates, OpenVZ should perform better than KVM because it does not do full emulation. For example, it does not have to run an additional full OS kernel, as it shares the single kernel between multiple VPSes, resulting in significant memory and CPU savings. In fact, most of the kernel memory usage is not charged to the VPS at all, only what each particular VPS needs in addition to the main kernel.

KVM is a hardware virtualization technology. This means the main OS simulates hardware for another OS to run on top of it. It also acts as a hypervisor, managing and fairly distributing the shared resources such as disk and network IO and CPU time. A KVM VPS does not have burst resources; they are all dedicated or shared. This means a VPS's RAM allocation is 100% owned by that VPS: it does not and cannot loan RAM out, and it is very difficult to overcommit. The same is true for disk space. The downside is that if the limit is hit, the VPS must either swap, incurring a major performance penalty, or start killing its processes. Unlike OpenVZ, KVM VPSes cannot get a temporary reprieve by borrowing from their peers, as their dedicated resources are completely isolated.

Because KVM simulates hardware, you can run whatever kernel you like on it (within limits). This means a KVM VPS is not limited to whichever Linux kernel is installed on the root node and can run most x86 operating systems, such as a BSD or even Windows. Having a fully independent kernel means the VPS can make kernel modifications or load its own modules. This may be important because there are some more obscure features that OpenVZ does not support. It also adds the complexity of maintaining a complete operating system and all the pitfalls thereof. This is in contrast to OpenVZ, which is very resilient since it is merely allocating resources from the already running kernel to the VPS. This is not to say OpenVZ requires no maintenance, just that the person managing the VPS is responsible for less.

Both OpenVZ and KVM are mature technologies, each with advantages and disadvantages. Selecting the appropriate technology at the outset may save you significant future headaches. To that end, please review the following lists to see where you may fall.

Reasons to choose OpenVZ:

  • You only intend to run userspace applications in Linux, for example LAMP/LNMP stack web hosting.
  • Typically better performance per dollar, with a smaller disk and memory footprint for equivalent solutions.
  • Lower management complexity for VPS users.

Reasons to choose KVM:

  • You intend to run Windows Server or an OS other than Linux.
  • Your solution requires custom kernel modifications, patches, a specific kernel version, or obscure features that are not supported in OpenVZ.
  • You need advanced netfilter firewall configuration, for example ipset or nfnetlink (this is exceptional, as most iptables features are supported).
  • You need SELinux. This applies within the VPS only; it does not prevent inspection from the parent hardware node.
  • You need full disk encryption/LUKS. This is not possible in OpenVZ, but note that even under KVM the host can inspect the VPS's memory and grab your keys.
  • You need specific hardware, for example a GPU for bitcoin mining.
  • You run heavy IO loads for extended periods of time.

Features not supported in OpenVZ:

  • netfilter's ipset
  • netfilter's nfnetlink
  • netfilter's ip_conntrack_pptp
  • cachefs (potentially in post-2.6.19 kernels?)
  • SELinux
  • cifs filesystem
  • file ACLs (setfacl/getfacl)
  • loopback mount (mount -o loop)
Last modified: 2022/10/13 09:11 by 127.0.0.1