# Good ol' debate OpenVZ vs KVM - Why yes, why not?



## SeriesN (Jun 23, 2013)

I have been doing some extensive research for last couple of months regarding this topic. I have seen a lot of debates, logics and arguments.

As a clients perspective and as an end user, which one do you prefer more? Why? Please just don't reply with an one liners like "Because I like it or Because I can sell 100GB ram for 1 dollar". Looking forward to reading some fine technical contents


----------



## D. Strout (Jun 23, 2013)

SeriesN said:


> Please just don't reply with an one liners like "Because I like it or Because I can sell 100GB ram for 1 dollar".


Well, I am a client/end user, and that is a primitive version of my answer. The point is, for many projects, OpenVZ is "good enough". Sure, the virtualization is somewhat cobbled together, and therefore limited in how much it can do. But as an end user, I seldom bump up against these limitations. In these cases, for instance just running a plain LAMP server setup, OpenVZ works well and I can get decent performance for the money. Yes, there is the concern of overselling, but that's where, again as an end user, I have to exercise due diligence and research a provider to make sure they're not overselling too much.

In the cases where I do need more, such as Windows virtualization, custom modules/kernels, etc., then I get a KVM. The more complete virtualization, but for a bit more. But for the 75%+ of things I do that don't need full virtualization, why not save the money and get OpenVZ? You don't need a long technical explanation to see that if you can get something that does what you need for less, you get that.


----------



## GVH-Jon (Jun 23, 2013)

It really depends on what you need a VPS for to be honest as OpenVZ = Faster speeds and KVM = Full virtulization


----------



## concerto49 (Jun 23, 2013)

You need KVM when you do. There's no debate about it. Don't use KVM when you don't need it, e.g. don't need Windows / BSD / Solaris, real networks adapteres and other strange beasts. OpenVZ with VSwap works well in a lot of cases.


----------



## D. Strout (Jun 23, 2013)

SeriesN said:


> Looking forward to reading some fine technical contents


Not much to be said in that regard.


----------



## kaniini (Jun 23, 2013)

As an end-user, I would never use OpenVZ as there is definitely no way that you can assert your OS environment is tamper-proof.

And really, I don't want my /etc/shadow or /etc/ircd/ircd.conf files being dumped on the internet by some script kiddie who got lucky with an OpenVZ jailbreak.

It's just bad for business.


----------



## D. Strout (Jun 23, 2013)

kaniini said:


> no way that you can assert your OS environment is tamper-proof


That's why you don't put sensitive data on a VPS - public stuff only. If you need privacy, keep it encrypted on your home machine. If you're worried about tampering, certainly, avoid OVZ. Otherwise, it provides good value for the money.


----------



## fapvps (Jun 24, 2013)

It is possible to have a secure KVM VPS by encrypting your entire filesystem, thank should make it resonably secure.


----------



## kaniini (Jun 24, 2013)

D. Strout said:


> That's why you don't put sensitive data on a VPS - public stuff only. If you need privacy, keep it encrypted on your home machine. If you're worried about tampering, certainly, avoid OVZ. Otherwise, it provides good value for the money.


Err, no.  With Xen, KVM and VMware you can encrypt your data and ensure it is tamper-proof.

I have noticed that OpenVZ enthusiasts tend to claim that defects in their platform of choice are problems with VPSes as a whole -- let me assure you: they are not.


----------



## peterw (Jun 24, 2013)

fapvps said:


> It is possible to have a secure KVM VPS by encrypting your entire filesystem, thank should make it resonably secure.





kaniini said:


> Err, no.  With Xen, KVM and VMware you can encrypt your data and ensure it is tamper-proof.


KVM is not as secure as you think: http://vpsboard.com/topic/728-kvm-luks-io/ If you want to secure your files you have to use a dedicated server.

The only weakness of OpenVZ is the need to run the same kernel as the node. If your os needs an older or newer kernel you have to switch nodes.


----------



## kaniini (Jun 24, 2013)

peterw said:


> KVM is not as secure as you think: http://vpsboard.com/topic/728-kvm-luks-io/ If you want to secure your files you have to use a dedicated server.
> 
> The only weakness of OpenVZ is the need to run the same kernel as the node. If your os needs an older or newer kernel you have to switch nodes.


While yes, secret key data could be extracted from a memory dump, this is also true of dedicated servers as well -- there are quite a few _hardware_ attacks on DIMM-based memory to ensure that it doesn't get blanked out immediately... most of them involve literally cooling down the chips so that they remain stuck in their current states.

Frankly, this sort of attack (i.e. examining a memory dump forensically) is too sophisticated for the average attacker owning a node.

Beyond that, only an idiot VNCs into their box to input a passphrase.  Anyone who is seriously encrypting their data in this way has customized the initramfs to have an SSH daemon in it.

So, yeah, sorry, but NO.  Non-container virtualization still provides realistic tangible value for data security over OpenVZ.  In any case where a dedicated server is more useful, you're still screwed anyway because the attacker probably has sophisticated capabilities.  But for ensuring John Q. Skriptkiddie doesn't own your /etc/shadow, it's good enough really.


----------



## Master Bo (Jul 2, 2013)

Talking about these two, I see, amoing other disadvantages of OpenVZ:

- SELinux incompatible (SELinux must be turned off)

- ipset extension for netfilter not implemented (and it's unlikely it will be)

The former means VPS lacks one of security defense lines. The latter makes filtering of malicious traffic much harder work.

The onle advantage of OpenVZ is its speed.


----------



## Holoshed (Jul 2, 2013)

I have liked KVM since I first started using it which is why I chose it as the platform for my offers. I use OpenVZ sometimes but only when I really need to. I run nodes I need to be separated on proxmox so I can pick between and only where required do I not use KVM. I actually like flashcache so much I even use it on one of my proxmox nodes and a single fc'd hard drive gives me very good performance when running multiple vms, all KVM.


----------



## jcaleb (Jul 2, 2013)

If I have extra money, I prefer KVM, even when OVZ is good enough. For future proofing, in case I need the flexibility of KVM.


----------



## peterw (Jul 3, 2013)

I never needed KVM. I like OVZ for it's plainness. But OVZ annoys because of the tickets I have to write to enable fuse, ip_conntrack, iptable_nat, iptable_mangle, iptable_filter and tun.


----------



## Enterprisevpssolutions (Jul 20, 2013)

[SIZE=10.5pt]From a provider standpoint and an end user kvm is the best option.[/SIZE] With kvm you can do anything you want, cloning, snapshots, hot migration, quicker restoring, vnc console, and more, everything is virtualized for the client. From a client standpoint, kvm you don’t have to worry about misconfiguration on the host for iptables and other modules as you do with openvz also you’re not restricted to a certain OS. Speed depends on your setup really, kvm is faster in my option with only a small performance drop compared from the dedicated server as well as all the positive aspects for restoring and migrating your data and the option to just about any os you want 32/64 bit.


----------



## JackDoan (Jul 28, 2013)

From my experience, OpenVZ has always been more than enough. Sure, the extra capabilities of Xen or KVM are interesting, but they're really just extra overhead. For tinkering, I like KVM. For production use, I think OpenVZ is the way to go.


----------



## Francisco (Jul 28, 2013)

Most people are fine with just OpenVZ.
 

KVM is nice and gives a lot more freedom but there's been more than a few times where someone signs up for KVM and have no idea what they're doing when something breaks (need a FSCK is the most common).

With that being said I use OpenVZ's any time I need a quick box setup. I don't have KVM templates supported (nor does proxmox I don't think....) so I don't want to have to sit around for 5 minutes waiting for debian to net install when I can just vzctl and be set 

Francisco


----------



## MannDude (Jul 28, 2013)

Francisco said:


> KVM is nice and gives a lot more freedom but there's been more than a few times where someone signs up for KVM and have no idea what they're doing when something breaks (need a FSCK is the most common).


That was me the first time I used it. Didn't break anything, but didn't realize the difference in installing an OS on a KVM VPS vs installing an OS on OpenVZ via Solus (Or Stallion). Haha.


----------



## Slownode (Jul 28, 2013)

&nbsp;



Francisco said:


> Most people are fine with just OpenVZ.
> 
> 
> &nbsp;
> ...


A host I worked with had template compressed disk images for "instant" KVM installs, also had image(disk and hdd) access which let me clone/move/archive entire machines.


----------



## Francisco (Jul 28, 2013)

Slownode said:


> &nbsp; A host I worked with had template compressed disk images for "instant" KVM installs, also had image(disk and hdd) access which let me clone/move/archive entire machines.


For sure! As far as I know most hosts (all?) doing KVM on SolusVM will have template support.

Proxmox doesn't support it though and that's where I do most of my dev work 

Francisco


----------



## NodeBytes (Jul 28, 2013)

@Francisco - On Proxmox you can clone a machine and turn it into a template. I have a base Windows Server Datacenter image that I use for a template that is pre-licensed and has a script to change the machine name on first start.


----------



## Francisco (Jul 28, 2013)

bcarlsonmedia said:


> @Francisco - On Proxmox you can clone a machine and turn it into a template. I have a base Windows Server Datacenter image that I use for a template that is pre-licensed and has a script to change the machine name on first start.


That's a good point, I never noticed that . Thanks!

I don't use proxmox a whole hell of a lot as you can tell.

Francisco


----------



## Slownode (Jul 29, 2013)

Francisco said:


> For sure! As far as I know most hosts (all?) doing KVM on SolusVM will have template support.
> 
> 
> Proxmox doesn't support it though and that's where I do most of my dev work
> ...


I'm going to allow clients to download ISOs and system snapshots on my little panel, however I'm not going to allow uploading their own due to security... until I find a way I'm happy with.
I don't know how well guarded VMs are when it comes to malformed images... if in doubt use raw, too simple to screw up lol


----------



## ChrisM (Jul 29, 2013)

I love KVM because you can make things how you want alot easier then in OpenVZ.


----------



## jarland (Jul 29, 2013)

Honestly, I still prefer OpenVZ most of the time. It's more efficient. Bare metal performance on enterprise hardware at low cost, significant amount of overhead left to the host OS.


----------



## wdq (Jul 29, 2013)

If I can trust that the provider isn't overselling their resources too much I almost always prefer OpenVZ. It's much easier to install/reinstall operating systems, and it typically just plain works. 

The only time I use KVM is when I need to change something to do with the kernel, like when setting up a VPN server, or when I need to run something other than Linux.


----------



## Quexis (Jul 29, 2013)

It's really a tie for me as both an end user and a provider (or staff member thereof).

KVM has the distinct disadvantage of requiring the entire disk to be available at any time. This means you can't shrink or expand the disk without messing with gParted. Of course, this is a necessity because of full virtualisation (which comes with quite the few benefits such as an independent kernel), but it tags on a hefty time tag when migrating clients from node to node. It's also quite a bit more difficult to debug issues with the container, as you can't see very much from the host node. OpenVZ also has less overhead, at the cost of a considerably stronger "link" between the VM and the host.

I have an OpenVZ VPS which works perfectly for my needs as a Debian-OS webserver and code repo, however I consistently consider moving to a KVM solely so I can be edgy and run Arch on a server.



wdq said:


> If I can trust that the provider isn't overselling their resources too much I almost always prefer OpenVZ. It's much easier to install/reinstall operating systems...


I'm curious; how is it easier? For RamNode at least, we have preset templates that people can install just like an OpenVZ VPS, or you can mount your own ISO and go to town with a custom installation configuration.


----------



## wdq (Jul 29, 2013)

Speck said:


> I'm curious; how is it easier? For RamNode at least, we have preset templates that people can install just like an OpenVZ VPS, or you can mount your own ISO and go to town with a custom installation configuration.


The majority of providers don't offer pre built KVM templates like that. RamNode is one of the few exceptions.


----------



## Magiobiwan (Jul 29, 2013)

I've seen customers open support tickets asking how to SSH to their new KVM, apparently not realizing they have to install their own OS through VNC. When I told them that, they went "but admin, I do not know how to use the VNC! PLZ do the needful to make VPS os work". Or something like that. All the customers I saw do that were Chinese. Common thread perhaps?


----------



## peterw (Jul 30, 2013)

Speck said:


> I'm curious; how is it easier? For RamNode at least, we have preset templates that people can install just like an OpenVZ VPS...


Noone is offering templates. And a lot of provider do only support Java vnc clients. You have to install Java to be able to see the settings (iport) and to connect to your KVM with your own vnc client. A lot of providers handle KVM servers like dedicated servers.



Magiobiwan said:


> I've seen customers open support tickets asking how to SSH to their new KVM, apparently not realizing they have to install their own OS through VNC. When I told them that, they went "but admin, I do not know how to use the VNC! PLZ do the needful to make VPS os work". Or something like that.


They know OpenVZ and think that SolusVM is the operating system. They read threads like this that KVM is better and cooler and therefore they buy KVM. The same guys going to a friend to install Windows on their laptops because they are not able to do it.

I have some frensh and german friends asking me for help because they rent a dedicated server and are not able to ftp to it to upload their homepage. Even asking where they can add a domain or mailbox with VNC...


----------



## lv-matt (Jul 30, 2013)

peterw said:


> Noone is offering templates. And a lot of provider do only support Java vnc clients. You have to install Java to be able to see the settings (iport) and to connect to your KVM with your own vnc client. A lot of providers handle KVM servers like dedicated servers.


Unless its just exclusively for me, last time I checked SolusVM had templates for KVM and have had them for some time now.


Infant I have had "templates" available even before SolusVM implemented the feature. I think I was one of the first few in the LEB end of the market to implement them.


----------



## AnthonySmith (Jul 30, 2013)

I like OpenVZ (Shock horror) due to the speed of deployment of basic things, if you want a dynamic site up and running in no time with little fuss it is great, it works well for hosts and works well for end users without much experience or requirement for more advanced things.

KVM is great if you want complete flexibility and control along with isolation.

They both have a place, I think Xen PV is right in the middle but out of the 2 mentioned by the OP overall I personally would pick KVM because I dont like to run in to the brick walls you can with OpenVZ and I dont even have to consider trust as an issue to the same degree as I do with OpenVZ.

I would say neither one is better than the other, it is like do I need a economic small car or a people carrier, it depends what you need it for.


----------



## bizzard (Jul 30, 2013)

Myself, being a user, its the cost that decides most of the time on choosing a VPS. Since most of my work is on LAMP stack based projects, OpenVZ suites the need. At times, when client require Java/Tomcat, we usually face issues with OpenVZ, mostly related to memory/swap and so go for KVM.


----------



## Lee (Jul 30, 2013)

Purely as an end user I am really just echoing what others have already said.  Most of the time OpenVZ because it's quick and easy to deploy, setup and get to work on.  For the more serious production type work I will go KVM to remove any potential barriers OpenVZ may have.  

I am also getting pretty lazy at backups on my personal production stuff since I decided to use R1Soft which does not run on OpenVZ so that can make my mind up for me.

Having said all of that though I am more and more choosing Digital Ocean for the quick projects or testing, simply because of it's flexibility over the standard WHMCS/Solus setup.


----------



## nixcom (Aug 9, 2013)

If you need something more specific like BSD and/or install your own kernel, then go with KVM.


----------



## wlanboy (Aug 9, 2013)

W1H-Lee said:


> Purely as an end user I am really just echoing what others have already said.  Most of the time OpenVZ because it's quick and easy to deploy, setup and get to work on.  For the more serious production type work I will go KVM to remove any potential barriers OpenVZ may have.


But OpenVZ depends on the skills of your provider. I did not touch any barrier of OpenVZ yet.

Ok one time because a kernel version was not available and therefore Ubuntu 13.1 was not available (had to switch node).


----------



## Magiobiwan (Aug 9, 2013)

Ubuntu is a PITA IMO. Honestly, i've had nothing but trouble with it.


----------



## Adwait_Leap (Aug 12, 2013)

I feel it depends on a mixture of two elements Cost and complexity of prerequisites for the application . Low cost and fairly straightforward environment would go well for an Openvz on the other hand a complex requirement generally would require KVM, for a efficient running but then the cost is obviously high.


----------



## HostUS-Alexander (Aug 12, 2013)

For a host - i would say KVM Is generally cheaper.


----------



## Magiobiwan (Aug 13, 2013)

Are you sure? OpenVZ can be oversold to insane levels, lowering its cost. Meanwhile, KVM (for the most part) can't be, meaning you can't keep it as low of cost.


----------



## HostXNow (May 20, 2017)

The good thing about OpenVZ for provider and end user is Kernelcare can automatically keep all containers hosted on the VPS node secure. With KVM this has to be done on each VM. 

KVM is best if you want to use full functionally of CloudLinux regarding LVE limits, otherwise, I would usually choose OpenVZ which is generally faster with reputable providers.


----------



## Lee (May 21, 2017)

HostXNow said:


> The good thing about OpenVZ for provider and end user is Kernelcare can automatically keep all containers hosted on the VPS node secure. With KVM this has to be done on each VM.



Which is also the worst thing about it, well not only that. OVZ is fine providing you are happy that you do not need control over the Kernel, privacy is not an issue and so on.


----------



## maounique (May 22, 2017)

Lee said:


> privacy is not an issue



If privacy is an issue, i.e. you do not want the host to be able to read your files, you host at home/use proxies for your home content. There is no form of hosting that I know of, which allows for visitors to see the files but not the host's admins and even more. You can share an encrypted file, separated from the key, for example, but that is not really public hosting, more like p2p with an intermediary.


----------



## raindog308 (May 22, 2017)

I prefer KVM. Unless it means "any reinstall means firing up the Debian installer" in which case I am sad.

I see more hosts with KVM reinstall templates these days but not nearly as universal as OpenVZ.


----------



## maounique (May 23, 2017)

raindog308 said:


> I see more hosts with KVM reinstall templates these days but not nearly as universal as OpenVZ.



Well, in case of OVZ there is no choice, only a failed romanian host (phase-7) had the option to mount ISOs for OVZ, many people go to KVM for the installation flexibility, partitioning, even encryption although it does not help anything.
For sure there are cases for templated KVM installs too, so, having both and leaving the choice to the customer is better.
Best would be to be able to mount your own ISO and create own template, this is one of the main reasons for IWStack.


----------



## nelsahost (May 23, 2017)

What is better..OVZ or KVM...Well it depend,when it comes perfomance OVZ is winner and also has many other cool features and adventages,but if also has many disadventages expecually from end user point of view(user who consider to buy VPS),so it depend from whom point of view we are considering this and also for what is intended.
From provider/vendor perspective it is first choice for Linux virtualized infrastucture and mine first choice,in case when provider need Linux virtualized infrastucture for own needs OVZ is always first choice....you get only OVZ adventages and in same time main disadventages are excluded....since no one will resell to itself  .
Now it is compltetly different story if look this from VPS provider perspective who will sell VPSs to diffirent users with different level of skills and different intention.First problem can ,and in most case they do, make VPS provider it self with overselling service more than 20% which is generally considered to be safe to go,but that is not only problem,it is one thing when provider/vendor need linux virtualized infrastucture for itself,but t is completly different story when you have 50 different users with totaly different needs, OVZ share kernel which mean it is not always possible to satisfy every one needs when it comes kernel level.
So,at the end it is all about your needs...both have adventages and disantventages


----------

