Good ol' debate OpenVZ vs KVM - Why yes, why not?

Discussion in 'Questions and Answers' started by SeriesN, Jun 23, 2013.

  1. SeriesN

    SeriesN New Member Verified Provider

    Mar 29, 2013
    I have been doing some extensive research for last couple of months regarding this topic. I have seen a lot of debates, logics and arguments.

    As a clients perspective and as an end user, which one do you prefer more? Why? Please just don't reply with an one liners like "Because I like it or Because I can sell 100GB ram for 1 dollar". Looking forward to reading some fine technical contents :)
    Last edited by a moderator: Jun 23, 2013
  2. D. Strout

    D. Strout Resident IPv6 Proponent

    Apr 17, 2013
    Well, I am a client/end user, and that is a primitive version of my answer. The point is, for many projects, OpenVZ is "good enough". Sure, the virtualization is somewhat cobbled together, and therefore limited in how much it can do. But as an end user, I seldom bump up against these limitations. In these cases, for instance just running a plain LAMP server setup, OpenVZ works well and I can get decent performance for the money. Yes, there is the concern of overselling, but that's where, again as an end user, I have to exercise due diligence and research a provider to make sure they're not overselling too much.

    In the cases where I do need more, such as Windows virtualization, custom modules/kernels, etc., then I get a KVM. The more complete virtualization, but for a bit more. But for the 75%+ of things I do that don't need full virtualization, why not save the money and get OpenVZ? You don't need a long technical explanation to see that if you can get something that does what you need for less, you get that.
    Last edited by a moderator: Jun 23, 2013
    Chronic and SeriesN like this.
  3. GVH-Jon

    GVH-Jon Banned

    Apr 10, 2013
    It really depends on what you need a VPS for to be honest as OpenVZ = Faster speeds and KVM = Full virtulization
  4. concerto49

    concerto49 New Member Verified Provider

    May 5, 2013
    You need KVM when you do. There's no debate about it. Don't use KVM when you don't need it, e.g. don't need Windows / BSD / Solaris, real networks adapteres and other strange beasts. OpenVZ with VSwap works well in a lot of cases.
    D. Strout likes this.
  5. D. Strout

    D. Strout Resident IPv6 Proponent

    Apr 17, 2013
    Not much to be said in that regard.
  6. kaniini

    kaniini Beware the bunny-rabbit! Verified Provider

    Jun 18, 2013
    As an end-user, I would never use OpenVZ as there is definitely no way that you can assert your OS environment is tamper-proof.

    And really, I don't want my /etc/shadow or /etc/ircd/ircd.conf files being dumped on the internet by some script kiddie who got lucky with an OpenVZ jailbreak.

    It's just bad for business.
  7. D. Strout

    D. Strout Resident IPv6 Proponent

    Apr 17, 2013
    That's why you don't put sensitive data on a VPS - public stuff only. If you need privacy, keep it encrypted on your home machine. If you're worried about tampering, certainly, avoid OVZ. Otherwise, it provides good value for the money.
  8. fapvps

    fapvps New Member Verified Provider

    Jun 13, 2013
    It is possible to have a secure KVM VPS by encrypting your entire filesystem, thank should make it resonably secure.
  9. kaniini

    kaniini Beware the bunny-rabbit! Verified Provider

    Jun 18, 2013
    Err, no.  With Xen, KVM and VMware you can encrypt your data and ensure it is tamper-proof.

    I have noticed that OpenVZ enthusiasts tend to claim that defects in their platform of choice are problems with VPSes as a whole -- let me assure you: they are not.
  10. peterw

    peterw New Member

    Jun 14, 2013
    KVM is not as secure as you think: If you want to secure your files you have to use a dedicated server.

    The only weakness of OpenVZ is the need to run the same kernel as the node. If your os needs an older or newer kernel you have to switch nodes.
  11. kaniini

    kaniini Beware the bunny-rabbit! Verified Provider

    Jun 18, 2013
    While yes, secret key data could be extracted from a memory dump, this is also true of dedicated servers as well -- there are quite a few hardware attacks on DIMM-based memory to ensure that it doesn't get blanked out immediately... most of them involve literally cooling down the chips so that they remain stuck in their current states.

    Frankly, this sort of attack (i.e. examining a memory dump forensically) is too sophisticated for the average attacker owning a node.

    Beyond that, only an idiot VNCs into their box to input a passphrase.  Anyone who is seriously encrypting their data in this way has customized the initramfs to have an SSH daemon in it.

    So, yeah, sorry, but NO.  Non-container virtualization still provides realistic tangible value for data security over OpenVZ.  In any case where a dedicated server is more useful, you're still screwed anyway because the attacker probably has sophisticated capabilities.  But for ensuring John Q. Skriptkiddie doesn't own your /etc/shadow, it's good enough really.
    Last edited by a moderator: Jun 24, 2013
  12. Master Bo

    Master Bo Member

    Jun 4, 2013
    Talking about these two, I see, amoing other disadvantages of OpenVZ:

    - SELinux incompatible (SELinux must be turned off)

    - ipset extension for netfilter not implemented (and it's unlikely it will be)

    The former means VPS lacks one of security defense lines. The latter makes filtering of malicious traffic much harder work.

    The onle advantage of OpenVZ is its speed.
    Last edited by a moderator: Jul 2, 2013
  13. Holoshed

    Holoshed New Member

    Jun 19, 2013
    I have liked KVM since I first started using it which is why I chose it as the platform for my offers. I use OpenVZ sometimes but only when I really need to. I run nodes I need to be separated on proxmox so I can pick between and only where required do I not use KVM. I actually like flashcache so much I even use it on one of my proxmox nodes and a single fc'd hard drive gives me very good performance when running multiple vms, all KVM.
  14. jcaleb

    jcaleb New Member

    May 15, 2013
    If I have extra money, I prefer KVM, even when OVZ is good enough. For future proofing, in case I need the flexibility of KVM.
  15. peterw

    peterw New Member

    Jun 14, 2013
    I never needed KVM. I like OVZ for it's plainness. But OVZ annoys because of the tickets I have to write to enable fuse, ip_conntrack, iptable_nat, iptable_mangle, iptable_filter and tun.
  16. Enterprisevpssolutions

    Enterprisevpssolutions Article Submitter Verified Provider

    May 22, 2013
    [SIZE=10.5pt]From a provider standpoint and an end user kvm is the best option.[/SIZE] With kvm you can do anything you want, cloning, snapshots, hot migration, quicker restoring, vnc console, and more, everything is virtualized for the client. From a client standpoint, kvm you don’t have to worry about misconfiguration on the host for iptables and other modules as you do with openvz also you’re not restricted to a certain OS. Speed depends on your setup really, kvm is faster in my option with only a small performance drop compared from the dedicated server as well as all the positive aspects for restoring and migrating your data and the option to just about any os you want 32/64 bit.
  17. JackDoan

    JackDoan New Member

    Jul 21, 2013
    From my experience, OpenVZ has always been more than enough. Sure, the extra capabilities of Xen or KVM are interesting, but they're really just extra overhead. For tinkering, I like KVM. For production use, I think OpenVZ is the way to go.
  18. Francisco

    Francisco Company Lube Verified Provider

    May 15, 2013
    Most people are fine with just OpenVZ.

    KVM is nice and gives a lot more freedom but there's been more than a few times where someone signs up for KVM and have no idea what they're doing when something breaks (need a FSCK is the most common).

    With that being said I use OpenVZ's any time I need a quick box setup. I don't have KVM templates supported (nor does proxmox I don't think....) so I don't want to have to sit around for 5 minutes waiting for debian to net install when I can just vzctl and be set :)

    Last edited by a moderator: Jul 28, 2013
  19. MannDude

    MannDude Just a dude vpsBoard Founder Moderator

    Mar 8, 2013
    That was me the first time I used it. Didn't break anything, but didn't realize the difference in installing an OS on a KVM VPS vs installing an OS on OpenVZ via Solus (Or Stallion). Haha.
  20. Slownode

    Slownode New Member

    Jul 23, 2013

    A host I worked with had template compressed disk images for "instant" KVM installs, also had image(disk and hdd) access which let me clone/move/archive entire machines.
    Francisco likes this.