Good ol' debate OpenVZ vs KVM - Why yes, why not?

SeriesN

New Member
Verified Provider
I have been doing some extensive research for the last couple of months regarding this topic. I have seen a lot of debates, logics and arguments.

From a client's perspective and as an end user, which one do you prefer more? Why? Please just don't reply with one-liners like "Because I like it or Because I can sell 100GB ram for 1 dollar". Looking forward to reading some fine technical content :)
 

D. Strout

Resident IPv6 Proponent
Please just don't reply with one-liners like "Because I like it or Because I can sell 100GB ram for 1 dollar".
Well, I am a client/end user, and that is a primitive version of my answer. The point is, for many projects, OpenVZ is "good enough". Sure, the virtualization is somewhat cobbled together, and therefore limited in how much it can do. But as an end user, I seldom bump up against these limitations. In these cases, for instance just running a plain LAMP server setup, OpenVZ works well and I can get decent performance for the money. Yes, there is the concern of overselling, but that's where, again as an end user, I have to exercise due diligence and research a provider to make sure they're not overselling too much.

In the cases where I do need more, such as Windows virtualization, custom modules/kernels, etc., then I get a KVM. The more complete virtualization, but for a bit more. But for the 75%+ of things I do that don't need full virtualization, why not save the money and get OpenVZ? You don't need a long technical explanation to see that if you can get something that does what you need for less, you get that.
 

GVH-Jon

Banned
It really depends on what you need a VPS for to be honest as OpenVZ = Faster speeds and KVM = Full virtualization
 

concerto49

New Member
Verified Provider
You need KVM when you do. There's no debate about it. Don't use KVM when you don't need it, e.g. don't need Windows / BSD / Solaris, real network adapters and other strange beasts. OpenVZ with VSwap works well in a lot of cases.
 

kaniini

Beware the bunny-rabbit!
Verified Provider
As an end-user, I would never use OpenVZ as there is definitely no way that you can assert your OS environment is tamper-proof.

And really, I don't want my /etc/shadow or /etc/ircd/ircd.conf files being dumped on the internet by some script kiddie who got lucky with an OpenVZ jailbreak.

It's just bad for business.
 

D. Strout

Resident IPv6 Proponent
no way that you can assert your OS environment is tamper-proof
That's why you don't put sensitive data on a VPS - public stuff only. If you need privacy, keep it encrypted on your home machine. If you're worried about tampering, certainly, avoid OVZ. Otherwise, it provides good value for the money.
 

fapvps

New Member
Verified Provider
It is possible to have a secure KVM VPS by encrypting your entire filesystem, that should make it reasonably secure.
 

kaniini

Beware the bunny-rabbit!
Verified Provider
That's why you don't put sensitive data on a VPS - public stuff only. If you need privacy, keep it encrypted on your home machine. If you're worried about tampering, certainly, avoid OVZ. Otherwise, it provides good value for the money.
Err, no.  With Xen, KVM and VMware you can encrypt your data and ensure it is tamper-proof.

I have noticed that OpenVZ enthusiasts tend to claim that defects in their platform of choice are problems with VPSes as a whole -- let me assure you: they are not.
 

peterw

New Member
It is possible to have a secure KVM VPS by encrypting your entire filesystem, that should make it reasonably secure.
Err, no.  With Xen, KVM and VMware you can encrypt your data and ensure it is tamper-proof.
KVM is not as secure as you think: http://vpsboard.com/topic/728-kvm-luks-io/ If you want to secure your files you have to use a dedicated server.

The only weakness of OpenVZ is the need to run the same kernel as the node. If your os needs an older or newer kernel you have to switch nodes.
 

kaniini

Beware the bunny-rabbit!
Verified Provider
KVM is not as secure as you think: http://vpsboard.com/topic/728-kvm-luks-io/ If you want to secure your files you have to use a dedicated server.

The only weakness of OpenVZ is the need to run the same kernel as the node. If your os needs an older or newer kernel you have to switch nodes.
While yes, secret key data could be extracted from a memory dump, this is also true of dedicated servers as well -- there are quite a few hardware attacks on DIMM-based memory to ensure that it doesn't get blanked out immediately... most of them involve literally cooling down the chips so that they remain stuck in their current states.

Frankly, this sort of attack (i.e. examining a memory dump forensically) is too sophisticated for the average attacker owning a node.

Beyond that, only an idiot VNCs into their box to input a passphrase.  Anyone who is seriously encrypting their data in this way has customized the initramfs to have an SSH daemon in it.

So, yeah, sorry, but NO.  Non-container virtualization still provides realistic tangible value for data security over OpenVZ.  In any case where a dedicated server is more useful, you're still screwed anyway because the attacker probably has sophisticated capabilities.  But for ensuring John Q. Skriptkiddie doesn't own your /etc/shadow, it's good enough really.
 

Master Bo

Member
Talking about these two, I see, among other disadvantages of OpenVZ:

- SELinux incompatible (SELinux must be turned off)

- ipset extension for netfilter not implemented (and it's unlikely it will be)

The former means the VPS lacks one of the security defense lines. The latter makes filtering of malicious traffic much harder work.

The only advantage of OpenVZ is its speed.
 

Holoshed

New Member
I have liked KVM since I first started using it which is why I chose it as the platform for my offers. I use OpenVZ sometimes but only when I really need to. I run nodes I need to be separated on proxmox so I can pick between and only where required do I not use KVM. I actually like flashcache so much I even use it on one of my proxmox nodes and a single fc'd hard drive gives me very good performance when running multiple vms, all KVM.
 

jcaleb

New Member
If I have extra money, I prefer KVM, even when OVZ is good enough. For future proofing, in case I need the flexibility of KVM.
 

peterw

New Member
I never needed KVM. I like OVZ for its plainness. But OVZ annoys because of the tickets I have to write to enable fuse, ip_conntrack, iptable_nat, iptable_mangle, iptable_filter and tun.
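
The features named in the posts above (SELinux, tun, fuse, the iptables tables, conntrack) all depend on the node's kernel when you are inside an OpenVZ container. As an added example that is not part of any post in this thread, this shell script reports what a given VPS actually exposes; the function names and the optional root-prefix argument are assumptions made for the example.

```shell
# Added example: report which kernel-dependent features this VPS exposes.
# Each function takes an optional root prefix (an assumption made here so the
# checks can also run against a constructed directory tree).

# Same rule systemd-detect-virt uses: /proc/vz exists inside a container and
# on the node, /proc/bc only on the node.
virt_type() {
    root="${1:-}"
    if [ -e "$root/proc/vz" ] && [ ! -e "$root/proc/bc" ]; then
        echo openvz-container
    elif [ -e "$root/proc/vz" ]; then
        echo openvz-node
    else
        echo other
    fi
}

# SELinux state of the running kernel: enforcing, permissive or disabled.
selinux_state() {
    f="${1:-}/sys/fs/selinux/enforce"
    [ -r "$f" ] || { echo disabled; return 0; }
    if [ "$(cat "$f")" = 1 ]; then echo enforcing; else echo permissive; fi
}

# Is an iptables table registered with the kernel? (Reading needs root.)
has_table() {
    grep -qx "$2" "${1:-}/proc/net/ip_tables_names" 2>/dev/null
}

yesno() { if "$@"; then echo yes; else echo no; fi; }

feature_report() {
    root="${1:-}"
    echo "virt=$(virt_type "$root")"
    echo "selinux=$(selinux_state "$root")"
    echo "tun=$(yesno test -e "$root/dev/net/tun")"
    echo "fuse=$(yesno test -e "$root/dev/fuse")"
    for t in filter nat mangle; do
        echo "iptable_$t=$(yesno has_table "$root" "$t")"
    done
    # Old kernels expose ip_conntrack, newer ones nf_conntrack.
    if [ -e "$root/proc/net/ip_conntrack" ] || [ -e "$root/proc/net/nf_conntrack" ]; then
        echo conntrack=yes
    else
        echo conntrack=no
    fi
}

feature_report "${1:-}"
```

Run it as root on the VPS itself; a `no` for a table or device on an OpenVZ container is something only the provider can change on the node.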
 

Enterprisevpssolutions

Article Submitter
Verified Provider
From a provider standpoint and an end user kvm is the best option. With kvm you can do anything you want, cloning, snapshots, hot migration, quicker restoring, vnc console, and more, everything is virtualized for the client. From a client standpoint, with kvm you don't have to worry about misconfiguration on the host for iptables and other modules as you do with openvz; also you're not restricted to a certain OS. Speed depends on your setup really, kvm is faster in my opinion with only a small performance drop compared to the dedicated server as well as all the positive aspects for restoring and migrating your data and the option to run just about any OS you want 32/64 bit.
 

JackDoan

New Member
From my experience, OpenVZ has always been more than enough. Sure, the extra capabilities of Xen or KVM are interesting, but they're really just extra overhead. For tinkering, I like KVM. For production use, I think OpenVZ is the way to go.
 

Francisco

Company Lube
Verified Provider
Most people are fine with just OpenVZ.
 

KVM is nice and gives a lot more freedom but there's been more than a few times where someone signs up for KVM and has no idea what they're doing when something breaks (need a FSCK is the most common).

With that being said I use OpenVZ's any time I need a quick box setup. I don't have KVM templates supported (nor does proxmox I don't think....) so I don't want to have to sit around for 5 minutes waiting for debian to net install when I can just vzctl and be set :)

Francisco
 

MannDude

Just a dude
vpsBoard Founder
Moderator
KVM is nice and gives a lot more freedom but there's been more than a few times where someone signs up for KVM and has no idea what they're doing when something breaks (need a FSCK is the most common).
That was me the first time I used it. Didn't break anything, but didn't realize the difference in installing an OS on a KVM VPS vs installing an OS on OpenVZ via Solus (Or Stallion). Haha.
 

Slownode

New Member
 

Most people are fine with just OpenVZ.

KVM is nice and gives a lot more freedom but there's been more than a few times where someone signs up for KVM and has no idea what they're doing when something breaks (need a FSCK is the most common).

With that being said I use OpenVZ's any time I need a quick box setup. I don't have KVM templates supported (nor does proxmox I don't think....) so I don't want to have to sit around for 5 minutes waiting for debian to net install when I can just vzctl and be set :)

Francisco
A host I worked with had template compressed disk images for "instant" KVM installs, also had image(disk and hdd) access which let me clone/move/archive entire machines.
 