Parallel's Virtuozzo containers give apps room to play safely on the same server

Virtuozzo 4.0 is a virtual machine hosting platform that provides application partitioning services. These Virtual Environments operate similar to the way RedHat's SELinux and Sun's Containers provide operating systems instance isolation for applications

Virtuozzo, from Parallels (formerly SWSoft), gives every application its own sandbox to play in.

Virtuozzo 4.0 is a virtual machine hosting platform that provides application partitioning services. These Virtual Environments operate in a way that's similar to the way Red Hat's SELinux and Sun's Containers provide operating-system-instance isolation for applications.

Virtuozzo 4.0 (we tested the final RC version), hosts a single operating system (either Windows or Linux, we tested it on machines running Windows XP SP2, Win 2003 Server Standard Edition and CentOS4), then creates independent virtual environment instances that can be setup to run designated applications temporarily, permanently or on an as-needed basis. The Virtual Environments (depending on the operating system host used) have separate administrative controls, registry instances, domain users, Active Directory instances, and can run processes or applications with either unique or shared files.

Net results

Virtuozzo's Virtual Environments are superficially similar to Microsoft Terminal Services or Citrix Systems' Metaframe sessions, but provide instance controls that are more closely related to the application isolation provided through Red Hat's SELinux session/user system file and permissions controls.

The applications are captive to the specific host kernel, meaning that a hardware server platform offers only the host operating system instance, rather than a number of hosted operating system instances. This also fits the common profile of other VM products that usually have one variety of operating system running aside each other atop a hypervisor or paravirtulized host VM management kernel. Virtuozzo is therefore a hybrid between sophisticated VM hosts such as VMware's ESX or Citrix's XenSource, and application instance hosting environments such as Microsoft's Terminal Services or RedHat's SELinux.

All the user and application provisioning controls needed are easily found within the product's excellent GUI, Virtuozzo Control Center (VZCC), or its remote access alternative, Virtuozzo Management Console.

VZCC provides strong and clear control of the Virtual Environments, and makes Virtuozzo approachable by several technical levels of administrators from systems engineers to savvy users, and controls user Virtual Environments administrative behavior. This degree of control isn't usually available in other virtualization environments, although Microsoft's Virtual Manager System Center proposes this capability in the betas we've seen of Microsoft's upcoming virtual services for Windows 2008 Server editions.

Users can be provisioned access to a subset of features tailored towards their needs which they access through an interface called the Virtuozzo Power Panel (VZPP). VZPP allows administratively delegated users to start and stop their own 'sessions' of Virtual Environments, as well as control backups and restorations, monitor session resource utilization, and connect to Virtual Environments through a remote desktop connection and a browser link. This permits very easy and approachable access by users who desire their own remote session.

Virtuozzo comes in a 32-bit version, as well as two 64-bit versions, one for AMD/Intel 64-bit CPUs such as Athlon/Opteron/EM64T-Intel, and a version strictly for the Intel Itanium. We tested the 32- and 64-bit AMD/Intel versions. Virtuozzo's application comes in an Enterprise version (tested), as well as one for server hosting organizations (not tested).

Installation for all versions of Virtuozzo was painless. The host operating system for the physical server was installed, then we installed a Virtuozzo layer. Virtuozzo uses templates to enable common files among hosted applications to be used (optionally), and therein lies Virtuozzo's greatest weakness. Common files can compromise numerous instances should those common files be cracked. That said, if the server's shared resource applications (think DLLs in Windows) are secure, then the Virtual Environments are secure.

We used several simple programs to attempt to tie up CPU and disk resources to view Virtuozzo's ability to 'sequester' instance sessions. When we pegged CPU on either Linux or Windows, the control reaction (diminishing the out-of-control session on others) came after only a second or so of perceived session latency. Additional attempts that we used to either tie up resources (running applications that tried to grab CPU utilization or otherwise blow up a session) didn't have a discernible effect upon other applications running on the hosted applications we used.

We installed Microsoft Office on our Windows installation, and were able to spawn 28 Virtual Environment sessions using the prototype of a document, with Microsoft Word, before no more sessions could be opened. Admittedly, the 28 sessions were somewhat slow, partially as a result of the viewing mechanism (Microsoft's Remote Desktop Protocol), and partly because the server was managing a lot of work. By contrast, CentOS Linux was able to host 41 Virtual Environment OpenOffice Writer sessions before those sessions crawled to a halt on the same hardware.

Copious research must be done by potential users of Virtuozzo, as some application licenses are for a single CPU, while others are for a number of sessions, or users. Your value from licensing, and the odd imbalance of possible application instances on a single operating system, will vary.

The Virtuozzo sandboxing approach to Linux and Windows application instantiation lends itself handily to application session hosting. With the PowerPanel, users can get in, do work, and get out in an understandable way. Virtuozzo's masterful VZCC interface was very powerful and approachable, as was the company's Adobe Flash-based tutorial and help system. Virtuozzo's methodology for software-as-a-service may help circumvent the overhead associated with more sophisticated VM instances handily. Perhaps the success of Virtuozzo is another reason that Citrix purchased XenSource, because Virtuozzo is poised to make terminal services less terminal and more service.

< Previous story: Reflex IPS adds security to your VM life >

Learn more about this topic

 
Editors' Picks
Join the discussion
Be the first to comment on this article. Our Commenting Policies