One of the terms that often comes up in conversations about cloud computing is multi-tenancy, but it’s generally left even less defined than “cloud” itself. This recently came up on the cloud mailing list, so it seems like a good time to take a stab at explaining what I think multi-tenancy means. First, just to get it out of the way, let’s say that a multi-tenant system is much like a multi-user system. In fact, a multi-tenant system is a multi-user system if “user” is defined the right way, but that’s where the differences start to creep in. A cloud provider actually interacts with two classes of users. For the sake of terminological clarity, I’ll refer to them thus:

  • A “tenant” is a person with whom the cloud provider has a contractual relationship, to whom they send bills, etc. Someone must be authenticated and authorized as a tenant to allocate or free cloud resources.
  • An “end user” is someone (or some program) outside the cloud, doing things that generate requests within the cloud. Tenants act as end users’ proxies facilitating access to the cloud, so some sort of relationship must exist, but it need not be a legal or financial one.

For the most part, the cloud provider is concerned with tenants. End users, and conflicts between end users, are the tenant’s problem. One of a tenant’s end users could do something that denies service to all of that tenant’s other end users, and the cloud provider need not care unless it starts to affect other tenants.

That brings us to the big difference between multi-user and multi-tenant. Tenants have Service Level Agreements. Users don’t. In multi-user systems, users routinely contend for resources, affect each other’s performance, etc. One example of this, and one closely related to cloud computing, is web hosting services. If you’re on a shared host, as I am, you’re in a multi-user world. Your account represents one user on a shared bit of hardware, with some access control between you and other users, but there’s practically no fault or performance isolation between you and them. You will be affected by their activity. Sure, most hosts have something in their TOS about not hogging resources, but enforcement of such terms is pretty random. The only effect I’ve ever seen was when a previous host had underprovisioned their database servers, and started pointing the “resource hog” finger at random customers whenever it started to falter under the load. Anyone with any sense knows that to get any kind of real isolation you have to go from a multi-user system to a multi-tenant one – a Virtual Private Server.

How is a VPS different from a virtual machine in a cloud? At a technical level, there’s hardly any difference. The main difference is that one is created by a user and billed by the hour while the other is created by an administrator and billed by the month. Either way you have a multi-tenant system, which is to say that it provides strong enough security/fault/performance isolation to support an SLA.

Is a multi-tenant system necessarily virtual? Not entirely. You could, in theory, enforce multi-tenant isolation in a non-virtual environment. You could start with a fair-share scheduler and filesystem quotas, providing isolation for two kinds of resources. You’d need to add similar isolation for memory, swap (space and activity), network and storage bandwidth, etc. If you then provide each tenant with their own filesystem view, UID/PID space, and so on, then you would have reinvented OS-level virtualization. If you just put each tenant in a group, and give them some way to allocate user IDs within the group, then I suppose you’d have a multi-tenant but non-virtual environment . . . but it seems like a lot of work to get something that you could have had in minutes with virtualization, and you still wouldn’t have the same level of fault isolation that virtualization gives you. Of course, you could also have a system that supports multi-tenancy without virtualization by provisioning whole physical machines instead of virtual ones, but I have my doubts whether such an approach is economically competitive with those where you can allocate at a finer granularity. In some cases a virtual instance equivalent to a single 2GHz processor with 256MB of memory and 10GB of storage is all one needs, and therefore all one should pay for, and paying more because physical machines don’t come that small any more won’t be very appealing.
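
To make the distinction concrete, here is a toy allocator (an added example, not part of the original post) that divides one contended resource two ways: flat multi-user contention, and a fair-share split between tenants with end users contending only inside their own tenant's share. The tenant names, end-user names, capacity and demand figures are all constructed for illustration.

```python
# Added illustration: names, capacity and demand figures are constructed.

def multi_user(capacity, demands):
    """Shared host: no isolation, so an overloaded resource is split in
    proportion to demand and the heaviest user wins."""
    total = sum(demands.values())
    if total <= capacity:
        return dict(demands)
    return {u: capacity * d / total for u, d in demands.items()}

def fair_share(capacity, demands, weights=None):
    """Weighted max-min fairness (water-filling): nobody gets more than they
    ask for, and unused entitlement is re-divided among those still wanting."""
    weights = weights or {k: 1 for k in demands}
    alloc = {k: 0.0 for k in demands}
    active = {k for k, d in demands.items() if d > 0}
    remaining = float(capacity)
    while active and remaining > 1e-9:
        wsum = sum(weights[k] for k in active)
        done = {k for k in active if demands[k] <= remaining * weights[k] / wsum}
        if not done:  # everyone left wants more than their share
            for k in active:
                alloc[k] = remaining * weights[k] / wsum
            break
        for k in done:
            alloc[k] = float(demands[k])
            remaining -= demands[k]
        active -= done
    return alloc

def multi_tenant(capacity, tenants, weights=None):
    """Provider isolates tenants from each other; inside a tenant's share the
    end users still contend, which is the tenant's problem."""
    totals = {t: sum(users.values()) for t, users in tenants.items()}
    shares = fair_share(capacity, totals, weights)
    return {t: multi_user(shares[t], users) for t, users in tenants.items()}

TENANTS = {  # constructed demand, in arbitrary units of one resource
    "A": {"alice": 20, "hog": 500},
    "B": {"bob": 30, "carol": 10},
}

def demo(capacity=100):
    flat = {u: d for users in TENANTS.values() for u, d in users.items()}
    return multi_user(capacity, flat), multi_tenant(capacity, TENANTS)

if __name__ == "__main__":
    shared, isolated = demo()
    print("multi-user :", shared)    # bob and carol are squeezed by hog
    print("multi-tenant:", isolated)  # only alice pays for hog
```

In the flat case every end user is squeezed by the heaviest one; in the tenant case tenant B's end users receive their full demand and only tenant A's own end users feel the overload.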

In the end, I think it’s all about isolation. A multi-tenant system is like individual apartments, providing each tenant with a certain level of isolation and control over their environment within a defined space for a defined period, enforced by a lease. By contrast, a multi-user system is more like a hostel. You have your own bunk, but you get to hear your neighbor snore and in the morning you eat whatever was cooked in the shared kitchen. They’re similar in some ways, notably that neither involves actual ownership of the property involved, but they’re also quite different in other ways.