Documente Academic
Documente Profesional
Documente Cultură
Virtualization
Contents
Virtualization.
Layering and virtualization.
Virtual machine monitor.
Virtual machine.
Performance and security isolation.
Architectural support for virtualization.
x86 support for virtualization.
Full and paravirtualization.
Xen 1.0 and Xen 2.0.
Performance comparison of virtual machine monitors.
The darker side of virtualization.
Software fault isolation.
Dan C. Marinescu
Motivation
Dan C. Marinescu
Motivation (contd)
Dan C. Marinescu
Virtualization
Dan C. Marinescu
Layering
Hardware.
Software.
Operating system.
Libraries.
Applications.
Dan C. Marinescu
Interfaces
Dan C. Marinescu
Applications
A1
API
Libraries
A2
ABI
System calls
Operating System
A3
ISA
System ISA
User ISA
Hardware
Code portability
Dan C. Marinescu
HLL code
Dan C. Marinescu
Compiler front-end
Compiler
Intermediate
code
Portable
code
Compiler back-end
VM loader
Object code
VM image
Loader
VM compiler/
interpreter
VM compiler/
interpreter
Memory
image
Memory
image ISA-1
Memory
image ISA-2
10
A VMM allows
Multiple services to share the same platform.
Live migration - the movement of a server from one platform to
another.
System modification while maintaining backward compatibility
with the original system.
Enforces isolation among the systems, thus security.
Dan C. Marinescu
11
A VMM
Traps the privileged instructions executed by a guest OS and
enforces the correctness and safety of the operation.
Traps interrupts and dispatches them to the individual guest
operating systems.
Controls the virtual memory management.
Maintains a shadow page table for each guest OS and replicates
any modification made by the guest OS in its own shadow page
table. This shadow page table points to the actual page frame
and it is used by the Memory Management Unit (MMU) for
dynamic address translation.
Monitors the system performance and takes corrective actions to
avoid performance degradation. For example, the VMM may
swap out a Virtual Machine to avoid thrashing.
Dan C. Marinescu
12
Dan C. Marinescu
13
Same ISA
Different ISA
Multi
program
Dynamic
translators
Binary
optimizers
HLL VMs
Same ISA
Different ISA
Application
Application
Traditional
VM
Whole
system VM
Guest
OS -1
Guest
OS -n
Hybrid VM
Codesigned
VM
VM-1
VM-n
Hosted VM
Application
Application
Guest OS -1
Guest OS -n
VM-1
VM-n
Application
Application
Application
Application
(a)
Guest OS
Dan C. Marinescu
VMM
Host OS
Hardware
Hardware
(c)
(d)
14
Dan C. Marinescu
15
Dan C. Marinescu
16
Dan C. Marinescu
17
Dan C. Marinescu
18
Guest OS
Hardware
abstraction
layer
Hardware
abstraction
layer
Hypervisor
Hypervisor
Hardware
Hardware
Dan C. Marinescu
(b) Paravirtualization
19
Dan C. Marinescu
20
Dan C. Marinescu
21
Dan C. Marinescu
22
VT- x
host-state
VMX root
VMX non-root
guest-state
VM exit
(a)
Dan C. Marinescu
(b)
23
Dan C. Marinescu
24
Dan C. Marinescu
25
Xen
Management
OS
Xen-aware
device drivers
Application
Application
Application
Guest OS
Guest OS
Guest OS
Xen-aware
device drivers
Xen-aware
device drivers
Xen-aware
device drivers
Xen
Domain0 control
interface
Virtual x86
CPU
Virtual physical
memory
Virtual network
Virtual block
devices
X86 hardware
Dan C. Marinescu
26
Dan C. Marinescu
27
Dom0 components
Dan C. Marinescu
28
Dan C. Marinescu
29
30
Driver domain
I/O channel
Guest domain
Bridge
Frontend
Backend
Network
interface
Event channel
XEN
NIC
(a)
Request queue
Producer Request
(shared pointer updated
by the guest OS)
Consumer Request
(private pointer in Xen)
Outstanding
descriptors
Unused
descriptors
Producer Response
(shared pointer updated
by Xen)
Response queue
Consumer Response
(private pointer maintained by
the guest OS)
(b)
Xen zero-copy semantics for data transfer using I/O rings. (a) The communication
between a guest domain and the driver domain over an I/O and an event channel;
NIC is the Network Interface Controller. (b) the circular ring of buffers.
Dan C. Marinescu
31
Xen 2.0
Optimization of:
Virtual interface - takes advantage of the capabilities of some
physical NICs, such as checksum offload.
I/O channel - rather than copying a data buffer holding a packet,
each packet is allocated in a new page and then the physical
page containing the packet is re-mapped into the target domain.
Virtual memory - takes advantage of the superpage and global
page mapping hardware on Pentium and Pentium Pro
processors. A superpage entry covers 1,024 pages of physical
memory and the address translation mechanism maps a set of
contiguous pages to a set of contiguous physical pages. This
helps reduce the number of TLB misses.
Dan C. Marinescu
32
Driver domain
Guest domain
Driver domain
Bridge
NIC
Driver
Bridge
I/O
channel
Backend
Interface
Physical
NIC
Guest domain
Offload
Driver
Virtual
Interface
Xen VMM
NIC
Driver
I/O
channel
Backend
Interface
Physical
NIC
(a)
High Level
Virtual
Interface
Xen VMM
(b)
Dan C. Marinescu
33
A comparison of send and receive data rates for a native Linux system, the Xen
driver domain, an original Xen guest domain, and an optimized Xen guest domain.
Dan C. Marinescu
34
Dan C. Marinescu
35
Linux
OpenVZ
Xen
Web
server
Web
server
Web
server
MySQL
server
MySQL
server
MySQL
server
(a)
Linux
MySQL
server
Web
server
Xen
OpenVZ
MySQL
server
Web
server
MySQL
server
Web
server
(b)
Linux
Xen
OpenVZ
Web
server
MySQL
server
Web
server
MySQL
server
Web
server
MySQL
server
Web
server
MySQL
server
Web
server
MySQL
server
Web
server
MySQL
server
Web
server
MySQL
server
Web
server
MySQL
server
Web
server
MySQL
server
Web
server
MySQL
server
Web
server
MySQL
server
Web
server
MySQL
server
(c)
The setup for the performance comparison of a native Linux system with OpenVZ, and
the Xen systems. The applications are a web server and a MySQL database server. (a)
The first experiment, the web and the DB, share a single system; (b) The second
experiment, the web and the DB, run on two different systems; (c) The third experiment,
the web and the DB, run on two different systems and each has four instances.
Dan C. Marinescu
36
observe the data, the events, or the state of the target system.
run services, such as spam relays or distributed denial-of-service
attacks.
interfere with the application.
Dan C. Marinescu
37
Application
Application
Guest OS
Malicious
OS
Operating
system (OS)
Malicious
OS
Hardware
Hardware
(a)
(b)
Dan C. Marinescu
38
The features of the SFI for the Native Client on the x86-32, x86-64 , and ARM.
Dan C. Marinescu
39