cloud

Questions and Answers

A company develops warehouse management software with a core component and customer-specific modules. To minimize costs, which deployment model is most suitable?

• VMs running on the customer's on-premise servers.
• Software-as-a-Service (SaaS) model, delivered online. (correct)
• Containers running on the customer's on-premise servers.
• Virtual private cloud instance dedicated to the customer on a public cloud.

What is the primary characteristic of Common-Off-The-Shelf (COTS) hardware?

• Hardware suitable for on-premise data centers, but not hyperscalers.
• Hardware used only by individual customers, not cloud workloads.
• Standardized hardware bought in large quantities to reduce variety. (correct)
• Hardware that cannot be specialized with additional components.

A company wants to deploy its application using containers for better resource utilization and faster deployment. Which infrastructure setup would be the MOST appropriate?

• Utilizing a container orchestration platform like Kubernetes on a cluster of servers. (correct)
• Deploying containers on individual virtual machines.
• Running each container on a separate physical server to ensure isolation.
• Installing containers directly on bare metal servers without any orchestration.

A company wants to improve its disaster recovery strategy. Which cloud deployment model would be best suited for creating a highly available and fault-tolerant system?

Distributing the application across multiple availability zones or regions in a public cloud. (C)

A company is deciding between using virtual machines (VMs) and containers for deploying its applications. Which of the following scenarios would make containers a more suitable choice than VMs?

When applications need to be deployed and scaled rapidly, with efficient resource utilization. (D)

Which task is NOT a typical responsibility of Kubernetes kubelet?

Managing cloud resources. (C)

Why is a Kubernetes Service crucial for application deployment?

It provides a stable access point to a dynamic set of pods. (C)

What is the main role of the Kubernetes scheduler in resource management?

Assigning pods to the appropriate nodes based on resource requirements and constraints. (C)

When should Secrets be utilized in Kubernetes?

When storing sensitive information such as API keys and passwords. (B)

How does a ReplicaSet contribute to maintaining application availability?

By ensuring a specified number of pod replicas are running at all times. (B)

Which of the following methods is used to emulate instructions that trigger a trap in a virtualized environment?

Replacing source code of the GuestOS kernel with HostOS kernel functions. (A)

What is the typical characteristic of modern CPUs regarding the execution of OS kernels?

They have many CPU rings, with a dynamically programmable number intended for OS kernels. (D)

In the context of virtualization, what does dynamic binary translation primarily refer to?

An instruction executed by the GuestOS kernel. (A)

In a virtualized system, what is the primary function of VMEntry and VMExit instructions?

Enable fast transitions between GuestOS and HostOS kernels. (B)

Regarding I/O device emulation, what is a typical characteristic of a hypervisor?

It is usually able to emulate a very large number of physical devices. (B)

What type of drivers are typically included in the image (ISO) of a modern operating system intended for use in a virtual machine?

Usually includes drivers for many physical devices (e.g., Intel NIC), and a few para-virtualized devices (eg., VIRTIO). (D)

What is the primary function of Libvirt?

Simplifies the interaction with VMs running on different hypervisors (KVM, Vmware, etc). (D)

In Linux, how do QEMU and KVM relate in terms of their execution context?

QEMU runs in user space, KVM runs in kernel space. (C)

When implementing hot migration of a VM to another server, what states must be moved?

The entire VM (i.e., applications and GuestOS kernel), plus some additional data kept in the hypervisor. (D)

In computing virtualization, what defines a 'sensitive instruction'?

Is an instruction that has to be handled with Trap-And-Emulate. (C)

Under what condition can an instruction executed at CPU ring 0 in VMX non-root mode generate a trap?

Can generate a trap if it is a privileged instruction. (B)

How does a CPU that supports VMX root/non-root modes improve efficiency in virtualization?

Is more efficient when handling privileged instructions in the GuestOS. (A)

When Trap-And-Emulate is used for a system call invoked by a userland program, what sequence of transitions occurs?

We experience two transitions: User space --> GuestOS kernel --> HostOS kernel. (A)

In computing virtualization, what does direct assignment of I/O devices imply?

A real device that is completely controlled by the GuestOS. (B)

How does a GuestOS typically detect devices during boot in a virtualized environment?

It usually detects a set of virtual devices presented to it by the hypervisor. (C)

What information is crucial for a successful hot migration of a VM to another server?

The entire VM (applications and GuestOS kernel), plus some state in the hypervisor. (C)

What is the primary function of the Trap-And-Emulate approach in computing virtualization?

To emulate privileged CPU instructions executed at the wrong privilege level. (B)

How does CPU para-virtualization primarily work?

Replaces some source code of the GuestOS kernel with the proper equivalent function in the HostOS kernel. (C)

For what purpose is a 'ClusterIP' service most commonly used in Kubernetes?

To make a service reachable only from within the cluster, such as a backend database. (A)

What is a key characteristic of CPU rings in modern CPUs regarding operating system kernels?

Have many CPU rings, and 2 of them are intended for executing OS kernels. (B)

What is the primary function of an Ingress controller in Kubernetes?

To enable multiple HTTP/HTTPS services to share a single TCP port. (A)

To what instructions can dynamic binary translation refer in the context of virtualization?

Can refer to an instruction executed by GuestOS kernel. (B)

Which Kubernetes service type should you choose if you need to create a service that is only accessible from inside the cluster?

ClusterIP (C)

What is the key functionality provided by VMEntry and VMExit instructions in a virtualized system?

Enable fast transitions between GuestOS and HostOS kernels. (C)

When using a command like htop inside a Docker container to view available resources, what information is typically displayed?

The specific resources allocated to the Docker container at startup (e.g., 2 CPU cores and 4GB RAM). (C)

Why is a Kubernetes Service (e.g., ClusterIP) preferred over directly routing traffic to a pod's IP address?

Services handle pod respawning and multiple replicas, providing a stable access point. (D)

How does a hypervisor typically handle the emulation of physical devices in computing virtualization?

Is usually able to emulate a very small number of physical devices. (D)

What is the primary purpose of a Dockerfile?

Defining a 'recipe' that outlines all the necessary steps to rebuild the container from scratch. (C)

What types of drivers are typically included in a modern operating system image used to start a VM?

Usually includes drivers for many physical devices (e.g., Intel NIC), and a few para-virtualized devices (eg., VIRTIO). (D)

Theoretically, how do the memory requirements compare for an application running on bare metal, in a VM, and in a Docker container?

Memory(VM) > Memory(Docker) = Memory(bare metal) (B)

In Kubernetes, what is the typical use case for a 'DaemonSet'?

To ensure a pod is running on every node in the Kubernetes cluster, typically for providing network services or system-level utilities. (B)

Consider an e-commerce site deployed in a Kubernetes cluster using a 'ClusterIP' service for the web frontend. What can be said about its reachability from the internet?

The e-commerce site may only be reachable from the Internet depending upon the configuration of the Ingress controller. (D)

Theoretically, assuming no layered filesystem advantages, how do the disk requirements compare for an application running on bare metal, in a VM, and in a Docker container?

Disk(VM) = Disk(Docker) > Disk(bare metal) (B)

What is the primary purpose of Libvirt in virtualization management?

Simplifies the interaction with VMs running on different hypervisors (KVM, Vmware, etc). (D)

What is the primary role of the 'control loop' concept in Kubernetes?

To continuously observe the desired state of resources in the cluster and make necessary changes to achieve that state. (A)

Under what circumstance will a sensitive instruction NOT generate a trap when executed?

When executed in an unprivileged mode. (C)

Which platform is most suitable for creating a web server that can effortlessly scale to handle unpredictable traffic spikes?

Kubernetes (public cloud) (D)

In Linux-based virtualization, where do QEMU and KVM operate?

QEMU runs in user space, KVM runs in kernel space. (C)

What is the main role of a hypervisor in a virtualized environment?

It virtualizes hardware resources and manages the execution of virtual machines. (D)

Which of the following capabilities typically requires a service mesh, rather than being provided by a standard Kubernetes service?

Load balancing HTTP/HTTPS connections based on request URL. (B)

What is the purpose of a Custom Resource in Kubernetes?

To enable definition of custom objects, potentially unrelated to existing Kubernetes workflows, for managing other aspects of a system. (D)

Which component is responsible for emulating privileged CPU instructions when they are executed at the wrong privilege level in a virtualized environment?

Trap-And-Emulate approach. (B)

What action does CPU para-virtualization take to optimize the guest operating system's performance?

Replaces some source code of the GuestOS kernel with the proper equivalent function in the HostOS kernel. (A)

What is the function of the Virtual Machine Control Structure (VMCS) in hardware-assisted virtualization?

It manages the transitions between guest and hypervisor. (D)

A university with campuses in different countries needs to set up real-time videoconferencing. Which is the BEST option?

Buy a managed service running in multiple cloud locations across the world. (D)

If you connect a set of VMs/Dockers to a software bridge, what can you guarantee regarding network connectivity?

You cannot guarantee full network connectivity to the services running within the VMs/Dockers. (C)

Which tool is most commonly used to connect to a remote server from the management host using a secure, encrypted connection?

SSH (C)

If a Docker container attempts to modify its filesystem by writing a file, where is the file stored?

In the filesystem of the running Docker container. (C)

What is the primary consideration when selecting servers for a new datacenter?

Servers are usually all equal (in terms of CPU, memory, disks, etc). (B)

How many CPU rings are typically allocated for executing OS kernels in modern CPUs?

Have many CPU rings, and 2 of them are intended for executing OS kernels. (A)

Which type of hypervisor runs directly on bare metal, offering better performance by directly managing hardware resources?

Type-1 Hypervisor (D)

You are setting up a database-as-a-service from a cloud provider in 'high-availability' for an e-commerce site. Which deployment strategy is most appropriate?

Multiple replicas across different Regions. (A)

What type of instructions can dynamic binary translation apply to?

Can refer to an instruction executed by GuestOS kernel. (C)

In a Docker layered filesystem, when is a new layer created?

Each time a Dockerfile executes a command that modifies the filesystem. (D)

What functionality do VMEntry and VMExit instructions facilitate in a virtualized system?

Enable fast transitions between GuestOS and HostOS kernels. (B)

A Docker container is running on a server with 2 CPUs (52 cores each) and 512 GB RAM. How can this container utilize the underlying compute resources?

The Docker utilizes the resources of the host server, but the exact amount must be pre-configured. (D)

What is the primary disadvantage of using Dynamic Binary Translation (DBT) in virtualization?

It introduces performance overhead due to the need for continuous translation of non-virtualizable instructions. (C)

When deploying an application like an e-commerce site on a public cloud cluster, what is your responsibility regarding service reliability?

You have to care about reliability, which is not completely guaranteed by the cloud provider. (C)

Which virtualization technique, pioneered by VMware, translates non-virtualizable x86 instructions at runtime to enable virtualization on standard hardware?

Dynamic Binary Translation (DBT) (C)

In what scenarios is deploying cloud computing technologies at the edge of the network particularly beneficial?

All the other answers. (D)

The University IT manager wants to move to cloud. The main goal is to be future proof and cost effective at the same time. Which is the best approach?

Containerizing current applications and relying on a managed kubernetes service, and rely on managed databases (D)

What is a key characteristic of technologies for computing virtualization regarding isolation?

Are used whenever strong computing isolation is required. (D)

Which technique optimizes memory usage in virtual machines by dynamically adjusting the amount of memory allocated based on the VM's current demand?

Memory Ballooning (A)

A company runs an application that needs to store files. Some files are accessed every second, while others are only accessed every year. How would optimize costs?

Store 'hot' files in an external SSD drive. Once the files become cold, move them into a cloud storage bucket. (C)

A developer is encountering issues with their application failing due to insufficient memory. How can they monitor how much memory is actually used by the application?

Using top or htop commands to view real-time memory usage. (B)

Which virtualization technique allows a guest OS to run without modification by virtualizing all hardware interfaces?

Full Virtualization (D)

How is the filesystem within a Docker container initially related to the filesystem of the host machine?

At startup, it is completely independent from the one present on the hosting machine; however, temporary files created during Docker execution are stored in the filesystem of the hosting machine (e.g., /var/tmp/). (D)

A Docker is running on a server that has 2 CPUs with 52 cores each. How many cores are available for this Docker?

The amount defined in the docker compose file. (C)

What is a key advantage of using hardware-assisted virtualization (HVM)?

It enables faster execution of guest OS code by minimizing VM exits. (D)

Which of the following is a valid use for Kubernetes?

Orchestrating a set of VMs on your local machine. (C)

Which feature allows the hypervisor to share a single physical I/O device among multiple VMs, enhancing I/O performance and resource utilization?

Single-Root I/O Virtualization (SR-IOV) (D)

A Docker container is running on a server with two CPUs, each having 52 cores. An application within the Docker container attempts to maximize performance by creating a thread for each available CPU core. How many threads will the application create?

104 (B)

What does the Extended Page Table (EPT) feature in Intel processors primarily aim to improve in a virtualized environment?

Memory address translation efficiency (D)

In which virtualization technique does the guest OS need to be modified to work effectively with the hypervisor?

Paravirtualization (D)

What is required for a virtual machine (VM) running in OpenStack to be reachable from a customer connected to the Internet?

Explicit enablement in the OpenStack configuration of the VM. (C)

A pod, along with its associated service, runs in a Kubernetes datacenter and is exposed to the outside world through an Ingress controller. When a client on the Internet establishes a TCP connection to this pod/service, what happens with the network packets?

Two cascading TCP connections must be established to allow the client to connect to the pod. (B)

What is the primary role of cgroups in Linux?

To limit and account for resource usage by processes. (D)

In a service mesh architecture, what addition is typically made to each microservice to integrate it into the mesh?

Each micro-service is automatically started with a sidecar that implements the service mesh. (C)

Which of the following features is NOT provided by Linux cgroups?

Network isolation. (C)

When setting up servers in a new datacenter, what is the most common approach to selecting hardware?

Servers are usually all equal (in terms of CPU, memory, disks, etc.). (D)

An e-commerce site utilizes a database-as-a-service from a cloud provider and needs to run in 'high-availability' mode. Which setup would you choose?

In multiple replicas across different Regions. (D)

When deploying an application on a cluster in a public cloud and aiming for a reliable service, what is the most accurate consideration?

You have to care about reliability. (B)

In what scenarios is the deployment of cloud computing technologies at the edge of the network most beneficial?

All the other answers. (A)

When is computing virtualization most applicable?

Are used whenever strong computing isolation is required. (A)

How does the filesystem in a Docker container relate to the filesystem on the host machine?

It is logically independent from the one present on the hosting machine; however, some physical characteristics of the hosting machine (e.g., free disk space) can affect the behavior of the Docker file system as well. (B)

When Linux leverages the KVM hypervisor, what are the ring levels at which QEMU and the GuestOS operate?

QEMU runs at ring 3 (VMX root), the GuestOS runs at ring 0 (VMX non-root). (A)

A Docker container is running on a server with 2 CPUs (52 cores each). If, inside the Docker, we execute an application that maximizes its performance by creating a number of threads equal to the number of CPU cores available, it will create the following number of threads:

104 (B)

What is primarily needed for a VM in OpenStack to be reachable from the Internet?

Must be explicitly enabled in the OpenStack configuration of the VM. (A)

In computing virtualization, which statement best characterizes a 'sensitive instruction'?

Is an instruction that may leak information about the current OS kernel context or actual hardware configuration. (C)

When Trap-And-Emulate is used to handle a system call invoked by a userland program within a VM, what sequence of transitions is typically observed?

We experience at least two transitions: User space --> GuestOS kernel --> HostOS kernel. (D)

A pod (and it associated service) is running in a Kubernetes datacenter and is reachable from the outside world through an Ingress controller. When a client (on the Internet) establishes a TCP connection toward the pod/service:

Two cascading TCP connections must be established to allow the client to connect to the pod. (B)

What constitutes the state of a VM that is essential for enabling a hot migration?

The content of the entire memory allocated to the VM plus some additional information stored in the hypervisor. (C)

In a service mesh, how is each micro-service typically augmented to participate in the mesh?

Is automatically started with a sidecar that implements the service mesh. (B)

Under what conditions will an instruction executed at CPU ring 0 (VMX non-root mode) generate a trap?

Will generate a trap if it is either a sensitive or privileged instruction. (B)

In computing virtualization, what best describes the use of the Trap-And-Emulate approach?

Is used only to intercept privileged CPU instructions. (A)

How does a CPU that supports VMX root/non-root modes improve system call processing?

Is more efficient when handling system calls. (B)

In computing virtualization, what does 'direct assignment for I/O devices' signify?

A real device that is completely controlled by the GuestOS. (B)

When a GuestOS boots in a virtualized environment, what type of devices does it typically detect?

It usually detects a set of virtual devices presented to it by the hypervisor. (C)

How does a VIRTIO driver running in a GuestOS primarily interact with the host system to send and receive data?

Uses mainly bi-directional queues shared with the companion backend driver to send/receive data. (D)

In Linux, what is the primary function of tools like virsh and virt-manager?

Enable users to interact with VMs (e.g., KVM-based) in a user-friendly way. (C)

What does the term 'nested virtualization' refer to?

Running a VM inside another VM (B)

Which of the following statements best describes a Virtual Machine Monitor (VMM)?

It is software responsible for emulating and managing virtual hardware. (A)

What is the primary purpose of the management host?

To control the remote hypervisor (A)

Which of the following is a challenge with the x86 architecture in virtualization?

It requires hardware-assisted virtualization from the start. (D)

When the Trap-And-Emulate is used to handle a userland program invoking a system call, what sequence of transitions is typically observed?

We experience at least two transitions: User space --> GuestOS kernel --> HostOS kernel. (A)

In a typical virtualized environment, what type of device drivers are predominantly included within the GuestOS kernel?

A mix of drivers for a few physical devices (e.g., Intel NIC) and many para-virtualized devices (e.g., VIRTIO). (B)

Libvirt's primary function is to:

Offer a simplified interface for managing VMs across various hypervisors (KVM, VMware, etc.). (A)

In the Linux operating system, how do QEMU and KVM interact in a virtualized environment?

QEMU operates in the user space, while KVM operates in the kernel space. (C)

What specific condition triggers the Trap-And-Emulate approach in computing virtualization?

When a privileged CPU instruction is executed at the incorrect privilege level. (A)

A hot migration of a virtual machine from one server to another necessitates the transfer of:

The entire VM (applications and GuestOS kernel) and specific hypervisor state information. (D)

In a virtualized setting, what is the role of VMEntry and VMExit instructions?

To enable fast transitions between the GuestOS and HostOS kernels. (C)

How does Docker networking compare to traditional virtualized networking environments?

Docker networking provides a simplified default configuration but also allows for extensive customization, similar to KVM. (B)

If a Docker container, Docker1, needs to connect to another Docker container, Docker2, running on a different server, what network address and port should Docker1 use?

The server's IP address and the public TCP/UDP port published by Docker2. (D)

What network components are typically included in the standard network created by Docker on a server?

A software bridge, routing, and NAT functions, specifically for traffic leaving the server. (D)

How does a Docker container obtain its IP address within the Docker network?

A DHCP service managed by Docker within the Docker network assigns the IP address. (B)

If Docker1 and Docker2 are running on the same server, how does Docker1 establish a network connection to Docker2?

Docker1 uses the IP address of Docker2 and the actual TCP/UDP port employed by the application in Docker2. (B)

What happens if an instruction, executed at CPU ring 0 in VMX non-root mode, is either sensitive or privileged?

The instruction will generate a trap if it is either a sensitive or privileged instruction. (D)

How does a CPU that supports VMX root/non-root modes improve virtualization efficiency?

It is more efficient when handling privileged instructions in the Host. (C)

In computing virtualization, what does the term 'direct assignment' refer to regarding I/O devices?

A real device exclusively controlled by the GuestOS. (D)

When a GuestOS boots within a virtualized environment, what kind of hardware devices does it typically detect?

It detects a set of virtual devices presented by the hypervisor. (A)

How does Libvirt enhance the management of virtual machines?

By offering a simplified interface to interact with VMs across different hypervisors. (C)

In the Linux environment, how do QEMU and KVM interact regarding their execution space?

QEMU operates in user space to manage VM emulation, while KVM runs within the kernel as a module. (A)

What is the minimal state that must be moved during a hot migration of a virtual machine to ensure continuous operation?

The entire VM (GuestOS and applications) along with some state information from the hypervisor. (A)

When a CPU executes an instruction at ring 0 in VMX non-root mode, under what circumstances will a trap be generated?

A trap is triggered if the instruction is either sensitive or privileged, enforcing virtualization constraints. (A)

How does a CPU that supports VMX root/non-root modes improve the handling of privileged instructions?

It enhances the efficiency of managing privileged instructions, reducing overhead in the host environment. (C)

In computing virtualization, what does direct assignment for I/O devices imply regarding device control?

A real device is exclusively controlled by the GuestOS, bypassing the HostOS for direct access. (C)

How does a VIRTIO driver within a GuestOS primarily communicate with its counterpart backend driver?

By utilizing shared bi-directional queues for efficient, asynchronous data exchange. (A)

In Linux, what primary function do tools like virsh and virt-manager serve in the context of virtualization?

They offer a user-friendly means to interact with and manage VMs, such as those based on KVM. (D)

When leveraging KVM in Linux, at which CPU ring levels do QEMU and the GuestOS operate?

QEMU runs at ring 3 (VMX root), while the GuestOS runs at ring 0 (VMX non-root), ensuring controlled access. (D)

In computing virtualization, what is the primary characteristic of a 'sensitive instruction'?

It may leak information about the current OS kernel context or the actual hardware configuration. (D)

When Trap-And-Emulate is used for a system call invoked by a program in userland, what sequence of transitions occurs?

User space transitions to the HostOS kernel, then to the GuestOS kernel. (B)

To implement a hot migration successfully, what information about the VM's state is essential?

The entire memory allocated to the VM along with specific additional data stored in the hypervisor. (B)

What is the main mechanism involved in CPU para-virtualization?

Replacing specific source code in the GuestOS kernel with corresponding functions in the HostOS kernel. (B)

How are CPU rings structured in modern CPUs, particularly concerning OS kernel execution?

Modern CPUs have numerous rings with two specifically designated for OS kernel execution. (B)

Flashcards

SaaS (Software-as-a-Service)

Delivering software online, customers access it over the internet.

COTS Hardware

Standardized hardware purchased in bulk to reduce variety in a data center.

VMs on-premise

Running software in virtualized environments on the customer's premises.

Containers on-premise

Running software in containers on the customer's premises for efficiency.

Virtual Private Cloud

A cloud instance dedicated to a single customer, but on a shared cloud infrastructure.

Kubernetes ClusterIP Service

A service reachable only within the Kubernetes cluster; often used for backend services.

Ingress Controller Use

Enables multiple HTTP/HTTPS services to share a single TCP port, like directing traffic based on the URL.

Internal-Only Service

A service type in Kubernetes used when you need a service to only be accessible from inside the cluster.

Why Use a Kubernetes Service?

Handles multiple replicas and pod respawning, providing a consistent access point.

Memory Usage: VM vs. Docker

VMs require more memory than Docker containers, which are almost equivalent to bare hardware.

Disk Usage: VM vs. Docker

VMs typically require more disk space than Docker containers, which are similar to bare hardware, assuming no layered file system advantages.

Endless Web Server Scaling

Kubernetes on a public cloud provider offers the best scalability.

Service Mesh Necessity

Load balancing based on application-level data (e.g., URL) requires a service mesh.

Videoconferencing Solution

Using a managed service like Zoom, running in multiple cloud locations, ensures reliability and global reach is the best option.

Docker File System Changes

The file is written to the Docker container's file system, within its writable layer.

Docker Layer Creation

Each command in a Dockerfile that modifies the file system creates a new layer.

Docker Resource Reporting

Reports resources assigned at startup (e.g., 2 CPU cores and 4GB RAM).

Dockerfile Purpose

Defines a 'recipe' listing steps to recreate a container from scratch.

Daemonset Usage

A pod that must always be running on each Kubernetes node (e.g., for network services).

ClusterIP Reachability

May be reachable depending on the Ingress controller configuration.

Control Loop in Kubernetes

Controllers watch resource states and make/request changes as needed.

Custom Resource in Kubernetes

Enables defining generic objects, even those unrelated to Kubernetes workflows.

Software Bridge Connectivity

You are NOT able to guarantee full network connectivity to the services running within the VMs/Dockers

New Datacenter Servers

Are usually all equal (in terms of CPU, memory, disks, etc).

Database-as-a-Service High Availability

In multiple replicas across different Regions.

Application Reliability in Public Cloud

You have to care about reliability, which is not completely guaranteed by the cloud provider.

Edge Computing Usefulness

All the other answers.

Technologies for Computing Virtualization

Are used whenever strong computing isolation is required.

Filesystem in a Docker

At startup, it is completely independent from the one present on the hosting machine; however, temporary files created during Docker execution are stored in the filesystem of the hosting machine (e.g., /var/tmp/).

CPU Para-virtualization

Emulates instructions that generate traps, often used in virtualization.

GuestOS Kernel Replacement

Replacing GuestOS kernel code with equivalent HostOS kernel functions.

CPU Rings

Modern CPUs have multiple privilege levels for OS kernels.

Dynamic Binary Translation

Refers to instructions executed by the GuestOS kernel during virtualization.

VMEntry/VMExit Instructions

Enable fast transitions between GuestOS and HostOS kernels in a virtualized environment.

Hypervisor

Software that manages virtual machines; emulates devices.

ISO of Modern OS in VM

Usually includes drivers for many physical devices and a few para-virtualized devices.

Libvirt

Simplifies interaction with VMs running on different hypervisors.

QEMU and KVM in Linux

QEMU runs in user space, KVM runs in kernel space.

Hot VM Migration

Moving an entire VM (applications, GuestOS kernel) and the hypervisor's state.

Sensitive Instruction

An instruction that must be handled with Trap-And-Emulate to avoid problems.

Instruction at CPU ring 0

Can generate a trap if it is a privileged instruction, handled by Trap-and-Emulate.

CPU with VMX Modes

Is more efficient when handling privileged instructions in the Host.

Trap-And-Emulate Transitions

User space to GuestOS kernel to HostOS kernel.

Direct Assignment I/O

A real device that is completely controlled by the GuestOS.

Docker CPU Thread Count

Docker creates threads equal to the number of CPU cores assigned at startup.

OpenStack VM Reachability

VM reachability in OpenStack requires explicit enablement in the VM configuration.

Kubernetes Ingress TCP Connection

Two cascading TCP connections are established for client-to-pod communication via an Ingress controller.

Service Mesh Sidecar

In a service mesh, each microservice is automatically started with a sidecar proxy.

Datacenter Server Standardization

Servers in a new datacenter are usually identical in CPU, memory, and disks.

High-Availability DBaaS

High-availability database services should be set up in multiple replicas across different Regions.

Cloud Application Reliability

When deploying applications in the public cloud, you always have to care about reliability, it is not completely guaranteed by the cloud provider.

Edge Computing Use Cases

Edge computing is useful for applications needing low latency, offline availability, and local data processing.

Computing Virtualization Use

Computing virtualization is used whenever strong computing isolation is required.

Docker Filesystem Independence

A Docker's filesystem is logically independent but its behavior depends on physical characteristics of the hosting machine.

OpenStack VM External Access

VM reachability in OpenStack must be explicitly enabled to communicate to the outside world.

Virtualization Isolation

Virtualization is used whenever strong computing isolation is required.

Service Mesh Implementation

In a service mesh, micro-services automatically start with a sidecar to implement the service mesh.

Trap-And-Emulate in Virtualization

The Trap-And-Emulate approach is used to intercept and handle privileged CPU instructions in computing virtualization.

Kubelet Main Function

Ensures containers within a pod are running as expected.

Kubernetes Pod

The smallest deployable unit in Kubernetes; can contain one or more containers.

Kubernetes Service

Provides a single, stable IP address to access a set of pods.

Kubernetes ReplicaSet

Ensures that a specified number of pod replicas are running.

Kubernetes Scheduler

Assigns pods to worker nodes based on resource requirements and constraints.

Trap-And-Emulate

Emulation of privileged CPU instructions when executed at an incorrect privilege level.

Modern CPU Rings

Modern CPUs have multiple rings with two dedicated to OS kernels.

VMEntry/VMExit

Instructions that facilitate quick transitions between GuestOS and HostOS kernels.

Modern OS Image

A modern OS image typically includes drivers for physical and para-virtualized devices.

QEMU vs KVM in Linux

In Linux, QEMU runs in userspace, and KVM operates in kernel space.

VM Hot Migration

Requires transferring the VM state and some of the hypervisor's state.

Moved state

Virtual machine memory and additional hypervisor state.

VMEntry and VMExit instructions

Enable fast transitions between GuestOS and HostOS kernels.

Hypervisor in virtualization

Is usually able to emulate a very small number of physical devices.

Modern Operating system

Usually includes drivers for many physical devices (e.g., Intel NIC), and a few para-virtualized devices (eg., VIRTIO).

Hot Migration Requirements

Moving the entire VM (applications and GuestOS kernel) plus some state in the hypervisor.

VMX non-root mode trap

Will generate a trap if it is either a sensitive or privileged instruction.

Direct assignment for I/O devices

A real device that is completely controlled by the GuestOS.

GuestOS in virtualized environment

It usually detects a set of virtual devices presented to it by the hypervisor.

VIRTIO driver

Uses mainly bi-directional queues shared with the companion backend driver to send/receive data.

virsh and virt-manager

Enable users to interact with VMs (e.g., KVM-based) in a user-friendly way.

KVM Hypervisor Rings

QEMU runs at ring 3 (VMX root), the GuestOS runs at ring 0 (VMX non-root).

Trap-And-Emulate syscall

We experience at least two transitions: User space --> HostOS kernel --> GuestOS kernel.

VM State for Hot Migration

The content of the entire memory allocated to the VM plus some additional information stored in the hypervisor.

Paravirtualized Device Drivers

Usually includes drivers for para-virtualized devices only (e.g., VIRTIO).

Libvirt's Role

Provides graphical access to VMs running on different hypervisors, simplifying interaction with KVM, VMware, etc.

Docker Network Features

Provides a default network but can also offer high flexibility and customizations similar to KVM.

Docker Networking Across Servers

It must use the IP address of the server, and the public TCP/UDP port published by Docker2.

Standard Docker Network

Includes a software bridge, routing, and NAT for traffic directed outside the server.

Docker IP Assignment

The IP is assigned by the Docker framework to the running container.

Docker Networking on Same Server

It must use the IP address of Docker2, and the actual TCP/UDP port used by the application running in Docker2.

VMX non-root mode instruction

Will generate a trap if it is either a sensitive or privileged instruction.

CPU with VMX root/non-root

Is more efficient when handling system calls.

Direct Assignment for I/O

A real device that is completely controlled by the GuestOS.

GuestOS Device Detection

It usually detects a set of virtual devices presented to it by the hypervisor.

Hypervisor's Main Role

Virtualizes hardware resources and manages the execution of virtual machines.

VMCS Function

Manages transitions between guest and hypervisor in hardware-assisted virtualization.

Connecting to Remote Server

Secure Shell. Used to connect securely to a remote server.

Type-1 Hypervisor

Runs directly on bare metal and usually offers better performance.

DBT Disadvantage

Introduces performance overhead due to the need for continuous translation of non-virtualizable instructions.

Dynamic Binary Translation (DBT)

Dynamically translates non-virtualizable x86 instructions at runtime.

Memory Ballooning

Dynamically allocates memory based on current usage.

Full Virtualization

The guest OS can interact with virtual hardware without needing to be modified.

HVM Advantage

Enables faster execution of guest OS code by minimizing VM exits.

SR-IOV Feature

Allows the hypervisor to share one physical device among multiple VMs.

EPT Feature Goal

Memory address translation efficiency.

Paravirtualization

The guest OS needs to be modified to work efficiently in the virtual environment.

Cgroups Primary Role

To limit and account for resource usage by processes.

Docker's Layered File System

Only differences between layers are stored, reducing disk usage.

API Server in Kubernetes

Exposes Kubernetes APIs for scheduling and managing resources.

KVM's Ring Levels

With KVM, QEMU runs at ring 3 (VMX root), and GuestOS runs at ring 0 (VMX non-root). This setup maintains security and separation.

VM State Contents

VM state for hot migration includes the entire memory allocated to the VM, plus hypervisor info.

Ring 0 Instruction Trap

CPU instructions at ring 0 (VMX non-root) generate a trap if sensitive or privileged.

VMX Efficiency

A CPU with VMX root/non-root modes is more efficient when handling system calls.

Direct Assignment

Direct assignment for I/O devices means a real device is completely controlled by the GuestOS.

VIRTIO Data Transfer

VIRTIO drivers use bi-directional queues shared with the backend driver to send/receive data.

Nested virtualization

Running a VM inside another VM.

Virtual Machine Monitor (VMM)

It is software responsible for emulating and managing virtual hardware.

Management host (Client VM)

To control the remote hypervisor

Workload Virtualization

Running a web application is an example of workload that can be virtualized.

x86 Challenges

It requires hardware-assisted virtualization from the start.

Study Notes

• Below are study notes based on the text:

Software Deployment Options

• A company with a new warehouse management product prefers to deliver it as a Software-as-a-Service (SaaS) model, which is not known by the customer, to minimize costs.

Common-Off-The-Shelf (COTS) Hardware

• COTS hardware refers to standardized hardware bought in large quantities, reducing the variety of hardware in a datacenter.

Kubernetes "ClusterIP" Service

• It is typically used for a service that has to be reachable only inside the cluster, like a backend database service consumed by a web server frontend.

Kubernetes Ingress Controller

• It mainly enables multiple HTTP/HTTPS services to be delivered on a single TCP port through service multiplexing.

Accessing Services within Kubernetes

• A Kubernetes "ClusterIP" should be used to create a service only reachable from inside a Kubernetes cluster.

Kubernetes Service vs. Pod IP Address

• A Kubernetes Service (e.g., Cluster IP) is used instead of sending traffic to the pod IP address to handle multiple replicas and pod respawning.

Memory Requirements for Applications

• Comparing memory requirements: Memory(VM) > Memory(Docker) = Memory(bare hardware).

Disk Requirements for Applications

• Comparing disk requirements: Disk(VM) = Disk(Docker) > Disk(bare hardware), assuming no layered file system advantages.

Scalable Web Server

• To create a web server that scales endlessly, Kubernetes on a public cloud is the preferred choice.

Service Mesh vs. Kubernetes Service

• A Kubernetes "service" cannot provide load balancing of incoming HTTP/HTTPS connections to different service instances based on application-level information and a "service mesh" software is required instead.

Setting Up a Videoconferencing Service

• For a real-time videoconferencing service between two campuses in different countries, buying a managed service (e.g., Zoom) running in multiple cloud locations is the best option.

Docker Filesystem Modification

• If a Docker running in a server tries to modify its filesystem, the file will be written in the file system of the running Docker.

Docker Layered Filesystem

• The layered file system in Docker builds a new layer each time the Dockerfile executes a command that modifies the current filesystem.

Docker Resource Availability

• A Docker running on a server with 2 CPUs (52 cores each) and 512 GB RAM will report 104 CPU cores and 512 GB RAM when a command to show available resources is typed inside the Docker.

Dockerfile Purpose

• The main purpose is to define a sort of “recipe” listing the steps required to re-create the container from scratch.

Kubernetes Daemonset

• It is typically used for a pod that must always be running on each Kubernetes node to provide network services.

Kubernetes E-commerce Site and Reachability

• The e-commerce site may be reachable from the Internet depending upon the configuration of the Ingress controller if the web frontend is configured as a “ClusterIP” service.

Kubernetes Control Loop Concept

• It is implemented by controllers, which watch the state of the resources in your cluster, then make or request changes where needed.

Kubernetes Custom Resource

• It enables the definition of generic objects, even not related to any Kubernetes workflow.

Software Bridge Connectivity

• By connecting a set of VMs/Dockers to a software bridge, full network connectivity is not guaranteed to the services running within the VMs/Dockers.

Datacenter Servers

• In a new datacenter servers are usually all equal in terms of CPU, memory, disks, etc.

E-commerce Site High-Availability

• You would choose to setup the service in multiple replicas across different Regions when an e-commerce site leverages a database-as-a-service from the cloud provider to run in "high-availability".

Application Deployment in Public Cloud

• Care about reliability, which is not completely guaranteed by the cloud provider when you deploy an application (e.g., e-commerce site) on a cluster in public cloud and you want to have a reliable service:.

Cloud Computing at the Edge of the Network

• It is useful with applications that cannot afford network problems (e.g., outages, limited bandwidth, etc.), require very low latency, and need to keep some data local, or that need to reduce the data volume before sending it to the cloud.

Technologies for Computing Virtualization

• They are used whenever strong computing isolation is required.

Docker Filesystem

• It is logically independent from the one present on the hosting machine; however, some physical characteristics of the hosting machine (e.g., free disk space) can affect the behavior of the Docker file system as well.

Docker CPU Cores

• If we execute an application that maximizes its performance by creating a number of threads equal to the number of CPU cores available, it will create 104 threads if A Docker is running on a server that has 2 CPUs (52 cores each).

VM Reachability in OpenStack

• Its reachability Must be explicitly enabled in the OpenStack configuration of the VM from a customer connected to the Internet.

Kubernetes Pod/Service Reachability Through Ingress Controller

• Two cascading TCP connections must be established to allow the client to connect to the pod when a client (on the Internet) establishes a TCP connection toward the pod/service.

Micro-Service in a Service Mesh

• Is automatically started with a sidecar that implements the service mesh.

Computing Virtualization: Trap-And-Emulate

• It can be used to emulate all the instructions that generate a trap.

CPU Para-Virtualization

• Replaces some source code of the GuestOS kernel with the proper equivalent function in the HostOS kernel.

Modern CPUs

• Have many CPU rings, and 2 of them are intended for executing OS kernels.

Dynamic Binary Translation

• Can refer to an instruction executed by GuestOS kernel.

Virtualized Systems: VMEntry and VMExit Instructions

• Enable fast transitions between GuestOS and HostOS kernels.

Computing Virtualization: Hypervisor

• It is usually able to emulate a very small number of physical devices.

Operating System ISO Image in a VM

• Usually includes drivers for many physical devices (e.g., Intel NIC), and a few para-virtualized devices (eg., VIRTIO).

Libvirt

• Simplifies the interaction with VMs running on different hypervisors (KVM, Vmware, etc).

Linux and Virtualization

• QEMU runs in user space, KVM runs in kernel space.

Implementing Hot Migration of a VM

• It requires moving the entire VM (i.e., applications and GuestOS kernel), plus some additional data kept in the hypervisor.

Computing Virtualization: Sensitive Instruction

• Is an instruction that may leak information about the current OS kernel context or actual hardware configuration.

CPU Instruction at Ring 0 (VMX Non-Root Mode)

• Will generate a trap if it is either a sensitive or privileged instruction.

CPU Supporting VMX Root/Non-Root Modes

• It is more efficient when handling system calls.

Trap-And-Emulate for Userland Programs

• It experience at least two transitions: User space --> HostOS kernel --> GuestOS kernel.

Computing Virtualization: Direct Assignment for I/O Devices

• A real device that is completely controlled by the GuestOS.

GuestOS Booting in a Virtualized Environment

• It usually detects a set of virtual devices presented to it by the hypervisor.

VIRTIO Driver

• Uses mainly bi-directional queues shared with the companion backend driver to send/receive data.

Linux Leveraging KVM Hypervisor

• QEMU runs at ring 3 (VMX root), the GuestOS runs at ring 0 (VMX non-root).

Linux Tools: virsh and virt-manager

• Enable users to interact with VMs (e.g., KVM-based) in a user-friendly way.

VM State

• Can be found in / consists in the content of the entire memory allocated to the VM plus some additional information stored in the hypervisor.

Nested Virtualization

• Refers to running a VM inside another VM.

Virtual Machine Monitor (VMM)

• Is software responsible for emulating and managing virtual hardware.

Management Host (Client VM)

• The primary purpose is to control the remote hypervisor.

Challenges with x86 Architecture in Virtualization

• Some sensitive instructions do not trap when executed in an unprivileged mode.

Role of Hypervisor in Virtualized Environment

• It virtualizes hardware resources and manages the execution of virtual machines.

Virtual Machine Control Structure (VMCS)

• It manages the transitions between guest and hypervisor in hardware-assisted virtualization.

Connecting to Remote Server

• SSH tool is used to connect to the remote server from the management host.

Type-1 Hypervisor

• Type-1 Hypervisor runs directly on bare metal and usually offers better performance.

Disadvantage of Using Dynamic Binary Translation (DBT)

• It introduces performance overhead due to the need for continuous translation of non-virtualizable instructions.

Dynamic Binary Translation (DBT) Introduced by VMware

• VMware is used to dynamically translates non-virtualizable x86 instructions at runtime.

Memory Ballooning

• Technique used to optimize memory usage in virtual machines by dynamically allocating memory based on current usage.

Full Virtualization

• Technique allows the guest OS to interact with virtual hardware without needing to be modified.

Advantage of Hardware-Assisted Virtualization (HVM)

• It enables faster execution of guest OS code by minimizing VM exits.

Single-Root I/O Virtualization (SR-IOV)

• The hypervisor is allowed to share one physical device among multiple VMs in virtualization via this feature.

Extended Page Table (EPT)

• In Intel processors it aims to improve memory address translation efficiency.

Paravirtualization

• The technique in which guest OS needs to be modified to work efficiently in the virtual environment.

Cgroups in Linux

• The feature primarily roles to limit and account for resource usage by processes in Linux.

Features Provided by Linux Cgroups

• Network isolation is NOT one of the features that is provieded by Linux cgroups in addition to CPU quotas; process freezing; memory limiting.

Docker Resource Isolation

• Docker uses Cgroups and namespaces to isolate resources such as CPU and memory.

Docker Filesystem Technology

• Docker primarily uses the Union File System for its file system.

Advantage of Docker's Layered Filesystem

• Only differences between layers are stored, reducing disk usage.

Namespace Isolating Filesystem Visibility

• Mount namespace isolates the visibility of the filesystem across processes.

Limitations of LXC Compared to Docker

• Docker has better integration with orchestration tools like Kubernetes.

Namespace NOT Provided by Linux Kernel

• Memory Namespace is NOT provided by Linux Kernel, Mount Namespace, Processs ID (PID) Namespace and Network Namespace are.

Network Namespace Connection

• Virtual Ethernet (veth) pair is a type of virtual interface connects two namespaces while in network namespaces

Primary Use of Docker

• To creating lightweight, portable, and self-contained containers.

OpenStack for Large Datasets: Swift

• Swift is the OpenStack used to store and retrieve large datasets and backups module.

Main Purpose of Keystone Module in OpenStack

• Manage and authorize user access to OpenStack services.

OpenStack Networking Through Neutron

• It provides Network as a Service (NaaS) for virtual network connectivity.

Non-Core Module in OpenStack

• Docker is NOT a core module in OpenStack, Horizon, Glance, Cinder are.

OpenStack Module Responsible for Managing VMs: Nova

• Nova is responsible for managing virtual machines (compute resources).

Non-Kubernetes Service Type

• NodeIP is NOT Kubernetes service, ExternalName, Loadbalancer, ClusterIP are.

API Server in Kubernetes

• Exposes Kubernetes APIs for scheduling and managing resources.

Purpose of Horizontal Pod Autoscaler (HPA)

• To automatically scale pods based on metrics like CPU usage.

Main Function Of Kubelet in Kubernetes

• Monitor and ensure the containers in the pod are running as expected.

Kubernetes Pod

• The smallest unit of execution in Kubernetes.

Kubernetes Stable Access Point

• Service resources provides a stable access point to a set of pods in Kubernetes.

Object Ensures Correct Number of Pod Replicas

• ReplicaSet object ensures that the correct number of pod replicas are running in Kubernetes.

Role of Kubernetes Scheduler

• To assign pods to nodes.

Data Stored in Kubernetes Secrets

• Sensitive information like passwords and keys.

Docker Network Behavior

• It provides a default (simplified) network behavior, but it can also offer high flexibility and customizations such as in a traditional virtualized environment (e.g., KVM).

Establishing Network Connection Between Dockers on Different Servers

• Docker1 must use the IP address of the server, and the public TCP/UDP port published by Docker2, when tryng to establish a network connection to Docker2 if they are running on two different servers.

Standard Network Created by Docker

• It includes a software bridge, plus routing and NAT functions operating on all the traffic generated by the containers and directed outside of the server.

IP Address Acquired by a Docker

• It is "manually" assigned by the Docker framework to the running container.

Establishing Network Connection Between Dockers on the Same Server

• Docker1 Must use the IP address of Docker2, and the actual TCP/UDP port used by the application running in Docker2 if it would like to establish a network connection to Docker2, if both are running on the same server.