Understanding Virtualization

Questions and Answers

Which of the following is a fundamental abstraction necessary to describe the operation of computing systems?

• Interpreters/processors
• Memory
• Communications links
• All of the above (correct)

What does virtualization enable users to operate in?

• Isolated hardware
• Specific ones
• Limited OS
• Familiar environments (correct)

What is 'Virtualization' in computing?

• A way to increase hardware costs
• A method of limiting user access
• The process of allocating physical resources directly
• The act of creating a virtual version of something (correct)

Which of the following is a benefit of cloud resource virtualization?

All of the above (D)

What does virtualization simulate to a physical object?

The interface (A)

What does multiplexing create in virtualization?

Multiple virtual objects from one instance (A)

What does aggregation create in virtualization?

One virtual object from multiple physical objects (B)

What does emulation construct in virtualization?

A virtual object of a certain type from a different type of physical object (C)

What is layering in a computer system used for?

Managing system complexity (A)

What does layering simplify regarding subsystems?

Description (A)

What is the role of the Application Programming Interface (API)?

Provides a high-level interface for applications (C)

What is the role of the Application Binary Interface (ABI)?

Defines how applications interact with the OS at a binary level (C)

What is the role of the Instruction Set Architecture (ISA)?

Is at the boundary between hardware and software (D)

What does dynamic binary translation convert?

Guest instructions to host instructions (C)

A VM loader converts portable code into what?

VM image (C)

What is the role of a Virtual Machine Monitor (VMM)?

To partition resources into virtual machines (D)

What is a 'guest operating system'?

An OS that runs in a VM under the control of the VMM (B)

What kind of instructions are trapped by the VMM?

Privileged instructions (C)

The VMM maintains a shadow page table for each?

Guest OS (B)

What is a Type 1 Hypervisor also known as?

Bare metal (A)

Where does a Type 1 Hypervisor run?

Directly on the hardware (C)

What is a critical condition for Quality of Service (QoS) guarantees in shared computing environments?

Performance isolation (A)

How is the security vulnerability of VMMs?

Reduced (D)

Which computing mode allows the OS to protect itself and other system components?

Dual-mode (D)

What is required to run privileged instructions?

Kernel mode (A)

Where do user applications run in the x86 privilege execution rings?

Ring 3 (D)

With full virtualization guest OS can run?

Unchanged (A)

What part of the code does binary translation rewrite?

Sensitive (A)

What does paravirtualization involve?

The OS kernel (A)

Flashcards

What is Virtualization?

Creating a virtual version of something including hardware platforms, OS, storage and network.

What is Layering?

Breaks down system complexity. Uses interfaces between subsystems.

What is a VMM? (hypervisor)

Partitions computer resources into virtual machines. Allows OSs to run concurrently.

What is a Virtual Machine (VM)?

An execution environment running an OS in the stack

What is Multiplexing?

It creates multiple virtual objects from one instance of a physical object.

What is Aggregation?

Creates one virtual object from multiple physical objects.

What is Emulation?

Constructs a virtual object of a certain type from a different type of physical object.

What is ISA?

The boundary between hardware and software.

What is ABI?

Allows applications/libraries to access hardware. Doesn't include privileged instructions.

What is API?

The set of instructions that run on the hardware. Gives application access to ISA.

What is Dynamic Binary Translation?

Translates portable code to host instructions, improving performance.

What is Full Virtualization?

Guest OS runs unchanged under VMM.

What is Binary Translation?

Rewrites code to replace sensitive instructions.

What is Paravirtualization?

OS kernel is modified for virtualization.

What is Hardware Assisted Virtualization?

New CPU mode traps privileged and sensitive calls.

Dual-Mode Operation

OS runs in kernel mode, applications run in user mode.

What is OS-assisted Virtualization?

Virtualization with the OS kernel modified.

What is a Linux Container?

A Linux process with its own virtual environment and network space.

What are Privileged Instructions?

Instructions executable only in kernel mode.

What are Sensitive Instructions?

Instructions behaving differently in kernel/user mode.

Study Notes

• Virtualization refers to creating a virtual, rather than actual, version of something in computing
• This includes virtual computer hardware platforms, operating systems (OS), storage devices, or computer network resources
• Virtualization abstracts the underlying resources, simplifies their use, isolates users, and supports replication, increasing system elasticity

Motivation for Virtualization

• Three fundamental abstractions are necessary to operate a computing system: interpreters/processors, memory, and communications links
• Managing resources becomes challenging as systems and user bases grow
• Resource management issues include handling peak demands via overprovisioning, and managing heterogeneous hardware/software and machine failures
• Virtualization simplifies the management of physical resources for the three abstractions and is a basic enabler of cloud computing
• Virtual machine (VM) states can be saved and migrated to other servers to balance the load
• Virtualization allows operation in familiar environments, rather than forcing users to conform to specific ones
• Cloud resource virtualization is key for performance isolation, dynamically assigning resources, system security, and service mobility
• It enables isolating services on the same hardware, performance and reliability by facilitating application migration, and improves development/management of services

How Virtualization Works

• Virtualization simulates the interface to a physical object using these methods:
  • Multiplexing creates multiple virtual objects from single physical object instances, such as a processor multiplexed across threads
  • Aggregation creates a single virtual object from multiple physical objects, like aggregating physical disks into a RAID disk
  • Emulation constructs a virtual object of one type from a different type of physical object, such as emulating RAM with a physical disk
  • Multiplexing and emulation combine in examples like virtual memory with real memory/disk paging, or virtual addresses emulating real addresses

Layering and Interfaces

• Layering is a common approach to manage system complexity
• Layering simplifies subsystem descriptions via abstracted interfaces and minimizes interactions between subsystems
• Layering enables independent design, implementation, and modification of subsystems
• In a computer system, layering includes hardware, software, operating systems, libraries, and applications
• Application Programming Interface (API) provides a high-level interface for applications using libraries
• Application Binary Interface (ABI) defines how applications interact with the OS at a binary level
• Instruction Set Architecture (ISA) constitutes the lowest level, governing direct hardware communication

Code Portability

• Binaries compiled for a specific ISA and OS are not portable
• Compiling a High-Level Language (HLL) program for a VM allows creation of portable code, convertible to the host system's ISA via binary translators
• Dynamic binary translation converts blocks of guest instructions from portable code to host instructions, enhancing performance by caching and reusing blocks

HLL Translations

• Traditional compilation involves the compiler processing HLL code in two steps

  • Front-end converts HLL code into intermediate code
  • Back-end generates object code for the system

• The loader then loads object code into memory

• Virtual Machine Compilation

  • The compiler generates portable code instead of direct machine code
  • A VM loader converts this into a VM image (a format runnable on different systems)
  • The image is converted into machine code based on the target system's ISA

Virtual Machine Monitor (VMM/Hypervisor)

• A VMM partitions resources into VMs, allowing multiple OSs to run concurrently on a single platform
• A VM is an execution environment with an OS
• VMs are isolated environments that appear as whole computers, only with access to a fragment of computing resources
• A VMM enables multiple services to share a platform, live migration of servers, system modification while maintaining backward compatibility, and enforces systems isolation for security
• A guest OS runs in a VM, controlled by the VMM

VMM Functionality

• A VMM (also known as a hypervisor) performs the following key functions:
  • Traps privileged instructions executed by a guest OS, ensuring operation correctness and safety
  • Traps and dispatches interrupts to respective guest operating systems
  • Controls virtual memory management
  • Shadow page tables maintain memory mapping for each guest OS, used by the Memory Management Unit (MMU) for address translation
  • Monitors system performance, taking actions to prevent degradation, such as swapping out VMs to avoid thrashing

Hypervisor Types

• Type 1 Hypervisors (bare metal, native) run directly on hardware and support multiple VMs (e.g., VMware ESX, Xen, Denali)
• Type 2 Hypervisors (hosted) run under a host OS (e.g., user-mode Linux)

Performance and Security Isolation

• Application run-time behavior is affected by other concurrent applications that are competing for CPU, cache, memory, disk and network access

• It is hard to predict the completion time

• Performance isolation is a key condition for Quality of Service (QoS) guarantees

• A VMM is simpler and better specified than an OS

  • For example, Xen has roughly 60,000 code lines, while Denali has about 30,000

• VMMs reduce security vulnerabilities by exposing fewer privileged functions

  • For example, Xen VMM has 28 hypercalls, while Linux has hundreds of system calls

VMM Conditions

• Conditions for efficient virtualization:
  • Programs running under the VMM should behave nearly identical to their behavior when running directly on a machine
  • The VMM should maintain complete control over virtualized resources
  • A statistically significant fraction of machine instructions must execute without VMM intervention

Dual-Mode Operation

• Dual-mode operation allows the OS to protect itself and other system components using user mode and kernel mode
  • Hardware indicates current mode
  • Privilege determines instruction which can be executed
  • System calls initiate a mode switch

Kernel vs User Mode

• Kernel-code runs in kernel mode
• Provides unrestricted access to hardware
• Everything else runs in user mode
• The OS relies on hardware enforced protection for this mechanism

Challenges of x86 CPU Virtualization

• Four layers of privilege execution with rings
  • User applications run in ring 3
  • OS runs in ring 0
• The VMM must run in a ring where it can manage the OS
  • Moving the OS to ring 1 and the VMM to ring 0 resolves this
• Three classes of machine instructions:
  • Privileged: Can only be executed in kernel mode
  • Non-privileged: Can only be executed in user mode
  • Sensitive: Behave differently depending on the mode

Techniques for Virtualizing CPU on x86

• Full virtualization employs binary translation
• OS-assisted virtualization uses paravirtualization
• Hardware-assisted virtualization makes use of hardware features to simplify the process

Full Virtualization

• A guest OS runs unchanged under a VMM on the hardware platform
• Binary translation rewrites code to replace sensitive instructions with safe code for emulation
• The hypervisor translates all OS instructions on the fly, which are then cached, while user-level instructions are ran at native speed
• Examples include VMware and Microsoft Virtual Server
• Advantages: no hardware assistance or guest OS modifications are needed
• Main disadvantage: decreased speed of execution

Paravirtualization

• Paravirtualization modifies the OS kernel to replace non-virtualizable instructions with hypercalls that communicate directly with the virtualization layer hypervisor
• The hypervisor provides hypercall interfaces for other kernel operations
• Faster execution and lower virtualization overhead
• The main disadvantage is poor portability with unmodified operating systems
• Examples include Xen and Denali

Hardware-Assisted Virtualization

• CPUs include execution mode features
• Runs VMM in a new root mode below ring 0
• Privileged and sensitive calls automatically trap to the hypervisor
• This eliminates the need for either binary translation or paravirtualization
• It offers faster execution
• Examples include Intel VT-x and Xen 3.x

Linux Containers

• A Linux Container is a Linux process in a virtual environment with its own process network space, providing lightweight process virtualization
• Containers share portions of the host kernel
• Containers make use of:
  • Namespaces: per-process isolation of OS resources like the filesystem
  • Cgroups: resource management and accounting per process
• Examples for using containers:
  • dotcloud.com/
  • heroku.com/