1 Virtualization Recap

Size: px

Start display at page:

Download "1 Virtualization Recap"

Nathaniel Heath
5 years ago
Views:

1 1 Virtualization Recap

2 2 Recap 1 What is the user part of an ISA? What is the system part of an ISA? What functionality do they provide?

3 3 Recap 2 Application Programs Libraries Operating System Arrows? What runs in User / Kernel Mode? Hardware

4 4 Recap 3 Difference Process VM and System VM in terms of the interface virtualized? Classify Java in the taxonomy

5 5 Recap 4 e Sa Sb e' S'a S'b

6 6 Implementing Virtual Machines with the Same ISA

7 7 Same ISA VMs Emulation needed for different ISA VMs For same ISA: Theoretically, source instructions can be executed directly on target Fastest Application Programs Libraries Does this work for all Guest OS instructions? Virtual Machine Monitor Hardware

8 8 Same ISA VMs (cont'd) No: System ISA instructions need to be controlled When? System VMs with a guest OS How? Guest OS runs in CPU User Mode System ISA instructions called in User Mode activate Kernel Mode (trap) VMM in Kernel Mode then emulates system instruction

9 9 Example: App Scheduling User Mode Applications Run Kernel Mode Operating System Interrupts, Traps, faults Privileged instructions Hardware

10 10 Example: App Scheduling User Mode Applications 2. Run app in User Mode Kernel Mode Operating System 3. Interrupt 1. Set interval timer Hardware

11 11 Example: App Scheduling Applications 4. Run app in User Mode User Mode Operating System 3. Run OS in User Mode 1. Set interval timer t Kernel Mode Virtual Machine Monitor 5. Interrupt 2. Set interval timer t' Hardware

12 12 Example: App Scheduling Applications 4. Run app in User Mode User Mode Operating System 3. Run OS in User Mode 1. Set interval timer t Kernel Mode Virtual Machine Monitor 5. Interrupt 2. Set interval timer t' Hardware t= requested by OS t' = granted by VMM for fair scheduling of multiple VMs

13 13 Example: App Scheduling Applications Guest OS schedules Apps 4. Run app in User Mode Operating System 3. Run OS in User Mode 1. Set interval timer t Virtual Machine Monitor VMM schedules VMs 5. Interrupt 2. Set interval timer t' Hardware

14 14 x86 Same ISA Problems (1/3) Normal: VM: OS no longer in kernel mode! Apps OS + Apps OS OS VMM Ring 0: Kernel Mode Ring 3: User Mode

15 15 x86 Same ISA Problems (2/3) In x86, not all system instructions in User Mode activate Kernel Mode! When Guest OS runs in User Mode, not all system instruction calls observed by VMM Old solution: patch all binary code! Replace these critical instructions with explicit traps to Kernel Mode

16 16 x86 Same ISA Problems (3/3) New solution: Intel VT-x Allows Guest OS to run in Kernel Mode (Ring 0) Shared resources still controlled by VMM Apps Using extra mode: VMX VMX Root for VMX VMX Non-root for Guest OS Ring -1 Also hardware support for VM context switch OS OS VMM

17 17 VM Memory Management Normal: Guest OS has virtual memory Guest OS maintains mapping to physical memory Virtual Real Physi cal VM: Guest OS has virtual memory Guest OS maintains mapping to real memory VMM maintains mapping to physical memory

18 18 Native and Hosted VMs Apps Apps Guest OS Guest OS VMM VMM Hardware (a) Native VM Host OS Hardware (b) Dual-Mode Hosted VM User Mode Kernel Mode

19 19 VMWare Workstation Install on top of existing host OS Easy to use Can use myriad of device drivers available in host OS

20 20 VMWare Architecture Applications VMApp Guest OS VM Driver VMMonitor Host OS X86 Hardware

21 22 VMWare I/O Applications VMApp Guest OS VM Driver VMMonitor Device Driver Direct support, e.g. IDE Use host support, e.g. CD, sound, serial port Device Driver Host OS X86 Hardware Device Driver

22 23 VMWare: New Capabilities Applications VMApp Guest OS VM Driver VMMonitor Device Driver Host OS X86 Hardware Device Driver COW

23 24 Operating System Support for Virtualization

24 25 Native, Hosted, Paravirtualized VMs Apps Apps Guest OS Guest OS VMM Guest OS Host OS VMM VMM Hardware Hardware Apps Hardware Modify the Guest OS!

25 26 Paravirtualization System VMs can be faster when Guest OS can be modified for virtualization Showcased in Xen Project Modified Linux Windows XP Near native performance!

26 27 Xen Evolution Problems: only open-source OSes can be modified Xen implementation tricks not on x86-64 New approach: Start from Full virtualization with Hardware Support Apply Paravirtualization in areas where speed can be gained: 1. Disk and network I/O 2. Interrupts and timers 3. Emulated motherboard, legacy boot 4. Privileged instructions, page tables

27 28 Xen Mode: HVM Source: Lars Kurth,

28 29 Xen Mode: PV

29 30 Xen Mode: HVM + PV Drivers

30 31 Xen Mode: PVHVM Drivers

31 32 Xen Mode: PVH

32 33 KVM KVM

33 34 Xen Architecture Domain 0 Toolstack Host OS Drivers Applications Applications Guest OS (Modified) Guest OS (Modified) PV front PV front Xen Hypervisor virtual x86 Scheduler CPU X86 Hardware MMU Timers Domain

34 35 Xen Architecture Toolstack Domain 0 Host OS Drivers Applications Applications Guest OS (Modified) Guest OS (Modified) PV front PV front Xen Hypervisor virtual x86 Scheduler CPU X86 Hardware MMU Timers Domain

35 36 Operating-System Level Virtualization In between System VM and Process VM Not System VM: Not Process VM: Cannot choose OS Multiple processes, not isolated As if multiple instances of the same OS are running on the same machine Example: Linux Containers cf. Docker

36 37 Linux Containers Applications OS View Namespaces Applications OS View Linux Host OS X86 Hardware Applications OS View CGroups

37 38 Linux Containers: Namespaces Linux has a configuration Controlled via many files and outside input Idea: allow a configuration per process (group) E.g. for process A the hostname is X, for process B the hostname is Y cf. chroot Now: configuration is set of 6 namespaces Source: Rami Rosen, Linux Kernel Networking, APress.

38 39 6 Namespaces of Linux uts (hostname) mnt (mount points, filesystems) pid (processes) user (UIDs) ipc (System V IPC) net (network stack) (plans to add more)

39 40 UTS Namespace (1/3) UNIX time sharing?! Contains 6 strings: sysname Operating system name (e.g., "Linux") nodename Name within "some implementation -defined network" release OS release (e.g., "2.6.28") version OS version machine Hardware identifier domainname NIS or YP domain name i.e., control the names of the container Source: uname(2)

40 41 UTS Namespaces (2/3) The old implementation of gethostname(): asmlinkage long sys_gethostname(char user *name, int len) {... if (copy_to_user(name, system_utsname.nodename, I)) errno = -EFAULT;... } system_utsname is a global variable

41 42 UTS Namespaces (3/3) The new implementation of gethostname(): static inline struct new_utsname *utsname(void) { return &current->nsproxy->uts_ns->name; } SYSCALL_DEFINE2(gethostname, char user *, name, int, len) { struct new_utsname *u;... u = utsname(); if (copy_to_user(name, u->nodename, i)) errno = -EFAULT;

42 43 MNT Namespace View of which filesystems are mounted New mounts only visible in current mnt namespace Unless special flags are used: mount make-shared / (root) /mnt sdb1 / (root) /home sda3 /mnt mnt ns1 /home sdc1 mnt ns1

43 44 PID Namespace Processes in different PID namespaces can have the same process ID. When creating the first process in a new namespace, its PID is 1. Hierarchy of PID namespaces: PIDs visible to parent namespace Nested upto 32 levels deep

44 45 User namespace New namespace = new set of UIDs and GIDs Hierarchy Existing UIDs are mapped into new space E.g. UID 1000 becomes UID 0 in new space First process in the new space has root Only for namespaces inside the new space! Create container: 1. Create new user namespace 2. Create new UTS, MNT, PID, etc. namespaces from that namespace Outside: permissions of parent UID

45 46 NET Namespace (1/2) A network namespace is logically another copy of the network stack: own routes, own firewall rules, own network devices. A network device belongs to exactly one network namespace A socket belongs to exactly one network namespace

46 47 NET Namespace (2/2) The initial network namespace includes: loopback device all physical devices, networking tables, etc. New network namespace includes only the loopback device Real devices can be moved into NS Virtual devices can be added Control via ip netns command And e.g. /etc/netns/<nsname>/hosts

47 48 Containers via namespaces Create a container: 1. Create a user namespace 2. Create a PID and UTS namespace inside 3. Create a MNT namespace to get your own filesystem 4. Mount container disk image 5. Create NET namespace, add virtual devices 6. Connect virtual devices to real network via e.g. virtual bridges

48 49 CGroups Namespaces can give groups of processes: Same view of the OS Illusion there are no other groups Control Groups is a mechanism for resource management for groups of processes: Set limits, e.g. on memory usage (main + FS cache) Set priorities (CPU or disk bandwidth) Accounting Checkpointing

Large Systems: Design + Implementation: Virtualization. Image (c) Facebook

Large Systems: Design + Implementation: Image (c) Facebook Virtualization Virtualization What is Virtualization "a technique for hiding the physical characteristics of computing resources from the way