Virtual Machine Monitors: Current Technology And Future Trends

Virtual Machine Monitors
Bibliography
1. “Virtual Machine Monitors: Current Technology And Future Trends”, Mendel Rosenblum and Tal Garfinkel, IEEE Computer, May 2005.
2. “Xen and the Art of Virtualization”, P. Barham, R. Dragovic, K. Fraser, S. Hand, T. Harris, A. Ho, R. Neugebauer, I. Pratt, A. Warfield, SOSP ’03.
3. The Definitive Guide to the Xen Hypervisor, David Chisnall, Prentice Hall, 2008.
4. “Scale and Performance in the Denali Isolation Kernel”, Andrew Whitaker, Marianne Shaw, and Steven D. Gribble, in System Design and Implementation (OSDI), Boston, MA, Dec. 2002.
5. Xen Homepage: http://www.cl.cam.ac.uk/research/srg/netos/xen/
Outline
• Overview
– What is a virtual machine?
– What is a virtual machine monitor (VMM)?
– System or application virtual machines
• History of Virtual Machines
• Benefits of Virtual Machines
• Issues and Implementation
What is a Virtual Machine?
• Several definitions and implementations.
• Here, a virtual machine is an isolated
environment that appears to be a whole
computer, but actually only has access to
a portion of the computer’s resources.
A Formal Definition
• “The environment in which a hosted
operating system runs, providing the
abstraction of a dedicated machine. A
virtual machine may be identical to the
underlying hardware (full virtualization) or it
may differ slightly (paravirtualization).”
www.linuxtopia.org/online_books/linux_virtualization/xen_3.0_user_guide/linux_virualization_xen_user_78.html
What is a Virtual Machine Monitor?
• A virtual machine monitor (VMM) is a thin
software layer that runs directly on the bare
hardware
• It partitions the computer’s resources into one or
more virtual machines
• Each virtual machine appears to be running on
the bare hardware.
• End result – the appearance of multiple
instances of the same computer, but all are
supported on a single machine.
Full Virtualization versus
Paravirtualization
• Full virtualization: each virtual machine
runs on an exact copy of the underlying
hardware.
• Paravirtualization: the VMM presents each virtual
machine with an interface that differs somewhat
from the underlying hardware
– Because some aspects of the hardware can’t
be virtualized
– To present a simpler interface; improve
performance.
[Figure: three virtual machines (VM1, VM2, VM3), each running an application on its own guest OS (Guest OS1, Guest OS2, Guest OS3), on top of the virtual machine layer (VMM), which runs on the hardware layer.]
Sometimes a virtual machine
monitor is installed on an existing
operating system.
More about this later.
[Figure: VM1 and VM2 run on the VMM, which runs on an operating system above the hardware layer.]
VM – How They Work
• When an application process makes a system
call, it is received by its own OS, running (in user
mode) on its private virtual machine.
• When the “guest” OS tries to execute a
privileged instruction, the virtual machine
software traps the operation and ensures that it
is executed correctly & safely
– e.g., when a guest OS appears to execute an I/O
system call, the “host” VM monitor is actually in
charge.
Virtualization versus Emulation
• Virtualization presents multiple copies of
the same hardware system.
– Direct execution of code on the hardware
• Emulation presents a model of another
hardware system
– Instructions are “emulated” in software – much
slower than virtualization
– Example: Microsoft’s VirtualPC can run on
other chipsets than the x86 family; used on
Mac hardware until Apple adopted Intel chips
System & Process VMs
http://en.wikipedia.org/wiki/Virtual_machine
• System virtual machine (hardware virtual
machine)
– Multiplex the underlying hardware
– Each VM can run its own OS
– Each VM is securely isolated from others
• Process or application virtual machine
– Runs inside a normal OS
– Provides a platform-independent host for an
application
– For example, the Java Virtual Machine
Virtual Machines – Examples
• Denali was designed to support Internet services
by providing a platform that allows a large
number of servers to run on a single server
machine.
• Paravirtualizes x86 architecture to improve
performance and scalability
• “Isolation kernel”: isolates each server in a
virtual machine to reduce the danger of sharing
physical resources with untrusted servers.
History - Why VMM’s?
• Early computers were large (mainframes)
and expensive
• VMM approach allowed the machine to be
safely multiplexed among many different
applications
• As an alternative to multiprogramming
Virtual Machines - History
• Early example: the IBM 370
– VM/370 is the virtual machine monitor
– As each user logs on, a new “virtual machine”
is created
– CMS, a single-user, interactive OS was
commonly run as the OS
• Separation of powers:
– Virtual machine interacts with user
applications
– Virtual machine monitor manages hardware
resources
History – 1980s & 1990s
• As hardware got cheaper and operating
systems became better equipped to
handle multitasking, the original motivation
went away.
• Hardware platforms gradually eliminated
hardware support for virtualization.
• And then …
History – late 90s to today
• Massively parallel processors (MPPs)
were developed during the 1990s; they
were hard to program and did not support
existing operating systems
• Researchers at Stanford used
virtualization to make MPPs look more like
traditional machines
• Result: VMware Inc. – supplier of VMMs
for commodity hardware
Rationale for VMMs Today
• Today, security and encapsulation are the
most important reasons for using VMMs
• “…VMMs give operating systems
developers another opportunity to develop
functionality no longer practical in today’s
complex and ossified operating systems,
where innovation moves at a geologic
pace.” [1]
Example Virtual Machine Systems
• VMware: commercial product, derived
from research done at Stanford
• Xen: open source, Cambridge University,
widely used in research and academia
• Denali: University of Washington, focuses
on support for Internet services
Reasons for Adopting VMM’s
• Security and isolation
• Ability to support several operating
systems at the same time
• Ability to experiment with new operating
systems, or modifications of existing
systems, while maintaining backward
compatibility with existing operating
systems.
Security and Isolation
• Applications running on a virtual machine
are more secure than those running
directly on hardware machines.
– VMM controls how guest operating systems
use hardware resources; what happens in
one VM doesn’t affect any other VM: “…by
virtualizing all hardware resources, a VMM
can prevent one VM from even naming the
resources of another VM, let alone modifying
them.” [4]
Encapsulation
• The software state of a virtual machine isn’t
dependent on the underlying hardware.
• Rosenblum and Garfinkel [1] point out that this
makes it possible to suspend and resume entire
virtual machines and even move them to other
platforms
– For load balancing
– For system maintenance
– Etc.
Servers
• Conventionally, servers run on dedicated
machines.
– Protects against another server/application
crashing the OS
– But … wasteful of hardware resources
• VMM technology makes it possible to
support multiple servers, each running on
its own VM, on a single hardware platform.
Desirable Qualities
• A good VMM
– Doesn’t require applications to be modified
– Doesn’t severely affect performance
– Is not complex/error prone
Implementation Issues
• Enforce VMM control of hardware by
preventing guest OS from executing
privileged instructions.
• Virtualize CPU
• Virtualize memory
CPU Virtualization
• Basic technique: direct execution
– The virtual machine executes on the real
machine, but the VMM exercises control over
privileged instructions
• VMM runs in privileged (kernel) mode.
• Guest OS executes all its code, privileged
and unprivileged, in user mode.
– If the guest OS tries to execute a privileged
instruction the CPU traps to the VMM which
executes the privileged operation.
Protection Rings
• Intel chips have 3 protection modes:
– 0: equivalent to kernel mode; can execute all
privileged instructions
– 1: cannot execute privileged instructions but
higher priority than user level
– 2: where user processes run
• Normally, only rings 0 and 2 are used.
– Xen runs the guest OS in level 1
Example: Disable Interrupts [1]
• If a guest OS tries to disable interrupts, the
instruction is trapped by the VMM which
makes a note that interrupts are disabled
for that virtual machine
• If interrupts arrive for that machine, they
are buffered at the VMM layer until the
guest OS enables interrupts.
Direct Execution Not Always
Possible
• Modern CPUs, esp. x86 architectures,
have not been designed for virtualization.
• Example: POPF (pop CPU flags from
stack)
– If executed in user mode, no trap - just ignore
– In this case, direct execution fails – Guest OS
assumes flags have been popped, but they
haven’t
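The two slides above, as an added example (not from the original slides): a toy virtual CPU in which CLI/STI trap to the VMM and interrupts are buffered, while POPF in user mode changes nothing and never reaches the VMM. The struct, function names and the IRQ numbers are assumptions made for the illustration.

```c
#include <stdbool.h>

#define IF_BIT 0x200u        /* interrupt-enable bit in x86 EFLAGS */
#define MAX_PENDING 8

/* Constructed toy model of one virtual CPU; every name here is hypothetical. */
struct vcpu {
    unsigned hw_flags;        /* real flags register while the guest runs in user mode */
    bool virt_if;             /* VMM's note: has this guest enabled interrupts? */
    int pending[MAX_PENDING]; /* interrupts buffered at the VMM layer */
    int npending;
    int delivered;            /* interrupts the guest has actually received */
};

/* CLI and STI trap when run in user mode, so the VMM emulates them. */
void vmm_emulate_cli(struct vcpu *v) { v->virt_if = false; }

void vmm_emulate_sti(struct vcpu *v) {
    v->virt_if = true;
    v->delivered += v->npending;      /* flush what was buffered */
    v->npending = 0;
}

/* An interrupt for this VM reaches the VMM; returns false if the buffer is full. */
bool vmm_interrupt(struct vcpu *v, int irq) {
    if (v->virt_if) { v->delivered++; return true; }
    if (v->npending == MAX_PENDING) return false;
    v->pending[v->npending++] = irq;
    return true;
}

/* POPF in user mode: no trap; IF keeps its old value and the VMM is never entered. */
void cpu_popf_user(struct vcpu *v, unsigned popped) {
    v->hw_flags = (popped & ~IF_BIT) | (v->hw_flags & IF_BIT);
}

/* Guest masks interrupts (via CLI or POPF), then IRQ 14 arrives, then the guest
 * optionally runs STI. Returns how many interrupts the guest has received. */
int guest_run(bool use_popf, bool then_sti) {
    struct vcpu v = { .hw_flags = IF_BIT, .virt_if = true };
    if (use_popf) cpu_popf_user(&v, 0);   /* silent: the VMM's note is now stale */
    else          vmm_emulate_cli(&v);    /* trapped and emulated */
    vmm_interrupt(&v, 14);
    if (then_sti) vmm_emulate_sti(&v);
    return v.delivered;
}
```

With CLI the interrupt is held until STI; with POPF it is delivered while the guest believes interrupts are off, which is the failure of direct execution the slide describes.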
Two Ways to Handle Nonvirtualizable Instructions
• Paravirtualization
– Modify VMM interface to use instructions that
can be virtualized
– Xen, Denali
• Binary Translation
– Monitor execution of kernel code and replace
non-virtualizable instructions with other
instructions
– VMware
Paravirtualization
• Rewrite portions of the guest OS to delete
this kind of instruction; replace with other
instructions that are virtualizable.
• Paravirtualization affects the guest OS, but
not applications that run on it – the API is
unchanged
Binary Translation
• Combines direct execution with on-the-fly
binary translation (a form of emulation).
– When the guest OS executes “privileged” code,
the DBT (dynamic binary translator) replaces
non-virtualizable instructions with equivalent
code.
– Paravirtualization changes the source code of a
guest OS; binary translation changes the binary
code as it executes.
Comparison
• Paravirtualization is more efficient, but
requires modification to the guest OS
– Paravirtualization also allows more efficient
interfaces, in some cases
• Binary translation is backward-compatible
but has some extra overhead of run-time
translation the first time an instruction is
encountered.
– Once translated, code is saved and used
again if needed.
Techniques – Hardware Support
• AMD and Intel have added extensions to
support virtualization.
– New execution mode (-1)
• Allows guest OS to run in execution ring 0 and VMM in
yet a higher privileged mode
– Flags to indicate if running in this mode
– Will reduce the number of traps and the time to
process a trap
– Will support direct execution of all instructions
Memory Virtualization
• VMM maintains a shadow page table for
each virtual machine.
• When the guest OS makes an entry in its
own page table, the VMM makes the same
entry in the shadow table.
• Shadow page table points to actual page
frame
– The hardware MMU uses the shadow page
table when it translates virtual addresses.
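An added example (not from the original slides) of the shadow page table idea: the guest writes guest-physical frame numbers into its own table, and the VMM mirrors each entry into the shadow table only after translating it through that VM's own frame map. The table sizes, names and frame numbers are assumptions for the illustration.

```c
#include <stdbool.h>

#define GUEST_PAGES 4            /* guest-physical frames given to this VM */
#define VIRT_PAGES  8            /* size of the toy guest virtual address space */
#define NO_FRAME    (-1)

/* Constructed toy model; structure and function names are hypothetical. */
struct vm {
    int p2m[GUEST_PAGES];        /* VMM-owned: guest-physical -> machine frame */
    int guest_pt[VIRT_PAGES];    /* guest-owned: virtual -> guest-physical */
    int shadow_pt[VIRT_PAGES];   /* VMM-owned: virtual -> machine frame (MMU uses this) */
};

void vm_init(struct vm *vm, int first_machine_frame) {
    for (int i = 0; i < GUEST_PAGES; i++) vm->p2m[i] = first_machine_frame + i;
    for (int i = 0; i < VIRT_PAGES; i++) vm->guest_pt[i] = vm->shadow_pt[i] = NO_FRAME;
}

/* Called when the VMM intercepts a guest write to its page table.
 * The entry is mirrored into the shadow table only after the guest-physical
 * frame is translated through this VM's own p2m map, so the guest has no way
 * to name a machine frame that belongs to another VM. */
bool vmm_guest_pte_write(struct vm *vm, int vpage, int gframe) {
    if (vpage < 0 || vpage >= VIRT_PAGES) return false;
    if (gframe < 0 || gframe >= GUEST_PAGES) {
        vm->shadow_pt[vpage] = NO_FRAME;   /* reject: frame not owned by this VM */
        return false;
    }
    vm->guest_pt[vpage] = gframe;
    vm->shadow_pt[vpage] = vm->p2m[gframe];
    return true;
}

/* What the hardware MMU would resolve for a guest virtual page. */
int mmu_translate(const struct vm *vm, int vpage) {
    if (vpage < 0 || vpage >= VIRT_PAGES) return NO_FRAME;
    return vm->shadow_pt[vpage];
}

/* Demo: a VM whose memory starts at the given machine frame maps virtual page 2. */
int demo_frame(int first_machine_frame, int gframe) {
    struct vm vm;
    vm_init(&vm, first_machine_frame);
    vmm_guest_pte_write(&vm, 2, gframe);
    return mmu_translate(&vm, 2);
}
```

Two VMs that both map guest frame 1 resolve to different machine frames, and a guest that writes a raw machine frame number (for example 101) gets no mapping at all.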
Paging Out the Virtual Machine
• The VMM can swap one virtual machine
(or parts thereof) to disk and swap in
another.
• Reduces the hardware requirements for a
given workload
• Particularly useful in environments where
many servers are required, but only a few
are used frequently. (Web services, for
ex.)
Challenges
• It would make sense to let the virtual
machine operating system decide which of
its pages to swap out
• VMware’s ESX Server uses the concept of
a balloon process, running inside the
guest OS, as a conduit for pages to be
removed [1].
Balloon Process
• When the VMM wants to swap out pages
from a VM it notifies the balloon process to
allocate more memory to itself.
• In order to get more memory for the
balloon process, the guest OS must “page
out” unused portions of other processes to
its virtual disk.
• The VMM now knows which pages the
guest OS thinks it can do without.
Other Virtual Memory Challenges
• VMware tracks duplicate pages in different
virtual machines
– To avoid duplication, it only stores one copy of
the actual page with pointers from the shadow
page tables in sharing processes.
– Copy-on-write policy
• Xen focuses on total isolation of each
virtual machine, which means no sharing
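An added example (not from the original slides, and not VMware's code) of the single-copy and copy-on-write policy described above: identical pages from two VMs are backed by one frame, and the first write gives the writer a private copy. Page size, table sizes and all names are assumptions for the illustration.

```c
#include <string.h>
#define PAGE_SIZE 16         /* tiny pages keep the toy model readable */
#define NFRAMES   4          /* machine frames managed by the VMM */

/* Constructed toy model; all names are hypothetical. */
static struct frame { unsigned char data[PAGE_SIZE]; int refs; } frames[NFRAMES];
static int shadow[4];        /* shadow entries of all VMs -> machine frame */

static int alloc_frame(const unsigned char *src) {
    for (int f = 0; f < NFRAMES; f++)
        if (frames[f].refs == 0) {
            memcpy(frames[f].data, src, PAGE_SIZE);
            frames[f].refs = 1;
            return f;
        }
    return -1;               /* out of machine memory */
}

/* Back a shadow entry with `src`, reusing any frame with identical contents. */
int vmm_map(int slot, const unsigned char *src) {
    for (int f = 0; f < NFRAMES; f++)
        if (frames[f].refs > 0 && !memcmp(frames[f].data, src, PAGE_SIZE)) {
            frames[f].refs++;
            return shadow[slot] = f;
        }
    return shadow[slot] = alloc_frame(src);
}

/* Guest write: a shared frame is copied first, so the other VM never sees it. */
int vmm_write(int slot, int off, unsigned char val) {
    int f = shadow[slot];
    if (frames[f].refs > 1) {                /* copy-on-write break */
        int copy = alloc_frame(frames[f].data);
        if (copy < 0) return -1;
        frames[f].refs--;
        f = shadow[slot] = copy;
    }
    frames[f].data[off] = val;
    return f;
}

/* Demo: two VMs map identical contents, then the first writes one byte. */
int demo_share_then_write(void) {
    unsigned char page[PAGE_SIZE] = "identical page";
    int shared = vmm_map(0, page) == vmm_map(1, page);
    vmm_write(0, 0, 'X');
    return shared && shadow[0] != shadow[1]
        && frames[shadow[0]].data[0] == 'X' && frames[shadow[1]].data[0] == 'i';
}
```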
Virtual Machines - Examples
• VMware, a publicly held company, has two lines
of products:
– Desktop : VMware Workstation can run multiple
different operating systems on a single PC. Runs in
between the virtual machines and the native (host)
OS.
• VMware Fusion (for Mac-Intel platform)
– VMware ESX Server, VMware Server run directly on
hardware;
Hosted versus Non-hosted VMM
• Hosted has 3 advantages [1]
– VMM is no harder to install than any other
application
– The VMM can use the host OS scheduler,
pager, etc. and focus primarily on isolation
– I/O support is better: the VMM can use the
device drivers that are designed to work with
the host OS rather than having to provide its
own.
Hosted versus Non-hosted VMM
• Disadvantage [1]
– I/O overhead is “greatly increased”: requests
go from guest OS to VMM to host OS and
down eventually to the device driver.
– Too much for servers
• More difficult to provide complete isolation,
so not appropriate for servers from a
security perspective.
Virtual Machines - Examples
• Xen is an open-source VM system for PCs
• Designed to support execution of Linux,
BSD Unix, Windows simultaneously on the
same platform
• Objective of original project: efficient
hosting of up to 100 virtual machines
• XenSource, Inc. provides products based
on Xen and recently entered the server
market in a big way.
Denali
• Problem addressed: hosting Internet
services economically
• Goal: to allow new services to be hosted on
third-party servers.
– Requires assurances that one server won’t
interfere with another.
– Encapsulation of VMM model very important
Isolation Kernel
• “An OS structure for isolating untrusted
software services”
• Based on 4 principles:
– Expose low-level resources rather than high-level abstractions
– Prevent direct sharing by exposing only
private, virtualized namespaces
• Keeps one VM from “… even naming the
resources of another VM, let alone modifying
them”. [4]