Virtualization Technology Introduction

Argentina Software Pathfinding and Innovation

Intel Corporation
28 July 2008

Introduction

Why is Intel giving this course?

Argentina Software Development Center in Crdoba - Strong investment in developing areas of expertise Software Pathfinding and Innovation - Seeking the next technological move Strategic Area in Virtualization Technology - Evolving expertise in Virtualization Technology - Augment critical mass in this area

Introduction

What are your expectations from this course?

-

Learn about virtualization technology Academia research

- Research in grids, cloud

Planning in participate in an Open Source community from virtualization Business

- Using virtualization in my datacenter - Planning to use it

Introduction

How is this course?

Goal: - Foster virtualization technology, its usages, its capabilities and explore possible research and study projects Audience: - Beginners: provide a guide to start working/researching in Virtualization Technologies - Advanced: solidify concepts and go deep in VMM cases and Hardware assisted Virtualization Course Structure: - Virtualization Technology Introduction - Usages of Virtualization - VMMs / Hypervisors - Hardware Assisted Virtualization - Virtualization Technology Trends

Agenda
Introduction Virtualization yesterday virtualization today Challenges for x86 virtualization Approaches to server virtualization
Host-based server virtualization Full Virtualization Para-virtualization Hardware-assisted Virtualization

Approaches to desktop virtualization

Introduction

What is virtualization?
Virtualization is a broad term (virtual memory, storage, network, etc) Focus for this course: platform virtualization Virtualization basically allows one computer to do the job of multiple computers, by sharing the resources of a single hardware across multiple environments Virtual Virtual
Container
App. A App. B App. C App. D App. A App. B

Container
App. C App. D

Operating System

Virtualization Layer

Hardware

Hardware

Nonvirtualized system A single OS controls all hardware platform resources

Virtualized system It makes it possible to run multiple Virtual Containers on a single physical platform

Introduction

Virtualization Requirements
Popek and Goldberg describe in their Formal Requirements for Virtualizable Third Generation Architectures 1974: A Model of Third Generation Machines
Machine states: S = (E, M, P, R) Instructions classification Privileged instructions Control sensitive instructions Behavior sensitive instructions

Properties for a Virtual Machine Monitor

Equivalence Resource control Efficiency

Formal analysis described through 2 theorems

Introduction

The VMM and the VM

Equivalence Resource Control Efficiency Privileged instructions Control sensitive Behavior sensitive

For any conventional third generation computer, a VMM may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions A conventional third generation computer is recursively virtualizable if it is virtualizable and a VMM without any timing dependencies can be constructed for it.

The evolution of virtualization

Evolution of Virtualization

How did it start?

Server virtualization has existed for several decades
IBM pioneered more than 30 years ago with the capability to multitask

The inception was in specialized, proprietary, high-end server and mainframe systems By 1980/90 servers virtualization adoption initiated a reduction
Inexpensive x86 hardware platforms Windows/Linux adopted as server OSs

Evolution of Virtualization

Computing Infrastructure 2000

1 machine 1 OS several applications Applications can affect each other Big disadvantage: machine utilization is very low, most of the times it is below than 25%
App App App App App App App App

X86 Windows XP

X86 Windows 2003

X86 Suse

X86 Red Hat

12% Hardware Utilization

15% Hardware Utilization

18% Hardware Utilization

10% Hardware Utilization

Evolution of Virtualization

Virtualization again
x86 server deployments introduced new IT challenges: Low server infrastructure utilization (10-18%) Increasing physical infrastructure costs (facilities, power, cooling, etc) Increasing IT management costs (configuration, deployment, updates, etc) Insufficient failover and disaster protection
The solution for all these problems was to virtualize x86 platforms

Evolution of Virtualization

Computing Infrastructure - Virtualization

It matches the benefits of high hardware utilization with running several operating systems (applications) in separated virtualized environments
Each application runs in its own operating system Each operating system does not know it is sharing the underlying hardware with others
App. A

App. B

App. C

App. D

X86 Windows XP

X86 Windows 2003

X86 Suse Linux

X86 Red Hat Linux

X86 Multi-Core, Multi Processor

70% Hardware Utilization

Challenges for x86 virtualization

x86 virtualization challenge

Challenges of x86 virtualization

The IA-32 instruction set contains 17 sensitive, unprivileged instructions:

Sensitive register instructions: read or change sensitive registers and/or memory locations such as a clock register or interrupt registers: SGDT, SIDT, SLDT, SMSW, PUSHF, POPF Protection system instructions: reference the storage protection system, memory or address relocation system: LAR, LSL, VERR, VERW, POP, PUSH, CALL, JMP, INT n, RET, STR, MOV

However, x86 is a really big candidate to be virtualized, mainly for business facts

x86 modes: Privilege Levels

Challenges of x86 virtualization

x86 processors segment-protection mechanism recognizes 4 privilege levels (0-high, 3-low level) unused Recognizes the following three types of privilege levels:
Current privilege level (CPL) Descriptor privilege level (DPL) Requested privilege level (RPL)

x86 virtualization challenge example: reading Segment Descriptors

Challenges of x86 virtualization

x86 Code Segment and Stack Segment registers: The upper 14 bits of these registers contain the segment index and descriptor table selector. Lower 2 bits of CS and SS registers contains the CPL (Current Privilege Level). Instructions that explicitly or implicitly access the CS/SS selector (including CALL, MOV from SS and POP SS) do not trap when executed from user mode. Executing POP SS the guest OS will be aware that it is not running on a privileged level when in ring 1 The Equivalence Property could be violated The Resource Control property is violated

X86 virtualization challenge example: reading Segment Descriptors (segment details)

Challenges of x86 virtualization

x86 virtualization challenge example (2)

Challenges of x86 virtualization

GDT, LDT, IDT and TR: For correct virtualization, these tables should be shadowing (the TR, GDTR, IDTR registers should point to VMMs shadow tables) Non privileged code can read from these registers (that means that reading these registers do not trap) The Equivalence Property could be violated

Table 2-2. Summary of System Instructions - Software Developers Manual Vol 3A

Approaches to server virtualization

Evolution of Software solutions

1st Generation: Full 2nd Generation: virtualization Paravirtualizatio (Binary rewriting) n
Software Based VMware and Microsoft
Virtual Machine Virtual Machine

Server virtualization approaches

Cooperative virtualization Modified guest VMware, Xen

VM

3rd Generation: Silicon-based (Hardware-assisted) virtualization

Unmodified guest VMware and Xen on virtualization-aware hardware platforms
Virtual Machine Virtual Machine

Dynamic Translation

Hypervisor

VM

Operating System

Hypervisor

Hardware

Hardware

Hardware

Time

Virtualization Logic

Full Virtualization
1st Generation offering of x86/x64 server virtualization Dynamic binary translation
The emulation layer talks to an operating system which talks to the computer hardware The guest OS doesn't see that it is used in an emulated environment

Server virtualization approaches

Virtual Machine

App. C

App. B

Guest OS

Device Drivers

Emulated Hardware

All of the hardware is emulated including the CPU Two popular open source emulators are QEMU and Bochs

Device Drivers

Host OS

Hardware

App. A

Full Virtualization - Advantages

Server virtualization approaches

The emulation layer

Isolates VMs from the host OS and from each other Controls individual VM access to system resources, preventing an unstable VM from impacting system performance

Total VM portability
By emulating a consistent set of system hardware, VMs have the ability to transparently move between hosts with dissimilar hardware without any problems
It is possible to run an operating system that was developed for another architecture on your own architecture A VM running on a Dell server can be relocated to a HewlettPackard server

Full Virtualization - Drawbacks

Server virtualization approaches

Hardware emulation comes with a performance price In traditional x86 architectures, OS kernels expect to run privileged code in Ring 0
However, because Ring 0 is controlled by the host OS, VMs are forced to execute at Ring 1/3, which requires the VMM to trap and emulate instructions

Due to these performance limitations, paravirtualization and hardware-assisted virtualization were developed
Application Guest OS Virtual Machine Monitor Ring 3

Ring 1 / 3

Application

Ring 3 Ring 0

Operating System

Ring 0

Traditional x86 Architecture

Full Virtualization

Para-Virtualization
The Guest OS is modified and thus run kernel-level operations at Ring 1 (or 3)
the guest is fully aware of how to process privileged instructions thus, privileged instruction translation by the VMM is no longer necessary The guest operating system uses a specialized API to talk to the VMM and, in this way, execute the privileged instructions
Virtual Machine

Server virtualization approaches

App. C

App. B

Virtual Machine Monitor

Guest OS

Device Drivers

Specialized API

The VMM is responsible for handling the virtualization requests and putting them to the hardware

Device Drivers Hypervisor

Hardware

App. A

Para-Virtualization

Server virtualization approaches

Today, VM guest operating systems are paravirtualized using two different approaches:
Recompiling the OS kernel Paravirtualization drivers and APIs must reside in the guest operating system kernel You do need a modified operating system that includes this specific API, requiring a compiling operating systems to be virtualization aware Some vendors (such as Novell) have embraced paravirtualization and have provided paravirtualized OS builds, while other vendors (such as Microsoft) have not Installing paravirtualized drivers In some operating systems it is not possible to use complete paravirtualization, as it requires a specialized version of the operating system To ensure good performance in such environments, paravirtualization can be applied for individual devices For example, the instructions generated by network boards or graphical interface cards can be modified before they leave the virtualized machine by using paravirtualized drivers

Hardware-assisted virtualization
The guest OS runs at ring 0 The VMM uses processor extensions (such as Intel-VT or AMD-V) to intercept and emulate privileged operations in the guest Hardware-assisted virtualization removes many of the problems that make writing a VMM a challenge The VMM runs in a more privileged ring than 0, a virtual -1 ring is created

Server virtualization approaches

Virtual Machine

App. C

App. B

Specialized API
Virtual Machine Monitor

Guest OS

Device Drivers

Device Drivers

Hypervisor

Hardware

App. A

Hardware-assisted virtualization

Server virtualization approaches

The hypervisor/VMM runs at Ring -1

super-privileged mode

VMX non-root

VMX root

Hardware-assisted virtualization
Pros

Server virtualization approaches

It allows to run unmodified Oss (so legacy OS can be run without problems)

Cons
Speed and Flexibility An unmodified OS does not know it is running in a virtualized environment and so, it cant take advantage of any of the virtualization features It can be resolved using paravirtualization partially

Approaches to desktop virtualization

Extending the concept of virtualization for desktops

Servers
Hosted virtualization - mainframes VMMs / Bare Metal hypervisors OS virtualization

Client virtualization approaches

Desktops
Desktop virtualization Server-side workspace virtualization Client-side workspace virtualization

Application virtualization
Application isolation Application streaming

Desktop Virtualization

Desktop virtualization approaches

A VMM or hypervisor running on a physical desktop Examples include:

Microsoft Virtual PC Parallels Desktop for Mac VMware Fusion WINE. Emulating Windows games on the Macintosh, Testing code inside VMs Underpinning client-side workspace virtualization

Use cases include:

Desktop hypervisors and VMMs dont necessarily scale to meet enterprise needs; thats why most of the providers have server products as well

Server-side workspace virtualization

Desktop virtualization approaches

A workspace (desktop operating system with custom configuration) running inside a virtual machine hosted on a server Examples include:
VMware VDI Centrally managed desktop infrastructure Security enforcement and lockdown

Use cases include:

A pool of virtual workspaces resides on the server. Remote users log into them from any networked device via Microsofts Remote Desktop Protocol (RDP) Users can customize their virtual workspace to their hearts content, while operators enjoy the relatively straightforward task of managing desktop configuration on one central server Connection brokers arbitrate between a pool of virtual workspaces residing on a central server The biggest problem with server-hosted workspace virtualization is that its a bandwidth hog. Performance is constrained by the performance of your network

Client-side workspace virtualization

A workspace (desktop operating system with custom configuration) running inside a virtual machine hosted on a desktop Examples include:
Kidaro Managed Workspace Sentillion vThere Secure remote access Protection of sensitive data for defense, healthcare industries Personal computer running corporate desktops remotely

Desktop virtualization approaches

Use cases include:

A virtual workspace is served out to execute on the client device Centralizes management Its big advantage over other models is the security and isolation of data and logic on the client Its the right model for organizations that need to ensure the security of environments served to remote users
Defense contractors Healthcare providers

Application Isolation
An application packaged with its own virtual copies of the operating system resources it might otherwise need to change (registries, file systems, libraries) Examples include:
Thinstall Trigence Preventing DLL hell Sandboxing desktop applications for secure execution

Desktop virtualization approaches

Use cases include:

Applications use a virtual registry (Thinstall) and file system embedded in the package with the application
These extra tools insulate applications from changes to and incompatibility with the underlying desktop operating system

Mostly in Windows, although Linux and Solaris as well Drawback: increased footprint of the application package and the correspondingly greater memory requirements

Application Streaming
Just-in-time delivery of a server-hosted application to the desktop, such that the desktop application can execute before the entire file has been downloaded from the server Examples include:
AppStream Microsoft SoftGrid Managing the number of instances of running applications, in the case of license constraints

Desktop virtualization approaches

Use cases include:

Superset of Application Isolation, including a delivery method and an execution mode

You stream the application code to the desktop, where it runs in isolation

No full PC environment, just the application, so you have to provide a workspace

Requires to maintain the client-side operating system and ensuring compatibility. This may be why application streaming, which has been around for a long time (AppStream has already raised over $50m in venture capital), has not really lived up to its early hype.

Periodic table of Virtualization

Extracted from Virtualization II: Desktops and applications are next the 451 group

Day wrap-up
Requirements for HW Architecture Virtualization Popek and Goldberg Evolution for virtualization: from mainframes to x86 architecture due to business reasons Challenges around x86 virtualization -> ISA doesnt comply with P&G Server virtualization approaches
Full Virtualization Paravirtualization Hardware Assisted Virtualization

Client virtualization approaches

Desktop virtualization Server-side workspace virtualization Client-side workspace virtualization

Application virtualization
Application isolation Application streaming

Questions?

Backup

References
http://en.wikipedia.org/wiki/Platform_virtualization http://en.wikipedia.org/wiki/Popek_and_Goldberg_virtualization_requirements http://www.vmware.com/virtualization/ http://www.vmware.com/overview/history.html Formal Requirements for Virtualizable Third Generation Architectures 1974 Popek (UCLA) and Goldberg (Honeywell Information Systems and Harvard University) Virtualization II: Desktops and applications are next the 451 group

Contacts
Argentina Software Pathfinding and Innovation team from Virtualization Technology: Guillermo Colsani: [email protected] Gisela Giusti: [email protected] Pablo Pssera: [email protected] Duilio Protti: [email protected]