Virtual Machine Monitors

Bibliography
1. 2. 3. 4. Virtual Machine Monitors: Current Technology And Future Trends, Mendel Rosenblum and Tal Garfinkel, IEEE Computer, May 2005 Xen and the Art of Virtualization, P. Barham, R. Dragovic, K. Fraser, S. Hand, T. Harris, A Ho, R. Neugebauer, I. Pratt, A. Warfield, SOSP 03. The Definitive Guide to the Xen Hypervisor, David Chisnall, Prentice Hall, 2008. Scale and Performance in the Denali Isolation Kernel, Andrew Whitaker, Marianne Shaw, and Steven D. Gribble, in System Design and Implementation (OSDI), Boston, MA, Dec. 2002. Xen Homepage: http://www.cl.cam.ac.uk/research/srg/netos/xen/

5.

Outline
Overview
What is a virtual machine? What is a virtual machine monitor (VMM)? System or application virtual machines

History of Virtual Machines Benefits of Virtual Machines Issues and Implementation

What is a Virtual Machine?

Several definitions and implementations. Here, a virtual machine is an isolated environment that appears to be a whole computer, but actually only has access to a portion of the computers resources.

A Formal Definition
The environment in which a hosted operating system runs, providing the abstraction of a dedicated machine. A virtual machine may be identical to the underlying hardware (full virtualization) or it may differ slightly (paravirtualization). www.linuxtopia.org/online_books/linux_virt ualization/xen_3.0_user_guide/linux_viruali zation_xen_user_78.html

What is a Virtual Machine Monitor?

A virtual machine monitor (VMM) is a thin software layer that runs directly on the bare hardware It partitions the computers resources into one or more virtual machines Each virtual machine appears to be running on the bare hardware. End result the appearance of multiple instances of the same computer, but all are supported on a single machine.

Full Virtualization versus Paravirtualization

Full virtualization: each virtual machine runs on an exact copy of the underlying hardware. Paravirtualization: the VMM modifies the underlying hardware somewhat
Because some aspects of the hardware cant be virtualized To present a simpler interface; improve performance.

VM1 Application

VM2 Application

VM3 Application

Guest OS1

Guest OS2

Guest OS3

Virtual machine layer - VMM Hardware layer

Sometimes a virtual machine monitor is installed on an existing operating machine. More about this later.

VM1

VM2

VMM Operating system Hardware layer

VM How They Work

When an application process makes a system call, it is received by its own OS, running (in user mode) on its private virtual machine. When the guest OS tries to execute a privileged instruction, the virtual machine software traps the operation and ensures that it is executed correctly & safely
e.g., when a guest OS appears to execute an I/O system call, the host VM monitor is actually in charge.

Virtualization versus Emulation

Virtualization presents multiple copies of the same hardware system.
Direct execution of code on the hardware

Emulation presents a model of another hardware system

Instructions are emulated in software much slower than virtualization Example: Microsofts VirtualPC can run on other chipsets than the x86 family; used on Mac hardware until Apple adopted Intel chips

System & Process VMs

http://en.wikipedia.org/wiki/Virtual_machine

System virtual machine (hardware virtual machine)

Multiplex the underlying hardware Each VM can run its own OS Each VM is securely isolated from others

Process or application virtual machine

Runs inside a normal OS Provides a platform-independent host for an application For example, the Java Virtual Machine

Virtual Machines Examples

Denali was designed to support Internet services by providing a platform that allows a large number of servers to run on a single server machine. Paravirtualizes x86 architecture to improve performance and scalability Isolation kernel: isolates each server in a virtual machine to reduce the danger of sharing physical resources with untrusted servers.

History - Why VMMs?

Early computers were large (mainframes) and expensive VMM approach allowed the machine to be safely multiplexed among many different applications As an alternative to multiprogramming

Virtual Machines - History

Early example: the IBM 370
VM/370 is the virtual machine monitor As each user logs on, a new virtual machine is created CMS, a single-user, interactive OS was commonly run as the OS

Separation of powers:
Virtual machine interacts with user applications Virtual machine monitor manages hardware resources

History 1980s & 1990s

As hardware got cheaper and operating systems became better equipped to handle multitasking, the original motivation went away. Hardware platforms gradually eliminated hardware support for virtualization. And then

History late 90s to today

Massively parallel processors (MPPs) were developed during the 1990s; they were hard to program and did not support existing operating systems Researchers at Stanford used virtualization to make MPPs look more like traditional machines Result: VMware Inc. supplier of VMMs for commodity hardware

Rationale for VMMs Today

Today, security and encapsulation are the most important reasons for using VMMs VMMs give operating systems developers another opportunity to develop functionality no longer practical in todays complex and ossified operating systems, where innovation moves at a geologic pace. [1]

Example Virtual Machine Systems

VMware: commercial product, derived from research done at Stanford Xen: open source, Cambridge University, widely used in research and academia Denali: University of Washington, focuses on support for Internet services

Reasons for Adopting VMMs

Security and isolation Ability to support several operating systems at the same time Ability to experiment with new operating systems, or modifications of existing systems, while maintaining backward compatibility with existing operating systems.

Security and Isolation

Applications running on a virtual machine are more secure than those running directly on hardware machines.
VMM controls how guest operating systems use hardware resources; what happens in one VM doesnt affect any other VM: by virtualizing all hardware resources, a VMM can prevent one VM from even naming the resources of another VM, let alone modifying them. [4]

Encapsulation
The software state of a virtual machine isnt dependent on the underlying hardware. Rosenblum and Garfinkel [1] point out that this makes it possible to suspend and resume entire virtual machines and even move them to other platforms
For load balancing For system maintenance Etc.

Servers
Conventionally, servers run on dedicated machines.
Protects against another server/application crashing the OS But wasteful of hardware resources

VMM technology makes it possible to support multiple servers, each running on its own VM, on a single hardware platform.

Desirable Qualities
A good VMM
Doesnt require applications to be modified Doesnt severely affect performance Is not complex/error prone

Implementation Issues
Enforce VMM control of hardware by preventing guest OS from executing privileged instructions. Virtualize CPU Virtualize memory

CPU Virtualization
Basic technique: direct execution
The virtual machine executes on the real machine, but the VMM exercises control over privileged instructions

VMM runs in privileged (kernel) mode. Guest OS executes all its code, privileged and unprivileged, in user mode.
If the guest OS tries to execute a privileged instruction the CPU traps to the VMM which executes the privileged operation.

Protection Rings
Intel chips have 3 protection modes:
0: equivalent to kernel mode; can execute all privileged instructions 1: cannot execute privileged instructions but highter priority than user level 2: where user processes run

Normally, only rings 0 and 2 are used.

Xen runs the guest OS in level 1

Example: Disable Interrupts [1]

If a guest OS tries to disable interrupts, the instruction is trapped by the VMM which makes a note that interrupts are disabled for that virtual machine If interrupts arrive for that machine, they are buffered at the VMM layer until the guest OS enables interrupts.

Direct Execution Not Always Possible

Modern CPUs, esp. x86 architectures, have not been designed for virtualization. Example: POPF (pop CPU flags from stack)
If executed in user mode, no trap - just ignore In this case, direct execution fails Guest OS assumes flags have been popped, but they havent

Two Ways to Handle Nonvirtualizable Instructions

Paravitualization
Modify VMM interface to use instructions that can be virtualized Xen, Denali

Binary Translation
Monitor execution of kernel code and replace non-virtualizable instructions with other instructions VMware

Paravirtualization
Rewrite portions of the guest OS to delete this kind of instruction; replace with other instructions that are virtualizable. Paravirtualization affects the guest OS, but not applications that run on it the API is unchanged

Binary Translation
Combines direct execution with on-the-fly binary translation (a form of emulation).
When the guest OS executes privileged code, the DBT (dynamic binary translator) replaces non-virtualizable instructions with equivalent code. Paravirtualization changes the source code of a guest OS; binary translation changes the binary code as it executes.

Comparison
Paravirtualization is more efficient, but requires modification to the guest OS
Paravirtualization also allows more efficient interfaces, in some cases

Binary translation is backward-compatible but has some extra overhead of run-time translation the first time an instruction is encountered.
Once translated, code is saved and used again if needed.

Techniques Hardware Support

AMD and Intel have added extensions to support virtualization.
New execution mode (-1)
Allows guest OS to run in execution ring 0 and VMM in yet a higher privileged mode

Flags to indicate if running in this mode Will reduce the number of traps and the time to process a trap Will support direct execution of all instructions

Memory Virtualization
VMM maintains a shadow page table for each virtual machine. When the guest OS makes an entry in its own page table, the VMM makes the same entry in the shadow table. Shadow page table points to actual page frame
The hardware MMU uses the shadow page table when it translates virtual addresses.

Paging Out the Virtual Machine

The VMM can swap one virtual machine (or parts thereof) to disk and swap in another. Reduces the hardware requirements for a given workload Particularly useful in environments where many servers are required, but only a few are used frequently. (Web services, for ex.)

Challenges
It would make sense to let the virtual machine operating system decide which of its pages to swap out VMwares ESX Server uses the concept of a balloon process, running inside the guest OS, as a conduit for pages to be removed [1].

Balloon Process
When the VMM wants to swap out pages from a VM it notifies the balloon process to allocate more memory to itself. In order to get more memory for the balloon process, the guest OS must page out unused portions of other processes to its virtual disk. The VMM now knows which pages the guest OS thinks it can do without.

Other Virtual Memory Challenges

VMware tracks duplicate pages in different virtual machines
To avoid duplication, it only stores one copy of the actual page with pointers from the shadow page tables in sharing processes. Copy-on-write policy

Xen focuses on total isolation of each virtual machine, which means no sharing

Virtual Machines - Examples

VMware, a publicly held company, has two lines of products:
Desktop : VMware Workstation can run multiple different operating systems on a single PC. Runs in between the virtual machines and the native (host) OS.
VMware Fusion (for Mac-Intel platform)

VMware ESX Server, VMware Server run directly on hardware;

Hosted versus Non-hosted VMM

Hosted has 3 advantages [1]
VMM is no harder to install than any other application The VMM can use the host OS scheduler, pager, etc. and focus primarily on isolation I/O support is better: the VMM can use the device drivers that are designed to work with the host OS rather than having to provide its own.

Hosted versus Non-hosted VMM

Disadvantage [1]
I/O overhead is greatly increased: requests go from guest OS to VMM to host OS and down eventually to the device driver. Too much for servers

More difficult to provide complete isolation, so not appropriate for servers from a security perspective.

Virtual Machines - Examples

Xen is an open-source VM system for PCs Designed to support execution of Linux, BSD Unix, Windows simultaneously on the same platform Objective of original project: efficient hosting of up to 100 virtual machines XenSource, Inc. provides products based on Xen and recently entered the server market in a big way.

Denali
Problem addressed: hosting Internet services economically Goal: to allow new services to hosted on third-party servers.
Requires assurances that one server wont interfere with another. Encapsulation of VMM model very important

Isolation Kernel
An OS structure for isolating untrusted software services Based on 4 principles:
Expose low-level resources rather than highlevel abstractions Prevent direct sharing by exposing only private, virtualized namespaces
Keeps one VM from even naming the resources of another VM, let alone modifying them. [4]