Bibliography
1. Virtual Machine Monitors: Current Technology And Future Trends, Mendel Rosenblum and Tal Garfinkel, IEEE Computer, May 2005.
2. Xen and the Art of Virtualization, P. Barham, R. Dragovic, K. Fraser, S. Hand, T. Harris, A Ho, R. Neugebauer, I. Pratt, A. Warfield, SOSP 03.
3. The Definitive Guide to the Xen Hypervisor, David Chisnall, Prentice Hall, 2008.
4. Scale and Performance in the Denali Isolation Kernel, Andrew Whitaker, Marianne Shaw, and Steven D. Gribble, in System Design and Implementation (OSDI), Boston, MA, Dec. 2002.
5. Xen Homepage: http://www.cl.cam.ac.uk/research/srg/netos/xen/
Outline
Overview
What is a virtual machine?
What is a virtual machine monitor (VMM)?
System or application virtual machines
A Formal Definition
The environment in which a hosted operating system runs, providing the abstraction of a dedicated machine. A virtual machine may be identical to the underlying hardware (full virtualization) or it may differ slightly (paravirtualization).
www.linuxtopia.org/online_books/linux_virtualization/xen_3.0_user_guide/linux_virualization_xen_user_78.html
[Figure: three virtual machines (VM1, VM2, VM3), each running an application on its own guest OS (Guest OS1, Guest OS2, Guest OS3).]
Sometimes a virtual machine monitor is installed on an existing operating system. More about this later.
[Figure: VM1, VM2]
Separation of powers:
Virtual machine interacts with user applications
Virtual machine monitor manages hardware resources
Encapsulation
The software state of a virtual machine isn't dependent on the underlying hardware. Rosenblum and Garfinkel [1] point out that this makes it possible to suspend and resume entire virtual machines and even move them to other platforms:
For load balancing
For system maintenance
Etc.
Servers
Conventionally, servers run on dedicated machines.
Protects against another server/application crashing the OS
But wasteful of hardware resources
VMM technology makes it possible to support multiple servers, each running on its own VM, on a single hardware platform.
Desirable Qualities
A good VMM
Doesn't require applications to be modified
Doesn't severely affect performance
Is not complex/error prone
Implementation Issues
Enforce VMM control of hardware by preventing guest OS from executing privileged instructions.
Virtualize CPU
Virtualize memory
CPU Virtualization
Basic technique: direct execution
The virtual machine executes on the real machine, but the VMM exercises control over privileged instructions
VMM runs in privileged (kernel) mode. Guest OS executes all its code, privileged and unprivileged, in user mode.
If the guest OS tries to execute a privileged instruction, the CPU traps to the VMM, which executes the privileged operation.
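The trap path described above, as an added example that is not part of the original slides. It uses a constructed toy instruction set (OP_ADD, OP_CLI, OP_STI) and hypothetical names throughout; the VMM applies a trapped instruction to per-VM virtual state, so the guest never changes the real interrupt flag.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed toy model, not a real ISA: OP_ADD is unprivileged,
 * OP_CLI/OP_STI (interrupts off/on) are privileged. */
enum op   { OP_ADD, OP_CLI, OP_STI };
enum mode { MODE_KERNEL, MODE_USER };

struct hw_cpu { bool intr_enabled; long acc; };   /* real CPU state */
struct vcpu   { bool virt_intr_enabled; };        /* per-VM state kept by the VMM */

/* Hardware: executes one instruction; returns true if it trapped. */
static bool cpu_exec(struct hw_cpu *hw, enum mode m, enum op o)
{
    if (o == OP_ADD) { hw->acc++; return false; }
    if (m == MODE_USER) return true;      /* privileged op in user mode: trap */
    hw->intr_enabled = (o == OP_STI);     /* only kernel-mode code gets here */
    return false;
}

/* VMM trap handler: applies the effect to the VM's virtual CPU only. */
static void vmm_emulate(struct vcpu *v, enum op o)
{
    if (o == OP_CLI) v->virt_intr_enabled = false;
    if (o == OP_STI) v->virt_intr_enabled = true;
}

/* Direct execution: all guest code, kernel included, runs in user mode.
 * Returns the number of traps taken. */
static int run_guest(struct hw_cpu *hw, struct vcpu *v, const enum op *code, size_t n)
{
    int traps = 0;
    for (size_t i = 0; i < n; i++) {
        if (cpu_exec(hw, MODE_USER, code[i])) {
            traps++;
            vmm_emulate(v, code[i]);
        }
    }
    return traps;
}

int main(void)
{
    const enum op guest_kernel[] = { OP_ADD, OP_CLI, OP_ADD };  /* constructed */
    struct hw_cpu hw = { true, 0 };
    struct vcpu v = { true };
    int traps = run_guest(&hw, &v, guest_kernel, 3);
    /* one trap; the guest sees interrupts off, the real flag stays on */
    return (traps == 1 && !v.virt_intr_enabled && hw.intr_enabled) ? 0 : 1;
}
```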
Protection Rings
Intel chips have 3 protection modes:
0: equivalent to kernel mode; can execute all privileged instructions
1: cannot execute privileged instructions but higher priority than user level
2: where user processes run
Binary Translation
Monitor execution of kernel code and replace non-virtualizable instructions with other instructions
VMware
Paravirtualization
Rewrite portions of the guest OS to delete this kind of instruction; replace with other instructions that are virtualizable.
Paravirtualization affects the guest OS, but not applications that run on it; the API is unchanged.
Binary Translation
Combines direct execution with on-the-fly binary translation (a form of emulation).
When the guest OS executes privileged code, the DBT (dynamic binary translator) replaces non-virtualizable instructions with equivalent code. Paravirtualization changes the source code of a guest OS; binary translation changes the binary code as it executes.
Comparison
Paravirtualization is more efficient, but requires modification to the guest OS
Paravirtualization also allows more efficient interfaces, in some cases
Binary translation is backward-compatible but has some extra overhead of run-time translation the first time an instruction is encountered.
Once translated, code is saved and used again if needed.
Flags to indicate if running in this mode
Will reduce the number of traps and the time to process a trap
Will support direct execution of all instructions
Memory Virtualization
VMM maintains a shadow page table for each virtual machine.
When the guest OS makes an entry in its own page table, the VMM makes the same entry in the shadow table.
Shadow page table points to actual page frame.
The hardware MMU uses the shadow page table when it translates virtual addresses.
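A sketch of the shadow page table bookkeeping described above, added here as an example and not taken from the original slides. All names are hypothetical, the tables are single-level arrays, and the bounds check that refuses entries outside the VM's allotment is an assumption of this sketch.

```c
#include <stdbool.h>
#include <stdint.h>

#define NPAGES   4           /* pages per VM (constructed, tiny on purpose) */
#define UNMAPPED UINT32_MAX

struct vm {
    uint32_t guest_pt[NPAGES];  /* guest's own table: virtual page -> guest "physical" page */
    uint32_t p2m[NPAGES];       /* VMM-private: guest physical page -> real page frame */
    uint32_t shadow[NPAGES];    /* shadow table: virtual page -> real page frame */
};

/* Give the VM NPAGES real frames starting at first_frame; nothing mapped yet. */
static void vm_init(struct vm *vm, uint32_t first_frame)
{
    for (uint32_t i = 0; i < NPAGES; i++) {
        vm->guest_pt[i] = vm->shadow[i] = UNMAPPED;
        vm->p2m[i] = first_frame + i;
    }
}

/* Guest page-table write, intercepted by the VMM. The guest entry is mirrored
 * into the shadow table, translated to a frame this VM owns. Entries naming
 * pages outside the VM's allotment are refused (assumption of this sketch). */
static bool vmm_guest_pte_write(struct vm *vm, uint32_t vpage, uint32_t gpage)
{
    if (vpage >= NPAGES || gpage >= NPAGES)
        return false;
    vm->guest_pt[vpage] = gpage;
    vm->shadow[vpage]   = vm->p2m[gpage];
    return true;
}

/* What the hardware MMU does: it walks only the shadow table. */
static uint32_t mmu_translate(const struct vm *vm, uint32_t vpage)
{
    return vpage < NPAGES ? vm->shadow[vpage] : UNMAPPED;
}

int main(void)
{
    struct vm a, b;
    vm_init(&a, 100);                   /* VM A owns frames 100..103 */
    vm_init(&b, 200);                   /* VM B owns frames 200..203 */
    vmm_guest_pte_write(&a, 0, 2);      /* both guests write the same entry */
    vmm_guest_pte_write(&b, 0, 2);
    /* same guest mapping, different real frames: 102 and 202 */
    return (mmu_translate(&a, 0) == 102u && mmu_translate(&b, 0) == 202u) ? 0 : 1;
}
```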
Challenges
It would make sense to let the virtual machine operating system decide which of its pages to swap out.
VMware's ESX Server uses the concept of a balloon process, running inside the guest OS, as a conduit for pages to be removed [1].
Balloon Process
When the VMM wants to swap out pages from a VM it notifies the balloon process to allocate more memory to itself. In order to get more memory for the balloon process, the guest OS must page out unused portions of other processes to its virtual disk. The VMM now knows which pages the guest OS thinks it can do without.
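The balloon sequence above as a small simulation, added here as an example and not taken from the original slides or from ESX Server. Page states and function names are hypothetical, and the guest refusing to give up hot pages is a simplification of this sketch.

```c
#include <stdbool.h>

#define NPAGES 6   /* guest "physical" pages (constructed, tiny on purpose) */

enum state { PG_FREE, PG_IDLE, PG_HOT, PG_BALLOON };  /* IDLE/HOT: process pages */

struct guest {
    enum state page[NPAGES];
    int paged_out;            /* pages written to the guest's virtual disk */
};

/* Guest OS allocator serving the balloon process: use a free page if there
 * is one, otherwise page out an idle process page. The guest, not the VMM,
 * picks the victim. Returns the page number or -1. */
static int guest_alloc_for_balloon(struct guest *g)
{
    for (int want = PG_FREE; want <= PG_IDLE; want++)
        for (int i = 0; i < NPAGES; i++)
            if (g->page[i] == (enum state)want) {
                if (want == PG_IDLE) g->paged_out++;
                g->page[i] = PG_BALLOON;
                return i;
            }
    return -1;                /* only hot pages left: refuse (simplification) */
}

/* VMM: ask the balloon to grow by n pages, then take back the real frames
 * behind the pages it now holds. Returns the number of frames reclaimed. */
static int vmm_inflate(struct guest *g, bool backed[NPAGES], int n)
{
    int reclaimed = 0;
    while (n-- > 0) {
        int p = guest_alloc_for_balloon(g);
        if (p < 0) break;
        backed[p] = false;    /* frame is now free for another VM */
        reclaimed++;
    }
    return reclaimed;
}

int main(void)
{
    struct guest g = { { PG_HOT, PG_IDLE, PG_FREE, PG_HOT, PG_IDLE, PG_HOT }, 0 };
    bool backed[NPAGES] = { true, true, true, true, true, true };
    int got = vmm_inflate(&g, backed, 4);   /* VMM wants 4 frames back */
    /* 3 reclaimed (1 free + 2 idle paged out); hot pages keep their frames */
    return (got == 3 && g.paged_out == 2 && backed[0] && backed[3] && backed[5]) ? 0 : 1;
}
```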
Xen focuses on total isolation of each virtual machine, which means no sharing
More difficult to provide complete isolation, so not appropriate for servers from a security perspective.
Denali
Problem addressed: hosting Internet services economically
Goal: to allow new services to be hosted on third-party servers.
Requires assurances that one server won't interfere with another.
Encapsulation of VMM model very important
Isolation Kernel
An OS structure for isolating untrusted software services Based on 4 principles:
Expose low-level resources rather than high-level abstractions
Prevent direct sharing by exposing only private, virtualized namespaces
Keeps one VM from even naming the resources of another VM, let alone modifying them. [4]