Document Sample
Virtualization Powered By Docstoc
                    Presented by: Prof Mark Baker

                      SSE, University of Reading
                         Tel: +44 118 378 8615


22th August 2010  
                     Virtual Systems

Type of System         VM Based                   Web Site

Open Source            Xen              


                       Virtual Box      

Commercial Systems     VMWare           


                       IBM - z/VM       

22th August 2010
                   Virtualization Systems

22th August 2010
              Advantages of Virtualization

• Zero downtime maintenance,
• Freedom from vendor-imposed upgrade cycles,
• Instant provisioning,
• Pooling hardware resource,
• Virtual hardware supports legacy operating systems
• Dynamic resource sharing,
• Security and fault isolation,
• Business continuity, backups, and automated restoration,

    22th August 2010
                   Virtual Machines
• Cloud computing is a model for enabling convenient,
  on-demand network access to a shared pool of
  configurable computing resources:
   • e.g., networks, servers, storage, applications, and
• Which can be rapidly provisioned and released with
  minimal management effort or service provider
• The cloud model promotes availability and is composed
  of five essential characteristics, three service
  models, and deployment models.

22th August 2010

22th August 2010
                   Abstraction Levels
• Operating System Level:
     –   Many different operating systems,
     –   Virtualized SysCall Interface,
     –   Provide all the device abstractions,
     –   Easy to manipulate (create, configure, destroy),

• Library Level:
     – Various API for applications,
     – Builder libraries that are needed,
     – User-level device drivers,

• Application Level:
     – Old and new applications,
     – Virtual architecture (memory, CPU, storage …),
     – Platform-independence (portable).

22th August 2010 
                     Cloud Service Models
• Cloud Software as a Service
    – The capability provided to the
      consumer is to use the provider’s
      applications running on a cloud
      infrastructure, which is accessible
      from various client devices, such as
      a Web browser.
    – The consumer does not manage or
      control the underlying cloud
      infrastructure, or even individual
      application capabilities, with the
      possible exception of initial user-
      specific application configuration

 22nd August, 2010
                    Cloud Service Models
• Cloud Platform as a
  Service (PaaS):
     – The consumer deploys their
       the applications onto the
       cloud using programming
       languages and tools
       supported by the provider,
       such as Java, python, and
     – The consumer does not
       manage/control the
       underlying cloud
       infrastructure, but has
       control over the deployed
       applications and possibly
       application hosting
       environment configurations.
22nd August, 2010
                    Cloud Service Models
 • Cloud Infrastructure as a Service
       – The capability is provided to the
         consumer, who can use processing,
         storage, networks, and resources.
       – The consumer is able to deploy and
         run arbitrary software, which can
         include an operating systems and
       – The consumer does not manage or
         control the underlying cloud
         infrastructure; they have control
         over operating systems, storage,
         deployed applications, and possibly
         select networking components, e.g.,
         firewalls, load balancers.

22nd August, 2010
                   Why Virtualize
• Consolidate IT infrastructure,
• Improve QoS and SLA plus logging,
• Potentially reduce energy costs,
• Provide more reliable working environment for
  development and testing,
• Ease replication of environments,
• Partition applications to get security, reliability and

22th August 2010
               Virtualization benefits
• Potential financial savings,
• Logistic benefits – run various OSes, plus libraries,
  and new and old applications.
• Live migration of virtual machines,
• Security through partitioning,
• May be a faster to set up,
• Overheads based on virtualization (15 – 20%),
• SLAs, QoS, and Logging,
• Increased control and convenience.

22th August 2010
                   Platform Virtualization
• Application Virtualization:
   – Running a desktop or server application locally,
     using local resources, using a virtual machine.
   – This is in contrast with running the application as
     conventional local software, i.e. software that has
     been “installed” on the system.
   – A virtualized application runs in a small virtual
     environment containing registry entries, the
     components needed to execute – such as, files,
     environment variables, user interface elements,
     and global objects.
   – This virtual environment acts as a layer between
     the application and the operating system, and
     eliminates application conflicts and application-OS

22th August 2010
                    Resource Virtualization
• Computer clusters, grid computing, and virtual servers
  use the above techniques to combine multiple discrete
  computers into larger metacomputers.
• Partitioning is the splitting of a single resource, such as
  disk space or network bandwidth, into a number of
  smaller, or more easily utilised resources of the same
   – This is sometimes also called zoning, especially in storage
• Encapsulation hides the resource complexity by the
  creation of a simplified interface.
• CPUs often incorporate cache memory or pipelines to
  improve performance, but these elements are not
  reflected in their virtualized external interface.
• Similar virtualized interfaces hiding complex
  implementations are found in disk drives, modems,
  routers, and many other smart devices.
 22th August 2010
            Platform Virtualization
• The creation of a virtual machine is a combination of
  hardware and software that is referred to as platform
• Platform virtualization is performed on a given
  hardware platform by host software that creates a
  simulated computer environment (a virtual machine)
  for its guest software.
• The guest software, which is often itself a complete
  operating system, runs just as if it were installed on a
  stand-alone hardware platform.
• Typically, many such virtual machines are simulated on
  a given physical machine.
• For the guest system to function, the system must be
  robust enough to support all the guest system's
  external interfaces, which depends on the type of
  virtualization that may include hardware drivers.
22th August 2010
                    Platform Virtualization
• There are several approaches to platform virtualization.
• The following terms are not universally-recognised as
  such, but the underlying concepts are all found in the
   – The virtual machine simulates the complete hardware, allowing an
     various guest OSes to be run.
   – This approach has long been used to enable the creation of
     software for new processors before they were physically
   – Examples include VMWare, Xen, KVM, and VirtualBox, and so on…
   – Emulation is implemented using a variety of techniques, from
     state machines to the use of dynamic recompilation on a full
     virtualization platform.

 22th August 2010
 Making Cloud Computing a Reality requires

Integrated virtualization                         Simplified IT infrastructure,
and management with             Services          reduced complexity and
optimised systems and                             management through the
networks to break the                             creation of large, consistent
lock between IT resources                         pools of resources that are
and business services                             managed as one.

                       Autonomic Management
            Software                                      Hardware

      Autonomic management methods for both application and
  infrastructure services to meet user needs and expectations for
                 delivery of high quality of service
22th August 2010  
• Clouds use Paravirtualization.
• Paravirtualization is a technique where the guest operating
  system is modified in order to enable coordination
  between virtual machines and the Hypervisor.
• The Hypervisor provides a different interface to the
  underlying hardware resources for the guest operating
  system – binary, which provides better performance.
• This interface enables the guest operating system to
  directly access various parts of the hardware resource.
• The instructions, which cannot be run directly by the
  guest operating system, must go through the Hypervisor.

  22th August 2010
• The Para-virtualization model requires a split driver
  model in order to allow guest operating system access
  some part of the hardware directly.
• In the general the architecture of split driver model,
  the guest operating system device drivers are provided
  with the different hardware interfaces for the
  physical resources.
• This architecture enables the device drivers in the
  guest operating system to run virtualizable hardware
  instructions directly on the hardware; where there are
  non-virtualizable hardware instructions are sent to the

22th August 2010
• This coordination between guest operating system and
  host operating system device drivers reduces the
  performance overhead because only few instructions
  from guest operating system device drivers are
  translated by the hypervisor.
• This split driver model has been implemented in
  different ways by of the Paravirtualization system.
• The modifications to the guest operating system kernel
  are necessary to enable Paravirtualization in X86
• The modification in the kernel makes it aware of the
  fact that it is running in virtualized environment.

22th August 2010
• In the X86 architecture, there are four different
  privileged level zones.
• These zones are available to the operating system and
  applications in order to gain access to underlying
• These zones are known as Rings in hardware terminology.
• The operating system runs in the most privileged Ring.
• The hardware instructions have different contexts and
  semantics when issued from different privileged zone.
• The Paravirtualization technique runs virtualizable
  instructions directly on the hardware and non-
  virtualizable instructions are sent to the Hypervisor

 22th August 2010
• The Paravirtualization technique is much more efficient
  than emulation, because only non-virtualizable
  instructions involve the Hypervisor,
• Whereas virtualizable instructions are executed directly
  on the physical hardware by the guest operating system.

 22th August 2010
• Paravirtualization is a process where the
  guest operating system is modified to run in
  parallel with other modified systems.
• It is designed to execute on a virtual machine
  that has a “similar” architecture to the
  underlying machine.

     – Pros:
          • Can allow for improved performance,

     – Cons:
          • The operating system must undergo modifications before
            it can be hosted by the Hypervisor (this can be a bit of a

22th August 2010 
                   The Hypervisors
• The Hypervisors:
   – This provides underpinnings for virtualization
       • Policy based virtualization,
       • Storage via a Virtual hard disk,
       • Life cycle management,
       • Live Migration,
       • Real-time resource allocation.
   – Allocate system's CPU, memory and other resources
     needed by the operating system.
   – Multiple OS run securely on the same CPU and
     increase the CPU virtualization

22th August 2010
                 Machine Virtualization

         Virtual Machine 1                     Virtual Machine n

   AppA          AppB          AppC            AppD       AppE       AppF

         Guest Operating System                  Guest Operating System

     Virtual Resources                           Virtual Resources
    CP                                                       Memor        Ne
             Disk   Memory        Net          CPU    Disk
    U                                                          y           t

                        Virtual Machine Monitor (VMM)

                          CP                      Memor
Physical Resources        U             Disk        y
      Linux-related virtualization projects

Project               Type                         License
Bochs                 Emulation                    LGPL
QEMU                  Emulation                    LGPL/GPL
VMware                Full virtualization          Proprietary
IBM z/VM              Full virtualization          Proprietary
Xen                   Paravirtualization           GPL
UML                   Paravirtualization           GPL
Linux-VServer         Operating system-level GPL
OpenVZ                Operating system-level GPL

   22th August 2010
         Meeting the Needs of Business

Infrastructure                Business Continuity        Software Lifecycle          Virtual Clients and
Optimisation                                             Automation                  Desktops

Deploy virtual machines       Keep systems up and        Leverage assets and speed   Secure unmanaged PCs
that run safely and move      running through simple,    software development by     while retaining end-user
transparently across          reliable data protection   automating the setup,       autonomy by layering
shared hardware.              and pervasive failover     sharing and storage of      a security policy in
                              protection.                multi-machine               software around desktop
>   Consolidate servers                                  configurations.             virtual machines.
                              >   Reduce planned and
>   Reduce data center            unplanned downtime                                 >   For enterprises
    operating costs: real                                >   Rapidly provision
                                                                                         and end users
    estate, power, cooling    >   Reduce cost and            machines
                                  complexity of high                                 >   Improve security
    Includes the industry’s       availability           >   Improve software
                                                                                         and mobility
    most widely deployed                                     quality
    Virtualization            >   Simplify disaster
    Infrastructure suite          recovery

22th August 2010                 
       Hardware support for full
  virtualization and paravirtualization
• Intel is producing new virtualization technologies that
  supports hypervisors for both the x86 (VT-x) and
  Itanium (VT-i) architectures.
• The VT-x supports two new forms of operation:
     – one for the VMM (root),
     – one for guest operating systems (non-root).
• The root form is fully privileged, while the non-root
  form is deprivileged (even for ring 0).
• The architecture also supports flexibility in defining
  the instructions that cause a VM (guest operating
  system) to exit to the VMM and store off processor

22th August 2010
• The Guest OS is modified and thus
  run kernel-level operations at Ring 1

                                                       Virtual Machine

                                                                          Guest OS

                                                                                     App. C

                                                                                              App. B
  (or 3):

                                                                                                       App. A
   – The guest is fully aware of how to process                                      Device Drivers
     privileged instructions.
   – Thus, privileged instruction translation by the
     VMM is no longer necessary.                                         Specialized API

   – The guest operating system uses a specialised         Virtual Machine Monitor
     API to talk to the VMM and, in this way,
     execute the privileged instructions.
• The VMM is responsible for handling
                                                                               Device Drivers

  the virtualization requests and

  putting them to the hardware

  22th August 2010 
• The VM guest operating systems are paravirtualized using two
  different approaches:
   – Recompiling the OS kernel:
       • Paravirtualization drivers and APIs must reside in the guest
         operating system kernel,
       • A modified operating system that includes this specific API,
         requiring a compiling operating systems to be virtualization
   – Installing paravirtualized drivers:
       • In some operating systems it is not possible to use complete
         paravirtualization, as it requires a specialised version of the
         operating system,
       • To ensure good performance in such environments,
         paravirtualization can be applied for individual devices,
       • The instructions generated by network boards or graphical
         interface cards can be modified before they leave the
         virtualized machine by using paravirtualized drivers.
  22th August 2010
  Hardware support for full virtualization
                   and paravirtualization
• AMD is also producing hardware-assisted
  virtualization technology, under the name Pacifica.
• Among other things, Pacifica maintains a control block
  for guest operating systems that are saved on
  execution of special instructions.
• The VMRUN instruction allows a virtual machine (and
  its associated guest operating system) to run until
  the VMM regains control, which is also configurable.
• The configurability allows the VMM to customize the
  privileges for each of the guests.
• Pacifica also amends address translation with host
  and guest memory management unit (MMU) tables.

22th August 2010
Linux KVM (Kernel Virtual Machine)
• The most recent news out of Linux is the
  incorporation of the KVM into the Linux kernel.
• KVM is a full virtualization solution that is unique in
  that it turns a Linux kernel into a hypervisor using a
  kernel module.
• This module allows other guest operating systems to
  then run in user-space of the host Linux kernel (see
  Figure in the next slide).
• The KVM module in the kernel exposes the virtualized
  hardware through the /dev/kvm character device.
• The guest operating system interfaces to the KVM
  module using a modified QEMU process for PC
  hardware emulation.

22th August 2010
  Linux KVM (Kernel Virtual Machine)
• The KVM module introduces a new execution mode into
  the kernel.
• Where vanilla kernels support kernel mode and user
  mode, the KVM introduces a guest mode.
• The guest mode is used to execute all non-I/O guest
  code, where normal user mode supports I/O for guests.
• The introduction of the KVM is an interesting evolution
  of Linux, as it represents the first virtualization
  technology that is part of the mainline Linux kernel.
• It exists in the 2.6.20 tree, but can be used as a kernel
  module for the 2.6.19 kernel.
• When run on hardware that supports virtualization,
  Linux (32-and 64-bit) and Windows (32-bit) guests are
22th August 2010
                   Virtualization Examples
• Portable applications - The Microsoft Windows
  platform has a well-known issue involving the creation
  of portable applications, needed, when running an
  application from a removable drive, without installing
  it on the system's main disk drive.
• This is a particular issue with USB drives.
  Virtualization can be used to encapsulate the
  application with a redirection layer that stores
  temporary files, Windows Registry entries, and other
  state information in the application's installation
  directory – and not within the system's permanent
  file system.
• It is unclear whether such implementations are
  currently available.

22th August 2010
                   Virtual Infrastructure

• All data centre resources can be virtualized to create a
  Virtual Infrastructure.
• The components described in the chart below provide
  the foundation to create virtual servers.
• A virtual server consists of 32 or 64-bit CPUs, memory,
  disks, network adapters, fibre channel adapters,
  keyboard, video, and mouse.
• A virtual server can run standard Linux and Windows
  operating systems and applications.

22th August 2010
                   Virtual Infrastructure
Physical Resource                       Virtual Infrastructure

Industry standard Intel and AMD         A Virtualized Node consists of a
servers upon which the                  collection of CPUs and RAM that can be
virtualization layer is automatically   allocated to a virtual server

Each server can have multiple           Virtual servers connect through virtual
gigabit Ethernet cards (NICs) to        NICs to physical or virtual networks
provide required throughput and

iSCSI, SAN and NAS storage              A collection of storage resources can
technologies are used for reliable      be partitioned and allocated to virtual
persistent storage                      servers using raw mappings or virtual
                                        hard disks

22th August 2010    
                    Security Tips
• Some organisations use too much surrounding security
  and end up making their environment slower, more
  difficult and expensive to manage.
• When dealing with the VMs, all of the standard
  procedures should be followed.
• The host systems themselves should often be considered
  appliances, and organisations should limit the amount of
  customised agents and security hacks performed on
  these systems.
• The most common mistakes made with virtual security
  are based on ignorance, lack of knowledge of the Linux
  console, failure to understand how virtual switch
  architecture works, and what the host does not directly
  see in the data in the VM disk files.
 22th August 2010
                     Security Tips
• The same practices that are performed to secure a
  physical environment can, and should, be used in a virtual
  environment as well.
• Everything from proper VLAN/firewall organisation to
  host-based intrusion detection should be leveraged to
  keep the environment secure.
• The more complicated the design and infrastructure, the
  less scalable it will be.

  22th August 2010
                   Scalability Tips

• When designing a virtual infrastructure, one should
  never look at the environment and try to plan one
  large infrastructure for the entire virtualization
• Organize the overall environment into smaller
  groupings of servers and addressed individually.
• When approached this way, at the end of the project,
  a very scalable deployment methodology that uses the
  same principals with a manageable number of servers
  in various phases of the project will be in place

22th August 2010
            Security is the Major Issue

22th August 2010
         General Security Advantages
• Shifting public data to a external cloud reduces the
  exposure of the internal sensitive data.
• Cloud homogeneity makes security auditing/testing
• Clouds enable automated security management
• Redundancy / Disaster Recovery.
• Trusting vendor’s security model.
• Customer inability to respond to audit findings.
• Obtaining support for investigations.
• Indirect administrator accountability.
• Proprietary implementations can’t be examined.
• Loss of physical contro.l
 22th August 2010
          Cloud Security Advantages
•      Data Fragmentation and Dispersal,
•      Dedicated Security Team,
•      Greater Investment in Security Infrastructure,
•      Fault Tolerance and Reliability,
•      Greater Resiliency,
•      Hypervisor Protection Against Network Attacks,
•      Possible Reduction Access to Pre-Accredited Clouds.

22th August 2010
Balancing Threat Exposure and Cost
• Private clouds may have less threat exposure than
  community clouds which have less threat exposure
  than public clouds.
• All else being equal, massive public clouds may be
  more cost effective than large community clouds
  which may be more cost effective than small private
• Strong security controls mean that I can adopt the
  most cost effective approach?

22th August 2010
   Cloud Migration and Cloud Security
• Clouds typically have a single security architecture but
  have many customers with different demands:
   – Clouds should attempt to provide configurable
     security mechanisms.
• Organisations have more control over the security
  architecture of private clouds followed by community
  and then public:
   – This doesn’t say anything about actual security
• Higher sensitivity data is likely to be processed on
  clouds where organisations have control over the
  security model

22th August 2010
                   Putting it Together
• Most clouds will require very strong security controls.
• All models of cloud may be used for differing
  tradeoffs between threat exposure and efficiency.
• There is no one “cloud”. There are many models and

22th August 2010
  Cloud Migration and Cloud Security
• Clouds typically have a single security architecture
  but have many customers with different demands:
   – Clouds should attempt to provide configurable
     security mechanisms.
• Organisations have more control over the security
  architecture of private clouds followed by community
  and then public:
   – This does not say anything about actual security.
• Higher sensitivity data is likely to be processed on
  clouds where organisations have control over the
  security model

22th August 2010
                   Putting it Together

• Most clouds will require very strong security controls.
• All models of cloud may be used for differing
  tradeoffs between threat exposure and efficiency.
• There is no one “cloud”. There are many models and
• How does one choose?

22th August 2010
Migration Paths for Cloud Adoption
• Use public clouds.
• Develop private clouds:
   – Build a private cloud,
   – Procure an outsourced private cloud,
   – Migrate data centers to be private clouds (fully
• Build or procure community clouds:
   – Organization wide SaaS,
   – PaaS and IaaS,
   – Disaster recovery for private clouds.
• Use hybrid-cloud technology:
   – Workload portability between clouds.

22th August 2010
                   Monitoring and Logging
• For the purpose of Service Level Agreement (SLAs),
  it is important to undertake monitoring and logging.
• The users need to know how much resources they are
  paying for, and whether the systems is using the
  resources needed.
• Using VMs, has an overhead of about 15 – 20%.
• Logging resources is also a useful system, that helps
  users know what resources they are using – they can
  examine the logs.

22th August 2010
                   System Monitoring

22th August 2010
                   System Monitoring

22th August 2010
                   Virtual Machines
• Using VMs has many possibilities.
• Paravirtualization is the most efficient means of
  using VMs.
• Instead of running on bare metal, you run on VMs,
  which potentially has greater use.
• We have compared the benchmarks running
  on bare metal versus the overheads on VMs.
• VMs, also provide the ability to optimise the amount
  of power being used.
• Need to create an architecture that utilises the core
  efficiently, and manages the use of such systems.

22th August 2010

Shared By: