= Virtualization Cloud Computing Prof. Nikita V Mahajan COEP, PuneThe Traditional Server Concept * System Administrators often talk about servers as a whole unit that includes the hardware, the OS, the storage, and the applications. * Servers are often referred to by their function i.e. the Exchange server, the SQL server, the File server, etc. Web Server App Server Windows Linux is GlassfishAnd if something goes wrong ... + If the File server fills up, or the Exchange server becomes overtaxed, then the System Administrators must add in a new server. * System Admins can implement clusters of servers to make them more fault tolerant. However, even clusters have limits on their scalability, and not all applications work in a clustered environment. xy Web Server App Server DB Server EMail us mysaL, ExchanaeTypical Scenario * The Reality: *Most servers only use 5-15% of their capabilities on average, while consuming 60-90% of their peak power uu ees Tie Opirs ew SuzD0un Heb oplcabors | Processes | PaeMarc®| Networking | Users Teta Phys Memary ) andes tess Teal oseseo Treads 23 volte sseo1ee Procesies SL Syitem Cache 1944032 conn charge Kena Manery 0) Teta sro Tota 200376 Lint 52x06 Paped $5700 Peak 1756064 Nerpaoed 104676 Processes: ot CPUUsape 27% Comm Charge: 594M / 5993"A Typical Solution +All of the servers can be installed on the same computer as separate application by sharing the resources * But, a bug in one server that allows an attacker to attain root privileges on that computer, the attacker will have unrestricted access to all three servers * Stronger isolation between applications is a must, especially fault isolation, resource isolation and security isolationIntroduction * According to a 2009 Gartner Report, virtualization was the top strategic technology poised to change the computer industry Public | Private | | Hybrid Virtual infrastructureThe Virtual Server Concept * Virtual Machine Monitor (VMM) layer (Hypervisor) between Guest OS and hardwareVirtualization + In computing, virtualization means to create a virtual version of a device/resource. + Technology that allow creation of different computing environment * Not to create dependency on physical layer “acne ‘virtual areiteetare Memory NetworkVirtualization * Virtualization means creation of a virtual version of something such as operating system, hardware resources and network resources. * Virtualization provides a layer of abstraction between the user and the physical hardware machine which actually runs the user application. * This layer of abstraction is a key requirement of cloud computing in order to grant scalability and flexibility to support elasticity in the system * An application can be suddenly decoupled from one hardware and moved to another hardware for the reasons like load balancing or server consolidation.Traditional Server * Having a single Operating Svstem Physical Server ApplicationDirect Execution Protocol * When the OS wishes to start a program running —creates a process entry for it in a process list —allocates some memory for it —loads the program code into memory — locates its fan point (main()), jumps to it and starts running the user’s code * Direct Execution is very fast Program Allocate memory for program Load program into memory Set up stack with arge/argy Clear registers Execute call main() Run main() Execute return from main Free memory of process Remove from process listDrawback of Direct Execution * OS wouldn’t be in control of anything —How a process be able to perform |/O and some other restricted operations, without giving the process complete control over the system? —How does the OS stop a process and context switches to another process? —OS cannot prevent a process from doing something it does not want the process to do *How to enable time sharing, but with protection?Privileged instructions * Some instructions are restricted to the OS known as privileged instructions * eg., only the OS can: —directly access I/O devices (disks, network cards) —manipulate memory state management page table pointers, TLB loads, etc. —manipulate special ‘mode bits’, interrupt priority level *So how does the CPU know if a privileged instruction should be executed?CPU Protection Ring + The x86 architecture offers four levels of privilege known as Ring 0, 1, 2 and 3 to operating systems and applications to manage access to the computer hardware. + While user level applications typically run in Ring 3, the operating system needs to have direct access to the memory and hardware and must execute its privileged instructions in Ring 0 Protection “Privilege” Rings Ring 3 ‘Ring 0: Operating system kere! 8 Direct Ring 1: Operating System Cr...) Execution fing Appleton Ring 1 | of User Ring 0 Requests Host Computer Se eC etSystem Stack API * To explore virtualization possibilities SysCall ISALevels of Virtualization Implementation ‘Appication level JVM J NET CLR /Panot Library (user-level APY level WINE/ WABI/LsRun /Vieusl Main Win / vCUDA ‘Operating systom level Jail Vital Environment /Ensi's VPS / FVM Hardware abstraction layer WAL) vel ‘Vwware /Vitual PC /Denali Xen /LA 7 Pex 85 / User mode Linux/ Cooperative Linux Tnatruction set architecture (SA) level Bochs/ Crusoe / OEMU /BIRD / DynamoISA Level Virtualization * Virtualization is performed by emulating a given ISA (Instruction Set Architecture) by the ISA of host machine. * Ex. MIPS binary code can run on an x86-based host machine with the help of ISA emulation. * Benefit: Possible to run binary code written for various processors on any given new hardware host machine. * basic emulation is through code interpretation: interprets the source instructions to target instructions one by one * V-ISA requires adding a processor-specific software translation layer in the complier * Eg. QEMU: — Multiple target ISAs: x86, ARM, PowerPC, Sparc — Full-software and simulated (using mmap()) MMUHardware Abstraction Level * Performed right on top of the bare hardware ——_ * Upgrade the hardware utilization rate by ; permitting multiple users concurrently by virtualizing a computer’s resources, such as its processors, memory, and I/O device * Uses Ring Compression techniques * Has higher performance and good application isolation * Very complex to implementOperating System Level Eg. Need to install different versions of windows on multiple virtual machines Virtualization at OS level shares OS between VMs along with the hardware Keeps base OS same and install only the differences in each single Virtual machine Drawback: can't install ubuntu on a VM whose base OS is windows It is used for performance in speedy set up or security isolation yuirdsted code to run inside a VM container without impacting is 05 provides process [solation by through the interface since system call is the only way of communication from user to kernel space Not suitable for Cloud Computing since user needs own Guest OS Eg. Web-hosting: use OS virtualization to allow a hosted Web site to believe it has complete control of a machine, but in fact each hosted Web site shares the machine with many’ other Web sites, each of which is provided its own container ( \t Viewal |} { Viewal 1 | Environ Viewal Envirowe 08 Virtualization Layer ‘Standard C8,Library Support Level API Calls . polications prefers APIs exported by userlevel libraries rather than using lengthy system calls * Virtualization is RoR by controlling the communication link between applications and the rest of a system through API hooks * Software tool WINE supports Windows applications ‘on top of UNIX hosts. * vCUDA which allows applications executing within VMs to leverage GPU hardware acceleration * Advantage is that a full translation is not needed Instructions because the hardware family is the same, hence very low overhead * Poor application flexibility and isolation System CallsUser-Application Level * When Mac based PowerPC machine switched to Intel, applications that users purchased to run on older Macs would not run on the newer versions —-OS recognizes the PowerPC compiled binary and then dynamically attach Rosetta library (emulation at the application level ) to that binary -Library intercepts every PowerPC instruction on the fly, translates it and executes it natively * Eg. different JVMs for different platforms. Java compiler produces byte code. JVM takes Java Bytecode, interpret and execute * Has the best application isolation and portability * Low performance, low application flexibility and high implementation complexityOverall Picture ISA HAL OS Library | UAL Performance |* sep fob Ek ee Flexibility 2K RR x ee 7K Ease of Impl |** * eK a 2k Degree of ge IK OK 2k eK IsolationMassively Virtualized Model - Cloud * Server Virtualization: -Ability to run multiple operating systems on a single physical system and share the underlying hardware resources —Allows for the key components of cloud computing, elasticity, provisioning, self service, etc. m Physical Server 1 © Windows Server @ Unix Server 1 © Unix Server 2 © Linux ServerVirtualization with Multi-core CPU * System with multiple cores is attractive to use VMs. * Rather than slicing a single CPU across different VMs, each VM can be run on one core * Multiple cores can also be assigned to one VM * Datacenters have large multiple core servers (e.g. some could have 16 cores). * Runa hypervisor to create lots of smaller VMs and inside each run different OSs and applications * Instead of ‘n’ different physical machines, can now be consolidated into one large server using virtualization and multi-coresVirtual Machines + After virtualizing a system, multiple Virtual Machines (VM) get originated. * Each VM runs its own Guest OS independently in an isolated manner so that any critical issues arise/create by one VM do not affect the actual physical machine or other VMs simultaneously running within the same machine (Isolation). + Each VM gets a share of CPU, memory and I/O device from the same hardware machine. * Comparing to physical machines, it is very easy and faster to provision virtual machines. * New virtual machines are created within seconds processes 4 processes processes }__{_ kernel | kernel | kernel M1 vM2 ‘VM3 virtual machine. manager hardwareData Center Model serving an Enterprise Application Dept 2 fs] [ran] fess] Virtual Servers for an Enterprise Application Server || Server | Server | Server erie Physical Servers within e Resource Pool of a Data Centerier eeae amet & Computing capacity Underutilized H/W EASA Nasemett ccs Cen aT Need/Benefits Oy MAYAanTec Oy AZ-1HCOy Oe Rise of administration costCharacteristics [ Increased Security Managed Execution Portability * Control and + Safely move filter on different machine + Hide data from guest + Virtual Image Sharing Aggregation Emulation Isolation Separate computing Separate host tied | [Running siwto| | Separation between environment within together to represent meet system host & guest |_____ same host__ guest as single host __ requirement Separation between uest & guest- filer! | Types of VirtualizationDNL oa ao) OC) OTe} orc ILS Sia) Ls Or Ti ag Tere) Teele ACT Og Virtualization | | Desktop OTC desktop csc Oa) Virtual Desktopam [Viral machine] ie: Virtual machine ree hae] KJ}= Virtualization Cloud Computing Prof. Nikita V Mahajan COEP, PuneHypervisor and VM * A hypervisor (Virtualization Layer) virtualizes a system * After virtualizing, multiple Virtual Machines (VM) get originated three tttett AttHardware Virtualization + Hardware virtualization or platform virtualization refers to the creation of a virtual machine that acts like a real computer with an operating system * Hides the physical characteristics of a computing platform from the users, presenting instead another abstract computing platform. Responsibilities of hypervisor include memory management and CPU scheduling of all VMs [Domain] g—- “x<* Hardware Hypervisor O10 — — ):Hypervisor: Virtual Machine Monitor Type 1 | Type 2 + Also Known as Bare metal * Also Known as Host based. Hypervisor Hypervisor * Consolidation ratio Increases | * Consolidation ratio decreases as as machine increases machine increases (due to OS) + Data Centre + Organization + Production purpose : Provide | |* Testing Purpose High availability Operating system 1 (hostHypervisor Architectures Type 1: Bare metal Hypervisor Type 2: OS ‘Hosted’ Apure Hypervisor that runs directly on the AHypervisor that runs within a Host OS and hosts hardware and hosts Guest OS's. Guest OS's inside of it, using the host OS services to provide the virtual environmentRequirements for a Cloud * Multi-tenancy -Each VM runs its own Guest OS independently in an isolated manner Each VM gets virtual resources as a share of CPU, memory and I/O device from the same hardware machine —Any critical issues create by one VM do not affect the actual physical machine or other VMs simultaneously running within the same machine —-Very much need for a multi-tenant public cloudRequirements for a Cloud * VM: Instant Provisioning —Comparing to physical machines, it is very easy and faster to provision VMs —New VMs are created within no time —Suitable for an elastic and scalable cloud <1 hrof work 1-2 days lead timeRequirements for a Cloud + VM Migration + Essential Feature for * Load balancing * Server Maintenance * Recovery from host failure ae = <=Hypervisor Responsibilities * VM Resource control: safely and efficiently multiplexes virtual hardware on a physical hardware: * Virtual CPUs on Physical CPU * VMs physical memory on actual hardware memory * V's I/O device on real I/O device Guest OS + Applications Emulation | cpu E Privileged Emulation || Emulation Virtual Machine MonitorVirtual Resources * Virtual CPU managing issues: + AVM usually has at least one virtual CPU * Virtualization layer maps the virtual CPUs of running VM to physical CPUs of the host * Since the number of VMs is more than the number of physical CPUs, the virtualization layer applies scheduling mechanism to assign the share of the physical CPU to each virtual CPU * Virtual Memory + Virtualization layer has to also manage with the memory * It maps physical memory to virtual memory of VMs * Also handles fragmentation and swapping * Virtual I/O. * Virtualization layer provides virtual I/O devices like network cards, hard disks and CD drivesResource Control * VMM must maintain overall control of the hardware resources + Hardware resources are assigned to VMs when they are created/executed * —Should have a way to get them back when they need to assigned to a different VM + = Similar to multi-programming in OS * Privileged Resources * = Certain resources are accessible only to and managed by hypervisor * — Interrupts relating to such resources must then be handled by hypervisor + —Privileged resources are emulated by hypervisor for the VM * All resource that could help maintain control are marked Privileged * — “Interval timer” is used to decide VM scheduling + - “Page table base register” (CR3 on x86) is used to isolate VM memoryMapping of vCPU to pCPU * Single core processor * —One physical CPU (BCPU) is vrtualised into multiple virtualized CPUs (vCPU) for running multiple virtual machine instances * Multi-core Processors: + A dual-core processor can provide almost double the performance of a single-core processor, by allowing two virtual CPUs to execute at the same time. * if |VCPUs| > | pCPUs|, Itis possible to limit the performance of a virtualized CPU in a virtual machine instance. * Needs efficient multiplexing of all the vCPUs on a given system to pCPU cores at the Hypervisor level * Needs to increase and decrease the number of vCPU resources assigned to a Virtual Machine at a later stage * Anumber of efficient CPU schedulers are available to mange each vCPU of pCPU core independently to execute virtual machinesVM State Management * Hypervisor holds the system states of all VMs in memory i aI * When Hypervisor context switches from a VM to another < J * Write the CPU register values back "ugar to memory + Copy the register values of next Z Guest OS to CPU registers — copy rege vats a ran coat ewthPopek and Goldberg Requirements * A Virtual Machine was originally defined by Popek and Goldberg as an efficient, isolated duplicate of a real Machine, which allows the multiplexing of the underlying Physical Machine * Popek and Goldberg virtualization requirements of a Hypervisor: — Fidelity: Should provide an environment for each Guest OS which is essentially identical to the original machine — Safety :Hypervisor should be in complete control of the system resources — Performance: Programs run in this environment should show at worst, only minor decreases in speedTypes of Hardware Level Virtualization Software Fall Virtualization Server Virwalization Virtualization Based Virtualization Hardware ‘Assist Virtualization Para Virtualization Desktop Virtualization Desktop Infrastructure Virwalization Virtual DesktopFull Virtualization using Binary Translation + This approach relies on binary translation to trap (into the VMM) and to virtualize certain sensitive and non-virtualizable instructions with new sequences of instructions that have the intended effect on the virtual hardware. + Meanwhile, user level code is directly executed on the processor for high performance virtualization + Binary translation employs a code cache to store translated instructions to improve performance, but it increases the cost of memory usage. * The performance of full virtualization on the x86 architecture is typically 80% to 97% that of the host machine. Ring 3 Ring 2 Ring 1 Ring 0 Host Computer System Hardware Direct Execution of User Requests Binary Translation of OS RequestsParavirtualization * Paravirtualization involves modifying the OS kernel to replace nonvirtualizable instructions with hypercalls that communicate directly with the virtualization layer hypervisor ee? Direct Execution of User Requests ‘Hypercalls’ to the Virtualization Layer replace Non-virtualizable OS Instructions Cee og euHardware Assisted Virtualization (HVM) + Intel’s Virtualization Technology (VT-x) (e.g. Intel Xeon) and AMD’s AMD- V both target privileged instructions with a new CPU execution mode feature that allows the VMM to run in a new root mode below ring 0, also referred to as Ring OP (for privileged root mode) while the Guest OS runs in Ring 0D (for de-privileged non-root mode) Privileged and sensitive calls are set to automatically trap to the hypervisor and handled by hardware, removing the need for either binary translation or para- virtualization Ring 3 Direct Execution of User — we Requests Privilege — Ring 4 Levels Ring 0 OS Requests Trap to VMM Root Mode without Binary Privilege Translation or Levels Paravirtualization peaks SidApproaches Virtualization Full-Virtualization + OS unaware: not running on physical server Unchanged code of OS + User-Level mode & Privileged Instruction + Trap> Hypervisor > Emulate proper Instruction ° Adv.: + Isolation between 0s308 OS Hypervisor * Install many OS * Dis: Delay Overall system performance affected Para-Virtualization OS aware: as Guest Modify code of OS Know actual resource in HW Adv + Improves over all performances * Solve problem of Full Virtualization Dis: * Modification of OS Hardware-Assisted Commands are directly execute with Hardware Intel/AMD. Adv.: + Eliminates overhead of binary translation Dis: + Lack support from vendorsFull-Virtualization Para-Virtualization Hardware-Assisted Wg) | Waripon Host 0S \Major Hypervisor Providers x86-64 | x86-64 vMM Host CPU | Guest CPU Guest OS Provider | Windows, Linux, Solaris, VMware | X86, X86, ) 2 ' FreeBSD, Netware, OS/2, Workstation | x86-64 x86-64 SCO, BeOS, D: VMware | X86, X86,Student to go through [in simple and virtualized machine * Direct Execution Protocol * Drawback of Direct Execution * Privileged instructions * Traps, Types * Trap during Process Execution * System Call Flow + User Process Invokes System Call * Binary Translation * Hypercall