02 - Virtualisation and Networking

This document discusses cloud computing and virtualization. It explains how virtual machines allow multiple operating systems and applications to run simultaneously on the same physical machine through virtualization of hardware resources. Virtualization provides benefits like server consolidation, improved availability, simplified management, and security isolation. The document then reviews the history and original motives for virtualization, and discusses techniques for CPU virtualization proposed by Popek and Goldberg in 1974.


Cloud Computing

#2a - Virtualisation and Networking


[Figure: three physical machines. Each runs hardware, a host operating system and a virtualisation layer; on top of it sit virtual machines #1, #2 and #3, each with its own operating system and applications. Network virtualisation and storage virtualisation span the machines.]

Ericsson Internal | 2018-02-21


Cloud Motives
— Server Consolidation
  — Improve utilisation (possible to overcommit)
  — Significant cost savings (equipment, space, power)
— Simplified Management
  — Datacenter provisioning and monitoring
  — Dynamic load balancing
  — Migration (dead or alive)
  — Convenient for users
— Improved Availability
  — Checkpointing
  — Fault tolerance
  — Disaster recovery
  — Replication
— Security
  — Isolation


Yesterday’s News
— Classical VMM
  — IBM S/360, IBM VM/370
  — Co-designed proprietary hardware, OS, VMM
— Applications
  — Timeshare several single-user OS instances on expensive hardware
  — Compatibility

From IBM VM/370 product announcement, ca. 1972


Original Motives ‘65
— Multiprogramming
— Multiple single-application VMs
— Multiple secure environments
— Managed application environments
— Mixed OS environments
— Legacy applications
— New systems transitions
— Software development
— OS training
— Help desk support
— Operating system instrumentation
— Event monitoring
— Checkpointing


Popek & Goldberg ‘74

Formally, virtualization involves the construction of an isomorphism that maps a virtual guest system to a real host. The hypervisor sits between guest and host.

[Figure: guest states on one side, host states on the other. A state mapping connects each guest state to a host state, and an instruction sequence on the guest corresponds to an instruction sequence on the host, so that mapping a guest state and then executing the host sequence gives the same host state as executing the guest sequence first and then mapping.]

The isomorphism requires the existence of a state mapping and instruction sequences such that the diagram above commutes.


Popek & Goldberg ‘74

[Figure: a write operation by the guest on its virtual disk is mapped by the function f() to a write operation on the host's disk.]

Virtualization differs from abstraction in that virtualization does not necessarily hide details; the level of detail in a virtual system is often the same as that in the underlying real system.
CPU virtualisation
Popek & Goldberg '74

— Three types of instructions
  — Control sensitive
    — Change the configuration of resources
    — Load PSW, Set CPU Timer (S/370)
  — Behavior sensitive
    — Depend on the configuration of resources
    — Load Real Address (S/370), Pop Stack into Flags Register (IA-32)
  — Innocuous
    — The rest (the whole lot of them)


CPU virtualisation
Popek & Goldberg '74

— A VMM must satisfy three properties
  — Efficiency implies that all instructions that are innocuous must be executed natively on the hardware, with no intervention or emulation by the VMM.
  — Resource control implies that it should not be possible for guest software to directly change the configuration of any system resources available to it, e.g., real memory. The allocator must be invoked if the guest software makes any such attempt.
  — Equivalence implies that any program executing on a virtual machine must behave in a manner identical to the way it would have behaved when running directly on the native hardware, with only a few exceptions.

Virtualization Approaches
— Trap-and-emulate
— Binary translation
— Paravirtualization
— Hardware-assisted Virtualization


CPU virtualisation
Privileged instructions vs user instructions

[Figure: protection rings on the physical machine. Ring 0, the most privileged (system mode), holds the operating system kernel and drivers; rings 1 and 2 are unused; ring 3, the least privileged (user mode), holds libraries and apps.]


Virtual State


CPU virtualisation
Privileged instructions vs user instructions: de-privileging, i.e. run the guest OS in unprivileged mode

[Figure: virtual machine #1 and virtual machine #2 (guests), each with apps, libraries and a guest operating system kernel, run in ring 3 (least privileged, user mode) next to ordinary apps on top of the hypervisor/VMM. The host operating system kernel and drivers run in ring 0 (most privileged, system mode) on the hardware.]


CPU virtualisation

— The guest is typically just another user-level process (application)
— Facilitates processor sharing using standard operating system scheduling
— This allows cloud providers to overcommit, i.e. sell more compute power than is actually available.
  — Bet on not everyone running at the same time.

[Figure: physical machine (host) with hardware, host operating system kernel and hypervisor/VMM; virtual machine #1 and #2 (guests), each with apps, libraries and a guest operating system kernel, run alongside ordinary apps and libraries as host processes.]


CPU virtualisation
Trap and emulate

— Privileged instructions trap, and the VMM emulates them
  — E.g., movl %eax, %cr3 ; invalidate the TLB
  — Traps into the VMM so the effect can be emulated
— Execute guest instructions on the real CPU when possible
  — E.g., addl %eax, %ex

[Figure: virtual machine code runs on the physical machine (hardware, host operating system kernel, hypervisor/VMM). A privileged instruction traps into the hypervisor/VMM, which emulates the changes and then continues the guest.]

CPU virtualisation
Trap and emulate

— VMM has three parts
  — Dispatcher
  — Allocator
  — Interpreter routines
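The three Popek & Goldberg properties and the dispatcher/allocator/interpreter split, as an added example in the form of a toy trap-and-emulate VMM written for this page (not code from the slides); the opcodes LOAD_PT, READ_MODE and READ_PT, the registers and the frame numbers are invented for the model.

```python
from dataclasses import dataclass, field
# Opcodes, registers and frame numbers below are invented for this model.
CONTROL_SENSITIVE = {"LOAD_PT"}                 # changes resource configuration
BEHAVIOUR_SENSITIVE = {"READ_MODE", "READ_PT"}  # result depends on that configuration
# every other opcode is innocuous and never reaches the VMM

class Trap(Exception):
    """Raised by the de-privileged hardware when the guest issues a sensitive op."""

@dataclass
class Guest:
    code: list
    regs: dict = field(default_factory=lambda: {"a": 0, "b": 0})
    pc: int = 0
    pt_base: int = 0       # page-table base the guest believes it has loaded
    mode: str = "system"   # the guest believes it runs privileged

def cpu_step(g):
    """Hardware view: innocuous ops run directly (efficiency); sensitive ops trap."""
    op, *args = g.code[g.pc]
    if op in CONTROL_SENSITIVE or op in BEHAVIOUR_SENSITIVE:
        raise Trap((op, *args))
    if op == "HALT":
        return False
    if op == "MOV":
        g.regs[args[0]] = args[1]
    elif op == "ADD":
        g.regs[args[0]] += g.regs[args[1]]
    g.pc += 1
    return True

class VMM:
    def __init__(self, frames_owned):
        self.owned = set(frames_owned)  # host frames allocated to this guest
        self.real_pt_base = None        # value the real register would hold
        self.denied, self.traps = [], 0

    def dispatcher(self, g, instr):
        self.traps += 1
        op, *args = instr
        (self.allocator if op in CONTROL_SENSITIVE else self.interpreter)(g, op, args)
        g.pc += 1                       # resume the guest after the trapped op

    def allocator(self, g, op, args):
        # Resource control: the guest may only point its page table at frames it owns.
        if args[0] not in self.owned:
            self.denied.append(args[0])  # refused; a real VMM would inject a fault
            return
        g.pt_base = self.real_pt_base = args[0]

    def interpreter(self, g, op, args):
        # Equivalence: answer from the guest's virtual state, not the hardware's.
        if op == "READ_MODE":
            g.regs[args[0]] = g.mode    # "system", although the CPU is in user mode
        elif op == "READ_PT":
            g.regs[args[0]] = g.pt_base

    def run(self, g):
        while True:
            try:
                if not cpu_step(g):
                    return g
            except Trap as t:
                self.dispatcher(g, t.args[0])

def demo():
    """Constructed guest: arithmetic, a legal and an illegal LOAD_PT, two reads."""
    vmm = VMM(frames_owned={0x200, 0x201})
    g = Guest(code=[("MOV", "a", 2), ("MOV", "b", 3), ("ADD", "a", "b"),
                    ("LOAD_PT", 0x200), ("LOAD_PT", 0x7FF),
                    ("READ_MODE", "b"), ("READ_PT", "a"), ("HALT",)])
    vmm.run(g)
    return g, vmm
```

Only the four sensitive instructions reach the VMM; the denied LOAD_PT leaves both the guest's view and the real register untouched.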
CPU virtualisation
Binary translation

— Interpret the binary code
  — Replace privileged instructions
  — Avoids traps, which can be expensive
  — Most instructions remain identical, except control flow (calls, jumps, branches, ret, etc.) and privileged instructions
  — Dynamic or static
— Use a cache to speed up
— Popularised by VMware on x86

[Figure: guest code on the left, translated code on the right.]


CPU virtualisation
Paravirtualisation

— OS or system devices are virtualization aware
  — Requires recompilation of the OS
  — Guest applications unaffected
  — In general good performance
— Popularised by Xen for x86

[Figure: three stacks compared. No virtualisation: apps on an operating system kernel on hardware. Normal virtualisation: the guest operating system kernel (virtual machine, guest) runs on a VMM/hypervisor over the hardware (physical machine, host) without knowing about it. Paravirtualisation: the guest operating system kernel knows about the VMM/hypervisor beneath it.]
Memory virtualisation
Virtual Memory 101

— Each process has its own address space (usually starting at 0x0)
— The page table keeps the map from virtual memory to physical memory
— The TLB is the page-mapping cache
— Virtual memory enables memory isolation between user processes

[Figure: two processes, each with virtual memory starting at 0x0, mapped through a page table to physical memory; pages can be swapped out to disk.]


Memory virtualisation
When virtual memory is virtually virtualised

[Figure, first view: on each virtual machine (#1, #2) the guest maps its virtual memory through its own page table to what it believes is physical memory. On the physical machine that "physical memory" is itself virtual memory, mapped through a further page table to the real physical memory.]

[Figure, second view, renamed: guest virtual memory -> guest page table -> real memory (the guest's view of physical memory) -> VMM page table -> physical memory of the physical machine.]

[Figure, third view: a shadow page table, maintained by the VMM, maps guest virtual memory directly to physical memory, combining the guest page table and the VMM's page table into one level.]
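The two translation levels and the shadow page table that composes them, worked through in Python as an added example (not code from the slides); the page numbers, the VirtualMachine class and the two-tenant setup are constructed for the example.

```python
# Two-level address translation and the shadow page table the VMM derives from
# it (added example, not from the slides); page numbers are constructed.
PAGE = 0x1000

def translate(table, addr, level):
    """One level of translation; table maps page number -> page number."""
    vpn, offset = divmod(addr, PAGE)
    if vpn not in table:
        raise LookupError(f"{level} page fault at {addr:#x}")
    return table[vpn] * PAGE + offset

class VirtualMachine:
    def __init__(self, guest_pt, vmm_pt):
        self.guest_pt = dict(guest_pt)  # guest virtual -> "real" memory (guest's view)
        self.vmm_pt = dict(vmm_pt)      # "real" memory -> host physical memory
        self.shadow = self._build_shadow()

    def _build_shadow(self):
        """Compose both tables into guest virtual -> host physical, the table
        the VMM actually loads into the MMU. Guest entries pointing at "real"
        memory the VMM never backed are left out, so such accesses fault into
        the VMM instead of reaching another tenant's frames."""
        return {gvpn: self.vmm_pt[gppn]
                for gvpn, gppn in self.guest_pt.items() if gppn in self.vmm_pt}

    def two_level(self, gva):
        """What the slides draw: walk the guest table, then the VMM table."""
        return translate(self.vmm_pt, translate(self.guest_pt, gva, "guest"), "vmm")

    def via_shadow(self, gva):
        """One walk through the shadow table; must agree with two_level()."""
        return translate(self.shadow, gva, "shadow")

    def guest_sets_pte(self, gvpn, gppn):
        """The guest writes its own page table. The VMM write-protects guest
        page tables so the write traps and the shadow is rebuilt in step."""
        self.guest_pt[gvpn] = gppn
        self.shadow = self._build_shadow()

# constructed tenants: the VMM backs each VM with disjoint host frames
VM1 = VirtualMachine(guest_pt={0x0: 0x2, 0x1: 0x0, 0x7: 0x9},   # 0x9 is unbacked
                     vmm_pt={0x0: 0x40, 0x1: 0x41, 0x2: 0x42})
VM2 = VirtualMachine(guest_pt={0x0: 0x0, 0x1: 0x1},
                     vmm_pt={0x0: 0x80, 0x1: 0x81})

def host_frames(vm):
    """Host frames a VM can reach through its shadow table (isolation check)."""
    return set(vm.shadow.values())
```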
Virtualization Interfaces
Until now we have looked at system-level virtualisation, i.e. the whole machine is virtualised.

But that is not the only option!

[Figure: the interfaces of a computer system.]
ISA = Instruction Set Architecture
  3 = System ISA (privileged calls)
  4 = User ISA (user-level calls)
ABI = Application Binary Interface
API = Application Programming Interface

[Figure: Type 1 hypervisor (bare metal): apps and a guest operating system kernel on a VMM/hypervisor running directly on the hardware. Type 2 hypervisor (hosted): apps and a guest operating system kernel on a VMM/hypervisor running on a host operating system on the hardware.]


System VM vs Process VM

[Figure: system virtual machine: the virtual machine (guest) comprises apps and an operating system kernel, and the virtualising software runs directly on the hardware of the physical machine (host). Process virtual machine: the virtualising software runs a single app on top of the host operating system and hardware.]


LXC - Linux Containers

— Lightweight process-level virtualization
  — No VM (or VMM/hypervisor), just a Linux process
  — A user-space interface for the Linux kernel containment features:
    — Kernel namespaces, AppArmor/SELinux, seccomp, chroots, kernel capabilities, cgroups
  — Multiple containers share the same kernel
— A long story...
  — Chroot (1979) – change the root directory for a running process, along with its children → segregate and isolate processes, protecting the global environment
  — Jails – additional process sandboxing features for isolating filesystems, users, networks (limiting apps in their functionality)
  — Solaris Zones – full application environments, with full user, process and filesystem space
  — Cgroups (2006) – process containers designed for isolating and limiting the resource usage of a process
Enter Docker Containers
— A user-space process (LXC)
— Isolation based on Linux process mechanisms
— Each container has its own network stack and file system
— Share kernel with host
— Containers can be stopped, paused, restarted

Name borrowed from the shipping industry, hence the aquatic theme:
— Portability - can be used on any of the supported types of ships
— Wide variety of cargo that can be packed inside
— Standard sizes - standard fittings on ships
— Many containers on a ship
— Isolates cargo from each other


What does Docker offer?
• A simple way to pack code and dependencies together

• Apps that can run anywhere

• Low overhead

• A complete ecosystem for sharing images



Docker Containers
— Each container is built from a Docker image.
  — Images are read-only
  — Union mount merges the images together with a writable top layer
    — Copy-on-write
— Docker registries to store and publish images
  — DockerHub, etc.
  — Tons of applications ready for download
— Docker images are built in a hierarchical fashion, which facilitates collaboration and innovation
— Fast to start and stop
— Runs equally well on your laptop and in the cloud
— Solves the dependency mess
Docker Files
A recipe for building images

Easy to create repeatable environments


Fits well into the automation workflow



Using Docker

# start an interactive shell in a fresh Ubuntu container
$ docker run -it ubuntu /bin/bash

# create a container without starting it; Docker prints the new container id
$ docker create -t -i fedora bash
6d8af538ec541dd581ebc2a24153a28329acb5268abe5ef868c1f1a261221752

# start it attached and interactive, using a prefix of the id
$ docker start -a -i 6d8af538ec5
bash-4.2#

# lifecycle of a container
$ docker stop <container>
$ docker pause <container>
$ docker restart <container>
$ docker rm <container>

# bind-mount a host directory into the container
$ docker run -v /host/directory:/container/directory -it ubuntu /bin/bash
$ docker run -v /Users/ejoheke/:/my-host -it ubuntu /bin/bash
# a bind mount gives the container read-write access to that host path;
# mount only what the container needs (append :ro for read-only access)

# inspect and clean up
$ docker ps
$ docker ps --all
$ docker images
$ docker rmi $(docker images -q)
$ docker stop $(docker ps -q)
$ docker rm $(docker ps --all -q)
Docker vs VMs
— Virtual machines have their own complete guest OS.
  — Separate kernels. Takes time to boot.
  — A small application we want to run quickly adds up to a lot of data.
  — Consumes host resources
  — Thorough isolation

— Docker
  — Shares the kernel with the host OS.
  — Runs as a process inside the host.
  — Only the application and its dependencies.
  — Efficiency, better reuse of host OS resources
  — Docker contains an OS, but runs natively
  — Less isolation


Performance

[Figure: storage and networking benchmark charts.]

IBM Research, An Updated Performance Comparison of Virtual Machines and Linux Containers, 2014-07-21, http://domino.research.ibm.com/library/cyberdig.nsf/papers/0929052195DD819C85257D2300681E7B/$File/rc25482.pdf
Containers empowering microservices

Quicker start times simplify both prototyping and auto-scaling

Allow work to be done independently on modules and facilitate independent releases for components

Isolated and abstracted runtime environments, which can be tailored for each module

Shared runtime environment for heterogeneous applications


Unikernels

The goal of MirageOS is to restructure entire VMs—including all kernel and user-space code—into more modular components that are flexible, secure, and reusable in the style of a library operating system.


GPU virtualisation
Basics of GPU computing

[Figure: basic behavior of CUDA: the application running on the node offloads work to the GPU attached to that node.]

Remark: GPUs can only be used within the node they are attached to.

Are we making good use of GPUs? GPU utilisation often becomes an issue.

Remote GPU virtualisation
A different approach: remote GPU virtualization

[Figure: nodes with no GPU use a GPU in another node over the network.]

Basics of rCUDA

Access to a remote GPU is transparent to applications: no source code modification is needed.

rCUDA is a development by Universitat Politècnica de València


FPGA virtualisation

Fahmy et al., "Virtualized FPGA Accelerators for Efficient Cloud Computing", IEEE 7th International Conference on Cloud Computing Technology and Science (CloudCom), 2015
Storage virtualisation
Block storage (virtual hard disk)

Works just like a regular disk. Partition, format, mount.

Performance is an issue.

[Figure: inside virtual machine VM#1 the guest stack is apps, libraries, operating system (ABI), file system and block device driver. On the physical machine the hypervisor runs next to ordinary apps and libraries on the host operating system (ABI), whose file system and block device driver access the real disk that backs the guest's virtual disk.]
Storage virtualisation
Remote block storage (virtual hard disk)

Still works just like a regular disk.

Performance is an issue. Latency and throughput are bounded by the network.

[Figure: virtual machine VM#1 (apps, libraries, operating system (ABI), file system, block device driver) runs on the hypervisor of the compute node, whose host operating system has a NIC and a boot disk. The virtual disk lives on a separate storage node (libraries, operating system (ABI), NIC, disk); the two physical machines are connected by the network.]
Cloud Native
#2b - Networking

Networking 101
The stack

[Figure: the OSI model next to the protocol stack: HTTP, FTP at the top; TCP, UDP; IP; Ethernet, token ring; 1000BaseT at the bottom.]

Source: Optimizing Network Performance with Content Switching: Server, Firewall, and By Matthew Sym
Network virtualisation

[Figure: virtual network 10.0.0.0/24 with virtual machine #1 (10.0.0.12, 00:1a:2c:2f:32:d1) and virtual machine #3 (10.0.0.27, 01:2c:1a:4b:12:c2), each with apps, libraries and an operating system kernel.]

A frame sent from virtual machine #1 to virtual machine #3 on the virtual network:
S-MAC: 00:1a:2c:2f:32:d1
D-MAC: 01:2c:1a:4b:12:c2
S-IP: 10.0.0.12
D-IP: 10.0.0.27
<PAYLOAD>

Turtles all the way down: the guest network runs on top of the host network.

[Figure: virtual machines #1 to #4 on the virtual network 10.0.0.0/24 are spread over two physical hosts. On each host the VMs attach to bridges connected to Open vSwitch (OVS), which bridges to the host NIC. Host 1 has 100.93.56.216 / b6:00:59:58:f1:06, host 2 has 100.93.56.112 / a2:1b:99:b0:8b:ff; the hosts are connected through a router.]

On the physical network the guest frame travels inside an outer header addressed between the two hosts:
S-MAC: b6:00:59:58:f1:06
D-MAC: a2:1b:99:b0:8b:ff
S-IP: 100.93.56.216
D-IP: 100.93.56.112
  S-MAC: 00:1a:2c:2f:32:d1
  D-MAC: 01:2c:1a:4b:12:c2
  S-IP: 10.0.0.12
  D-IP: 10.0.0.27
  <PAYLOAD>
Tunneling
— Provides a network service that the underlying network cannot provide.
  — IPv6 over IPv4
  — VPN - Virtual Private Network, provides secure access to a network over non-secure networks. Uses IPsec: "encrypt an IP datagram and put it in an IP datagram"
— Usually violates the OSI model, i.e., the layer m payload contains layer n < m protocol data.
— Communication between data centers typically goes over tunnels.

— VXLAN
  — VLAN on steroids.
  — Addresses the scalability problem of layer-2 networks.
  — Allows 2^24 logical networks, identified by the VXLAN Network Identifier (VNI).
  — Encapsulates a layer-2 frame in a UDP datagram. Layer 2 on top of layer 3!
  — Connects separate layer-2 domains to create one domain.
  — Machines are identified uniquely by the combination of their MAC address and VNI.
  — VXLAN Tunnel End Points (VTEPs) encapsulate/decapsulate layer-2 frames.
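The outer/inner header pair from the network virtualisation slides, built as a real VXLAN packet in Python as an added example (not code from the slides); the VNI 5001, the UDP source port and the payload bytes are constructed, and the receiving VTEP only hands a frame to the local segment when its VNI matches.

```python
# VXLAN encapsulation/decapsulation with the addresses from the slides
# (added example, not from the slides). VNI 5001, the UDP source port and the
# payload are constructed.
import socket
import struct

VXLAN_PORT = 4789    # IANA-assigned UDP destination port for VXLAN
VXLAN_FLAG_I = 0x08  # "VNI valid" flag in the VXLAN header

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def eth_header(dst, src, ethertype):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype)

def checksum(data):
    """RFC 1071 one's-complement checksum over an even-length header."""
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, payload_len, proto=17):
    fields = [0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)

def vxlan_header(vni):
    # 8 bytes: flags, 3 reserved, then the 24-bit VNI in the top bits of the last word
    return struct.pack("!B3sI", VXLAN_FLAG_I, b"\0\0\0", vni << 8)

def encapsulate(inner_frame, vni, src_ip, dst_ip, src_mac, dst_mac):
    """Sending VTEP: wrap the guest's layer-2 frame in VXLAN/UDP/IP/Ethernet."""
    vxlan = vxlan_header(vni) + inner_frame
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(vxlan), 0) + vxlan
    ip = ipv4_header(src_ip, dst_ip, len(udp)) + udp
    return eth_header(dst_mac, src_mac, 0x0800) + ip

def decapsulate(outer_frame, segment_vni):
    """Receiving VTEP for one segment: strip the outer headers and only hand
    the inner frame to the local bridge if its VNI is this segment's VNI."""
    if struct.unpack_from("!H", outer_frame, 12)[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    udp_off = 14 + (outer_frame[14] & 0x0F) * 4
    if struct.unpack_from("!H", outer_frame, udp_off + 2)[0] != VXLAN_PORT:
        raise ValueError("not a VXLAN datagram")
    flags, _, word = struct.unpack_from("!B3sI", outer_frame, udp_off + 8)
    vni = word >> 8
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN header without a valid VNI")
    if vni != segment_vni:
        raise ValueError(f"VNI {vni} must not be delivered into segment {segment_vni}")
    return outer_frame[udp_off + 16:]

def slide_example():
    """Frame VM#1 -> VM#3 from the slide, carried between the two hosts."""
    inner = eth_header("01:2c:1a:4b:12:c2", "00:1a:2c:2f:32:d1", 0x0800) + b"<PAYLOAD>"
    outer = encapsulate(inner, 5001, "100.93.56.216", "100.93.56.112",
                        "b6:00:59:58:f1:06", "a2:1b:99:b0:8b:ff")
    return inner, outer
```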
Cloud Networking

— Dynamics
  — mobility, migration of VMs
  — short-lived services
  — on-demand scaling
— Scaling
  — many VMs on many hosts
— Isolation
  — tenants sharing the same physical resource
— Traffic
  — North-south / East-west
  — Not always on physical links
  — Makes DNS a bit more complicated (and important)
The Two Networking “Planes”

Data plane: processing and delivery of packets with local forwarding state
  Forwarding state + packet header -> forwarding decision

Control plane: compute the forwarding state in switches/routers
  Determines how and where packets are forwarded

[Figure: traditional network vs SDN. Traditional: control is a distributed algorithm running between neighbours, one complicated task-specific distributed algorithm per function (routing, access control, etc.), with control and forwarding in the same switches/routers. SDN: a control program on top of a global network view provided by a network OS (e.g. NOX), which drives the forwarding model of the switches/routers; the control plane is split into "layers" and mechanisms.]
SDN
Software Defined Networking

— Introduces a centralized control plane
— Networks are hard to manage (=> expensive)
— Computation and storage have been virtualized
— Networks are hard to evolve
— Simplify the hardware nodes
Assignment #2

[Figure: several Docker containers running inside VMs, connected to the Internet and sharing a volume.]

Bonus assignment on SDN for the brave...

fin