
S02.

Introduction to Virtualisation
Software Networks
Telecommunication Engineering degrees

Academic year 2022-23

Department of Telematic Engineering

Pedro A. Aranda Gutiérrez – Carlos Jesús Bernardos Cano


Universidad Carlos III de Madrid
[email protected] , [email protected]

Materials taken from the SDN/NFV Master @ UC3M

1 / 46

Outline

1 Intro

2 Introduction to virtualisation

3 Virtual Machines

4 Containers

5 Hardware support to virtualisation

2 / 46
Software networks: overview of the course

• PART I: Introduction
• PART II: Virtualisation
• PART III: Software Defined Networks
• PART IV: Network Functions Virtualisation

3 / 46

Useful references
For today...

• "Virtualisation for dummies", Bernard Golden, John Wiley and Sons Ltd, 2007
• "Virtualisation essentials", Matthew Portnoy, John Wiley and Sons Ltd, 2012
• Books available online through UC3M's library

4 / 46
Outline

1 Intro

2 Introduction to virtualisation

3 Virtual Machines

4 Containers

5 Hardware support to virtualisation

5 / 46

Virtualisation

6 / 46
Virtualisation
Definitions
• Virtualisation
▶ The abstraction of a physical component into a logical object
▶ Access to a single underlying piece of hardware, like a server, is coordinated so that multiple guest
operating systems can share that single piece of hardware, with no guest operating system being aware
that it is actually sharing anything at all
A guest operating system is an operating system that’s hosted by the underlying virtualisation software layer,
called the host system
• Hypervisor
▶ The software providing the environment to abstract the physical component into the logical object
aka Virtual Machine Monitor (VMM)
▶ Must exhibit 3 properties
1. Fidelity: The environment created for the Virtual Machine (VM) is essentially identical to the original physical
machine on which the software would execute
2. Isolation: The VMM (and only the VMM) must have complete control of the system resources
3. Performance: There should be little or no difference in performance between the VM and its physical equivalent

7 / 46

Virtualisation
Definitions
• A hypervisor is a layer of software located (somewhere) between
1. The hardware, and
2. The virtual machines that it supports
• We use
▶ Hardware = host
▶ VM = guest

8 / 46
Hypervisor Types
Type 1
• Type 1 Hypervisors run directly on the server hardware
▶ Also known as bare-metal implementation

9 / 46

Hypervisor Types
Type 2
• Type 2 Hypervisors are applications that run on an Operating System (OS)

10 / 46
Hypervisors
The hypervisor and the VMs
• The hypervisor presents the virtual machines with generic resources they can use
• Virtual machines have access to what they see as hardware resources, which are actually virtual
resources
• Once again:
▶ Everything is provided by the hypervisor
▶ VMs see “standard” devices, which are actually virtual
▶ This makes VMs portable across various hardware platforms

11 / 46

Virtualisation
What Vbox says it provides

12 / 46
Virtualisation
What the VM sees

13 / 46

Virtualisation
What is inside the Hypervisor?

14 / 46
Virtualisation Techniques
Protection rings
• Protection rings are hierarchical protection domains
▶ Improve fault tolerance
▶ Protect from malicious behaviour
thus providing computer security

[Figure: nested protection rings, Ring 0 (innermost, most privilege) to Ring 3 (outermost, least privilege)]

15 / 46

Virtualisation techniques
Traps and interrupts
• User software runs in Ring 3
▶ To allow the Operating System to react to misbehaving software:
double x = 0.0; printf("%.3f", 1/x);     /* division by zero */
char *ptr = NULL; printf("%c", *ptr);    /* dereferencing a null pointer */
Trying to access the display memory...
▶ But also accessing the resources of the system needs to be done in a controlled way:
char input; input = getchar();           /* reading a character goes through the OS */
• Misbehaving code triggers interrupts (exceptions)
• Access to OS functionality is done via traps
• Both place the CPU in Ring 0

16 / 46
Virtualisation Techniques
How do we virtualise hosts?
• Modern Operating Systems use the rings to isolate apps from the hardware
▶ Applications run in Ring 3
▶ The Operating System functions run in Ring 0
Access hardware, modify memory management parameters, . . .
▶ OS system calls raise privileges from Ring 3 to Ring 0
• The protection rings are the basis for virtualisation
▶ The idea is to place the hypervisor in the most protected ring and the guest software in different rings
• There are three main ways to virtualise hosts:
▶ Full virtualisation
▶ Para-virtualisation
▶ Hardware assisted virtualisation

17 / 46

Virtualisation Techniques
Full virtualisation
• User level code is directly executed on the processor
• Kernel code is translated: instructions that cannot be virtualised are translated
• Translated instructions have the intended effect on the virtual Hardware (HW)
• Good compatibility and portability because the guest OS is unmodified
• Difficult to code all mechanisms needed
[Figure: Ring 3 User app; Ring 2; Ring 1 Guest OS; Ring 0 VMM; Host Computer System Hardware]

18 / 46
Virtualisation Techniques
Para-virtualisation
• aka OS assisted virtualisation
• The guest OS kernel is modified by the OS supplier
• Instructions that cannot be virtualised are replaced with hypercalls
• Compatibility and portability are poor, because not all OSes can be modified; however
• Modifying the Guest OS to enable para-virtualisation is relatively easy
[Figure: Ring 3 User app; Ring 2; Ring 1 Paravirtualised Guest OS; Ring 0 VMM; Host Computer System Hardware]

19 / 46

Virtualisation Techniques
Hardware assisted virtualisation
• Modern processors include extensions that simplify virtualisation techniques
• e.g. Intel Virtualization Technology (VT-x), AMD Virtualization (AMD-V)
• Introduces a new root mode that is more privileged than ring 0
• Main use case: 64-bit guest Operating Systems
• You enable them in your device through BIOS/UEFI
[Figure: Ring 3 User app; Ring 2; Ring 1; Ring 0 Guest OS; Root Mode (privilege modes) VMM; Host Computer System Hardware]

20 / 46
Outline

1 Intro

2 Introduction to virtualisation

3 Virtual Machines

4 Containers

5 Hardware support to virtualisation

21 / 46

Virtual Machines
Virtual Machines
• Modern Central Processing Units (CPUs) have multiple cores
• Each core is presented as a single Virtual CPU (vCPU) to the VMs
• A VM may have been assigned more than one vCPU
▶ The hypervisor has to schedule physical CPUs among VMs as vCPUs

22 / 46
Virtual Machines
Cores vs. hyperthreads
• A core is a full CPU
▶ that uses up space in the silicon die
• In some processors, there is space for two cores, but not for 4 (e.g. i3, i5 processors from Intel)
• Manufacturers create cores with two full sets of registers
▶ And make the core switch between them
▶ The result is that it looks as if you had a CPU with 4 cores
▶ This is called Hyper-Threading
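The "4 cores" a VM or host reports may be 2 physical cores with two hyperthreads each, which matters when assigning vCPUs. The following is an added example, not part of the handout: on Linux each logical CPU lists its hyperthread siblings in /sys/devices/system/cpu/cpuN/topology/thread_siblings_list, and grouping CPUs by that list recovers the physical core count. The sysfs reader is Linux-only; the two topology dictionaries are constructed samples so the grouping logic runs anywhere.

```python
import glob
import re
from typing import Dict, List, Optional, Set


def parse_cpu_list(text: str) -> List[int]:
    """Parse the kernel's cpulist format ("0-3,8,10-11") into [0, 1, 2, 3, 8, 10, 11]."""
    cpus: List[int] = []
    for part in text.strip().split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            cpus.extend(range(int(lo), int(hi) + 1))
        else:
            cpus.append(int(part))
    return cpus


def physical_cores(sibling_lists: Dict[int, str]) -> List[Set[int]]:
    """Group logical CPUs into physical cores.

    sibling_lists maps a logical CPU number to the text of its
    topology/thread_siblings_list; logical CPUs that list each other as
    siblings are hyperthreads of the same core.
    """
    cores: List[Set[int]] = []
    seen: Set[int] = set()
    for cpu in sorted(sibling_lists):
        if cpu in seen:
            continue
        siblings = set(parse_cpu_list(sibling_lists[cpu])) | {cpu}
        cores.append(siblings)
        seen |= siblings
    return cores


def summarise(sibling_lists: Dict[int, str]) -> Dict[str, int]:
    """Logical CPUs vs physical cores, and how many threads each core exposes."""
    cores = physical_cores(sibling_lists)
    return {
        "logical_cpus": len(sibling_lists),
        "physical_cores": len(cores),
        "threads_per_core": max((len(c) for c in cores), default=0),
    }


def read_host_topology() -> Optional[Dict[int, str]]:
    """Collect thread_siblings_list for every CPU from sysfs (Linux only).

    Returns None where sysfs is unavailable so the pure functions above can
    still be exercised on constructed input.
    """
    topology: Dict[int, str] = {}
    for path in glob.glob("/sys/devices/system/cpu/cpu[0-9]*/topology/thread_siblings_list"):
        match = re.search(r"/cpu(\d+)/", path)
        if not match:
            continue
        with open(path) as fh:
            topology[int(match.group(1))] = fh.read()
    return topology or None


# Constructed sample: a 2-core part with Hyper-Threading exposing 4 logical CPUs;
# siblings are paired 0/2 and 1/3, a common layout on Intel desktop parts.
SAMPLE_HT_TOPOLOGY = {0: "0,2\n", 1: "1,3\n", 2: "0,2\n", 3: "1,3\n"}
# Constructed sample: two cores without Hyper-Threading.
SAMPLE_NO_HT_TOPOLOGY = {0: "0\n", 1: "1\n"}

if __name__ == "__main__":
    topology = read_host_topology() or SAMPLE_HT_TOPOLOGY
    print(summarise(topology))
```

Run on a real host the script reads sysfs; otherwise it falls back to the constructed 2-core/4-thread sample and reports 4 logical CPUs on 2 physical cores.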

23 / 46

Virtual Machines
Networking

• Each VM can be configured with one or more virtual Network Interface Cards (vNICs)
• The hypervisor supports the creation of virtual networks that connect the vNICs to one or more
networks composed of virtual switches
• Physical NICs connect to these networks
• The hypervisor normally provides Network Address Translation (NAT) to some or all of these networks

24 / 46
Virtual Machines
Networking

25 / 46

Virtual Machines
Storage

• Storage is also virtualised
• The hypervisor presents virtual storage to the VM
▶ Normally a mapping to a physical file
▶ Exceptionally a physical device directly (e.g. a CD-ROM)

26 / 46
Virtual Machines
Memory in virtualised environments
• Hot-add memory
▶ Adding memory dynamically
Initially intended for adding physical memory to servers
Quick win in virtualised environments
▶ Modern OSes support hot-add memory
▶ However, removing memory is not supported
• Memory over-commitment
▶ Allocate more virtual memory on a host than physically exists
▶ Why can this be done?
▶ Because under normal conditions, not all memory is used

27 / 46

Outline

1 Intro

2 Introduction to virtualisation

3 Virtual Machines

4 Containers

5 Hardware support to virtualisation

28 / 46
Containers
Introduction
• The kernels of most operating systems provide a way to isolate the users in a machine
▶ What gets isolated are the different user-space instances
• Why not just use different users in a machine?
▶ Because they share too many things
• Containers: use the facilities provided by the kernel to run different virtual environments
• Is a container like a Virtual Machine (VM)?
▶ Almost
Each container gets its own network interfaces (and networking)
. . . its own filesystem
. . . isolation in terms of security
. . . isolation in terms of resource usage (quotas)
▶ At the same time . . .
They are much lighter than real VMs
. . . because they share the same host operating system

29 / 46

Containers
Hypervisors??
• Wait a sec... haven't we seen this already?
• Isn't this like a type 2 hypervisor?
• Actually not: we have neither a hypervisor
• ... nor a Guest OS as such
• We just have a thin layer to isolate
▶ the apps running in the different containers
▶ from the apps running on the OS

30 / 46
Containers
Examples
• LinuX Containers (LXC)
▶ Namespaces
▶ Cgroups
• OpenVZ
• FreeBSD jails
• Solaris Containers

31 / 46

Containers
Namespaces
• Provide an isolated view of the global resources to processes within a namespace
• Used to support the implementation of containers
• Linux implements six types of namespaces as an OS functionality:
▶ User namespaces
▶ PID namespaces (process isolation)
▶ Mount namespaces (disk)
▶ Network namespaces
▶ IPC namespaces (communication between processes, pipes)
▶ UTS namespaces
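The kernel exposes the namespaces a process lives in as symlinks under /proc/<pid>/ns; two processes share a namespace exactly when the link targets (the namespace inode) match. The following is an added example, not part of the handout: it reads those links for the six namespace types on the slide, compares two processes, and checks whether the current process is still in the initial pid namespace, which is a quick defender's test for "am I inside a container or sandbox?". It assumes Linux with /proc mounted; reading another process's links needs ptrace permission, so unreadable entries are reported as unknown rather than as shared. The inode number of the initial pid namespace is the kernel constant PROC_PID_INIT_INO.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# The six namespace types on the slide, named as the kernel exposes them
# under /proc/<pid>/ns (mount namespaces appear as "mnt").
NAMESPACE_TYPES = ("user", "pid", "mnt", "net", "ipc", "uts")

# Inode of the initial (host) pid namespace: PROC_PID_INIT_INO in the kernel's
# include/linux/proc_ns.h, which is 4026531836 in decimal.
INITIAL_PID_NS_INO = 0xEFFFFFFC


def parse_ns_link(target: str) -> Tuple[str, int]:
    """'pid:[4026531836]' -> ('pid', 4026531836)."""
    match = re.fullmatch(r"([a-z_]+):\[(\d+)\]", target)
    if not match:
        raise ValueError(f"not a namespace link: {target!r}")
    return match.group(1), int(match.group(2))


def namespace_ids(pid="self") -> Dict[str, Optional[str]]:
    """Link target per namespace type for a process, None where unreadable."""
    ids: Dict[str, Optional[str]] = {}
    for ns in NAMESPACE_TYPES:
        try:
            ids[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            # Non-Linux host, /proc not mounted, or no ptrace permission on pid
            ids[ns] = None
    return ids


def compare_namespaces(a: Dict[str, Optional[str]],
                       b: Dict[str, Optional[str]]) -> Dict[str, Optional[bool]]:
    """Per type: True if both processes share it, False if isolated, None if unknown."""
    result: Dict[str, Optional[bool]] = {}
    for ns in NAMESPACE_TYPES:
        if a.get(ns) is None or b.get(ns) is None:
            result[ns] = None
        else:
            result[ns] = a[ns] == b[ns]
    return result


def isolated_types(comparison: Dict[str, Optional[bool]]) -> List[str]:
    """Namespace types in which the two processes are isolated from each other."""
    return sorted(ns for ns, shared in comparison.items() if shared is False)


def in_initial_pid_namespace(ids: Optional[Dict[str, Optional[str]]] = None) -> Optional[bool]:
    """True on the host's own pid namespace, False inside a container/sandbox,
    None when the link could not be read."""
    ids = namespace_ids() if ids is None else ids
    link = ids.get("pid")
    if link is None:
        return None
    return parse_ns_link(link)[1] == INITIAL_PID_NS_INO


if __name__ == "__main__":
    me = namespace_ids()
    init = namespace_ids(1)
    for ns in NAMESPACE_TYPES:
        print(f"{ns:5} {me[ns]}")
    print("isolated from pid 1 in:", isolated_types(compare_namespaces(init, me)))
    print("initial pid namespace:", in_initial_pid_namespace(me))
```

Inside an LXC or Docker container the pid, mnt, net, ipc and uts links differ from the host's and the pid inode is not the initial one; an ordinary process on the host shares all six with init.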

32 / 46
Containers
LXC
• LXC allows the execution of Linux applications within a Linux host
• Inside the container, it looks like an isolated Linux
• Outside the container, it looks like a normal process

$ lxc-create -t download -n my-container
$ lxc-start -n my-container -d
$ lxc-info -n my-container
$ lxc-ls -f
$ lxc-attach -n my-container
my-container$ apt -y install apache2
my-container$ ip address show
my-container$ exit
$ lynx <my-container-ip-address>
$ lxc-stop -n my-container

33 / 46

Containers
Docker
• Docker is a wrapper for LXC
• Terminology
▶ Docker image: all the files that make up a software application
Each change that is made to the original image is stored in a separate layer
Each time you commit to a Docker image you are creating a new layer on the Docker image
the original image and previous layers are not affected
▶ A Docker container is the read-write layer on top of the image

34 / 46
Containers
Docker: images, layers, . . .

• You start with a base image
• And add features (layers) to create new images
• And when you execute an image, it becomes an instance

[Figure: layer stack, bottom to top: Base Image (Debian) → Image (add emacs) → Image (add apache) → Container (read-write instance)]
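To make the layer model concrete, here is an added example (not the handout's code, nor Docker's own implementation): a small copy-on-write model of the stack drawn on the slide. Each image layer maps paths to content, lookups go top-down through the chain, a container gets a private read-write layer, deletions are recorded as whiteouts so the image copy is never touched, and commit freezes the read-write layer as a new image layer on top of the original image. File contents are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Marker stored in an upper layer to hide a path from the layers below it
# (a "whiteout"); the lower layer's copy of the file is never modified.
WHITEOUT = object()


@dataclass
class Layer:
    name: str
    files: Dict[str, object] = field(default_factory=dict)  # path -> content or WHITEOUT
    parent: Optional["Layer"] = None

    def chain(self) -> List["Layer"]:
        """This layer and its ancestors, top-most first."""
        out, cur = [], self
        while cur is not None:
            out.append(cur)
            cur = cur.parent
        return out

    def resolve(self, path: str) -> Optional[object]:
        """Copy-on-write lookup: the highest layer that mentions the path wins."""
        for layer in self.chain():
            if path in layer.files:
                content = layer.files[path]
                return None if content is WHITEOUT else content
        return None

    def listing(self) -> Dict[str, object]:
        """Merged filesystem view a process inside the container would see."""
        merged: Dict[str, object] = {}
        for layer in reversed(self.chain()):  # bottom-up so upper layers override
            for path, content in layer.files.items():
                if content is WHITEOUT:
                    merged.pop(path, None)
                else:
                    merged[path] = content
        return merged


class Container:
    """An instance of an image: its read-only layers plus a private read-write layer."""

    def __init__(self, image: Layer, name: str):
        self.image = image
        self.name = name
        self.rw = Layer(f"{name}-rw", parent=image)

    def read(self, path: str) -> Optional[object]:
        return self.rw.resolve(path)

    def write(self, path: str, content: object) -> None:
        self.rw.files[path] = content  # lands in the rw layer only; the image is untouched

    def delete(self, path: str) -> None:
        self.rw.files[path] = WHITEOUT

    def commit(self, new_image_name: str) -> Layer:
        """Like `docker commit`: freeze the rw layer as a new image layer on top of
        the original image, then give the container a fresh, empty rw layer."""
        new_image = Layer(new_image_name, dict(self.rw.files), parent=self.image)
        self.image = new_image
        self.rw = Layer(f"{self.name}-rw", parent=new_image)
        return new_image


def build_slide_stack() -> Tuple[Layer, Layer, Layer]:
    """The stack drawn on the slide, with constructed placeholder file contents."""
    base = Layer("debian", {"/bin/sh": "sh binary", "/etc/debian_version": "11.6"})
    emacs = Layer("add-emacs", {"/usr/bin/emacs": "emacs binary"}, parent=base)
    apache = Layer("add-apache", {"/usr/sbin/apache2ctl": "apache2ctl script",
                                  "/etc/apache2/ports.conf": "Listen 80"}, parent=emacs)
    return base, emacs, apache


if __name__ == "__main__":
    base, emacs, apache = build_slide_stack()
    web = Container(apache, "web1")
    web.write("/etc/apache2/ports.conf", "Listen 8080")  # copy-on-write edit
    web.delete("/usr/bin/emacs")                         # whiteout in the rw layer
    print(web.read("/etc/apache2/ports.conf"), "vs image:", apache.resolve("/etc/apache2/ports.conf"))
    tuned = web.commit("apache-tuned")
    print([layer.name for layer in tuned.chain()])
```

The point of the model is the two invariants the slide states: writes and deletes in a running container never change the image (so a second container started from the same image sees the original files), and a commit only adds a layer on top.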

35 / 46

Containers
Docker registry
• A Docker Registry is a public repository where users can upload images and download them from
▶ Image sharing
• Operations:
▶ search for Docker images
sudo docker search busybox
▶ download a Docker image
sudo docker pull -a busybox
▶ run a shell in a Docker container
sudo docker run -i -t ubuntu:14.04 /bin/bash
▶ run a Docker container in the background
sudo docker run -d apache2
▶ check all containers
sudo docker ps
▶ pause a container (by ID or by name)
sudo docker pause 466ab23f11a5
sudo docker pause berserk_wescoff

36 / 46
Containers
Docker: dockerfile
• Define containers using a simple text-based description language (the Dockerfile)

############################################################
# Dockerfile to build an apache2 image
############################################################
# Base image is Ubuntu 18.04
FROM ubuntu:18.04
# Author: Dr. Peter
MAINTAINER Dr. Peter <dr.peter@my-mail.com>
# Install apache2 package
RUN apt update -qq -y && \
    apt install -qq -y apache2
# Set the log directory PATH
ENV APACHE_LOG_DIR /var/log/apache2
# Launch apache2 server in the foreground
ENTRYPOINT ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]
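A Dockerfile is simple enough to parse with a few lines, and doing so shows which instructions actually create layers and what a reviewer would flag before building. The following is an added example, not the handout's code: it splits a Dockerfile into instructions (handling comments and backslash continuations), counts the filesystem layers, and reports findings on the handout's own apache2 file, which is embedded as a constructed sample. The checks are ones commonly raised in image review: an unpinned base tag, the deprecated MAINTAINER instruction, no USER (so the service runs as root), and apt package lists left in the layer.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the handout's apache2 Dockerfile, transcribed.
SAMPLE_DOCKERFILE = """\
# Dockerfile to build an apache2 image
# Base image is Ubuntu 18.04
FROM ubuntu:18.04
# Author: Dr. Peter
MAINTAINER Dr. Peter <dr.peter@my-mail.com>
# Install apache2 package
RUN apt update -qq -y && \\
    apt install -qq -y apache2
# Set the log directory PATH
ENV APACHE_LOG_DIR /var/log/apache2
# Launch apache2 server in the foreground
ENTRYPOINT ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]
"""

# Instructions that add a filesystem layer to the image; the rest only add metadata.
LAYER_INSTRUCTIONS = {"FROM", "RUN", "COPY", "ADD"}


def parse_dockerfile(text: str) -> List[Tuple[str, str]]:
    """Split a Dockerfile into (INSTRUCTION, arguments) pairs.

    Handles comments, blank lines and backslash line continuations, which
    covers files like the handout's (no parser directives or heredocs).
    """
    instructions: List[Tuple[str, str]] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # comment lines are skipped even inside a continuation
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        match = re.match(r"\s*([A-Za-z]+)\s*(.*)$", buf, re.S)
        if match:
            args = " ".join(match.group(2).split())  # collapse continuation whitespace
            instructions.append((match.group(1).upper(), args))
        buf = ""
    return instructions


def audit_dockerfile(text: str) -> Dict[str, object]:
    """Layer count plus the findings a reviewer would raise on this Dockerfile."""
    instructions = parse_dockerfile(text)
    names = [name for name, _ in instructions]
    findings: List[str] = []
    for name, args in instructions:
        if name == "FROM":
            image = args.split()[0]
            if ":" not in image or image.endswith(":latest"):
                findings.append(f"FROM {image}: base image tag not pinned, builds are not reproducible")
        if name == "RUN" and "apt" in args and "install" in args and "/var/lib/apt/lists" not in args:
            findings.append("RUN apt ... install leaves package lists in the layer (add rm -rf /var/lib/apt/lists/*)")
    if "MAINTAINER" in names:
        findings.append("MAINTAINER is deprecated; use LABEL maintainer=...")
    if "USER" not in names:
        findings.append("no USER instruction: the container process runs as root")
    return {
        "instructions": len(instructions),
        "layers": sum(1 for n in names if n in LAYER_INSTRUCTIONS),
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_dockerfile(SAMPLE_DOCKERFILE)
    print(f"{report['instructions']} instructions, {report['layers']} filesystem layers")
    for finding in report["findings"]:
        print(" -", finding)
```

On the handout's file this reports 5 instructions but only 2 filesystem layers (FROM and RUN), and three findings; the pinned ubuntu:18.04 tag passes.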

37 / 46

Containers
Docker: dockerfile
• Build the Container using docker build
▶ sudo docker build -t apache2:dr-peter .
• This allows to boot one container
▶ sudo docker run -i -t apache2:dr-peter
• However, complex scenarios involve several separate containers
▶ Web server frontend
▶ Web server backend using a Database
• We need to orchestrate these containers

38 / 46
Containers
Docker: Using docker-compose

• docker-compose allows you to coordinate several containers to build a function
• Start dockerised Wordpress on local computer (with the YAML file in the next slide)
▶ sudo docker-compose up -d
• Browse the web-page
▶ lynx localhost:8080
• Stop the deployment
▶ sudo docker-compose stop

39 / 46

Containers
Docker: docker-compose

version: "3.9"
services:
  db:
    image: mysql:5.7
    volumes:
      - db_data:/var/lib/mysql
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: somewordpress
      MYSQL_DATABASE: wordpress
      MYSQL_USER: wordpress
      MYSQL_PASSWORD: wordpress
  wordpress:
    depends_on:
      - db
    image: wordpress:latest
    volumes:
      - wordpress_data:/var/www/html
    ports:
      - "8000:80"
    restart: always
    environment:
      WORDPRESS_DB_HOST: db:3306
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: wordpress
      WORDPRESS_DB_NAME: wordpress
volumes:
  db_data: {}
  wordpress_data: {}
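The compose file above is fine for a lab, but it is also a good specimen of what to check before a stack like it leaves a laptop. The following is an added example, not the handout's code: the compose file transcribed as a Python dictionary (a constructed sample, so no YAML library is needed) and an audit that walks the services looking for plaintext secrets in environment variables, unpinned image tags, ports published on every host interface, and depends_on references to services that do not exist. Values written as ${VAR} interpolation are treated as coming from the environment and are not flagged.

```python
import re
from typing import Dict, List, Optional, Union

# Constructed sample: the handout's docker-compose file as a dict.
SAMPLE_COMPOSE = {
    "version": "3.9",
    "services": {
        "db": {
            "image": "mysql:5.7",
            "volumes": ["db_data:/var/lib/mysql"],
            "restart": "always",
            "environment": {
                "MYSQL_ROOT_PASSWORD": "somewordpress",
                "MYSQL_DATABASE": "wordpress",
                "MYSQL_USER": "wordpress",
                "MYSQL_PASSWORD": "wordpress",
            },
        },
        "wordpress": {
            "depends_on": ["db"],
            "image": "wordpress:latest",
            "volumes": ["wordpress_data:/var/www/html"],
            "ports": ["8000:80"],
            "restart": "always",
            "environment": {
                "WORDPRESS_DB_HOST": "db:3306",
                "WORDPRESS_DB_USER": "wordpress",
                "WORDPRESS_DB_PASSWORD": "wordpress",
                "WORDPRESS_DB_NAME": "wordpress",
            },
        },
    },
    "volumes": {"db_data": {}, "wordpress_data": {}},
}

# Variable names that normally carry credentials.
SECRET_KEY = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY)", re.I)


def env_as_dict(env: Optional[Union[dict, list]]) -> Dict[str, str]:
    """Compose accepts environment as a mapping or as a list of KEY=VALUE strings."""
    if isinstance(env, dict):
        return {k: ("" if v is None else str(v)) for k, v in env.items()}
    out: Dict[str, str] = {}
    for item in env or []:
        key, _, value = str(item).partition("=")
        out[key] = value
    return out


def audit_compose(compose: dict) -> List[str]:
    """Findings a reviewer would raise on a compose file, one string per finding."""
    findings: List[str] = []
    services = compose.get("services", {})
    for name, svc in services.items():
        for key, value in env_as_dict(svc.get("environment")).items():
            if SECRET_KEY.search(key) and value and not value.startswith("${"):
                findings.append(f"{name}: {key} is a plaintext secret in the compose file")
        image = svc.get("image", "")
        if not image or ":" not in image or image.endswith(":latest"):
            findings.append(f"{name}: image tag not pinned ({image or 'no image'})")
        for port in svc.get("ports", []):
            # "8000:80" binds on all host interfaces; "127.0.0.1:8000:80" would not
            if len(str(port).split(":")) == 2:
                findings.append(f"{name}: port {port} published on all host interfaces")
        for dep in svc.get("depends_on", []):
            if dep not in services:
                findings.append(f"{name}: depends_on unknown service {dep}")
    return findings


if __name__ == "__main__":
    for finding in audit_compose(SAMPLE_COMPOSE):
        print("-", finding)
```

On the handout's file this yields five findings: three plaintext database passwords, the wordpress:latest tag, and port 8000 bound on all interfaces; the pinned mysql:5.7 image and the depends_on reference pass.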

40 / 46
Containers
LXD
• LXD is a “next generation system container manager”
• Open Source project founded and currently led by Canonical Ltd
• Built around a REST Application Programming Interface (API)
• Relationship with LXC
▶ Not a rewrite of LXC
▶ Builds on top of LXC:
Uses LXC through liblxc to create and manage the containers
• An alternative to the tools and distribution template system used in LXC
• Controllable over the network

41 / 46

Containers
LXD features
• Secure by design (unprivileged containers, resource restrictions, . . . )
• Scalable (from containers on a laptop to thousands of compute nodes)
• Intuitive (simple API and Command Line Interface (CLI))
• Image based (many Linux distributions published daily)
• Support for cross-host container and image transfer
• Advanced resource control (CPU, memory, network I/O, block I/O, disk usage and kernel resources)
• Device passthrough (USB, GPU, Unix character and block devices, NICs, disks and paths)
• Network management
• Storage management
• Integration with OpenStack

42 / 46
Outline

1 Intro

2 Introduction to virtualisation

3 Virtual Machines

4 Containers

5 Hardware support to virtualisation

43 / 46

Hardware against virtualisation

• Peripherals contain small micro-processors to free the CPU from shuffling data from/to devices
• This is done with something called Direct Memory Access (DMA)
• In a virtualised environment,
▶ DMA operations are opaque to the CPU
▶ They need to be re-implemented in a (slow) virtualisation-friendly way
• Lately, some CPU manufacturers have added features to the CPUs and peripherals to take more
advantage of the benefits provided by DMA and similar techniques
▶ And speed up the processes involved

44 / 46
Just some examples. . .
• Intel Virtualisation Technology for Directed I/O (VT-d)
▶ Hardware assisted remapping
Device isolation
Improve reliability and security
▶ Direct assignment of devices
Improve I/O performance and availability
• Single-Root I/O Virtualisation (SR-IOV)
▶ You need to understand the fastest bus in your computer
PCI Express (PCIe) [1]
▶ The hypervisor creates virtual adapters for VMs
▶ SR-IOV moves the overhead to the I/O adaptor
▶ Physical Functions (PFs) and Virtual Functions (VFs)
One Physical Function with up to 256 Virtual Functions
The hypervisor configures VFs via the PF
PF and VF are PCIe functions

45 / 46

Next sessions
• Hands-on
▶ Virtualisation lab
Did you install the lab VM from Aula Global?
• Software Defined Networks
• Software Defined Networks laboratories
▶ Introduction to Python for Software Defined Networks (SDN)
▶ Read the manuals and come prepared for them
• Network Functions Virtualisation
▶ Including a demo of a real world system

46 / 46
