
9/13/2024

Virtualization
Virtual Machines and Containers

Module 3
Sheheryar Malik, Ph.D.

Distributed & Cloud Computing

Virtualization
• In computing, virtualization is simulating a hardware platform,
operating system (OS), storage device, or network resources
• The term "virtualization" traces its roots to 1960s mainframes
o during which it was a method of logically dividing the mainframes' resources
for different applications
• Virtualization allows one computer to do the job of multiple
computers
o Virtual environments let one computer host multiple operating systems at the
same time

Virtualization Sheheryar Malik, Ph.D. 2


Virtualization
• Virtualization is a way to run multiple operating systems and user
applications on the same hardware
o E.g., run both Windows and Linux on the same laptop
• How is it different from dual-boot?
o Both Operating Systems run simultaneously
• The Operating Systems are completely isolated from each other


Virtualization
[Figure: ‘Nonvirtualized’ system beside Virtualized system]
• ‘Nonvirtualized’ system: App. A, App. B, App. C and App. D run on one Operating System on the Hardware
o A single OS controls all hardware platform resources
• Virtualized system: a Virtualization Layer on the Hardware hosts Virtual Containers, each running its own App. A, App. B, App. C and App. D
o It makes it possible to run multiple Virtual Containers on a single physical platform

Virtualization
[Figure: App. A, App. B, App. C and App. D, each on its own x86 virtual machine running Windows 10, Windows 2003, Suse Linux and Red Hat Linux respectively, all hosted on one x86 multi-core, multi-processor system]
• 70% Hardware Utilization


Uses of Virtualization
• Server consolidation
o Run a web server and a mail server on the same physical server
• Easier development
o Develop critical operating system components (file system, disk driver) without affecting computer stability
• Quality Assurance
o Testing a network product (e.g., a firewall) may require tens of computers
o Try testing thoroughly a product at each pre-release milestone
• Cloud computing
o Really helpful in cloud computing


Why Virtualize Cloud Infrastructure


Virtualization has three characteristics that make it ideal for cloud computing
• Partitioning
o In virtualization, many applications and operating systems (OSes) are supported in a
single physical system by partitioning (separating) the available resources
• Isolation
o Each virtual machine is isolated from its host physical system and other virtualized
machines
o Because of this isolation, if one virtual instance crashes, it doesn’t affect the other
virtual machines
• Encapsulation
o A virtual machine can be represented (and even stored) as a single file, so you can
identify it easily based on the service it provides
o The encapsulated virtual machine can be presented to an application as a complete
entity


Hypervisor


Hypervisor
• In computing, a hypervisor is a virtualization platform that allows
multiple operating systems to run on a host computer at the same
time
• Also called Virtual Machine Monitor


Types of Hypervisor
• Native (bare-metal) hypervisor
o It runs directly on a given hardware
o A "guest" operating system thus runs at the second level above the hardware
o It sits directly on the hardware platform and most likely used to gain better performance for individual users
o Has complete control over hardware
o Doesn’t have to “fight” an OS
o Typically used in data centers, enterprise computing workload situations, web servers, and other primarily fixed-use applications
• Hosted hypervisor
o Runs as a distinct software layer above both the hardware and the OS
o Useful both in private and public clouds to gain performance improvements
o Avoid code duplication: need not code a process scheduler, memory management system – the OS already does that
o Can run native processes alongside VMs
o Familiar environment
o Easy management
o Most often used in desktop and development environments, where workloads are not as resource-intensive or critical to operations


Bare-metal Hypervisor (Type 1)
[Figure: Applications on Guest OS 1, OS 2, OS 3 and OS 4; the guests run on the Virtualization Platform (the Host), which runs directly on the Hardware]
Example: VMware ESX, Microsoft Hyper-V, Xen


Hosted Hypervisor (Type 2)
[Figure: Applications on Guest OS 1, OS 2 and OS 3; the guests run on the Virtualization Platform, which runs alongside native Applications on the Host's Base Operating System, which in turn runs on the Hardware]
Examples: VMware Workstation, Sun VirtualBox, QEMU, KVM



VMware Products
• VMware Workstation Pro
o First product launched by VMware in 1999
o It allows users to run multiple instances of x86 or x86-64 compatible operating systems on a single
physical PC
• VMware Workstation Player
o It is for users without a license (for non-commercial use) to use VMware Workstation or VMware
Fusion
• VMware Fusion
o It provides similar functionality for users of the Intel Mac platform, along with full compatibility
with virtual machines created by other VMware products
• VMware vSphere
o It is an enterprise-level product; it can deliver greater performance than the freeware VMware
Server, due to lower system overhead
o It is also called "ESXi"
o VMware ESXi, as a "bare-metal" product, runs directly on the server hardware, allowing virtual
servers to also use hardware more or less directly
o In addition, VMware ESXi integrates into VMware vCenter, which offers extra services to enhance
the reliability and manageability of a server deployment


Types of Virtualization


Desktop Virtualization
• It is a software technology that separates the desktop environment and
associated application software from the physical client device that is used
to access it
• It may allow all the components of the desktop to be virtualized
o which allows for a highly flexible and much more secure desktop delivery model
• It supports a more complete desktop disaster recovery strategy as all
components are essentially saved in the data center and backed up
through traditional redundant maintenance systems
• If a user's device or hardware is lost, then
o the restore is much more straightforward and simpler, as all the components will be
present at login from another device
o there is much less chance that any critical data can be retrieved and
compromised, because no data is saved to the user's device


Remote Desktop Virtualization


• Remote desktop virtualization implementations operate as client/server computing
environments
• Application execution takes place on a remote operating system
o which is linked to the local client device over a network using a remote display protocol through
which the user interacts with applications
• All applications and data used remain on the remote system with only display, keyboard,
and mouse information communicated with the local client device
o Devices can be a conventional PC/laptop, a thin client device, a tablet, or even a Smartphone
• A common implementation of this approach is to host multiple desktop operating system
instances on a server hardware platform running a hypervisor
o It is generally referred to as "Virtual Desktop Infrastructure" or "VDI"
• Remote desktop virtualization is frequently used in the following scenarios
o In distributed environments with high availability requirements and where desk-side technical
support is not readily available, such as branch office and retail environments
o In environments where high network latency degrades the performance of conventional
client/server applications
o In environments where remote access and data security requirements create conflicting
requirements that can be addressed by retaining all (application) data within the data center

Software Virtualization
• Operating system-level virtualization
o hosting of multiple virtualized environments within a single OS instance
• Application virtualization
o It is a software technology that encapsulates application software from the
underlying operating system on which it is executed
o It is the hosting of individual applications in an environment separated from
the underlying OS
o Application virtualization is closely associated with the concept of portable
applications


Memory Virtualization
• Memory virtualization
o aggregating random-access memory (RAM) resources from networked systems into a single
memory pool
• Virtual memory
o giving an application program the impression that it has contiguous working memory,
isolating it from the underlying physical memory implementation
[Figure: each App sees its own Virtual Memory, which is mapped onto Physical memory and Swap space; each application sees its own logical memory, independent of physical memory]
• Benefits of Virtual Memory
o Remove physical-memory limits
o Run multiple applications at once

Storage Virtualization
• Storage virtualization
o the process of completely abstracting logical storage from physical storage
• Distributed file system
o any file system that allows access to files from multiple hosts sharing via a computer
network
• Virtual file system
o an abstraction layer on top of a more concrete file system, allowing client
applications to access different types of concrete file systems in a uniform way
• Storage hypervisor
o the software that manages storage virtualization and combines physical storage
resources into one or more flexible pools of logical storage
• Virtual disk drive
o a computer program that emulates a disk drive such as a hard disk drive or optical
disk drive

Storage Virtualization
[Figure: Servers access storage through a Virtualization Layer that sits above Heterogeneous Physical Storage]
• Benefits of Storage Virtualization
o Increased storage utilization
o Adding or deleting storage without affecting application’s availability
o Non-disruptive data migration


Data Virtualization
• Data virtualization
o the presentation of data as an abstract layer, independent of underlying
database systems, structures and storage
• Database virtualization
o the decoupling of the database layer, which lies between the storage and
application layers within the overall application stack


Network Virtualization
• Network virtualization
o creation of a virtualized network addressing space within or across network subnets
• Virtual private network (VPN)
o a network protocol that replaces the actual wire or other physical media in a network with an
abstract layer, allowing a network to be created over the Internet

[Figure: VLAN A, VLAN B and VLAN C spanning two Switches connected by a VLAN trunk]
• Benefits of Virtual Networks
o Common network links with access-control properties of separate links
o Manage logical networks instead of physical networks
o Virtual SANs provide similar benefits for storage-area networks


x86 Virtualization


x86 modes: Privilege Levels
• x86 processor’s segment-protection mechanism recognizes 4 privilege levels (0-high, 3-low level) – unused


Evolution of Virtualization Solutions
• 1st Generation: Full virtualization (Binary rewriting)
o Software based
o VMware and Microsoft
o [Figure: Virtual Machines on Dynamic Translation, on the Operating System, on the Hardware]
• 2nd Generation: Paravirtualization
o Cooperative virtualization
o Modified guest
o VMware, Xen
o [Figure: Virtual Machines on the Hypervisor, on the Hardware]
• 3rd Generation: Silicon-based (Hardware-assisted) virtualization
o Unmodified guest
o VMware and Xen on virtualization-aware hardware platforms
o [Figure: Virtual Machines on the Hypervisor, on Hardware that contains Virtualization Logic]


Full Virtualization
• 1st Generation offering of x86/x64 server virtualization
• Dynamic binary translation
o The emulation layer talks to an operating system which talks to the computer hardware
o The guest OS doesn't see that it is used in an emulated environment
• All of the hardware is emulated including the CPU
• Two popular open source emulators are QEMU and Bochs
[Figure: Virtual Machine (App. A, App. B and App. C on the Guest OS with its Device Drivers) on Emulated Hardware, on the Host OS with its Device Drivers, on the Hardware]

Full Virtualization
• Advantages
o The emulation layer
▪ Isolates VMs from the host OS and from each other
▪ Controls individual VM access to system resources, preventing an unstable VM from
impacting system performance
o Total VM portability
▪ By emulating a consistent set of system hardware, VMs have the ability to transparently move
between hosts with dissimilar hardware without any problems
• It is possible to run an operating system that was developed for another architecture on your own
architecture
• A VM running on a Dell server can be relocated to a Hewlett-Packard server
• Disadvantages
o Hardware emulation comes with a performance price
o In traditional x86 architectures, OS kernels expect to run privileged code in Ring 0
▪ However, because Ring 0 is controlled by the host OS, VMs are forced to execute at Ring 1/3,
which requires the VMM to trap and emulate instructions
o Due to these performance limitations, paravirtualization and hardware-assisted
virtualization were developed

Para-Virtualization
• Hardware environment is not fully simulated
• It involves modifying the OS kernel to replace non-virtualizable instructions with hypercalls that directly communicate with the virtualization layer hypervisor
• The Hypervisor is responsible for handling the virtualization requests and putting them to the hardware
• The Guest OS is modified and thus runs kernel-level operations at Ring 1 (or 3)
o the guest is fully aware of how to process privileged instructions
o thus, privileged instruction translation by the VMM is no longer necessary
o The guest operating system uses a specialized API to talk to the VMM and, in this way, execute the privileged instructions
[Figure: Virtual Machine (App. A, App. B and App. C on the Guest OS with its Device Drivers) talking through a Specialized API to the Virtual Machine Monitor / Hypervisor with its Device Drivers, on the Hardware]


Para-Virtualization Approaches
• Recompiling the OS kernel
o Paravirtualization drivers and APIs must reside in the guest operating system kernel
o You do need a modified operating system that includes this specific API, requiring
operating systems to be compiled to be virtualization aware
▪ Some vendors (such as Novell) have embraced paravirtualization and have provided
paravirtualized OS builds, while other vendors (such as Microsoft) have not
• Installing paravirtualized drivers
o In some operating systems it is not possible to use complete paravirtualization, as it
requires a specialized version of the operating system
o To ensure good performance in such environments, paravirtualization can be applied
for individual devices
o For example, the instructions generated by network boards or graphical interface
cards can be modified before they leave the virtualized machine by using
paravirtualized drivers

Hardware-assisted Virtualization
• The guest OS runs at ring 0
• The VMM uses processor extensions (such as Intel®-VT or AMD-V) to intercept and emulate privileged operations in the guest
• Hardware-assisted virtualization removes many of the problems that make writing a VMM a challenge
• The VMM runs in a more privileged ring than 0, a virtual -1 ring is created
• The hypervisor/VMM runs at Ring -1
o super-privileged mode
[Figure: Virtual Machine (App. A, App. B and App. C on the Guest OS with its Device Drivers) talking through a Specialized API to the Virtual Machine Monitor / Hypervisor with its Device Drivers, on the Hardware]


Hardware-assisted Virtualization
• Pros
o It allows running unmodified operating systems (so legacy OSes can be run
without problems)
• Cons
o Speed and Flexibility
▪ An unmodified OS does not know it is running in a virtualized environment and so, it
can’t take advantage of any of the virtualization features
• This can be partially resolved using paravirtualization


Linux-related Virtualization Projects

Project         Type                                    License
Bochs           Emulation                               LGPL
QEMU            Emulation                               LGPL/GPL
Xen             Paravirtualization                      GPL
z/VM            Full virtualization                     Proprietary
VMware          Full virtualization                     Proprietary
Linux KVM       Full virtualization                     GPL
Linux-VServer   Operating system-level virtualization   GPL
OpenVZ          Operating system-level virtualization   GPL


Containerization
OS Level Virtualization

Cloud Computing Containerization (LXC, Docker, Kubernetes)


Containers


Virtualization
• Virtualization is a collection of software technologies that enable
software applications to run on virtual hardware
o Virtual hardware (virtualization via virtual machines and hypervisor), or
o virtual operating systems (virtualization via containers)


Operating System Virtualization Container


• OS-level virtualization refers to an operating system paradigm in
which the kernel allows the existence of multiple isolated user space
instances, called containers
• A container is a virtual runtime environment that runs on top of a
single operating system (OS) kernel and emulates an operating system
rather than the underlying hardware


Containers
• Containers offer a logical packaging mechanism in which applications
can be abstracted from the environment in which they actually run
o This decoupling allows container-based applications to be deployed easily and
consistently, regardless of whether the target environment is a private data
center, the public cloud, or even a developer’s personal laptop
• Containerization provides a clean separation of concerns
o as developers focus on their application logic and dependencies, while IT
operations teams can focus on deployment and management without
bothering with application details such as specific software versions and
configurations specific to the app


Containers vs Virtual Machine
• Virtual Machines (VMs)
o are an abstraction of physical hardware turning one server into many servers
o The hypervisor allows multiple VMs to run on a single machine
o Each VM includes a full copy of an operating system, the application, necessary binaries and libraries - taking up tens of GBs
o VMs can also be slow to boot
• Containers
o are an abstraction at the app layer that packages code and dependencies together
o Multiple containers can run on the same machine and share the OS kernel with other containers, each running as isolated processes in user space
o Containers take up less space than VMs (container images are typically tens of MBs in size), can handle more applications and require fewer VMs and Operating systems


Containers vs Virtual Machine
[Figure: the Virtualization stack (virtual machines on a hypervisor) beside the Containerization stack (containers on a Container Runtime)]


Traditional vs Virtual Machine vs Containers


Containers Benefit
• Fast Provision (in seconds / milliseconds)
• Near bare metal runtime performance
• VM-like agility – it’s still “virtualization”
• Flexibility
o Containerize a “system”
o Containerize “application(s)”
• Lightweight
o Just enough Operating System (JeOS)
o Minimal per container penalty
• Open source – free – lower TCO
• Growing in popularity

Containers Benefit
• Agile application creation and deployment
o increased ease and efficiency of container image creation compared to VM
image use
• Continuous development, integration, and deployment
o provides for reliable and frequent container image build and deployment with
quick and easy rollbacks (due to image immutability)
• Dev and Ops separation of concerns
o create application container images at build/release time rather than
deployment time, thereby decoupling applications from infrastructure
• Environmental consistency across development, testing, and
production
o Runs the same on a laptop as it does in the cloud


Containers Benefit
• Cloud and OS distribution portability
o Runs on Ubuntu, RHEL, CoreOS, on-premises, on major public clouds, and anywhere
else
• Application-centric management
o Raises the level of abstraction from running an OS on virtual hardware to running an
application on an OS using logical resources
• Loosely coupled, distributed, elastic, liberated micro-services
o applications are broken into smaller, independent pieces and can be deployed and
managed dynamically – not a monolithic stack running on one big single-purpose
machine
• Resource isolation
o predictable application performance
• Resource utilization
o high efficiency and density

Containerization Layers
• Layer 6 (Development Workflow, Opinionated Containers): OpenShift, Cloud Foundry, Docker Cloud, Deis, Apcera, Apprenda
• Layer 5 (Orchestration / Scheduling, Service Model): Kubernetes, Docker Swarm, Marathon/Mesos, Nomad, Diego
• Layer 4 (Container Engine): Docker, rkt, runC (OCI), Osv, LXC, LXD
• Layer 3 (Operating System): Ubuntu, RHEL, CoreOS, Unikernels
• Layer 2 (Virtual Infrastructure): vSphere, EC2, GCP, Azure, OpenStack
• Layer 1 (Physical Infrastructure): Raw Compute, Storage, Network


Containerization Layers
[Figure: layered stack, bottom to top: Container Engine; Container Orchestration (Swarm / Swarm Mode); PaaS; Serverless]


Container
• Like a normal Linux program, containers really have two states – rest and running
• Container Image / Repository
o a container is a file (or set of files) that is saved on disk
o This is referred to as a Container Image or Container Repository
• Once running, Containers are just processes
o Typing a command to start a container, the Container Engine unpacks the required files and meta-data, then
hands them off to the Linux kernel
• Starting a container is very similar to starting a normal process and requires making an API call to
the kernel
o This API call typically initiates extra isolation and mounts a copy of the files that were in the container image
• Containers have existed within operating systems for quite a long time
o A container is the runtime instantiation of a Container Image
o A container is a standard Linux process typically created through a clone() system call instead of fork() or
exec()
o Also, containers are often isolated further through the use of cgroups, SELinux or AppArmor
• There are several competing Container Image formats (Docker, Appc, LXD)
o These Container Engines take a Container Image and turn it into a Container (aka running processes)


Container Image
• A container image, in its simplest definition, is a file which is pulled down
from a Registry Server and used locally as a mount point when starting
Containers
• Docker, RKT, and LXD operate on the concept of pulling remote files and
running them as a Container
o Each of these technologies treats container images in different ways
▪ LXD pulls a single container image (single layer), while
▪ Docker and RKT use OCI-based images which can be made up of multiple layers
• Technically, it is much more complicated than a single file on a Registry Server
o The term “container image” is often used to mean a Repository, referring to a
bundle of multiple container Image Layers as well as metadata which provides extra
information about the layers
• Historically, each Container Engine had its own container image format
• Now major tools and engines have moved to a format defined by the Open
Container Initiative (OCI)
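The slides describe a container image as a bundle of layers plus metadata, and a running container as the engine mounting those files. The example below (added here, not from the lecture or any engine's own code) models that with a constructed OCI-style manifest whose layers are content-addressed by digest: the engine walks the layers bottom to top, applies OCI whiteout entries, and refuses a layer whose content no longer matches the digest the manifest names. The layer contents are plain dicts standing in for tar archives.

```python
"""Added example (not from the slides): how an OCI-style image made of
several layers, each addressed by a content digest, is turned into one
root filesystem when the container engine mounts it. All layers and the
manifest below are constructed inline; real layers are tar archives."""
import hashlib
import json

WHITEOUT_PREFIX = ".wh."          # OCI layer spec: this path is deleted in lower layers
OPAQUE_WHITEOUT = ".wh..wh..opq"  # OCI layer spec: hide the whole directory below


def blob_digest(blob: dict) -> str:
    """Content-address a (constructed) layer blob, the way a registry does."""
    raw = json.dumps(blob, sort_keys=True).encode()
    return "sha256:" + hashlib.sha256(raw).hexdigest()


# Constructed layer contents: path -> file content (stand-ins for tar entries)
LAYER_BLOBS = {
    "base": {"bin/sh": "#!/bin/sh", "etc/passwd": "root:x:0:0",
             "etc/shadow": "root:*", "app/config/dev.ini": "debug=1"},
    "app": {"app/server.py": "print('hi')", "etc/.wh.shadow": ""},
    "conf": {"app/config/.wh..wh..opq": "", "app/config/prod.ini": "debug=0"},
}

# Local cache / registry blob store, keyed by digest
BLOB_STORE = {blob_digest(b): b for b in LAYER_BLOBS.values()}

# Constructed manifest listing the layers bottom to top, as OCI does
MANIFEST = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "layers": [
        {"mediaType": "application/vnd.oci.image.layer.v1.tar",
         "digest": blob_digest(LAYER_BLOBS[name])}
        for name in ("base", "app", "conf")
    ],
}


def layer_is_intact(store: dict, descriptor: dict) -> bool:
    """True if the stored blob still hashes to the digest the manifest names."""
    blob = store.get(descriptor["digest"])
    return blob is not None and blob_digest(blob) == descriptor["digest"]


def fetch_layer(store: dict, descriptor: dict) -> dict:
    """Return a layer blob, refusing any blob whose content no longer matches."""
    if not layer_is_intact(store, descriptor):
        raise ValueError("layer digest mismatch or missing: " + descriptor["digest"])
    return store[descriptor["digest"]]


def apply_layer(rootfs: dict, layer: dict) -> dict:
    """Overlay one layer on the accumulated rootfs, honouring whiteouts.

    Per the OCI layer spec, whiteouts act only on lower layers, so deletions
    are applied first and the layer's own files are added afterwards."""
    out = dict(rootfs)
    additions = {}
    for path, content in layer.items():
        parent, _, name = path.rpartition("/")
        if name == OPAQUE_WHITEOUT:
            # Everything lower layers put under this directory disappears
            out = {p: c for p, c in out.items() if not p.startswith(parent + "/")}
        elif name.startswith(WHITEOUT_PREFIX):
            # Delete one path (and anything beneath it) from lower layers
            target = (parent + "/" if parent else "") + name[len(WHITEOUT_PREFIX):]
            out = {p: c for p, c in out.items()
                   if p != target and not p.startswith(target + "/")}
        else:
            additions[path] = content
    out.update(additions)
    return out


def image_rootfs(manifest: dict, store: dict) -> dict:
    """Walk the manifest bottom to top and build the merged root filesystem."""
    rootfs = {}
    for descriptor in manifest["layers"]:
        rootfs = apply_layer(rootfs, fetch_layer(store, descriptor))
    return rootfs


if __name__ == "__main__":
    for path in sorted(image_rootfs(MANIFEST, BLOB_STORE)):
        print(path)
```

The merged view drops etc/shadow and app/config/dev.ini exactly as the whiteouts in the upper layers dictate, and a blob altered in the cache fails the digest check before it is ever mounted.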


Container Engine
• A container engine is a managed environment for deploying
containerized applications
• It accepts user requests, including command line options, pulls
images, and from the end user’s perspective runs the container
• The container engine
o allocates cores and memory to containers
o enforces spatial isolation and security, and
o provides scalability by enabling the addition of containers

• There are several competing Container Engines including Docker, CRI-O, Railcar, RKT, LXC


Container Engine
• Most container engines don’t actually run the containers, they rely on
an OCI compliant runtime like runc
• There are many container engines, including docker, RKT, CRI-O, and
LXD
o Many cloud providers, Platforms as a Service (PaaS), and Container Platforms
have their own built-in container engines
▪ which consume Docker or OCI compliant Container Images
▪ Having an industry standard Container Image Format allows interoperability between all
of these different platforms


Container Host
• The container host is the system that runs the containerized
processes, often simply called containers
• This could be, for example, RHEL Atomic Host running in a VM, as an
instance in the public cloud, or on bare metal in your datacenter
• Once a container image (aka repository) is pulled from a Registry
Server to the local container host, it is said to be in the local cache


Container Orchestration
• A container orchestrator does two things
a. Dynamically schedules container workloads within a cluster of computers
b. Provides a standardized application definition file (kube yaml, docker
compose, etc)
• The need for a container orchestrator arises due to the requirement for
building multiple containers and deploying them together as a unit
o These containers may be pushed into a pipeline (Dev/QA/Prod) leading
towards production


Container Orchestration
• Allows containers within an application to be scheduled completely
separately
• This is useful if:
o The utilization of large clusters of Container Hosts is required
o Individual containers fail (process hang, out of memory (OOM))
o Container Hosts fail (disk, network, reboot)
o Container Engines fail (corruption, restart)
o Individual containers need to be scaled up, or scaled down


Hybrid Container Architecture


• Hybrid container architecture is an architecture combining
virtualization by both virtual machines and containers, i.e., the
container engine and associated containers execute on top of a virtual
machine
• Use of a hybrid container architecture is also known as hybrid
containerization


Hybrid Container Architecture

As shown in the figure, these three technologies exist at three different layers in an
architecture


Hybrid Container Architecture

Virtualization layer (containers and container engine) sits on top of the infrastructure layer and depends on certain parts of the operating system/kernel


Current Trends in Virtualization via Containers


• Containers are becoming more widely used because they provide
many of the isolation benefits of VMs without as much time and
space overhead
• Although containers are typically hosted on some version of Linux,
they are also now hosted on other operating systems, such as
Windows and Solaris


Pros of Virtualization via Containers


• Hardware costs
o Virtualization via containers decreases hardware costs by enabling consolidation
o It enables replacing several lightly-loaded machines with fewer, more heavily-loaded
machines to minimize SWAP-C (size, weight, power, and cooling)
• Scalability
o A single container engine can efficiently manage large numbers of containers,
enabling additional containers to be created as needed
• Ship more software
o Accelerate development, CI and CD pipelines by eliminating headaches of setting up
environments and dealing with differences between environments
o On average, Docker users ship software 7X more frequently
• Continuous integration
o Containers support Agile and continuous development processes by enabling the
integration of increments of container-hosted functionality

Pros of Virtualization via Containers


• Spatial isolation
o Containers support lightweight spatial isolation by providing each container with its
own resources (e.g., core processing unit, memory, etc.) and container-specific
namespaces
• Portability
o Isolated containers package the application, dependencies and configurations
together
o These containers can then seamlessly move across environments and infrastructures
• Storage
o Compared with virtual machines, containers are lightweight with regard to storage
size
• Performance
o Compared with virtual machines, containers increase performance (throughput)
because they do not emulate the underlying hardware


Pros of Virtualization via Containers


• Real-time applications
o Containers provide more consistent timing than virtual machines, although
this advantage is lost when using hybrid virtualization
• Reliability and robustness
o The modularity and isolation provided by VMs improve reliability, robustness,
and operational availability by localizing the impact of defects to a single VM
• Safety
o Safety is improved by localizing the impact of faults and failures to individual
containers
• Security
o The modular architecture provided by the containers increases the complexity
and difficulty of attacks
o Spatial isolation largely limits impact of malware to a single container


Cons of Virtualization via Containers


• Although there are many advantages to moving to virtualization via
containers, architects must address challenges and associated risks in the
following areas:
• Shared Resources
o Applications within containers share many resources including
▪ container-specific resources including the container, container engine, and OS kernel
▪ virtualization by VM resources including the virtual machine, the hypervisor, and the host
operating system if using a type-2 hypervisor, and
▪ multicore processing resources including
• processor-internal resources (L3 cache, system bus, memory controller, I/O controllers, and
interconnects)
• processor-external resources (main memory, I/O devices, and networks)
o Such shared resources imply
▪ single points of failure exist
▪ two applications running in the same container can interfere with each other
▪ software running in one container can impact software running in another container (i.e.,
interference can violate spatial and temporal isolation)


Cons of Virtualization via Containers


• Interference Analysis
o Shared resources imply interference
o Virtualization via containers increases the difficulty of the analysis of temporal
interference (e.g., meeting timing deadlines) and tends to make the resulting timing
estimates overly conservative
o Interference analysis becomes more complex as the number of containers increases
and virtualization via containers is combined with virtualization via VMs and
multicore processing
• Safety
o Use of containers does not guarantee isolation
o Temporal interference may cause delays that cause hard real-time deadlines to be
missed
o Spatial interference can cause memory clashes
o Whether by VM or containers, traditional safety accreditation and certification
processes and policies do not take virtualization into account, making safety
(re)accreditation and (re)certification difficult


Cons of Virtualization via Containers


• Security
o Containers are not by default secure and require significant work to make
them secure
o One must ensure that
▪ no data is stored inside containers
▪ container processes are forced to write to container-specific file systems
▪ the container's network namespace is connected to a specific, private intranet
▪ the privileges of container services are minimized (e.g., non-root if possible)
• Container Sprawl
o Excessive containerization is relatively common and increases the amount of
time and effort spent on container management
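The four hardening points under Security above can be checked mechanically before a workload is admitted. The example below (added here, not part of the lecture) audits a Kubernetes-style pod definition; mapping the slide's points onto pod fields is the example's own assumption: hostNetwork for the network namespace, readOnlyRootFilesystem plus a scratch volume for "no data stored inside the container", runAsNonRoot/runAsUser and privileged for minimised privileges. Both pod specs are constructed inline, as dicts standing in for the YAML.

```python
"""Added example (not from the slides): audit a Kubernetes-style pod spec
against the container hardening points. The field mapping is an assumption
of this example; the two pod definitions are constructed inline."""


def audit_pod(pod: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    spec = pod.get("spec", {})
    # Network namespace: the pod should have its own, not the host's
    if spec.get("hostNetwork"):
        findings.append("pod: shares the host network namespace (hostNetwork: true)")
    pod_ctx = spec.get("securityContext", {})
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        # Container-level securityContext overrides pod-level settings
        ctx = {**pod_ctx, **c.get("securityContext", {})}
        if ctx.get("privileged"):
            findings.append(f"{name}: privileged container")
        # Minimised privileges: must opt in to non-root and not pin uid 0
        if not ctx.get("runAsNonRoot") or ctx.get("runAsUser", 1) == 0:
            findings.append(f"{name}: may run as root (runAsNonRoot/runAsUser)")
        # No data inside the container: root filesystem must be read-only
        if not ctx.get("readOnlyRootFilesystem"):
            findings.append(f"{name}: writable root filesystem, data can be stored inside the container")
        # Writes should go to container-specific volumes, not host paths
        for mount in c.get("volumeMounts", []):
            vol = volumes.get(mount["name"], {})
            if "hostPath" in vol:
                findings.append(f"{name}: mounts host path {vol['hostPath'].get('path')}")
    return findings


# Constructed pod carrying the weak settings the checks look for
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
        "containers": [{
            "name": "web", "image": "example/web:1.0",  # placeholder image name
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "logs", "mountPath": "/var/log/web"}],
        }],
    },
}

# The same pod hardened: own network namespace, non-root, read-only root
# filesystem, writes confined to a container-specific scratch volume
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "hostNetwork": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "volumes": [{"name": "scratch", "emptyDir": {}}],
        "containers": [{
            "name": "web", "image": "example/web:1.0",  # placeholder image name
            "securityContext": {"privileged": False, "readOnlyRootFilesystem": True},
            "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"}],
        }],
    },
}


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or ["ok"])
```

Running it reports five findings for WEAK_POD and none for HARDENED_POD; the same function can sit in an admission hook or a CI step so the check runs before deployment rather than after an incident.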
