Virtualization

Technology
Introduction
Argentina Software Pathfinding and
Innovation
Intel® Corporation
28 July 2008
 Introduction

Why is Intel giving this course?

Argentina Software Development Center in Córdoba
- Strong investment in developing areas of expertise
Software Pathfinding and Innovation
- Seeking the next technological move
Strategic Area in Virtualization Technology
- Evolving expertise in Virtualization Technology
- Augment critical mass in this area
 Introduction

What are your expectations from this course?

- Learn about virtualization technology
- Academia research
- Research in grids, cloud…
- Planning in participate in an Open Source community from
virtualization
- Business
- Using virtualization in my datacenter
- Planning to use it
- ?
 Introduction

How is this course?

Goal:
- Foster virtualization technology, its usages, its capabilities and
explore possible research and study projects
Audience:
- Beginners: provide a guide to start working/researching in
Virtualization Technologies
- Advanced: solidify concepts and go deep in VMM cases and
Hardware assisted Virtualization
Course Structure:
- Virtualization Technology Introduction
- Usages of Virtualization
- VMMs / Hypervisors
- Hardware Assisted Virtualization
- Virtualization Technology Trends
Agenda
• Introduction
• Virtualization yesterday – virtualization today
• Challenges for x86 virtualization
• Approaches to server virtualization
– Host-based server virtualization
• Full Virtualization
• Para-virtualization
• Hardware-assisted Virtualization
• Approaches to desktop virtualization
 Introduction

What is virtualization?
Virtualization is a broad term (virtual memory, storage, network, etc)
Focus for this course: platform virtualization
Virtualization basically allows one computer to do the job of multiple
computers, by sharing the resources of a single hardware across multiple
environments Virtual Virtual
Container Container

App. A App. B App. C App. D

App. A App. B App. C App. D

Operating System Virtualization Layer

Hardware Hardware

‘Nonvirtualized’ system Virtualized system

A single OS controls all It makes it possible to run multiple
hardware platform resources Virtual Containers on a single
physical platform
 Introduction

Virtualization Requirements
Popek and Goldberg describe in their “Formal
Requirements for Virtualizable Third Generation
Architectures – 1974”:
• A Model of Third Generation Machines
– Machine states: S = (E, M, P, R)
– Instructions classification
• Privileged instructions
• Control sensitive instructions
• Behavior sensitive instructions
• Properties for a Virtual Machine Monitor
– Equivalence
– Resource control
– Efficiency
• Formal analysis described through 2 theorems
 Introduction

The VMM and the VM

Equivalence
Resource Control
Efficiency

Privileged instructions
Control sensitive
Behavior sensitive

• For any conventional third generation computer, a VMM may be constructed if the set of
sensitive instructions for that computer is a subset of the set of privileged instructions
• A conventional third generation computer is recursively virtualizable if it is virtualizable
and a VMM without any timing dependencies can be constructed for it.
The evolution of
virtualization
 Evolution of Virtualization

How did it start?

• Server virtualization has existed for
several decades
– IBM pioneered more than 30 years ago
with the capability to “multitask”
• The inception was in specialized,
proprietary, high-end server and
mainframe systems
• By 1980/90 servers virtualization
adoption initiated a reduction
– Inexpensive x86 hardware platforms
– Windows/Linux adopted as server OSs
 Evolution of Virtualization

Computing Infrastructure – 2000

• 1 machine  1 OS  several applications

• Applications can affect each other
• Big disadvantage: machine utilization is very
low, most of the times it is below than 25%

App App App App App App App App

X86 X86
X86 X86
Windows Windows
Suse Red Hat
XP 2003

12% Hardware 15% Hardware 18% Hardware 10% Hardware

Utilization Utilization Utilization Utilization
 Evolution of Virtualization

Virtualization again…

x86 server deployments introduced new IT challenges:

• Low server infrastructure utilization (10-18%)
• Increasing physical infrastructure costs (facilities,
power, cooling, etc)
• Increasing IT management costs (configuration,
deployment, updates, etc)
• Insufficient failover and disaster protection

The solution for all these problems was to virtualize x86

platforms
 Evolution of Virtualization

Computing Infrastructure - Virtualization

• It matches the benefits of high hardware utilization with running
several operating systems (applications) in separated virtualized
environments
– Each application runs in its own operating system
– Each operating system does not know it is sharing the underlying
hardware with others

App. A App. B App. C App. D

X86 X86 X86 X86

Windows Windows Suse Red Hat
XP 2003 Linux Linux

X86 Multi-Core, Multi Processor

70% Hardware Utilization

Challenges for x86
virtualization
 Challenges of x86
virtualization
x86 virtualization challenge
• The IA-32 instruction set contains 17 sensitive,
unprivileged instructions:
– Sensitive register instructions: read or change sensitive
registers and/or memory locations such as a clock register or
interrupt registers:
• SGDT, SIDT, SLDT, SMSW, PUSHF, POPF
– Protection system instructions: reference the storage protection
system, memory or address relocation system:
• LAR, LSL, VERR, VERW, POP, PUSH, CALL, JMP, INT n,
RET, STR, MOV
• However, x86 is a really big candidate to be virtualized,
mainly for business facts
 Challenges of x86
virtualization
x86 modes: Privilege Levels
• x86 processor’s segment-protection mechanism
recognizes 4 privilege levels (0-high, 3-low level) -
unused
• Recognizes the following three types of privilege levels:
– Current privilege level (CPL)
– Descriptor privilege level (DPL)
– Requested privilege level (RPL)
 Challenges of x86
virtualization
x86 virtualization challenge example: reading
Segment Descriptors

– x86 Code Segment and Stack Segment registers:

• The upper 14 bits of these registers contain the segment index and
descriptor table selector.
• Lower 2 bits of CS and SS registers contains the CPL (Current
Privilege Level).
– Instructions that explicitly or implicitly access the CS/SS selector
(including CALL, MOV from SS and POP SS) do not trap when executed
from user mode.
 Executing POP SS the guest OS will be aware that it is not running on
a privileged level when in ring 1
 The Equivalence Property could be violated
 The Resource Control property is violated
 Challenges of x86
virtualization
X86 virtualization challenge example: reading
Segment Descriptors (segment details)
 Challenges of x86
virtualization
x86 virtualization challenge example (2)
• GDT, LDT, IDT and TR:
– For correct virtualization, these tables should be “shadowing” (the TR,
GDTR, IDTR registers should point to VMM’s shadow tables)
– Non privileged code can read from these registers (that means that
reading these registers do not trap)
 The Equivalence Property could be violated

• Table 2-2. Summary of System Instructions - Software Developer’s Manual Vol

3A
Approaches to server
virtualization
 Server virtualization
approaches
Evolution of Software solutions

• 1st Generation: Full • 2nd Generation: • 3rd Generation:

virtualization Paravirtualizatio Silicon-based
(Binary rewriting) n (Hardware-assisted)
– Software Based – Cooperative virtualization
– VMware and virtualization – Unmodified guest
Microsoft – Modified guest – VMware and Xen on
– VMware, Xen virtualization-aware
Virtual
Machine
… Machine
Virtual hardware platforms
VM … VM
Dynamic Translation Virtual
Machine
… Machine
Virtual

Operating System Hypervisor Hypervisor

Hardware Hardware Hardware

Time
Virtualization Logic
 Server virtualization
approaches
Full Virtualization

• 1st Generation offering of x86/x64

Virtual Machine
server virtualization

App. C

App. B
Guest OS

App. A
• Dynamic binary translation
– The emulation layer talks to an operating Device Drivers

system which talks to the computer

hardware
Emulated
– The guest OS doesn't see that it is used in
Hardware
an emulated environment
• All of the hardware is emulated
Device Drivers
including the CPU
Host OS
• Two popular open source emulators
are QEMU and Bochs
Hardware
 Server virtualization
approaches
Full Virtualization - Advantages
• The emulation layer
– Isolates VMs from the host OS and from each other
– Controls individual VM access to system resources,
preventing an unstable VM from impacting system
performance
• Total VM portability
– By emulating a consistent set of system hardware, VMs
have the ability to transparently move between hosts
with dissimilar hardware without any problems
• It is possible to run an operating system that was developed for
another architecture on your own architecture
• A VM running on a Dell server can be relocated to a Hewlett-
Packard server
 Server virtualization
approaches
Full Virtualization - Drawbacks

• Hardware emulation comes with a performance price

• In traditional x86 architectures, OS kernels expect to run
privileged code in Ring 0
– However, because Ring 0 is controlled by the host OS, VMs are
forced to execute at Ring 1/3, which requires the VMM to trap and
emulate instructions
• Due to these performance limitations, paravirtualization
and hardware-assisted virtualization were developed
Application Ring 3

Guest OS Ring 1 / 3
Application Ring 3

Virtual
Operating Ring 0 Machine Ring 0
System Monitor
Traditional x86 Architecture Full Virtualization
 Server virtualization
approaches
Para-Virtualization
• The Guest OS is modified and thus run
kernel-level operations at Ring 1 (or 3)

Virtual Machine

App. C

App. B
Guest OS

App. A
– the guest is fully aware of how to process
privileged instructions
– thus, privileged instruction translation by the Device Drivers

VMM is no longer necessary

– The guest operating system uses a
Specialized API
specialized API to talk to the VMM and, in
this way, execute the privileged instructions Virtual Machine Monitor

• The VMM is responsible for handling the

virtualization requests and putting them to Device Drivers
the hardware
Hypervisor

Hardware
 Server virtualization
approaches
Para-Virtualization
• Today, VM guest operating systems are paravirtualized using two different
approaches:
– Recompiling the OS kernel
• Paravirtualization drivers and APIs must reside in the guest operating
system kernel
• You do need a modified operating system that includes this specific API,
requiring a compiling operating systems to be virtualization aware
– Some vendors (such as Novell) have embraced paravirtualization and
have provided paravirtualized OS builds, while other vendors (such
as Microsoft) have not
– Installing paravirtualized drivers
• In some operating systems it is not possible to use complete
paravirtualization, as it requires a specialized version of the operating
system
• To ensure good performance in such environments, paravirtualization can
be applied for individual devices
• For example, the instructions generated by network boards or graphical
interface cards can be modified before they leave the virtualized machine
by using paravirtualized drivers
 Server virtualization
approaches
Hardware-assisted virtualization

• The guest OS runs at ring 0

Virtual Machine
• The VMM uses processor

App. C

App. B
Guest OS

App. A
extensions (such as Intel®-VT or
AMD-V) to intercept and emulate Device Drivers

privileged operations in the guest

• Hardware-assisted virtualization Specialized API

removes many of the problems that Virtual Machine Monitor

make writing a VMM a challenge

• The VMM runs in a more privileged Device Drivers

ring than 0, a virtual -1 ring is Hypervisor

created

Hardware
 Server virtualization
approaches
Hardware-assisted virtualization
• The hypervisor/VMM runs at Ring -1
– super-privileged mode

VMX non-root VMX root

 Server virtualization
approaches
Hardware-assisted virtualization

• Pros
– It allows to run unmodified Oss (so legacy OS can be run
without problems)
• Cons
– Speed and Flexibility
• An unmodified OS does not know it is running in a
virtualized environment and so, it can’t take advantage of
any of the virtualization features
– It can be resolved using paravirtualization partially
Approaches to desktop
virtualization
 Client virtualization
approaches
Extending the concept of virtualization for
desktops
• Servers
– Hosted virtualization - mainframes
– VMMs / Bare Metal hypervisors
– OS virtualization
• Desktops
– Desktop virtualization
– Server-side workspace virtualization
– Client-side workspace virtualization
• Application virtualization
– Application isolation
– Application streaming
 Desktop virtualization
approaches
Desktop Virtualization
• A VMM or hypervisor running on a physical
desktop
• Examples include:
– Microsoft Virtual PC
– Parallels Desktop for Mac
– VMware Fusion
– WINE.
• Use cases include:
– Emulating Windows games on the Macintosh,
– Testing code inside VMs
– Underpinning client-side workspace virtualization

• Desktop hypervisors and VMMs don’t

necessarily scale to meet enterprise needs;
that’s why most of the providers have server
products as well
 Desktop virtualization
approaches
Server-side workspace virtualization
• A workspace (desktop operating system with custom configuration)
running inside a virtual machine hosted on a server
• Examples include:
– VMware VDI
• Use cases include:
– Centrally managed desktop infrastructure
– Security enforcement and lockdown

• A pool of virtual workspaces resides on the server. Remote users log

into them from any networked device via Microsoft’s Remote Desktop
Protocol (RDP)
• Users can customize their virtual workspace to their heart’s content,
while operators enjoy the relatively straightforward task of managing
desktop configuration on one central server
• Connection brokers arbitrate between a pool of virtual workspaces
residing on a central server
• The biggest problem with server-hosted workspace virtualization is
that it’s a bandwidth hog. Performance is constrained by the
performance of your network
 Desktop virtualization
approaches
Client-side workspace virtualization
• A workspace (desktop operating system with custom
configuration) running inside a virtual machine hosted on a
desktop
• Examples include:
– Kidaro Managed Workspace
– Sentillion vThere
• Use cases include:
– Secure remote access
– Protection of sensitive data for defense, healthcare industries
– Personal computer running corporate desktops remotely

• A virtual workspace is served out to execute on the client

device
• Centralizes management
• Its big advantage over other models is the security and
isolation of data and logic on the client
• It’s the right model for organizations that need to ensure the
security of environments served to remote users
– Defense contractors
– Healthcare providers
 Desktop virtualization
approaches
Application Isolation
• An application packaged with its own virtual copies of the
operating system resources it might otherwise need to change
(registries, file systems, libraries)
• Examples include:
– Thinstall
– Trigence
• Use cases include:
– Preventing DLL hell
– Sandboxing desktop applications for secure execution

• Applications use a virtual registry (Thinstall) and file system

embedded in the package with the application
– These extra tools insulate applications from changes to and
incompatibility with the underlying desktop operating system
• Mostly in Windows, although Linux and Solaris as well
• Drawback: increased footprint of the application package and
the correspondingly greater memory requirements
 Desktop virtualization
approaches
Application Streaming
• Just-in-time delivery of a server-hosted application to the
desktop, such that the desktop application can execute before
the entire file has been downloaded from the server
• Examples include:
– AppStream
– Microsoft SoftGrid
• Use cases include:
– Managing the number of instances of running applications, in the
case of license constraints

• Superset of Application Isolation, including a delivery method

and an execution mode
– You stream the application code to the desktop, where it runs in
isolation
• No full PC environment, just the application, so you have to
provide a workspace
– Requires to maintain the client-side operating system and ensuring
compatibility. This may be why application streaming, which has
been around for a long time (AppStream has already raised over
$50m in venture capital), has not really lived up to its early hype.
Periodic table of Virtualization

Extracted from Virtualization II: Desktops and applications are next – the 451 group
Day wrap-up
• Requirements for HW Architecture Virtualization – Popek and
Goldberg
• Evolution for virtualization: from mainframes to x86 architecture due
to business reasons
• Challenges around x86 virtualization -> ISA doesn’t comply with P&G
• Server virtualization approaches
– Full Virtualization
– Paravirtualization
– Hardware Assisted Virtualization
• Client virtualization approaches
– Desktop virtualization
– Server-side workspace virtualization
– Client-side workspace virtualization
• Application virtualization
– Application isolation
– Application streaming
Questions?
Backup
References
• http://en.wikipedia.org/wiki/Platform_virtualization
• http://en.wikipedia.org/wiki/Popek_and_Goldberg_virtualization_requirements
• http://www.vmware.com/virtualization/
• http://www.vmware.com/overview/history.html
• Formal Requirements for Virtualizable Third Generation Architectures – 1974 -
Popek (UCLA) and Goldberg (Honeywell Information Systems and Harvard
University)
• Virtualization II: Desktops and applications are next – the 451 group
Contacts
Argentina Software Pathfinding and Innovation team from Virtualization
Technology:
• Guillermo Colsani: [email protected]
• Gisela Giusti: [email protected]
• Pablo Pássera: [email protected]
• Duilio Protti: [email protected]