The Virtualization & VPS Server Handbook - Chapter 4
Article Category: VPS & Virtualization
created: 02.27.2008
updated: 05.01.2008
The Virtualization Technology & VPS Hosting Handbook - Chapter 4
Chapter 4 - Technical information about the different types of virtualization
This chapter aims to equip you with the technical details of virtualization technology, which is a necessity in today's web world. So many names and acronyms are flaunted these days by desperate vendors that it becomes confusing when making a choice. I'm sure after you're through with this rather long chapter you'll be able to make the correct choice without much of.
Let's start with the very basic question: What is virtualization?
We already have some idea about what it is, but it's time to go into more detail.
The common theme of all virtualization technologies is the hiding of technical detail, through encapsulation. Virtualization creates an external interface that hides an underlying implementation (e.g., by multiplexing access, by combining resources at different physical locations, or by simplifying a control system). Recent development of new virtualization platforms and technologies has refocused attention on this mature concept.
Thus, virtualization is a technique for hiding the physical characteristics of computing resources from the way in which other systems, applications, or end users interact with those resources. This includes making a single physical resource (such as a server, an operating system, an application, or storage device) appear to function as multiple logical resources; or it can include making multiple physical resources (such as storage devices or servers) appear as a single logical resource.
As with other terms, such as abstraction and object orientation, virtualization is used in many different contexts. These can be grouped into two main types: platform virtualization (section 4.2), where a whole machine is virtualized for guest software, and resource virtualization (section 4.3), where individual resources such as memory, storage or network links are combined or split.
Chapter 4.2 - Platform virtualization
Platform virtualization is performed on a given hardware platform by host software (a control program), which creates a simulated computer environment, a virtual machine, for its guest software. The guest software, often itself a complete operating system, runs as if it were installed on a stand-alone hardware platform. Generally, many such virtual machines run on a single physical machine, their number limited only by the host's hardware resources, and the guest OS need not be the same as the host OS. The guest usually requires access to specific peripheral devices to function, so the simulation must support the guest's interfaces to those devices; typical examples are a hard disk drive or a network interface card.
There are several approaches to platform virtualization; the main difference between them is the degree of virtualization that is attempted.
Chapter 4.2.1 - Emulation or simulation?
Looked at from a software perspective, an emulator reproduces the behavior of one system on another. It executes, or tries to execute, the same programs as the "original" system and produces the same results for the same input; the user of an emulator is not supposed to care how. There are numerous software emulators for old and new hardware architectures, video game consoles, etc.
In computing, a simulation is an imitation of some real system, and a simulator can informally be thought of as an "accurate emulator". For example, ARMn is a multiprocessor cycle-accurate simulator that can simulate a cluster of ARM processor cores connected by custom communication schemes; the VCS Verilog Simulator from Synopsys can do gate-level ASIC simulation, useful to semiconductor people; and there is an instruction-accurate simulator for the picoJava processor core, which is essentially a reasonably accurate software model of the real thing.
Thus, simply put, a virtual machine of this kind simulates the complete hardware, allowing an unmodified "guest" OS for a completely different CPU to be run. This approach has long been used to enable the creation of software for new processors before they were physically available. Examples include Bochs, PearPC, the PowerPC version of Virtual PC, QEMU without acceleration, and the Hercules emulator. Emulation is implemented using a variety of techniques, from state machines to dynamic recompilation on a full virtualization platform.
It might not be entirely out of place to know a little about Bochs.
Bochs is an open source x86 emulator written in C++. It is a user-space emulator, and emulates the x86 processor, several I/O devices, and a custom BIOS. Bochs is highly portable and rather slow (not surprising, since it emulates every instruction and every I/O device in software); the primary author of Bochs reports 1.5 MIPS on a 400 MHz Pentium II.
Nevertheless, Bochs is extremely flexible and customizable.
Chapter 4.2.2 - Full virtualization
The virtual machine simulates enough hardware to allow an unmodified "guest" OS (one designed for the same CPU) to be run in isolation. This approach was pioneered in 1966 with IBM CP-40 and CP-67, predecessors of the VM family. Examples outside the mainframe field include Parallels Workstation, Parallels Desktop for Mac, VirtualBox, Virtual Iron, Virtual PC, VMware Workstation, VMware Server, QEMU, Adeos, Mac-on-Linux, Win4BSD, Win4Lin Pro, and Egenera vBlade technology.
Virtual Iron provides virtual machines for x86 that run unmodified operating systems, such as Windows, Red Hat and SUSE. Virtual Iron's open source virtualization technology implements native virtualization, which delivers near-native performance for x86 operating systems.
QEMU is a machine emulator that can run a variety of guest CPU architectures on many different host platforms.
Adeos is a hardware abstraction layer that can be loaded as a kernel module in Linux. It allows a real-time kernel to be loaded as a module, running alongside Linux but with higher priority.
Full virtualization is particularly helpful in operating system development, when experimental new code can be run at the same time as older, more stable versions, each in a separate virtual machine. (The process can even be recursive: IBM debugged new versions of its virtual machine operating system, VM, in a virtual machine running under an older version of VM, and even used this technique to simulate new hardware.)
Chapter 4.2.3 - Hardware enabled virtualization
In 2005 and 2006, Intel added hardware support for x86 virtualization in the form of Vanderpool (marketed as Intel VT, also written IVT), and AMD provided its own version as Pacifica (marketed as AMD-V). Sun came forward with the UltraSPARC T1 hypervisor and IBM offered Advanced POWER Virtualization. Examples of hardware-enabled virtualization include VMware Workstation, VMware Fusion, Microsoft Virtual PC, Xen, Parallels Desktop for Mac, and Parallels Workstation.
VMware provides virtual machines for x86 that can run unmodified PC operating systems. The technology involved is complex and incurs (sometimes significant) performance overhead with the hosted VMware products (VMware Server and Workstation). ESX Server provides near-native performance and a fully virtualized option (along with paravirtualization of some hardware components).
Parallels provides virtualization of x86 for running unmodified PC operating systems. It also uses a lightweight hypervisor in order to improve security and efficiency. Parallels has become popular for its ability to run Windows as a guest under Mac OS X on the Apple-Intel architecture.
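A quick check for the Intel VT / AMD-V support discussed above, added here as an example for this handbook (it is not vendor code): on Linux the kernel lists the CPU feature flags in /proc/cpuinfo, where VT-x appears as vmx and AMD-V as svm. The cpuinfo text below is constructed, and the reliance on the /proc/cpuinfo layout is this example's own assumption.

```python
"""Check whether a Linux host's CPUs advertise hardware virtualization.

Added example for this handbook (not vendor code). On Linux the kernel lists
CPU feature flags in /proc/cpuinfo: Intel VT-x appears as "vmx", AMD-V as
"svm". The /proc/cpuinfo layout assumed here is the one Linux has used for
years, but it is not a formal interface.
"""
import re
from pathlib import Path

# Constructed two-CPU excerpt (not captured from a real machine); only the
# fields the parser looks at are present.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Intel(R) Core(TM)2 Duo CPU
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm vmx est tm2 ssse3 cx16

processor\t: 1
vendor_id\t: GenuineIntel
model name\t: Intel(R) Core(TM)2 Duo CPU
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx lm vmx est tm2 ssse3 cx16
"""


def parse_cpuinfo(text):
    """Return one {field: value} dict per 'processor' block."""
    cpus = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        if fields:
            cpus.append(fields)
    return cpus


def virtualization_support(text):
    """Return 'intel-vt', 'amd-v' or None. Every logical CPU must carry the flag."""
    cpus = parse_cpuinfo(text)
    if not cpus:
        return None
    flag_sets = [set(cpu.get("flags", "").split()) for cpu in cpus]
    if all("vmx" in flags for flags in flag_sets):
        return "intel-vt"
    if all("svm" in flags for flags in flag_sets):
        return "amd-v"
    return None


def host_virtualization_support(path="/proc/cpuinfo"):
    """Run the check on the real host; None when /proc/cpuinfo is absent."""
    p = Path(path)
    return virtualization_support(p.read_text()) if p.exists() else None


if __name__ == "__main__":
    print("sample:", virtualization_support(SAMPLE_CPUINFO))
    print("this host:", host_virtualization_support())
```

Seeing the flag only tells you the silicon has the feature. Firmware can still leave it disabled (a hypervisor such as KVM then refuses to start guests), and inside a virtual machine the flag is normally hidden unless the hypervisor deliberately exposes nested virtualization to the guest.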
Chapter 4.2.4 - Partial Virtualization
Partial virtualization (includes "address space virtualization")
The virtual machine simulates only some parts of the host hardware environment, especially address spaces. Such an environment supports resource sharing and process isolation, but it does not allow a separate "guest" operating system to run. Although not a virtual machine as such, this basic approach is what Microsoft Windows and Linux use to isolate processes from one another, and the paravirtualization, operating system-level virtualization and application virtualization approaches described below build on it as well.
Chapter 4.2.5 - Paravirtualization
The virtual machine does not necessarily simulate hardware, but instead (or in addition) offers a special API that can only be used by modifying the "guest" OS. The guest makes calls to the hypervisor rather than executing machine I/O instructions that the hypervisor would otherwise have to trap and simulate. Xen and Parallels Workstation call such a call a "hypercall"; IBM's VM implements the same idea with the DIAGNOSE instruction. VMware supplements the slowest rough corners of its virtualization with paravirtualized device drivers for the guest. All are really the same thing: a system call to the hypervisor below. Examples include VMware ESX Server, IBM's LPARs, Win4Lin 9x, Sun's Logical Domains, z/VM, and TRANGO.
IBM's Logical Partitioning (LPAR) allows you to run multiple, independent operating system images of AIX and Linux on a single server (that supports such partitioning, such as the pSeries family). The minimum resources needed for a pSeries partition are: one processor, 256 MB memory, an I/O slot and its attached devices. The AIX Workload Manager (WLM) is used for resource management.
IBM introduced Dynamic Logical Partitioning (DLPAR) in AIX 5L Version 5.2. DLPAR allows you to dynamically add and remove resources from active partitions.
Other server families, such as the iSeries, and other IBM operating systems, such as OS/400, also support logical partitioning. There is a primary OS/400 partition, that loads a hypervisor (known as "the Hypervisor"), which provides partition control, mediation, and isolation. You can then have further OS/400 partitions, as well as Linux partitions.
Note that the POWER4 architecture has features that help in virtualization (such as a special hypervisor mode in the processor, the ability to include an address offset when using non-virtual memory addressing, support for multiple global interrupt queues in the interrupt controller, and so on). The firmware of these machines is also specialized for virtualization.
IBM has a number of server offerings. The zSeries is IBM's mainframe range that can run operating systems such as z/OS, z/OS.e, z/VM, VSE/ESA, a transaction processing OS (TPF), and Linux. The iSeries are midrange servers running OS/400 and Linux. The pSeries exist in various ranges, and run AIX and Linux. There are other server solutions for clustering, storage, etc.
Denali is virtualization software that uses paravirtualization to provide high-performance virtual machines on x86 computers. Denali's virtual machines support special minimal OSs for Internet services, and the system can scale to thousands of virtual machines. Denali does not preserve the application binary interface (ABI), so applications must be recompiled to run within a library operating system; in this sense it is similar to the MIT Exokernel operating system.
The Xen virtualization system differs from Denali in that it is intended to run a moderate number of full-featured operating systems, rather than a large number of specialized, lightweight ones.
Chapter 4.2.6 - Operating system level virtualization
Operating System-level Virtualization is a server virtualization technology which virtualizes servers on an operating system (kernel) layer. It can be thought of as partitioning: a single physical server is sliced into multiple small partitions (otherwise called virtual environments (VE), virtual private servers (VPS), guests, zones, etc); each such partition looks and feels like a real server, from the point of view of its users. Examples are Linux-VServer, Virtuozzo (for Windows or Linux), OpenVZ, Solaris Zones and FreeBSD Jails.
Solaris 10 lets you run multiple guest environments (Zones) under one operating system instance. All of them share the same kernel: you cannot run a different kernel version, nor an OS other than Solaris, because there is only one copy of the Solaris kernel. According to Sun, the concept is derived from the FreeBSD "jail" concept: a Zone (also known as a "container") is an isolated and secure execution environment that appears as a "real machine" to applications. The FreeBSD "jail" mechanism allows you to create an isolated environment by software means. Jail builds on chroot(2), and each jail has its own root. Processes in a jail do not have access to or visibility of files, processes, or network services in other jails, and a jail can be restricted to a single IP address.
AIX's Micro-Partitioning is sometimes listed here, but it is a hypervisor (LPAR) feature rather than OS-level virtualization; the AIX equivalent of this technique is Workload Partitions (WPARs), introduced with AIX 6.1.
The OS-level architecture has low overhead, which helps to maximize efficient use of server resources. The virtualization introduces only negligible overhead and allows running hundreds of virtual private servers on a single physical server. In contrast, full virtualization (like VMware) and paravirtualization (like Xen or UML) cannot achieve that density, because each guest runs its own kernel. On the other hand, OS-level virtualization cannot run different operating systems (i.e. different kernels), although different libraries, distributions etc. are possible. The shared kernel is also the trust boundary: a kernel vulnerability reachable from inside one container affects every container on the host.
Chapter 4.2.7 - Application Virtualization
Application virtualization solutions such as Thinstall, Softricity, and Trigence separate application-specific files and settings from the host operating system, allowing applications to run in more-or-less isolated sandboxes without installation and without the memory and disk overhead of full machine virtualization. Application virtualization is tightly tied to the host OS and thus does not translate to other operating systems or hardware: Thinstall and Softricity are Windows/x86 centric, while Trigence supports Linux and Solaris. Unlike machine virtualization, application virtualization does not use code emulation or translation, so CPU-bound benchmarks run unchanged, though filesystem benchmarks may show some degradation. On Windows, Thinstall and Softricity essentially work by intercepting an application's filesystem and registry requests and redirecting them to a preinstalled isolated sandbox, allowing the application to run without installation or changes to the local PC. Though both began independent development around 1998, behind the scenes they are implemented using different techniques.
Thinstall works by packaging an application into a single "thinstalled" EXE which includes the runtime plus the application's data files and registry. Thinstall's runtime is loaded by Windows as a normal Windows application; from there the runtime replaces the Windows loader, filesystem, and registry for the target application and presents a merged image of the host PC as if the application had been previously installed. Thinstall replaces all related API functions for the host application; for example, a ReadFile call made by the application must pass through Thinstall before it reaches the operating system. If the application is reading a virtual file, Thinstall handles the request itself; otherwise the request is passed on to the operating system. Since Thinstall is implemented in user mode without device drivers and has no preinstalled client, applications can run directly from USB flash drives or network shares without needing elevated privileges.
Softricity (acquired by Microsoft) operates on a similar principle but uses device drivers to intercept file requests in ring 0, closer to the operating system. Softricity installs a client with administrator rights, which can then be used by restricted users on the machine. An advantage of virtualizing at the kernel level is that the Windows loader (responsible for loading EXE and DLL files) does not need to be reimplemented, so greater application compatibility can be achieved with less work (Softricity claims to support most major applications). The disadvantage of a ring 0 implementation is that it requires elevated privileges to install, and crashes or security defects affect the whole system rather than being isolated to a specific application.
As Application Virtualization runs all application code natively, it can only provide security guarantees as strong as the host OS is able to provide. Unlike full machine virtualization, Application virtualization solutions currently do not work with device drivers and other code that runs at ring0 such as virus scanners. These special applications must be installed normally on the host PC in order to function.
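The redirection mechanism described above for Thinstall and Softricity, modelled in Python as an added example for this handbook (it is not either product's code): a read of a "virtual" file is answered from the package, any other read is passed through to the host OS, and writes are diverted into a per-application sandbox so the host is never modified. The package mapping, the sandbox layout and the file names are assumptions made for the example, and the host directory is a throwaway temporary directory.

```python
"""User-mode file redirection, as an application virtualization layer does it.

Added example for this handbook, not Thinstall or Softricity code. Reads of
"virtual" files are answered from the package, other reads pass through to
the host OS, and writes are diverted into a per-application sandbox so the
host is never modified. Package layout and sandbox naming are assumptions.
"""
import os
import tempfile


class VirtualFS:
    def __init__(self, package, sandbox_dir):
        # package: {absolute path: bytes} baked into the "thinstalled" EXE
        self.package = dict(package)
        self.sandbox_dir = sandbox_dir

    def _sandbox_path(self, path):
        """Map any absolute host path to a private copy under the sandbox."""
        drive, rest = os.path.splitdrive(os.path.normpath(path))
        return os.path.join(self.sandbox_dir, drive.rstrip(":"), rest.lstrip(os.sep))

    def read_file(self, path):
        """Intercepted read: sandbox copy first, then package, then the real OS."""
        sandboxed = self._sandbox_path(path)
        if os.path.exists(sandboxed):
            with open(sandboxed, "rb") as f:
                return f.read()
        if path in self.package:
            return self.package[path]
        with open(path, "rb") as f:        # pass-through to the host OS
            return f.read()

    def write_file(self, path, data):
        """Intercepted write: lands in the sandbox, never on the host."""
        sandboxed = self._sandbox_path(path)
        os.makedirs(os.path.dirname(sandboxed), exist_ok=True)
        with open(sandboxed, "wb") as f:
            f.write(data)
        return sandboxed

    def exists(self, path):
        """Merged view: the file is visible if any of the three layers has it."""
        return (os.path.exists(self._sandbox_path(path))
                or path in self.package or os.path.exists(path))


def demo():
    """Exercise the layer against a throwaway host directory (constructed data)."""
    host = tempfile.mkdtemp(prefix="host-")
    sandbox = tempfile.mkdtemp(prefix="sandbox-")
    host_cfg = os.path.join(host, "settings.ini")
    with open(host_cfg, "wb") as f:
        f.write(b"theme=light\n")
    virtual_dll = os.path.join(host, "app.dll")   # exists only inside the package
    vfs = VirtualFS({virtual_dll: b"MZ-virtual-dll"}, sandbox)

    results = {
        "virtual": vfs.read_file(virtual_dll),       # served from the package
        "passthrough": vfs.read_file(host_cfg),      # served by the host OS
        "dll_on_host": os.path.exists(virtual_dll),  # never materialized on the host
        "dll_visible": vfs.exists(virtual_dll),      # but visible in the merged view
    }
    vfs.write_file(host_cfg, b"theme=dark\n")        # diverted to the sandbox
    with open(host_cfg, "rb") as f:
        results["host_after"] = f.read()             # host file untouched
    results["after_write"] = vfs.read_file(host_cfg)  # merged view shows the change
    return results
```

Because the application's code still runs natively, the isolation is only as good as the interception: anything that reaches the OS without going through the hooked API (an application issuing its own system calls, or loading its own driver) touches the host directly, which is the point made above about the guarantees being bounded by the host OS.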
Chapter 4.2.8 - Cross-platform virtualization
It involves running an application compiled for a specific CPU and operating system on a platform with a different CPU and operating system, without modification to source code or binaries. Examples include Apple Rosetta and Transitive QuickTransit.
Chapter 4.2.9 - Managed runtimes
Another technique sometimes referred to as virtualization is portable byte code execution on a standard portable native runtime (a managed runtime). The two most popular solutions today are Java and .NET. Both use just-in-time (JIT) compilation to translate code from a virtual, portable machine language into the local processor's native code, so an application can be compiled once and run on many different machines.
Beyond portability, this technique offers strong security guarantees: because the runtime controls all native code generation, it can verify the byte code (for type safety, stack discipline and valid control flow) before any of it executes, rather than trusting an opaque native binary. The trade-off is that programs must be written for the environment in question, or manually rewritten and recompiled; one cannot automatically convert or run a native Windows or Linux application on .NET or Java. Because portable runtimes present a common API across a wide variety of hardware, applications are less able to take advantage of OS-specific features, and they carry higher memory and CPU overheads than optimized native applications, though these overheads are far smaller than those of full machine virtualization.
Byte code environments such as Java have become very popular on the server, where a wide variety of hardware exists and the set of OS-specific APIs required is standard across most Unix and Windows flavors. Another popular feature of managed runtimes is garbage collection, which automatically detects unused data and reclaims it without the developer having to explicitly invoke free operations.
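A worked illustration of two points from this chapter, added here as an example (it is not the JVM, the CLR or Bochs, and the instruction set is invented for the purpose): the fetch-decode-execute loop from the emulation section (4.2.1), where every guest instruction costs a full pass through the dispatch loop, and the managed-runtime verifier just described, which checks the byte code for stack discipline, valid jump targets and valid local slots before a single instruction executes. The instruction set, the programs and the stack limit are this example's own assumptions.

```python
"""Tiny stack-machine bytecode: a verifier in front of a fetch-decode-execute loop.

Added example for this handbook; it is not the JVM, the CLR or Bochs, and the
instruction set, programs and stack limit are invented here. The interpreter
is the emulation dispatch loop of section 4.2.1; the verifier is the
managed-runtime check-before-run idea of section 4.2.9.
"""

# opcode -> (values popped, values pushed, takes an immediate operand)
ISA = {
    "PUSH": (0, 1, True),  "ADD": (2, 1, False), "SUB": (2, 1, False),
    "MUL": (2, 1, False),  "LOAD": (0, 1, True), "STORE": (1, 0, True),
    "JZ": (1, 0, True),    "JMP": (0, 0, True),  "RET": (1, 0, False),
}
MAX_STACK = 16


class VerifyError(Exception):
    pass


def verify(program, nlocals):
    """Abstract interpretation over stack depth: every instruction must be reached
    with one consistent depth (the JVM's stack-map rule), so loops are checkable."""
    depth_at, work = {}, [(0, 0)]
    while work:
        pc, depth = work.pop()
        if not 0 <= pc < len(program):
            raise VerifyError(f"control transfer to pc {pc} is outside the program")
        if pc in depth_at:
            if depth_at[pc] != depth:
                raise VerifyError(f"inconsistent stack depth at pc {pc}")
            continue
        depth_at[pc] = depth
        instr = program[pc]
        op, arg = instr[0], (instr[1] if len(instr) > 1 else None)
        if op not in ISA or ISA[op][2] != (arg is not None):
            raise VerifyError(f"unknown opcode or bad operand for {op!r} at pc {pc}")
        pops, pushes, _ = ISA[op]
        if depth < pops:
            raise VerifyError(f"stack underflow at pc {pc}")
        new_depth = depth - pops + pushes
        if new_depth > MAX_STACK:
            raise VerifyError(f"stack overflow at pc {pc}")
        if op in ("LOAD", "STORE") and not 0 <= arg < nlocals:
            raise VerifyError(f"local {arg} out of range at pc {pc}")
        if op == "RET":
            if new_depth != 0:
                raise VerifyError(f"RET leaves {new_depth} extra values at pc {pc}")
            continue                              # nothing follows a return
        if op in ("JZ", "JMP"):
            work.append((arg, new_depth))         # taken branch
        if op != "JMP":
            work.append((pc + 1, new_depth))      # fall-through


def run(program, nlocals=4, max_steps=100_000):
    """Fetch-decode-execute loop; refuses anything the verifier rejects.
    Returns (result, number of guest instructions executed)."""
    verify(program, nlocals)
    stack, local_vars, pc = [], [0] * nlocals, 0
    for steps in range(1, max_steps + 1):
        instr = program[pc]                                          # fetch
        op, arg = instr[0], (instr[1] if len(instr) > 1 else None)  # decode
        if op == "PUSH":                                             # execute
            stack.append(arg)
        elif op in ("ADD", "SUB", "MUL"):
            b, a = stack.pop(), stack.pop()
            stack.append(a + b if op == "ADD" else a - b if op == "SUB" else a * b)
        elif op == "LOAD":
            stack.append(local_vars[arg])
        elif op == "STORE":
            local_vars[arg] = stack.pop()
        elif op == "JZ" and stack.pop() == 0:                        # JZ always pops
            pc = arg
            continue
        elif op == "JMP":
            pc = arg
            continue
        elif op == "RET":
            return stack.pop(), steps
        pc += 1
    raise RuntimeError("step limit exceeded: runaway guest program")


# 5! with a counted loop; local 0 holds n, local 1 the accumulator.
FACTORIAL = [
    ("PUSH", 5), ("STORE", 0), ("PUSH", 1), ("STORE", 1),   # 0-3: n = 5, acc = 1
    ("LOAD", 0), ("JZ", 15),                                # 4-5: while n != 0
    ("LOAD", 1), ("LOAD", 0), ("MUL",), ("STORE", 1),       # 6-9: acc *= n
    ("LOAD", 0), ("PUSH", 1), ("SUB",), ("STORE", 0),       # 10-13: n -= 1
    ("JMP", 4),                                             # 14
    ("LOAD", 1), ("RET",),                                  # 15-16: return acc
]


def rejection_reason(program, nlocals=4):
    """The verifier's complaint for a program, or None if it is accepted."""
    try:
        verify(program, nlocals)
    except VerifyError as e:
        return str(e)
    return None
```

The verifier runs once, in time proportional to the program size, before execution starts; a program that would grow the stack without bound (a PUSH followed by a JMP back to it) or jump outside its own code is refused before a single instruction runs, which is the kind of guarantee an opaque native binary cannot offer. The step counter returned by run() is the cost of pure emulation made visible: 63 dispatch-loop iterations for a five-iteration loop.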
Chapter 4.3 - Resource Virtualization
Resource virtualization uses resource aggregation, spanning, or concatenation to combine individual components into larger resources or resource pools, such as:
- “Virtual memory” which provides a different virtual address space for each application. This allows uniform, contiguous addressing of physically separate and non-contiguous memory and disk areas
- “RAID” and “volume managers” combine many disks into one large logical disk.
- “Storage Virtualization” which refers to the process of completely abstracting logical storage from physical storage, and is commonly used in SANs. The physical storage resources are aggregated into storage pools, from which the logical storage is created. Multiple independent storage devices, which may be scattered over a network, appear to the user as a single, location-independent, monolithic storage device, which can be managed centrally.
- “Channel bonding” and network equipment use multiple links combined to work as though they offered a single, higher-bandwidth link.
- “Virtual Private Network” (VPN), “Network Address Translation” (NAT), and similar networking technologies create a virtualized network namespace within or across network subnets.
- “I/O virtualization” is the ability to run any I/O device on any server at any time and migrate that I/O device from server to server as needed.
Computer clusters, grid computing, and virtual servers use the above techniques to combine multiple discrete computers into larger metacomputers.
Now is the time for a quick run-through of the virtualization technologies currently available and a comparison between them.
The system emulator approach (i.e. virtual machines) allows the emulator to run an arbitrary guest operating system without modification, because the guest OS is not aware that it is not running on real hardware. The main issue with this approach is that some CPU instructions require additional privileges and cannot be executed in user space (or, on x86, silently behave differently there), so a virtual machine monitor (VMM) must either trap them or analyze the guest's code and rewrite it on the fly to make it safe.
Chapter 4.3.1 - Paravirtualization
The paravirtualization technique also requires a VMM, but most of its work is performed in the guest OS code, which is modified to support this VMM and to avoid unnecessary use of privileged instructions. Paravirtualization also enables running different OSs on a single server, but requires them to be ported, i.e. they must "know" they are running under the hypervisor.
When virtualization is done at the OS level, most applications running on a server can easily share a machine with others, provided they can be isolated and secured. Further, in most situations different operating systems are not required on the same server, merely multiple instances of a single operating system. OS-level virtualization systems have been designed to provide the required isolation and security to run multiple applications or copies of the same OS (possibly different distributions of it) on the same server.
The three techniques differ in complexity of implementation, breadth of OS support, performance compared with a standalone server, and level of access to common resources. For example, VMs have the widest scope of usage but the poorest performance. Para-VMs perform better but support fewer OSs, because the original OSs must be modified.
Virtualization at the OS level provides the best performance and scalability of the three. The performance difference from a standalone server can be as low as 1…3%. Virtual environments are usually also much simpler to administer, as all of them can be accessed and administered from the host system. Generally, such systems are the best choice for server consolidation of same-OS workloads.