VirtualisationVirtualisation

Havard Bjerke

CERN openlab

● Virtual machines● Benefits of virtualisation● Computer architecture

– Memory management– Privilege separation– Interrupts

● Virtualisation● Para-virtualisation

OverviewOverview

Virtual MachinesVirtual Machines

● Software level– Java– Software

compatibility● Hardware level

– Ex: VMWare– Multiple OS

instances

● Encapsulation● Isolation

Abstraction vs VirtualisationAbstraction vs Virtualisation

● Abstraction– TCP/IP stack– Replaceable layers– Friction between

layers

TCP

IPv4

LAN

● Virtualisation– Virtual Private

Networking (VPN)

TCP

IPv4

VPN

ADSL

Abstraction vs VirtualisationAbstraction vs Virtualisation

● Computer abstraction layers

● Computer virtualisation

TCP

IP

Ethernet

User apps

OS

Hardware

User apps

OS

Virtual hardware

Hardware

Benefits of HW virtualisationBenefits of HW virtualisation

● General application:– Server consolidation

● HPC specific:– Software flexibility

● Let each user manage their own OS● And satisfy their own software dependencies

– Utilisation of SMP and multi-core resources.– Secure isolation between users– Migration between nodes– Checkpointing– Utilisation of public computing resources

Computer architecture

Computer architectureComputer architecture

● X86 – 80386, Pentium, Xeon● X86_64 – AMD64, EM64T● IA-64 – Itanium (IPF)

Page

Pagetable

Virtual memoryVirtual memory

Directory index

Globaldirectory

Globaldirectorypointer

0n

+

+

+

Table index Offset

Physicalmemory

Virtual address

Translation Lookaside BufferTranslation Lookaside Buffer

OffsetVirtual page number

Virtual page number

OffsetPhysical page number

Physical page number

VRN

RID

RID

Region registers

Protection ringsProtection rings

● Protect kernel from faulty or malicious code

● Protection of– Privileged state– Privileged

instructions– Privileged pages or

segments

KernelKernelKernelKernel

User

Kernel entryKernel entry

● From ring 3 to ring 0 – From User space to Kernel space

● System calls● Interrupt Service Routines● Device access

Interrupts and exceptionsInterrupts and exceptions

● Kernel entry– Exceptions

● General protection fault● Segmentation fault● Page fault● Divide-by-zero

– External interrupts● Keyboard● DMA finished● Packet on network● Timer

Interrupts and exceptionsInterrupts and exceptions

Interruption vectortable

Interrupt vector

External interrupt

CPUPIC

I/Odevice

InterruptServiceRoutine

ProcessesProcesses

● Multitasking

Process A Switch

Timerinterrupt

Process BSwitch

Timerinterrupt

Process A

Hardware Virtualization

VirtualisationVirtualisation

● Interpretation● Binary patching

or translation– Privileged

operations– Privilege-

sensitive operations

Physical hardware

Host OS kernel

VMM

User apps

Guest OS Guest OS

Ring 0

Ring 3User apps

User apps

Privileged operationsPrivileged operations

● The guest OS must think that it is privileged

Host OS

CPU

Privop

Ring 0

Ring > 0

Virtual CPU

CPU

Privop

Exception

Guest OS

Host OS

CPU

Privop

Exception

User app

Notification

Privilege-sensitive operationsPrivilege-sensitive operations

● Operations that are not protected, but– Access privileged state or– Whose results depend on CPL

Host OS

CPU

Privsens

Ring 0

Ring > 0

VMM

CPU

Privsens

Guest OS

Para-virtualisationPara-virtualisation

● Replace sensitive operations with calls to the Hypervisor - hypercalls

Physical hardware

Hypervisor

Guest OS Guest OSRing 1

Ring 0

User appsRing 3

User apps

Ring 0

Ring > 0

Hypervisor

Virtual CPU

Hypercall

Guest OS

Xen memory managementXen memory management

● X86– Page table updates through hypercalls– Direct mapping between physical and

virtual memory space● IA-64

– Logically separated address spaces using RIDs

– Physical memory space has its own RID

Vanderpool (VT)Vanderpool (VT)

● VTx, VTi

0 Guest kernel

1

2

3 User apps

0 Hypervisor

1

2

3 Control

VMX Nonroot VMX Root

VMEXIT

VMENTRY