
Virtualization analysis
CSD Fall 2011

Project owner: Björn Pehrson
Project coaches: Bruce Zamaere, Erik Eliasson, Hervé Ntareme, Siraj Rathore

Team members:
- Bowei Dai, daib@kth.se, 15 credits
- Elis Kullberg, elisk@kth.se, 18 credits
- Gurpreet Singh Sambhy, sambhy@kth.se, 24 credits
- Hannes Junnila, haju@kth.se, 15 credits
- Nur Mohammad Rashed, nmrashed@kth.se, 15 credits
- Siddharth Madan, smadan@kth.se, 15 credits
- Vasily Prokopov, Prokopov@kth.se, 18 credits

Table of Contents
1 Introduction
  1.1 Purpose of this document
  1.2 Scope of this document
  1.3 Audience of this document
  1.4 Introduction to virtualization
2 Overview of XEN, KVM and LXC
  2.1 XEN
  2.2 KVM
  2.3 LXC
3 Comparisons among XEN, KVM and LXC
  3.1 Macro-benchmarks
  3.2 Scalability
  3.3 Security
4 Advantages and disadvantages of XEN, KVM and LXC
  4.1 XEN
  4.2 KVM
  4.3 LXC
5 Practical aspects of container security
6 Conclusions
7 References

Overview of changes
Version 0.1: Initial document

1 Introduction

1.1 Purpose of this document
The purpose of this document is to give a brief introduction to different types of virtualization technologies and to compare them in order to choose the best one for the Bifrost router.

1.2 Scope of this document
The scope of this document is a brief introduction to, and comparison of, three main virtualization technologies: XEN, KVM and LXC.

1.3 Audience of this document
This document is mainly aimed at the coaches and teams of CareNet.

1.4 Introduction to virtualization
Virtualization, in computing, is the creation of a virtual (rather than actual) version of something, such as a hardware platform, an operating system, a storage device or network resources. [1] There are several types of virtualization: hardware virtualization, desktop virtualization, software virtualization, memory and storage virtualization, and so on. In this document we focus on hardware virtualization.

Hardware virtualization, or platform virtualization, refers to the creation of a virtual machine that acts like a real computer with an operating system. Software executed on these virtual machines is separated from the underlying hardware resources. For example, a computer running Microsoft Windows may host a virtual machine that looks like a computer with the Ubuntu Linux operating system; Ubuntu-based software can then be run on that virtual machine. [1][2]

There are two main techniques for hardware virtualization. In OS-level virtualization, virtual containers share a single kernel. In hypervisor-based virtualization, many virtual operating systems with different kernels run on one real physical machine. A supervisor is needed to manage these operating systems on one physical machine; however, each virtual operating system already contains a supervisor of its own. So the supervisor of the real machine gets a new name: hypervisor (also called VMM), meaning the supervisor of supervisors.

In more detail, hypervisor virtualization can be divided into two categories, Full Virtualization (FV) and Paravirtualization (PV), both of which can be combined with hardware-assisted virtualization. Full virtualization uses binary translation to run arbitrary, unmodified operating systems on top of the hypervisor; VMware is a good example of this. There can, however, be a significant cost, since the guest system runs on an emulation of the real system's resources. This cost can be mitigated by using hardware-assisted virtualization. Paravirtualization instead modifies the guest operating system to optimize the interplay between the virtual machine monitor and the virtual machine itself. It is also based on a hypervisor, but the devices are not emulated. The aim of the modified interface is to decrease execution time.

2 Overview of XEN, KVM and LXC

Table 1: comparison of Xen, KVM and LXC. [3]

2.1 XEN
Ian Pratt started the XEN research project at the University of Cambridge and released the first public edition in October 2003. After that, Ian founded the XenSource company, and the main releases 2.0 and 3.0 were delivered in 2004 and 2005. Xen is a hypervisor and can run guest systems, which are called domains. There are two types of domains: DomU is an unprivileged domain, and Dom0 is a special guest system with privileged functions which contains the applications that control the other guest systems. Dom0 uses a modified kernel and runs on the Xen hypervisor. It is the only domain that interacts with the hardware through Linux kernel drivers; a DomU relies on its virtual drivers to interact with hardware devices.

2.2 KVM
KVM (Kernel-based Virtual Machine) is an open source Linux kernel virtualization infrastructure which relies on hardware virtualization technologies. Its first version was part of Linux 2.6.20, released in February 2007. The KVM developers had an original idea: instead of writing a kernel themselves, they chose to use the Linux kernel itself as the basis for the hypervisor. Thus, KVM is currently implemented as loadable kernel modules: kvm.ko, which provides the core virtualization infrastructure, and a processor-specific module, kvm-intel.ko or kvm-amd.ko. This approach brings several benefits. The virtualized environment takes advantage of all the ongoing work on the Linux kernel itself. With KVM, each virtual machine is a regular Linux process scheduled by the Linux scheduler. KVM emulates virtual devices, such as network interfaces or hard disks. In order to improve performance, recent KVM versions propose a hybrid approach called virtio [4]. Virtio is a kernel API that improves the performance of communication between guest systems and the host system by providing a simpler and faster interface than the devices emulated by QEMU. Virtio-based devices exist both for network interfaces and for hard disks.

2.3 LXC
LXC is the user-space control package for Linux Containers, a lightweight virtual system mechanism sometimes described as "chroot on steroids". LXC builds up from chroot to implement complete virtual systems, adding resource management and isolation mechanisms to Linux's existing process management infrastructure. Linux Containers (lxc) implement:
- Resource management via process control groups (implemented via the cgroup filesystem)
- Resource isolation via new flags to the clone system call (capable of creating several types of new namespaces for things like PIDs and network routing)
- Several additional isolation mechanisms (such as the -o newinstance flag to the devpts file system)

3 Comparisons among XEN, KVM and LXC
In this section we evaluate the different virtualization solutions with a set of benchmarks.

3.1 Macro-benchmarks
Table 2: comparison of native Linux, Xen and KVM on CPU, kernel compile and disk I/O. [5]

Some distinct results can be read from this table:
- Xen and KVM had similar CPU performance (Xen: 0.999, KVM: 0.993)
- Xen was better than KVM on kernel compile (Xen: 0.487, KVM: 0.384)
- KVM was better on disk I/O: write (Xen: 0.855, KVM: 0.934), read (Xen: 0.852, KVM: 0.994)

3.2 Scalability
Picture 1: compile time and number of guests that run to completion. [5]

Results read from this picture:
- Xen scaled linearly with respect to the number of guests
- KVM had many guest crashes:
  - 4 guests: 1 crashed guest
  - 8 guests: 4 crashed guests
  - 16 guests: 7 crashed guests
  - 30 guests: system crashed during compile

3.3 Security
XEN and KVM usually allow you to run any operating system, since the emulation platform actually gets right down to emulating the hardware. LXC, by contrast, uses cgroups to create a restricted view of the host operating system. Within the LXC guest environment you can only see what the admin allows you to see of the host system; you can have a separate process space, for example, and also create a separate file system for the guest.

4 Advantages and disadvantages of XEN, KVM and LXC

4.1 XEN
Advantages of XEN:
- In the micro-benchmarks, XEN shows excellent performance, as shown in Table 2 above.
- XEN has a very good management tool, xm.
- XEN already has a large market share. Some vendors support XEN, and XEN users and developers are very active.

Disadvantages:
- XEN requires too many interrupts and hops between kernel and user space.

4.2 KVM
Advantages:
- It uses the Linux kernel as its hypervisor and does not duplicate scheduler and memory management code, which means KVM is simpler and shows that Linux is capable of being a good hypervisor.
- Red Hat is now in the KVM camp and will be pushing it as the virtualization platform of choice.
- KVM ships as an official kernel module, which means less maintenance for the distribution creators.

Disadvantages:
- It does not work on CPUs that don't have hardware virtualization support.
- Not very stable yet. Real mode emulation does not work perfectly on Intel machines.

4.3 LXC
Linux Containers take a completely different approach from system virtualization technologies such as KVM and Xen, which started by booting separate virtual systems on emulated hardware and then attempted to lower their overhead via paravirtualization and related mechanisms. Instead of retrofitting efficiency onto full isolation, LXC started out with an efficient mechanism (existing Linux process management) and added isolation, resulting in a system virtualization mechanism as scalable and portable as chroot, capable of simultaneously supporting thousands of emulated systems on a single server while also providing lightweight virtualization options to routers and smart phones. LXC is small enough that a container can easily be managed with simple command lines, and complete enough to be used for other purposes. It has virtually no overhead, and it provides a degree of flexibility because of its ability to share resources between different LXC guests. Also, LXC supports not only virtualizing a running instance of an operating system but also individual applications, for which devoting an entire virtual machine is overkill.

Advantages: [6]
- Better isolation compared to a chroot (chroot jail).
- Low overhead. LXC uses minimal resources in terms of RAM and hard drive space, without the overhead of installing a guest OS in a virtual machine (VMware / VirtualBox / KVM).
- Applications and services (servers) run at native speed.
- There is support for Linux containers in libvirt.
- Linux containers work well with btrfs.
- No special hardware is required; it runs on 32- and 64-bit processors.
- Linux containers are open source.
- Unlike XEN or OpenVZ, no patch to the kernel is required.

Disadvantages:
- Linux containers run Linux processes on a Linux kernel. This means you can run Linux (a Fedora container on an Ubuntu host) but not other operating systems (not BSD / OS X / Windows).
- There are no GUI (graphical) interfaces to configure or manage the containers.
- There is a paucity of documentation on how to install and configure a container.
- Configuring a container requires a modest technical knowledge and skill (and a large grain of patience).

5 Practical aspects of container security

5.1 Overview
For the time being, it seems that container-based virtualization is the only option for the residential gateways. The main issue regarding container-based virtualization solutions is security. In this section we provide an overview of the most important security-related aspects of Linux Containers. These guidelines should provide full guest-to-host isolation. This is needed to assure custodians that administrators with container access cannot view the internet traffic on unrelated ports of the residential gateway.

5.2 Filesystem
When setting up the fstab of the guest operating system, it is possible to simply mount elements of the host's filesystem into the guest. This reduces redundancy of, for example, library files, but leads to security issues in terms of privacy. More importantly, mounting the /dev/ folder or the /proc/ folder will enable a root user inside a container to reboot the entire host, using for example:

    echo 1 > /proc/sys/kernel/sysrq
    echo b > /proc/sysrq-trigger

which could be a security issue. On the other hand, it is quite useful in the CareNet case, since it enables administrators to change the host kernel settings (through the /proc/ filesystem) from the guest.

5.3 Cgroups
Every new container needs a separate cgroups filesystem that provides a data structure for storing most control information.

5.4 Networking
There exist multiple ways of connecting network devices to a host, with different demands on hardware and different security considerations. On lxc the following four are implemented:
- phys: A network device is dedicated to a container. This is the most secure one, as other containers and the host userspace can't access the network device. An issue, however, is that dedicated hardware is needed for running multiple hosts. This makes it not only more expensive, but less efficient, if the cards wouldn't be needed otherwise.
- vlan: The host is connected to a virtual LAN on a physical device on the host machine. From a security standpoint this would be similar to the above. However, it comes with the need for the routers/switches of the network to be able to do VLAN tagging.
- veth: A virtual hub is created so that the host can share one physical network device. This is the most widely used, as it doesn't need any extra hardware and enables easy communication between the host computer and the containers. However, it comes with one big security issue: all the containers and the host machine can listen to all communication through the network device. This allows eavesdropping on other hosts, which is especially a concern if the hosts are not supposed to have knowledge of each other, such as at a commercial provider.
- macvlan: This method allows the kernel to create virtual LANs based on the MAC address of the client, so that the physical device corresponds to multiple MAC addresses and can separate the traffic going to any of the virtual interfaces on the client machines. This gives a good separation between the host and the different clients, as to them it looks like they are connected to a switch forwarding the traffic only to its actual destination, which prevents eavesdropping on the other clients and the host. [7]

6 Conclusions
Considering the aspects of overhead and speed, LXC is much better than the other two options. Furthermore, only static files can be run on Bifrost, and of these three alternatives only LXC supports this kind of file, which means LXC is the most suitable choice for Bifrost. If configured correctly, LXC does provide a secure guest environment.
For the time being, namespace isolation is the only option for CareNet, since the residential gateways do not feature the VT-x (or similar) CPU instruction set extensions needed for full virtualization.
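As an added example (not part of the original report), the following Python script audits a legacy-syntax LXC container configuration for the two issues raised in sections 5.2 and 5.4: writable mounts of the host's /proc, /dev or /sys inside the guest, and a veth network type that places every container and the host on one shared bridge. The configuration text, container name and paths are constructed for illustration; lxc.network.type and lxc.mount.entry are the legacy LXC configuration keys.

```python
"""Audit a legacy-syntax LXC config for the host-mount and veth risks of section 5."""

# Verdict per lxc.network.type (report, 5.4): phys and macvlan separate traffic
# per container, vlan needs tagging switches, veth is one shared virtual hub.
NETWORK_RISK = {
    "phys": "ok: dedicated NIC",
    "macvlan": "ok: traffic separated per MAC address",
    "vlan": "ok: requires VLAN tagging on routers/switches",
    "veth": "shared bridge: containers and host can eavesdrop on each other",
}

# Host directories whose exposure gives container root a handle on the host
# kernel (the report's sysrq reboot example goes through /proc).
SENSITIVE_SOURCES = ("/proc", "/dev", "/sys")
KERNEL_FSTYPES = ("proc", "sysfs", "devtmpfs")

def parse_config(text):
    """Return (network_types, mount_entries) from legacy 'key = value' lines;
    each mount entry is its fstab-style fields: source target fstype options."""
    nets, mounts = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "lxc.network.type":
            nets.append(value)
        elif key == "lxc.mount.entry":
            mounts.append(value.split())
    return nets, mounts

def audit_mounts(mounts):
    """Flag writable mounts of host kernel interfaces inside the container.
    A fresh 'proc' mount exposes /proc/sysrq-trigger just like a bind mount of
    the host's /proc, so both are flagged unless 'ro'. Read-only is only a first
    line of defence: container root keeping CAP_SYS_ADMIN could remount."""
    findings = []
    for fields in mounts:
        if len(fields) < 4:
            findings.append("malformed mount entry: " + " ".join(fields))
            continue
        source, target, fstype, options = fields[:4]
        opts = set(options.split(","))
        host_bind = "bind" in opts and source.rstrip("/") in SENSITIVE_SOURCES
        if (fstype in KERNEL_FSTYPES or host_bind) and "ro" not in opts:
            findings.append(f"writable kernel interface: {source} -> {target}")
    return findings

def audit(text):
    """Run both checks on a config text and return a report dict."""
    nets, mounts = parse_config(text)
    return {"network": [NETWORK_RISK.get(t, "unknown type: " + t) for t in nets],
            "mounts": audit_mounts(mounts)}

# Constructed sample (not from the report): a veth guest that is also given the
# host's /proc and /dev, plus a harmless read-only bind mount of /lib.
SAMPLE_CONFIG = """\
lxc.network.type = veth
lxc.network.link = br0
lxc.mount.entry = proc /var/lib/lxc/gw/rootfs/proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry = /dev /var/lib/lxc/gw/rootfs/dev none bind 0 0
lxc.mount.entry = /lib /var/lib/lxc/gw/rootfs/lib none ro,bind 0 0
"""

REPORT = audit(SAMPLE_CONFIG)  # two mount findings plus the veth warning
```

The report for the sample flags the veth bridge and the two writable kernel interfaces while accepting the read-only /lib bind mount.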

7 References
[1] Turban, E.; King, D.; Lee, J.; Viehland, D. (2008). "Chapter 19: Building E-Commerce Applications and Infrastructure". Electronic Commerce: A Managerial Perspective (5th ed.). Prentice-Hall. p. 27.
[2] "Virtualization in education". IBM. October 2007. Retrieved 6 July 2010. "A virtual computer is a logical representation of a computer in software. By decoupling the physical hardware from the operating system, virtualization provides more operational flexibility and increases the utilization rate of the underlying physical hardware."
[3] http://virt.kernelnewbies.org/techcomparison
[4] Rusty Russell. virtio: towards a de-facto standard for virtual I/O devices. SIGOPS Oper. Syst. Rev., 42(5):95-103, 2008.
[5] Todd Deshane (Ph.D. Student, Clarkson University). Quantitative Comparison of Xen and KVM. Xen Summit, June 23-24, 2008, Boston, MA, USA.
[6] http://blog.bodhizazen.net/linux/lxc-linux-containers/
[7] http://blog.flameeyes.eu/2010/09/04/linux-containers-and-networking