Post on 26-Sep-2020
VirtualisationVirtualisation
Havard Bjerke
CERN openlab
● Virtual machines● Benefits of virtualisation● Computer architecture
– Memory management– Privilege separation– Interrupts
● Virtualisation● Para-virtualisation
OverviewOverview
Virtual MachinesVirtual Machines
● Software level– Java– Software
compatibility● Hardware level
– Ex: VMWare– Multiple OS
instances
● Encapsulation● Isolation
Abstraction vs VirtualisationAbstraction vs Virtualisation
● Abstraction– TCP/IP stack– Replaceable layers– Friction between
layers
TCP
IPv4
LAN
● Virtualisation– Virtual Private
Networking (VPN)
TCP
IPv4
VPN
ADSL
Abstraction vs VirtualisationAbstraction vs Virtualisation
● Computer abstraction layers
● Computer virtualisation
TCP
IP
Ethernet
User apps
OS
Hardware
User apps
OS
Virtual hardware
Hardware
Benefits of HW virtualisationBenefits of HW virtualisation
● General application:– Server consolidation
● HPC specific:– Software flexibility
● Let each user manage their own OS● And satisfy their own software dependencies
– Utilisation of SMP and multi-core resources.– Secure isolation between users– Migration between nodes– Checkpointing– Utilisation of public computing resources
Computer architecture
Computer architectureComputer architecture
● X86 – 80386, Pentium, Xeon● X86_64 – AMD64, EM64T● IA-64 – Itanium (IPF)
Page
Pagetable
Virtual memoryVirtual memory
Directory index
Globaldirectory
Globaldirectorypointer
0n
+
+
+
Table index Offset
Physicalmemory
Virtual address
Translation Lookaside BufferTranslation Lookaside Buffer
OffsetVirtual page number
Virtual page number
OffsetPhysical page number
Physical page number
VRN
RID
RID
Region registers
Protection ringsProtection rings
● Protect kernel from faulty or malicious code
● Protection of– Privileged state– Privileged
instructions– Privileged pages or
segments
KernelKernelKernelKernel
User
Kernel entryKernel entry
● From ring 3 to ring 0 – From User space to Kernel space
● System calls● Interrupt Service Routines● Device access
Interrupts and exceptionsInterrupts and exceptions
● Kernel entry– Exceptions
● General protection fault● Segmentation fault● Page fault● Divide-by-zero
– External interrupts● Keyboard● DMA finished● Packet on network● Timer
Interrupts and exceptionsInterrupts and exceptions
Interruption vectortable
Interrupt vector
External interrupt
CPUPIC
I/Odevice
InterruptServiceRoutine
ProcessesProcesses
● Multitasking
Process A Switch
Timerinterrupt
Process BSwitch
Timerinterrupt
Process A
Hardware Virtualization
VirtualisationVirtualisation
● Interpretation● Binary patching
or translation– Privileged
operations– Privilege-
sensitive operations
Physical hardware
Host OS kernel
VMM
User apps
Guest OS Guest OS
Ring 0
Ring 3User apps
User apps
Privileged operationsPrivileged operations
● The guest OS must think that it is privileged
Host OS
CPU
Privop
Ring 0
Ring > 0
Virtual CPU
CPU
Privop
Exception
Guest OS
Host OS
CPU
Privop
Exception
User app
Notification
Privilege-sensitive operationsPrivilege-sensitive operations
● Operations that are not protected, but– Access privileged state or– Whose results depend on CPL
Host OS
CPU
Privsens
Ring 0
Ring > 0
VMM
CPU
Privsens
Guest OS
Para-virtualisationPara-virtualisation
● Replace sensitive operations with calls to the Hypervisor - hypercalls
Physical hardware
Hypervisor
Guest OS Guest OSRing 1
Ring 0
User appsRing 3
User apps
Ring 0
Ring > 0
Hypervisor
Virtual CPU
Hypercall
Guest OS
Xen memory managementXen memory management
● X86– Page table updates through hypercalls– Direct mapping between physical and
virtual memory space● IA-64
– Logically separated address spaces using RIDs
– Physical memory space has its own RID
Vanderpool (VT)Vanderpool (VT)
● VTx, VTi
0 Guest kernel
1
2
3 User apps
0 Hypervisor
1
2
3 Control
VMX Nonroot VMX Root
VMEXIT
VMENTRY