UNIT II
VIRTUALIZATION

Introduction, Virtualized Environment characteristics, Server Virtualization,
Implementation levels of virtualization – virtualization structure – virtualization of CPU,
Memory and I/O devices – Virtualization for data center automation – Virtualization Management –
Storage Virtualization – Network Virtualization.
Introduction - Virtualization
• Virtualization is a computer architecture technology by which multiple virtual
machines (VMs) are multiplexed on the same hardware machine.
• A Virtual Machine (VM) is not a real machine, but it can be created from another
physical machine.
• More than one VM may share the resources (CPU, memory, hard disk and network
resources) of the same physical machine. One physical machine may host more than one VM.
• A VM is used to create a different execution environment, which may be entirely
different from the execution environment of the physical host.
• Host system – the physical machine (Host OS)
• Guest system – the virtual machine (Guest OS)
Virtualization
• The purpose of a VM is to enhance resource sharing by many
users and improve computer performance in terms of resource
utilization and application flexibility.
• The idea is to separate the hardware from the software to yield
better system efficiency.
• A traditional computer runs with a host operating system specially
tailored for its hardware architecture, as shown in Figure (a).
• After virtualization, different user applications managed by their
own operating systems (guest OS) can run on the same hardware,
independent of the host OS. This is often done by adding additional
software, called a virtualization layer as shown in Figure (b).
• This virtualization layer is known as the hypervisor or virtual machine
monitor (VMM).
Difference between Traditional Computer and Virtual Machines

Figure: a traditional computer (hardware, host OS, applications) compared with a
virtualized machine (hardware, virtualization layer, several guest OSes each with their
own applications). (Courtesy of VMware, 2008)

Copyright © 2012, Elsevier Inc. All rights reserved. 1-5
Characteristics of virtualized environment

Figure: Virtualization reference model
• Guest: virtual image, applications
• Virtualization layer (software emulation): virtual hardware, virtual storage, virtual networking
• Host: physical hardware, physical storage, physical networking
• Virtualization has three characteristics that make it ideal for cloud computing:
• Partitioning: In virtualization, many applications and operating systems (OSes)
are supported in a single physical system by partitioning (separating) the
available resources.
• Isolation: Each virtual machine is isolated from its host physical system and
from other virtualized machines. Because of this isolation, if one virtual
instance crashes, it doesn't affect the other virtual machines. In addition, data
isn't shared between one virtual container and another.
• Encapsulation: A virtual machine can be represented (and even stored) as a
single file, so you can identify it easily based on the service it provides. In
essence, the encapsulated process could be a business service. This encapsulated
virtual machine can be presented to an application as a complete entity.
Therefore, encapsulation can protect each application so that it doesn't
interfere with another application.
Taxonomy of Virtualized Environment

Figure: taxonomy of virtualization techniques (virtualization model → how it is done → technique)
• Execution environment
– Process level: Emulation → Application; Programming Language → High-Level VM;
Operating System → Multiprogramming
– System level: Hardware → Hardware-assisted Virtualization, Full Virtualization,
Paravirtualization, Partial Virtualization
• Storage virtualization
• Network virtualization
• ....
Execution virtualization
1) Machine reference model

Figure: machine reference model. Layers from top to bottom: Applications → (API calls)
API → Libraries → (System calls) ABI → Operating System → ISA → Hardware. Applications
and libraries see only the User ISA; the operating system uses the full ISA.
2) Hardware Level virtualization

Figure: the Guest (its in-memory representation and the virtual image in storage) runs
as a Virtual Machine on top of the VMM, which performs host emulation (binary translation,
instruction mapping, interpretation, ...) on the Host.
3)Hardware Virtualization techniques
• Hardware assisted virtualization
• Full virtualization
• Para virtualization
• Partial virtualization
Hypervisors
4) OS level virtualization offers the opportunity to
create different and separated execution
environments for applications that are managed
concurrently. It is different from hardware
virtualization —there is no virtual machine manager
or hypervisor, and the virtualization is done within a
single operating system, where the OS kernel allows
for multiple isolated user space instances.
5)Programming level virtualization is mostly
used for achieving ease of deployment of
applications, managed execution, and
portability across different platforms and
operating systems. It consists of a virtual
machine executing the byte code of a
program, which is the result of the
compilation process.
6) Application level virtualization
• Interpretation
• Binary Translation
Virtualization and cloud

Figure: VM migration. Before migration, the VMs are spread across Server A (running)
and Server B (running), each above its Virtual Machine Manager. After migration, all
VMs are consolidated on Server A (running) and Server B is inactive.
Advantage and disadvantage of virtualization

Advantages:
• Eliminates the need for numerous dedicated servers;
• Cost effective because many times server software
installation provisioning is available;
• If one virtual server has a software failure, the other
servers will not be affected;
• Reduces energy costs because only one device is
running instead of several;
• Offers a flexible IT infrastructure;
• Can quickly make changes with little downtime.
• Reduced spending. For companies with fewer than 1,000 employees, up
to 40 percent of an IT budget is spent on hardware. Purchasing multiple
servers is often a good chunk of this cost. Virtualizing requires fewer
servers and extends the lifespan of existing hardware. This also means
reduced energy costs.
• Easier backup and disaster recovery. Disasters are swift and unexpected.
In seconds, leaks, floods, power outages, cyber-attacks, theft and even
snow storms can wipe out data essential to your business. Virtualization
makes recovery much swifter and accurate, with less manpower and a
fraction of the equipment – it’s all virtual.
• More efficient IT operations. Going to a virtual environment can make
everyone’s job easier – especially the IT staff. Virtualization provides an
easier route for technicians to install and maintain software, distribute
updates and maintain a more secure network. They can do this with less
downtime, fewer outages, quicker recovery and instant backup as
compared to a non-virtual environment.
Disadvantages
• Resource hogging could occur if there are too many
virtual servers within a physical machine;
• As software updates and patches must be compatible
with everything running on the virtual machine, admins
may have reduced control over the physical environment;
• Administration, including backup and recovery, requires
specialized knowledge;
• If user experience is impacted, it can be difficult to
identify the root cause;
• Services offered by a dedicated server are more
accessible.
Server Virtualization
• Introduction
• History
• Server Virtualization Software
• Server Virtualization Hardware
• Determining Server Hardware
• Pros and Cons of Server Virtualization
• Pros and Cons of Dedicated Servers
• Hyper-V Demo
Introduction
• What is Virtualization?
– Virtualization is the creation of a virtual resource or device
where the framework divides the resource into one or more
execution environments
• Examples of Virtualization
– Virtual drives
– Virtual memory
– Virtual machines
– Virtual servers

• Why is it popular?
History
• 1960s Machines
– Did not scale well
– Extremely expensive
– Cost efficiency was desired

• IBM-360 Operating System (1964)
– Virtual Memory

• IBM 370 Operating System (1972)
– Virtual Machines
– Used in many mainframe environments
Virtualization Software
• Microsoft Virtual Server (2005)
– Came with Microsoft Server 2003
– Did not scale well with 64 bit systems
– Replaced by Hyper-V

• Microsoft Hyper-V (2008 & 2012)
– Hyper-V is short for Hypervisor
– Free release with Server 2008 and 2012
– Best option for Microsoft based virtualization
Hyper-V Architecture
Virtualization Software
• VMware (Company)
– Releases most popular line of virtualization software
– First company to utilize virtualization on x86 machines
– Software runs on Linux, Windows, and MAC
• vSphere (aka ESX)
– Costly
– High overhead
• VMware Server
– Free
– Not as powerful as ESX
ESX Architecture
Hypervisor
• The Hypervisor is the piece of software that enables virtualization

• It allows the host machine to allocate resources to guest machines
Hypervisor
Type I versus Type II Hypervisor
Virtualization Hardware
• CPU
– At least one CPU core per virtual machine
– Having free cores for high stress situations is recommended

• RAM
– No set amount for RAM
– Estimate minimum amounts of RAM and upgrade based on performance
Virtualization Hardware
• Networking
– Multiple network cards
required for increased
throughput
– Measure peak traffic
amounts
– Network Virtualization
Virtualization Hardware
• Storage
– Local storage on servers is limited
– Allow for 20% extra storage space for VM files and
server snapshots
– Storage Networks (highly recommended)
• Storage Area Network (SAN) – Large data transfers
• Network Attached Storage (NAS) – File-based data
storage
Pros and Cons of Server Virtualization
• Pros
– Cost
• Less physical servers
• Less server space (consolidation of servers)
• Less energy costs
• Less maintenance

– Efficient Administration
• Easier management, management through one machine
• Single point of failure
• Smaller IT staff
Pros and Cons of Server Virtualization
• Pros
– Growth and Scalability
• Upgrading one server upgrades them all
• Easy growth
• Less hardware complications
– Security
• Single server security maintenance
• Hypervisor software often provides security benefits
– Legacy Servers
• Upgrading servers to a virtual setup from old systems
• Goes hand-in-hand with scalability
Pros and Cons of Server Virtualization
• Cons
– Slow Performance
• High stress on single machine
• Longer processing times
• More network bottlenecking

– Single Point of Failure
• Many servers on one host machine
• Hardware or software failures can be critical
• Backup servers will need to be set up
Pros and Cons of Server Virtualization
• Cons
– Cost
• High initial investment
• Software licensing costs
– Security
• All servers through one machine
– Learning curve
• Many different types of software
• Different architecture
Levels of Virtualization Implementation

• Instruction set architecture (ISA) level
• Hardware abstraction layer (HAL) level
• Operating system level
• Library (user-level API) level
• Application level
Virtualization Ranging from Hardware to Applications in
Five Abstraction Levels
Virtualization at ISA (Instruction Set Architecture) level:
Emulating a given ISA by the ISA of the host machine.
• e.g., MIPS binary code can run on an x86-based host machine with the help of
ISA emulation.
• Typical systems: Bochs, Crusoe, QEMU, BIRD, Dynamo
Advantage:
• It can run a large amount of legacy binary code written for various processors
on any given new hardware host machine
• Best application flexibility
Shortcoming & limitation:
• One source instruction may require tens or hundreds of native target
instructions to perform its function, which is relatively slow.
• A V-ISA requires adding a processor-specific software translation layer in the
compiler.
• The basic emulation method is through code interpretation. An interpreter
program interprets the source instructions to target instructions one by one.
• For better performance, dynamic binary translation is desired. This approach
translates basic blocks of dynamic source instructions to target instructions.
• The basic blocks can also be extended to program traces or super blocks to
increase translation efficiency. Instruction set emulation requires binary
translation and optimization. A virtual instruction set architecture (V-ISA) thus
requires adding a processor-specific software translation layer to the compiler.
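The two emulation methods described above, interpretation and dynamic translation of basic blocks with a code cache, as an added example that is not from the slides. The guest accumulator ISA, its program and the Python "host" code the translator emits are all constructed here:

```python
"""ISA-level emulation: interpretation vs. dynamic binary translation.
Added example, not from the slides. The guest is a made-up accumulator ISA; the
"host" is Python, so a translated basic block is Python source generated at run
time and compiled once. Program, ISA and counters are constructed."""

# Constructed guest program: r1 = 10 + 9 + ... + 1 = 55, then halt.
# Each entry is (opcode, operands...); the list index is the address.
GUEST_PROGRAM = [
    ("li", "r0", 10),       # 0: r0 = loop counter
    ("li", "r1", 0),        # 1: r1 = running sum
    ("add", "r1", "r0"),    # 2: r1 += r0            <- loop head
    ("subi", "r0", 1),      # 3: r0 -= 1
    ("bnez", "r0", 2),      # 4: if r0 != 0 goto 2   (ends the basic block)
    ("halt",),              # 5
]

def interpret(program):
    """Interpreter: fetch, decode and perform one source instruction at a time."""
    regs, pc, decoded = {"r0": 0, "r1": 0}, 0, 0
    while True:
        op, *args = program[pc]
        decoded += 1                      # every executed instruction pays decode cost
        if op == "li":
            regs[args[0]] = args[1]
            pc += 1
        elif op == "add":
            regs[args[0]] += regs[args[1]]
            pc += 1
        elif op == "subi":
            regs[args[0]] -= args[1]
            pc += 1
        elif op == "bnez":
            pc = args[1] if regs[args[0]] != 0 else pc + 1
        elif op == "halt":
            return regs, decoded
        else:
            raise ValueError(f"unknown opcode {op}")

def translate_block(program, start):
    """Dynamic binary translation: emit host code (here Python source) for the
    basic block starting at `start`, i.e. every instruction up to and including
    the first control transfer, and compile it once. The compiled block takes
    the register file and returns the next pc (None after halt)."""
    lines, pc = ["def block(regs):"], start
    while True:
        op, *args = program[pc]
        if op == "li":
            lines.append(f"    regs[{args[0]!r}] = {args[1]}")
        elif op == "add":
            lines.append(f"    regs[{args[0]!r}] += regs[{args[1]!r}]")
        elif op == "subi":
            lines.append(f"    regs[{args[0]!r}] -= {args[1]}")
        elif op == "bnez":   # a branch ends the block; both successors are known
            lines.append(f"    return {args[1]} if regs[{args[0]!r}] != 0 else {pc + 1}")
            break
        elif op == "halt":
            lines.append("    return None")
            break
        else:
            raise ValueError(f"unknown opcode {op}")
        pc += 1
    namespace = {}
    exec("\n".join(lines), namespace)   # compile the block to host code once
    return namespace["block"]

def run_translated(program):
    """Run with a code cache keyed by block start address: a block is translated
    the first time it is entered and reused on every later entry, so a hot loop
    body is translated once no matter how many times it executes."""
    regs, pc = {"r0": 0, "r1": 0}, 0
    code_cache, translations, block_runs = {}, 0, 0
    while pc is not None:
        if pc not in code_cache:
            code_cache[pc] = translate_block(program, pc)
            translations += 1
        pc = code_cache[pc](regs)
        block_runs += 1
    return regs, translations, block_runs

if __name__ == "__main__":
    print("interpreted:", interpret(GUEST_PROGRAM))        # 33 instructions decoded
    print("translated: ", run_translated(GUEST_PROGRAM))   # 3 translations, 11 block runs
```

The interpreter decodes all 33 executed instructions, while the translator compiles only 3 blocks and reuses the loop body from the cache on 8 of its 9 entries; extending blocks into traces or super blocks, as the text mentions, would reduce the block count further.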

Virtualization at Hardware Abstraction level:
Virtualization is performed right on top of the hardware.
• It generates virtual hardware environments for VMs, and manages the
underlying hardware through virtualization.
• Typical systems: VMware, Virtual PC, Denali, Xen

Advantage:
• Has higher performance and good application isolation.
Shortcoming & limitation:
• Very expensive to implement (complexity)

• The idea is to virtualize a computer’s resources,
such as its processors, memory, and I/O devices.
• The intention is to upgrade the hardware
utilization rate by multiple users concurrently.
• More recently, the Xen hypervisor has been
applied to virtualize x86-based machines to run
Linux or other guest OS applications.

Virtualization at Operating System (OS) level:
It is an abstraction layer between the traditional OS and user applications.
• This virtualization creates isolated containers on a single physical server
and the OS instances to utilize the hardware and software in data centers.
• Typical systems: Virtual Environment / Ensim's VPS / FVM

Advantage:
• Has minimal startup/shutdown cost, low resource requirement, and high
scalability; synchronizes VM and host state changes.

Shortcoming & limitation:
• All VMs at the operating system level must have the same kind of guest OS
• Poor application flexibility and isolation.
• OS-level virtualization is commonly used in creating virtual hosting
environments to allocate hardware resources among a large number of mutually
distrusting users.

• It is also used, to a lesser extent, in consolidating server hardware by
moving services on separate hosts into containers or VMs on one server.
Virtualization at OS Level

Advantages of OS Extension for Virtualization
1. VMs at OS level have minimum startup/shutdown costs

2. An OS-level VM can easily synchronize with its environment

Disadvantage of OS Extension for Virtualization

All VMs in the same OS container must have the same or similar guest OS, which
restricts the application flexibility of different VMs on the same physical machine.
Library Support level:

It creates execution environments for running alien programs on a platform
rather than creating a VM to run the entire operating system.
• It is done by API call interception and remapping.
• Typical systems: Wine, WAB, LxRun, VisualMainWin

Advantage:
• It has very low implementation effort

Shortcoming & limitation:
• Poor application flexibility and isolation
• Most applications use APIs exported by user-level
libraries rather than using lengthy system calls by the
OS.
• Since most systems provide well-documented APIs, such
an interface becomes another candidate for
virtualization.
• Virtualization with library interfaces is possible by
controlling the communication link between
applications and the rest of a system through API
hooks.
• The software tool WINE has implemented this approach
to support Windows applications on top of UNIX hosts.
• Another example is the vCUDA which allows applications
executing within VMs to leverage GPU hardware
acceleration.

Virtualization with Middleware/Library Support

User-Application level:

It virtualizes an application as a virtual machine.
• This layer sits as an application program on top of an operating system and
exports an abstraction of a VM that can run programs written and compiled to a
particular abstract machine definition.
• Typical systems: JVM, .NET CLI, Panot

Advantage:
• Has the best application isolation

Shortcoming & limitation:
• Low performance, low application flexibility and high implementation
complexity.
• Virtualization at the application level virtualizes an application as a
VM. On a traditional OS, an application often runs as a process.
Therefore, application-level virtualization is also known as
process-level virtualization.
• The most popular approach is to deploy high level language (HLL)
VMs. In this scenario, the virtualization layer sits as an application
program on top of the operating system, and the layer exports an
abstraction of a VM that can run programs written and compiled
to a particular abstract machine definition.
• Any program written in the HLL and compiled for this VM will be
able to run on it. The Microsoft .NET CLR and Java Virtual
Machine (JVM) are two good examples of this class of VM.

• Other forms of application-level virtualization are known as
application isolation, application sandboxing, or application
streaming. The process involves wrapping the application in a
layer that is isolated from the host OS and other applications.
• The result is an application that is much easier to distribute
and remove from user workstations. An example is the
LANDesk application virtualization platform which deploys
software applications as self-contained, executable files in an
isolated environment without requiring installation, system
modifications, or elevated security privileges.

Virtualization Structure / Tools and
Mechanisms
• Several classes of VM architectures
1. Hypervisor architecture
– The Xen Architecture
2. Binary Translation with Full Virtualization
– Full Virtualization
– Binary Translation of Guest OS Requests Using a VMM
– Host-Based Virtualization
3. Para-Virtualization with Compiler
– Para-Virtualization Architecture
– KVM (Kernel-Based VM)
– Para-Virtualization with Compiler Support
Virtualization Structure / Tools and
Mechanisms
• Before virtualization, the operating system
manages the hardware. After virtualization, a
virtualization layer is inserted between the
hardware and the operating system. In such a
case, the virtualization layer is responsible for
converting portions of the real hardware into
virtual hardware.
1. Hypervisor and Xen Architecture
• The hypervisor supports hardware-level virtualization (see
Figure 3.1(b)) on bare metal devices like CPU, memory, disk
and network interfaces. The hypervisor software sits directly
between the physical hardware and its OS.
• This virtualization layer is referred to as either the VMM or
the hypervisor.
• The hypervisor provides hypercalls for the guest OSes and
applications.
• Depending on the functionality, a hypervisor can assume a
micro-kernel architecture like the Microsoft Hyper-V. Or it
can assume a monolithic hypervisor architecture like the
VMware ESX for server virtualization.
1. Hypervisor
• Types
1. Micro-kernel hypervisor -> A micro-kernel hypervisor includes only the
basic and unchanging functions (such as physical memory management and
processor scheduling). The device drivers and other changeable components are
outside the hypervisor.
2. Monolithic hypervisor -> A monolithic hypervisor
implements all the aforementioned functions, including those
of the device drivers.
• Therefore, the size of the hypervisor code of a micro-kernel
hypervisor is smaller than that of a monolithic hypervisor.
Xen Architecture
• Xen is an open source hypervisor program developed by
Cambridge University. Xen is a microkernel hypervisor, which
separates the policy from the mechanism. The Xen hypervisor
implements all the mechanisms, leaving the policy to be
handled by Domain 0.
• Xen does not include any device drivers natively. It just
provides a mechanism by which a guest OS can have direct
access to the physical devices. As a result, the size of the Xen
hypervisor is kept rather small. Xen provides a virtual
environment located between the hardware and the OS.
Xen Architecture
• Many guest OSes can run on top of the hypervisor. However, not all guest
OSes are created equal, and one in particular controls the others. The guest OS
which has control ability is called Domain 0, and the others are called Domain U.
• Domain 0 is a privileged guest OS of Xen. It is first loaded when
Xen boots without any file system drivers being available.
Domain 0 is designed to access hardware directly and manage
devices. Therefore, one of the responsibilities of Domain 0 is to
allocate and map hardware resources for the guest domains
(the Domain U domains).
• If Domain 0 is compromised, the hacker can control the entire
system. So, in the VM system, security policies are needed to
improve the security of Domain 0. Domain 0, behaving as a
VMM.
The XEN Architecture (1)

Binary Translation with Full Virtualization

• Depending on implementation technologies, hardware virtualization can be
classified into two categories: full virtualization and host-based virtualization.
• It relies on binary translation to trap and to virtualize the execution of
certain sensitive, non-virtualizable instructions.
• The guest OSes and their applications consist of noncritical and critical
instructions.
• In a host-based system, both a host OS and a guest OS are used. A
virtualization software layer is built between the host OS and guest OS.
Full Virtualization
• Does not need to modify the host OS
• Noncritical instructions run on the hardware directly while
critical instructions (control sensitive, behavioral sensitive
instructions) are discovered and replaced with traps into the
VMM to be emulated by software.
• Noncritical instructions do not control hardware or threaten
the security of the system, but critical instructions do.
• This is because binary translation can incur a large
performance overhead.
• Therefore, running noncritical instructions on hardware not
only can promote efficiency, but also can ensure system
security.
Binary Translation of Guest OS Requests
Using a VMM
• VMware puts the VMM at Ring 0 and the guest OS at Ring 1.
• The VMM scans the instruction stream and identifies the
privileged, control- and behavior-sensitive instructions.
• When these instructions are identified, they are trapped into
the VMM, which emulates the behavior of these instructions.
• The method used in this emulation is called binary
translation.
• Therefore, full virtualization combines binary translation and
direct execution. The guest OS is completely decoupled from
the underlying hardware. Consequently, the guest OS is
unaware that it is being virtualized.
Binary Translation of Guest OS Requests
Using a VMM
• The performance of full virtualization may not be ideal,
because it involves binary translation which is rather time-
consuming.
• In particular, the full virtualization of I/O-intensive applications is
really a big challenge.
• Binary translation employs a code cache to store translated
hot instructions to improve performance, but it increases the
cost of memory usage.
• At the time of this writing, the performance of full
virtualization on the x86 architecture is typically 80 percent to
97 percent that of the host machine.
Host-Based Virtualization
• An alternative VM architecture is to install a
virtualization layer on top of the host OS.
• This host OS is still responsible for managing
the hardware.
• The guest OSes are installed and run on top of
the virtualization layer. Dedicated applications
may run on the VMs.
• Certainly, some other applications can also run
with the host OS directly
Host-Based Virtualization
• First, the user can install this VM architecture
without modifying the host OS.
• The virtualizing software can rely on the host
OS to provide device drivers and other low-
level services.
• This will simplify the VM design and ease its
deployment.
Host-Based Virtualization
• Second, the host-based approach appeals to many host
machine configurations.
• Compared to the hypervisor/VMM architecture, the
performance of the host-based architecture may also be low.
• When an application requests hardware access, it involves
four layers of mapping which downgrades performance
significantly. When the ISA of a guest OS is different from the
ISA of the underlying hardware, binary translation must be
adopted. Although the host-based architecture has flexibility,
the performance is too low to be useful in practice.
Para-Virtualization with Compiler Support

• Para-virtualization needs to modify the guest operating systems.
• A para-virtualized VM provides special APIs requiring substantial OS
modifications in user applications.
• Performance degradation is a critical issue of a virtualized system. No one
wants to use a VM if it is much slower than using a physical machine.
Para-Virtualization with Compiler Support

• The virtualization layer can be inserted at different positions in a machine
software stack. However, para-virtualization attempts to reduce the
virtualization overhead, and thus improve performance, by modifying only the
guest OS kernel.
Para-Virtualization with Compiler Support
• They are assisted by an intelligent compiler to replace the
non virtualizable OS instructions by hypercalls as illustrated in
Figure 3.8.
• The traditional x86 processor offers four instruction
execution rings: Rings 0, 1, 2, and 3.
• The lower the ring number, the higher the privilege of
instruction being executed. The OS is responsible for
managing the hardware and the privileged instructions to
execute at Ring 0, while user-level applications run at Ring 3.
• The best example of para-virtualization is the KVM.
Para-Virtualization with Compiler Support
• When the x86 processor is virtualized, a virtualization layer is
inserted between the hardware and the OS. According to the
x86 ring definition, the virtualization layer should also be
installed at Ring 0.
• Different instructions at Ring 0 may cause some problems.
• In Figure 3.8, we show that para-virtualization replaces
nonvirtualizable instructions with hypercalls that
communicate directly with the hypervisor or VMM.
However, when the guest OS kernel is modified for
virtualization, it can no longer run on the hardware directly.
Para-Virtualization with Compiler Support
• Although para-virtualization reduces the overhead, it has
incurred other problems.
• First, its compatibility and portability may be in doubt,
because it must support the unmodified OS as well.
• Second, the cost of maintaining para-virtualized OSes is
high, because they may require deep OS kernel
modifications.
• Finally, the performance advantage of para-virtualization
varies greatly due to workload variations. Compared with full
virtualization, para-virtualization is relatively easy and more
practical.
Para-Virtualization with Compiler Support

• The main problem in full virtualization is its low performance in binary
translation. Speeding up binary translation is difficult. Therefore, many
virtualization products employ the para-virtualization architecture. The
popular Xen, KVM, and VMware ESX are good examples.
Full Virtualization

Figure: full virtualization stack. Each VM is Application → Guest OS → Virtual
Hardware; the VMs run on the Virtual Machine Software Layer, which runs on the
Physical Hardware.
KVM (Kernel-Based VM)
• This is a Linux para-virtualization system—a part of
the Linux version 2.6.20 kernel.
• Memory management and scheduling activities are
carried out by the existing Linux kernel.
• The KVM does the rest, which makes it simpler than
the hypervisor that controls the entire machine.
• KVM is a hardware-assisted para-virtualization tool,
which improves performance and supports
unmodified guest OSes such as Windows, Linux,
Solaris, and other UNIX variants.
Para-Virtualization with Compiler Support

• Unlike the full virtualization architecture which intercepts and emulates
privileged and sensitive instructions at runtime, para-virtualization handles
these instructions at compile time.
• The guest OS kernel is modified to replace the privileged and sensitive
instructions with hypercalls to the hypervisor or VMM. Xen assumes such a
para-virtualization architecture.
• The guest OS running in a guest domain may run at
Ring 1 instead of at Ring 0.
• This implies that the guest OS may not be able to
execute some privileged and sensitive
instructions.
• The privileged instructions are implemented by
hypercalls to the hypervisor. After replacing the
instructions with hypercalls, the modified guest OS
emulates the behavior of the original guest OS.
Para Virtualization

Figure: para virtualization stack. Each VM is Application → Guest OS → Virtual
Hardware; a Host OS with its own application sits beside the VMs; all run on the
Virtual Machine Software Layer above the Physical Hardware.
Full Virtualization vs. Para-Virtualization
Full virtualization
• Does not need to modify guest OS, and critical instructions are
emulated by software through the use of binary translation.
• VMware Workstation applies full virtualization, which uses binary
translation to automatically modify x86 software on-the-fly to replace
critical instructions.
• Advantage: no need to modify OS.
• Disadvantage: binary translation slows down the performance.
Para virtualization
• Reduces the overhead, but the cost of maintaining a paravirtualized OS
is high.
• The improvement depends on the workload.
• Para virtualization must modify the guest OS: non-virtualizable
instructions are replaced by hypercalls that communicate directly
with the hypervisor or VMM.
• Para virtualization is supported by Xen, Denali and VMware ESX.
Virtualization of CPU, Memory and I/O Devices
• Hardware Support for Virtualization
• CPU Virtualization
– Hardware-Assisted CPU Virtualization
• Memory Virtualization
• I/O Virtualization
Hardware Support for Virtualization
• Modern operating systems and processors permit multiple
processes to run simultaneously. If there were no protection
mechanism in a processor, instructions from different
processes would access the hardware directly and cause a
system crash.
• Therefore, all processors have at least two modes, user mode
and supervisor mode, to ensure controlled access to critical
hardware. Instructions running in supervisor mode are called
privileged instructions. Other instructions are unprivileged
instructions.
CPU Virtualization
• Unprivileged instructions of VMs run directly on the host
machine for higher efficiency.
• The critical instructions are divided into three categories:
privileged instructions, control sensitive instructions, and
behavior-sensitive instructions.
1. Privileged instructions execute in a privileged mode and will
be trapped if executed outside this mode.
2. Control-sensitive instructions attempt to change the
configuration of resources used.
3. Behavior-sensitive instructions have different behaviors
depending on the configuration of resources, including the
load and store operations over the virtual memory.
CPU Virtualization
• A CPU architecture is virtualizable if it supports the ability to
run the VM’s privileged and unprivileged instructions in the
CPU’s user mode while the VMM runs in supervisor mode.
• When the privileged instructions, including control- and
behavior-sensitive instructions, of a VM are executed, they
trap into the VMM. The VMM then acts as a
unified mediator for hardware access from different VMs to
guarantee the correctness and stability of the whole system.
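The virtualizability condition above is easiest to see in a small model. The following Python is an added example, not code from the slides or from any hypervisor: the instruction names, the two constructed CPU models (one that lets a behavior-sensitive instruction through untrapped, as classic x86 did with `popf`, and one that traps every sensitive instruction) and the `GuestVM`/`VMM` classes are all assumptions made for illustration.

```python
"""Toy trap-and-emulate model for CPU virtualization.

Added example, not from the original slides. Instruction names, the
GuestVM/VMM classes and both CPU models are constructed for illustration
only; they do not reproduce a real ISA.
"""
from dataclasses import dataclass

# Critical instructions and their category (the three categories on the slide).
SENSITIVE = {
    "cli": "privileged",               # disable interrupts
    "sti": "privileged",               # enable interrupts
    "popf": "behavior-sensitive",      # loads flags incl. IF; effect depends on current mode
    "set_timer": "control-sensitive",  # reconfigures a shared resource
}


@dataclass
class CPU:
    name: str
    traps_in_user_mode: frozenset  # critical instructions that trap when run at user level


@dataclass
class GuestVM:
    interrupts_enabled: bool = False
    timer_hz: int = 100


class VMM:
    """Runs in supervisor mode; the single mediator for every trapped instruction."""

    def __init__(self):
        self.host_timer_hz = 1000  # constructed host resource; guests must never touch it
        self.traps = 0

    def emulate(self, vm, insn, arg):
        self.traps += 1
        if insn == "cli":
            vm.interrupts_enabled = False
        elif insn == "sti":
            vm.interrupts_enabled = True
        elif insn == "popf":
            vm.interrupts_enabled = bool(arg)  # virtual IF only, not the real one
        elif insn == "set_timer":
            vm.timer_hz = arg                  # virtual timer only; host timer unchanged


def execute_untrapped(vm, insn, arg):
    """Hardware behaviour for a sensitive instruction that does NOT trap: the
    privileged part is silently ignored and no fault is raised, so the VMM
    never learns that the guest's view of the machine has diverged."""
    return


def is_virtualizable(cpu):
    """Popek/Goldberg condition: every sensitive instruction must trap in user mode."""
    return set(SENSITIVE) <= set(cpu.traps_in_user_mode)


def run_guest(cpu, program):
    vm, vmm = GuestVM(), VMM()
    for insn, arg in program:
        if insn in SENSITIVE:
            if insn in cpu.traps_in_user_mode:
                vmm.emulate(vm, insn, arg)
            else:
                execute_untrapped(vm, insn, arg)
        # unprivileged instructions (arithmetic, loads) would run directly here
    return vm, vmm


# Constructed CPU models: the first lets popf through untrapped, the second traps
# everything sensitive into the hypervisor (the hardware-assisted case).
CLASSIC_X86 = CPU("classic x86", frozenset({"cli", "sti", "set_timer"}))
HW_ASSISTED = CPU("hardware-assisted", frozenset(SENSITIVE))

# The guest OS expects interrupts to be enabled afterwards and its timer at 250 Hz.
PROGRAM = [("cli", None), ("popf", 1), ("set_timer", 250)]

if __name__ == "__main__":
    for cpu in (CLASSIC_X86, HW_ASSISTED):
        vm, vmm = run_guest(cpu, PROGRAM)
        print(cpu.name, "virtualizable:", is_virtualizable(cpu),
              "IF:", vm.interrupts_enabled, "traps:", vmm.traps,
              "host timer intact:", vmm.host_timer_hz == 1000)
```

On the non-virtualizable model the guest ends with interrupts disabled although its own code enabled them, and nothing was reported to the VMM; this silent divergence is exactly why binary translation, para-virtualization or hardware assistance is needed on such an ISA.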
Hardware-Assisted CPU Virtualization
• This technique attempts to simplify virtualization because full
or para virtualization is complicated.
• All the privileged and sensitive instructions are trapped in the
hypervisor automatically.
• This technique removes the difficulty of implementing binary
translation of full virtualization. It also lets the operating
system run in VMs without modification.
Memory Virtualization
• Dynamically allocating machine memory to the physical memory of
virtual machines is called “memory virtualization”.
• In a traditional execution environment, the operating system
maintains mappings of virtual memory to machine memory
using page tables, which is a one-stage mapping from virtual
memory to machine memory.
• Processors include a memory management unit (MMU) and a
translation lookaside buffer (TLB) to optimize virtual memory
performance.
• In a virtual execution environment, virtual memory
virtualization involves sharing the physical system memory in
RAM and dynamically allocating it to the physical memory of
the VMs.
Memory Virtualization
• A two-stage mapping process should be maintained by the guest OS
and the VMM, respectively: virtual memory to physical memory and
physical memory to machine memory.
• The guest OS continues to control the mapping of virtual addresses to
the physical memory addresses of VMs. But the guest OS cannot
directly access the actual machine memory. The VMM is responsible
for mapping the guest physical memory to the actual machine
memory.
• Since each page table of the guest OSes has a separate page table in
the VMM corresponding to it, the VMM page table is called the
“Shadow page table”.
• Processors use TLB hardware to map the virtual memory directly to
the machine memory to avoid the two levels of translation on every
access.
• Hardware assistance for the two-stage address translation in a
virtual execution environment is provided by a technology called
“nested paging”.
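The two-stage mapping, the shadow page table that composes both stages, and the TLB that caches the composed result can be modelled in a few lines. This Python is an added example, not code from the slides or any hypervisor; the page tables are plain dictionaries keyed by page number, and the two VMs, their tables and the access sequence are constructed assumptions.

```python
"""Two-stage address translation with a shadow page table and a TLB.

Added example, not from the original slides. Page tables are dicts keyed by
page number; VM names and all mappings are constructed.
"""
PAGE_SIZE = 4096


class PageFault(Exception):
    pass


def two_stage_translate(va, guest_pt, p2m):
    """Stage 1 (guest OS): virtual page -> guest-physical page.
    Stage 2 (VMM):        guest-physical page -> machine page.
    Returns the machine address."""
    vpn, offset = divmod(va, PAGE_SIZE)
    gppn = guest_pt.get(vpn)
    if gppn is None:
        raise PageFault(f"guest page fault at vpn {vpn}")
    mpn = p2m.get(gppn)
    if mpn is None:
        raise PageFault(f"VMM fault: guest-physical page {gppn} not backed")
    return mpn * PAGE_SIZE + offset


def is_backed(va, guest_pt, p2m):
    try:
        two_stage_translate(va, guest_pt, p2m)
        return True
    except PageFault:
        return False


def build_shadow_page_table(guest_pt, p2m):
    """Compose both stages into one virtual->machine table the MMU can walk directly.
    Guest-physical pages the VMM has not backed are left out, so a later access
    traps into the VMM, which backs the page and refreshes the shadow."""
    return {vpn: p2m[gppn] for vpn, gppn in guest_pt.items() if gppn in p2m}


class TLB:
    """Direct virtual->machine cache that avoids both walks on a hit."""

    def __init__(self, capacity=4):
        self.capacity, self.entries, self.hits, self.misses = capacity, {}, 0, 0

    def lookup(self, vpn, shadow):
        if vpn in self.entries:
            self.hits += 1
            return self.entries[vpn]
        self.misses += 1
        mpn = shadow[vpn]                       # shadow walk on a miss
        if len(self.entries) >= self.capacity:  # simple FIFO eviction
            self.entries.pop(next(iter(self.entries)))
        self.entries[vpn] = mpn
        return mpn

    def flush(self):
        self.entries.clear()


# Constructed tables: two VMs whose guest OSes both believe they own physical page 0.
GUEST_PT_A = {0: 0, 1: 1, 2: 5}   # VM A: vpn -> guest-physical page
GUEST_PT_B = {0: 0, 7: 1}         # VM B: also uses "physical page 0"
P2M_A = {0: 100, 1: 101}          # VMM backs VM A at machine pages 100, 101 (page 5 not yet)
P2M_B = {0: 200, 1: 201}          # VM B's page 0 lives at machine page 200


def demo():
    shadow_a = build_shadow_page_table(GUEST_PT_A, P2M_A)
    shadow_b = build_shadow_page_table(GUEST_PT_B, P2M_B)
    tlb = TLB(capacity=2)
    for vpn in [0, 1, 0, 0, 1]:   # constructed access sequence for VM A
        tlb.lookup(vpn, shadow_a)
    return shadow_a, shadow_b, tlb
```

The same guest-physical page 0 resolves to different machine pages for the two VMs, which is the isolation the VMM's mapping provides, and an access to a guest page the VMM has not yet backed faults into the VMM rather than reaching machine memory.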
I/O Virtualization
• I/O virtualization involves managing the routing of I/O
requests between virtual devices and the shared physical
hardware.
• Three ways to implement I/O virtualization: full device
emulation, para-virtualization, and direct I/O.
1. In full device emulation, all the functions of a device or
bus infrastructure, such as device enumeration, identification,
interrupts, and DMA, are replicated in software. This software
is located in the VMM and acts as a virtual device. The I/O
access requests of the guest OS are trapped in the VMM,
which interacts with the I/O devices.
I/O Virtualization
2. The para-virtualization method of I/O virtualization is typically
used in Xen. It is also known as the split driver model,
consisting of a frontend driver and a backend driver. The
frontend driver runs in Domain U and the backend driver
runs in Domain 0. They interact with each other via a
block of shared memory. The frontend driver manages the I/O
requests of the guest OSes and the backend driver is
responsible for managing the real I/O devices and
multiplexing the I/O data of different VMs. Although para-I/O-
virtualization achieves better device performance than full
device emulation
3. Direct I/O virtualization lets the VM access devices directly. It
can achieve close-to-native performance without high CPU
costs.
I/O Virtualization
• A directly assigned device that functions incorrectly can
even crash the whole system.
• Another way to help I/O virtualization is via self-virtualized
I/O (SV-IO).
• SV-IO defines one virtual interface (VIF) for every kind of
virtualized I/O device, such as virtual network interfaces,
virtual block devices (disk), virtual camera devices, and
others. The guest OS interacts with the VIFs via VIF device
drivers. Each VIF consists of two message queues. One is for
outgoing messages to the devices and the other is for
incoming messages from the devices. In addition, each VIF has
a unique ID for identifying it in SV-IO.
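The split-driver model and the SV-IO queue pairs share one structure: a frontend in the guest posts requests on an outgoing queue, a backend in the privileged domain services every VIF in turn and posts responses on the incoming queue. The Python below is an added example, not Xen or SV-IO code; the message tuple format, the `Backend`/`Frontend` classes, the toy block device and the per-VM block ranges are constructed assumptions.

```python
"""Split-driver I/O virtualization: frontend in the guest, backend in Domain 0,
one outgoing and one incoming message queue per virtual interface (VIF).

Added example, not from the original slides. The message format, the classes
and the toy block device are constructed for illustration.
"""
from collections import deque
from dataclasses import dataclass, field

BLOCK = 16  # constructed tiny block size


@dataclass
class VIF:
    """One virtual block interface: two message queues plus a unique id."""
    vif_id: int
    outgoing: deque = field(default_factory=deque)  # guest -> device requests
    incoming: deque = field(default_factory=deque)  # device -> guest responses


class Backend:
    """Domain 0 driver: owns the real device and multiplexes requests from all VIFs."""

    def __init__(self, total_blocks):
        self.disk = bytearray(total_blocks * BLOCK)
        self.vifs = {}
        self.partitions = {}  # vif_id -> (first_block, n_blocks) the VM may touch

    def attach(self, vif_id, first_block, n_blocks):
        vif = VIF(vif_id)
        self.vifs[vif_id] = vif
        self.partitions[vif_id] = (first_block, n_blocks)
        return vif

    def service(self):
        """Drain every VIF's outgoing queue, enforce each VM's own range, post responses."""
        for vif in self.vifs.values():
            first, count = self.partitions[vif.vif_id]
            while vif.outgoing:
                op, lba, data = vif.outgoing.popleft()
                if not 0 <= lba < count:  # a guest may only reach its own blocks
                    vif.incoming.append(("error", lba, None))
                    continue
                start = (first + lba) * BLOCK
                if op == "write":
                    self.disk[start:start + BLOCK] = data.ljust(BLOCK, b"\0")
                    vif.incoming.append(("ok", lba, None))
                else:
                    vif.incoming.append(("ok", lba, bytes(self.disk[start:start + BLOCK])))


class Frontend:
    """Guest driver: turns guest I/O into messages on its VIF."""

    def __init__(self, vif):
        self.vif = vif

    def write(self, lba, data):
        self.vif.outgoing.append(("write", lba, data))

    def read(self, lba):
        self.vif.outgoing.append(("read", lba, None))

    def responses(self):
        out = list(self.vif.incoming)
        self.vif.incoming.clear()
        return out


def demo():
    dom0 = Backend(total_blocks=8)
    vm1 = Frontend(dom0.attach(vif_id=1, first_block=0, n_blocks=4))
    vm2 = Frontend(dom0.attach(vif_id=2, first_block=4, n_blocks=4))
    vm1.write(0, b"hello")
    vm2.write(0, b"world")   # same guest LBA, different physical blocks
    vm2.write(9, b"oops")    # outside VM 2's range: rejected by the backend
    dom0.service()
    vm1.read(0)
    vm2.read(0)
    dom0.service()
    return vm1.responses(), vm2.responses()
```

Because the backend is the only party that touches the device, the range check in `service` is the single place where one VM's requests are kept away from another VM's data.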
VIRTUALIZATION FOR DATA-CENTER AUTOMATION
• Data-center automation means that huge volumes of hardware, software, and
database resources in data centers can be allocated dynamically to millions of
Internet users simultaneously, with guaranteed QoS and cost-effectiveness.
• The latest virtualization development highlights high availability (HA), backup
services, workload balancing, and further increases in client bases.
 Server Consolidation in Data Centers
• In data centers, a large number of heterogeneous workloads can run on servers at
various times. These heterogeneous workloads can be roughly divided into two
categories: chatty workloads and noninteractive workloads. Chatty workloads may
burst at some point and return to a silent state at some other point, e.g., a web video
service.
• Noninteractive workloads do not require people’s efforts to make progress after
they are submitted. High-performance computing is a typical example of this.
• Most servers in data centers are underutilized. Server consolidation is an approach
to improve the low utility ratio of hardware resources by reducing the number of
physical servers. Among several server consolidation techniques such as centralized
and physical consolidation, virtualization-based server consolidation is the most
powerful. Data centers need to optimize their resource management.
• Server virtualization enables smaller resource allocation than a physical machine.
VIRTUALIZATION FOR DATA-CENTER AUTOMATION
• The use of VMs increases resource management complexity.
 Server virtualization has the following side effects:
• Consolidation enhances hardware utilization. Consolidation also facilitates
backup services and disaster recovery.
• In a virtual environment, the images of the guest OSes and their
applications are readily cloned and reused.
• The total cost of ownership is reduced (purchases of new servers, a
smaller data-center footprint, lower maintenance costs, and lower power,
cooling, and cabling requirements).
• This approach improves availability and business continuity. The crash of a
guest OS has no effect on the host OS or any other guest OS, and it is easier to
transfer a VM from one server to another.
VIRTUALIZATION FOR DATA-CENTER AUTOMATION
 Virtual Storage Management
• Storage virtualization was largely used to describe the aggregation and
repartitioning of disks at very coarse time scales for use by physical machines. In
system virtualization, virtual storage includes the storage managed by VMMs
and guest OSes.
• The most important aspects of system virtualization are encapsulation and
isolation. Traditional operating systems and applications running on them can be
encapsulated in VMs.
• System virtualization allows multiple VMs to run on a physical machine, and the
VMs are completely isolated.
• In virtualization environments, a virtualization layer is inserted between the
hardware and traditional operating systems.
• The guest OS performs as though it is operating on a real hard disk, although the guest
OSes cannot access the hard disk directly. Therefore, storage management of
the underlying VMM is much more complex than that of guest OSes (traditional
OSes).
• A data center may run thousands of VMs, which causes VM images to flood storage.
Content Addressable Storage (CAS) is a solution to reduce the total size of VM images.
VIRTUALIZATION FOR DATA-CENTER AUTOMATION
 Virtual Storage Management
• Parallax provides virtual disk images (VDIs) to VMs. A VDI is a single-writer virtual
disk which may be accessed in a location-transparent manner from any of the
physical hosts in the Parallax cluster
VIRTUALIZATION FOR DATA-CENTER AUTOMATION
 Cloud OS for Virtualized Data Centers
• Data centers must be virtualized to serve as cloud providers. Nimbus, Eucalyptus,
and OpenNebula are all open source software available to the general public
• OpenNebula has additional features to provision dynamic resources and make
advance reservations
• The three resource managers
1. Instance Manager controls the execution, inspection, and termination of VM
instances on the host where it runs.
2. Group Manager gathers information about and schedules VM execution on
specific instance managers, as well as manages the virtual instance network.
3. Cloud Manager is the entry-point into the cloud for users and administrators. It
queries node managers for information about resources, makes scheduling
decisions, and implements them by making requests to group managers.
VIRTUALIZATION FOR DATA-CENTER AUTOMATION
 Trust Management in Virtualized Data Centers
• A VMM changes the computer architecture. It provides a layer of software
between the operating systems and system hardware to create one or more VMs
on a single physical platform.
• The VMM can provide secure isolation, and a VM accesses hardware resources through
the control of the VMM.
• Once a hacker successfully enters the VMM or management VM, the whole system
is in danger.
 VM-Based Intrusion Detection
• Intrusions are unauthorized access to a certain computer from local or network
users, and intrusion detection is used to recognize the unauthorized access. An
intrusion detection system (IDS) is built on operating systems.
• A typical IDS can be classified as a host-based IDS (HIDS) or a network-based IDS
(NIDS), depending on the data source. A HIDS can be implemented on the
monitored system. When the monitored system is attacked by hackers, the HIDS
also faces the risk of being attacked. A NIDS is based on the flow of network traffic,
which cannot detect fake actions.
VIRTUALIZATION FOR DATA-CENTER AUTOMATION
 VM-Based Intrusion Detection
• Virtualization-based intrusion detection can isolate guest VMs on the same hardware
platform.
• The VMM monitors and audits access requests for hardware and system software. This can
avoid fake actions and possesses the merit of a HIDS. There are two different methods
for implementing a VM-based IDS: either the IDS is an independent process in each
VM or a high-privileged VM on the VMM, or the IDS is integrated into the VMM.
• The VM-based IDS contains a policy engine and a policy module. The policy framework
can monitor events in different guest VMs through an operating system interface library,
and PTrace indicates a trace to the security policy of the monitored host. It is difficult to predict and
prevent all intrusions without delay.
• Most computer systems use logs to analyze attack actions, but it is hard to ensure the
credibility and integrity of a log. The IDS log service is based on the operating system
kernel. Thus, when an operating system is invaded by attackers, the log service should
be unaffected.
• Besides IDS, honeypots and honeynets are also prevalent in intrusion detection. They
attract and provide a fake system view to attackers in order to protect the real system.
A honeypot is a purposely defective system that simulates an operating system to
cheat and monitor the actions of an attacker.
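The two concerns raised above, a policy engine that evaluates guest events and a log whose integrity survives a compromised guest, can be combined by hash-chaining the guest's event records and handing each digest to a verifier outside the guest (in the VMM or a privileged VM). The Python below is an added example, not code from the slides or from any real VM-based IDS; the event format, the policy rules and the sample events are constructed assumptions.

```python
"""Tamper-evident guest event log verified from outside the guest, plus a small
policy engine over the same records.

Added example, not from the original slides. Event format, hash chain, policy
rules and sample events are constructed; this is not any real VM-based IDS.
"""
import hashlib
import json

GENESIS = "0" * 64


def _digest(prev, event):
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()


class GuestLog:
    """Runs inside the guest: every record links to the previous record's digest."""

    def __init__(self):
        self.records = []
        self._prev = GENESIS

    def append(self, event):
        digest = _digest(self._prev, event)
        self.records.append({"event": event, "prev": self._prev, "digest": digest})
        self._prev = digest
        return digest


class VMMVerifier:
    """Runs in the VMM or privileged VM: keeps only the latest digest it was given
    and re-walks the chain, so an edited, inserted or deleted record is detected
    even if the guest kernel and its log service were compromised later."""

    def __init__(self):
        self.anchor = GENESIS

    def observe(self, digest):
        self.anchor = digest

    def verify(self, records):
        prev = GENESIS
        for r in records:
            if r["prev"] != prev or _digest(prev, r["event"]) != r["digest"]:
                return False
            prev = r["digest"]
        return prev == self.anchor


# Constructed policy: which events should raise an alert.
POLICY = {"protected_paths": ["/etc/shadow", "/boot/vmlinuz"], "max_failed_logins": 3}


def evaluate_policy(records, policy=POLICY):
    alerts, failed = [], 0
    for r in records:
        e = r["event"]
        if e.get("type") == "file_write" and e.get("path") in policy["protected_paths"]:
            alerts.append(f"write to protected path {e['path']} by pid {e.get('pid')}")
        if e.get("type") == "login_failed":
            failed += 1
            if failed == policy["max_failed_logins"]:
                alerts.append(f"{failed} failed logins for {e.get('user')}")
    return alerts


def demo(tamper=False):
    log, verifier = GuestLog(), VMMVerifier()
    events = [  # constructed sample events as a guest agent might report them
        {"type": "login_failed", "user": "root"},
        {"type": "file_write", "path": "/etc/shadow", "pid": 4242},
        {"type": "login_failed", "user": "root"},
        {"type": "login_failed", "user": "root"},
    ]
    for ev in events:
        verifier.observe(log.append(ev))  # digest leaves the guest as each record is written
    if tamper:
        log.records[1]["event"]["path"] = "/tmp/scratch"  # in-guest edit after the fact
    return verifier.verify(log.records), evaluate_policy(log.records)
```

The verifier holds nothing but one digest, so it does not need to trust the guest's storage; an edit that also rewrites the digests would still fail against the anchor the VMM recorded earlier.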
Storage Virtualization
• Overview
– Introduction
– What to be virtualized
– Where to be virtualized
– How to be virtualized
Overview
• Introduction
• What to be virtualized ?
– Block, File system
• Where to be virtualized ?
– Host-based, Network-based, Storage-based
• How to be virtualized ?
– In-band, Out-of-band
Introduction
• Desirable properties of storage virtualization:
– Manageability
• Storage resource should be easily configured and deployed.
– Availability
• Storage hardware failures should not affect the application.
– Scalability
• Storage resource can easily scale up and down.
– Security
• Storage resource should be securely isolated.
Introduction
• Storage concept and technique
– Storage resource mapping table
– Redundant data
– Multi-path
– Data sharing
– Tiering
Concept and Technique
• Storage resource mapping table
– Maintain tables to map storage resources to targets.
– Dynamically modify table entries for thin provisioning.
– Use the table to isolate different storage address spaces.
Concept and Technique
• Redundant data
– Maintain replicas to provide high availability.
– Use RAID technique to improve performance and
availability.
Concept and Technique
• Multi-path
– A fault-tolerance and performance
enhancement technique.
– There is more than one physical path
between the host and storage devices
through the buses, controllers,
switches, and bridge devices
connecting them.
Concept and Technique
• Data sharing
– Use data de-duplication techniques to eliminate duplicated data.
– Save storage space and improve its usage.
Concept and Technique
• Tiering
– Automatically migrate data across storage resources with
different properties according to the significance or access
frequency of data.
– Example: iMac Fusion Drive
(figure: storage policies applied to an access group)
• Introduction
• What to be virtualized
• Where to be virtualized
• How to be virtualized
• Case study
STORAGE VIRTUALIZATION
What To Be Virtualized
• Layers can be virtualized
– File system
• Provide compatible system call
interface to user space
applications.
– Block device
• Provide compatible block
device interface to file system.
• Through the interface such as
SCSI, SAS, ATA, SATA, etc.
(figure: storage stack from the user-space application through the system call interface, file system, block interface and device driver in kernel space, down to the storage device)
File System Level
• Data and Files
– What is data ?
• Data is information that has been converted to a machine-
readable, digital binary format.
• Control information indicates how data should be processed.
• Applications may embed control information in user data for
formatting or presentation.
• Data and its associated control information is organized into
discrete units as files or records.
– What is file ?
• Files are the common containers for user data, application code,
and operating system executables and parameters.
File System Level
• About the files
– Metadata
• The control information for file management is known as
metadata.
• File metadata includes file attributes and pointers to the location
of file data content.
• File metadata may be segregated from a file's data content.
• Metadata on file ownership and permissions is used in file access.
• File timestamp metadata facilitates automated processes such as
backup and life cycle management.
– Different file systems
• In Unix systems, file metadata is contained in the i-node structure.
• In Windows systems, file metadata is contained in records of file
attributes.
File System Level
• File system
– What is file system ?
• A file system is a software layer responsible for organizing and
policing the creation, modification, and deletion of files.
• File systems provide a hierarchical organization of files into
directories and subdirectories.
• The B-tree algorithm facilitates more rapid search and retrieval of
files by name.
• File system integrity is maintained through duplication of master
tables, change logs, and immediate writes of file changes.
– Different file systems
• In Unix, the super block contains information on the current state
of the file system and its resources.
• In Windows NTFS, the master file table contains information on all
file entries and status.
File System Level
• File system level virtualization
– File system maintains metadata
(i-node) of each file.
– Translate file access requests to
the underlying file system.
– Sometimes divide large files into
small sub-files (chunks) for
parallel access, which improves
performance.
Block Device Level
• Block level data
– The file system block
• The atomic unit of file system management is the file system
block.
• A file's data may span multiple file system blocks.
• A file system block is composed of a consecutive range of
disk block addresses.
– Data in disk
• Disk drives read and write data to media through cylinder,
head, and sector geometry.
• Microcode on a disk translates between disk block numbers
and cylinder/head/sector locations.
• This translation is an elementary form of virtualization.
Block Device Level
• Block device interface
– SCSI (Small Computer System Interface)
• The exchange of data blocks between the host system and
storage is governed by the SCSI protocol.
• The SCSI protocol is implemented in a client/server model.
• The SCSI protocol is responsible for block exchange but does
not define how data blocks will be placed on disk.
• Multiple instances of SCSI client/server sessions may run
concurrently between a server and storage.
Block Device Level
• Logical unit and Logical volume
– Logical unit
• The SCSI command processing entity within the storage target
represents a logical unit (LU) and is assigned a logical unit number
(LUN) for identification by the host platform.
• LUN assignment can be manipulated through LUN mapping, which
substitutes virtual LUN numbers for actual ones.
– Logical volume
• A volume represents the storage capacity of one or more disk drives.
• Logical volume management may sit between the file system and the
device drivers that control system I/O.
• Volume management is responsible for creating and maintaining
metadata about storage capacity.
• Volumes are an archetypal form of storage virtualization.
Block Device Level
• Data block level virtualization
– LUN & LBA
• A single block of information is
addressed using a logical unit
identifier (LUN) and an offset
within that LUN, which is known as
a Logical Block Address (LBA).
– Apply address space remapping
• The address space mapping is
between a logical disk and a
logical unit presented by one or
more storage controllers.
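The mapping table from the "Concept and Technique" slide and the (LUN, LBA) remapping described here are the same mechanism: a table from virtual block addresses to physical blocks that is filled lazily (thin provisioning) and kept separate per LUN (address space isolation). The Python below is an added example, not code from the slides or from any storage product; the `ThinPool`/`VirtualLUN` classes, the block size and the capacities are constructed assumptions.

```python
"""Block-level storage virtualization: a mapping table from (virtual LUN, LBA)
to physical blocks with thin provisioning and per-LUN address-space isolation.

Added example, not from the original slides. Classes, block size and capacities
are constructed for illustration.
"""
BLOCK = 512


class ThinPool:
    """Physical capacity shared by all virtual LUNs; blocks are handed out lazily."""

    def __init__(self, physical_blocks):
        self.storage = {}                       # physical block -> bytes
        self.free = list(range(physical_blocks))

    def allocate(self):
        if not self.free:
            raise RuntimeError("pool exhausted: thin provisioning over-committed")
        return self.free.pop(0)


class VirtualLUN:
    """What the host sees: a LUN of `capacity` blocks. Real blocks exist only once written."""

    def __init__(self, lun, pool, capacity):
        self.lun, self.pool, self.capacity = lun, pool, capacity
        self.table = {}                         # mapping table: LBA -> physical block

    def _check(self, lba):
        if not 0 <= lba < self.capacity:
            raise IndexError(f"LUN {self.lun}: LBA {lba} out of range")

    def write(self, lba, data):
        self._check(lba)
        if lba not in self.table:               # first write: allocate from the pool
            self.table[lba] = self.pool.allocate()
        self.pool.storage[self.table[lba]] = data[:BLOCK].ljust(BLOCK, b"\0")

    def read(self, lba):
        self._check(lba)
        phys = self.table.get(lba)
        return self.pool.storage[phys] if phys is not None else bytes(BLOCK)  # unmapped reads as zeros

    def allocated_blocks(self):
        return len(self.table)


def demo():
    pool = ThinPool(physical_blocks=100)
    lun_a = VirtualLUN(0, pool, capacity=1000)  # 2000 blocks presented, 100 real
    lun_b = VirtualLUN(1, pool, capacity=1000)
    lun_a.write(0, b"alpha")
    lun_b.write(0, b"beta")                     # same LBA, isolated address space
    lun_a.write(999, b"tail")
    return pool, lun_a, lun_b
```

Reading an LBA that was never written returns zeros without consuming pool capacity, which is what makes the presented capacity independent of the physical capacity; the `RuntimeError` in `allocate` is the over-commit failure an operator monitors for.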
• Introduction
• What to be virtualized
• Where to be virtualized
• How to be virtualized
• Case study
STORAGE VIRTUALIZATION
Where To Be Virtualized
• Storage interconnection
– The path to storage
• The storage interconnection provides the data path
between servers and storage.
• The storage interconnection is composed of both hardware
and software components.
• Operating systems provide drivers for I/O to storage assets.
• Storage connectivity for hosts is provided by host bus
adapters (HBAs) or network interface cards (NICs).
Where To Be Virtualized
• Storage interconnection protocol
– Fibre Channel
• Usually for high performance requirements.
• Supports point-to-point, arbitrated loop, and fabric interconnects.
• Device discovery is provided by the simple name server (SNS).
• Fibre Channel fabrics are self-configuring via fabric protocols.
– iSCSI ( internet SCSI )
• For moderate performance requirements.
• Encapsulates SCSI commands, status and data in TCP/IP.
• Device discovery by the Internet Storage Name Service (iSNS).
• iSCSI servers can be integrated into Fibre Channel SANs through IP
storage routers.
Where To Be Virtualized
• Abstraction of physical storage
– Physical to virtual
• The cylinder, head and sector geometry of individual disks is
virtualized into logical block addresses (LBAs).
• For storage networks, the physical storage system is
identified by a network address / LUN pair.
• Combining RAID and JBOD assets to create a virtualized
mirror must accommodate performance differences.
– Metadata integrity
• Storage metadata integrity requires redundancy for failover
or load balancing.
• Virtualization intelligence may need to interface with upper
layer applications to ensure data consistency.
Where To Be Virtualized
• Different approaches :
– Host-based approach
• Implemented as a software
running on host systems.
– Network-based approach
• Implemented on network
devices.
– Storage-based approach
• Implemented on storage target
subsystem.
Storage-based Virtualization
• Storage-based approach
– File level
• Run software on storage device
to provide file based data
storage services to host
through network.
– Block level
• Embeds the technology in the
target storage devices.
– Provide services
• Storage pooling
• Replication and RAID
• Data sharing and tiering
(figure: a block kept as Block 1 replicas across devices, and a file split into sub-files 1, 2, 3 with backups 1.bak and 2.bak)
Storage-based Virtualization
• Array-based virtualization
– Storage controller
• Provide basic disk virtualization in the form of RAID
management, mirroring, and LUN mapping or masking.
• Allocate a single LUN to multiple servers.
• Offer Fibre Channel, iSCSI,
and SCSI protocol.
– Cache memory
• Enhance performance.
– Storage assets coordination
• Coordination between
multiple storage systems
is necessary to ensure high
availability.
Storage-based Virtualization
• Data replication
– Array-based data replication
• Referred to as disk-to-disk replication.
• Requires that a storage controller function concurrently as
both an initiator and target.
– Synchronous vs. Asynchronous
• Synchronous data replication ensures that a write operation
to a secondary disk array is completed before the primary
array acknowledges task completion to the server.
• Asynchronous data replication provides write completion by
the primary array, although the transaction may still be
pending to the secondary array.
Storage-based Virtualization
Synchronous Asynchronous
To preserve performance, synchronous data Asynchronous data replication is largely
replication is limited to metropolitan distances immune to transmission latency
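The trade-off in the two rows above (acknowledgement latency against what is lost when the primary fails) can be shown with a small model. The Python below is an added example, not code from the slides or from any array vendor; the arrays are dictionaries, the link delay is a constructed unit count, and the write sequence and the moment of failure are assumptions.

```python
"""Synchronous vs. asynchronous array-based replication and what each loses
when the primary fails.

Added example, not from the original slides. Arrays are dicts, link delay is a
constructed unit count, and the write sequence is constructed.
"""
from collections import deque


class Array:
    def __init__(self):
        self.blocks = {}


class ReplicatingPrimary:
    """Primary array acting as initiator towards the secondary array."""

    def __init__(self, secondary, mode, link_delay):
        self.local, self.secondary, self.mode = Array(), secondary, mode
        self.link = deque()            # writes still in flight to the secondary
        self.link_delay = link_delay   # round-trip cost in constructed time units
        self.ack_latency = []          # what the host waited for each write

    def write(self, lba, data):
        self.local.blocks[lba] = data
        if self.mode == "sync":
            self.secondary.blocks[lba] = data            # remote commit first ...
            self.ack_latency.append(1 + self.link_delay)  # ... so the host waits the round trip
        else:
            self.link.append((lba, data))                 # ack now, ship later
            self.ack_latency.append(1)

    def drain_link(self, n):
        """Deliver up to n pending writes to the secondary."""
        for _ in range(min(n, len(self.link))):
            lba, data = self.link.popleft()
            self.secondary.blocks[lba] = data


def run(mode, link_delay=10):
    secondary = Array()
    primary = ReplicatingPrimary(secondary, mode, link_delay)
    for i in range(5):
        primary.write(i, f"v{i}")
    primary.drain_link(2)   # only two in-flight writes crossed the link before ...
    # ... the primary fails; what survives is what the secondary holds
    lost = sorted(set(primary.local.blocks) - set(secondary.blocks))
    return {"mode": mode,
            "avg_ack_latency": sum(primary.ack_latency) / len(primary.ack_latency),
            "lost_writes": lost}
```

The synchronous run never loses an acknowledged write but pays the link round trip on every acknowledgement, which is why it is kept to short distances; the asynchronous run acknowledges in constant time and loses whatever was still queued at the moment of failure.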
Storage-based Virtualization
• Other features
– Point-in-time copy ( snapshot )
• Provide point-in-time copies of an entire storage volume.
• Snapshot copies may be written to secondary storage arrays.
• Provide an efficient means to quickly recover a known good
volume state in the event of data from the host.
– Distributed modular virtualization
• Decoupling storage controller logic from physical disk banks
provides flexibility for supporting heterogeneous disk assets and
facilitates distributed virtualization intelligence.
• Accommodates class of storage services and data lifecycle
management.
Storage-based Virtualization
Distributed Modular Virtualization
Decoupling storage controller intelligence and virtualization engines from
physical disk banks facilitates multi-protocol block data access and
accommodation of a broad range of disk architectures.
Storage-based Virtualization
• Storage-based implementation
– Pros
• Provide most of the benefits of storage virtualization
• Reduce additional latency to individual IO
– Cons
• Storage utilization optimized only across the connected
controllers
• Replication and data migration only possible across the
connected controllers and the same vendor's devices
– Examples
• Disk array products
Network Virtualization
• Introduction
• External network virtualization
– What to be virtualized ?
• Network device virtualization
• Network data path virtualization
– How to be virtualized ?
• Protocol approach
• Internal network virtualization
– Traditional approach
– New techniques
– Case study
Network Virtualization
• What is network virtualization ?
– In computing, Network Virtualization is the process of
combining hardware and software network resources and
network functionality into a single, software-based
administrative entity, a virtual network.

• Two categories :
– External network virtualization
• Combining many networks, or parts of networks, into a virtual unit.
– Internal network virtualization
• Providing network-like functionality to the software containers on a
single system.
Network Virtualization
• Desirable properties of network virtualization :
– Scalability
• Easy to extend resources in need
• Administrator can dynamically create or delete virtual network
connection
– Resilience
• Recover from the failures
• Virtual network will automatically redirect packets by redundant links
– Security
• Increased path isolation and user segmentation
• Virtual network should work with firewall software
– Availability
• Access network resource anytime
Network Virtualization
• External network virtualization in different layers :
– Layer 1
• Virtualization is seldom implemented in this physical data transmission layer.
– Layer 2
• Use tags in the Ethernet (MAC) frame to provide virtualization.
• Example: VLAN.
– Layer 3
• Use tunnel techniques to form a virtual network.
• Example: VPN.
– Layer 4 or higher
• Build an overlay network for a particular application.
• Example: P2P.
Network Virtualization
• Internal network virtualization in different layers :
– Layer 1
• Hypervisors usually do not need to emulate the physical layer.
– Layer 2
• Implement virtual L2 network devices, such as switches, in the hypervisor.
• Example: Linux TAP driver + Linux bridge.
– Layer 3
• Implement virtual L3 network devices, such as routers, in the hypervisor.
• Example: Linux TUN driver + Linux bridge + iptables.
– Layer 4 or higher
• Virtualization at layer 4 or higher is usually implemented in the guest
OS.
• Applications should make their own choice.
Introduction
External network virtualization
Internal network virtualization
NETWORK VIRTUALIZATION
Network Virtualization
• Two virtualization components :
– Device virtualization
• Virtualize physical devices in the
network
– Data path virtualization
• Virtualize communication path
between network access points
(figure: a data path crossing a router and a switch)
Network Virtualization
• Device virtualization
– Layer 2 solution
• Divide physical switch
into multiple logical
switches.
– Layer 3 solution
• VRF technique
( Virtual Routing and Forwarding )
• Emulate isolated routing tables
within one physical router.
Network Virtualization
• Data path virtualization
– Hop-to-hop case
• Consider the
virtualization applied on
a single hop data-path.
– Hop-to-cloud case
• Consider the
virtualization tunnels
allow multi-hop data-
path.
Network Virtualization
• Protocol approach
– Protocols usually used to approach data-path
virtualization.
– Three implementations
• 802.1Q – implement hop to hop data-path virtualization
• MPLS ( Multiprotocol Label Switch ) – implement
router and switch layer virtualization
• GRE (Generic Routing Encapsulation ) – implement
virtualization among wide variety of networks with
tunneling technique.
Network Virtualization
• 802.1Q
– Standard by IEEE 802.1
– Does not encapsulate the
original frame
– Adds a 32-bit field between the
source MAC address and the
EtherType field
• ETYPE (2B): Protocol
identifier
• Dot1Q Tag (2B): VLAN
number, priority code
(figure legend: CE: Customer Edge router, PE: Provider Edge router)
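The tag layout above (a 2-byte protocol identifier followed by a 2-byte tag carrying priority and VLAN number, inserted after the source MAC) is small enough to build and parse by hand, and a VLAN-aware switch model shows how the tag keeps VN 1 and VN 2 apart on one physical network. The Python below is an added example, not code from the slides; the MAC addresses, VLAN ids, the `VlanSwitch` class and its port configuration are constructed assumptions.

```python
"""Build and parse IEEE 802.1Q tagged Ethernet frames, and forward them through a
VLAN-aware switch so that two virtual networks share one link without mixing.

Added example, not from the original slides. MAC addresses, VLAN ids, the switch
class and the sample frames are constructed for illustration.
"""
import struct

TPID = 0x8100   # tag protocol identifier that marks an 802.1Q-tagged frame
ETH_IP = 0x0800


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


BCAST = mac("ff:ff:ff:ff:ff:ff")


def build_frame(dst, src, ethertype, payload, vlan=None, pcp=0, dei=0):
    """dst/src: 6-byte MACs. With vlan set, a 4-byte tag (TPID + TCI) is inserted
    between the source MAC and the EtherType; the original frame is not encapsulated."""
    frame = dst + src
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VID must be 1..4094")
        tci = (pcp & 0x7) << 13 | (dei & 0x1) << 12 | vlan   # PCP(3) DEI(1) VID(12)
        frame += struct.pack("!HH", TPID, tci)
    return frame + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    info = {"dst": dst, "src": src, "vlan": None, "pcp": None, "dei": None}
    offset = 14
    if etype == TPID:
        tci, etype = struct.unpack("!HH", frame[14:18])
        info.update(vlan=tci & 0x0FFF, pcp=tci >> 13, dei=(tci >> 12) & 1)
        offset = 18
    info["ethertype"], info["payload"] = etype, frame[offset:]
    return info


class VlanSwitch:
    """Ports carry a set of allowed VLANs; a frame is flooded only to other ports in
    its VLAN. Untagged frames are placed in the ingress port's native VLAN."""

    def __init__(self):
        self.ports = {}      # name -> {"allowed": set of VIDs, "native": VID}
        self.delivered = []  # (port, vid, payload) log

    def add_port(self, name, allowed, native):
        self.ports[name] = {"allowed": set(allowed), "native": native}

    def forward(self, ingress, frame):
        info = parse_frame(frame)
        vid = info["vlan"] if info["vlan"] is not None else self.ports[ingress]["native"]
        if vid not in self.ports[ingress]["allowed"]:
            return []        # tag not permitted on the ingress port: dropped
        out = [p for p, cfg in self.ports.items() if p != ingress and vid in cfg["allowed"]]
        for p in out:
            self.delivered.append((p, vid, info["payload"]))
        return out


def demo():
    sw = VlanSwitch()
    sw.add_port("vm1", allowed={10}, native=10)         # guest in VN 1
    sw.add_port("vm2", allowed={20}, native=20)         # guest in VN 2
    sw.add_port("uplink", allowed={10, 20}, native=10)  # trunk to the physical network
    return sw
```

The `forward` check on the ingress port is the policy point: a guest port that is only a member of VLAN 10 cannot place traffic into VLAN 20 by writing its own tag, and the trunk carries both VLANs without ever delivering one to the other.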
Network Virtualization
• Example of 802.1Q
(figure: two virtual networks, VN 1 and VN 2, each with its own source and destination, share one physical network)
Network Virtualization
• MPLS ( Multiprotocol Label Switch )
– Also classified as layer 2.5 virtualization
– Adds one or more labels into the packet
– Needs a Label Switch Router (LSR) to read the MPLS
header
Network Virtualization
• Example of MPLS
(figure: customer edge routers (CE) attach to label edge routers (LER) at the boundary of the physical network, whose core is made of label switch routers (LSR); VN 1 and VN 2 are carried by distinct label values)
Network Virtualization
• GRE ( Generic Routing Encapsulation )
– GRE is a tunnel protocol developed by Cisco
– Encapsulates a wide variety of network layer
protocols
– Stateless property
• This means the end-point doesn't keep information about
the state
(figure: tunnel built between the two endpoints)
Introduction
External network virtualization
Internal network virtualization
NETWORK VIRTUALIZATION
Internal Network Virtualization
• Internal network virtualization
– A single system is configured with containers, such as the Xen
domain, combined with hypervisor control programs or pseudo-
interfaces such as the VNIC, to create a “network in a box”.
– This solution improves overall efficiency of a single system by
isolating applications to separate containers and/or pseudo
interfaces.
– Virtual machine and virtual switch :
• The VMs are connected logically to each other so that they can send
data to and receive data from each other.
• Each virtual network is serviced by a single virtual switch.
• A virtual network can be connected to a physical network by
associating one or more network adapters (uplink adapters) with the
virtual switch.
Internal Network Virtualization
• Properties of virtual switch
– A virtual switch works much like a physical Ethernet switch.
– It detects which VMs are logically connected to each of its
virtual ports and uses that information to forward traffic to the
correct virtual machines.
• Typical virtual network configuration
– Communication network
• Connect VMs on different hosts
– Storage network
• Connect VMs to remote storage system
– Management network
• Individual links for system administration
Internal Network Virtualization
Network virtualization example from VMware
Traditional Approach
• In KVM system
– KVM focuses on CPU and memory virtualization, so the I/O
virtualization framework is provided by the QEMU project.
– In QEMU, the network interfaces of virtual machines connect
to the host through the TUN/TAP driver and a Linux bridge.
– Working with TUN/TAP and Linux bridge :
• Virtual machines connect to the host through a virtual network
adapter, which is implemented by the TUN/TAP driver.
• The virtual adapters connect to Linux bridges, which play the
role of virtual switches.
Traditional Approach
• TUN/TAP driver
– TUN and TAP are virtual network kernel drivers :
• TAP (as in network tap) simulates an Ethernet device and
operates with layer 2 packets such as Ethernet frames.
• TUN (as in network TUNnel) simulates a network layer device and
operates with layer 3 packets such as IP.
– Data flow of the TUN/TAP driver
• Packets sent by the operating system via a TUN/TAP device are
delivered to a user-space program that attaches itself to the device.
• A user-space program may pass packets into a TUN/TAP device.
The TUN/TAP device delivers (or "injects") these packets to the operating
system network stack, thus emulating their reception from an external
source.
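The "user-space program that attaches itself to the device" is what QEMU does for each guest NIC. The following Python program is an added example (not from the slides or from QEMU) showing the attach step and the read side of the data flow: it opens /dev/net/tun, binds a TAP device with the TUNSETIFF ioctl, and reads the frames the host stack transmits on that interface. The ioctl and flag values are the Linux ones from linux/if_tun.h; the interface name tap-demo and the address used in the usage comment are assumptions. open_tap() needs Linux and CAP_NET_ADMIN; the two helper functions are pure and run anywhere.

```python
import fcntl
import os
import struct

# ioctl request and flag values from <linux/if_tun.h>
TUNSETIFF = 0x400454CA
IFF_TUN = 0x0001       # layer-3 device: the program sees IP packets
IFF_TAP = 0x0002       # layer-2 device: the program sees Ethernet frames
IFF_NO_PI = 0x1000     # omit the 4-byte packet-info header on read/write
IFREQ_SIZE = 40        # sizeof(struct ifreq) on Linux


def ifreq_for(name: str, flags: int) -> bytes:
    """Build the struct ifreq passed to TUNSETIFF: a 16-byte interface name
    followed by the 16-bit ifr_flags word, padded to the C struct size."""
    raw = name.encode()
    if len(raw) > 15:                       # IFNAMSIZ - 1, leave room for NUL
        raise ValueError("interface name too long")
    return struct.pack("16sH", raw, flags).ljust(IFREQ_SIZE, b"\0")


def split_packet_info(buf: bytes):
    """Without IFF_NO_PI the kernel prepends struct tun_pi to every frame:
    16-bit flags (host order) and a 16-bit protocol in network byte order
    (the EtherType for a TAP device).  Returns (flags, proto, frame)."""
    (flags,) = struct.unpack_from("H", buf, 0)
    (proto,) = struct.unpack_from("!H", buf, 2)
    return flags, proto, buf[4:]


def open_tap(name: str, packet_info: bool = False) -> int:
    """Attach to (creating if needed) a TAP device and return its fd.
    Frames the host stack transmits on this interface are then read() by this
    program; frames it write()s are injected as if received from the wire.
    Needs Linux and CAP_NET_ADMIN."""
    flags = IFF_TAP if packet_info else IFF_TAP | IFF_NO_PI
    fd = os.open("/dev/net/tun", os.O_RDWR)
    fcntl.ioctl(fd, TUNSETIFF, ifreq_for(name, flags))
    return fd


if __name__ == "__main__":
    # Assumed interface name.  After starting this, run (as root)
    #   ip link set tap-demo up && ip addr add 192.0.2.1/24 dev tap-demo
    # and the host's ARP / IPv6 neighbour traffic shows up here.
    fd = open_tap("tap-demo", packet_info=True)
    while True:
        flags, proto, frame = split_packet_info(os.read(fd, 65535))
        print(f"proto=0x{proto:04x} len={len(frame)} "
              f"dst={frame[:6].hex(':')} src={frame[6:12].hex(':')}")
```

A hypervisor's virtual NIC is this loop with the frames handed to the guest instead of printed; the bridge described next is what connects several such TAP devices to each other and to the physical NIC.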
Traditional Approach
• Linux bridge
– Bridging is a forwarding technique used in packet-
switched computer networks.
– Unlike routing, bridging makes no assumptions about
where in a network a particular address is located.
– Bridging depends on flooding and examination of source
addresses in received packet headers to locate unknown
devices.
– Bridging connects multiple network
segments at the data link layer
(Layer 2) of the OSI model.
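To make the learning-and-flooding behaviour above concrete, here is a small software model of a learning bridge. It is an added example, not the Linux kernel bridge code: each port is just a name (the TAP devices of two VMs plus an uplink NIC), and the forwarding database is built only from the source addresses of frames already seen, exactly as the slide describes. Port names and MAC addresses are constructed.

```python
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class LearningBridge:
    """Ports are names (e.g. the tap devices of VMs plus the uplink NIC).
    fdb is the forwarding database: MAC address -> port where it was last seen."""
    ports: list
    fdb: dict = field(default_factory=dict)

    def handle(self, ingress: str, src: str, dst: str) -> list:
        """Decide where one frame goes; returns the list of egress ports.
        No assumption is made about where an address lives: the table is built
        purely from the source addresses of frames already received."""
        if ingress not in self.ports:
            raise ValueError(f"unknown port {ingress}")
        # Learning: the sender is reachable through the port it arrived on.
        # A later frame from the same MAC on another port simply overwrites it.
        self.fdb[src] = ingress
        if dst == BROADCAST or dst not in self.fdb:
            # Flooding: unknown or broadcast destination goes to every other port.
            return [p for p in self.ports if p != ingress]
        egress = self.fdb[dst]
        # Known destination: one port, and never back out of the ingress port.
        return [] if egress == ingress else [egress]


def demo():
    """Walk four frames through a bridge with two VM ports and one uplink and
    return the per-frame egress decisions plus the final table."""
    br = LearningBridge(ports=["vnet0", "vnet1", "eth0"])
    vm_a, vm_b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"   # constructed MACs
    decisions = [
        br.handle("vnet0", vm_a, vm_b),   # vm_b unknown: flooded to vnet1, eth0
        br.handle("vnet1", vm_b, vm_a),   # vm_a was learnt on vnet0: unicast
        br.handle("vnet0", vm_a, vm_b),   # vm_b now known on vnet1: unicast
        br.handle("vnet1", vm_a, vm_b),   # vm_a re-learnt on vnet1; dst is on
                                          # the ingress port, so nothing is sent
    ]
    return decisions, dict(br.fdb)


if __name__ == "__main__":
    for step, ports in enumerate(demo()[0], 1):
        print(f"frame {step}: egress {ports}")
```

The fourth frame shows why the table is only a hint: a station that shows up on a different port (a migrated VM, for instance) is re-learnt immediately, and a frame whose destination sits on its own ingress port is dropped rather than reflected.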
Traditional Approach
TAP/TUN driver + Linux Bridge
New Techniques
• In Xen system
– Since Xen uses para-virtualization, the guest OS loads
modified network interface drivers.
– The modified network interface drivers communicate with virtual
switches in Dom0, which play the role of the TAP device in the
traditional approach.
– The virtual switch in Xen can be
implemented by a Linux bridge
or by other optimized
implementations.
New Techniques
Detail in Xen System
New Techniques
• Some performance issues :
– Page remapping
• The hypervisor remaps memory pages
for MMIO.
– Context switching
• Every packet sent induces
one context switch from the guest to
Domain 0, which drives the real NIC.
– Software bridge management
• The Linux bridge is a pure software
implementation.
– Interrupt handling
• When an interrupt occurs, another
context switch is induced.
New Techniques
• Improve Xen performance by software
– Large effective MTU
– Fewer packets
– Lower per-byte cost
New Techniques
• Improve Xen performance by hardware
– CDNA (Concurrent Direct Network Access) hardware adapter
– Removes the driver domain from the data and interrupt paths
– The hypervisor is only responsible for virtual interrupts and
assigning contexts to guest OSes
Case Study
• VMware offers a hybrid
solution of network
virtualization in the cloud.
– Uses redundant links to
provide high availability.
– The virtual switch in the host OS
automatically detects
link failure and redirects
packets to the back-up links.
Network Virtualization Summary
• Virtualization in layers
– Usually in Layer 2 and Layer 3
• External network virtualization
– Layer 2
• 802.1q
– Layer 3
• MPLS, GRE
• Internal network virtualization
– Traditional approach
• TAP/TUN + Linux bridge
– New technique
• Virtual switch, CDNA
IaaS Case Study
• IaaS open source project – Eucalyptus
– Elastic Utility Computing Architecture
for Linking Your Programs to Useful Systems
IaaS Architecture of Eucalyptus
IaaS Case Study
Server Virtualization
IaaS Case Study
• System Component :
– Cloud Controller (CLC)
• Dispatches user requests to the clusters.
– Cluster Controller (CC)
• Determines whether a cluster has enough resources for virtual machine deployment.
– Node Controller (NC)
• Runs the users' virtual machines.
IaaS Case Study
Storage Virtualization
IaaS Case Study
• Two kinds of storage systems :
– Walrus ( S3 compatible )
• Mainly stores the images, provided by users or the
administrator, from which VMs boot.
– Storage Controller
• Mainly stores user-created logical volumes, which can
be attached to specified VMs at run time.
• Each storage controller in a cluster is controlled by
the corresponding cluster controller, and each VM
can use these logical volumes over the network.
IaaS Case Study
Network Virtualization
IaaS Case Study
• Network architecture :
– Bridge ( Virtual Switch )
• Lets the virtual machines on one node share the physical NICs.
– DHCP
• Maps the virtual MAC addresses of VMs to private IPs in the LAN.
– NAT
• Forwards packets to the public network (WAN).
– IP/MAC mapping table
• IP addresses are assigned by Eucalyptus.
• MAC addresses are assigned by the hypervisor.
• This mapping table is maintained by the Eucalyptus system.
