SLIDE 1

Virtualization of Linux based computers: the Linux-VServer project

Benoît des Ligneris, Ph. D.
Benoit.des.Ligneris@RevolutionLinux.com

SLIDE 4

Objectives:

1) Present the available programs that can provide a virtualization of Linux computers with different technologies.
2) Focus on Linux-VServers: a very lightweight and effective technology for the regular Linux user not interested in kernel hacking.

SLIDE 11

Plan

  • Introduction
  • Overview of the available technology
  • Classification of the problems: usage criteria
  • Comparative study of the existing technology
  • Technology overview of Linux-VServers
  • Conclusion

SLIDE 16

Introduction

  • Why vservers?

➔ Virtualization is now more and more accessible for regular users given the extreme processing power of the current computers

➔ The availability of COTS multi-processor 64 bit architecture accelerates the need for a mature virtualization technique, as it's more and more difficult for a common application to use 100% of the available resources

➔ Virtualization also affects scientific computing and could become, in the near future, the cornerstone of the so-called «grid computing» as it elegantly solves most of the problems (security, resource consumption) of the current Grid technology

SLIDE 24

Overview of the available technology

  • VMware
  • plex86
  • Bochs
  • Linux-VServers
  • User Mode Linux (UML)
  • Xen
  • QEMU

SLIDE 26

VMware

« VMware workstation is a powerful virtual machine software for the desktop. VMware workstation runs multiple operating systems, including Microsoft Windows, Linux and Novell NetWare, simultaneously on a single PC in fully networked, portable virtual machines » http://www.vmware.com/products/

SLIDE 29

VMware

➔ Provides complete multi-OS emulation on x86 CPU only

➔ The whole installation process of a Linux distribution can be done with VMware

➔ Resource consumption is static (RAM, disk, etc.) and very high (up to 50% of the available computing power!)

SLIDE 34

plex86

« (...) a very lightweight Virtual Machine (VM) for running Linux/x86 » http://plex86.sourceforge.net/ (Feb/2005)

➔ Uses the same VMware logic but is restricted to Linux OS only (native OS as well as guest OS)

➔ The kernel of the guest OS must be recompiled

➔ Very slow at the time of this writing

SLIDE 36

Bochs

« Bochs is a highly portable open source IA-32 (x86) PC emulator written in C++, that runs on most popular platforms. It includes emulation of the Intel x86 CPU, common I/O devices and a custom BIOS. Currently, Bochs can be compiled to emulate a 386, 486, Pentium, Pentium Pro or AMD64 CPU including optional MMX, SSE, SSE2 and 3DNow instructions » http://bochs.sourceforge.net/ (Feb/2005)

SLIDE 38

Bochs

➔ The performance of Bochs does not compare to VMware or plex86, mainly because it emulates the CPU instead of using the native instruction set of the IA-32 CPUs

➔ There is no locking mechanism for the disks.

SLIDE 40

The Linux-VServers

« Linux-VServer allows you to create virtual private servers and security contexts which operate like a normal Linux server, but allow many independent servers to be run simultaneously in one box at full speed » http://www.linux-vserver.org (Feb/2005)

SLIDE 44

The Linux-VServers

➔ The Linux-VServer project consists of a kernel patch and installation of userland tools

➔ It manages resources dynamically: a single kernel is in charge of allocating resources.

➔ Priority, memory, disk space, CPU ticks can be managed dynamically for a given vserver.

➔ Because only one kernel accesses the hardware and interrupts, it uses the advanced management mechanism already present in the Linux kernel

SLIDE 47

The Linux-VServers

➔ As a consequence, this is a very fast and lightweight system as only the necessary services are run (ssh, http, postfix, etc.) and not a complete boot process.

➔ Additional security occurs inside a vserver; the Linux-VServer uses the POSIX capabilities to increase its security.

➔ Network access, device access and many more capabilities can be given or taken in order to have a more secure virtual server.
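
Added example (not from the presentation or the Linux-VServer project): giving or taking capabilities, checked from the defender's side. It decodes the capability masks that a current Linux kernel reports in /proc/<pid>/status and lists any that a guest policy says should have been removed. The DENIED policy, the two sample status texts and the function names are assumptions made for this illustration, and the Linux-VServer tools themselves are not used.

```python
"""Audit a process's POSIX capability sets from /proc/<pid>/status text."""

# Bit numbers of the first 32 capabilities, as defined in <linux/capability.h>.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
]

# Fields of /proc/<pid>/status that carry a capability mask in hex.
CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd")

# Hypothetical guest policy: capabilities a virtual server should not hold,
# with the kind of access each one grants.
DENIED = {
    "CAP_NET_ADMIN": "network: interfaces, routes, firewall rules",
    "CAP_NET_RAW": "network: raw and packet sockets",
    "CAP_MKNOD": "devices: create device nodes",
    "CAP_SYS_RAWIO": "devices: raw I/O ports and memory",
    "CAP_SYS_MODULE": "kernel: load and unload modules",
    "CAP_SYS_ADMIN": "kernel: mount and other admin operations",
    "CAP_SYS_TIME": "host: set the system clock",
    "CAP_SYS_BOOT": "host: reboot",
}

# Constructed sample: a guest process with the risky capabilities removed.
HARDENED = """Name:\tsshd
Pid:\t412
CapInh:\t0000000000000000
CapPrm:\t00000000000404fb
CapEff:\t00000000000404fb
CapBnd:\t00000000000404fb
"""

# Constructed sample: same effective set, but the bounding set still allows
# CAP_NET_RAW and CAP_MKNOD, so a later exec could regain them.
LEAKY = """Name:\tsshd
Pid:\t413
CapInh:\t0000000000000000
CapPrm:\t00000000000404fb
CapEff:\t00000000000404fb
CapBnd:\t00000000080424fb
"""


def parse_cap_sets(status_text):
    """Return {field: mask} for the capability lines of a status file."""
    sets = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key in CAP_FIELDS:
            sets[key] = int(value.strip(), 16)
    return sets


def decode(mask):
    """Turn a capability bit mask into a list of names, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits beyond the table are reported by number, not guessed.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"bit_{bit}")
        bit += 1
    return names


def audit(status_text, denied=DENIED):
    """Return {field: [denied capabilities still present]}; empty if clean."""
    findings = {}
    for field, mask in parse_cap_sets(status_text).items():
        hits = sorted(name for name in decode(mask) if name in denied)
        if hits:
            findings[field] = hits
    return findings


if __name__ == "__main__":
    for label, text in (("hardened", HARDENED), ("leaky", LEAKY)):
        result = audit(text)
        print(label, "->", "clean" if not result else result)
        for field, caps in result.items():
            for cap in caps:
                print(f"  {field}: {cap} ({DENIED[cap]})")
```
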

SLIDE 51

User-Mode Linux (UML)

« User-Mode Linux is a safe, secure way of running Linux versions and Linux processes. Run buggy software, experiment with new Linux Kernel or distributions, and poke around in the internals of Linux, all without risking your main Linux setup » http://user-mode-linux.sourceforge.net/ (Feb/2005)

➔ Very slow performance because only one program can run in privileged mode: the host kernel that supports the hosted ones

➔ The performance penalty is very high and a complete boot process is necessary

SLIDE 53

Xen

« Xen is a virtual machine monitor for x86 that supports execution of multiple guest operating systems with unprecedented levels of performance and resource isolation » http://www.cl.cam.ac.uk/Research/SRG/netos/xen/ (Feb/2005)

SLIDE 56

Xen

➔ This is achieved by installing a kind of «mega-bios» layer (Xen) that hides the physical hardware and provides supported OS specific «Xen drivers» in order to interact with the Xen abstraction layer.

➔ The virtual servers interact with Xen hardware (including CPU) and need a specific kernel, but applications can run unchanged.

➔ A lightweight technology, but demands complete systems to be «booted» inside the Xen domains (virtual servers) so resource consumption (RAM, CPU, processes, etc.) is much higher than with the Linux-VServer project.

SLIDE 58

QEMU

« QEMU is a generic and open source processor emulator which achieves a good emulation speed by using dynamic translation » http://fabrice.bellard.free.fr/qemu/ (Feb/2005)

SLIDE 62

QEMU

➔ Emulates only the x86 family of processors

➔ Supports emulation of user code on other architectures (ARM, SPARC, PowerPC)

➔ Emulation is, by default, very slow; a non-free layer (QEMU accelerator) gives much better performance on the same architecture (x86 emulated on x86)

➔ A young and still very experimental project

SLIDE 64

Classification of problems: usage criteria

Below we present several needs for computer virtualization and use those criteria to compare the selected technologies

SLIDE 72

Classification of problems: usage criteria

  • Multi OS
  • Kernel development / debugging
  • OS installation process
  • Resources consumption
  • Dynamical allocation of resources
  • Multi architecture
  • Maturity
  • Security

SLIDE 75

Multi OS

➔ Some virtualization technologies only support one type of OS (Linux, Windows, FreeBSD, etc.) while others are more generic and can run Linux on Windows, Windows on Linux, etc.

➔ Multi OS virtualization systems include VMware and Xen.

SLIDE 78

Kernel development / debugging

➔ Some users need to develop the kernel. This criterion defines whether or not those tasks can be achieved with the chosen virtualization technique

➔ UML has been designed for kernel hacking and development

SLIDE 81

OS installation process

➔ Some users need to reproduce the complete installation of a system (install CD, network boot, hard disk partitioning, etc.).

➔ VMware perfectly supports the simulation of the installation process for the supported Linux distributions

SLIDE 85

Resources consumption

➔ This criterion defines how many resources a virtual computer needs in order to be fully functional.

➔ For each virtualization technique, the approximate resource consumption of a fully functional virtual server has been estimated.

➔ VMware needs a lot of resources, as does UML, then Xen and finally Linux-VServers.

slide-88
SLIDE 88
  • Dynamical allocation of resources

➔ Some users need to dynamically change the resources used by a virtual computer. Some virtualization programs allow the user to change the resources available to the virtual server live, while others cannot.

➔ UML, Xen and Linux-VServers can dynamically allocate resources and ensure QoS criteria between the virtual servers and the host system.

slide-91
SLIDE 91
  • Multi architecture

➔ Some virtualization technologies support only one type of architecture, x86 for the most part.

➔ UML and Linux-VServers support several architectures.

slide-96
SLIDE 96
  • Maturity

➔ This is a relative indicator of the maturity of the technology.

➔ VMware is very mature (but not well supported with 2.6 kernel and more experimental kernels)

➔ UML and Linux-VServer are production ready

➔ Xen is more experimental

slide-98
SLIDE 98
  • Security

➔ While all virtualization techniques increase security by allowing system administrators to cleanly separate services on different virtual servers, some of them offer additional protections with rules/roles and additional security models that can make a virtual server more robust than a real one.

slide-100
SLIDE 100
  • Security

➔ Linux-VServer shares some code with the guest OS and this can be considered as a vulnerability.

➔ We did not consider this as a vulnerability because we consider that if a security problem occurs in the kernel in a primitive method used by a Linux-VServer (chroot, chcontext, chbind, etc) then every Linux server (vserver or not) has this problem and has to be upgraded.

slide-102
SLIDE 102
  • Security

➔ In this context, the Linux-VServer project is the most «security oriented» because it offers additional security features (POSIX capabilities).

➔ The other technologies do not provide additional security.

slide-105
SLIDE 105

Comparative study of the existing technology

➔ Only the major virtualization techniques will be analyzed

➔ The Bochs and plex86 projects will not be compared with the others as they are not yet fully functional

slide-106
SLIDE 106

Comparative study of the existing technology

| Name | Multi OS | Kernel Development | Install Process | Resources | Dynamical Resources | Security | Maturity | Architecture |
|---|---|---|---|---|---|---|---|---|
| VMware | Yes | No | Yes | 2 Gb | No | No | Good | x86 |
| Linux-VServer | No | No | No | 256 Mb | Yes | Yes | Excellent | x86, IA64, x86_64 |
| UML | No | Yes | No | 1 Gb | No | No | Good | x86, IA64, x86_64 |
| Xen | Yes | Exp. | Yes | 1 Gb | No | No | Young | x86 |
| QEMU | Exp. | No | Exp. | 1 Gb | No | No | Young | x86 |

slide-107
SLIDE 107

Comparative study of the existing technology

➔ Based on the user's needs, one should be able to easily choose the best suited virtualization technique

slide-115
SLIDE 115

➔ In order to facilitate this process, we have established some basic use-cases for the virtualization of computers:

  • Hosting
  • Testing one application
  • Build environment or development environment
  • Testing distributed application and/or complex upgrade process
  • Security usage
  • High availability
  • Disaster recovery

slide-119
SLIDE 119
  • Hosting

➔ An Internet provider, or someone who simply has to provide access to one or several hosts on a real system.

➔ The resources consumption is very small because only the needed processes are started on the vservers.

➔ Additional security is provided by the POSIX capabilities

slide-122
SLIDE 122
  • Hosting

➔ On demand servers can be created in seconds and delivered to the customer.

➔ Every Linux-VServer consists only of files that can be easily backed up and restored on another server if needed.

➔ Unification is a mechanism at the package level that allows Linux-VServers to share programs and libraries

slide-126
SLIDE 126
  • Testing one application

➔ Perform stress tests or unit testing on one application.

➔ It is easy to move a Linux-VServer to different hardware to compare performance.

➔ Because the regular device drivers are used, the impact of the virtualization layer on performance measurement is expected to be negligible.

slide-131
SLIDE 131
  • Build environment or development environment

  • Easy to create, on demand, different versions of distributions from a host system

  • Development starting from a clean virtual server:

➔ Greatly improves bug reproducibility and the development process

➔ When a bug is found, the vserver where the bug can be triggered can be easily copied and «given» to the developer in charge.

slide-135
SLIDE 135
  • Testing distributed application and/or complex upgrade process

➔ One of the problems for complex applications is the fact that it is very difficult to reproduce, in the laboratory, an environment similar to the production one.

➔ As a consequence, and while this is certainly not best practice, developers often need to develop on or «near» the production systems.

➔ With one of the virtualization techniques it is very easy to duplicate the production environment in the laboratory: just copy your production virtual computer on a development system.

slide-139
SLIDE 139
  • Security usage

➔ The KISS¹ principle encourages the deployment of simple systems that only deliver one service per system.

➔ This principle is rarely used in the field because it would lead to a very big increase in the number of physical computers.

➔ In turn, because modern computers have huge computing power, those computers would be under-used.

¹ Keep It Simple and Stupid

slide-142
SLIDE 142
  • High availability

➔ While Xen is presently one of the first to manage load balancing between live computers, one can easily set up a high availability system with any virtualization technique.

➔ A cold swap server that is synced either periodically (cron is your friend) or live, either at the application level (replication for MySQL, PostgreSQL, LDAP, etc) or with a low level tool like DR-DB/

slide-144
SLIDE 144
  • High availability

➔ Then the hot or cold backup virtual-server can monitor failures from the other virtual-server and provide a very inexpensive high availability layer.

➔ One can even use this procedure on a single hardware system: this will provide what we called «software high availability» and protect the user from software bugs.

slide-147
SLIDE 147
  • Disaster recovery

➔ Virtualization deeply modifies this area of modern computing by providing an abstraction layer between the hardware and the virtual servers.

➔ This means that heterogeneous hardware can easily be used, without additional risk, to provide disaster recovery capacities.

slide-152
SLIDE 152

Technology overview of Linux-VServers

➔ http://linux-vserver.org

➔ Created by Jacques Gelinas, a well known Linux hacker from Quebec (Linuxconf, insmod/modprobe, umsdos, etc).

➔ The project is now led by Herbert Poetzl and a lot of development occurs

➔ The community is very active and supportive

slide-157
SLIDE 157

Technology overview of Linux-VServers

The Linux-VServer project can be seen as the integration of 4 concepts, half of them having been specifically developed for the project:

  • chroot: disk isolation
  • chcontext: process isolation
  • chbind: network isolation
  • capabilities: additional security

slide-162
SLIDE 162
  • chroot: disk isolation

➔ Once called, the chroot system call allows the following commands to start from a different filesystem root.

➔ This provides what we can call «disk isolation».

➔ It is very common to use a chrooted environment for security sensitive services (FTP, Bind, etc).

➔ If the chrooted service is hacked, only the files writable inside the chroot can be compromised.

slide-163
SLIDE 163
  • chroot: disk isolation

Briefly: the root of all the commands run in a Linux-VServer is not the same as the host system root. This provides file system isolation.
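An added example, not from the original slides, of how a service is typically confined with chroot: the call changes only the root directory, so the code also moves the working directory into the jail and gives up root before doing any work. The uid/gid 65534, the helper names and the one-file jail are assumptions made for the illustration.

```python
import json
import os
import tempfile

NOBODY = 65534  # assumption: the conventional unprivileged uid/gid on Linux


def enter_jail(jail_dir, uid=NOBODY, gid=NOBODY):
    """Confine the calling process to jail_dir and give up root for good."""
    os.chroot(jail_dir)  # new filesystem root for this process and its children
    os.chdir("/")        # chroot() leaves the cwd untouched; step inside the jail
    os.setgroups([])     # drop supplementary groups while still privileged
    os.setgid(gid)       # group before user: after setuid() this would fail
    os.setuid(uid)       # real, effective and saved uid change; no way back


def probe_jail(jail_dir):
    """Jail a forked child (standing in for the service) and report its view.

    Returns {"root_listing": [...], "uid": n}, or {"error": name} when the
    caller may not chroot or switch uid (for example, not started as root).
    """
    read_fd, write_fd = os.pipe()
    pid = os.fork()
    if pid == 0:
        try:
            os.close(read_fd)
            try:
                enter_jail(jail_dir)
                report = {"root_listing": sorted(os.listdir("/")),
                          "uid": os.getuid()}
            except OSError as exc:
                report = {"error": type(exc).__name__}
            os.write(write_fd, json.dumps(report).encode())
        finally:
            os._exit(0)  # never fall back into the parent's code path
    os.close(write_fd)
    with os.fdopen(read_fd, "rb") as pipe:
        data = pipe.read()
    os.waitpid(pid, 0)
    return json.loads(data) if data else {"error": "ChildKilled"}


def demo():
    """Build a constructed one-file jail and show what a jailed child sees."""
    with tempfile.TemporaryDirectory() as jail:
        os.chmod(jail, 0o755)  # the unprivileged uid must be able to list it
        open(os.path.join(jail, "only-file-in-jail"), "w").close()
        return probe_jail(jail)


if __name__ == "__main__":
    print(demo())
```

Run as root, the child reports a root directory containing only the jail's own file; run unprivileged, it reports the permission error instead.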

slide-167
SLIDE 167
  • chcontext: process isolation

➔ This is a specific vserver system call that creates a new security context.

➔ This provides what we call «process isolation».

➔ The usual or «hosted» security context is the context "0", which has the same privileges as the root user (UID 0): it can see and kill other tasks in the other contexts.

slide-169
SLIDE 169
  • chcontext: process isolation

➔ Except for context number 1, which is used to «view» other contexts but cannot affect them, the context isolation is complete: processes from one context can neither see nor interact with processes from another context.

➔ This provides the ability to run similar contexts on the same computer without any interaction possible at the application level.

slide-170
SLIDE 170
  • chcontext: process isolation

Briefly: the root of all the commands run in a Linux-VServer is not the same as the host system root. This provides file system isolation.

slide-175
SLIDE 175
  • chbind: network isolation

➔ The other vserver-specific system call, which provides «network isolation».

➔ Once called, all traffic sent by any of the network interfaces is altered so that it comes from the argument given to chbind (an IPv4 or IPv6 address).

➔ Processes run from one chbind send packets with one IP address while processes run from another chbind send packets with another IP address.

➔ This uses the virtual device infrastructure that allows a computer with a single NIC to have numerous IP addresses.

slide-176
SLIDE 176
  • chbind: network isolation

Briefly: each packet sent from a Linux-VServer has its origin set to a well defined IP address. This provides network isolation.

slide-180
SLIDE 180
  • capabilities: additional security

➔ The POSIX capabilities were designed to «harden» a POSIX system.

➔ A root account in a default Linux-VServer has far fewer privileges than a root account on a regular Linux server.

➔ For instance, IP addresses cannot be changed (no ifconfig!), nodes cannot be created (no mknod), hardware time cannot be set, etc.

slide-181
SLIDE 181
  • capabilities: additional security

➔ This is especially interesting because it fits very nicely with the Linux-VServer model, where only the host server can set up certain properties of the vserver (IP address, time, network interface, etc) and the Linux-VServers cannot alter those settings (for obvious security reasons).

slide-182
SLIDE 182
  • capabilities: additional security

Briefly: each Linux-VServer has a set of capabilities (none by default) in order to be able to work. Strictly speaking, this means that a root on a Linux-VServer has far fewer «privileges» than a root account on a regular Linux server. This provides «root»-isolation.
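One way to check the reduced-root claim on a running guest, as an added example that is not part of the original slides: decode the capability masks that current Linux kernels print in /proc/<pid>/status and report any of the host-only privileges the slides list. The mapping of ifconfig, mknod and clock setting to CAP_NET_ADMIN, CAP_MKNOD and CAP_SYS_TIME, the helper names and the sample status text are supplied here rather than taken from the talk.

```python
# Bit numbers from <linux/capability.h> for the operations the slides mention.
# Assumption: this slide-to-capability mapping is added here, not the talk's.
HOST_ONLY_CAPS = {
    "CAP_NET_ADMIN": 12,  # change interface addresses (ifconfig)
    "CAP_SYS_TIME": 25,   # set the system and hardware clock
    "CAP_MKNOD": 27,      # create device nodes (mknod)
}
MASK_FIELDS = ("CapPrm", "CapEff", "CapBnd")


def parse_cap_masks(status_text):
    """Return {field: int} for the capability masks in /proc/<pid>/status."""
    masks = {}
    for line in status_text.splitlines():
        field, sep, value = line.partition(":")
        if sep and field in MASK_FIELDS:
            masks[field] = int(value.strip(), 16)
    if "CapEff" not in masks:
        raise ValueError("no CapEff line: not a /proc/<pid>/status dump?")
    return masks


def host_only_caps_held(status_text):
    """List, per mask, the host-only capabilities a process still holds.

    CapEff is what the process can use now, CapPrm what it can re-enable,
    and CapBnd limits what any program it executes can gain. A well-confined
    guest root should come back empty for all three.
    """
    findings = {}
    for field, mask in parse_cap_masks(status_text).items():
        held = sorted(n for n, bit in HOST_ONLY_CAPS.items() if (mask >> bit) & 1)
        if held:
            findings[field] = held
    return findings


def status(prm, eff, bnd):
    """Build a constructed /proc/<pid>/status excerpt (not a real capture)."""
    return (f"Name:\tinit\nUid:\t0\t0\t0\t0\n"
            f"CapPrm:\t{prm}\nCapEff:\t{eff}\nCapBnd:\t{bnd}\n")


FULL = "000001ffffffffff"        # constructed: all capability bits set
REDUCED = "00000000000404fb"     # constructed guest set without the three above
WITH_MKNOD = "00000000080404fb"  # REDUCED plus bit 27 (CAP_MKNOD)

HOST_ROOT = status(FULL, FULL, FULL)
GUEST_ROOT = status(REDUCED, REDUCED, REDUCED)
LEAKY_GUEST = status(REDUCED, REDUCED, WITH_MKNOD)  # clean CapEff, loose CapBnd

if __name__ == "__main__":
    for name, text in (("host", HOST_ROOT), ("guest", GUEST_ROOT),
                       ("leaky", LEAKY_GUEST)):
        print(name, host_only_caps_held(text))
```

The third sample is the case worth looking for: the effective set is clean, but the bounding set would still let an executed program gain mknod.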

slide-183
SLIDE 183

How it works?

[Diagram: the host system (context 0) runs kernel 2.6.8.1-vs1.9.2 and owns the RAM and devices; it hosts four guests, Vserver1, Vserver2, Vserver3 and Vserver4, in contexts 413455, 23456, 3456 and 234656.]

slide-189
SLIDE 189

How it works?

  • Context 0 has power over all the other contexts
  • Context 1: can only watch the other contexts (special)
  • Other contexts: can only see themselves.
  • Devices: it's the host server (context 0) that decides who has access to what
  • Example: network, mount points, /proc, etc.

slide-191
SLIDE 191

Conclusion

  • Because of its maturity (several production systems with more than 20 Linux-VServers in production for years) and because this is the most lightweight virtualization technique, we believe that Linux-VServer is the best tool for virtualizing Linux servers on a Linux operating system host.

slide-192
SLIDE 192

Conclusion

  • There are some cases where other techniques are necessary, mainly running another OS and kernel development, but besides these two cases, the Linux-VServer is really the best virtualization technique available.

slide-194
SLIDE 194

Conclusion

  • The use of a single kernel for all the Linux-VServers hosted on one system provides the project several key advantages when compared to other virtualization techniques:

➔ Lightweight: only services are started on the hosted Linux-VServer, not all the processes resulting from a complete boot process.

slide-196
SLIDE 196

Conclusion

➔ Uses the latest Linux kernel development easily: for instance, with the O(1) scheduler, all the processes are well prioritized.

➔ Native usage of device drivers: with the Linux-VServer project, one can use the latest kernel drivers without any performance penalty introduced by the virtualization layer.

slide-197
SLIDE 197

Acknowledgements

This research has been funded by the National Research Council's Industrial Research Assistance Program (NRC-IRAP), project number 547017.

Jacques Gelinas, for the original idea and valuable discussion.

Herbert Poetzl, the current project leader.

The Linux-VServer community for their positive attitude.

slide-198
SLIDE 198

...