Virtalization

Hypervisor

A hypervisor or virtual machine monitor (VMM) is computer software, firmware, or hardware, that creates and runs virtual machines.
it is a piece of software that enables you to run one or more VMs on a physical server.

  • Host
  • Guest
  • Container

Term

  • kernel: supervisor
  • hypervisor: the supervisor of the supervisors

Type-1, native or bare-metal hypervisors

  • Run directly on the host's hardware (without an OS)
  • ex: Xen, Microsoft Hyper-V and VMware ESX/ESXi.

Type-2 or hosted hypervisors

  • These hypervisors run on a operating system just as other computer programs do.
  • A guest operating system runs as a process on the host.
  • VMware Workstation, VMware Player, VirtualBox, Parallels Desktop for Mac and QEMU.

Linux's Kernel-based Virtual Machine (KVM) module effectively convert the host operating system to a type-1 hypervisor.
At the same time, since Linux distributions are still general-purpose operating systems, with other applications competing for VM resources, KVM can also be categorized as type-2 hypervisors.

Basic CPU stuff

Privileges & Rings

A program is usually limited to its own address space so that it cannot access or modify other running programs or the operating system itself, and is usually prevented from directly manipulating hardware devices.

  • What when a simple application needs acces to these components?
    • system calls are a well defined and safe implementations for such operations which operating system provides.

System call

System call is a way in which a computer program requests a service from the kernel of the operating system it is executed on.

  • operation system (kernel) : highest level -> ring0
  • program requests a service via system call
  • cpu goes into a elevated privilege level (passes control to the kernel)
  • kernel: should the program request be granted?
    • the kernel executes a specific set of instructions
    • returns the privilege level to that of the calling program
    • return to calling program

Privileged instruction

a privileged instruction is a processor op-code (assembler instruction) which can only be executed in "supervisor" (or Ring-0) mode.
These types of instructions tend to be used to access I/O devices and protected data structures from the kernel.
Regular programs execute in "user mode" (Ring-3) which disallows direct access to I/O devices, etc.

Virtualization technologies

- Full Virtualization using Binary Translation

  • The guest OS is not aware it is being virtualized
  • User level code is directly executed on the processor for high performance virtualization
  • Requires no modification is os nor hardware assist.
  • Hypervisor translates all operating system instructions on the fly and cache them for future.
  • Binary translation purpose:
    • Replace nonvirtualizable instructions with new sequences of instructions that have the intended effect on the virtual hardware.
      • instead of executing directly on the real hardware, translate them in a way that can be run on virtual ones (Bios, Memory, etc)
    • Different architecture

- OS Assisted Virtualization or Paravirtualization

  • Refers to communication between the guest OS and the hypervisor to improve performance and efficiency.
  • Involves modifying the OS kernel to replace non-virtualizable instructions with hypercalls that communicate directly with the virtualization layer hypervisor.
  • The hypervisor also provides hypercall interfaces for other critical kernel operations such as memory management, interrupt handling and time keeping.
  • paravirtualization is different from full virtualization, where the unmodified OS does not know it is virtualized and sensitive OS calls are trapped using binary translation.
Hypercall

hypercall is to a hypervisor what a syscall is to a kernel.
A hypercall is a software trap from a virtual machine to the hypervisor, just as a syscall is a software trap from an application to the kernel.
Domains will use hypercalls to request privileged operations like updating pagetables.

- Hardware Assisted Virtualization

  • Intel Virtualization Technology (VT-x) and AMD’s AMD-V which both target privileged instructions with a new CPU execution mode feature that allows the VMM to run in a new root mode below ring 0.
  • Guest can execute privileged instructions directly on the processor.
  • Xen calls it hardware virtual machine (HVM).

In [ ]:
https://en.wikipedia.org/wiki/Hypervisor
https://en.wikipedia.org/wiki/X86_virtualization#Intel_virtualization_.28VT-x.29
https://en.wikipedia.org/wiki/Protection_ring
https://en.wikipedia.org/wiki/System_call
https://stackoverflow.com/questions/89607/what-is-a-privileged-instruction
http://www.cs.princeton.edu/courses/archive/spr01/cs217/slides/21.os.pdf
https://wiki.xen.org/wiki/Hypercall
https://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/techpaper/VMware_paravirtualization.pdf

Lecture notes

License

Creative Commons License

Linux Notes by Milad As (Ravexina) is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.

ravexina's gitlab

ravexina's github