27. Full Virtualization Flashcards
What does it mean for an operating system to run on a physical machine?
Real hardware resources that the operating system has exclusive access to through hardware interfaces
(instructions set architectures, device I/O ports, etc)
What is a guest OS?
An operating system running inside a virtual machine
How do virtual machines differ from physical machines?
They do not provide the guest OS with exclusive access to the underlying physical machine
Equivalently, the do not provide the guest OS with privileged (or fully-privileged access to the physical machine)
What is the virtual machine monitor (VMM)?
A piece of software running on an operating system (the host OS) that can allow another operating system (the guest OS) to be run as an application alongside other applications.
When we said that the operating system was really just another program, we weren’t kidding!
What are four problems with coupling hardware resources with operating systems?
- Hard to run multiple operating systems on the same machine.
- Difficult to transfer software setups to another machine, unless it has identical or nearly identical hardware
- Messy to adjust hardware resources to system needs. Requires sticking your hand in the box and mucking around
- Requires static, up-front provision of machine resources
What are four issues that operating systems create around “isolation”?
- Operating systems “leak” a lot of information between processes through the file system and other channels
- Multiple applications may require specific (and conflicting) software packages to run
- Certain applications may have very specific operating systems configuration and tuning requirements
- In some cases, software vendors will not provide support if you are running their precious application alongside anything else
What are three reasons why we use virtualization?
- We can package and distribute an entire software development environment which can be used and discarded
- We can dynamically divide up one large machine into multiple smaller machines, each running a different operating system and applications.
- We can easily replicate an entire machine image in order to duplicate or move it
What are the three approaches to virtualization discussed in class?
Full virtualization, paravirtualization, and container virtualization
What is full virtualization?
Should be able to run an unmodified guest OS.
Example: VirtualBox
What is paravirtualization?
Includes small changes to the guest OS to improve interaction with the virtual machine monitor.
Examples: Xen, Amazon EC2
What is container virtualization?
Namespace and other isolation techniques performed by the OS to isolate sets of applications from each other
Ex: Docker (with augmentations)
What is the goal of full virtualization?
Run an unmodified OS and applications in a VM which is itself running on a host OS and potentially next to other VMs
Why is VMware special?
They are the best-known provider of full virtualization software solutions
Why is it hard to achieve full virtualization (unmodified running of an OS on a VM alongside other VMs)?
Two issues:
- How do we handle traps by applications running in the guest OS?
- Guest OS will try to execute privileged instructions!
What happens if we run a guest OS with kernel privileges?
Privileged instructions work as expected, but guest has access to the entire machine! (this violates safety)
What happens if we run the Guest OS with user privileges?
Now we need to figure out how to deal with privileged kernel instructions…
Ideally, when privileged instructions are run by the guest OS at user privilege level, these three things happen:
- The CPU traps the instruction due to a privilege violation
- The trap is handled by the VMM
- Assuming the guest OS is doing something legitimate, the VMM adjusts the VM state and continues the guest OS
This approach is referred to as trap and emulate
What does the VMM do with traps that occur within the virtual machine?
If the trap is caused by an application, pass the trap to the guest OS
If the trap is caused by the guest OS, handle the trap by adjusting the state of the virtual machine
What happens when an application running inside the virtual machine makes a system call?
- syscall: host OS vectors trap to VMM
- VMM inspects trap, identifies it as a system call, and passes control and arguments to the guest OS trap handling code
- rfe: when the guest OS is done, it will also tra back to the VMM by executing a privileged instruction
- VMM will pass arguments back to the process that originated the system call
What happens when a process inside the virtual machine creates a TLB fault?
- Trap to the host OS
- Hand trap to the VMM
- VMM inspects trap, sees that it was generated by the application, passes control to the guest OS
- Guest OS begins handling the TLB fault, tries to load an entry into the TLB
- Trap to the host OS
- Hand trap to the VMM
- VMM inspects trap, sees that it was generated by the guest OS, adjusts the state of the virtual machine appropriately
What is actually being virtualized in hardware virtualization?
The hardware interface
What is the hardware interface?
Load and store
How do we ensure safety when dealing with the hardware interface?
Translate every unprivileged memory access
How do we get good performance when translating unprivileged memory accesses?
Cache translations in the TLB
What is the interface for full hardware virtualization?
All instructions executed on the processor that modify the state of the machine
How do we ensure safety when dealing with full hardware interface?
Intercept or rewrite unsafe instructions that could “pierce” the VM
How do we get good performance when intercepting or rewriting unsafe instructions in full hardware virtualization?
Allow safe instructions to run directly on the physical hardware (or “bare metal”)
Why is the x86 architecture not (or was not) classically virtualizable?
Some instructions did not trap correctly, and others had different side effects when run in kernel or user mode.
What was VMware’s solution to x86 not being classically virtualizable?
Binary translation:
During guest OS execution, scan code pages for non-virtualizable instructions and rewrite them to safe instruction sequences.
Also, cache translations to improve performance
