Lec 3: Virtualization & Containerization

Question 1

What are the relevant OS concepts?

Answer 1

Process scheduling
Virtual memory

Question 2

What is a process?

Answer 2

A process is a program that is executed. It is a basic unit of execution in an OS.

Question 3

What is process scheduling (time-sharing)?

Answer 3

-Each process is scheduled and executed within their time share.
-The number of processes can be much larger than that of the CPUs.

Question 4

What are the different queues in process scheduling?

Answer 4

Job Queue
Ready Queue
I/O Waiting Queue > I/O

(then CPU > Exit)

Question 5

Kernel mode: Ring number

Answer 5

Ring 0, most privileged

Question 6

User mode: Ring number

Answer 6

Ring 3

Other: Ring 1 & 2

Question 7

How many protection levels (rings) or CPU privilege levels (CPLs) does x86 has?

Answer 7

four: Ring 0 (most privileged) to 3

Modern OS (Linux, Windows, MacOS) only use ring 0 and 3

Question 8

Kernel mode vs user mode: executing processes

Answer 8

When CPU is in the user mode, it cannot execute sensitive/privileged instructions (e.g., HLT = halt / stop the processor’s operations)

User Mode = User Processes
Kernel Mode = Process Scheduling

Question 9

What is involved in a virtual memory implementation?

Answer 9

Process A
Virtual memory
Memory map
Physical memory
Disk

Question 10

What is on-demand paging?

Answer 10

Only when there is a need to access code / data that the OS will allocate a physical page, otherwise the code / data will just be stored in the disk

Question 11

What is swapping in / out?

Answer 11

The least recently used pages are swapped out from physical memory to the disk

Question 12

What are the three steps to execute a process for the first time?

Answer 12

1. CPU allocates a physical page based on the memory map
2. CPU loads the corresponding data / code from disk to the allocated page
3. CPU executes the code by fetching code from the allocated page

Question 13

What is a memory map?

Answer 13

A memory map maintains the mapping between virtual and physical memory

Question 14

What is a shared memory?

Answer 14

Two processes from virtual memory uses the same physical page, allowing exchanging of data

Question 15

Memory map implementation

Answer 15

Page table
In a modern OS, the OS uses a set of page tables to map virtual memory within a process to their corresponding physical memory in main memory.
Used to map virtual memory within a process to a corresponding physical memory in main memory
Used to implement the memory map
Established by the memory management unit MMU (a hardware component)
All mappings are maintained as page tables

Virtual address VA
pointing to a page-aligned memory location in a virtual page.

Physical address PA
pointing to a page-aligned memory location in a physical page

Question 16

What is MMU?

Answer 16

Memory management unit
Page tables reside in MMU

Question 17

What is a page-aligned address?

Answer 17

In a page-aligned address, VA is mapped to PA via MMU.

Additional note: VA points to the base address of the virtual page
If VA = 0x60001000, then PA = 0x70001000
If VA1 = 0x60001800, then PA1 = 0x70001800 (same last 3 digits)

Question 18

Memory map implementation: x86-32

Answer 18

Page table:
In a modern OS, the OS uses a set of page tables to map virtual memory within a process to their corresponding physical memory in main memory.
Has 2-level page tables: page directory + page table

32-bit version of x86, known as IA-32 (Intel Architecture 32-bit), where 32-bit virtual/linear addresses are used.

Division of the 32 bits:
31-22 (10 bits): index page directory; 2^10
21-12 (10 bits): index page table; 2^10
11-0 (12 bits): index physical page; will be the same last 12 bit of the physical page; the physical page is mapped to the virtual page where the linear address resides

size of entries: 2^12 / 2^10 = 2^2 = 4 bytes for a single entry

Question 19

Memory map implementation: x86-64

Answer 19

63-48: sign-extended, same bit as bit47; allowed entries are 2^9
47-39: page map level 4 offset
38-30: page-directory pointer offset
29-21: page-directory offset
20-12: page-table offset
11-0: physical-page offset

size of entries: 2^12 / 2^9 = 2^3 = 8 bytes for a single entry

Question 20

What is CR3?

Answer 20

Control register 3 stores the physical address of the base of the Page Directory (in x86-32) or the base of the Page-Map Level 4 (PML4) table (in x86-64).
This is essential because the memory management unit (MMU) starts its translation of a virtual address by referring to this base address.

Question 21

What is virtualization?

Answer 21

Virtualization is the ability to run multiple operating systems on a single physical system and share the underlying hardware resources

Allows one computer software (called Virtual Machine Monitor or Hypervisor) to provide the appearance of many computers (called virtual machines).

Question 22

What are the goals of virtualization?

Answer 22

Provide flexibility for users
Amortize hardware costs
Isolate completely separate users

Question 23

What are the characteristics of virtualizable computer architectures

Answer 23

First, the VMM is in complete control of all hardware resources, such as CPUs, memory, disk, etc.

Second, the VMM provides a virtualized hardware environment for a guest OS. The environment looks identical to its physical counterpart.

Last, the OS running in this environment shows minor decreases in performance compared to its execution in a bare-metal environment.

Question 24

What are the VMM types?

Answer 24

Type 1 Hypervisor: Bare-metal/Native architecture
Hardware > Hypervisor > Guest OS + Guest OS
VMM or Hypervisor is installed directly on hardware as the most privileged software.
Acknowledged as preferred architecture for mainstream public clouds

Type 2 Hypervisor: Hosted architecture
Hardware > Host OS > Hypervisor > Guest OS + Guest OS
Install as an application on an existing host OS (Win, Linux, MacOS)

Question 25

What are examples of Type 1 Hypervisor?

Answer 25

KVM
Xen
Hyper-V

Question 26

What are examples of Type 2 Hypervisor?

Answer 26

VirtualBox
UTM
VMware

Question 27

VMM Implementation on x86-64

Answer 27

Hardware support: Intel and AMD assist virtualization
-Intel VT-x and AMD SVM: CPU and memory virtualization
VT-x: Virtualization Technology for Execution
SVM: Secure Virtual Machine

-Intel VT-d and AMD Vi: Device virtualization
VT-d: Virtualization Technology for directed I/O
Vi: Virtualization for I/O

Question 28

Describe what virtualization is. Describe three types of virtualization (Language, Operating System and Hardware) and their respective attribute.

Answer 28

Virtualization is a technology that allows multiple virtual instances of resources (e.g., operating systems) to run on a single physical machine.

-Language virtualization: provides a virtual runtime environment (e.g., JVM) that allows code written in a specific programming language (e.g., Java) to execute.
—-Cross-OS: code can be executed in a runtime environment across OSes without modification.

-Operating system virtualization: allows multiple user-space instances (e.g., docker containers) within a single operating-system kernel (e.g., Linux kernel).
—-Limited Isolation: instances share the host OS kernel, which means a vulnerability in the kernel could affect all instances.

-Hardware virtualization: creates multiple virtual machines sharing a single physical server.
—-VM Snapshots: allows saving the current state of a VM
—-Live VM Migration: enables moving runtime VMs between physical hosts seamlessly.

Question 29

CPU virtualization: Intel VT-x & AMD SVM
What are the two VT-x operating modes?

Answer 29

-Less-privileged mode (guest or VMX non-root) for guest OSes (Ring 0 > 3)
-More-privileged mode (host or VMX root) for VMM (Ring 0 > 3)

Question 30

What is the structure of the VMX non-root?

Answer 30

VMX non-root Guest OS:
Ring 0: Kernel
Ring 3: Apps

Question 31

What is the structure of the VMX root?

Answer 31

VMX root VMM:
Ring 0: Hypervisor core
Ring 3: VM Management Utilities

Question 32

What is the difference between VMX root vs non-root?

Answer 32

VMX root: VMM runs directly on hardware
VMX non-root: Guest OS runs directly on hardware with a few exceptions (e.g., privileged/sensitive instructions)

Question 33

CPU virtualization: Intel VT-x & AMD SVM
What are the two transitions?

Answer 33

VM entry to non-root operation
VM exit to root operation

Question 34

Memory virtualization: Intel EPT & AMD NPT

Answer 34

Host Physical Memory (Host PA) > extended page table >
Guest Physical Memory (Guest PA) > guest page table >
Guest Virtual Memory (Guest VA)

VM1 covers Process 1 > GPA > guest page table > GVA

47-39: points to the address of EPT PDPT inside EPL PML4
38-30: points to the address of EPT PD inside EPT PDPT
29-21: points to the address of EPT PT inside EPT PD
20-12: points to the address of Page inside EPT PT (page table)
11-0: The last 12 bits of GPA refers to the last 12 bits (11-0) of PA

EPT Pointer points to EPL PML4

Question 35

What is a container?

Answer 35

A container is a sandboxed process running on a host OS that is isolated from all other processes running on that host OS

Question 36

What is a container image?

Answer 36

A container image is a stand-alone and executable software package (including software dependencies, binaries, etc) that contains everything needed to run a user application.

A container is a runnable instance of the image.

Question 37

Difference between virtual machines and containers in terms of structure/architecture

Answer 37

VM:
Infrastructure > Hypervisor > (Guest OS > Bins/Libs > App1)
(VM)

Containers:
Infrastructure > OS > Container Engine > (Bins/Libs > App1)
(Container)

Question 38

Containerization vs. Virtualization

Answer 38

Granularity
Containers are an abstraction of the process layer and VMs are a simulation of the hardware layer.

Overhead
-Required resources: containers are created to run one application and VMs support a whole OS.
-Efficiency: containers are launched to run an application. VMs need to boot up an entire OS.

Security/Isolation
Containers are isolated from each other at the process level. VMs are isolated at the OS level.

Question 39

Backbones of containers (3)

Answer 39

namespaces
cgroups
copy-on-write filesystem

Question 40

What are namespaces?

Answer 40

-Namespaces limits what a container can see
-Provide containers with their own view of system resources (e.g., network)

Question 41

What are cgroups?

Answer 41

-cgroups: limits how much a container can use
-Control Groups: manage resource usage and limits for processes within a container.

Question 42

What is copy-on-write filesystem?

Answer 42

copy-on-write filesystem: lightweight container
-Allow containers to share read-only underlying OS files. If a container write-access a file, a copy is created and updated accordingly.
-Similar to the copy-on-write fork

Question 43

What is a Docker container?

Answer 43

-Docker provides an interface on top of the techniques
-Popularized containers (a standard unit of software)

Question 44

Docker commands

Answer 44

docker run – Runs a command in a new container.
docker start – Starts one or more stopped containers
docker stop – Stops one or more running containers
docker build – Builds an image form a Docker file
docker pull – Pulls an image or a repository from a registry
docker push – Pushes an image or a repository to a registry
docker export – Exports a container’s filesystem as a tar archive
docker exec – Runs a command in a run-time container
docker search – Searches the Docker Hub for images
docker attach – Attaches to a running container
docker commit – Creates a new image from a container’s changes

Question 45

Describe what containers are with reference to Docker and discuss their similarities and differences from operating system virtualisation perspective as provided by VirtualBox.

Answer 45

A container is a sandboxed process running on a host OS that is isolated from all other processes running on that host OS

Granularity
Containers are an abstraction of the process layer and VMs are a simulation of the hardware layer.
Similarity: Both allow multiple applications to run on the same hardware without interference

Overhead
-Required resources: containers are created to run one application and VMs support a whole OS.

-Efficiency: containers are launched to run an application. VMs need to boot up an entire OS.

Security/Isolation
Containers are isolated from each other at the process level. VMs are isolated at the OS level.
Similarity: Both provide isolation in terms of running apps to avoid conflicts in software dependencies

Similarity: Both are ways of providing consistency across environments

Question 46

docker command: check what is running

Answer 46

docker ps -a

Question 47

docker command: stop and remove a container

Answer 47

docker stop my-app
docker rm my-app

Question 48

docker command: build docker image

Answer 48

docker build -t my-apache2 .

if with permission errors, run:
sudo usermod -a -G docker <username></username>

Question 49

docker command: run docker image

Answer 49

docker run -p 80:80 -dit –name my-app my-apache2

Open a browser and access address: http://localhost or http://127.0.0.1.

Question 50

[1] Create a security group

Answer 50

aws ec2 create-security-group –group-name <student>-sg --description "security group for development environment"</student>

Question 51

[2] Authorise inbound traffic for ssh

Answer 51

aws ec2 authorize-security-group-ingress –group-name <student>-sg --protocol tcp --port 22 --cidr 0.0.0.0/0</student>

Question 52

[3] Create a key pair

Answer 52

aws ec2 create-key-pair –key-name <student>-key --query 'KeyMaterial' --output text > <student>-key.pem</student></student>

To use this key on Linux, copy the file to a directory ~/.ssh and change the permissions to:
chmod 400 <student>-key.pem</student>

Question 53

[4] Create instance

Answer 53

aws ec2 run-instances –image-id <ami> --security-group-ids <student>-sg --count 1 --instance-type t2.micro --key-name <student>-key --query 'Instances[0].InstanceId'</student></student></ami>

Question 54

[5] Add tag to instance

Answer 54

aws ec2 create-tags –resources <Instance> --tags Key=Name,Value=<student></student></Instance>

Question 55

[6] Get public IP address

Answer 55

aws ec2 describe-instances –instance-ids <Instance> --query 'Reservations[0].Instances[0].PublicIpAddress'</Instance>

Question 56

[7] Connect to the instance via ssh

[8] List the created instance using the AWS console - no code

Answer 56

ssh -i <student>-key.pem ubuntu@<IP></IP></student>

Question 57

Install, start, enable, check docker version

Answer 57

Install: sudo apt install docker.io -y
Start: sudo systemctl start docker
Enable: sudo systemctl enable docker
Check version: docker –version