03. Virutalization

• computer architecture technology

• by which multiple virtual machines

• -> are multiplexed in the same hardware

• => creating virtual resources (such as server, storage, network, …) in a layer abstracted form real hardware

• enhance resource sharing by many users at a time

• replace and upgrade HW on the fly

• add new devices (i.e. network cards, virtual sockets, processors,…) without reboots

• reduce down time

• offer administrative tasks (such as installing software, planning new VMs, optimizing number of VMs, …,) at runtime

• faster provisioning of multiple machines

• user mode

• kernel mode

  
  

• OS allows all CPU instruciotns to execute on the unterlying hardware

• kernel codes do not execute in the USER mode

• OS allows only a few instructions to be executed

• if user applicatios have to execute the privileged instructions

  • -> applications ask kernels to do the work (i.e. System call)

• user applcations can’t:

  • open files

  • send network packets

  • print to the screen

  • allocate memory

• run in KERNEL mode

• with supervisor or superuser privilege

• run in USER mode

• with user privileges

• OS

• process management (start, run, stop processes)

• memory management (allocate, deallocate memory)

• file management (open, close, modfy, read, rename, create)

• network management

• scheduling

• timing

• user space request

• of a kernel service

• around 242 cycles

• Type I -> bare metal virtualization

• Type II -> Hosted virtualization

• usually harder to setup

• easy to setup

• hypervisor loaded on top of an OS (contrary to type I where directly loaded on hardware)

• guest OS runs on hosted hypervisors

• User requests directly on underlying HW (as regular)

• kernel instructions:

  • trapped by VMM (i.e. requires s/w interrupt)

  • VMM emulates instruction on the fly (-> directly translates to corresponding underlying hardware…)

advantages:

• OS needs no modificatoin

• maximum decoupling

• full isolation

• high overhead

• e.g. in 32 bit -> 2300 cycles

• memory virtualizaton introduced to reduce system crash

• -> virtual memory is a memory management technique

  • -> map programs memory address (virtual addresses) to underlying physical memory (in computer)

  • usually -> OS maintains mapping or virtual memory to physical memory

• increased security

• isolation

• freeing applicaionts

• 2-stage mapping process for any guest OS

• guest OS cannot directly access machine memory

• VMM does mapping of addresses

• page table in VMM is called shadw page table

• shadow paging takes 3 to 400 times more cycles than native sutiations

• modify the OS so that sys call trapping and rewriting can be avoided

• hypervisor provides interface to accomodate critical kernel operatoins

  • such as memory management and interrupt handling

  
  

• comparatively good

• -> avoid unnecessary trapping of critical instructions

• -> lower virtualization overhead

  
  

• need modified guest OS!!!

• full:

  • guest OS -> VMM -> (translates) -> HW

• para:

  • (modified) guest OS -> VMM

    -> (interfaces) -> HW

• add layer that is able to

  • quickly identify privilege instrunctions

  • and efficiently execute them

• containers share underlying OS kernel

• -> thus can only run flavors of the same OS

• namespaces

• cgroups

• used in linux to limit the views

• wrap a group of resources

• different types of namespaces exist

  • pid

  • cgroup

  • network

  • mount

  • user

• process ID

• -> allows to create another set of PID starting from PID for that specific namespace

  • if not, init process gets PID1

• without namespaces -> all processes descend from init process

• processes within new namespace cannot view parent process

• parent can view child processes

• offers new views to root directories

• poor: -> chroot() may also set roor directory -> only changes lookup -> not secure and good…

• cgroup isolage and manage resources…

• namespace creates new interfaces, routing tables etc.

• -> i.e. new interface lo

• -> but: must ensure mapping of global namespace to locally framed new namespace…!)

• provide isolaiton of mountpoints

• usolates user and group IDs

• APIs

• -> clone()

• -> setns()

• linux kernel feature which limits applicaiton to specific set of resources

• -> proves mechanism for aggregating/partitioning set of tasks

  • -> how much to use

  • -> what to use?

• limit resources

• isolate resources

• audit utility of resources

• to guarantee certain amount of resources

  • e.g. CPU, memory, disk, I/O

• for a group of processes

• memory cgroup

• cpu cgroup

• blkio cgroup

• cpuset cgroup

• devices cgroup

• freezer cgroup

• …

• memory resource controller

• -> isolates memory behavior of group of tasks from rest of system

• creates cgroup with limited amount of memory

• separates memory hungry applications from other applicaiotns

• 
  

• accounting

  • how much memory pages are utilized by specific group of running processes?

    • in file pages (pages on disk)

    • in anonymous pags (pages not located on disk -> e..g heaps, stacks,…)

• limiting

  • soft limit - memory is alloted if available

  • hard limit - memory is not allotted to the group of tasks

• kernel trigers OOM killer (out of memory) process

  • -> to kill any running processes (based on badness score)

  • => thus advisable to only run one application on a container

• override hart limits

steps:

1. all processes are stopped from processing (freeze option)

2. notify user space

3. user could kill specific processes

4. or user could increase hard limit specified in cgroups

5. when done, unfreeze the group

• lightweight VM

• use kernel featuers (cgroups, namespaces)

• shared hardware among multiple users

• multiple isolated linux systems of same kind

• on single host

• => thus called self-contained executoin environment

• utilizes container technology

  • -> easily ports containers

  • replicates containers across envbironments

  
  

• reduces time between writing code and producint them

• removes unnecessary configuraiotn hurdles of applicaionts

-> do not require guest os

-> overcome problems of VM

• size

• memory

• integration

• unionfs

• filesystem service for linux, freeBDS and netBDS

• -> inplements a union mount for other file systems

• -> allows files and directories of separate file systems (branches) to be transparently overlaid

• -> forming single coherent file system

• => used by docker

• docker caches layers the first time of building them

• -> initial install e.g. ubuntu is cached (base)

• -> for second build, only rest such as apache or mysql is built

• -> deployment is faster…

• follows client-server

• docker client talks to docker daemon

• docker daemon does

  • building

  • running

  • distributing docker containers

• docekr registry stores docker images

  • either in local

  • or public registries (e.g. docker hub, docker cloud,…)

• created

• restarting

• running

• paused

• exited

• dead

• docker desktop

• docker compose

• docker swarm

• bundled package which contains all components of dockers –

• docker engine, cli, credential helper, and so forth.

• tool for defining instances specific to certain applications.

• able to build and run the multi-container docker applications.

• It is represented as YAML files.

• tool to manage docker containers hosted on clusters.

• has features such as

  • scaling,

  • multi-host orchestration,

  • service discovery,

  • load balancing,

  • …

• follows init and join approach (as like in kubernetes)

• virtualizes and aggregates underlygin physical hadrware resources of a datacenter

• type-I cloud OS -> aggregate infrastructure of datacenter…

• enables to manage IT resources