Xen: the Past, Present and Exciting Future Ian Pratt Chairman of .org, SVP and Founder of Bromium

Sponsored by:

&

1 Outline • Community Update • Xen 4 Review • Xen and the next wave of virtualization

2 COMMUNITY UPDATE

3 2011 Highlights • Inclusion of Xen into Linux 3 (and distros) • New Initiatives: – Project Kronos – Xen.org Governance – Renewed focus on Xen for ARM • Successful Community Initiatives – Documentation Day – Google Summer of Code – Hackathons: Cambridge (Citrix) and Munich (Fujitsu) • Lars Kurth: (not so) new Community Manager

4 Contribution Statistics

By Change Sets Contributors to Xen.org 5000.0 200

4500.0 180

4000.0 160

3500.0 140

3000.0 120 XenARM** 2500.0 100 PVOPS Individuals 2000.0 XCP 80 Orgs

1500.0 Xen HV 60

1000.0 40

500.0 20

0.0 0 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011*

*) End of Sept 2011 **) Activity on Development branch (not yet in xen-unstable)

5 2010 & 2011 Contributors (by KLOC)

2010** 2011** *** 1% 2% 3% 4% 5% 4% 6% 5% Citrix HV 28% Citrix XCP Citrix XCP 5% Citrix HV Oracle Samsung* 39% 11% Novell 6% Novell Oracle Fujitsu AMD 7% AMD Individual Individual 13% Intel Misc 18% Misc 8% University

20% 15%

*) Activity on Development branch (not yet in xen-unstable) **) Includes PVOPS ***) Until Sept 2011 6 Developer mailing list traffic Conversations, excluding patches

2500

2000

1500

1000

500

0

Oct-03 Apr-04 Oct-04 Apr-05 Oct-05 Apr-06 Oct-06 Apr-07 Oct-07 Apr-08 Oct-08 Apr-09 Oct-09 Apr-10 Oct-10 Apr-11

Jun-04 Jun-05 Jun-06 Jun-07 Jun-08 Jun-09 Jun-10 Jun-11

Feb-04 Feb-05 Feb-06 Feb-07 Feb-08 Feb-09 Feb-10 Feb-11

Dec-03 Aug-04 Dec-04 Aug-05 Dec-05 Aug-06 Dec-06 Aug-07 Dec-07 Aug-08 Dec-08 Aug-09 Dec-09 Aug-10 Dec-10

xen-devel xen-api

7 Formalized Governance • How to contribute (had this for a long time, but was poorly documented) • Election of Maintainers, Committers & Project Leads – Committer Election in September – Jan Beulich (Novell) : Committer on Xen HV project • 2009 : 107 patches changing 11746 lines of code • 2010 : 147 patches changing 7613 lines of code • 2011 : 130 patches changing 27377 lines of code (as of Sept) • Project Lifecycle – Xen HV & XCP migrated to new lifecycle

8 Xen.org Web site Activity

Website Traffic/Day: Linux 3 Notable traffic increase since September (almost double)

Coincides with changes to content and new content!

Linux 3 Blog Traffic/Month: Xen 4.1 Xen 4.0 100% average increase of traffic compared to one year ago Part of Sept Prediction at tip of arrow

9 Product and project news roundup • Xen support in Linux 3 – More in Linux 3.1 (and subsequent releases) • Xen support (DomU and Dom0) back in Linux distros – Debian – Ubuntu 11.10 – Fedora 16 • Recent product releases that distribute Xen – Oracle VM 3.0 – XenServer 6.0 – XenClient 2.0 – Beta’s of QubesOS and RC’s of openSuse 12.1

10 Where do we need to improve?

Focus for 2012

• New website • Better media presence • More focus on users (individual & commercial) • More and better documentation • New benchmarks, feature comparisons, etc. • Formalize volunteer activities such as “documentation day”

11 2011 & 2012 Event Calendar • LinuxCon Brazil, Sao Paulo, Nov 17-18 • USENIX Lisa, Boston, Dec 4-9 • Planning to co-locate XenSummit NA with LinuxCon (LinuxCon NA, San Diego, Aug 27-28) – Not yet finalized, but should be soon • OSCON, Portland, July 16-20

12 Community Summary • The Xen Developer community is healthy for a 10 year old project • The inclusion of Xen support into Linux 3.x has made a big impact – Getting questions by many new users – Building new and productive relationships with many people in the Linux and BSD communities • Up to now Xen.org was almost exclusively looking after developers – Successful open source communities bring their users and developers together – Xen.org needs to focus on • Reconnecting to its users • On making it easy to get started with Xen and engage new users – Many opportunities in Cloud Projects • On better communicating the Xen advantages • Everybody can help with this!

13 XEN 4.1 REVIEW

14 Xen 4.1 Release – 21 March 2011 • Very large system support – 4 TB; >255 CPUs – Reliability, Availability, Scalability enhancements • CPU Pools for system partitioning • Page sharing enhancements • emergency paging / compression • New “xl” lightweight control stack • Memory Introspection API • Enhanced SR-IOV support • -implemented Hardware Fault Tolerance 15 Hardware Fault Tolerance

Restart-HA monitors hosts and VMs to keep apps running

Hardware Fault Tolerance with deterministic replay or checkpointing

Xen’s Software-Implemented Hardware Fault Tolerance enables true High Availability for unmodified applications and operating systems Hardware Fault Tolerance • University of British Columbia’s “Remus” project is now in Xen 4 • Smart checkpointing approach yields excellent performance – VM executes in parallel with checkpoint transmission, with all externally visible state changes suppressed until checkpoint receipt acknowledged – Checkpoints delta compressed • Checkpointing possible across wide-area, even for multi-vCPU guests

17 Enhanced SR-IOV • SR-IOV: Single Root IO Virtualization – Virtualization friendly IO devices • High performance, high efficiency, low latency • Enables even the most demanding applications to now be virtualized • Compatible with live relocation via hotplug of acceleration driver “plugin” module – Retain primary benefit of physical hardware abstraction 18

SR-IOV NIC

Dell 10G Switch

Dell R710 Server Dell R710 Server XenServer and Intel 10G SR-IOV NIC XenServer and Intel 10G SR-IOV NIC

NFS Common Storage w/OpenFiler Dell R710 Server XenServer and Intel 10G SR-IOV NIC • 80 Gb/s bi-directional aggregate throughput between 4 VM pairs • Low latency, High CPU efficiency • Live relocation between hosts - Even hosts with different NICs

Network Performance

35 30 usercopy 25 kern 20 201% Type-0 xen1 15 CPU (%) 123% 103% grantcopy 10 100% kern0 5 xen0 0 s/w only basic smart SR-IOV native NIC NIC • New Smart NICs reduce CPU overhead substantially • Care must be taken with SR-IOV NICs to ensure benefits of VM portability and live relocation are not lost • Need for an industry standard for “driver plugins”

THE NEXT VIRTUALIZATION WAVE

21 Security will drive the Next Wave of Virtualization • Security is key requirement for Cloud • Security is the primary goal of virtualization on the Client – Desktop, Laptops, Smart Phones, etc • Maintaining isolation between VMs is critical – Spatial and Temporal isolation – Run multiple VMs with policy controlled information flow • E.g. Personal VM; Corporate VM; VM for web browsing; VM for banking • Enables “out-of-band” management and policy enforcement – detection, remote access, image update, backup, VPN, etc.

22 Xen Introspection API • Allows a suitably privileged VM to monitor and control the execution of another VM – Interpose on disk and network IO path – Mark VM memory as immutable, no-execute etc – Inspect/modify CPU and memory state • Enables robust anti-malware, anti-root kit – Cannot be disabled/bypassed by guest VM Virtualized can be more secure than physical!

24 Secure Isolation • Use good software engineering practice – Thin hypervisor: minimize code running with privilege – Disaggregate and de-privilege functionality into dedicated Service VMs – Narrow interfaces between components – are simpler than OSes, simpler than OS kernels – Use modern high-level languages where possible • New hardware technologies help – VT-x, VT-d, EPT: reduce software complexity, enhanced protection – TPM/TXT: Enable Dynamic Root of Trust

25 XenClient XT / Qubes OS • First products configured to take advantage of the security benefits of Xen’s architecture • Isolated Driver Domains • Virtual hardware Emulation Domains • Service VMs (global and per-guest) • Xen Security Modules / SElinux • Measured Launch (TXT)

26 Typical Xen Configuration VM0 VM1 VM2 VM3 Device Manager & Applications Applications Applications Control s/w

GuestOS GuestOS GuestOS GuestOS

Back-End Native Device Front-End Front-End Driver Device Drivers Device Drivers Device Emulation

Control IF Safe HW IF Event Channel Virtual CPU Virtual MMU Xen Virtual Machine Monitor Hardware (SMP, MMU, physical memory, Ethernet, SCSI/IDE) Xen Driver Domains VM0 VM1 VM2 VM3 Device Manager & Applications Applications Control s/w GuestOS GuestOS GuestOS GuestOS

Back-End Back-End Native Native Device Device Front-End Driver Driver Device Drivers Device Emulation VM3a

Control IF IOMMU Event Channel Virtual CPU Virtual MMU Xen Virtual Machine Monitor Hardware (SMP, MMU, physical memory, Ethernet, SCSI/IDE) Advanced XenClient Architecture Per host/device Per guest

Service VMs Service VMs

User VM

User VM

Device Device

Device

Emulate

Control Control

Domain

Domain

Network Network

Isolation

Emulation

VPN Isolation VPN Management Management

VPN Isolation VPN Policy Granularity Policy Granularity

Xen Xen Security Modules

VT-d TXT Intel vPro Hardware VT-x AES-NI

29 Disaggregation • Unique benefit of the Xen architecture: • Security – Minimum privilege; Narrow interfaces • Performance – Lightweight e.g. minios directly on hypervisor – Exploit locality – service VMs see a subset of the machine, run close to resources with which they interact • Reliability – Able to be safely restarted

30 Isolated Driver VMs for High Availability

• Detect failure e.g. 350

– Illegal access 300 – Timeout 250 • Kill domain, restart 200 150 – E.g. Just 275ms outage from 100 failed Ethernet driver 50 • New work uses restarts to 0 0 5 10 15 20 25 30 35 40 enhance security time (s) Proposal • We should strive to get all Xen products and deployments to take full advantage of the Xen architecture • We need to make this much easier! • Proposal: define and maintain a reference architecture and implementation that embodies best practice recommendations

32 Reference Architecture • Define using new technologies – Latest stable Xen – Linux 3.x pvops • Optimization effort required – Libxl control stack • For easy consumption by other vendor tool stacks

33 Target Features • Network restart-able driver domains – Integrated OpenFlow vswitch • Storage restart-able driver domains – Also allows easier deployment of new storage options e.g. vastsky, ZFS • Qemu emulation domains • Xen Security Modules • Measured Launch via TXT • Roadmap for enhanced security and performance features – E.g. the SR-IOV network plugin / vswitch architecture

34

Implementation • Need an initial reference implementation – Easily consumable by users • XCP could fulfil this role – Showcase latest Xen technologies – Optimized for OpenStack • Aim to be as kernel/toolstack etc agnostic to allow easy adoption by all vendors

35 Summary • Xen project continues to thrive! – Great success in Cloud and Client • Key architectural security, reliability and performance benefits that are unique to Xen – We need to do a better job of getting the message out! – We need to do a better job of actually taking advantage of the benefits in all Xen products

36