DOCSLIB.ORG

X-Container-Tech-Report.Pdf (403.9Kb)

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

X-Containers: Breaking Down Barriers to Improve Performance and Isolation of Cloud-Native Containers Zhiming Shen, Zhen Sun, Gur-Eyal Sela, Eugene Bagdasaryan Christina Delimitrou, Robbert Van Renesse, Hakim Weatherspoon Cornell University Abstract operating systems, becomes redundant in most single- “Cloud-native” container platforms, such as Kubernetes, concerned containers. On the other hand, inter-container have become an integral part of production cloud isolation becomes increasingly important, and raises many environments. One of the principles in designing cloud- concerns because containers share a monolithic OS kernel native applications is called “Single Concern Principle”, with a large Trusted Computing Base (TCB), as well as a large which suggests that each container should handle a single attack surface in terms of the number of kernel interfaces. responsibility well. Due to the resulting change in the There have been several proposals to address the issue threat model, process isolation within the container becomes of container isolation. Virtualization-based solutions, such redundant in most single-concerned containers, and inter- as Clear Containers [8], Kata Containers [9], and Hyper container isolation becomes increasingly important. In this Containers [6], wrap containers with a dedicated OS kernel paper, we propose a new exokernel-inspired architecture running in a virtual machine (VM). These platforms require called X-Containers that improves both the security and native hardware virtualization support to reduce the overhead the performance of cloud-native containers. We show that, of adding another layer of indirection. However, most through relatively minor modifications, the Xen hypervisor public and private clouds, including Amazon EC2, do not can serve as an exokernel, and Linux can be turned into support nested hardware virtualization. Even in clouds a LibOS. Doing so results in a highly secure and efficient such as Google Compute Engine where nested hardware LibOS platform that, unlike other available LibOSes, supports virtualization is enabled, its performance overhead is high binary compatibility and multicore processing. X-Containers (see Section5 and [ 15]). LightVM [49] wraps a container in a have up to 27× higher raw system call throughput compared paravirtualized Xen instance without hardware virtualization to Docker containers, while also significantly outperforming support. Unfortunately, it introduces a significant performance recent container platforms such as Google’s gVisor, Intel’s penalty in x86-64 platforms (see Sections 4.1 and5). Finally, Clear Containers, as well as Library OSes like Unikernel and Google gVisor [5] is a user-space kernel written in Go that Graphene on web benchmarks. supports container runtime sandboxing, but it only offers 1. Introduction limited system call compatibility [13] and incurs significant performance overheads (see Section5). An important recent trend in cloud computing is the rise of “cloud-native” container platforms, such as Kubernetes [30], The trend of running a single application in its own which have become an integral part of production VM for enhanced security has led to a renewed interest environments. Such platforms support applications designed in Library Operating Systems (LibOSes), as suggested by specifically for cloud infrastructures that consist of loosely- the Unikernel [46] model. LibOSes avoid the overhead of coupled microservices [51] running in containers, with security isolation between the application and the OS, and distributed management and orchestration. Cloud-native allow each LibOS to be carefully optimized for the application platforms offer support for automated elastic scaling and agile at hand. Designing a container architecture inspired by the DevOps practices [26], which allow companies to bring new exokernel+LibOS [34] model can improve both container ideas to market faster, respond quickly to customer demands, isolation and performance. However, existing LibOSes, such v and handle failures more transparently. as MirageOS [46], Graphene [58], and OS [41], lack features, In cloud-native platforms, container design is similar to such as full binary compatibility or multicore support. This object design in object-oriented (OO) software systems: each makes porting containerized applications very challenging. container should have a single responsibility and handle that In this paper, we propose a new LibOS platform called X- responsibility well [31]. By focusing on a single concern, Containers that improves both the security and performance of cloud-native containers are easier to scale horizontally, and containers without requiring hardware virtualization support. replace, reuse, and upgrade transparently. Similar to the We demonstrate that Xen’s paravirtualization architecture [25] Single Responsibility Principle in OO-languages, this has can be modified to serve as a highly secure and efficient LibOS been termed the “Single Concern Principle” [39], and is platform that supports both binary compatibility and multicore recommended by Docker [3]. processing. An X-Container can support one or more user From a security perspective, single-concerned containers processes that all run at the same privilege level as the LibOS. change the threat model of the container architecture, Different processes inside an X-Container still have their own presenting both a challenge and an opportunity. Process address spaces for resource management and compatibility, isolation, which separates different applications in traditional but they no longer provide secure isolation from one another; in this new model processes are used for concurrency, while mechanisms for grouping containers that need to be tightly X-Containers provide isolation between containers. coupled, e.g., using a “pod” in Google Kubernetes [16], and Without hardware virtualization support, system calls are a “task” in Amazon ECS [2]. It is important to note that expensive, as they are first handled by the exokernel and single-concerned containers are not necessarily single-process. then redirected to the LibOS. The X-Container platform Some applications might spawn multiple worker processes for automatically optimizes the binary of an application during concurrency [3], such as NGINX, or Apache webserver. The runtime to improve performance by rewriting costly system key is that all processes within a single-concerned container calls into much cheaper function calls in the LibOS. As a belong to the same service, thus they are tightly coupled and result, X-Containers have up to 27× higher raw system call mutually trusting. throughput compared to native Docker containers running in 2.2. Application Isolation the cloud, and are competitive to or even outperform native containers for other benchmarks. In traditional operating systems, processes are used for both The X-Container platform also outperforms other LibOS multiprocessing and security isolation between applications. architectures for specialized services, such as serverless Due to the coarse granularity of the process model, compute, which are gaining traction for short-running, user- applications often implement their own security properties driven online services with intermittent behavior. We compare in the application logic, isolating different users within the X-Containers, Unikernel, and Graphene, using NGINX [12], same application. In single-concerned cloud-native containers, a stateless front-end webserver driven by the wrk workload process isolation within the container is unnecessary. generator. We show that X-Containers have comparable Indeed, an informal survey of popular containers shows performance to Unikernel, and twice the throughput compared that multi-client applications rarely rely on processes for to Graphene. Moreover, when running PHP and MySQL, isolating mutually-untrusting clients by dedicating a process X-Container achieves approximately 3× the performance of to each client—many do not even use multiple processes at Unikernel. all. All the top 10 most popular containerized applications [1] This paper includes the following contributions: (NGINX, Redis, ElasticSearch, Registry, Postgres, MySQL, • We demonstrate how the Xen paravirtualization etcd, Fluentd, MongoDB, and RabbitMQ) use either a single- architecture and the Linux kernel can be turned into a threaded event-driven model or multi-threading instead of secure and efficient LibOS platform that supports both multiple processes. NGINX and Fluentd can be configured binary compatibility and multicore processing. to use a process pool to improving concurrency, similar to • We present X-Containers, a new exokernel-based Apache webserver—each process has multiple threads that container architecture that is designed specifically for can be used to serve different clients. These applications cloud-native applications. X-Containers are compatible implement client isolation inside the application logic through with Linux containers, and to the best of our knowledge, mechanisms such as a strongly-typed language runtime, role- they are the first architecture to support secure isolation of based access control, authentication, and encryption. containers in the cloud, without sacrificing compatibility On the other hand, inter-container isolation remains or performance. important, and depends on enforcement by the OS kernel. • We present a technology for automatically changing Unfortunately, modern monolithic OS kernels, such as Linux, system calls into function
Recommended publications
  • Integrating On-Premises Core Infrastructure with Microsoft Azure

    Integrating On-Premises Core Infrastructure with Microsoft Azure

    Course 10992 • Microsoft Azure Integrating On-Premises Core Infrastructure with Microsoft Azure Length This 3-day, instructor-led workshop covers a range • 3 days of components, including Azure Compute, Azure Audience Storage, and network services that customers can • IT professionals who have used on- benefit from when deploying hybrid solutions. In premises virtualization technologies, including both this context, the term hybrid means integrating Hyper-V and VMware platforms, but who want to deploy, configure, infrastructure technologies that customers host in and administer services and virtual on-premises datacenters with Azure IaaS and PaaS machines in Azure • IT professionals who have used services. This course offers an overview of these Microsoft System Center to services, providing the knowledge necessary to manage and orchestrate an on- premises server infrastructure design hybrid solutions properly. It also includes • Windows and Linux administrators who are looking to evaluate and several demonstrations and labs that enable migrate on-premises workloads students to develop hands-on skills that are and services to the cloud • IT professionals who need to necessary when implementing such solutions. implement network connectivity between on-premises environments and services that Workshop Outline Azure or Microsoft Office 365 hosts • IT professionals who want to use Module 1: Introduction to Microsoft Azure Azure to increase the resiliency and • Overview of cloud computing and Azure agility of their on-premises • Overview of
  • Industrial Control Via Application Containers: Migrating from Bare-Metal to IAAS

    Industrial Control Via Application Containers: Migrating from Bare-Metal to IAAS

    Industrial Control via Application Containers: Migrating from Bare-Metal to IAAS Florian Hofer, Student Member, IEEE Martin A. Sehr Antonio Iannopollo, Member, IEEE Faculty of Computer Science Corporate Technology EECS Department Free University of Bolzano-Bozen Siemens Corporation University of California Bolzano, Italy Berkeley, CA 94704, USA Berkeley, CA 94720, USA fl[email protected] [email protected] [email protected] Ines Ugalde Alberto Sangiovanni-Vincentelli, Fellow, IEEE Barbara Russo Corporate Technology EECS Department Faculty of Computer Science Siemens Corporation University of California Free University of Bolzano-Bozen Berkeley, CA 94704, USA Berkeley, CA 94720, USA Bolzano, Italy [email protected] [email protected] [email protected] Abstract—We explore the challenges and opportunities of control design full authority over the environment in which shifting industrial control software from dedicated hardware to its software will run, it is not straightforward to determine bare-metal servers or cloud computing platforms using off the under what conditions the software can be executed on cloud shelf technologies. In particular, we demonstrate that executing time-critical applications on cloud platforms is viable based on computing platforms due to resource virtualization. Yet, we a series of dedicated latency tests targeting relevant real-time believe that the principles of Industry 4.0 present a unique configurations. opportunity to explore complementing traditional automation Index Terms—Industrial Control Systems, Real-Time, IAAS, components with a novel control architecture [3]. Containers, Determinism We believe that modern virtualization techniques such as application containerization [3]–[5] are essential for adequate I. INTRODUCTION utilization of cloud computing resources in industrial con- Emerging technologies such as the Internet of Things and trol systems.
  • Kubernetes Security Guide Contents

    Kubernetes Security Guide Contents

    Kubernetes Security Guide Contents Intro 4 CHAPTER 1 Securing your container images and CI/CD pipeline 6 Image scanning 6 What is image scanning 7 Docker image scanning open source tools 7 Open source Docker scanning tool: Anchore Engine 8 Securing your CI/CD pipeline 9 Image scanning in CI/CD 10 CHAPTER 2 Securing Kubernetes Control Plane 14 Kubelet security 14 Access to the kubelet API 15 Kubelet access to Kubernetes API 16 RBAC example, accessing the kubelet API with curl 16 Kubernetes API audit and security log 17 Audit log policies configuration 19 Extending the Kubernetes API using security admission controllers 20 Securing Kubernetes etcd 23 PKI-based authentication for etcd 23 etcd peer-to-peer TLS 23 Kubernetes API to etcd cluster TLS 24 Using a trusted Docker registry 24 Kubernetes trusted image collections: Banning non trusted registry 26 Kubernetes TLS certificates rotation and expiration 26 Kubernetes kubelet TLS certificate rotation 27 Kubernetes serviceAccount token rotation 28 Kubernetes user TLS certificate rotation 29 Securing Kubernetes hosts 29 Kubernetes 2 Security Guide Using a minimal host OS 30 Update system patches 30 Node recycling 30 Running CIS benchmark security tests 31 CHAPTER 3 Understanding Kubernetes RBAC 32 Kubernetes role-based access control (RBAC) 32 RBAC configuration: API server flags 34 How to create Kubernetes users and serviceAccounts 34 How to create a Kubernetes serviceAccount step by step 35 How to create a Kubernetes user step by step 37 Using an external user directory 40 CHAPTER 4 Security
  • Oracle VM Virtualbox Container Domains for SPARC Or X86

    Oracle VM Virtualbox Container Domains for SPARC Or X86

    1 <Insert Picture Here> Virtualisierung mit Oracle VirtualBox und Oracle Solaris Containern Detlef Drewanz Principal Sales Consultant SAFE HARBOR STATEMENT The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle. In addition, the following is intended to provide information for Oracle and Sun as we continue to combine the operations worldwide. Each country will complete its integration in accordance with local laws and requirements. In the EU and other non-EU countries with similar requirements, the combinations of local Oracle and Sun entities as well as other relevant changes during the transition phase will be conducted in accordance with and subject to the information and consultation requirements of applicable local laws, EU Directives and their implementation in the individual members states. Sun customers and partners should continue to engage with their Sun contacts for assistance for Sun products and their Oracle contacts for Oracle products. 3 So .... Server-Virtualization is just reducing the number of boxes ? • Physical systems • Virtual Machines Virtualizationplattform Virtualizationplattform 4 Virtualization Use Workloads and Deployment Platforms
  • Running Legacy VM's Along with Containers in Kubernetes!

    Running Legacy VM's Along with Containers in Kubernetes!

    Running Legacy VM’s along with containers in Kubernetes Delusion or Reality? Kunal Kushwaha NTT Open Source Software Center Copyright©2019 NTT Corp. All Rights Reserved. About me • Work @ NTT Open Source Software Center • Collaborator (Core developer) for libpod (podman) • Contributor KubeVirt, buildkit and other related projects • Docker Community Leader @ Tokyo Chapter Copyright©2019 NTT Corp. All Rights Reserved. 2 Growth of Containers in Companies Adoption of containers in production has significantly increased Credits: CNCF website Copyright©2019 NTT Corp. All Rights Reserved. 3 Growth of Container Orchestration usage Adoption of container orchestrator like Kubernetes have also increased significantly on public as well private clouds. Credits: CNCF website Copyright©2019 NTT Corp. All Rights Reserved. 4 Infrastructure landscape app-2 app-2 app-M app-1 app-2 app-N app-1 app-1 app-N VM VM VM kernel VM Platform VM Platform Existing Products New Products • The application infrastructure is fragmented as most of old application still running on traditional infrastructure. • Fragmentation means more work & increase in cost Copyright©2019 NTT Corp. All Rights Reserved. 5 What keeps applications away from Containers • Lack of knowledge / Too complex to migrate in containers. • Dependency on custom kernel parameters. • Application designed for a custom kernel. • Application towards the end of life. Companies prefer to re-write application, rather than directly migrating them to containers. https://dzone.com/guides/containers-orchestration-and-beyond Copyright©2019 NTT Corp. All Rights Reserved. 6 Ideal World app-2 app-2 app-M app-1 app-2 app-N app-1 app-1 app-N VM VM VM kernel VM Platform • Applications in VM and containers can be managed with same control plane • Management/ Governance Policies like RBAC, Network etc.
  • ISSN: 1804-0527 (Online) 1804-0519 (Print) Vol.8 (2), PP. 63-69 Introduction During the Latest Years, a Lot of Projects Have Be

    ISSN: 1804-0527 (Online) 1804-0519 (Print) Vol.8 (2), PP. 63-69 Introduction During the Latest Years, a Lot of Projects Have Be

    Perspectives of Innovations, Economics & Business, Volume 8, Issue 2, 201 1 EVALUATION OF PERFORMANCE OF SOLARIS TRUSTED EXTENSIONS USING CONTAINERS TECHNOLOGY EVALUATION OF PERFORMANCE OF GENTI DACI SOLARIS TRUSTED EXTENSIONS USING CONTAINERS TECHNOLOGY Faculty of Information Technology Polytechnic University of Tirana, Albania UDC: 004.45 Key words: Solaris Containers. Abstract: Server and system administrators have been concerned about the techniques on how to better utilize their computing resources. Today, there are developed many technologies for this purpose, which consists of running multiple applications and also multiple operating systems on the same hardware, like VMWARE, Linux-VServer, VirtualBox, Xen, etc. These systems try to solve the problem of resource allocation from two main aspects: running multiple operating system instances and virtualizing the operating system environment. Our study presents an evaluation of scalability and performance of an operating system virtualization technology known as Solaris Containers, with the main objective on measuring the influence of a security technology known as Solaris Trusted Extensions. Solaris. We will study its advantages and disadvantages and also the overhead that it introduces to the scalability of the system’s main advantages. ISSN: 1804 -0527 (online) 1804 -0519 (print) Vol.8 (2), PP. 63 -69 Introduction administration because there are no multiple operating system instances in a system. During the latest years, a lot of projects have been looking on virtualizing operating system Operating systems environments, such as FreeBSD Jail, Linux- VServer, Virtuozzo etc. This virtualization technique is based in using only one underlying Solaris/OpenSolaris are Operating Systems operating system kernel. Using this paradigm the performing as the main building blocks of computer user has the possibility to run multiple applications systems; they provide the interface between user in isolation from each other.
  • The Server Virtualization Landscape, Circa 2007

    The Server Virtualization Landscape, Circa 2007

    ghaff@ illuminata.com Copyright © 2007 Illuminata, Inc. single user license Gordon R Haff Illuminata, Inc. TM The Server Virtualization Bazaar, Circa 2007 Inspired by both industry hype and legitimate customer excitement, many Research Note companies seem to have taken to using the “virtualization” moniker more as the hip phrase of the moment than as something that’s supposed to convey actual meaning. Think of it as “eCommerce” or “Internet-enabled” for the Noughts. The din is loud. It doesn’t help matters that virtualization, in the broad sense of “remapping physical resources to more useful logical ones,” spans a huge swath of Gordon Haff technologies—including some that are so baked-in that most people don’t even 27 July 2007 think of them as virtualization any longer. Personally licensed to Gordon R Haff of Illuminata, Inc. for your personal education and individual work functions. Providing its contents to external parties, including by quotation, violates our copyright and is expressly forbidden. However, one particular group of approaches is capturing an outsized share of the limelight today. That would, of course, be what’s commonly referred to as “server virtualization.” Although server virtualization is in the minds of many inextricably tied to the name of one company—VMware—there are many companies in this space. Their offerings include not only products that let multiple virtual machines (VMs) coexist on a single physical server, but also related approaches such as operating system (OS) virtualization or containers. In the pages that follow, I offer a guide to today’s server virtualization bazaar— which at first glance can perhaps seem just a dreadfully confusing jumble.
  • Virtual Containers: Asset Management Best Practices and Licensing Considerations

    Virtual Containers: Asset Management Best Practices and Licensing Considerations

    Virtual Containers: Asset Management Best Practices and Licensing Considerations Virtual containers have seen tremendous adoption and growth within all industries. However, in terms of IT asset management, cont- ainers are not being managed and are an unknown area of risk for many of our clients. Because it is a newer technology, there is very little information about managing containers and how to address the emerging SAM & ITAM challenges they bring. Due to this lack of public information, Anglepoint has published this whitepaper on navigating the world of containers, with an empha- sis on asset management and licensing. We will cover everything from the history of containers, to what containers are, the benefits of containers, asset management best practices, and some publisher-specific licensing considerations. A BRIEF HISTORY OF VIRTUAL CONTAINERS The first proper containers came from the Linux world as LXC (LinuX Containers) in 2008. However, it wasn’t until 2013 that containers entered the IT public consciousness, when Docker came onto the scene with Enterprise usage in mind. Even then, though, it was more of an enthusiast’s technology. In 2015, Google released and open sourced Kubernetes which manages and ‘orchestrates’ containers. However, it wasn’t until 2017 that Docker and Kubernetes had matured enough to be considered for production use within corporate environments. 2017 also saw VMware, Microsoft, and Amazon beginning to support and offer solutions for Kubernetes and Docker on their top-tier cloud infrastructure. WHAT IS A CONTAINER? Often, people conflate the term ‘container’ with multiple technologies that make up the container ecosystem. Let’s look at what a modern container is at the most fundamental level.
  • Ovirt and Docker Integration

    Ovirt and Docker Integration

    oVirt and Docker Integration October 2014 Federico Simoncelli Principal Software Engineer – Red Hat oVirt and Docker Integration, Oct 2014 1 Agenda ● Deploying an Application (Old-Fashion and Docker) ● Ecosystem: Kubernetes and Project Atomic ● Current Status of Integration ● oVirt Docker User-Interface Plugin ● “Dockerized” oVirt Engine ● Docker on Virtualization ● Possible Future Integration ● Managing Containers as VMs ● Future Multi-Purpose Data Center oVirt and Docker Integration, Oct 2014 2 Deploying an Application (Old-Fashion) ● Deploying an instance of Etherpad # yum search etherpad Warning: No matches found for: etherpad No matches found $ unzip etherpad-lite-1.4.1.zip $ cd etherpad-lite-1.4.1 $ vim README.md ... ## GNU/Linux and other UNIX-like systems You'll need gzip, git, curl, libssl develop libraries, python and gcc. *For Debian/Ubuntu*: `apt-get install gzip git-core curl python libssl-dev pkg- config build-essential` *For Fedora/CentOS*: `yum install gzip git-core curl python openssl-devel && yum groupinstall "Development Tools"` *For FreeBSD*: `portinstall node, npm, git (optional)` Additionally, you'll need [node.js](http://nodejs.org) installed, Ideally the latest stable version, be careful of installing nodejs from apt. ... oVirt and Docker Integration, Oct 2014 3 Installing Dependencies (Old-Fashion) ● 134 new packages required $ yum install gzip git-core curl python openssl-devel Transaction Summary ================================================================================ Install 2 Packages (+14 Dependent
  • Containerisation Gareth Roy Gridpp 32, Pitlochry �1 Intermodal Containers

    Containerisation Gareth Roy Gridpp 32, Pitlochry 1 Intermodal Containers

    Containerisation Gareth Roy GridPP 32, Pitlochry "1 Intermodal Containers Developed by Malcolm P. McLean & Keith W. Tantlinger. Reaction to slow loading times produced by using “break bulk cargo.” Apparatus for shipping freight (1958): “In 1956, loose cargo cost $5.86 per ton US 2853968 A - Malcolm P McLean to load. Using an ISO shipping container, the cost was reduced to only .16 cents per ton.” IMPERIAL METRIC Length 19’ 10.5” 6.058 m Width 8’ 0” 2.438 m Height 8’ 6” 2.591 m Empty Weight 4,850 lb 2,200 kg Max Weight 66,139 lb 30,400 kg "2 Mærsk Mc-Kinney Møller (18270 TEU) Linux Containers Form of OS Level Virtualisation. Kernel hosts multiple separated user-land instances (Virtual Environment/Engine). Application Low overheads, elastic, multi-tennant. VE Storage can be Copy-on-Write or use UnionFS OS Examples: chroot (1982) Solaris Containers (2005) Physical Hardware FreeBSD Jails (1988) AIX WPARS (2007) Virtuozzo (2001) LXC (2008) OpenVZ (2005) "3 VM’s vs Containers Application Application Application Application Guest OS Guest OS VE VE Virtual HW Virtual HW OS Hypervisor / OS Physical Hardware Physical Hardware Virtual Machine Linux Container "4 VM’s vs Containers (Arguments) Pros: Pros: OS Independent Lightweight / Dense Secure / Isolated Fast Instantiation Flexible Elastic Resource Live Migration Low Memory Consumption Mature Ecosystem Native Performance Cons: Cons: Full System Image Restricted / Linux Only Slow Startup/Shutdown/Build Shared Kernel Memory Consumption Overhead Security Model Opaque to System Young Ecosystem Virtual Machine Linux Container "5 Containers in More Detail Running Application Application Application Instanced Namespace Virtual Environment Virtual Environment Resource Control Group Container CGROUP Container CGROUP Kernel Namespace Layer PID MNT IPC NET UTS USER* Linux Kernel > 2.6.23 OS Physical Hardware "6 Namespaces Application A Namespace wraps a global resource and presents an isolated instance to running process.
  • Xen on X86, 15 Years Later

    Xen on X86, 15 Years Later

    Xen on x86, 15 years later Recent development, future direction QEMU Deprivileging PVShim Panopticon Large guests (288 vcpus) NVDIMM PVH Guests PVCalls VM Introspection / Memaccess PV IOMMU ACPI Memory Hotplug PVH dom0 Posted Interrupts KConfig Sub-page protection Hypervisor Multiplexing Talk approach • Highlight some key features • Recently finished • In progress • Cool Idea: Should be possible, nobody committed to working on it yet • Highlight how these work together to create interesting theme • PVH (with PVH dom0) • KConfig • … to disable PV • PVshim • Windows in PVH PVH: Finally here • Full PVH DomU support in Xen 4.10, Linux 4.15 • First backwards-compatibility hack • Experimental PVH Dom0 support in Xen 4.11 PVH: What is it? • Next-generation paravirtualization mode • Takes advantage of hardware virtualization support • No need for emulated BIOS or emulated devices • Lower performance overhead than PV • Lower memory overhead than HVM • More secure than either PV or HVM mode • PVH (with PVH dom0) • KConfig • … to disable PV • PVshim • Windows in PVH KConfig • KConfig for Xen allows… • Users to produce smaller / more secure binaries • Makes it easier to merge experimental functionality • KConfig option to disable PV entirely • PVH • KConfig • … to disable PV • PVshim • Windows in PVH PVShim • Some older kernels can only run in PV mode • Expect to run in ring 1, ask a hypervisor PV-only kernel (ring 1) to perform privileged actions “Shim” Hypervisor (ring 0) • “Shim”: A build of Xen designed to allow an unmodified PV guest to run in PVH mode
  • Container and Kernel-Based Virtual Machine (KVM) Virtualization for Network Function Virtualization (NFV)

    Container and Kernel-Based Virtual Machine (KVM) Virtualization for Network Function Virtualization (NFV)

    Container and Kernel-Based Virtual Machine (KVM) Virtualization for Network Function Virtualization (NFV) White Paper August 2015 Order Number: 332860-001US YouLegal Lines andmay Disclaimers not use or facilitate the use of this document in connection with any infringement or other legal analysis concerning Intel products described herein. You agree to grant Intel a non-exclusive, royalty-free license to any patent claim thereafter drafted which includes subject matter disclosed herein. No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document. All information provided here is subject to change without notice. Contact your Intel representative to obtain the latest Intel product specifications and roadmaps. The products described may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Copies of documents which have an order number and are referenced in this document may be obtained by calling 1-800-548-4725 or by visiting: http://www.intel.com/ design/literature.htm. Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Learn more at http:// www.intel.com/ or from the OEM or retailer. Results have been estimated or simulated using internal Intel analysis or architecture simulation or modeling, and provided to you for informational purposes. Any differences in your system hardware, software or configuration may affect your actual performance. For more complete information about performance and benchmark results, visit www.intel.com/benchmarks. Tests document performance of components on a particular test, in specific systems.