OS Circular on QEMU/KQEMU/KVM/Xen-HVM http://openlab.jp/oscircular/ Kuniyasu Suzaki, Toshiki Yagi, Kengo Iijima, Nguyen Anh Quynh National Institute of Advanced Industrial Science and Technology (AIST,Japan) ABSTRACT OS Circular is a framework of Internet Disk Image Distributor for virtual machines. The disk images are based on QEMU-DM(device model) and boot on QEMU, KQEMU, KVM and Xen-HVM. They are distributed by the stackable virtual disk "HTTP-FUSE CLOOP". It re-constructs a virtual disk with split and compressed block files on HTTP Servers. The file name of block file is the SHA1 digest of its contents. A block file is checked when it is re-mapped to virtual disk on a client PC. Block files are cached on a local storage and they make possible disconnect operation. Trusted HTTP-FUSE CLOOP is stackable and easy to add news block files for security update. These features enable us to distribute OS images for anonymous users via Internet. 1. Introduction We are developing "OS Circular"[1,2] which boots any OSes on anonymous PC. It makes easy to try new OS features. For this purpose we use virtual machine to get a common PC environment on any PCs. OS Circular is based on "HTTP-FUSE Xenoppix" [3]. HTTP-FUSE Xenoppix offers basic function for Internet Thin Client and enables to boot NetBSD or Plan9. However it is based on para-virtualization of "Xen", which limits Guest OSes and restricts automatic security update of kernel. Furthermore the virtual disk "HTTP-FUSE CLOOP" has no security protection. This paper resolves these problems and offers secure and easy-to-use OS Circulation Environment. FLOZ (Free Live OS Zoo) [4] has similar concept of our OS Circular. It enables us to boot many OSes in the Web browser. FLOZ runs a QEMU virtual machine on the server and users interacts with the Guest OS on the QEMU via a Java-based tight VNC client. It is innovative OS testing environment but the performance and scalability is limited, because it is server centric system and suffers network latency on Internet. Besides the OS on FLOZ doesn©t allow the network connection because of network resource and security restriction on the server. Virtual disk of QEMU and VMware is popular to distribute ready-to-use OS image. However a virtual disk must be treated as one large file because it includes all software. It takes much time to download. Furthermore, a big virtual disk has to re-build when a bit of data is updated. It is not good for urgent security update. Design principle for OS Circular is to utilize existing infrastructure, because it aims global deployment and minimizes maintenance cost. OS Circular is a client centric system, because current client PC has a powerful CPU and network interface and the function of server is limited to file distribution only. We use HTTP for file distribution because Web hosting service is easy-to-get and mirror severs and cache proxies are utilized. The validness of contents is checked by a client PC, which is offered by Trusted HTTP-FUSE CLOOP. HTTP-FUSE CLOOP is stackable virtual disk and enables partial update of virtual disks for application security. OS Circular uses full virtualization because the Guest OSes get automatic security update service. The kernel of Guest OS should be the target of security update. In this paper we describe the detail of OS Circular. In section2 we mention about the virtual machine loader. In section 3 the requirement of virtual disks is described. The detail of Trusted HTTP-FUSE CLOOP is mention in section 4. Current implementation of OS Circular is reported in section 5. We discuss related works and future plans in section 6 and conclude in section 7. 2. Virtual Machine Loader Full virtualization offers an abstraction layer for Guest OSes. The abstraction layer provides a common virtualized PC environment on anonymous PC. There are no restriction for Guest OS. We can install Guest OS with normal installer, update the OS with package management software, and migrate the disk image to other PCs which have the same full virtualization. For this purpose, VMware is used on SoulPad[5] , VAT (Virtual Appliance Transceiver) of Collective[6] , LivePC of Moka5[7] and Internet Suspend/Resume[8]. The drivers for real devices are supported by the host OS. SoulPad and VAT of Collective use KNOPPIX as the host OS, because KNOPPIX has "AutoConfig" function that automatically detects available devices at boot time and loads the appropriate Linux drivers. The combination of AutoConfig and full virtualization on the host OS acts as a virtual machine loader. So we use VMKnoppix[9] for OS Circular. 2.1 VMKnoppix VMKnoppix[9] is a collection of Virtual Machine software on the 1CD Linux "KNOPPIX". KNOPPIX prepares device drivers on any client PC and Full virtualization is offered by Xen-HVM[10], QEMU[11], KEQMU(QEMU Accelerator)[12], and KVM[13]. Xen-HVM and KVM require virtualization instructions (Intel VT or AMD-V) which offer a mode to trap sensitive instructions. VMKnoppix works as a virtual machine loader. 2.2 Unified Device Model Xen-HVM, QEMU, KEQMU, and KVM assumes the same devices which is called QEMU-DM(Device model). They are RealTek RTL8029 for NIC, Cirrus Logic GD5446 for Video Card and etc. The guest OS only have to support these devices. The unified device model enables to boot the disk images on the virtual machines. However the CPU architecture is different among Xen-HVM, QEMU, KEQMU, and KVM. Xen-HVM uses the same architecture of the running real CPU. Fortunately the difference doesn©t cause big problem because the current operating system uses common i386 packages. The packages run on Pentium Pro or after IA32 CPU. 3. Requirements for Virtual Disks This section examines other important features that virtual disks should offer, such as versioning, globalization, and security. The main requirements of virtual disks are described in [14]. According to the requirements we shape the design for Trusted HTTP-FUSE CLOOP presented in the next section. 3.1 Versioning Versioning of virtual disks are desirable feature on virtual machine. Non-persistent versioning is used for "undo" of operations and persistent versioning is used for "rollback" of OS image. The versioning is also important for sharing and customizing virtual disks. Some virtual machine softwares have "undo" function. For example VMware has Non-persistent mode and QEMU and UserModeLinux have CopyOnWrite. Xen uses DeviceMapper of Linux for non-persistent versioning. So Virtual Disks should offer persistent versioning. Trusted HTTP-FUSE CLOOP has same versioning of Venti[15]. Venti is Plan9©s archival storage system that permanently stores data blocks. A SHA1 digest of the data (called score by Venti) acts as the address of the data. This enforces a write-once policy since no other data block can be found with the same address. The addresses of multiple writes of the same data are identical, so duplicate data is easily identified and the data block is stored only once. Data blocks cannot be removed, making it ideal for permanent or backup storage. Unfortunately Venti requires special protocol for file system and limits the scalability. Trusted HTTP-FUSE CLOOP saves data blocks to files and utilizes HTTP to distribute them. 3.2 Globalization Virtual disks are desired to be shared via Internet for OS circulation. It doesn©t mean that virtual disks are downloadable. Virtual disks should be accessed partially when the part is requested. Remote Block Device meets the requirement and there are many choices, for example, iSCSI, AOE(ATA over Ethernet), iFCP, etc. Unfortunately they use special protocols and require special daemons on the server. Most of them are designed for LAN and aren©t good for Internet. Trusted HTTP-FUSE CLOOP re-constructs a virtual disk with the partial block files which are downloadable via HTTP. Disconnect operation is also desired for virtual disks to achieve Mobile Computing. As file systems "AFS" and "Coda" deal with disconnect operation but they require special protocol and daemons for servers. Stateless Linux[16] offers disconnect operation for Thin Client PC. Stateless Linux runs with network storage or snapshot image saved local storage. Block files of Trusted HTTP-FUSE CLOOP are also saved to a local storage and re- usable. When whole block files are saved in a local storage, network connection is not required. 3.3 Security Basically security management is independent of virtual disk. Security of kernel and applications should be managed by security software or package manager. The commitment of virtual disk is to keep uncontaminated contents. Especially the security of network virtual disk is to prevent intrusion. One way to prevent intrusion is to establish secure communication. However secure communication has to assign a fixed server and limits scalability. Trusted HTTP-FUSE CLOOP adapts a validation mechanism on a client. The driver checks the validity of block contents when it mapped to the virtual disk. It allows distributing block data by anonymous servers. 4. Stackable Virtual Disk "Trusted HTTP-FUSE CLOOP" The idea of Trusted HTTP-FUSE CLOOP depends on CLOOP of KNOPPIX. CLOOP is convenient because it saves block device to a file and reduces the size. However a CLOOP file is still big. The size of traditional CD- KNOPPIX is about 700MB. It must be treated as one file and takes much time to download. When a bit of data is updated, a big CLOOP file has to re-build. Furthermore CLOOP has no security protection. To solve the problems, we adapt block management style of Venti[15]. Data of a block device is divided by a fixed block size and saved for many small block files.