2.2.1 Background
Virtualization is not a new technology; it was first developed during the late 1960s and early 1970s. In a virtualized system environment, a hypervisor or Virtual Machine Manager (VMM) is a layer of software that manages the allocation of hardware resources and also creates and runs virtual machines. The real hardware resources are owned by the VMM, and it is its responsibility to make those resources available to one or more guest operating systems that alternately execute on the same hardware. Thus, a guest operating system is given the illusion of owning a complete set of standard hardware.
The first version of the IBM virtual machine operating system was VM/370 (officially Virtual Machine Facility/370), released in 1972 [56]. VM/370 was built as a general-purpose OS for IBM System/370 mainframe machines. Its virtualization features were mainly used for supporting time-sharing systems, maintaining backward compatibility with the IBM System/360, and providing a private, secure and reliable computing environment [56]. The virtual machine manager of VM/370 was called the control program (CP). It ran on the physical hardware to create the virtual machine environment. Virtual machines ran a single-user, lightweight operating system called the conversational monitor system (CMS). The CP/CMS design successfully separated resource management from the services that users cared about. With the rise of personal computers, interest in these classic virtualization techniques faded.
Virtualization has regained popularity in recent years because of the promise of improved resource utilization through server consolidation, guaranteed resource allocation, and performance isolation. Disco [41], one of the first research operating systems of this revival, has led to a wide range of commercial virtualization techniques [9, 10, 21, 34].
2.2.2 Virtualization Conditions
In a classic paper [105], Popek and Goldberg formulate sufficient conditions for an instruction set architecture (ISA) to efficiently support virtual machines. According to Popek and Goldberg, a VMM must satisfy three properties: efficiency, resource control, and equivalence.
1. Efficiency means that a statistically dominant subset of machine instructions must be executed directly by the real processor, with no software intervention by the VMM.
2. Resource control means that the VMM must have complete control of the virtualized resources.
3. Equivalence means that any program run under the VMM should exhibit an effect identical to the one it would have had if run directly on the original machine, with only a few exceptions.
Popek and Goldberg [105] derive the sufficient (but not necessary) conditions for virtualization in a well-known theorem. They first divide the instructions of an ISA into three groups:
• Privileged instructions: Those that trap if the processor is in user mode and do not trap if it is in system mode.
• Control sensitive instructions: Those that attempt to change the configuration of resources in the system.
• Behavior sensitive instructions: Those whose behavior or result depends on the configuration of resources (for example, the content of the relocation register or the processor's mode).
With the above definition, Popek and Goldberg state that:
Theorem 1. For any conventional third generation computer, a virtual machine monitor may be constructed if the set of sensitive instructions for that computer is a subset of the set of privileged instructions.
Their "third generation computer" refers to an integrated-circuit based computer with a processor and linear, uniformly addressable memory. The assumptions regarding the operation of such a computer are: relocation mechanisms, supervisor/user mode, and trap mechanisms [105].
The theorem says that if sensitive instructions executed in user mode always trap to the VMM (forcing control back to the VMM), an efficient virtual machine implementation can be constructed. All non-privileged instructions can be executed natively on the host platform, and no emulation is needed.
It is known that the Intel x86 ISA has several instructions that are sensitive but not privileged [106]. They do not trap when executed in user mode. Therefore the Intel x86 ISA violates the condition of Theorem 1. However, since the theorem provides a sufficient but not necessary condition, this does not mean that x86 is not virtualizable; it means that additional steps must be taken to implement a virtual machine, with a possible loss of some efficiency. For convenience, the instructions that are sensitive but not privileged are called critical instructions. The VMM can scan the guest code when it is first executed and replace the critical instructions with a trap to the VMM. This process is known as patching [112].
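The following added example (not from the thesis or any cited system) models the Popek and Goldberg classification on a small constructed toy ISA: it computes the set of critical instructions, checks the subset condition of Theorem 1, and performs the one-pass patching described above; all mnemonics (READ_MODE, SET_RELOC, ...) are hypothetical.

```python
from dataclasses import dataclass, replace

# Toy ISA constructed for this example; the mnemonics are hypothetical, not real x86.
@dataclass(frozen=True)
class Instr:
    mnemonic: str
    privileged: bool          # traps in user mode, executes normally in system mode
    control_sensitive: bool   # attempts to change the configuration of resources
    behavior_sensitive: bool  # result depends on the relocation register or processor mode

    @property
    def sensitive(self) -> bool:
        return self.control_sensitive or self.behavior_sensitive

TOY_ISA = [
    Instr("ADD", False, False, False),
    Instr("LOAD", False, False, False),
    Instr("STORE", False, False, False),
    Instr("SET_RELOC", True, True, False),    # changes the relocation register and traps
    Instr("HALT", True, True, False),
    Instr("READ_MODE", False, False, True),   # reveals processor mode without trapping: critical
    Instr("READ_RELOC", False, False, True),  # reads relocation register without trapping: critical
]
# The same ISA with every sensitive instruction made to trap in user mode.
FIXED_ISA = [replace(i, privileged=True) if i.sensitive else i for i in TOY_ISA]
# Constructed guest instruction stream used as the example workload.
GUEST_CODE = ["LOAD", "ADD", "READ_MODE", "STORE", "SET_RELOC", "ADD", "READ_RELOC", "LOAD"]

def critical_instructions(isa: list[Instr]) -> set[str]:
    """Sensitive but not privileged: these violate the condition of Theorem 1."""
    return {i.mnemonic for i in isa if i.sensitive and not i.privileged}

def satisfies_theorem1(isa: list[Instr]) -> bool:
    """Theorem 1 holds when the sensitive set is a subset of the privileged set."""
    return not critical_instructions(isa)

def patch_guest_code(code: list[str], isa: list[Instr]) -> list[str]:
    """One scan before first execution: each critical instruction becomes an explicit
    trap into the VMM; privileged instructions already trap in hardware."""
    critical = critical_instructions(isa)
    return [f"TRAP_TO_VMM({m})" if m in critical else m for m in code]

def native_fraction(code: list[str], isa: list[Instr]) -> float:
    """Share of the stream running directly on the processor after patching."""
    intercepted = {i.mnemonic for i in isa if i.sensitive or i.privileged}
    return sum(m not in intercepted for m in code) / len(code)

if __name__ == "__main__":
    print("critical:", sorted(critical_instructions(TOY_ISA)), "patched:", patch_guest_code(GUEST_CODE, TOY_ISA))
    print("Theorem 1:", satisfies_theorem1(TOY_ISA), satisfies_theorem1(FIXED_ISA), "native:", native_fraction(GUEST_CODE, TOY_ISA))
```

On the toy ISA the two behavior-sensitive instructions are critical, so Theorem 1 fails and they must be patched, while the ISA variant in which they trap satisfies the theorem and needs no patching.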
Paravirtualization is another technique used to support high-performance virtual machines on x86 hardware. Paravirtualization presents to the virtual machine a software interface that is similar but not identical to the underlying native hardware, and requires modifications to the guest operating system [126].
Xen [34] is an example of a system that specifically targets the Intel IA-32 ISA. As mentioned, the Intel x86 ISA has critical instructions that are difficult to virtualize efficiently. The Xen [34] system takes the hosted operating system, such as Linux or Windows, and makes minimal modifications to the machine-dependent parts of the system to eliminate the need for complex virtualization tasks such as patching.
In this thesis, we focus on the Xen and VMware [23] virtualization platforms. Both systems support fine-grained management of memory and CPU resources, as well as the ability to transparently migrate running virtual machines from one physical server to another.