
Virtualization

This document briefly describes our perspective on virtualization. We broadly distinguish between three categories: compute, network and storage.

Compute

Compute virtualisation virtualises CPU and memory. The following describes one perspective for distinguishing the different approaches.

[Figure: hardware and IaaS layers over the resources cpu, memory, disk and network]

Landscape

The possible manifestations of virtualisation technologies are manifold. This section briefly presents their fundamental categories, including the respective enabling concepts. Namely, these are the three virtualisation classes hypervisor, container and sandbox. A fourth one, named hybrid, is an encompassing term for those that share characteristics of all classes. This classification is represented in the figure below.

[Figure: virtualisation classes: hypervisor-based, container-based, sandbox-based, hybrid]

Hypervisor-Based

Hypervisor-based virtualisation can be subdivided into two categories: Type-1 and Type-2. The main distinction between them is whether the hypervisor runs directly on the hardware (Type-1) or on top of a host OS (Type-2). This is visualised in the figure below.

[Figure: a Type 1 VMM running directly on the hardware and hosting OS1 to OS4, beside a Type 2 VMM running on a host OS alongside applications and hosting OS1 to OS3]

While these two categories classify hypervisors by where they run, further significant properties matter. These are full virtualisation, paravirtualisation and hardware-assisted virtualisation.

Simply put, they describe the degree to which a virtualisation technology makes use of special hardware functionality and how many system calls the Virtual Machine Monitor (VMM) has to intercept.

Popular representatives of each type are listed below:

  • Full Virtualization: Qemu emulation
  • Para Virtualization: KVM hardware pass-through
  • Hardware-assisted Virtualization: CPU features like Intel VT-x
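Whether a host can offer hardware-assisted virtualisation at all, or whether it is itself a guest, can be read from the CPU feature flags Linux exposes in /proc/cpuinfo. The following is an added example, not code from this document or from any of the projects it mentions; it assumes the standard flag names (vmx for Intel VT-x, svm for AMD-V, ept/npt for nested paging, and the synthetic hypervisor flag a VMM sets for its guests) and uses two constructed cpuinfo excerpts as input.

```python
from typing import Dict, Optional, Set

# Constructed /proc/cpuinfo excerpts, not captured from a real machine.
# A host whose CPU offers Intel VT-x (vmx) with nested paging (ept):
SAMPLE_HOST_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Constructed example CPU
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep pge cmov pat mmx fxsr sse sse2 ht syscall nx lm vmx smx ept vpid
"""

# A guest vCPU: the hypervisor sets the synthetic "hypervisor" flag and does
# not expose vmx, so the guest cannot host hardware-assisted VMs itself.
SAMPLE_GUEST_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Constructed example vCPU
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep pge cmov pat mmx fxsr sse sse2 ht syscall nx lm hypervisor
"""


def cpu_flags(cpuinfo_text: str) -> Set[str]:
    """Union of all 'flags' lines in a /proc/cpuinfo dump (one line per logical CPU)."""
    flags: Set[str] = set()
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags":
            flags.update(value.split())
    return flags


def classify_virt(cpuinfo_text: str) -> Dict[str, object]:
    """Derive which hypervisor flavours this CPU can support."""
    flags = cpu_flags(cpuinfo_text)
    if "vmx" in flags:
        hw_assist: Optional[str] = "vmx"      # Intel VT-x
    elif "svm" in flags:
        hw_assist = "svm"                     # AMD-V
    else:
        hw_assist = None
    in_vm = "hypervisor" in flags             # CPUID.1:ECX bit 31, set by the VMM
    return {
        "hw_assist": hw_assist,
        # second-level address translation, needed for efficient memory virtualisation
        "nested_paging": bool(flags & {"ept", "npt"}),
        "in_vm": in_vm,
        # without vmx/svm a VMM must fall back to full (software) virtualisation,
        # e.g. QEMU's TCG, or to paravirtualised guests
        "hardware_assisted_possible": hw_assist is not None,
        "nested_virt_possible": in_vm and hw_assist is not None,
    }


def read_local_cpuinfo() -> Optional[Dict[str, object]]:
    """Classify the machine this runs on; None where /proc/cpuinfo is absent."""
    try:
        with open("/proc/cpuinfo", encoding="utf-8") as fh:
            return classify_virt(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    for name, text in (("host", SAMPLE_HOST_CPUINFO), ("guest", SAMPLE_GUEST_CPUINFO)):
        print(name, classify_virt(text))
    print("local", read_local_cpuinfo())
```

A guest that reports `in_vm` but no `hw_assist` is the usual cloud VM: nested virtualisation has not been enabled for it, so a Type-2 hypervisor inside it would run in software-only mode.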

Container-Based

Container-based virtualisation, sometimes called “OS-level virtualisation”, is a widely applied approach on Linux systems. Containers leverage the kernel functionalities (i) namespaces, (ii) cgroups and (iii) capabilities.

(i) Namespaces isolate system-specific resources. They do so by wrapping a resource into an abstraction that is presented to a process; this gives processes a completely different view of the system than the host has. (ii) cgroups are a Linux feature that allows fine-grained control over different system resources; more specifically, they make it possible to limit access to them. Lastly, (iii) capabilities allow or prohibit the execution of specific privileged operations. They can be granted to a user or group.
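All three mechanisms leave traces in /proc that an operator can audit: the Cap* bitmasks in /proc/<pid>/status, the namespace inode numbers behind /proc/<pid>/ns/*, and the cgroup v2 limit files. The following is an added example, not code from this document or from any container runtime; the capability table follows the kernel's capability.h numbering, the HIGH_RISK selection is our own review heuristic, and the status excerpts and namespace inode numbers are constructed.

```python
import re
from typing import Dict, List, Optional, Set

# Capability names indexed by bit number (include/uapi/linux/capability.h, 41 entries).
CAP_NAMES: List[str] = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]
# Review heuristic (our selection, not a kernel-defined set): capabilities
# that let a process reach beyond its own container onto the host.
HIGH_RISK: Set[str] = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE",
                       "CAP_SYS_RAWIO", "CAP_NET_ADMIN", "CAP_DAC_READ_SEARCH", "CAP_BPF"}

# Constructed /proc/<pid>/status excerpt: a container keeping the usual
# 14-capability runtime default, with a seccomp filter and no_new_privs set.
SAMPLE_STATUS_DEFAULT = """\
Name:\tnginx
NoNewPrivs:\t1
Seccomp:\t2
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
"""
# Constructed excerpt of a "privileged" container: every capability, no filter.
SAMPLE_STATUS_PRIVILEGED = """\
Name:\tdebug-shell
NoNewPrivs:\t0
Seccomp:\t0
CapInh:\t0000000000000000
CapPrm:\t000001ffffffffff
CapEff:\t000001ffffffffff
CapBnd:\t000001ffffffffff
"""
# Constructed readlink("/proc/<pid>/ns/<kind>") results; the inode numbers are made up.
HOST_NS = {"mnt": "mnt:[4026531841]", "net": "net:[4026531840]", "pid": "pid:[4026531836]"}
CONTAINER_NS = {"mnt": "mnt:[4026532501]", "net": "net:[4026532504]", "pid": "pid:[4026532502]"}
HOSTNET_NS = {"mnt": "mnt:[4026532601]", "net": "net:[4026531840]", "pid": "pid:[4026532602]"}


def decode_caps(hexmask: str) -> Set[str]:
    """Translate a Cap* bitmask from /proc/<pid>/status into capability names."""
    mask = int(hexmask, 16)
    names = {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}
    if mask >> len(CAP_NAMES):            # bits newer than this table
        names.add("CAP_UNKNOWN")
    return names


def parse_status(status_text: str) -> Dict[str, str]:
    """'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    fields: Dict[str, str] = {}
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def namespace_ids(ns_links: Dict[str, str]) -> Dict[str, int]:
    """'net:[4026531840]' -> {'net': 4026531840}; malformed links are skipped."""
    ids: Dict[str, int] = {}
    for kind, link in ns_links.items():
        match = re.fullmatch(r"(\w+):\[(\d+)\]", link)
        if match and match.group(1) == kind:
            ids[kind] = int(match.group(2))
    return ids


def memory_limit_bytes(memory_max_text: str) -> Optional[int]:
    """Contents of a cgroup v2 memory.max file: 'max' means no limit (None)."""
    value = memory_max_text.strip()
    return None if value == "max" else int(value)


def audit_process(status_text: str, proc_ns: Dict[str, str],
                  host_ns: Dict[str, str]) -> Dict[str, object]:
    """Summarise how much of the host a process can still see or touch."""
    fields = parse_status(status_text)
    effective = decode_caps(fields.get("CapEff", "0"))
    bounding = decode_caps(fields.get("CapBnd", "0"))
    mine, host = namespace_ids(proc_ns), namespace_ids(host_ns)
    shared = sorted(kind for kind in mine if host.get(kind) == mine[kind])
    return {
        "effective_caps": len(effective),
        "high_risk_caps": sorted(effective & HIGH_RISK),
        "bounding_allows_more": bool(bounding - effective),
        "shared_namespaces": shared,                      # never unshared from the host
        "no_new_privs": fields.get("NoNewPrivs") == "1",
        "seccomp_filter": fields.get("Seccomp") == "2",   # 2 = SECCOMP_MODE_FILTER
    }
```

Run against a live system, the inputs come from /proc/<pid>/status, `os.readlink` on /proc/<pid>/ns/* for the process and for PID 1, and the memory.max file of the process's cgroup; a non-empty `shared_namespaces` or `high_risk_caps` entry is what a hardening review should flag.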

Sandbox-Based

Sandboxes can be created by utilising the system call filtering provided by the kernel. Intercepting, and thus filtering, those system calls can be achieved by different mechanisms. Among those are (i) ptrace and (ii) seccomp-BPF.
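A minimal seccomp-BPF sandbox makes the mechanism concrete: a classic-BPF program inspects `struct seccomp_data` for every system call and returns a verdict. The following is an added example, not code from this document or from any sandbox project; it installs, via ctypes and prctl(2), a seven-instruction filter that kills the process on an ABI mismatch, fails socket(2) with EPERM and allows everything else. It assumes Linux on x86_64 or aarch64 (the AUDIT_ARCH tokens and socket(2) numbers in ARCH_TABLE are for those two ABIs) and runs the filtered code in a forked child so the parent process stays unfiltered.

```python
import ctypes
import os
import platform
import socket
import sys

# Classic-BPF opcodes (linux/filter.h) and seccomp constants (linux/seccomp.h).
BPF_LD_W_ABS = 0x20          # A = *(u32 *)(seccomp_data + k)
BPF_JMP_JEQ_K = 0x15         # if A == k: pc += jt else pc += jf
BPF_RET_K = 0x06             # return k
SECCOMP_RET_KILL_PROCESS = 0x80000000
SECCOMP_RET_ERRNO = 0x00050000
SECCOMP_RET_ALLOW = 0x7FFF0000
PR_SET_NO_NEW_PRIVS = 38
PR_SET_SECCOMP = 22
SECCOMP_MODE_FILTER = 2
EPERM = 1
OFF_NR, OFF_ARCH = 0, 4      # struct seccomp_data { int nr; __u32 arch; ... }

# AUDIT_ARCH_* token and the socket(2) syscall number per ABI this example knows.
ARCH_TABLE = {"x86_64": (0xC000003E, 41), "aarch64": (0xC00000B7, 198)}
EXIT_OK, EXIT_EPERM, EXIT_OTHER = 0, 13, 99


class SockFilter(ctypes.Structure):
    _fields_ = [("code", ctypes.c_uint16), ("jt", ctypes.c_uint8),
                ("jf", ctypes.c_uint8), ("k", ctypes.c_uint32)]


class SockFprog(ctypes.Structure):
    _fields_ = [("len", ctypes.c_uint16), ("filter", ctypes.POINTER(SockFilter))]


def is_supported() -> bool:
    return sys.platform == "linux" and platform.machine() in ARCH_TABLE


def build_program(arch_token: int, denied_nr: int):
    """Filter: wrong ABI -> kill process, denied_nr -> EPERM, anything else -> allow."""
    insns = [
        (BPF_LD_W_ABS, 0, 0, OFF_ARCH),
        (BPF_JMP_JEQ_K, 1, 0, arch_token),             # ABI matches: skip the kill
        (BPF_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS),   # other ABI: numbers would not match
        (BPF_LD_W_ABS, 0, 0, OFF_NR),
        (BPF_JMP_JEQ_K, 0, 1, denied_nr),              # not the denied call: skip to allow
        (BPF_RET_K, 0, 0, SECCOMP_RET_ERRNO | EPERM),  # fail the call with EPERM
        (BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW),
    ]
    return (SockFilter * len(insns))(*[SockFilter(*i) for i in insns])


def install_filter() -> None:
    """Deny socket(2) for the calling process and every child it forks later."""
    arch_token, denied_nr = ARCH_TABLE[platform.machine()]
    insns = build_program(arch_token, denied_nr)
    prog = SockFprog(len(insns), ctypes.cast(insns, ctypes.POINTER(SockFilter)))
    libc = ctypes.CDLL(None, use_errno=True)
    libc.prctl.argtypes = [ctypes.c_int] + [ctypes.c_ulong] * 4
    # Unprivileged processes may only install filters after giving up the
    # ability to gain privileges (e.g. through setuid binaries).
    if libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_NO_NEW_PRIVS failed")
    if libc.prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ctypes.addressof(prog), 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_SECCOMP failed")


def run_filtered(fn) -> int:
    """Run fn() in a forked child under the filter; returns the child's exit code."""
    pid = os.fork()
    if pid == 0:
        code = EXIT_OTHER
        try:
            install_filter()
            fn()
            code = EXIT_OK
        except PermissionError:          # errno EPERM, as returned by the filter
            code = EXIT_EPERM
        except BaseException:
            code = EXIT_OTHER
        finally:
            os._exit(code)
    _, status = os.waitpid(pid, 0)
    return os.WEXITSTATUS(status) if os.WIFEXITED(status) else -os.WTERMSIG(status)


def probe_socket() -> None:
    socket.socket(socket.AF_INET, socket.SOCK_STREAM).close()


def probe_getpid() -> None:
    os.getpid()


if __name__ == "__main__":
    if is_supported():
        print("socket() under filter ->", run_filtered(probe_socket))   # 13 (EPERM)
        print("getpid() under filter ->", run_filtered(probe_getpid))   # 0
    else:
        print("unsupported platform")
```

The ABI check comes first for a reason: system call numbers differ between ABIs, so a filter that only matches on the number could be bypassed on a multi-ABI kernel. Real sandboxes (container runtimes, browsers) use the same building blocks with an allow-list of a few hundred calls and argument checks instead of a single deny rule.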

ToDo

This section needs improvement

Network

Network virtualisation is an essential factor in modern infrastructures. It enables operators to decouple physical cabling from the logical connections between communicating entities. Amongst others, this improves maintainability and security.

[Figure: hardware and IaaS layers over the resources cpu, memory, disk and network]

Popular technologies that implement network virtualization include:

  • Namespaces
  • IPIP
  • VPN
  • VXLAN
  • SDN
  • Open vSwitch

Both OpenStack and the Kubernetes distribution used by COTB leverage VXLAN. For a great introduction to that topic please refer to the resources below.
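Since the overlay traffic of both platforms is VXLAN, it helps to know what a VXLAN datagram looks like on the underlay: a UDP payload with an 8-byte header (flags, reserved, 24-bit VNI, reserved) followed by the tenant's complete Ethernet frame. The following is an added example, not code from this document, OpenStack or Kubernetes; it builds and parses that header per RFC 7348, with a constructed inner ARP frame as sample input, so an operator can see which tenant segment (VNI) and which inner MAC addresses a captured datagram carries.

```python
import struct
from typing import Dict

VXLAN_UDP_PORT = 4789      # IANA-assigned destination port (RFC 7348)
VXLAN_FLAG_I = 0x08        # "VNI valid" bit; the only flag the RFC defines
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00\x00\x00", vni << 8) + inner_frame


def parse_vxlan(udp_payload: bytes) -> Dict[str, object]:
    """Decode a VXLAN datagram payload and the Ethernet header of the inner frame."""
    if len(udp_payload) < 8 + 14:
        raise ValueError("too short for a VXLAN header plus inner Ethernet header")
    flags, reserved, vni_field = struct.unpack("!B3sI", udp_payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag not set: not a valid VXLAN header")
    inner = udp_payload[8:]
    dst, src, ethertype = struct.unpack("!6s6sH", inner[:14])
    return {
        "vni": vni_field >> 8,
        "flags": flags,
        # Reserved bits must be zero on transmit and are ignored on receipt; a
        # non-zero value marks a non-conforming sender and is worth logging.
        "reserved_nonzero": reserved != b"\x00\x00\x00" or bool(vni_field & 0xFF),
        "inner_dst": mac_str(dst),
        "inner_src": mac_str(src),
        "ethertype": ETHERTYPES.get(ethertype, f"0x{ethertype:04x}"),
        "inner_payload": inner[14:],
    }


# Constructed inner frame: an ARP request from 02:00:00:00:00:01 (10.0.0.1)
# for 10.0.0.2, as one tenant VM on VNI 100 might emit it.  Not captured traffic.
INNER_FRAME = (
    bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001") + b"\x08\x06"
    + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                  bytes.fromhex("020000000001"), bytes([10, 0, 0, 1]),
                  bytes(6), bytes([10, 0, 0, 2]))
)
SAMPLE_DATAGRAM = build_vxlan(100, INNER_FRAME)


if __name__ == "__main__":
    decoded = parse_vxlan(SAMPLE_DATAGRAM)
    print(f"VNI {decoded['vni']}: {decoded['inner_src']} -> {decoded['inner_dst']} "
          f"({decoded['ethertype']}, {len(decoded['inner_payload'])} payload bytes)")
```

Two properties of the format matter for security: the VNI is the only thing separating tenants, and the header carries no authentication, so anyone who can send UDP/4789 to a VTEP's underlay address could inject frames into a chosen VNI. RFC 7348 therefore expects the underlay to be isolated from untrusted networks (or the tunnels to be protected by IPsec), and a monitor on the underlay can decode every tenant's traffic with exactly the parsing shown here.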

ToDo

This section needs improvement

Storage

Storage is a major building block of every kind of infrastructure. It provides the foundation for operator- and user-generated state. Amongst other benefits, virtualising it gives broader flexibility in subdividing huge storage arrays and allows vast scaling.

[Figure: hardware and IaaS layers over the resources cpu, memory, disk and network]

Technologies and concepts implementing storage virtualisation come in a wide range of manifestations. The following incomplete list gives some examples:

  • Partitions
  • Block devices
  • Distributed filesystems (ceph)
  • Fully virtualized appliances (synology)

ToDo

This section needs improvement

Takeaway

The purpose of this document is to create a sensibility for how virtualisation technologies can be combined into a cloud middleware distribution. Without those technologies, cloud middlewares are little more than API hulls with custom glue processes. The choice of technologies is highly opinionated and use-case specific.

To learn more about the relationship between the technologies above and OpenStack, please refer to the respective OpenStack document.

Further reading

To read more about virtualisation, please refer to the following resources by the authors and the community: