Virtual Hosting
Virtual Hosting Common Virt. Hosting Schemes Environment Virtual Hosting Environment Virtual Hosting (cont.) Environment Virtual Hosting (dia.) OS-Level Virtual Hosting OS-Level Virtual Hosting (cont.) OS-Level Virtual Hosting (dia.) Hypervisor Hypervisor (cont.) Hypervisor (dia.) Emulator Emulator (cont.) Emulator (dia.) HybridSimilar to the network partitioning schemes described
previously, there exist a menu of options that enable a
single piece of server hardware to be paritioned so as to
provide varying levels of isolation to the applications and
users served by this hardware.
Common Virt. Hosting Schemes
Virtual Hosting Common Virt. Hosting Schemes Environment Virtual Hosting Environment Virtual Hosting (cont.) Environment Virtual Hosting (dia.) OS-Level Virtual Hosting OS-Level Virtual Hosting (cont.) OS-Level Virtual Hosting (dia.) Hypervisor Hypervisor (cont.) Hypervisor (dia.) Emulator Emulator (cont.) Emulator (dia.) HybridVirtual hosting methods to be covered:
Environment:
Apache virtual-hosting, Java VM
OS Level:
chroot, Jails, User-mode-Linux
Hypervisors:
VirtualBox, VMWare, Xen
Emulation:
Bochs, VMWare & VirtualBox under special
configuration
Environment Virtual Hosting
Virtual Hosting Common Virt. Hosting Schemes Environment Virtual Hosting Environment Virtual Hosting (cont.) Environment Virtual Hosting (dia.) OS-Level Virtual Hosting OS-Level Virtual Hosting (cont.) OS-Level Virtual Hosting (dia.) Hypervisor Hypervisor (cont.) Hypervisor (dia.) Emulator Emulator (cont.) Emulator (dia.) HybridIn Environment Virtual Hosting, virtualization of the hosted
applications are configured within the space of another
Environment Virtual Hosting (cont.)
Virtual Hosting Common Virt. Hosting Schemes Environment Virtual Hosting Environment Virtual Hosting (cont.) Environment Virtual Hosting (dia.) OS-Level Virtual Hosting OS-Level Virtual Hosting (cont.) OS-Level Virtual Hosting (dia.) Hypervisor Hypervisor (cont.) Hypervisor (dia.) Emulator Emulator (cont.) Emulator (dia.) HybridGenerally the following ground rules are true:
■
The administrator of the server hardware has full visibility
and control inside the virtual environments
■
The virtual applications may share, privileges, storage and
RAM, unless specifically configured not to
■
Virtual processes are still visible to each other on the
server-side
■
The shared nature of the infrastructure is generally opaque
to the end-user, but counter-measures must be authored
into the applications in order to ensure this remains true.
■
Compromising one virtual server can put all other virtual
Environment Virtual Hosting (dia.)
Virtual Hosting Common Virt. Hosting Schemes Environment Virtual Hosting Environment Virtual Hosting (cont.) Environment Virtual Hosting (dia.) OS-Level Virtual Hosting OS-Level Virtual Hosting (cont.) OS-Level Virtual Hosting (dia.) Hypervisor Hypervisor (cont.) Hypervisor (dia.) Emulator Emulator (cont.) Emulator (dia.) HybridOS-Level Virtual Hosting
Virtual Hosting Common Virt. Hosting Schemes Environment Virtual Hosting Environment Virtual Hosting (cont.) Environment Virtual Hosting (dia.) OS-Level Virtual Hosting OS-Level Virtual Hosting (cont.) OS-Level Virtual Hosting (dia.) Hypervisor Hypervisor (cont.) Hypervisor (dia.) Emulator Emulator (cont.) Emulator (dia.) HybridWith OS-Level virtualization, you set up independent
deployments of whole application stacks which cannot
share each others’ configurations, libraries, modules, etc.
Configuration of the virtual environments hosting these
deployments will either be configured at the supervisor OS
level, or via specialized "no return" system calls which
request that the OS isolate all future execution and child
processes.
In the case of User Mode Linux, a wholly-contained
execution environment is created to run a different Linux
kernel as a subprocess of a parent kernel, as a new
OS-Level Virtual Hosting (cont.)
Virtual Hosting Common Virt. Hosting Schemes Environment Virtual Hosting Environment Virtual Hosting (cont.) Environment Virtual Hosting (dia.) OS-Level Virtual Hosting OS-Level Virtual Hosting (cont.) OS-Level Virtual Hosting (dia.) Hypervisor Hypervisor (cont.) Hypervisor (dia.) Emulator Emulator (cont.) Emulator (dia.) HybridProvides the following features beyond the Environment
virtual hosting
■
Can be rooted at a sub-path in the filesystem, restricted
from reads/writes outside of this zone
■
Requires a dedicated instance of the service for each
virtual host
■
Lacks dedicated allocation, still competes for system
resources, but executes with significantly limited visibility
to other services
■
Individual applications need not be specially configured,
and will be relatively isolated from one another
■
Networking and IPC may still be possible between isolation
OS-Level Virtual Hosting (dia.)
Virtual Hosting Common Virt. Hosting Schemes Environment Virtual Hosting Environment Virtual Hosting (cont.) Environment Virtual Hosting (dia.) OS-Level Virtual Hosting OS-Level Virtual Hosting (cont.) OS-Level Virtual Hosting (dia.) Hypervisor Hypervisor (cont.) Hypervisor (dia.) Emulator Emulator (cont.) Emulator (dia.) HybridExtra cost is incurred by duplicating applications which
were shared under application-level virtual hosting
Hypervisor
Virtual Hosting Common Virt. Hosting Schemes Environment Virtual Hosting Environment Virtual Hosting (cont.) Environment Virtual Hosting (dia.) OS-Level Virtual Hosting OS-Level Virtual Hosting (cont.) OS-Level Virtual Hosting (dia.) Hypervisor Hypervisor (cont.) Hypervisor (dia.) Emulator Emulator (cont.) Emulator (dia.) HybridA hypervisor further pushes isolation logic up to the
hardware level. Requiring special hardware features, the
hypervisor can natively execute code while maintaining
lmost complete resource isolation between the instances.
With a few small exceptions, the virtual hosts will execute
as completely dedicated OS deployments, requiring
complete OS + application installation within the virtual
guest instances.
Parent OS is called "host", while the children are called
"guests".
Hypervisor (cont.)
Virtual Hosting Common Virt. Hosting Schemes Environment Virtual Hosting Environment Virtual Hosting (cont.) Environment Virtual Hosting (dia.) OS-Level Virtual Hosting OS-Level Virtual Hosting (cont.) OS-Level Virtual Hosting (dia.) Hypervisor Hypervisor (cont.) Hypervisor (dia.) Emulator Emulator (cont.) Emulator (dia.) Hybrid■
Execute most code natively, but expose a false hardware
representation to the "guest" OS
■
Selectively allocate HW devices to guests
■
Dedicate resources or limit resource with fine granularity
■
Abstracted hardware enables suspend, move, restore,
close, snapshot of running guest states
Hypervisor (dia.)
Virtual Hosting Common Virt. Hosting Schemes Environment Virtual Hosting Environment Virtual Hosting (cont.) Environment Virtual Hosting (dia.) OS-Level Virtual Hosting OS-Level Virtual Hosting (cont.) OS-Level Virtual Hosting (dia.) Hypervisor Hypervisor (cont.) Hypervisor (dia.) Emulator Emulator (cont.) Emulator (dia.) HybridEmulator
Virtual Hosting Common Virt. Hosting Schemes Environment Virtual Hosting Environment Virtual Hosting (cont.) Environment Virtual Hosting (dia.) OS-Level Virtual Hosting OS-Level Virtual Hosting (cont.) OS-Level Virtual Hosting (dia.) Hypervisor Hypervisor (cont.) Hypervisor (dia.) Emulator Emulator (cont.) Emulator (dia.) HybridEmulators provide an environment which attempts to
implement, in software, an entire architecture. The goal is
to provide a method to execute the code in a manner which
most closely replicates the underlying system in which the
software would execute. Minimal assistance is provided by
the host operating system, and typically no kernel-level or
other supervisory hooks are required. The entire virtualized
HW & SW stacks live entirely in user-space.
Emulator (cont.)
Virtual Hosting Common Virt. Hosting Schemes Environment Virtual Hosting Environment Virtual Hosting (cont.) Environment Virtual Hosting (dia.) OS-Level Virtual Hosting OS-Level Virtual Hosting (cont.) OS-Level Virtual Hosting (dia.) Hypervisor Hypervisor (cont.) Hypervisor (dia.) Emulator Emulator (cont.) Emulator (dia.) Hybrid■
All code is executed at the application layer
■
Absolutely zero access to the host operating system
■
Host can execute guest code which is incompatible with
host architecture (PPC on x86, etc.)
■
100% visibility into hardware-level operations
■
Very slow execution
Emulator (dia.)
Virtual Hosting Common Virt. Hosting Schemes Environment Virtual Hosting Environment Virtual Hosting (cont.) Environment Virtual Hosting (dia.) OS-Level Virtual Hosting OS-Level Virtual Hosting (cont.) OS-Level Virtual Hosting (dia.) Hypervisor Hypervisor (cont.) Hypervisor (dia.) Emulator Emulator (cont.) Emulator (dia.) HybridHybrid Implementations
Virtual Hosting Common Virt. Hosting Schemes Environment Virtual Hosting Environment Virtual Hosting (cont.) Environment Virtual Hosting (dia.) OS-Level Virtual Hosting OS-Level Virtual Hosting (cont.) OS-Level Virtual Hosting (dia.) Hypervisor Hypervisor (cont.) Hypervisor (dia.) Emulator Emulator (cont.) Emulator (dia.) HybridVirtualBox & VMWare both offer hybrid implementations
of Hypervisors and Emulators. This enables these platforms
to adapt to presence/absence of hardwrae & software
Further Reading
Virtual Hosting Common Virt. Hosting Schemes Environment Virtual Hosting Environment Virtual Hosting (cont.) Environment Virtual Hosting (dia.) OS-Level Virtual Hosting OS-Level Virtual Hosting (cont.) OS-Level Virtual Hosting (dia.) Hypervisor Hypervisor (cont.) Hypervisor (dia.) Emulator Emulator (cont.) Emulator (dia.) Hybrid■
Apache "VirtualHost" examples:http://httpd.apache.org/docs/2.2/vhosts/examples.html
■
Best Practices for UNIX chroot() Operations:http://www.unixwiz.net/techtips/chroot-practices.html
■
FreeBSD Handbook, Chapter 15. Jails:http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html
