TRANSCRIPT
INSE 6620 (Cloud Computing Security and Privacy)
Cloud Computing 101
Prof. Lingyu Wang
The Big Picture
Cloud applications: data-intensive, compute-intensive, storage-intensive
[Figure: the cloud stack – cloud applications on top; web services, SOA, and WS standards exposing service interfaces; virtualization (bare-metal hypervisor hosting VM0, VM1, …, VMn); storage models (S3, BigTable, BlobStore, …); multi-core architectures and 64-bit processors; bandwidth/networking underneath.]
Ramamurthy et al., Cloud Computing: Concepts, Technologies and Business Implications
Enabling Technologies
Cloud computing relies on:
1. Hardware advancements
2. Web x.0 technologies
3. Virtualization
4. Distributed file system
Slides 3-11 are partially based on: Li et al., Chapter 3 Enabling Technologies, in Spatial Cloud Computing: A Practical Approach, edited by Yang et al., CRC Press, pp. 31-46.
Hardware Advancements: Multi-core
The single-core, multi-threaded computing model was unable to meet intensive computing demands
Multi-core CPUs were first used in the late 1990s
Characterized by low electricity consumption, efficient space utilization, and favorable performance
They help cloud providers build energy-efficient, high-performance data centers
Virtualization, multi-tenancy
Hardware Advancements: Networking
Cloud computing provides services in a multi-tenant environment where the network serves as the “glue”.
[Figure: inside a cloud provider – an “elastic” compute cluster of virtual instances and a storage service (blob, table, queue), connected by the intra-cloud network, with a wide-area network linking the cloud to its consumers.]
Li et al., CloudCmp: Comparing Public Cloud Providers, IMC
Storage/Smart Devices
Fast-developing storage technologies meet the storage needs of cloud computing
Smart devices accelerate the development of cloud computing by enriching its access channels for cloud consumers
Enabling Technologies
Cloud computing relies on:
1. Hardware advancements
2. Web x.0 technologies
3. Virtualization
4. Distributed file system
Web X.0: The Evolution of the Web
Web x.0: Web Services
A web service is a software system designed to support interoperable machine-to-machine interaction over a network
SOAP-based web services:
Web Services Description Language (WSDL)
Simple Object Access Protocol (SOAP)
XML is extensively used
RESTful web services (see the sketch below):
Retrieve information through simple HTTP methods such as GET, POST, PUT, and DELETE
E.g., Google APIs, Yahoo APIs
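To make the RESTful style concrete, here is a minimal sketch of a GET request in C using libcurl; the endpoint URL is hypothetical, and error handling is kept to the bare minimum:

    #include <stdio.h>
    #include <curl/curl.h>

    int main(void) {
        CURL *curl = curl_easy_init();              /* create a libcurl handle */
        if (curl) {
            /* Hypothetical REST endpoint, for illustration only */
            curl_easy_setopt(curl, CURLOPT_URL, "https://api.example.com/v1/items/42");
            curl_easy_setopt(curl, CURLOPT_HTTPGET, 1L);   /* plain HTTP GET */
            CURLcode res = curl_easy_perform(curl);        /* issue the request */
            if (res != CURLE_OK)
                fprintf(stderr, "request failed: %s\n", curl_easy_strerror(res));
            curl_easy_cleanup(curl);
        }
        return 0;
    }

The same resource would be created, updated, or deleted simply by switching the method to POST, PUT, or DELETE, which is the simplicity that distinguishes REST from the WSDL/SOAP stack.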
Service-Oriented Architecture (SOA)
A service-based component model for developing software in the form of interoperable services
Benefits of using SOA:
Component reuse
Existing system integration
Language and platform independence
Web x.0: Cloud Computing and SOA
Cloud computing, to a large extent, leverages the concept of SOA, especially in the SaaS and PaaS layers.
They have different emphases:
-- SOA is an architecture focusing on answering the question of “how to develop applications”.
-- Cloud computing is an infrastructure emphasizing the solution of “how to deliver applications”.
Enabling Technologies
Cloud computing relies on:
1. Hardware advancements
2. Web x.0 technologies
3. Virtualization
4. Distributed file system
What Is Virtualization?
“Creating a virtual (rather than actual) version of something, including but not limited to a virtual computer hardware platform, operating system (OS), storage device, or computer network resources.”
E.g., Windows and Linux on the same laptop
How is it different from dual-boot?
Both OSes run at the same time, yet are completely isolated from each other
Slides 13-34 are partially based on: Alex Landau, Virtualization Technologies, IBM Haifa Research Lab
We’ve Been Doing It For Decades!
Indeed – an OS provides isolation between processes:
Each has its own virtual memory
Controlled access to I/O devices (disk, network) via system calls
A process scheduler decides which process runs on which CPU core
So why a virtual “machine”?
Try running Microsoft Exchange, which requires Windows, and some applications requiring Linux simultaneously on the same box!
Or better yet, try to persuade Boeing and Airbus to run their processes side-by-side on one server
Psychological effect – what sounds better?
“You’re given your own virtual machine and you’re root there – do whatever you want”
“You can run certain processes, but you don’t get root; call our helpdesk with your configuration requests and we’ll get back to you in 5 business days…”
Benefits
Decoupling HW/SW leads to many benefits:
Server consolidation
Running web/app/DB servers on the same machine, without losing robustness
Electricity savings, room space savings...
Easier backup/restore/upgrade/provisioning
Easier testing (e.g., firewall)
Making IaaS possible
Two Types of Hypervisors
Definitions:
A hypervisor (or VMM – Virtual Machine Monitor) is a software layer that allows several virtual machines to run on a physical machine
The physical OS and hardware are called the Host
The virtual machine OS and applications are called the Guest
[Figure: Type 1 (bare-metal) – guest VMs run on a hypervisor that sits directly on the hardware; examples: VMware ESX, Microsoft Hyper-V, Xen. Type 2 (hosted) – the hypervisor runs as a process on a host OS, alongside native guest processes; examples: VMware Workstation, Microsoft Virtual PC, Sun VirtualBox, QEMU, KVM.]
Bare-Metal or Hosted?
Bare-metal:
Has complete control over hardware
Doesn’t have to “fight” an OS
Hosted:
Avoids code duplication: need not code a process scheduler or memory management system – the OS already does that
Can run native processes alongside VMs
Familiar environment – how much CPU and memory does a VM take? Use top! How big is the virtual disk? ls -l
Easy management – stop a VM? Sure, just kill it!
A combination:
Mostly hosted, but some parts are inside the OS kernel for performance reasons
E.g., KVM
How to Run a VM? Emulate!
Do whatever the CPU does, but in software:
Fetch the next instruction
Decode – is it an ADD, a XOR, a MOV?
Execute – using the emulated registers and memory
Example:
    addl %ebx, %eax
is emulated as:
    enum {EAX=0, EBX=1, ECX=2, EDX=3, ...};
    unsigned long regs[8];
    regs[EAX] += regs[EBX];
Pro: Simple!
Con: Slooooooooow
Example hypervisor: BOCHS
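To make the fetch-decode-execute loop concrete, here is a minimal emulator sketch in C for a toy two-instruction machine; the opcode encoding is invented for illustration and is not real x86:

    #include <stdint.h>
    #include <stdio.h>

    enum { EAX, EBX, ECX, EDX, NREGS = 8 };

    /* Toy opcodes -- invented encoding, not real x86 */
    enum { OP_MOV = 0x01, OP_ADD = 0x02, OP_HALT = 0xFF };

    int main(void) {
        unsigned long regs[NREGS] = {0};
        /* "Guest" code: each instruction is {opcode, dst, src/imm} */
        uint8_t code[] = { OP_MOV, EAX, 5,    /* eax = 5 (immediate) */
                           OP_MOV, EBX, 7,    /* ebx = 7 (immediate) */
                           OP_ADD, EAX, EBX,  /* addl %ebx, %eax     */
                           OP_HALT, 0, 0 };
        for (size_t pc = 0; ; pc += 3) {
            uint8_t op = code[pc];                               /* fetch  */
            switch (op) {                                        /* decode */
            case OP_MOV:  regs[code[pc+1]] = code[pc+2]; break;  /* execute */
            case OP_ADD:  regs[code[pc+1]] += regs[code[pc+2]]; break;
            case OP_HALT: printf("eax = %lu\n", regs[EAX]); return 0;
            }
        }
    }

Every guest instruction costs dozens of host instructions here, which is why pure emulation is simple but slow.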
How to Run a VM? Trap and Emulate!
Run the VM directly on the CPU – no emulation!
Most of the code can execute just fine
E.g., addl %ebx, %eax
Some code needs hypervisor intervention:
int $0x80
movl something, %cr3
I/O
Trap and emulate it!
E.g., if the guest runs int $0x80, trap it and execute the guest’s interrupt 0x80 handler
Trap and Emulate Model
Traditional OS:
When an application invokes a system call:
The CPU traps to the interrupt handler vector in the OS
The CPU switches to kernel mode (Ring 0) and executes OS instructions
On a hardware event:
The hardware interrupts CPU execution and jumps to the interrupt handler in the OS
Trap and Emulate Model Cont’d
VMM and Guest OS:
System call:
The CPU traps to the interrupt handler vector of the VMM
The VMM jumps back into the guest OS
Hardware interrupt:
The hardware makes the CPU trap to the interrupt handler of the VMM
The VMM jumps to the corresponding interrupt handler of the guest OS
Privileged instruction:
Running privileged instructions in the guest OS traps to the VMM for instruction emulation
After emulation, the VMM jumps back to the guest OS
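A schematic of the VMM dispatch these three cases describe, sketched in C with stub handlers; the exit-reason encoding is illustrative, not any real hypervisor's interface:

    #include <stdio.h>

    /* Reasons the guest trapped into the VMM (illustrative encoding) */
    enum exit_reason { EXIT_SYSCALL, EXIT_HW_INTERRUPT, EXIT_PRIV_INSN };

    struct guest { int id; };   /* stand-in for the guest's saved state */

    /* Stubs for the world switch and the instruction emulator */
    static void enter_guest_at(struct guest *g, int vector) {
        printf("guest %d: resume at its interrupt handler 0x%x\n", g->id, vector);
    }
    static void emulate_insn(struct guest *g) {
        printf("guest %d: emulate privileged instruction, then resume\n", g->id);
    }

    /* Called whenever the guest traps to the VMM */
    void vmm_handle_exit(struct guest *g, enum exit_reason why, int vector) {
        switch (why) {
        case EXIT_SYSCALL:        /* guest app executed int $0x80 */
            enter_guest_at(g, 0x80);   /* reflect into the guest's own handler */
            break;
        case EXIT_HW_INTERRUPT:   /* a real device interrupt arrived */
            enter_guest_at(g, vector); /* jump to the corresponding guest handler */
            break;
        case EXIT_PRIV_INSN:      /* privileged instruction in the guest kernel */
            emulate_insn(g);           /* emulate it on the guest's behalf */
            break;
        }
    }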
Trap and Emulate Model Cont’d
Pro:
Performance!
Cons:
Harder to implement
Needs hardware support
Not all “sensitive” instructions cause a trap when executed in user mode
E.g., POPF, which may be used to clear the interrupt flag (IF)
This instruction does not trap, but the value of IF does not change!
The required hardware support is called VMX (Intel) or SVM (AMD), and exists in modern CPUs
Example hypervisor: KVM
Dynamic (Binary) Translation
Take a block of binary VM code that is about to be executed
Translate it on the fly to “safe” code (like JIT – just-in-time compilation)
Execute the new “safe” code directly on the CPU
Translation rules?
Most code translates identically (e.g., movl %eax, %ebx translates to itself)
“Sensitive” operations are translated into “hypercalls”
Hypercall – a call into the hypervisor to ask for service
Implemented as trapping instructions (unlike POPF)
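As a sketch of the translation step, the loop below copies a basic block byte by byte and rewrites one sensitive opcode into a trapping one; the one-byte toy encoding is for illustration only (a real translator must decode variable-length x86 instructions):

    #include <stddef.h>
    #include <stdint.h>

    /* POPF really is opcode 0x9D and INT3 really is 0xCC on x86, but
       treating code as a stream of independent one-byte opcodes is a
       deliberate simplification. */
    #define OP_POPF  0x9D   /* sensitive: silently ignored in user mode      */
    #define OP_INT3  0xCC   /* trapping: control transfers to the hypervisor */

    /* Translate one basic block: copy safe instructions verbatim,
       rewrite sensitive ones into trapping stubs ("hypercalls"). */
    size_t translate_block(const uint8_t *in, size_t n, uint8_t *out) {
        size_t o = 0;
        for (size_t i = 0; i < n; i++) {
            if (in[i] == OP_POPF)
                out[o++] = OP_INT3;  /* trap so the hypervisor can emulate POPF */
            else
                out[o++] = in[i];    /* most code translates identically */
        }
        return o;                    /* length of the translated block */
    }

Translated blocks are cached, so the translation cost is paid once per block rather than once per execution.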
Dynamic (Binary) Translation Cont’d
Pros:
No hardware support required
Performance – better than emulation
Cons:
Performance – worse than trap and emulate
Hard to implement
Example hypervisors: VMware, QEMU
How to Run a VM? Paravirtualization!
Requires a modified guest OS that “knows” it is running on top of a hypervisor
E.g., instead of doing cli to turn off interrupts, the guest OS should do hypercall(DISABLE_INTERRUPTS)
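As a sketch of that cli-to-hypercall change (GCC inline assembly on x86; the hypercall number and trap vector are illustrative rather than Xen's actual ABI):

    /* Native kernel: a privileged instruction that a deprivileged
       guest kernel is no longer allowed to execute directly. */
    static inline void native_irq_disable(void) {
        __asm__ volatile ("cli");
    }

    /* Paravirtualized kernel: ask the hypervisor instead. */
    #define HYPERCALL_DISABLE_INTERRUPTS 1   /* illustrative number */
    static inline void pv_irq_disable(void) {
        long nr = HYPERCALL_DISABLE_INTERRUPTS;
        __asm__ volatile ("int $0x82"        /* illustrative trap vector */
                          :: "a"(nr) : "memory");
    }

The guest kernel is rebuilt so that every such privileged operation goes through the hypercall path, which is exactly the OS modification the next slide counts as a con.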
How to Run a VM? Paravirtualization!
Pros:
No hardware support required
Performance – better than emulation
Cons:
Requires a specifically modified guest
The same guest OS image cannot run both in a VM and on bare metal
Example hypervisor: Xen
I/O Virtualization
Types of I/O:
Block (e.g., hard disk)
Network
Input (e.g., keyboard, mouse)
Sound
Video
Most performance-critical (for servers):
Network
Block
I/O Virtualization Models
[Figure: three I/O virtualization models – Monolithic (device drivers and I/O services live inside the hypervisor, which shares the devices among guest VMs), Service VM (device drivers and I/O services run in dedicated service VMs that serve the guest VMs), and Pass-through (devices are assigned directly to guest VMs, which run their own device drivers).]
Monolithic model – Pro: higher performance; Pro: I/O device sharing; Pro: VM migration; Con: larger hypervisor
Service VM model – Pro: high security; Pro: I/O device sharing; Pro: VM migration; Con: lower performance
Pass-through model – Pro: highest performance; Pro: smaller hypervisor; Pro: device-assisted sharing; Con: migration challenges
How Does a NIC Driver Work?
Transmit path:
The OS prepares the packet to transmit in a buffer in memory
The driver writes the start address of the buffer to register X of the NIC
The driver writes the length of the buffer to register Y
The driver writes ‘1’ (GO!) into register T
The NIC reads the packet from memory addresses [X, X+Y) and sends it on the wire
The NIC sends an interrupt to the host (TX complete, next packet please)
Receive path:
The driver prepares a buffer to receive the packet into
The driver writes the start address of the buffer to register X
The driver writes the length of the buffer to register Y
The driver writes ‘1’ (READY-TO-RECEIVE) into register R
When a packet arrives, the NIC copies it into memory at [X, X+Y)
The NIC interrupts the host (RX)
The OS processes the packet (e.g., wakes the waiting process up)
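The transmit path above maps naturally onto memory-mapped register writes; here is a minimal sketch in C, where the register names X, Y, and T follow the slide but the struct layout is invented for illustration:

    #include <stdint.h>

    /* Hypothetical MMIO layout of the NIC's transmit registers */
    struct nic_regs {
        volatile uint64_t x;   /* start address of the packet buffer    */
        volatile uint32_t y;   /* length of the packet buffer, in bytes */
        volatile uint32_t t;   /* write 1 (GO!) to start transmission   */
    };

    /* Driver transmit path: program address and length, then GO */
    static void nic_transmit(struct nic_regs *nic, const void *buf, uint32_t len) {
        nic->x = (uint64_t)(uintptr_t)buf;  /* register X: buffer start  */
        nic->y = len;                       /* register Y: buffer length */
        nic->t = 1;                         /* register T: GO! the NIC now
                                               reads [X, X+Y) and sends it
                                               on the wire */
    }

The TX-complete interrupt then tells the driver the buffer can be reused; the receive path is symmetric, using register R.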
I/O Virtualization? Emulate!
The hypervisor implements a virtual NIC (to the specification of a real NIC, e.g., Intel, Realtek, Broadcom)
NIC registers (X, Y, Z, T, R, …) are just variables in hypervisor (host) memory
If the guest writes ‘1’ to register T, the hypervisor reads the buffer from memory [X, X+Y) and passes it to the physical NIC driver for transmission
When the physical NIC interrupts (TX complete), the hypervisor injects a TX-complete interrupt into the guest
Similar for the receive path
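A runnable toy version of this emulation, with the guest-visible registers held as plain variables in “host” memory; the register indices and helpers are hypothetical stand-ins, not a real hypervisor interface:

    #include <stdint.h>
    #include <stdio.h>
    #include <string.h>

    enum { REG_X, REG_Y, REG_T };   /* register indices, per the slide */

    struct vnic {
        uint64_t x;                /* guest-written buffer start address */
        uint32_t y;                /* guest-written buffer length        */
        uint8_t  guest_mem[4096];  /* stand-in for the guest's memory    */
    };

    /* Stub standing in for the physical NIC driver */
    static void physical_nic_transmit(const uint8_t *pkt, uint32_t len) {
        printf("transmitting %u bytes, first byte 0x%02x\n", len, pkt[0]);
    }

    /* Invoked when a guest MMIO write to the virtual NIC causes a VM exit */
    static void vnic_mmio_write(struct vnic *v, int reg, uint64_t val) {
        switch (reg) {
        case REG_X: v->x = val; break;           /* just record the value */
        case REG_Y: v->y = (uint32_t)val; break;
        case REG_T:                              /* GO! emulate the transmit */
            physical_nic_transmit(&v->guest_mem[v->x], v->y);
            /* ...then inject a TX-complete interrupt into the guest */
            break;
        }
    }

    int main(void) {
        struct vnic v = {0};
        memset(v.guest_mem, 0xab, 64);   /* pretend the guest built a packet */
        vnic_mmio_write(&v, REG_X, 0);   /* the guest writes X, Y, then T */
        vnic_mmio_write(&v, REG_Y, 64);
        vnic_mmio_write(&v, REG_T, 1);
        return 0;
    }

Note that each of the three register writes would cost a full VM exit, which is the slowness the next slide complains about.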
I/O Virtualization? Emulate!
Pro:
Unmodified guest (the guest already has drivers for Intel NICs…)
Cons:
Slow – every access to every NIC register causes a VM exit (trap to the hypervisor)
The hypervisor needs to emulate complex hardware
Example hypervisors: QEMU, KVM, VMware (without VMware Tools)
I/O Virtualization? Paravirtualize!
Add a virtual NIC driver into the guest OS (frontend)
Implement the virtual NIC in the hypervisor (backend)
Everything works just like in the emulation case…
…except the protocol between frontend and backend
Protocol in the emulation case: the guest writes registers X, Y, waits at least 3 nanoseconds, and writes to register T; the hypervisor infers the guest wants to transmit a packet
Paravirtual protocol: the guest does a hypercall, passing the start address and length as arguments; the hypervisor knows what it should do
I/O Virtualization? Paravirtualize!
Pro: Fast – no need to emulate a physical device
Con: Requires a guest driver
Example hypervisors: QEMU, KVM, VMware (with VMware Tools), Xen
How is paravirtual I/O different from a paravirtual guest?
A paravirtual guest requires modifying the whole OS
Try doing it on Windows (without source code), or even Linux (lots of changes)
Paravirtual I/O requires the addition of a single driver to a guest
Easy to do on both Windows and Linux guests
Direct Access / Direct Assignment
“Pull” the NIC out of the host, and “plug” it into the guest
The guest is allowed to access NIC registers directly, with no hypervisor intervention
The host can’t access the NIC anymore
Pro: As fast as possible!
Cons:
Need a NIC per guest, plus one for the host
Can’t do “cool stuff”: encapsulate guest packets, monitor or modify them at the hypervisor level
Example hypervisors: KVM, Xen, VMware
Xen
The University of Cambridge Computer Laboratory developed the first versions of Xen
The Xen community develops and maintains Xen as free and open-source software (GPL)
Xen is currently available for the IA-32, x86-64, and ARM instruction sets
(Original) Target: 100 virtual OSes per machine
Slides 35-48 are partially based on: Barham et al., Xen and the Art of Virtualization, SOSP’03
Xen: Approach Overview
Conventional approach: full virtualization
Guests cannot access the hardware
Problematic for certain privileged instructions (e.g., traps)
No real-time guarantees
Xen: paravirtualization
Provides some exposure to the underlying HW
Better performance
Needs modifications to the OS
No modifications to applications
TLB (Translation Lookaside Buffer)
A hardware cache containing parts of the page table
Translates virtual into real addresses
A TLB “miss” causes an expensive page walk
The TLB must be flushed when context switching
The minimum cost on a Pentium 4 to change the TLB is 516 cycles (184 ns)
http://www.mega-tokyo.com/osfaq2/index.php/Context%20Switching
Thus, Xen avoids context switching on system calls for performance reasons
Memory Management
Depending on the hardware support:
A software-managed TLB can be easily virtualized
A tagged TLB allows coexistence of OSes and avoids TLB flushing across OS boundaries
x86 has no software-managed/tagged TLB:
Xen exists in the top 64 MB of every address space, to avoid TLB flushing when a guest enters/exits Xen
Each OS can only map to memory it owns
Writes are validated by Xen
CPU
x86 supports 4 privilege levels
Xen downgrades the privilege of guest OSes
System-call and page-fault handlers are registered with Xen
“Fast handlers” for most exceptions; Xen isn’t involved
I/O: Xen exposes a set of simple device abstractions
I/O data is transferred to and from guests via Xen, using shared memory
Efficient, while allowing Xen to perform validation
The Cost of Porting an OS to Xen
<2% of the code base:
Privileged instructions
Page table access
Network driver
Block device driver
Control Management
Domain0 (a special guest) hosts the application-level management software
Creation and deletion of other guests, processors, memory, virtual network interfaces, and block devices
Exposed through an interface to application-level management software
Control Transfer
Hypercall: a synchronous call from a guest to Xen
A software trap to perform a privileged operation
Analogous to system calls
E.g., page table update requests
Events: asynchronous notifications from Xen to guests
Replace device interrupts for lightweight notification
E.g., guest termination request, new data received over the network
Data Transfer: I/O Rings
E.g., requests for received packets
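An I/O ring is a circular buffer of request/response descriptors shared between a guest and Xen; below is a minimal single-producer/single-consumer sketch of the request side in C (the descriptor fields and names are illustrative, not Xen's actual shared-ring layout):

    #include <stdint.h>

    #define RING_SIZE 64   /* power of two, so masking replaces modulo */

    struct req {           /* illustrative request descriptor */
        uint64_t buf_addr; /* e.g., a buffer for a received packet */
        uint32_t len;
        uint32_t id;
    };

    struct io_ring {
        struct req ring[RING_SIZE];
        volatile uint32_t req_prod;  /* advanced by the guest (producer) */
        volatile uint32_t req_cons;  /* advanced by Xen (consumer)       */
    };

    /* Guest side: enqueue a request if the ring is not full */
    int ring_put(struct io_ring *r, const struct req *q) {
        if (r->req_prod - r->req_cons == RING_SIZE)
            return -1;                               /* ring full */
        r->ring[r->req_prod & (RING_SIZE - 1)] = *q;
        r->req_prod++;   /* a real implementation adds a memory barrier here */
        return 0;
    }

    /* Xen side: dequeue the next pending request */
    int ring_get(struct io_ring *r, struct req *out) {
        if (r->req_cons == r->req_prod)
            return -1;                               /* ring empty */
        *out = r->ring[r->req_cons & (RING_SIZE - 1)];
        r->req_cons++;
        return 0;
    }

Responses travel the same way in the opposite direction, with a second pair of producer/consumer indices.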
Network
A virtual firewall-router is attached to each guest
Virtual NICs have two I/O rings and rules
E.g., rules for preventing IP source spoofing or incoming connection attempts
To send a packet, enqueue a buffer descriptor into the transmit I/O ring
A domain needs to exchange an unused page frame for each received packet
Uses DMA (zero copy)
Avoids copying packets between Xen and the guest
Disk
Only Domain0 has direct access to disks
Other guests need to use virtual block devices
Use the I/O ring
The guest OS will typically reorder requests prior to enqueuing them on the ring
Xen will also reorder requests to improve performance, since it knows more about the real disk layout
Uses DMA (zero copy)
Evaluation
Dell 2650 dual-processor 2.4 GHz Xeon server
2 GB RAM
3 Gb Ethernet NIC
1 Hitachi DK32eJ 146 GB 10k RPM SCSI disk
Linux 2.4.21
Relative Performance
[Figure: relative performance of Linux, Xen, VMware, and UML (normalized to native Linux = 1.0) on three workloads – a CPU-intensive benchmark (little I/O and OS interaction), 180 Mb/s TCP traffic, and disk read-write on a 2 GB dataset.]
Scalability
Live Migration of Virtual Machines
Move a running virtual machine from one host to another host with no perceived downtime
The VM is not aware of the migration
TCP connections of the guest OS are maintained
The VM is treated as a black box
How is Live Migration (LM) different from Quick Migration (QM)?
QM: the VM is saved and restored on the destination
QM: results in downtime for applications/workloads running inside VMs
Use Cases
Patching or hardware servicing
Migrate VMs to temporary hosts and migrate back after the original hosts are patched/upgraded
Load balancing
Migrate VMs to hosts with less load
Server consolidation
Migrate VMs to a few hosts during off-peak hours and shut down the other hosts to reduce power consumption
Methodology
Three phases:
Push: the source VM continues running
Stop-and-copy: stop the source VM, start the new VM
Pull: copy what remains
Possible approaches:
Pure stop-and-copy
Pure demand-migration
Pre-copy
Slides 52-56 are partially based on: Tewari et al., From Zero to Live Migration
Memory Copy: Full Copy
[Figure: the VM is pre-staged on the destination host, and its memory content is copied to the new server; the VHD remains on the shared SAN]
The first initial copy is of all in-memory content
Memory Copy: Dirty Pages
[Figure: while the copy is in progress, the client continues accessing the VM and pages are being dirtied; the VHD remains on the shared SAN]
The client continues to access the VM, which results in memory being modified
Memory Copy: Incremental Copy
[Figure: changes are recopied to the destination; each pass transfers a smaller set of changes. A code sketch of this loop follows.]
Transfer the content of the VM’s memory to the destination host
Track pages modified by the VM, and retransfer these pages
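Putting the three memory-copy slides together, here is a compact pre-copy loop in C; the dirty-page bitmap and the send/stop primitives are simulated with stubs, and the round limit and threshold are illustrative:

    #include <stdbool.h>
    #include <stdio.h>

    #define NPAGES 64

    /* Stubs standing in for hypervisor primitives (hypothetical) */
    static bool dirty[NPAGES];   /* dirty-page tracking bitmap */
    static void send_page(int pfn) { printf("send page %d\n", pfn); }
    static void stop_vm(void)      { puts("VM paused"); }

    static void precopy_migrate(void) {
        /* Full copy: all in-memory content, while the VM keeps running */
        for (int i = 0; i < NPAGES; i++) send_page(i);

        /* Incremental copies: retransfer only pages dirtied meanwhile */
        for (int round = 0; round < 30; round++) {
            int ndirty = 0;
            for (int i = 0; i < NPAGES; i++)
                if (dirty[i]) { send_page(i); dirty[i] = false; ndirty++; }
            if (ndirty < 8) break;   /* change set small enough to stop */
        }

        /* Final transition: pause the VM and copy what remains */
        stop_vm();
        for (int i = 0; i < NPAGES; i++)
            if (dirty[i]) { send_page(i); dirty[i] = false; }
    }

    int main(void) {
        dirty[3] = dirty[7] = true;   /* pretend the client dirtied pages */
        precopy_migrate();
        return 0;
    }

Each round transfers a smaller set of changes, so the final stop-and-copy pause is short enough that clients perceive no downtime.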
Live Migration: Final Transition
[Figure: the partition state is copied to the destination; the VHD remains on the shared SAN]
Save the register and device state of the VM on the source host
Transfer the saved state and storage ownership to the destination host
Restore the VM from the saved state on the destination host
Post-Transition: Clean-up
[Figure: the client is directed to the new host; the old VM is deleted once the migration is verified successful; the VHD remains on the shared SAN]
An ARP is issued to have routing devices update their tables
Since session state is maintained, no reconnections are necessary