
Get to know OpenStack: Virtualization, and an introduction to Xen and KVM

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

I. CPU virtualization

1. CPU working mechanism

With the rise of cloud computing, virtualization, as an integral part of it, has become popular as well, but virtualization is not a new technology: it first appeared as early as the 1960s. The x86 CPU architecture has four protection rings, Ring 0 to Ring 3. Ring 0 is where the kernel runs and where privileged instructions execute, while ring 3 is user space; rings 1 and 2 are reserved. Whenever user space needs a privileged operation, control transfers to kernel space immediately; this switch from user space to kernel space is called a soft interrupt, and every privileged operation requested from user space must go through a system call. By working mechanism, CPU virtualization falls into three types: full virtualization, paravirtualization and hardware-assisted virtualization.

2. Full virtualization

Under the traditional architecture, an application issues system calls directly to the kernel running in ring 0. The transition from user space to kernel space is called a soft interrupt, and the hardware notifying the kernel that it has finished executing an instruction is called a hard interrupt. In a fully virtualized architecture, the Hypervisor runs in ring 0 and the Guest kernel runs in ring 1 while believing it is running in ring 0. When an application in the Guest makes a system call to its kernel, the kernel's privileged instructions cannot execute in ring 1 and raise an exception; the Hypervisor catches these exceptions, translates and emulates them, carrying the privileged instructions across the ring 1 / ring 0 boundary, and finally returns control to the Guest operating system, which believes its privileged instructions worked normally and continues running. When the result of a hard interrupt comes back, it passes through the Hypervisor first, and the Hypervisor then notifies the Guest kernel.

3. Paravirtualization

Unlike the fully virtualized Guest kernel that believes it runs in ring 0, paravirtualization modifies the Guest kernel so that it knows it runs in ring 1. When it needs to run a privileged instruction, it replaces the kernel-level operation with a direct call to the Hypervisor in ring 0 (a hypercall), which skips the Hypervisor's capture-and-translate step. Because the Guest kernel must be modified, Windows systems are not well supported.

4. Hardware-assisted virtualization

For x86-series CPUs, Intel and AMD have extended the CPU at the hardware level since 2006 and 2007 respectively, creating ring -1: the Hypervisor runs in ring -1 and the Guest runs in ring 0. When an application in the Guest system issues a system call, the request still goes directly to the Guest kernel, and apart from a few sensitive instructions (a subset of the privileged instructions) no instruction needs Hypervisor assistance. The Guest kernel does not need to be modified, and compared with full virtualization the capture-and-translate step is eliminated, so this has become the mainstream CPU virtualization technology today.

5. Type 1 and Type 2 virtualization technologies

Type 1 virtualization, also known as bare-metal virtualization, is characterized by the Hypervisor running directly on the physical host and managing the virtual machines' operating systems; its representative product is Xen.

Type 2 virtualization, also known as hosted virtualization, lets the virtualization software run on an ordinary operating system much like an ordinary process; its representative product is QEMU. KVM is a special case: by enabling a virtualization module in the kernel it turns a conventional operating system into a type 1 hypervisor, but because that general-purpose operating system competes with the virtual machines for the physical host's resources, KVM's architecture is closer to type 2.

II. Memory virtualization

All operating systems provide memory to processes as virtual memory, and memory virtualization closely resembles the virtual memory scheme that operating systems already support, so we first review how virtual memory is implemented. Each application needs a contiguous address space while it runs. If physical memory were handed out in exactly the address ranges applications ask for, it would become heavily fragmented, so the kernel uses virtual memory instead and divides physical memory into 4 KB pages. The application believes it has a contiguous address space, but in fact that space is made up of many physical pages, each of which records its predecessor and successor in a doubly linked list. Memory virtualization adds one more level of paging on top of this, so Guest memory reaches physical memory through two mappings: GVA (Guest Virtual Address) → GPA (Guest Physical Address) → HPA (Host Physical Address).

To reduce the cost of this double mapping, AMD's RVI (Rapid Virtualization Indexing, also called NPT) and Intel's EPT (Extended Page Tables) let the hardware map Guest memory to physical memory directly, so the Guest's GVA is resolved to HPA in a single hardware-handled walk (GVA → HPA).

Current x86 CPUs include a Memory Management Unit (MMU) and a Translation Lookaside Buffer (TLB), which together make virtual memory fast. In a virtualization scenario, however, each physical host runs several virtual machines, and the TLB would have to be cleared repeatedly on every switch between them, so the TLB must be virtualized as well.
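To make the two-level mapping and the TLB problem concrete, here is a small Python model added for this article; it is not code from the article's author, from Xen or from KVM. It assumes 4 KB pages, one guest page table and one hypervisor (EPT/RVI-style) table per VM, and compares an untagged TLB, which must be flushed on every VM switch, with a VM-tagged TLB in the style of Intel VPID / AMD ASID. The page numbers and VM ids are constructed.

```python
"""Model of GVA -> GPA -> HPA translation and a VM-tagged TLB.

Constructed example: 4 KB pages, a guest page table per VM (guest virtual
page -> guest physical page, owned by the guest kernel) and a host table per
VM (guest physical page -> host physical page, owned by the hypervisor, the
role EPT/RVI tables play in hardware). Page numbers and VM ids are made up.
"""

PAGE_SHIFT = 12                   # 4 KB pages
PAGE_MASK = (1 << PAGE_SHIFT) - 1


class TranslationFault(Exception):
    """A level of the walk had no mapping (guest page fault or EPT/NPT violation)."""


class VM:
    def __init__(self, vmid, guest_pt, host_pt):
        self.vmid = vmid
        self.guest_pt = guest_pt      # GVA page -> GPA page
        self.host_pt = host_pt        # GPA page -> HPA page

    def walk(self, gva):
        """Full two-level walk: GVA -> GPA -> HPA."""
        gvpn, offset = gva >> PAGE_SHIFT, gva & PAGE_MASK
        if gvpn not in self.guest_pt:
            raise TranslationFault(f"VM{self.vmid}: guest page fault at GVA {gva:#x}")
        gppn = self.guest_pt[gvpn]
        if gppn not in self.host_pt:
            raise TranslationFault(f"VM{self.vmid}: EPT/NPT violation at GPA {gppn << PAGE_SHIFT:#x}")
        return (self.host_pt[gppn] << PAGE_SHIFT) | offset


class TLB:
    """Cache of finished GVA -> HPA translations.

    tagged=False: entries are keyed by guest page only (untagged TLB), so the
    whole TLB must be flushed on every VM switch.
    tagged=True:  entries are keyed by (vmid, guest page), the VPID/ASID idea,
    so no flush is needed and VMs still cannot use each other's entries.
    flush_on_switch=False on an untagged TLB shows the isolation failure.
    """

    def __init__(self, tagged, flush_on_switch=True):
        self.tagged = tagged
        self.flush_on_switch = flush_on_switch
        self.entries = {}
        self.flushes = 0
        self.current_vmid = None

    def switch_to(self, vm):
        if (not self.tagged and self.flush_on_switch
                and self.current_vmid not in (None, vm.vmid)):
            self.entries.clear()
            self.flushes += 1
        self.current_vmid = vm.vmid

    def translate(self, vm, gva):
        """Return (hpa, hit): hit=True if served from the TLB, else a full walk."""
        self.switch_to(vm)
        gvpn = gva >> PAGE_SHIFT
        key = (vm.vmid, gvpn) if self.tagged else gvpn
        if key in self.entries:
            return (self.entries[key] << PAGE_SHIFT) | (gva & PAGE_MASK), True
        hpa = vm.walk(gva)
        self.entries[key] = hpa >> PAGE_SHIFT
        return hpa, False


def demo(tagged, flush_on_switch=True):
    """Two VMs that both use guest page 0x10, backed by different host frames.

    Returns ([(vmid, hpa, hit), ...] for alternating accesses, number of flushes).
    """
    vm_a = VM(1, guest_pt={0x10: 0x200}, host_pt={0x200: 0x7000})
    vm_b = VM(2, guest_pt={0x10: 0x300}, host_pt={0x300: 0x8000})
    tlb = TLB(tagged=tagged, flush_on_switch=flush_on_switch)
    trace = []
    for vm in (vm_a, vm_b, vm_a, vm_b):
        hpa, hit = tlb.translate(vm, 0x10ABC)
        trace.append((vm.vmid, hpa, hit))
    return trace, tlb.flushes


if __name__ == "__main__":
    for label, args in (("untagged, flush on switch", (False,)),
                        ("untagged, NO flush (broken)", (False, False)),
                        ("tagged (VPID/ASID)", (True,))):
        trace, flushes = demo(*args)
        print(f"{label}: flushes={flushes}")
        for vmid, hpa, hit in trace:
            print(f"  VM{vmid} GVA 0x10ABC -> HPA {hpa:#x} ({'TLB hit' if hit else 'walk'})")
```

With the untagged TLB every switch between the two VMs costs a flush and a fresh two-level walk; with `flush_on_switch=False` the second VM is handed the first VM's host frame for the same guest address, which is exactly the cross-VM leak the flush prevents. The tagged TLB keeps the entries of both VMs apart and needs no flush at all, which is why the TLB has to be virtualized rather than merely cleared.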

III. Implementation of I/O virtualization

1. I/O virtualization description

Xen and KVM themselves virtualize only the CPU and memory; traditional (default) I/O virtualization is performed by the QEMU program in the host's user space, so a complete virtualization stack is Xen or KVM plus QEMU. By type, I/O virtualization is divided into full virtualization, paravirtualization and pass-through.

2. Full virtualization

When an application in a Guest system writes data to an I/O device, the Guest does not know that it is running in a virtualized environment, so it calls the ordinary physical device driver. That access triggers an exception, which KVM captures and hands to QEMU to emulate, and QEMU finally writes the data to the physical device.

3. Paravirtualization

Unlike the full virtualization scenario, paravirtualized I/O devices know explicitly that they are running in a virtualized environment. With the appropriate drivers installed in the Guest system, writes go through QEMU directly to the physical device, eliminating KVM's capture and QEMU's emulation and improving I/O performance.

Unlike CPU paravirtualization, which requires modifying the kernel to make it aware of the virtualized environment, an I/O device only needs a driver installed to be made aware of it. The driver has two halves: a front end installed in the Guest system and a back end installed in the Hypervisor kernel.

4. Pass-through

In both full and paravirtualized I/O, QEMU is needed in the I/O path because the virtual machines share the physical host's hardware. Alternatively, the driver for a physical I/O device can be installed directly in the Guest system, so that the Guest accesses the physical device directly when writing data, no longer going through KVM and QEMU. This gives the best hardware I/O performance, but the physical I/O device can then be used only by that one virtual machine. This method is called pass-through.

IV. Implementation of KVM and Xen

1. Xen Introduction

Xen is a type 1 virtualization technology that predates KVM. It does not require CPU virtualization extensions and supports both full virtualization and paravirtualization. The Xen Hypervisor must work together with a unique Domain0: every Xen environment must start Domain0 before any other virtual guest can run. Domain0 not only contains the drivers for all hardware devices but is also used to manage the whole life cycle of the other virtual machines. In the entire Xen architecture only Domain0 can access hardware I/O; the other virtual machines, DomainU (unprivileged), must access hardware through Domain0.

2. KVM Introduction

KVM is built on the premise that the CPU must have virtualization extensions. In kernel versions after 2.6.2, KVM is integrated as a module; once the kernel loads this module it becomes a kernel that works as a hypervisor. However, KVM itself only virtualizes the CPU and memory. For I/O virtualization, KVM traditionally (by default) uses QEMU, pure software in user space, to emulate I/O devices including the keyboard, mouse, display, hard disk and network card. Seen this way, the host operating system also takes on some of the characteristics of Xen's Domain0.
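A quick way to check the premise of this section on a Linux host is to look at the CPU feature flags the kernel exposes. The following Python script is an added example, not code from the article or from the KVM project; it parses /proc/cpuinfo-style text for the flags that hardware-assisted CPU virtualization (vmx/svm), hardware nested paging (ept/npt) and tagged TLBs (vpid) depend on, and also reads the real /proc/cpuinfo when run on a Linux host. The three sample texts are constructed and abbreviated.

```python
"""Check which hardware virtualization features a host CPU advertises.

Parses /proc/cpuinfo-style text (the format Linux exposes) for the flags that
hardware-assisted CPU virtualization, nested paging and tagged TLBs rely on.
The three samples are constructed for this example, not captured from a host.
"""
import os

# Flag names exactly as Linux prints them in /proc/cpuinfo. Older kernels put
# all of them on the "flags" line; newer kernels move VMX sub-features such as
# ept and vpid to a separate "vmx flags" line, so both lines are parsed.
FEATURES = {
    "vmx": "Intel VT-x: hypervisor in ring -1, guest kernel in ring 0",
    "svm": "AMD-V: hypervisor in ring -1, guest kernel in ring 0",
    "ept": "Intel EPT: hardware GPA->HPA, so GVA->HPA is one walk",
    "npt": "AMD NPT/RVI: hardware GPA->HPA, so GVA->HPA is one walk",
    "vpid": "Intel VPID: VM-tagged TLB, no flush on every VM switch",
    "hypervisor": "CPUID says we are already running inside a VM",
}


def parse_flags(cpuinfo_text):
    """Union of the feature flags on every 'flags' / 'vmx flags' line."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in ("flags", "vmx flags"):
            flags.update(value.split())
    return flags


def virt_capabilities(cpuinfo_text):
    """Summarise what the CPU can do for a KVM-style hypervisor."""
    caps = parse_flags(cpuinfo_text) & FEATURES.keys()
    vendor = "intel" if "vmx" in caps else "amd" if "svm" in caps else None
    return {
        "cpu_virt": vendor,                            # None: no ring -1, KVM cannot run
        "nested_paging": bool(caps & {"ept", "npt"}),  # otherwise two software mappings
        # AMD-V carries ASID tags as part of SVM; Intel needs the separate vpid feature.
        "tagged_tlb": "vpid" in caps or "svm" in caps,
        "inside_vm": "hypervisor" in caps,
        "flags": sorted(caps),
    }


def describe(cpuinfo_text):
    """Human-readable report lines for the features found."""
    caps = virt_capabilities(cpuinfo_text)
    lines = [f"{flag}: {FEATURES[flag]}" for flag in caps["flags"]]
    if caps["cpu_virt"] is None:
        lines.append("no vmx/svm: KVM cannot load; only Xen PV or software emulation")
    return lines


# Constructed samples (abbreviated flag lists, not real cpuinfo dumps).
SAMPLE_INTEL = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep vmx ssse3\n"
    "vmx flags\t: vnmi preemption_timer invvpid ept vpid unrestricted_guest\n"
)
SAMPLE_AMD = (
    "processor\t: 0\nvendor_id\t: AuthenticAMD\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep svm npt nrip_save\n"
)
SAMPLE_GUEST = (
    "processor\t: 0\nvendor_id\t: GenuineIntel\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep hypervisor\n"
)


if __name__ == "__main__":
    samples = {"intel": SAMPLE_INTEL, "amd": SAMPLE_AMD, "guest": SAMPLE_GUEST}
    if os.path.exists("/proc/cpuinfo"):              # real host, when available
        with open("/proc/cpuinfo") as fh:
            samples["this host"] = fh.read()
    for name, text in samples.items():
        print(f"== {name} ==")
        for line in describe(text):
            print("  " + line)
```

The `hypervisor` flag is worth checking before blaming a missing `vmx`/`svm` on the hardware: a machine that is itself a VM reports it, and then KVM only works if the outer hypervisor exposes nested virtualization. The ASID comment is an assumption stated in the code: AMD-V tags TLB entries as part of SVM, so no separate flag appears for it.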


© 2024 shulou.com SLNews company. All rights reserved.
