In this post, I will cover different virtualization types, virtual machine storages, migrations, hypervisor vendors and basic concepts of virtualization security. Understanding the concepts in this post requires you to have some knowledge of computers and networking already.
This is the second part of Virtualization Explained. If you haven’t read the first one, I recommend reading it first. The first part, Virtualization Explained Part 1: Basics, can be found here.
Different virtualization types
There are two types of virtualization that we are going to take a look at. These are full and OS assisted virtualization. They both have their use cases and you will run across them both if you are going to buy a cloud server from almost any company. That’s why it’s important to know what you will get for your money and how they work compared to each other.
Full virtualization
Full virtualization means that the hypervisor emulates all hardware needed by the virtual machine. The operating system running on it doesn’t know it’s a virtual machine. Guest instructions are executed directly on the processor, which gives the user higher performance.
The benefits of full virtualization are that it reduces the hypervisor management overhead because the processor can isolate instructions natively, meaning it offers higher performance.
The downsides of full virtualization are that the processor needs to support it, and not even all modern processors do. Resource use is also higher because every virtual machine has its own emulated devices and its own operating system kernel.
Operating System (OS) assisted virtualization
Compared to full virtualization, OS assisted virtualization works at the operating system level (kernel). This means that all the virtual machines on the server share the same operating system kernel. Because multiple machines use the same kernel, it is common for the kernel to be customized for increased security and isolation so that it serves this purpose better. The kernel is responsible for managing resource usage and access. The guests usually run the same OS as the host, and they are aware that they are virtualized.
The benefits of OS assisted virtualization are low hypervisor overhead as there is only one kernel which is then used by all the guests. Using OS assisted virtualization allows one physical server to have hundreds of virtual servers on it.
The downsides are that it doesn’t support different types of operating systems and the security of one kernel impacts all of the guest operating systems as it is not true isolation. This is important to note if you are hosting company services on a virtual server.
Virtual machine storages
Virtual machine storages are just files, making them easy to copy, move, clone and transfer. Each location where data is stored is called a datastore. Virtual machine storages can be distributed between many physical hosts (decentralized storage) or clustered in regions (shared storage).
Decentralized storage is less redundant and relies heavily on the network for syncing. Shared storage often uses centralized pooled disks in the form of Storage Area Networks (SANs). It makes live migrations simple and quick. Many hypervisors using this method are diskless, meaning that they are remotely booted via shared storage (PXE boot).
Remote storage protocols:
- iSCSI (often used in SANs)
- Network File System (NFS)
- Fibre Channel (FC)
- Fibre Channel over Ethernet (FCoE)
Thick and thin virtual machine storages (VMs)
Thick VMs are pre-allocated when the virtual machine is created, even if not all of the space is used. This gives the storage higher performance than thin storage but wastes a lot of disk space. Migrating or cloning thick VMs also takes more time and is inefficient without compression.
Thin VMs only occupy the amount of data actually stored, up to a limit set by the user. Migrating and cloning thin VMs is easier as they use storage efficiently. They are somewhat slower than thick VMs. Thin VMs can overprovision the underlying storage if they are migrated to another host that does not have enough space for them to grow.
Virtual machine disk formats
There are three main VM disk formats that are commonly used. Below you can see a short introduction to all three disk formats.
The RAW format is easy to create and manipulate, but it is inefficient because storage and network performance are degraded.
QCOW2 can store snapshots of the virtual machine and is thin provisioned. It is efficient when cloning or transferring over a network. It is used by QEMU and KVM.
Virtual machine snapshots are like “pictures” of the current state of the machine. They allow the user to save the exact state and if something goes wrong, the user is able to return to the snapshot’s state. Snapshots are very useful when implementing new applications or trying configurations.
VMDK is a thin-provisioned open disk format created by VMware. It can also store virtual machine snapshots, and the disks can be split into parts. It is efficient when cloning or transferring over a network. It is used by VMware and Xen.
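The QCOW2 header mentioned above is small enough to decode by hand, which makes the thin-provisioning and snapshot properties discussed in this section visible in a concrete file. The following is an added example, not code from the original post or from QEMU: it parses the public QCOW2 header layout (as documented in QEMU's docs/interop/qcow2.txt), reports whether an image is thin, snapshotted, encrypted or an overlay on a backing file, and applies the overcommit check from the thick/thin section. The function names and the sample image bytes are constructed for this example.

```python
import struct

# QCOW2 fixed header, big-endian, per QEMU's docs/interop/qcow2.txt (added example, not from the post).
QCOW2_MAGIC = b"QFI\xfb"
_HEADER_V2 = struct.Struct(">4sIQIIQIIQQIIQ")  # 72 bytes: the complete version 2 header
_FIELDS = ("magic", "version", "backing_file_offset", "backing_file_size", "cluster_bits",
           "size", "crypt_method", "l1_size", "l1_table_offset", "refcount_table_offset",
           "refcount_table_clusters", "nb_snapshots", "snapshots_offset")
CRYPT_NAMES = {0: "none", 1: "aes", 2: "luks"}


def parse_qcow2_header(data: bytes) -> dict:
    """Decode the header and reject input that is not a sane QCOW2 image."""
    if len(data) < _HEADER_V2.size:
        raise ValueError("input shorter than a QCOW2 header")
    hdr = dict(zip(_FIELDS, _HEADER_V2.unpack_from(data, 0)))
    if hdr["magic"] != QCOW2_MAGIC:
        raise ValueError("bad magic: not a QCOW2 image")
    if hdr["version"] not in (2, 3):
        raise ValueError("unsupported QCOW2 version %d" % hdr["version"])
    if not 9 <= hdr["cluster_bits"] <= 21:  # spec allows 512 B .. 2 MiB clusters
        raise ValueError("cluster_bits out of range")
    hdr["cluster_size"] = 1 << hdr["cluster_bits"]
    hdr["crypt"] = CRYPT_NAMES.get(hdr["crypt_method"], "unknown")
    hdr["has_backing_file"] = hdr["backing_file_offset"] != 0  # image is an overlay on another file
    return hdr


def inspect_image(data: bytes) -> dict:
    """Summarize the properties the post discusses: thinness, snapshots, encryption."""
    hdr = parse_qcow2_header(data)
    return {
        "virtual_size": hdr["size"],
        "file_size": len(data),
        "thin_ratio": hdr["size"] / len(data),  # > 1 means thin provisioned
        "snapshots": hdr["nb_snapshots"],
        "encrypted": hdr["crypt"] != "none",
        "has_backing_file": hdr["has_backing_file"],
    }


def would_overcommit(images: list, host_free_bytes: int) -> bool:
    """True when the thin images fit on the host now but could not all grow to full size."""
    on_disk = sum(i["file_size"] for i in images)
    full = sum(i["virtual_size"] for i in images)
    return on_disk <= host_free_bytes < full


def build_sample_image() -> bytes:
    """Constructed v2 image: 1 GiB virtual disk, 64 KiB clusters, 2 snapshots, 5 clusters on disk."""
    cb = 16
    hdr = _HEADER_V2.pack(QCOW2_MAGIC, 2, 0, 0, cb, 1 << 30, 0, 2, 3 << cb, 1 << cb, 1, 2, 4 << cb)
    return hdr + b"\x00" * (5 * (1 << cb) - len(hdr))
```

On a real image, pass the file contents (or at least its first 72 bytes) to parse_qcow2_header; inspect_image needs the whole file length to compute the ratio.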
Virtual machine migrations
VM migration is the process of moving a virtual machine from one host server or storage location to another. Migrations are essential for data center administrators to facilitate fault tolerance and allow system maintenance.
Regular (cold) migrations
Regular migrations, also known as cold migrations, are migrations where the virtual machine is powered off and its data is then moved to another location. They do not require shared storage.
Live migration means that the virtual machine is not powered off when it is migrated. It is unnoticeable from the end user’s perspective and happens in milliseconds. Network connectivity can be interrupted for a few milliseconds as network resources adapt to the change. It is a great way of doing migrations.
Live migration needs centralized shared storage configured between the two nodes; otherwise it will not work. For example, using a centralized SAN allows the user to do a live migration. Vendors like VMware (vMotion), Citrix XenServer (XenMotion) and Microsoft Hyper-V (core feature) have implemented live VM migration.
Some vendors provide automated VM migration between nodes for real-time resource balancing. VMware’s Distributed Resource Scheduler (DRS) is an example of automated migration. Automating VM migrations helps to:
- Handle hardware failure
- Optimize power consumption
- Turn off hosts during low load periods
Hypervisor vendors
OpenVZ is OS assisted virtualization: one physical Linux host running the OpenVZ kernel manages a number of isolated OS instances called containers. It does not offer full virtualization and supports only Linux, which means that you can only run operating systems that use the Linux kernel. All the containers are logically isolated and have their own filesystems.
KVM stands for Kernel-based Virtual Machine and is open source software. It uses QEMU (open source virtualization software) to emulate machines with hardware virtualization support. It is capable of running Linux and Windows operating systems. It is supported by Linux kernels from 2.6.20 onwards.
VMware’s vSphere and ESXi are enterprise-level hypervisors. They provide full virtualization and hypervisor capabilities in a package that handles scheduling and isolation of hardware resources. The package is extremely small and is therefore called a microkernel. VMware offers software add-ons that provide more features, like migration and high availability (vMotion, vCenter).
Hyper-V is also an enterprise-level hypervisor, but it is provided by Microsoft. It is included in select versions of Windows Server 2008 and later. It supports full virtualization and allows you to run multiple full versions of Windows Server. It offers advanced features like live migration and high availability when machines are clustered together. It supports Windows and Linux operating systems.
Xen is an open source hypervisor. It has a minimal hypervisor and uses a virtual machine for hypervisor management (dom0). Xen supports full virtualization and paravirtualization (a modified guest OS that knows it is virtualized). It is capable of running Windows and Linux guests and it doesn’t require hardware virtualization support. It also has many enterprise-level features like high availability and live migration.
When not to virtualize
There are cases where virtualization is impossible or ineffective; here are a few examples of when it is not useful:
- Special hardware may be required for licensing purposes
- Applications may use MAC addresses as physical hardware identifiers for licensing reasons
- Applications highly dependent on graphics may not be virtualized effectively
- Vendors may not support applications installed in virtualized environments
- Virtualization overhead may be too great when scaled over an entire enterprise
Virtualization security
To achieve the best security possible, virtualized environments are multi-tiered. This follows the defense in depth principle. For the servers and the virtual machines on them to be secure in the first place, the data center where they are located must be physically secure. The platform has to be regularly patched and unused services must be turned off to reduce the attack surface. Users and groups must be locked down and their policies must follow the least privilege principle.
The use of an IDS/IPS (Intrusion Detection System/Intrusion Prevention System) is recommended. Firewall rules and VLANs that segregate and isolate traffic should be implemented properly. Logs should be audited regularly.