Thursday, 13 November 2014

Cloud Computing ( Public vs Private cloud)


Today I had a (friendly ;-)) conversation with my colleagues that turned into an argument about cloud computing. We were discussing (arguing about) the types of cloud services and their pros and cons, which led me to write this blog post.

Cloud computing is now a trend and a hot topic in every IT group. The reason is that cloud infrastructure can offer advantages over a traditional datacenter in performance, scalability and, in some respects, security. There are large differences between private, public and hybrid clouds for an enterprise. The deployment model is defined by who owns and operates the infrastructure and who is allowed to use it, not by the type of data stored; the sensitivity of the data you put in a cloud only decides which model you can justify. Sometimes these differences narrow, but each model gives you a different degree of security control and a different share of the management burden. One may be more flexible or scalable, another more affordable. Here we'll talk about private, public and hybrid cloud computing and their primary differences.

What is a public cloud?

A public cloud provides off-site computing services, or a set of services, that a business purchases and that are delivered over the Internet. The infrastructure is hosted, maintained and operated by a third-party provider on hardware shared between many customers (tenants), and it is the provider's job to keep those tenants isolated from one another. Web-based email such as Gmail, Yahoo Mail and Outlook.com ("access anywhere"), and file storage such as Dropbox and OneDrive, are the best-known examples. The data is stored in the provider's cloud and you can access it from anywhere, at any time, on any device.

What is a private cloud?

A private cloud is essentially an extension of an enterprise's traditional datacenter: it is designed for the specific needs of one organization and is hosted and maintained on a private network, either on premises or by a hosting provider dedicated to that organization. Companies that use a private cloud usually do so because they are subject to more regulation, and they take additional security measures to keep sensitive data under their own control. The financial and banking sectors mostly go with a private cloud.

What is a hybrid Cloud?

Hybrid cloud computing is a combination of public and private clouds. It is becoming more popular as public cloud users grow interested in the control and adaptive capabilities that a private cloud offers. It might involve multiple providers and usually brings some complexity, since it is a customized solution that joins two environments over a network link so that workloads can shift dynamically from one to the other. For some enterprises it is beneficial, and sometimes necessary, to place different data in different places: sensitive business development work in the private cloud, for example, and more public-facing production workloads in the public cloud.

Conclusion : 

Both public and private clouds have management implications. By choosing a public cloud, an organization offloads much of the management responsibility to its cloud vendor. In a private cloud there is a significant demand on resources to specify, host, purchase, update, maintain and secure the physical datacenter and its components. Financially, deploying a private cloud also creates a large initial capital expense, with further investment required as new equipment and capacity are added.

The capital expense is largely eliminated in the public cloud scenario. The financial burden shifts to a fee for service, usually based on utilization and data volume. Maintaining and securing the public cloud infrastructure itself (the facilities, hardware, hypervisors and the provider's own control plane) is the vendor's responsibility, which lets the customer streamline IT operations and minimize the time and money spent on system upkeep. The customer does not get to offload everything, though: the data it stores, the accounts and credentials it creates, the permissions it grants and the configuration of the services it consumes remain the customer's responsibility in every public cloud, and that split has to be understood before the vendor's security is counted as your own.

Wednesday, 12 November 2014

vVOLS (Virtual Volumes)


# Jagadeesh Devaraj

I believe it's a hot and trending topic on the internet right now. By now you have probably heard a lot about vVols at VMworld 2014 or through various forums, and the reason it matters is end-to-end management of the infrastructure. vVols takes care of the infrastructure end to end, from compute to storage, at the level of the virtual machine (VM) and its VMDK (virtual disk). Virtualization made VMs and virtual disks the unit of management at the compute layer; VMware® Virtual Volumes is meant to bridge the gap by extending that paradigm to storage, specifically on VMware vSphere® deployments.

What is vVols?

vVols is a provisioning feature of vSphere 6 that changes how virtual machines (VMs) are stored and managed. (Information source:

vVols relies on VASA, an out-of-band control protocol between vSphere and the storage array. It lets vSphere associate VMs and their virtual disks with storage objects on the array, and lets vSphere offload storage management functions, such as provisioning a VM's disks, to the array itself. This offloading gives virtualization administrators the performance and scalability of the array through the VMware tools they already use: the administrator states requirements in a storage policy, and the VM is then automatically placed on storage that advertises capabilities matching that policy.

Another advantage of vVols is the ability to snapshot a single VM instead of taking the traditional snapshot of an entire LUN that may house several VMs. This avoids wasted space on the datastore and reduces administrative overhead.

Note: to use vVols, the storage array has to support the vStorage APIs for Storage Awareness (VASA). VMware first showed vVols at VMworld 2011 in a technical preview session.

VM granular data management:

If you have dealt with VMware datastores, either VMFS or NFS, for any length of time you have run into the granularity problem: you have several hundred virtual machines on a datastore, and you need to recover the one that somebody trashed. If you are using array-based snapshots or replication it is much easier to restore the entire volume than it is to restore a single VMDK.

vVols solves this problem by making each VMDK an addressable object on the storage array. That means that with vVols on VNX you can take array snapshots of individual VMDKs and restore them on a case-by-case basis.


Another design point of vVols is scalability. vVols are designed to scale from thousands of objects up to millions, depending on the capabilities of the underlying storage array. This means that whether you are deploying desktops with a single VMDK per VM or email servers with multiple VMDKs, each snapshotted every hour, you can deploy at the proper scale.

vVols on VNX will scale across the product family, from low-end arrays suitable for hosting hundreds or thousands of VMs to enterprise-class arrays supporting orders of magnitude more.

Policy Based Management

If you are going to manage that many vVols, you need a system. Nobody wants to manage thousands of VMs individually, so vVols (technically VASA 2.0) includes support for Storage Policy Based Management (SPBM). This allows you to specify policies, such as Gold, Silver and Bronze (or Engineering, Sales and Finance), for classes of service. A policy can specify attributes like performance, backup schedule, thin vs. thick provisioning, and so on. Once a policy exists, you can order up a dozen new Engineering desktops, for instance, and vCenter will do the work of finding storage that advertises the required capabilities. Need to upgrade some virtual servers from Bronze to Silver? No problem: just change the profile, and vCenter (with a little help from the storage array) will make it happen, migrating the VM's objects if the storage they sit on no longer satisfies the new policy.
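The matching vCenter performs in that paragraph is, at its core, a rule check of a policy against the capability set each storage container advertises through VASA. The following Python is an added illustration written for this post, not VMware's or EMC's code: the datastore names, capability keys and Gold/Silver/Bronze rules are all made up, and it ignores real SPBM details such as capability namespaces and vendor-specific schemas. It shows the two operations the text describes, initial placement and a policy change on an already-placed VM, and it treats an unadvertised capability as a failed rule rather than guessing.

```python
import operator

# Constructed example: capability sets as a VASA provider might advertise
# them for three storage containers. Names and capability keys are invented.
DATASTORES = {
    "vnx-pool-nlsas": {"media": "nl-sas", "array_snapshots": False,
                       "replication": False, "max_latency_ms": 20, "free_gb": 4000},
    "vnx-pool-sas":   {"media": "sas", "array_snapshots": True,
                       "replication": False, "max_latency_ms": 8, "free_gb": 1500},
    "vnx-pool-ssd":   {"media": "ssd", "array_snapshots": True,
                       "replication": True, "max_latency_ms": 2, "free_gb": 600},
}

# A policy is a list of (capability, operator, required value) rules.
POLICIES = {
    "bronze": [("max_latency_ms", "<=", 20)],
    "silver": [("max_latency_ms", "<=", 10), ("array_snapshots", "==", True)],
    "gold":   [("media", "in", ("ssd",)), ("array_snapshots", "==", True),
               ("replication", "==", True), ("max_latency_ms", "<=", 3)],
}

OPS = {"==": operator.eq, "<=": operator.le, ">=": operator.ge,
       "in": lambda have, allowed: have in allowed}


def violations(rules, caps):
    """Return the rules that `caps` fails. A capability the array does not
    advertise counts as a failure: compliance is proven, never assumed."""
    return [(cap, op, want) for cap, op, want in rules
            if cap not in caps or not OPS[op](caps[cap], want)]


def place(policy, size_gb, datastores=DATASTORES, policies=POLICIES):
    """Pick the compliant datastore with the most free space, or None."""
    fits = [(caps["free_gb"], name) for name, caps in datastores.items()
            if not violations(policies[policy], caps) and caps["free_gb"] >= size_gb]
    return max(fits)[1] if fits else None


def repolicy(current, new_policy, size_gb, datastores=DATASTORES, policies=POLICIES):
    """Change a VM's policy: stay put if the current datastore still complies,
    otherwise find a compliant target (None means the change cannot be honoured)."""
    if not violations(policies[new_policy], datastores[current]):
        return current
    return place(new_policy, size_gb, datastores, policies)


if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:>6} VM of 100 GB -> {place(name, 100)}")
    print("bronze VM on vnx-pool-nlsas upgraded to silver ->",
          repolicy("vnx-pool-nlsas", "silver", 100))
```

With these made-up capabilities a Bronze VM lands on the pool with the most free space, a Silver VM on the SAS pool (the NL-SAS pool fails both Silver rules), a Gold VM on the SSD pool, and a 1 TB Gold VM cannot be placed at all because the only compliant pool is too small.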

vVols on VNX will allow storage administrators to expose the value-added features of VNX storage to vCenter, including FAST Cache, multi-tiered pools, Virtual Provisioning, VNX Snapshots and much more.

You can explore these features soon in the GA version, which is due early next year.

Excited about vVols? Stay tuned for more updates.

Saturday, 8 November 2014

Virtual Processor Scheduling – How VMware and Microsoft Hypervisors Work at the CPU Level

Have you ever wondered how virtual machines get access to the physical processor cores in the server? Ever wondered why one or two VMs run slowly, sporadically? The topic today is virtual processor scheduling. There are no good books to read on this subject; trust me, I've looked. Maybe in 10 years, as a look back at the history of virtual computing, but not today. So let's try to shed some light on the subject in today's article in our VMware or Microsoft? – The Complete Series.

First things first. It is fairly simple to schedule against physical processors when the virtual machines each have a single virtual processor and there are plenty of physical cores to go around. We (VMware and Microsoft) can send the workload to the first physical core that is available; easy. There are algorithms for figuring out the best processor core to send the workload to, but I will not go into advanced crazy algorithm mathematics today.

Now the trick/challenge/opportunity/problem (hey, whatever you want to call it) really comes into play when you have multiple virtual CPUs inside the virtual machine. The original architecture of operating systems made a perfectly good assumption that basically says "OK, I see 4 CPUs, I own all 4, period. I mean, who else is close by to use them? No one. I'm lonely, but all powerful." Isn't that nearly always the case? Take Lord Voldemort for example: sure he had resources, but no one really wanted to be near him. <voice from overhead> Virtual processing is the subject, Tommy. </voice from overhead> Oh right, sorry folks, continue on.

So when VMware re-introduced virtualization into the market, handling a single CPU wasn't a big issue. However, bigger workloads call for more processors, and therefore, in order to scale, a new way to schedule CPU cycles against any given processor core was necessary. This is where gang scheduling comes into play. VMware, drawing on methods from older Unix technology, uses a gang scheduler approach. What this means in basic terms is this: when a multi-vCPU machine requires processor time, all of its vCPUs are "ganged" together and scheduled to perform work against the physical cores at the same time. This is done to streamline the process and keep the vCPUs synchronized, so that the guest OS never sees one of its CPUs stall (holding a spinlock, say) while the others move on. In other words, just as we don't like packets arriving out of order on a load-balanced network, the same stance is taken in the VMware CPU scheduling process.

Hyper-V does things a bit differently.  Virtual processors ask for time on the physical cores and Hyper-V performs ultrafast calculations to determine which core is ready and available.  There is no need to group the processor calls together since the guest OSes no longer require this type of synchronicity.  In order to appreciate this simpler method of scheduling we need to evaluate how things are done elsewhere.

Microsoft decided to address the challenge/opportunity/problem more directly inside the guest operating system. Basically, the guest operating system should understand that it is residing inside a virtual machine, and therefore the Windows kernel team redesigned the Server OS to schedule processes independently rather than all at the same time. The requirement to have processor calls running in lock step with one another no longer exists starting with Server 2008. In other words, all of the gang scheduling work on VMware's part is largely unnecessary when dealing with these latest operating systems. Hyper-V understands that the CPU calls are coming independently, so oversubscription of the CPU cores is not as big of a deal until all of the processors are simply topped out, which would be the case for either hypervisor. The Hyper-V method has much less overhead than previous versions of the hypervisor as well as competing hypervisors.


If you worked with me on a VMware implementation in the past 5 years you will most likely remember that I stressed the importance of setting up the guest operating systems with the smallest number of virtual processors possible. So many administrators will listen to the software vendor or champion about the requirements for the virtual machine and allocate multiple virtual CPUs even when the workload is a consistent 10% trickle for weeks and weeks and years. If you continue to run on VMware, you still need to heed my words here. However, in a Hyper-V environment this is much less of an issue; in fact you may never see a performance hit at all when multiple CPUs are assigned in each guest.


If you are a VMware administrator then you probably have some knowledge of troubleshooting CPU performance; for those new to the ball game, these are the metrics to get familiar with: CPU Ready, Co-stop, Wait and Wait Idle. At the very minimum, get to know CPU Ready and Co-stop. CPU Ready is the amount of time a vCPU spends in the ready-to-run state, waiting in the queue before it can be scheduled onto a physical core. Co-stop is the time a vCPU of a multi-vCPU VM is deliberately held stopped by the co-scheduler because its sibling vCPUs have fallen behind; it is only ever non-zero for VMs with more than one vCPU, and it climbs alongside CPU Ready as contention rises. So basically, you want low values on both of these metrics if you care at all about performance.

OK, so here is where gang scheduling has yet to be perfected. Ask anyone who knows the deep details of gang scheduling and they will tell you that no one has come up with a near-perfect method for maintaining high performance. Consider this scenario: you have a virtual machine with four vCPUs and this machine starts hammering away on some sort of database processing. The 1st vCPU of virtual machine #04 is impacted by other virtual machines on the same host, contention for the core occurs, and therefore CPU Ready and then Co-stop numbers begin to climb.

So guess what: because vCPU #01 is having a tough time, the scheduler will slow down the other vCPUs in the gang in order to maintain the appearance of synchronicity inside the guest OS. Bottom line, slower processing ensues.

VMware has been touting the term Relaxed Co-scheduling for a few years. What does this mean in a nutshell? Straight from the VMware whitepaper: "With relaxed co-scheduling, ESXi achieves high CPU utilization by flexibly scheduling the vCPUs of multiprocessor virtual machines in a consolidated environment. To achieve the best performance for a given situation, ESXi tries to schedule as many sibling vCPUs together as possible. If there are enough available pCPUs, relaxed co-scheduling performs as well as strict co-scheduling." A couple of things to point out here: there are some major assumptive words in there. "If" and "tries" jump right out at me.
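To see how strict gang scheduling, fully independent scheduling and relaxed co-scheduling classify the same contention differently, here is a toy discrete-time scheduler simulation added for this post. It is not VMware's, Microsoft's or the article author's code, and it simplifies heavily: each vCPU is pinned to one pCPU (the real schedulers migrate vCPUs), every vCPU is CPU-bound, and "relaxed" is modelled as a fixed skew limit between siblings. The scenario is the one in the text: a 4-vCPU VM whose first vCPU shares a core with three busy single-vCPU VMs.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(eq=False)
class VCPU:
    vm: str
    idx: int
    run: int = 0     # slices in which this vCPU actually executed
    ready: int = 0   # slices runnable but not scheduled (esxtop %RDY)
    costop: int = 0  # slices held back to limit sibling skew (esxtop %CSTP)


def simulate(placement, slices, mode, skew_limit=2):
    """Toy scheduler. placement: one list per pCPU of (vm, vcpu_index) pinned
    to that pCPU; each pCPU round-robins its own queue. mode is
    'strict'      gang scheduling: a VM runs only when every sibling can run
                  in the same slice;
    'independent' no sibling coordination (the Hyper-V style in the article);
    'relaxed'     a sibling may lead the slowest one by at most skew_limit
                  slices before it is co-stopped (the ESXi style).
    """
    queues = [deque(VCPU(vm, i) for vm, i in pinned) for pinned in placement]
    home, gangs = {}, {}
    for p, q in enumerate(queues):
        for v in q:
            home[v] = p
            gangs.setdefault(v.vm, []).append(v)

    for _ in range(slices):
        held = set()
        if mode == "relaxed":
            for gang in gangs.values():
                slowest = min(v.run for v in gang)
                held.update(v for v in gang if v.run - slowest >= skew_limit)

        # Decide every pCPU's pick against the current queue heads first ...
        picks = []
        for q in queues:
            pick = None
            for v in q:
                gang = gangs[v.vm]
                if v in held:
                    continue
                if mode == "strict" and len(gang) > 1 and any(
                        queues[home[s]][0] is not s for s in gang):
                    continue  # a sibling is not at the head of its pCPU queue
                pick = v
                break
            picks.append(pick)

        # ... then account for the slice and rotate each pick to the back.
        for q, pick in zip(queues, picks):
            for v in q:
                if v is pick:
                    v.run += 1
                elif v in held:
                    v.costop += 1
                else:
                    v.ready += 1
            if pick is not None:
                q.remove(pick)
                q.append(pick)

    return summarize(gangs)


def summarize(gangs):
    """Per-VM totals plus the gap between its fastest and slowest vCPU."""
    out = {}
    for vm, gang in gangs.items():
        runs = [v.run for v in gang]
        out[vm] = {"run": sum(runs),
                   "ready": sum(v.ready for v in gang),
                   "costop": sum(v.costop for v in gang),
                   "skew": max(runs) - min(runs)}
    return out


# Constructed scenario: four pCPUs. vm04 has four vCPUs; its vCPU 0 shares
# pCPU 0 with three busy single-vCPU VMs, the other three have a core each.
PLACEMENT = [
    [("vm01", 0), ("vm02", 0), ("vm03", 0), ("vm04", 0)],
    [("vm04", 1)],
    [("vm04", 2)],
    [("vm04", 3)],
]

if __name__ == "__main__":
    for mode in ("strict", "independent", "relaxed"):
        print(f"{mode:>11}: vm04 {simulate(PLACEMENT, 12, mode)['vm04']}")
```

Over 12 slices the strict gang runs vm04 only when vCPU 0 wins its contended core, so the VM gets 12 vCPU-slices of work and 36 of Ready time while three cores sit idle. Independent scheduling gets 39 vCPU-slices but leaves vCPU 0 nine slices behind its siblings, the kind of skew a guest kernel that assumes it owns all four CPUs copes with badly. Relaxed co-scheduling with a skew limit of 2 gets 15 vCPU-slices, keeps the skew at 1, and books the 24 slices it held the leading siblings as Co-stop rather than Ready, which is why Co-stop is the metric that tells you a wide VM is paying for one contended core.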

So you might say, well, what about Linux workloads? Since Microsoft doesn't own that operating system, how does Hyper-V freely schedule Linux workloads across multiple processors? Lucky for Microsoft, more recent versions of the Linux kernel allow out-of-step processing to occur. Possibly this comes from the open-source development of Xen Server, though I haven't done extensive research into the history of Linux processor scheduling, so some of these assertions are assumptions on my part. My guess is that when the Linux developers took a look at virtualization as they were trying to tackle it, they too found that ineffective gang scheduling was not the right way to go for now, as they had already seen the roadblocks this presented via VMware and old-style Unix virtualization technology. So in short, they tuned the Linux OS kernel to handle independent workloads and therefore created a hypervisor with this in mind.

Who knows, maybe at a VMworld in the future we will hear about an all-new, perfect gang scheduler approach, either built in-house or, most likely, through an acquisition. For now, we work with what we have, and continue to re-configure and tweak those types of environments as often as it takes to keep performance in line.

At the bare minimum, I hope this article sheds some light on the differences between CPU scheduling mechanisms with ESX and Hyper-V.  

For more on our series check out the main schedule of subjects here:

Reference courtesy: Virtually Cloud, Tommy &
The CPU Scheduler in VMware vSphere 5.1:

Cloud computing architecture


What is the use of defining cloud architecture?

Cloud architecture is the design of a software system that uses on-demand services and draws on a pool of resources from the cloud. It acts as the platform on which applications are built: it provides the complete computing infrastructure, allocates resources only when they are required, and scales them up or down elastically according to the job being performed.

How does cloud architecture overcome the difficulties faced by traditional architecture?

Cloud architecture provides a large pool of dynamic resources that can be accessed at any time, whenever there is a requirement, which the traditional architecture does not offer. In a traditional architecture it is not possible to dynamically add a machine as the demand for infrastructure and services rises. Cloud architecture is scalable, so it can meet high demand for infrastructure and provide on-demand access to the user.

What are the three differences that separate out cloud architecture from the tradition one?

The three differences that make cloud architecture in demand are:
1. Cloud architecture provides hardware according to demand, and runs processes only when there is a requirement for them.
2. Cloud architecture can scale resources on demand: as demand rises, it provides more infrastructure and services to the users.
3. Cloud architecture can manage dynamic workloads without failure: it recovers from a machine failure and keeps the load on any particular machine to a minimum.

What are the advantages of cloud architecture?

Cloud architecture uses simple APIs to provide easily accessible services to the user over the Internet.
It provides scale on demand to increase industrial strength.
It provides transparency between the machines, so that users don't have to worry about where their data lives. Users can just perform their tasks without knowing the complex logic implemented in the cloud architecture.
It provides the highest optimization and utilization of the cloud platform.

What is the business benefits involved in cloud architecture?

1. Zero infrastructure investment:
Cloud architecture lets the user build a large-scale system complete with hardware, machines, routers, backup and other components without buying them. So it reduces the startup cost of the business.

2. Just-in-time infrastructure: it is very important to scale the infrastructure as demand rises. This is done by adopting cloud architecture and developing the application in the cloud with dynamic capacity management.

3. More efficient resource utilization: cloud architecture lets users use their hardware and resources more efficiently. This only works when applications request resources and relinquish them when they are no longer needed (on demand).

Introduction to Cloud Computing


What is Hypervisor in Cloud Computing and its types?

A hypervisor is a virtual machine monitor (VMM) that manages resources for virtual machines. The name was chosen because it supervises the guests' own supervisors, the guest operating system kernels. There are two main types of hypervisor:

• Type-1 (bare metal): the hypervisor runs directly on the host hardware and the guest VMs run on it, e.g. Xen, Hyper-V, VMware ESXi.

• Type-2 (hosted): the hypervisor runs as a process on a host OS and the guest VMs run through it, e.g. Oracle VirtualBox. KVM is usually listed here because it needs a Linux host, but it is a kernel module that turns the Linux kernel itself into the hypervisor, so it is often classed as Type-1 as well.

Are Type-1 Hypervisors better in performance than Type-2 Hypervisors and Why?

Yes, Type-1 hypervisors perform better than Type-2 hypervisors because they do not run through a host OS; they take all resources directly from the host hardware. In cloud implementations Type-1 hypervisors are used rather than Type-2 because cloud servers need to run many OS images, and if those images run on top of a host OS, as in the Type-2 case, resources are wasted on the host OS itself and its scheduling.

What are the characteristics on which a Cloud Computing Model should be selected for implementing and managing workload?

The characteristics to weigh are scalability and elasticity. Scalability means an increasing workload can be handled by increasing resource capacity in proportion, so the architecture can provide resources on demand as traffic rises. Elasticity means large amounts of capacity can be commissioned and decommissioned dynamically, and it is measured by how quickly resources become available on demand and how well they are used. A steady, predictable workload mainly needs scalability; one with sharp, short peaks mainly needs elasticity.

What do you understand by CaaS?

CaaS is a term from the telecom industry meaning Communication as a Service. Voice over IP (VoIP) follows the same delivery model. CaaS can offer the enterprise user features such as desktop call control, presence, unified messaging and desktop faxing. In addition to the enterprise features, CaaS has a set of services for contact-center automation that includes IVR, ACD, call recording, multimedia routing (e-mail and text chat) and screen-pop integration.

What is the minimal requirement to implement an IAAS Cloud?

The minimal requirements are basically three things:

• An OS that supports a hypervisor, or a hypervisor itself
- preferably open-source software such as Linux with the Xen hypervisor

• A networking topology and its implementation
- a public network, or a private network with a Layer 3 switch

• Selection of the cloud model according to the requirement or business:
- SaaS, Software as a Service
- PaaS, Platform as a Service
- CaaS, Communication as a Service

How is the Cloud Computing different from primitive Client-Server Architecture?

The primitive client-server architecture is a one-to-one communication between two physical machines, the client and the server (datacenter). In cloud computing the client side is similar but the server side differs: it contains a main cloud controller that forwards requests to worker machines known as nodes. These nodes are grid-computing machines that dedicate all their resources to processing the application and are maintained in clusters. So a cloud computing infrastructure is quite complicated on the server side, which processes all the requests from clients and sends the results back.

Why should one prefer public cloud over private cloud?

Cloud technology is a good example of sustainable technology that makes full use of the available computing resources. If a person needs to set up a business quickly and wants to host a website, he does not need to set up a full-fledged private cloud. Rather, he should go for public cloud hosting, which offers pay-per-use subscriptions that can be far more economical. There are a number of vendors that provide such services.

Is it cost effective to implement a private cloud rather than a public cloud and why?

It depends on the type of business that demands the cloud setup. Public clouds follow a utility billing model, like an electricity bill. Suppose the subscription for running an application's OS images on a public cloud turns out to cost more than buying new datacenter equipment and maintaining it; then a private cloud should be set up instead of using the public cloud.

Does network topology play an important role in deciding the success of a Cloud Infrastructure?

The network topology plays a vital role in selecting a cloud model and in the success of that model: it decides how tenants and application tiers are segmented from one another, where latency is added, and how the traffic between the private and public parts of a hybrid cloud is carried and protected.


Is Cloud Computing an application?

Cloud computing is not an application but a methodology for deploying applications on servers in a customizable way. It can also be seen as an advanced model of client-server architecture that is highly flexible, scalable and configurable. This architecture gets high performance out of machines with quite an ease of management.

Cloud Computing interview questions and answers ( Career Ride)


How does cloud computing provides on-demand functionality?

"The cloud" is a metaphor for the Internet. Cloud computing provides on-demand access to virtualized IT resources that are shared with others or subscribed to by you. It is an easy way to obtain configurable resources from a shared pool that consists of networks, servers, storage, applications and services.

What is the difference between scalability and elasticity?

Scalability is the characteristic of cloud computing through which an increasing workload can be handled by increasing the amount of resource capacity in proportion; it allows the architecture to provide resources on demand when traffic raises the requirement. Elasticity, by contrast, is the characteristic of commissioning and decommissioning large amounts of resource capacity dynamically; it is measured by the speed at which resources become available on demand and by how efficiently they are then used.

What are the different layers of cloud computing?

Cloud computing consists of 3 layers in the hierarchy, as follows:

1. Infrastructure as a Service (IaaS) provides cloud infrastructure in terms of hardware: memory, processor capacity, storage and so on.
2. Platform as a Service (PaaS) provides a cloud application platform for developers.
3. Software as a Service (SaaS) provides cloud applications that the user uses directly without installing anything on the local system. The application remains in the cloud and the user's work is saved and edited there.

What resources are provided by infrastructure as a service?

Infrastructure as a Service provides the physical and virtual resources used to build a cloud. This layer deals with the complexities of deploying and maintaining the services it provides. The infrastructure here is the servers, storage, network and other hardware systems.

How important is platform as a service?

Platform as a Service is an important layer in cloud architecture. It is built on the infrastructure layer, which provides resources such as compute, storage and network. This layer organizes and operates the resources provided by the layer below. It is also responsible for virtualizing the infrastructure layer completely, so that it looks like a single server and the individual machines stay hidden from the outside world.

What does software as a service provide?

Software as a Service is another layer of cloud computing, which provides cloud applications, as Google does with Google Docs, where the user creates documents and saves them in the cloud. It lets applications be used on the fly without adding or installing any extra software component. It provides built-in software to create a wide variety of applications and documents and to share them with other people online.

What are the different deployment models?

Cloud computing supports many deployment models and they are as follows:

Private Cloud
Organizations choose to build their own private cloud to keep strategic, operational and other matters to themselves, and they feel more secure doing so. It is a complete, fully functional platform that can be owned, operated and restricted to a single organization or industry. Many organizations have moved to private clouds because of security concerns. A virtual private cloud, operated by a hosting company on the customer's behalf, is also used.

Public Cloud
These are platforms that are public, meaning open to anyone for use and deployment, for example Google and Amazon. They focus on a few layers: cloud applications, infrastructure provisioning and platform marketplaces.

Hybrid Clouds
This is the combination of public and private clouds. It is the most robust approach to implementing a cloud architecture, as it includes the functionality and features of both worlds. It allows organizations to run their own cloud while handing part of the control over to someone else as well.

What are the different datacenters deployed for this?

Cloud computing is made up of various datacenters put together in a grid. It involves different kinds of datacenter:

Containerized (modular) datacenters
These are prefabricated, self-contained units that bundle servers, networking, power and cooling and allow a high level of customization of the servers, mainframes and other resources inside them. They still require site planning for power, cooling and network connectivity before they can be used.

Low-density datacenters
These datacenters are optimized for high performance. Equipment is spread out, so the space constraint is relaxed and each rack is easier to cool; packing servers more densely instead brings heat problems with it. These datacenters are very well suited to building cloud infrastructure.

What is the use of API’s in cloud services?

API stands for Application Programming Interface. APIs are very useful on cloud platforms because they make the platform easy to drive from a program, removing the need to write full-fledged programs for every task. An API provides the instructions by which one application communicates with another. It makes creating applications easy and lets the cloud services be linked with other systems.

What are the different modes of software as a service?

Software as a Service provides a cloud application platform on which users create work with the tools provided. The modes of software as a service are:
1. Simple multi-tenancy: each tenant gets its own dedicated resources, separate from every other tenant. It is an inefficient mode, because the tenant has to spend more time and money adding infrastructure whenever demand rises quickly.
2. Fine-grained multi-tenancy: the functionality is the same, but the resources (application instances, databases, compute) are shared by many tenants. It is more efficient because only the resources are shared, not the data and permissions inside the application, and it is up to the application to enforce that separation on every request.

What is the security aspects provided with cloud?

Security is one of the major aspects of any application or service used by the user, and companies remain much more concerned with the security provided by the cloud. There are several levels of security that have to be provided within a cloud environment:
• Identity management: establishes who the users, services and hardware components are, so that every request can be attributed to a known identity.
• Access control: permissions granted to an identity decide which applications, data and resources it may reach; in a multi-tenant cloud this is also what keeps one tenant's users out of another tenant's data.
• Authentication and authorization: authentication proves that a request really comes from the identity it claims, and authorization checks that this identity is permitted to access or change the application and data in question; only requests that pass both should be served.

What is the difference between traditional datacenters and cloud?

Cloud computing still uses datacenters, and a cloud datacenter builds on the traditional one, so the differences are as follows:
• The cost of a traditional datacenter is higher, because of cooling and other hardware and software issues that the organization has to handle itself; this is not the case with a cloud computing infrastructure.
• The cloud scales as demand increases. In a traditional datacenter most of the cost is spent on maintenance, whereas a cloud platform requires minimal maintenance from the customer and less expert hands to run it.

What are the three cost factors involved in a cloud data center?

A cloud data center does not require experts to operate it day to day, but it does need skilled people for maintenance, for managing workloads and for keeping track of traffic. Labor is about 6% of the total cost of operating a cloud data center. Power distribution and cooling account for about 20%. Computing (servers, storage and their installation) is the largest factor and takes the remaining share, since that is where most of the resources and installation effort go.

How are cloud services measured?

Cloud computing provides services on which organizations can install and run their applications. Virtualization is used to deploy the cloud computing models, since it provides an abstraction layer between the user and the physical hardware. Cloud services are measured in terms of use: pay for as much as you use, billed by the hour, month or year. Users pay only for what they consume, and the charges rise and fall with demand.

What are the optimizing strategies used in cloud?

To optimize cost and other resources there is the three-datacenter concept: data is kept in three datacenters so that a backup is always available for disaster recovery and all data stays intact when any one site fails. System management can be made more efficient by carrying out pre-emptive tasks on the running services and processes rather than reacting to failures. Security can be tightened by allowing only a limited set of users to access the services.

What are different data types used in cloud computing?

Cloud computing now has to handle a wide range of data types: emails, contracts, images, blog posts, video and so on. The volume of data grows day by day, and cloud platforms need new, efficient storage formats to hold it; storing video, for example, needs a storage type suited to large streaming objects. Latency requirements tighten as demand grows, and companies are demanding lower latency for many applications.

What are the security laws which take care of the data in the cloud?

The control categories that are implemented to secure data in the cloud are as follows:
Input validation: controls the data being entered into any system, rejecting anything malformed before it is processed.
Processing: controls that data is processed correctly and completely within an application.
File: controls how data is manipulated in any type of file.
Output reconciliation: controls that the data coming out can be reconciled with the data that went in, so nothing was lost or altered in between.
Backup and recovery: controls the backup process, including logging of security breaches and of any problems that occurred while the backup was being created.

How to secure your data for transport in cloud?

Cloud computing offers an organization very useful and easy-to-use features, but at the same time it raises the question of how secure data is while it is transported from one place to another in the cloud. To make sure data stays secure while it moves from point A to point B, encrypt it in transit with a key known only to the two endpoints, authenticate the ciphertext so that tampering is detected, and verify that the key itself cannot leak along with the data you are sending.

What do you understand from VPN?

VPN stands for virtual private network: an encrypted tunnel that protects data while it is transported across the cloud environment. A VPN lets an organization treat a public network as if it were its own private network and use it to transfer files and other resources between sites.

What does a VPN consist of?

A VPN consists of two important components:
1. Firewall: it acts as a barrier between the public network and the private network. It filters the traffic exchanged between the two networks and blocks malicious activity directed at the private network.
2. Encryption: it protects sensitive data from attackers and eavesdroppers who are actively trying to capture it. Every message is protected with a key, and only a receiver holding the matching key can recover the message and verify that it was not altered in transit.
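Added example, not part of the original post, showing the encryption half of this (and the "secure from point A to point B" requirement above) in Go with only the standard library: AES-256-GCM authenticates as well as encrypts, so a message altered in transit is rejected outright instead of being decrypted into garbage. The shared secret, header and message are constructed sample values; in a real VPN the key would come from a key exchange, not from a hard-coded string.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Seal encrypts and authenticates plaintext under key with AES-256-GCM.
// A fresh random 12-byte nonce is prepended to the output. The associated
// data (aad) is authenticated but not encrypted: a routing header, say.
func Seal(key, aad, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open verifies the authentication tag and then decrypts. Any change to the
// ciphertext, nonce or aad makes it fail before a single byte is returned.
func Open(key, aad, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// DeriveKey turns a shared secret into a fixed-size AES-256 key. The secret
// here is a constructed sample; a real tunnel negotiates it per session.
func DeriveKey(secret []byte) []byte {
	sum := sha256.Sum256(secret)
	return sum[:]
}

// RoundTrip models point A sending msg to point B over the public network.
// It reports whether B recovered the exact plaintext and whether a copy
// with one ciphertext bit flipped in transit was rejected.
func RoundTrip(secret, header, msg []byte) (ok bool, tamperDetected bool, err error) {
	key := DeriveKey(secret)
	sealed, err := Seal(key, header, msg)
	if err != nil {
		return false, false, err
	}
	got, err := Open(key, header, sealed)
	if err != nil {
		return false, false, err
	}
	ok = bytes.Equal(got, msg)
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01 // corrupt the last tag byte
	_, err = Open(key, header, tampered)
	tamperDetected = err != nil
	return ok, tamperDetected, nil
}

func main() {
	secret := []byte("constructed-shared-secret")
	header := []byte("from=siteA;to=siteB")
	ok, tamper, err := RoundTrip(secret, header, []byte("payroll export 2014-11"))
	fmt.Println(ok, tamper, err) // true true <nil>
}
```

Binding the header as associated data means a message captured on one tunnel cannot be replayed on another with different endpoints: the tag check fails as soon as the header differs.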

Name a few platforms which are used for large scale cloud computing

There are many platforms available for cloud computing, but the ones used to model large-scale distributed computing are as follows:
1. MapReduce: a programming model and framework developed by Google to support distributed computing over large data sets. A map step spreads the work across many machines in a cluster and a reduce step combines their partial results. It can deal with both structured and unstructured data.
2. Apache Hadoop: an open source distributed computing platform, written in Java, that implements MapReduce on top of the Hadoop Distributed File System (HDFS). HDFS pools the disks of the machines in the cluster and splits files into blocks, intermediate keys are hash-partitioned so that equal keys land on the same reducer, and several copies of each block are kept on different nodes so that data survives the failure of a node.

What are some examples of large cloud providers and their databases?

Cloud computing has many providers operating at large scale. Some providers and their databases are as follows:
• Google Bigtable: a distributed storage system in which a very large table is split into row ranges (tablets) spread across many machines. MapReduce jobs are used to generate and modify the data.
• Amazon SimpleDB: a web service for indexing and querying data. It allows storing, processing and querying data sets within the cloud platform, and it indexes the data automatically.
• Cloud-based SQL (SQL Azure): introduced by Microsoft and based on SQL Server. It provides data storage in the cloud using the relational model, and the data is accessed from client applications.

What are some open source cloud computing platform databases?

Several databases have been developed to support cloud computing platforms. The open source ones include:
1. MongoDB: an open source, schema-free, document-oriented database written in C++. It stores documents in collections rather than in fixed tables and scales to large amounts of storage.
2. CouchDB: an open source document database from the Apache Software Foundation, accessed over HTTP with JSON documents and designed to store data reliably and replicate it between nodes.
3. LucidDB: a database written in Java and C++ for data warehousing. It provides the features and functionality needed to maintain a data warehouse.

What essential things a user should know before going for cloud computing platform?

A user should know some parameters by which to evaluate cloud computing services. The parameters are as follows:
1. Data integrity: the user should know how the provider ensures that stored data remains accurate, complete and consistent.
2. Compliance: the user should make sure that the applicable rules and regulations are followed while implementing the infrastructure.
3. Loss of data: the user should know what provisions exist in case of data loss, so that backup and recovery are possible.
4. Business continuity plans: the user should consider whether the cloud service will provide uninterrupted access to data and resources.
5. Uptime: the user should know what uptime the cloud platform guarantees and whether that is adequate for the business.
6. Data storage costs: the user should find out the costs to be paid before committing to cloud computing.

What are system integrators?

Systems integrators are an important part of a cloud computing project. They supply the strategy for the complicated process of designing a cloud platform, including a well-defined architecture that identifies the resources and characteristics the cloud must include. Integrators plan the user's cloud strategy and its implementation. They have knowledge of datacenter design, which allows more accurate private and hybrid cloud creation.

What is the requirement of virtualization platforms in implementing cloud?

Virtualization is the basis of cloud computing, and there are many platforms available. VMware, for example, provides the means to create a private cloud and a bridge to connect an external cloud with that private cloud. Three key features have to be in place to build a private cloud:
• A cloud operating system that pools the virtualized servers, storage and networks.
• Management of the service level policies that govern each workload.
• Virtualization that keeps the user level and the backend level separate from each other so that a seamless environment can be presented to both.

What is the use of Eucalyptus in a cloud computing environment?

Eucalyptus stands for "Elastic Utility Computing Architecture for Linking Your Programs to Useful Systems" and provides an open source software infrastructure for implementing clusters in a cloud computing platform. It is used to build private, public and hybrid clouds. It can turn your own datacenter into a private cloud and lets you extend that functionality to many other organizations. Eucalyptus provides web-service APIs to cope with the demand for resources in private clouds.

Explain different layers which define cloud architecture

Cloud computing architecture (the Eucalyptus architecture is described here) consists of several layers which keep it organized and manageable from one place. The layers are as follows:
1. Cloud Controller (CLC): the top level of the hierarchy, which manages the virtualized resources (servers, network and storage) and exposes the user APIs.
2. Walrus: the storage service, which acts as a storage controller to meet the users' demands. It provides a scalable way to store virtual machine images and user data.
3. Cluster Controller (CC): controls the execution of virtual machines on the nodes of a cluster and manages the virtual networking between virtual machines and external users.
4. Storage Controller (SC): provides block storage volumes that can be dynamically attached to virtual machines.
5. Node Controller (NC): the lowest level, which runs on each node alongside the hypervisor and controls the VM activities on that node: starting, managing and terminating instances.

How does a user gain from utility computing?

Utility computing lets the user pay per use: they pay only for what they actually consume. It is a model that organizations have to manage when deciding what type of services to obtain from the cloud, and it lets the user plan and implement services according to their own needs. Most organizations go for a hybrid strategy that combines internally delivered services with hosted or outsourced services.

Is there any difference between cloud computing and computing for mobiles?

Mobile cloud computing uses the same concepts, with the mobile device added as the client. Cloud computing comes into play when a task or data is kept on the Internet rather than on individual devices, giving users on-demand access to the data they need to retrieve. Applications run on the remote server, and the results are delivered to the user so that the data can be stored and managed from the mobile platform.

Happy Learning! 

Hardware Virtualization-The Nuts and Bolts

Author:   Johan  De  Gelas
Page 1
First dual-core in 2005, then quad-core in 2007: the multi-core snowball is rolling. The desktop market is still trying to find out how to wield all this power; meanwhile, the server market is eagerly awaiting the octal-cores in 2009. The difference is that the server market has a real killer application, hungry for all that CPU power: virtualization.
While a lot has been written about the opportunities that virtualization brings (consolidation, hosting legacy applications, resource balancing, faster provisioning...), most publications about virtualization are rather vague about the "nuts and bolts". We talked to several hypervisor architects at VMWorld 2008. In this article, we'll delve a bit deeper as we look to understand the impact of virtualization on performance.
Performance? Isn't that a non-issue? Modern virtualization solutions surely do not lose more than a few percent in performance, right? We'll show you that the answer is quite a bit different from what some of the sponsored white papers want you to believe. We'll begin today with a look at the basics of virtualization, and we will continue to explore the subject in future articles over the coming months.
In this first article we discuss "hardware virtualization", i.e. the technology that makes it possible to run several virtualized servers on one physical machine, as offered by VMware's ESX, Xen, and Windows 2008's Hyper-V. We recently provided an introduction to application virtualization using Thinstall and SoftGrid. These articles are all about quantifying the performance of virtualized servers and understanding virtualization technologies a bit better.
Hardware or Machine Virtualization versus "Everyday" Virtualization
Every one of us has already used virtualization to some degree. In fact, most of us wouldn't be very productive without the virtualization that a modern OS offers us. A "natively running" server or workstation with a modern OS already virtualizes quite a few resources: memory, disks, and CPUs for example. While there may only be 4GB of RAM in a Windows 2003 server, each of the tens of running applications is given the illusion that it can use the full 2GB (or 3GB) user-mode address space. There might only be three disks in a RAID-5 array available, but as you have created 10 volumes (or LUNs), it appears as if there are 10 disks in the machine. Although there might only be two CPUs in the server, you get the impression that five actively running applications are all working in parallel at full speed.
So why do we install a hypervisor (or VMM) to make fully virtualized servers possible if we already have some degree of virtualization in our modern operating systems? Operating systems isolate applications only weakly: each process gets a well-defined memory space, but processes share the same files, may have access to some shared memory, and share the same OS configuration. In many situations this kind of isolation was and is not sufficient. One process that takes up 100% of the CPU time may slow the other applications to a crawl, for example, despite the fact that modern OSes use preemptive multitasking. In the case of pure hardware virtualization, you instead have completely separate virtual servers with their own OS (guest OS), and communication is only possible via a virtual network.

Page 2
A Matter of Privileges
To create several virtual servers on one physical machine, a new software layer is necessary: the hypervisor, also called Virtual Machine Monitor (VMM). The most important role is to arbitrate the access to the underlying hardware, so that guest OSes can share the machine. You could say that a VMM manages virtual machines (Guest OS + applications) like an OS manages processes and threads.
To understand how the VMM actually works, we first have to understand how a modern operating system works. Most modern operating systems work with two modes:
  • A kernel mode that is allowed to run almost any CPU instruction, including "privileged" instructions that deal with interrupts, memory management, and so on. This is of course the mode that the operating system runs in.
  • A user mode that allows only the instructions necessary to calculate and process data. Applications run in this mode and can only make use of the hardware by asking the kernel to do some work (a system call).
The whole user/kernel mode arrangement is enforced by the CPU's protection mechanism. (On x86 this is tied to segmentation; paging adds a coarser user/supervisor distinction per page, but that is a discussion for another article.) Before a privileged instruction is executed, the CPU first checks the current privilege level (CPL), a 2-bit value carried in the code segment selector of the running code. The most privileged instructions require a CPL of 00. This 2-bit code allows four levels, with "11" being the lowest level.
To illustrate this, the 2-bit code is graphically represented in many publications by four "onion rings" (as you can see in this article). Ring 0 is the most privileged layer, ring 1 is a bit less privileged, and ring 3 is where the user applications reside with no privileges to manage the hardware resources at all.

Ring deprivileging with software virtualization: the guest OSes are no longer running in ring 0, but with less rights in ring 1.

A technique that all (software based) virtualization solutions use is thus ring deprivileging: the operating system that runs originally on ring 0 is moved to another less privileged ring like ring 1. This allows the VMM to control the guest OS access to resources. It avoids for example one guest OS kicking another out of memory, or a guest OS controlling the hardware directly.

Page 3
Virtualization Challenges
The grandfathers of virtualization, such as the IBM S/370, used a very robust system to allow the hypervisor to control the virtual machines. Every privileged instruction by a virtual machine caused a "trap", an error, as it was trying to execute a "resource management" instruction while running in a less privileged ring. The VMM intercepts all those traps and emulates the instruction, without jeopardizing the integrity of the other guests. In order to improve performance, the developers of the guest OS and VMM (both at IBM) tried to minimize the number of traps and reduce the time required to take care of the various traps.
This kind of virtualization was not possible on x86, as the 32/64-bit Intel ISA does not trap every event that should lead to VMM intervention. One example is the POPF instruction, which (among other flags) can disable and enable interrupts. The problem is that if this instruction is executed by a guest OS in ring 1, an x86 CPU does not make a fuss about it, but simply ignores the change to the interrupt flag. The result is that if a guest OS is trying to disable interrupts, interrupts are not disabled at all, and the VMM has no way of knowing that this is happening. As always, the good old x86 ISA is a bit chaotic: it has 17 of these "non-interceptable, cloaked for the VMM" instructions [1]. The conclusion is that x86 cannot be virtualized the way that the old mainframes were virtualized. Incidentally, the PowerPC and Alpha ISAs are clean enough to be virtualized in the classic manner.
The above is much more than a quick simplified history lesson. Keep this in mind when we discuss what Intel and AMD have been doing with VT-x and AMD-V.

Page 4
Binary Translation
VMware didn't wait for Intel or AMD to solve the "x86 stealth instructions" problem and launched their solution at the end of the previous century (1999). To uncloak the stealthy x86 instructions, VMware used Binary translation (unfortunately, a Tachyon detection grid proved too expensive) . VMware's Binary Translation is a lot lighter than the binary translation technology that the Intel Itanium (x86 to IA64), Transmeta (x86 to VLIW), Digital FX!32 (Alpha to x86), or Rosetta software use. It doesn't have to translate from one Instruction Set Architecture (ISA) to another but it is based on an x86 to x86 translator. In fact, in some cases it just makes an exact copy of the original instruction.
VMware translates the binary code that the kernel of a guest OS wants to execute on the fly and stores the adapted x86 code in a Translator Cache (TC). User applications will not be touched by VMware's Binary Translator (BT) as it knows/assumes that user code is safe. User mode applications are executed directly as if they were running natively.

User applications are not translated, but run directly. Binary Translation only happens when the guest OS kernel gets called.

It is the kernel code that has to go through the "x86 to slightly longer x86" code translation. You could say that the kernel of the guest OS is no longer running. The kernel code in memory is nothing more than an input for the BT; it is the BT-translated kernel that will run in ring 1.
In many cases, the translated kernel code will be an exact copy. However, there are several cases where BT must make the "translated" kernel code a bit longer than the original code. If the kernel of the guest OS has to run a privileged instruction, the BT will change this kind of code into "safer" user mode code. If the kernel needs to get control of the physical hardware, the BT will replace that binary code with code that manipulates the virtual hardware.

Binary translation from x86 to x86 virtualized in action. (Image: VMware[2])

Binary translation is all about scanning the code that the kernel of the guest OS should execute at a certain moment in time and replacing it with something safe (virtualized) on the fly. With "safe", we mean safe for the other guest OSes and the VMM. VMware also keeps the overhead of the translation as low as possible. The BT does not optimize the binary instruction stream, and an instruction stream that has been translated is kept in a cache. In case of a loop, this means that the translation is done only once.
The TC is not only a Translator Cache but also a bit of a Trace Cache as it keeps track of the control flow of the program. Each time the kernel jumps to another address location, the BT cannot copy this exactly. If the original code had to jump 100 bytes for example, it is very unlikely that the translated part of the kernel in the TC has to jump the same number of bytes. The BT has probably lengthened the "in between" code a bit.
It is clear that replacing code with "safer" code is a lot less costly than letting privileged instructions result in traps and then handling those traps afterwards. Nevertheless, that doesn't mean that the overhead of this kind of virtualization is always low. The "Translator overhead" is rather low, and its impact gets lower and lower over time, courtesy of the Translator cache. However, BT cannot completely crack several hard nuts:
  1. System Calls
  2. Accesses to chipset and I/O, interrupts and DMA
  3. Memory management
  4. "Weird and complex code" (Self-modifying, indirect control flows, etc.)
Especially the first three are interesting. The last one is hard in an OS running in "native mode" too, so it is only normal that this doesn't get any better if you run more than one OS.
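Added example (constructed for this page, not VMware's code): a toy binary translator in Go over a made-up five-instruction ISA, which shows the mechanics described above. Privileged instructions are rewritten into VMCALLs that act on the virtual CPU's state, the translated code is longer than the original so every jump displacement is recomputed in a second pass, and finished translations are kept in a cache keyed by entry address. The same program run untranslated at the deprivileged level shows the POPF problem from page 3: the privileged instructions are silently dropped and interrupts stay enabled, with the VMM none the wiser.

```go
package main

import "fmt"

// Toy guest ISA, constructed for this example (it is not x86):
//   ADD imm  (0x01 imm)  acc += imm
//   JMP rel  (0x02 rel)  pc = next + rel, rel is a signed byte
//   POPF     (0x03)      pops a flags word with IF clear (disables interrupts);
//                        privileged, and silently ignored below ring 0
//   OUT imm  (0x04 imm)  writes imm to an I/O port; privileged
//   HLT      (0xFF)
// Translated code also uses VMCALL op [imm] (0x10 ...): a call into the VMM,
// which performs the privileged operation on the virtual CPU instead.
const (
	ADD    = 0x01
	JMP    = 0x02
	POPF   = 0x03
	OUT    = 0x04
	VMCALL = 0x10
	HLT    = 0xFF
)

// length returns the encoded size of the instruction at pc.
func length(code []byte, pc int) int {
	switch code[pc] {
	case ADD, JMP, OUT:
		return 2
	case VMCALL:
		if code[pc+1] == OUT {
			return 3
		}
		return 2
	}
	return 1
}

// Translate rewrites guest kernel code from entry up to its HLT into "safe"
// code: privileged instructions become VMCALLs, and because that lengthens
// the stream, JMP displacements are recomputed once all offsets are known.
func Translate(code []byte, entry int) []byte {
	var out []byte
	newOff := map[int]int{} // original pc -> offset in translated code
	fixups := map[int]int{} // translated offset of a JMP -> original target pc
	for pc := entry; ; {
		newOff[pc] = len(out)
		op, n := code[pc], length(code, pc)
		switch op {
		case POPF:
			out = append(out, VMCALL, POPF)
		case OUT:
			out = append(out, VMCALL, OUT, code[pc+1])
		case JMP:
			fixups[len(out)] = pc + n + int(int8(code[pc+1]))
			out = append(out, JMP, 0) // displacement patched below
		default:
			out = append(out, code[pc:pc+n]...) // exact copy
		}
		pc += n
		if op == HLT {
			break
		}
	}
	for at, target := range fixups {
		out[at+1] = byte(int8(newOff[target] - (at + 2)))
	}
	return out
}

// CPU models a guest running deprivileged (ring 1): raw POPF/OUT are
// silently ignored, so only VMCALLs reach the VMM and its virtual state.
type CPU struct {
	Acc     int
	VIF     bool           // virtual interrupt flag, owned by the VMM
	Ports   []byte         // values the VMM delivered to the virtual I/O port
	Dropped int            // privileged instructions the hardware ignored
	tc      map[int][]byte // translator cache, keyed by entry pc
}

// Run executes code from pc 0, optionally through the binary translator.
func (c *CPU) Run(code []byte, translate bool) {
	if translate {
		if c.tc == nil {
			c.tc = map[int][]byte{}
		}
		if _, hit := c.tc[0]; !hit { // translate once, reuse on later runs
			c.tc[0] = Translate(code, 0)
		}
		code = c.tc[0]
	}
	c.VIF = true
	for pc, steps := 0, 0; steps < 1000; steps++ {
		n := length(code, pc)
		switch code[pc] {
		case ADD:
			c.Acc += int(code[pc+1])
		case JMP:
			pc += n + int(int8(code[pc+1]))
			continue
		case POPF, OUT:
			c.Dropped++ // no trap, no effect: the VMM never learns of it
		case VMCALL: // trap into the VMM, which updates the virtual CPU
			if code[pc+1] == POPF {
				c.VIF = false
			} else {
				c.Ports = append(c.Ports, code[pc+2])
			}
		case HLT:
			return
		}
		pc += n
	}
}

// GuestProgram is a constructed guest kernel fragment. Its JMP skips a dead
// OUT, so after translation the displacement has to grow from 2 to 3.
func GuestProgram() []byte {
	return []byte{ADD, 5, JMP, 2, OUT, 0x99, POPF, OUT, 0x2A, ADD, 1, HLT}
}

func main() {
	var raw, bt CPU
	raw.Run(GuestProgram(), false)
	bt.Run(GuestProgram(), true)
	fmt.Printf("deprivileged, untranslated: acc=%d IF=%v ports=%v dropped=%d\n", raw.Acc, raw.VIF, raw.Ports, raw.Dropped)
	fmt.Printf("binary translated:          acc=%d IF=%v ports=%v dropped=%d\n", bt.Acc, bt.VIF, bt.Ports, bt.Dropped)
}
```

Both runs end with the same accumulator, which is exactly why the untranslated case is dangerous: the guest kernel computes the right answer while believing interrupts are off and the port write happened, and nothing on the machine records that neither took effect.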

Page 5
System Calls
Much has been written about kernels, but it remains one of the most confusing subjects. Some publications give the impression that the kernel is some kind of "overlord" process that is always watching in the background. This is wrong of course, because this would mean that modern multitasking operating systems would not work on a single-threaded, single-core CPU. When only one thread can be active at a given time, how can the OS keep control?
A kernel is just another process that gets time slices from the multitasking CPU. The difference from other processes is that it has privileged access to CPU instructions that other processes don't have. Therefore, "normal" (user) processes will have to switch to the kernel to perform a privileged task like getting access to the hardware. If they don't, the CPU will cause an exception and the kernel will take over anyway. At the same time, a scheduler of the kernel uses the timer interrupt to intervene from time to time, making sure that no process tries to keep the CPU to itself (preemption) for too long. You could also say that the CPU is forced to load the OS scheduler process from time to time[5].
A system call is thus the result of a user application requesting a service of the kernel. x86 provides a very low latency way to get system calls done: SYSENTER (or SYSCALL) and SYSEXIT. A system call gives the Virtual Machine Monitor, especially with Binary Translation (BT), quite a bit of extra work. As we have stated before, software virtualization techniques (such as BT) place the (32-bit) guest operating system at a slightly less privileged ring than normal (1 instead of 0). The problem is that a SYSENTER (request the service of the kernel) always transfers control to ring 0 code. The application expects to land in the operating system, but it arrives in the VMM. So the VMM has to emulate every system call, translate the code, and then hand control over to the translated kernel code which runs in ring 1[3].

A system call is a lot more complex when it happens on a virtualized machine.

When the binary translated guest OS code is done, it will use a SYSEXIT to return to the user application. However, the guest OS is running in ring 1 and doesn't have the necessary privileges to perform SYSEXIT, so the CPU faults to ring 0 and the VMM has to emulate what the guest OS should have done. It is clear that system calls cause a lot of overhead. A system call on a virtualized machine will cost roughly 10 times more than on a native machine. Engineers at VMware measured on a 3.8 GHz Pentium 4 [4]:
  • A native system call takes 242 cycles
  • A binary translated one with the 32-bit guest OS running in ring 1 takes 2308 cycles
If you have a few of those virtualized machines running, system calls are suddenly much more than the background noise they were on a modern OS running on a native machine.

Page 6
I/O Virtualization
I/O is a big issue for any form of virtualization. If your virtualized server lacks CPU power, you can just add more CPUs or cores (i.e. replace dual-core CPUs with quad-cores). However, the memory bandwidth, the chipset, and storage HBA are in most cases shared by all virtual machines and a lot harder to "upgrade". Moreover, contrary to the CPU, the rest of the hardware in most virtualization software is emulated. This means that each access to the driver of a virtual hardware component must be translated to the real driver.

A real 3.46 GHz Intel Xeon processor runs on an emulated BX chipset: we are running inside a VM.

If you inspect the hardware of a virtual machine in ESX, for example, you can see that modern CPUs have to work together with the good but nine-year-old BX chipset, and that your HBA is always an old BusLogic or LSI card. This also means that the newest tricks your hardware uses to improve performance cannot be used.

Page 7
Memory Management
An OS maintains page tables to translate virtual memory pages into physical memory addresses. All modern x86 CPUs provide support for virtual memory in hardware. The translation from virtual to physical addresses is performed by the memory management unit, or MMU. The physical address of the current page table root is held in the CR3 register (the hardware page table pointer), and the most used translations are cached in the TLBs.
It is clear that a guest OS running on a virtual machine cannot have access to the real page tables. Instead, the guest OS sees page tables which run on an emulated MMU. These tables give the guest OS the illusion that it can translate the virtual guest OS addresses into real physical addresses, but in reality the VMM is dealing with this "in the shadow", out of sight of the guest OS. The real page tables are hidden and managed by the VMM and still run on the real MMU. So the real page tables consist of "shadow page tables", which are used to translate the virtual addresses of the guest OS into the real physical pages.
Every time the guest OS modifies its page mapping, the virtual MMU module will capture (trap) the modification and adjust the shadow page tables accordingly. As you've likely guessed, this costs a lot of CPU cycles. Depending on the virtualization technique and the changes made in the page tables, this bookkeeping takes 3 to 400 (!) times more cycles than in the native situation[3]. The result is that in memory intensive applications, memory management causes the largest part of the performance penalty you have to pay for virtualization.
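Added example (a model written for this page, not code from any hypervisor): guest and shadow page tables in Go, with page numbers standing in for addresses and a constructed pmap. The guest edits its own gva -> gpa table; each edit traps into the virtual MMU, which resolves gpa -> hpa through the VMM's private map and mirrors the result into the shadow table that the real MMU walks. A guest mapping of a guest-physical page it does not own gets no shadow entry, which is what keeps one VM out of another's memory, and the trap counter is the bookkeeping cost the paragraph above describes.

```go
package main

import "fmt"

// Page numbers stand in for addresses (page offsets omitted).
type (
	GVA uint64 // guest virtual page
	GPA uint64 // guest "physical" page, as the guest OS sees it
	HPA uint64 // host physical page, where the VMM really placed it
)

// VMM owns the real mappings and the shadow table that the real MMU walks.
type VMM struct {
	pmap   map[GPA]HPA // gpa -> hpa, known only to the VMM (constructed here)
	shadow map[GVA]HPA // shadow page table: gva -> hpa, what CR3 points at
	Traps  int         // guest page-table writes intercepted so far
}

func NewVMM(pmap map[GPA]HPA) *VMM {
	return &VMM{pmap: pmap, shadow: map[GVA]HPA{}}
}

// Guest is a guest OS with its own page table (gva -> gpa). It believes the
// MMU walks this table; in reality the VMM write-protects the pages holding
// it, so every update traps.
type Guest struct {
	pt  map[GVA]GPA
	vmm *VMM
}

func NewGuest(vmm *VMM) *Guest {
	return &Guest{pt: map[GVA]GPA{}, vmm: vmm}
}

// MapPage is the guest kernel writing a page-table entry. The write itself
// traps, and the virtual MMU (onPTWrite) does the shadow bookkeeping.
func (g *Guest) MapPage(va GVA, pa GPA) {
	g.pt[va] = pa
	g.vmm.onPTWrite(va, pa, true)
}

// UnmapPage clears an entry; that write traps too.
func (g *Guest) UnmapPage(va GVA) {
	delete(g.pt, va)
	g.vmm.onPTWrite(va, 0, false)
}

// onPTWrite is the virtual MMU: it validates the guest's mapping against
// pmap and mirrors it into the shadow table as gva -> hpa. A gpa the guest
// does not own gets no shadow entry, so the access faults instead of
// reaching another VM's memory.
func (v *VMM) onPTWrite(va GVA, pa GPA, present bool) {
	v.Traps++
	if hpa, ok := v.pmap[pa]; ok && present {
		v.shadow[va] = hpa
	} else {
		delete(v.shadow, va)
	}
}

// Walk is what the hardware MMU does on an access: one lookup in the shadow
// table yields the host page. The guest's own table is never consulted.
func (v *VMM) Walk(va GVA) (HPA, bool) {
	hpa, ok := v.shadow[va]
	return hpa, ok
}

func main() {
	vmm := NewVMM(map[GPA]HPA{0x10: 0x5000, 0x11: 0x5001})
	g := NewGuest(vmm)
	g.MapPage(0x400, 0x10)
	g.MapPage(0x401, 0x11)
	g.MapPage(0x402, 0x99) // guest-physical page this VM does not own
	for _, va := range []GVA{0x400, 0x401, 0x402} {
		hpa, ok := vmm.Walk(va)
		fmt.Printf("gva %#x -> hpa %#x (present=%v)\n", va, hpa, ok)
	}
	g.UnmapPage(0x400)
	fmt.Println("traps into the virtual MMU:", vmm.Traps) // 4
}
```

Every call to MapPage or UnmapPage is one trap, and a real guest kernel makes thousands of such updates during process creation and context switches, which is where the 3x to 400x figure quoted above comes from.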

Page 8
Paravirtualization
Paravirtualization is not that different from Binary Translation. BT changes "critical" or "dangerous" code into harmless code on the fly; paravirtualization does the same thing, but in the source code of the guest kernel. Of course, changing the source code allows a bit more flexibility than changing everything on the fly, which has to happen quickly. One advantage is that paravirtualization eliminates a lot of unnecessary "traps" into the VMM (or hypervisor), even more than BT does.
The hypervisor provides hypercall interfaces for critical kernel operations such as memory management, interrupt handling, and time keeping. These hypercalls will only happen when it is necessary. For example, most of the memory management is done by the different guest OSes. The Hypervisor will only be "called" for things like page table updates and DMA accesses.

Simplified front end drivers interface to "normal" Linux backend drivers.

The best feature of the Xen implementation of virtualization is the way I/O is handled. I/O devices in the VM are just simplified interfaces that link to real native drivers in a privileged VM (called Domain 0 in Xen). This means there is no emulation involved, and the overhead is significantly reduced. That this is more than Xen propaganda is illustrated by VMware ESX: while VMs running on early ESX versions had rather low network performance, VMs running on ESX 3.x have very acceptable network performance thanks to a cleverly implemented paravirtualized vmxnet network driver.
To summarize, paravirtualization is an excellent concept, as you eliminate (binary) translation overhead completely, I/O driver overhead significantly, and system call overhead somewhat. Very frequent interrupts and system calls can still cause overhead. We'll study Xen in more detail in later articles. The biggest disadvantages are:
  1. You cannot use unmodified OS guests (if you use paravirtualization only)
  2. 64-bit guests have to run in a non-privileged ring (ring 3). [6]

Software paravirtualization doesn't handle 64-bit OSes very well.

The second problem might not seem like a big problem, but in order to protect the OS, page table switching is necessary. This results in two system calls and a TLB flush, which is very costly. Let us see what Intel's VT-x and AMD-V can offer us.

Page 9
Hardware Accelerated Virtualization: Intel VT-x and AMD SVM
Hardware virtualization should reduce all that overhead to a minimum, right? Unfortunately, that is not the case. Hardware virtualization is not an improved version of binary translation or paravirtualization. No, the first idea behind hardware virtualization is to fix the problem that the x86 instruction set architecture cannot be virtualized in the classic way. This means that hardware virtualization is based on the philosophy of trapping all exceptions and privileged instructions by forcing a transition from the guest OS to the VMM, called a "VMexit". You could call this an improved version of the IBM S/370 virtualization methods.
One big advantage is the fact that the guest OS runs at its intended privilege level (ring 0), and that the VMM is running at a new ring with an even higher privilege level (Ring -1, or "Root mode"). System calls do not automatically result in VMM interventions: as long as system calls do not involve critical instructions, the guest OS can provide kernel services to the user applications. That is a big plus for hardware virtualization.

With HW virtualization, the guest OS is back where it belongs: ring 0.

The problem is that - even though it is implemented in hardware - each transition from the VM to the VMM (VMexit) and back (VMentry) requires a fixed (and large) number of CPU cycles. The specific number of these "overhead cycles" depends on the internal CPU architecture. Depending on the exact operation (VMexit, VMentry, VMread, etc.), these kinds of events can take a few hundred up to a few thousand CPU cycles!
The VM/VMM roundtrip of hardware virtualization is thus a rather heavy event. When Intel VT-x or AMD SVM (or AMD-V) have to handle relatively complex operations such as system calls (which take a lot of CPU cycles to handle anyway), the VMexit/VMentry switching penalty has little impact. On the other hand, if the actual operation that the VMM has to intercept and emulate is rather simple, the overhead of switching back and forth to and from the VMM is huge!
Relatively simple operations such as creating processes, context switches, small page table updates, etc. take a few cycles when run natively, so the "switching to VMM and back" time wastes a proportionally (compared to the non-virtualized native situation) huge amount of cycles. With BT, the translator simply replaces the code with slightly longer code that the VMM handles. The same is true for paravirtualization, which is a lot faster than hardware virtualization at handling these kinds of events.

The enter VMM and exit VMM latency has been lowered over time with the different Xeon families.

The first way Intel and AMD countered this problem is to reduce the number of cycles that the VT-x instructions take. For example, the VMentry latency was reduced from 634 cycles (Xeon Paxville or Xeon 70xx) to 352 cycles in the Woodcrest (Xeon 51xx), Clovertown (Xeon 53xx), and Tigerton (Xeon 73xx). As you can see in the graph above, the first implementations of VT-x back in 2005 were not exactly doing wonders for the speed of virtualized machines. The newest Xeon 54xx ("Harpertown") has reduced the typical VMM latencies even more, by 12%-25% for the most important ones and up to 75% for some less frequent instructions. We found a few numbers that are more precise, as you can see below.

Enter and exit VMM numbers (in ns) for the different Intel families.

The second strategy is to reduce the number of VMM events. After all, total virtualization overhead equals the number of events times the cost per event. In equation form:
Total VT overhead = Sum of (Frequency of "VMM to VM" events * Latency of event)
The Virtual Machine Control Block (AMD calls it the VMCB, Intel the VMCS) - a sort of table that is placed in memory (in cache) and which is part of VT-x and AMD SVM - can help. It contains the state of the virtual CPU(s) for each guest OS and allows the guest OSes to run directly without interference from the VMM. Depending on control bits set in the VMCB, the VMM can allow the guest OS to handle some hardware parts and interrupts, or perform some of the page table operations. The VMM thus configures the VMCB/VMCS to cause the VM (guest OS) to exit on certain behaviors, while letting the guest OS continue on others. This can potentially reduce the number of times that the CPU forces the guest OS to stop (VMexit), after which the CPU switches to VMX root mode (ring -1) and the VMM takes over.

Page 10
The second generation: Intel's EPT and AMD's NPT
As we discussed in "memory management", managing the virtual memory of the different guest OSes and translating this into physical pages can be extremely CPU intensive.

Without shadow pages we would have to translate virtual memory (blue) into "guest OS physical memory" (gray) and then translate the latter into the real physical memory (green). Luckily, the "shadow page table" trick avoids the double bookkeeping by making the MMU work with a virtual memory (of the guest OS, blue) to real physical memory (green) page table, effectively skipping the intermediate "guest OS physical memory" step. There is a catch, though: each update of the guest OS page tables requires some "shadow page table" bookkeeping. This is rather bad for the performance of software-based virtualization solutions (BT and Para) but wreaks havoc on the performance of the early hardware virtualization solutions. The reason is that you get a lot of those ultra heavy VMexit and VMentry calls.
The second generation of hardware virtualization, AMD's nested paging and Intel's EPT technology partly solve this problem by brute hardware force.

EPT or Nested Page Tables is based on a "super" TLB that keeps track of both the Guest OS and the VMM memory management.

As you can see in the picture above, a CPU with hardware support for nested paging caches both the Virtual memory (Guest OS) to Physical memory (Guest OS) translation and the Physical Memory (Guest OS) to real physical memory translation in the TLB. The TLB has a new VM specific tag, called the Address Space IDentifier (ASID). This allows the TLB to keep track of which TLB entry belongs to which VM. The result is that a VM switch does not flush the TLB. The TLB entries of the different virtual machines all coexist peacefully in the TLB… provided the TLB is big enough, of course!
This makes the VMM a lot simpler and completely annihilates the need to update the shadow page tables constantly. If we consider that the Hypervisor has to intervene for each update of the shadow page tables (one per VM running), it is clear that nested paging can seriously improve performance (up to 23% according to AMD). Nested paging is especially important if you have more than one (virtual) CPU per VM. Multiple CPUs have to sync the page tables often, and as a result the shadow page tables have to update a lot more too. The performance penalty of shadow page tables gets worse as you use more (virtual) CPUs per VM. With nested paging, the CPUs simply synchronize TLBs as they would have done in a non-virtualized environment.
There is only one downside: nested paging or EPT makes the virtual to real physical address translation a lot more complex if the TLB does not have the right entry. For each step we take in the blue area, we need to do all the steps in the orange area. Thus, four table searches in the "native situation" have become 16 searches (for each of the four blue steps, four orange steps).
In order to compensate, a CPU needs much larger TLBs than before, and TLB misses are now extremely costly. If a TLB miss happens in a native (non-virtualized) situation, we have to do four searches in the main memory. A TLB miss then results in a performance hit. Now look at the "virtualized OS with nested paging" TLB miss situation: we have to perform 16 (!) searches in tables located in the high latency system RAM. Our performance hit becomes a performance catastrophe! Fortunately, only a few applications will cause a lot of TLB misses if the TLBs are rather large.
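To make the TLB-miss cost concrete, here is a small Python model, added for this write-up and not taken from the article or from AMD's or Intel's documentation. It replays a constructed access trace through a toy ASID-tagged TLB, using the article's own walk counts (4 page-table references per miss natively, 16 with nested paging), and compares a tagged TLB that survives VM switches with one that is flushed on every switch; the page size, TLB size and VM trace are constructed assumptions.

```python
from collections import OrderedDict

PAGE_SHIFT = 12   # 4 KiB pages (constructed assumption)
LEVELS = 4        # four-level page tables, the article's "four table searches"

def walk_cost(nested: bool) -> int:
    """Page-table references per TLB miss: 4 natively, 4 x 4 = 16 with nested paging."""
    return LEVELS * LEVELS if nested else LEVELS

class TaggedTLB:
    """Tiny fully associative TLB with LRU eviction, keyed by (ASID, virtual page number).
    With asid_tagged=False the whole TLB is flushed whenever a different VM is
    scheduled, which is the behaviour the article says ASIDs were added to avoid.
    """

    def __init__(self, entries: int, nested: bool, asid_tagged: bool) -> None:
        self.entries, self.nested, self.asid_tagged = entries, nested, asid_tagged
        self.tlb: OrderedDict = OrderedDict()
        self.current_asid = None
        self.misses = 0
        self.mem_refs = 0   # page-table memory references caused by misses

    def access(self, asid: int, vaddr: int) -> bool:
        """Touch vaddr in VM `asid`; return True on a TLB hit, False on a miss."""
        if not self.asid_tagged and asid != self.current_asid:
            self.tlb.clear()                      # VM switch flushes an untagged TLB
        self.current_asid = asid
        key = (asid if self.asid_tagged else 0, vaddr >> PAGE_SHIFT)
        if key in self.tlb:
            self.tlb.move_to_end(key)
            return True
        self.misses += 1
        self.mem_refs += walk_cost(self.nested)   # the 4 or 16 searches in RAM
        if len(self.tlb) >= self.entries:
            self.tlb.popitem(last=False)          # evict the least recently used entry
        self.tlb[key] = None
        return False

def run_trace(trace, entries=8, nested=True, asid_tagged=True):
    """Replay an (asid, vaddr) trace; return (TLB misses, page-table memory references)."""
    tlb = TaggedTLB(entries, nested, asid_tagged)
    for asid, vaddr in trace:
        tlb.access(asid, vaddr)
    return tlb.misses, tlb.mem_refs

# Constructed trace: VM 1 and VM 2 alternate three times, each touching the same four pages.
TRACE = [(vm, page << PAGE_SHIFT) for _ in range(3) for vm in (1, 2) for page in range(4)]
```

With an 8-entry tagged TLB the trace misses only on the first round (8 misses, 128 references under nested paging); the untagged TLB misses on every VM switch (24 misses, 384 references), which is the flush cost that ASIDs remove.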

Page 11
Standardization Please!
AMD and Intel are doing it again: incompatible x86 extensions. The specialized hardware virtualization extensions are not standardized. This means that software developers have to develop and support separate modules to support Intel's VT-x and AMD SVM. Xen 3.0.2 supports both technologies, accounting for about 9500 of the lines or 8% of the code base of Xen 3.0.2. AMD's and Intel's lack of standardization is causing the Xen VMM to expand by about 4%, which is still manageable. Let us hope that this doesn't get out of hand, because the difference between AMD's and Intel's extensions is so small that you really need to ask yourself what the point of these two different extensions is.
So which CPU's have support? The table below lists the most important server CPUs.
CPUs with Virtualization Support

Processor                              Type of Virtualization                       Degree of support
Xeon 50xx, Xeon 70xx and Xeon 71xx     Hardware Virtualization support (HVT only)   Rather slow
Opteron Socket-F, Xeon 53xx            Hardware Virtualization support (HVT only)
Xeon 54xx                              Hardware Virtualization support (HVT only)   Relatively fast
Nehalem, Quad-core Opteron             HVT and Nested paging

It is important to note that the AMD Opteron 8xx and 2xx with support for DDR do not support HVT; however, they were quite a bit faster than comparable Xeons with early HVT support.

Page 12
The Benchmarks
Performance is a somewhat less popular subject among the virtualization evangelists, and little detail is provided in the glossy brochures. A superficial look at most of the published benchmarks seems to justify this lack of interest: who's worried about a 3% to 10% performance loss with the current powerful quad-core CPUs? Indeed, hypervisor- or VMM-based virtualization - ESX, Xen - performs quite well, especially if you compare it with a typical host-based solution such as VMware Server and Microsoft Virtual Server 2005. The latter run their virtualization layer on top of a host OS, which results in rather low performance.
Look at the graph[6] below. It shows the benchmarks performed by the University of Cambridge. The benchmark compares the native Linux performance (L) with the Xen performance (X) and with VMware Workstation (V) and User Mode Linux. The latter two are based on host OS virtualization: the virtualization layer runs on top of a host OS.

Virtualization on top of host OS is a bad idea for many typical business applications.

The most quoted benchmark by the virtualization vendors is SPEC CPU 2000 integer. As you can see in those links, every kind of virtualization technology scores very well. According to these numbers, Xen performs just as well as native. However, once you start a memory intensive benchmark such as a Linux kernel compile, it is clear that the OS hosted virtualization solutions cannot keep up. Throw in OLTP and web applications and performance is simply abysmal.
There is a reason why SPEC CPU 2000 integer is quite popular. It's a CPU intensive benchmark that rarely accesses any other hardware, and it avoids using the OS kernel much of the time. It is also quite remarkable that the "2000" version is used. The 2006 version has a larger memory footprint, which will probably cause a bit more performance loss when virtualized.
Anyway, it is clear that SPEC CPU 2000 integer numbers on virtualized machines prove very little. This kind of software completely avoids the more challenging code that a VMM has to deal with. What happens with Specjbb2005? That server benchmark is also mentioned a lot in the performance numbers of the virtualization vendors. It's true that they show some results, but most Specjbb2005 benchmarks are run on one CPU, and if they are run on more than one virtual CPU, only one VM is active. That is of course not very realistic: you do not virtualize your server to run only one VM.
We will keep our full benchmark report for the next article, but let's take a quick look at some of the benchmarks that we ran. We used our quad Xeon MP Intel SR6850HW4 (4 x 3.2GHz dual-core Xeon 7130M, Full configuration here) and ran Specjbb2005 the same way we configured it here. Hyper-Threading was disabled to avoid inconsistencies in our benchmarks.
Virtualization Performance Testing

Number of VMs   CPUs per VM   SUSE SLES 10
                              Xen 3.0.3   VMware ESX 3.0.2

For our impatient readers: yes, there is a fully updated report with the newest Xeons, Opterons, and hypervisors coming (ESX 3.5 etc.). We are well aware that these numbers do not give you a decent picture of the virtualization landscape, but they are not meant to be comprehensive. They are nothing more than a teaser.
However, even these slightly outdated results are very interesting. If you do not pay attention, a "one CPU on one VM" benchmark tells you that virtualization comes without any performance loss whatsoever. However, a much more realistic setup is that you run four virtual machines and you assign two virtual CPUs to each, as there are eight CPU cores available. The performance loss is not dramatic, but it is measurable now.
In the last line (four vCPUs per VM), we still used exactly the same load as in the 2-2-2-2 configuration. At the highest load, we only ran eight threads. The performance loss was on average a bit higher, but the table above is not telling the whole story. Look at the graph below.

If you assign more virtual CPUs than you have physical cores, the virtualized performance you get at lower loads can be a lot lower than when you assign one virtual CPU for each real CPU.
Don't get us wrong: the current virtualization products offer very good performance in most cases. Nevertheless, the impression that virtualization comes without any significant performance loss in almost any situation is not accurate either. For example, we have noticed that even a simple OLTP sysbench load loses more than 20% on a very powerful Xeon 5472 server. We have even seen performance losses in the 40% range in some cases. It is too early to analyze this as the testing efforts are still in progress, but we feel that more performance research will yield some interesting results.

Page 13
When we first heard about Intel's VT-x and AMD's SVM technology we expected to see performance improvements over the software based solutions such as Binary Translation and Paravirtualization. Both AMD and Intel gave the impression that they were about to "enhance" and "accelerate" the current purely software based solutions.
What AMD and Intel did was extend x86 to make "Classic Virtualization" possible, very similar to the old IBM mainframe virtualization. In other words, hardware virtualization support does not really "enhance" Binary Translation or Paravirtualization; it is a completely different approach. First generation hardware virtualization was even a step back from a performance view, but one that enabled many steps forward. The first generation of virtualization has been improved, and is now adopted by VMware to support 64-bit guest OSes and by Xen to run unmodified OSes (such as Windows). So right now, hardware virtualization still has a long way to go while software virtualization is mature and represents the current standard.
Second generation virtualization (VT-x+EPT and AMD-V+NPT) is more promising, but while it can improve performance significantly it is not guaranteed that it will improve performance across all applications due to the heavy TLB miss cost. On the flip side of the coin: software virtualization is very mature, but there is very little headroom left to improve. The smartest way is to use a hybrid approach, and that is exactly what VMware, Xen, and Microsoft have been doing.
VMware ESX is the best example of this. ESX uses paravirtualized drivers for the most critical I/O components (but not for the CPU), uses emulation for the less important I/O, Binary Translation to avoid the high "trap and emulate" performance penalty, and hardware virtualization for 64-bit guests. In this way, virtualized applications perform quite well, in some cases almost as if there is no extra layer (the VMM).
That doesn't mean that there are no performance issues at all. The huge number of people that populated the numerous VMworld 2008 sessions about performance and our own (early) benchmark results tell us that the real world performance of virtual servers is still a very interesting challenge despite the multi-core powerhouses they are running on. As long as you are running CPU intensive applications, there is no problem at all - they are running directly after all. However, consider applications with one or more of the following characteristics:
  • Have a high frequency of system calls or interrupts
  • Access the memory intensively (DMA)
  • Perform a lot of accesses to I/O devices
  • Require SMP to perform well
These applications will need more attention to perform well on a virtualized server. Now, it's time for more in-depth benchmarking. Stay tuned.