210 likes | 418 Vues
Virtual Devices for Virtual Machines. or Building Extensible Devices with a Chainsaw and some Duct Tape. Andrew Warfield. Despite being a coarse-grained tool, VMMs are a great substrate for low-level extensibility. Take-home message:. “VMMs: They’re boxy, but they’re good!”.
E N D
Virtual Devices for Virtual Machines orBuilding Extensible Deviceswith a Chainsaw and some Duct Tape Andrew Warfield andrew.warfield@cl.cam.ac.uk
Despite being a coarse-grained tool, VMMs are a great substrate forlow-level extensibility. Take-home message: “VMMs: They’re boxy, but they’re good!”
Why do we want to extend devices? • Add new device-level systems features. • Versioning storage, encryption, checksum offload. • Manage I/O for VMs in a cluster. • They move around! • I/O looks a lot like a “service”. Soft Device Physical Device (e.g. disk) Extension (e.g. encryption) VM (OS + Apps)
What are the challenges: • Performance. • “Fast enough to be useful.” • Safety. • Extensions shouldn’t cause system to melt. • “Software Engineering”. • Extension writers shouldn’t have to piece together the internals of an OS, learn undocumented interfaces and locking disciplines, or spend all their time tracking versions. Extensions should be portable across OSes.
The rest of this talk: • Why VMMs are a good platform for device extensions. • a.k.a. how devices work in Xen. • An extension interface for Xen. • Case: Packet symmetry enforcement. • Case: The Parallax storage service. • New and somewhat crazy stuff. • Conclusion.
Devices in Xen. Problem 1: Maintenance. VMM is now in the “driver trap”… has to support new hardware, is constantly chasing driver evolution. Problem 2: Stability. Drivers are a huge amount of (often buggy) code. We don’t want to count on them for reliability. Sometimes they crash. Web Mail OS OS DD VD.D VD.D VMM HW Switch from single OS to VMM: Web and mail servers are now isolated (or consolidated), but how to share devices? Option 1: VMM runs physical device driver. VM drivers for “virtual” device. Either real (emulated) HW, or idealized.
Duct Tape: (Simple yet effective connective mechanism.) No generalized IPC in the VMM Event notification (virtual irqs) Memory sharing primitives Chainsaw: (Somewhat imprecise surgical instrument) The OS is a component. OSes work, have lots of tools, and know how to talk to other OSes. Maintained by other people. A digression…
Devices in Xen. Web Mail OS (Device VM) OS OS VD.S VD.D VD.D VMM DD HW Option 2: VMM exports physical hardware to a device VM. Use OS driver, OS mechanisms (e.g. packet forwarding)
Devices in Xen. 1. Coarse-grained sharing 1. Coarse-grained sharing 2. Simple one-bit notification Mail OS (Device VM) OS R R R DD VD.S VD.D VMM HW Option 2: VMM exports physical hardware to a device VM. Use OS driver, OS mechanisms (e.g. packet forwarding)
Devices in Xen. 1. Coarse-grained sharing 2. Simple one-bit notification 1. Coarse-grained sharing Mail OS (Device VM) OS R R R DD VD.S R R R VD.D VMM HW Option 2: VMM exports physical hardware to a device VM. Use OS driver, OS mechanisms (e.g. packet forwarding)
Devices in Xen. 1. Coarse-grained sharing 1. Coarse-grained sharing 2. Simple one-bit notification Mail • Point of discussing that in (some) detail: • There is a fast, general mechanism for moving requests around. • Classes of drivers use simple protocols for requests. • VMM is largely uninvolved in the details. • Device driver is an extension. OS (Device VM) OS R R R DD VD.S VD.D VMM HW Option 2: VMM exports physical hardware to a device VM. Use OS driver, OS mechanisms (e.g. packet forwarding)
Extending Devices Logging. e.g. debug/analysis Redirecting. e.g. add versioning Rewriting. e.g. encryption Extension App. Mail OS (Device VM) OS (Extention VM) OS Dev. Tap DD VD.S VD.D VMM HW The device tap acts as a switch. In addition to interposing All messages, requests may be terminated or passed through.
Devices in Xen. Mail OS (Device VM) OS DD VD.S VD.D VMM HW
Mail OS VD.D Extending Devices Logging. e.g. debug/analysis Redirecting. e.g. add versioning Rewriting. e.g. encryption • Extension Goals: • Safety. • Software Engineering. • Performance. Extension App. OS (Device VM) OS (Extention VM) Dev. Tap DD VD.S VMM HW The device tap acts as a switch. In addition to interposing All messages, requests may be terminated or passed through. Trading isolation for performance. We may move the tap And extension code onto the device VM.
Extension Case Study: Packet Symmetry • DoS is a big concern in virtual hosting facilities. • Well-connected servers, paying for bandwidth. • exploited into a botnet == not good! • But provider can offer protection: • Enforce a symmetry on RX:TX packet counts. • See our HotNets paper (Kreibich et al) • Interesting extension bits: • Extension written in python. • Never drops packets.
Extension Case Study: Parallax • Managing storage in VM clusters. • Storage service “owns” local disks, and the OSes that manage them. • Parallax virtualizes storage, fast snapshots, etc. • Initially proposed as HotOS’05 paper. • Ongoing, with NetApp and Google. • Local disks as persistent caches. • Candidate selection for migration. • Support explicit snapshot request from OSs. • Not using a big filer.*
Pre-conclusion: Despite being a coarse-grained tool, VMMs are a great substrate forlow-level extensibility. Take-home message: …now the fun new part...
Protected VM VN VD I/O Taint Protected VM VN VD Taint Pagemap Full-system extensions. Qemu* Control VM ND DD VMM Disk Net 3. VM runs in emulation, tracking tainted data. Qemu microcode modified to reflect tainting across data movement. 1. Inbound pages are marked as tainted. Fine-grained taint Details in extension, page-granularity bitmap in VMM. 2. VM traps on access to a tainted page. Tainted pages Marked not-present. Throw VM to emulation. 4. Taint markings are propagated to disk. Disk extension marks tainted data, and re-taints memory on read.
Protected VM VN VD I/O Taint Protected VM VN VD Taint Pagemap Full-system extensions. Qemu* Control VM ND DD VMM Disk Net 2. VM traps on access to a tainted page. Tainted pages Marked not-present. Throw VM to emulation. 3. VM runs in emulation, tracking tainted data. Qemu microcode modified to reflect tainting across data movement. 4. Taint markings are propagated to disk. Disk extension marks tainted data, and re-taints memory on read. 1. Inbound pages are marked as tainted. Fine-grained taint Details in extension, page-granularity bitmap in VMM.
Despite being a coarse-grained tool, VMMs are a great substrate forlow-level extensibility. Conclusion: • VMM is a good base for device extensions. • With device tap, can write extensions in user-space, in any OS, without messing with individual kernels. • Treating devices as services seems to be a good approach to managing I/O in clusters. • V2E/E2V is very cool.