Hypervisor
In computing, a hypervisor, also called a virtual machine monitor (VMM), is one of many hardware virtualization techniques that allow multiple operating systems, termed guests, to run concurrently on a host computer. It is so named because it is conceptually one level higher than a supervisory program. The hypervisor presents the guest operating systems with a virtual operating platform and manages their execution. Multiple instances of a variety of operating systems may share the virtualized hardware resources. A hypervisor is typically installed on server hardware dedicated to running guest operating systems.
The term is also used for the virtualization layer that underpins the infrastructure as a service (IaaS) model of cloud computing.
The term "hypervisor" was first used in 1965, referring to software that accompanied an IBM RPQ for the IBM 360/65. It allowed the IBM 360/65 to share its memory: half acting like an IBM 360, half as an emulated IBM 7080. The software, labeled "hypervisor," switched between the two modes on a time-sliced basis. The term was coined as an evolution of "supervisor," the software that provided control on earlier hardware.
Classification
Robert P. Goldberg classifies two types of hypervisor:
- Type 1 (or native, bare-metal) hypervisors run directly on the host's hardware to control the hardware and to manage guest operating systems. A guest operating system thus runs at a level above the hypervisor. This model represents the classic implementation of virtual machine architectures; the original hypervisor was CP/CMS, developed at IBM in the 1960s, the ancestor of IBM's z/VM. Modern equivalents include VMware ESXi, Microsoft Hyper-V and KVM (which turns the Linux kernel itself into the hypervisor).
- Type 2 (or hosted) hypervisors run within a conventional operating system environment. With the hypervisor layer as a distinct second software level, guest operating systems run at the third level above the hardware.
In other words, a Type 1 hypervisor runs directly on the hardware; a Type 2 hypervisor runs on another operating system, such as FreeBSD or Linux. From a security standpoint the distinction matters because a hosted hypervisor's trusted computing base includes the entire host operating system, whereas a bare-metal hypervisor's can be kept considerably smaller.
Note: Microsoft Hyper-V (released in June 2008) exemplifies a Type 1 product that can be mistaken for a Type 2. Both the free stand-alone version and the version that is part of the commercial Windows Server 2008 product use a virtualized Windows Server 2008 parent partition to manage the Type 1 Hyper-V hypervisor. In both cases the Hyper-V hypervisor loads before the management operating system, and any virtual environments created run directly on the hypervisor, not via the management operating system. The parent partition is nonetheless highly privileged: it hosts the device drivers and the management interface, so a compromise of it endangers every guest on the machine.
Mainframe origins
The first hypervisor providing full virtualization, IBM's one-off research CP-40 system, began production use in January 1967, and became the first version of IBM's CP/CMS operating system. CP-40 ran on an S/360-40 that was modified at the IBM Cambridge Scientific Center to support Dynamic Address Translation, a key feature that allowed virtualization. Prior to this time, computer hardware had only been virtualized enough to allow multiple user applications to run concurrently (see CTSS and IBM M44/44X). With CP-40, the hardware's supervisor state was virtualized as well, allowing multiple operating systems to run concurrently in separate virtual machine contexts.
Programmers soon re-implemented CP-40 (as CP-67) for the IBM System/360-67, the first production computer system capable of full virtualization. IBM first shipped this machine in 1966; it included page-translation-table hardware for virtual memory, and other techniques that allowed full virtualization of all kernel tasks, including I/O and interrupt handling. (Note that its "official" operating system, the ill-fated TSS/360, did not employ full virtualization.) Both CP-40 and CP-67 began production use in 1967. CP/CMS was available to IBM customers from 1968 to 1972, in source code form without support.
CP/CMS formed part of IBM's attempt to build robust time-sharing systems for its mainframe computers. By running multiple operating systems concurrently, the hypervisor increased system robustness and stability: even if one operating system crashed, the others would continue working without interruption. Indeed, this even allowed beta or experimental versions of operating systems, or even of new hardware, to be deployed and debugged without jeopardizing the stable main production system, and without requiring costly additional development systems.
IBM announced its System/370 series in 1970 without any virtualization features, but added them in the August 1972 Advanced Function announcement. Virtualization has been featured in all successor systems. (All modern-day IBM mainframes, such as the zSeries line, retain backward compatibility with the 1960s-era IBM S/360 line.) The 1972 announcement also included VM/370, a reimplementation of CP/CMS for the S/370. Unlike CP/CMS, IBM provided support for this version (though it was still distributed in source code form for several releases). VM stands for Virtual Machine, emphasizing that all, and not just some, of the hardware interfaces are virtualized. Both VM and CP/CMS enjoyed early acceptance and rapid development by universities, corporate users, and time-sharing vendors, as well as within IBM. Users played an active role in ongoing development, anticipating trends seen in modern open source projects. However, in a series of disputed and bitter battles, time-sharing lost out to batch processing through IBM political infighting, and VM remained IBM's "other" mainframe operating system for decades, losing to MVS. It enjoyed a resurgence of popularity and support from 2000 as the z/VM product, for example as the platform for Linux for zSeries.
The VM control program includes a hypervisor-call handler that intercepts DIAG ("Diagnose") instructions issued within a virtual machine. This provides a fast path in which file-system access and other operations are performed by the control program directly rather than through the virtualized I/O hardware. DIAG is a model-dependent privileged instruction that normal programs never issue, so the control program has no need to emulate its native semantics: executing it in a virtual machine traps to the control program, which interprets it as a request to the host. When first implemented in CP/CMS release 3.1, this use of DIAG provided an operating-system interface analogous to the System/360 SVC ("supervisor call") instruction, but one that did not require altering or extending the system's virtualization of SVC.
In 1985 IBM introduced the PR/SM hypervisor to manage logical partitions (LPARs).
UNIX and Linux servers
Several factors led to a resurgence around 2005 in the use of virtualization technology among UNIX and Linux server vendors:
- expanding hardware capabilities, allowing each single machine to do more simultaneous work
- efforts to control costs and to simplify management through consolidation of servers
- the need to control large multiprocessor and cluster installations, for example in server farms and render farms
- the improved security, reliability, and device independence possible from hypervisor architectures
- the ability to run complex, OS-dependent applications in different hardware or OS environments
Major UNIX vendors, including Sun Microsystems, HP, IBM, and SGI, have been selling virtualized hardware since before 2000. These have generally been large systems with hefty, server-class price tags (in the multi-million dollar range at the high end), although virtualization is also available on some mid-range systems, such as IBM's System p servers, Sun's CoolThreads T1000, T2000 and T5x00 servers and the HP Superdome series.
Multiple host operating systems have been modified to run as guest OSes on Sun's Logical Domains hypervisor. Solaris, Linux (Ubuntu and Gentoo), and FreeBSD have been ported to run on top of the hypervisor (and can all run simultaneously on the same processor, as fully virtualized independent guest OSes). Wind River "Carrier Grade Linux" also runs on Sun's hypervisor. Full virtualization on SPARC processors proved straightforward: since its inception in the mid-1980s Sun deliberately kept the SPARC architecture clean of artifacts that would have impeded virtualization. (Compare with virtualization on x86 processors below.)
HP calls its technology for hosting multiple operating systems on its Itanium-powered (Integrity) systems "Integrity Virtual Machines" (Integrity VM). Itanium can run HP-UX, Linux, Windows and OpenVMS. Except for OpenVMS, to be supported in a later release, these environments are also supported as virtual servers on HP's Integrity VM platform. The HP-UX operating system hosts the Integrity VM hypervisor layer, which allows many important features of HP-UX to be taken advantage of and provides major differentiation between this platform and other commodity platforms, such as processor hot-swap, memory hot-swap, and dynamic kernel updates without a system reboot. While it heavily leverages HP-UX, the Integrity VM hypervisor is really a hybrid that runs on bare metal while guests are executing. Running normal HP-UX applications on an Integrity VM host is heavily discouraged, because Integrity VM implements its own memory management, scheduling and I/O policies that are tuned for virtual machines and are not as effective for normal applications. HP also provides more rigid partitioning of its Integrity and HP9000 systems by way of vPar and nPar technology, the former offering shared-resource partitioning and the latter complete I/O and processing isolation. The flexibility of the Virtual Server Environment (VSE) has led to its more frequent use in newer deployments.
IBM provides virtualization partition technology known as logical partitioning (LPAR) on System/390, zSeries, pSeries and iSeries systems. For IBM's Power Systems, the POWER Hypervisor (PowerVM) functions as a native (bare-metal) hypervisor and provides strong isolation between LPARs, evaluated to Common Criteria EAL4+. Processor capacity is provided to LPARs either in a dedicated fashion or on an entitlement basis, where unused capacity is harvested and can be re-allocated to busy workloads. Groups of LPARs can have their processor capacity managed as if they were in a "pool"; IBM refers to this capability as Multiple Shared-Processor Pools (MSPPs) and implements it in servers with the POWER6 processor. LPAR and MSPP capacity allocations can be changed dynamically. Memory is allocated to each LPAR (at LPAR initiation or dynamically) and is address-controlled by the POWER Hypervisor. For real-mode addressing by operating systems (AIX, Linux, IBM i), the POWER processors (POWER4 onwards) have architected virtualization capabilities where a hardware address offset is combined with the OS address offset to arrive at the physical memory address, and the hardware bounds such accesses so that a partition cannot reach memory outside its own allocation. Input/output (I/O) adapters can be exclusively "owned" by LPARs or shared by LPARs through an appliance partition known as the Virtual I/O Server (VIOS). The POWER Hypervisor provides high levels of reliability, availability and serviceability (RAS) by facilitating hot add/replace of many parts (model dependent: processors, memory, I/O adapters, blowers, power units, disks, system controllers, etc.).
Similar trends have occurred with x86/x86_64 server platforms, where open-source projects such as Xen have led virtualization efforts. These include hypervisors built on Linux and Solaris kernels as well as custom kernels. Since these technologies span from large systems down to desktops, they are described in the next section.
PCs and desktop systems
One of the early PC hypervisors, the commercial VMware, debuted in 1998. Parallels, Inc. introduced Parallels Workstation, which is primarily used on PCs, in 2005 and Parallels Desktop for Mac, which runs on Mac OS X (10.4 for Intel or higher), in 2006.
The x86 architecture used in most PC systems poses particular difficulties for virtualization: some of its instructions are sensitive to privilege level yet do not trap when executed in user mode, which violates the Popek and Goldberg requirements for simple trap-and-emulate, so early x86 hypervisors had to fall back on binary translation or paravirtualization. Full virtualization (presenting the illusion of a complete set of standard hardware) on x86 therefore has significant costs in hypervisor complexity and run-time performance. Starting in 2005, CPU vendors have added hardware virtualization assistance to their products, for example Intel's VT-x (codenamed Vanderpool) and AMD's AMD-V (codenamed Pacifica). These extensions address the parts of x86 that are difficult or inefficient to virtualize, providing additional support to the hypervisor. This enables simpler virtualization code and higher performance for full virtualization.
An alternative approach requires modifying the guest operating system to make explicit calls to the hypervisor rather than executing machine I/O instructions that the hypervisor must then trap and simulate. This is called paravirtualization in Xen, a "hypercall" in Parallels Workstation, and a "DIAGNOSE code" in IBM's VM. VMware supplements the slowest parts of full virtualization with paravirtualized device drivers for the guest. All are really the same thing: a system call to the hypervisor below. That interface is also an attack surface: hypercall handlers parse guest-controlled arguments at the highest privilege level on the machine and must validate them as carefully as a kernel validates system-call arguments. Some microkernels, such as Mach and L4, are flexible enough that paravirtualization of guest operating systems is possible.
In June 2008 Microsoft delivered a new Type 1 hypervisor called Hyper-V (codenamed "Viridian" and previously referred to as "Windows Server virtualization"); the design features OS integration at the lowest level. Versions of the Windows operating system beginning with Windows Vista include extensions to boost performance when running on top of the Hyper-V hypervisor.
Embedded systems
Hypervisors for embedded systems allow a high-level operating system (such as Microsoft Windows) to run while at the same time maintaining traditional real-time operating system (RTOS) APIs. The low-level RTOS environments need to be retained for legacy support, and because the real-time capabilities of high-level OSes are insufficient for many embedded applications.
Embedded hypervisors must therefore have real-time capability, a design criterion not present for hypervisors used in other domains. The resource-constrained nature of many embedded systems, especially battery-powered mobile systems, imposes a further requirement for small memory size and low overhead. Finally, in contrast to the ubiquity of the x86 architecture in the PC world, the embedded world uses a wider variety of architectures. Support for virtualization requires memory protection (in the form of a memory management unit or at least a memory protection unit) and a distinction between user mode and privileged mode, which rules out most microcontrollers. This still leaves x86, MIPS, ARM and PowerPC as widely deployed architectures on medium- to high-end embedded systems.
As manufacturers of embedded systems usually have the source code to their operating systems, they have less need for full virtualization in this space. Instead, the performance advantages of paravirtualization usually make it the virtualization technology of choice. Nevertheless, ARM has recently added full virtualization support as an IP option and has included it in its latest high-end processor, codenamed Eagle (the Cortex-A15).
Other differences between virtualization in server/desktop and embedded environments include requirements for efficient sharing of resources across virtual machines, high-bandwidth, low-latency inter-VM communication, a global view of scheduling and power management, and fine-grained control of information flows.
Security implications
The use of hypervisor technology by malware and rootkits that install themselves as a hypervisor below the operating system can make them more difficult to detect, because the malware can intercept any operation of the operating system (such as someone entering a password) without the antivirus software necessarily noticing, since the malware runs below the entire operating system. Implementation of the concept has allegedly occurred in the SubVirt laboratory rootkit (developed jointly by Microsoft and University of Michigan researchers) as well as in the Blue Pill malware package. However, such assertions have been disputed by others, who argue that the presence of a hypervisor-based rootkit can indeed be detected, for example through the timing differences introduced by the instructions the hypervisor must intercept.
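The cooperative check that an operating system or an inspector can make for a hypervisor, as an added example in C that is not code from this page or from any of the projects it names: CPUID leaf 1 advertises a "hypervisor present" bit (ECX bit 31) and leaf 0x40000000 a 12-byte vendor signature. CPUID is one of the instructions that Intel VT-x and AMD-V unconditionally trap to the hypervisor, which is exactly why the check cuts both ways: a benign hypervisor sets the bit so guests can find its paravirtual interfaces, while a hypervisor-based rootkit of the kind discussed above simply leaves the bit clear and returns bare-metal values, so a clear bit proves nothing. The leaf and bit numbers are those documented by Intel and AMD; the signature table, the function names and the register values used for testing are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>          /* GCC/Clang: __get_cpuid() and the __cpuid() macro */
#define HAVE_CPUID 1
#else
#define HAVE_CPUID 0
#endif

/* CPUID leaf 1, ECX bit 31: reserved as zero on bare metal by Intel and
 * AMD; hypervisors set it for their guests ("hypervisor present"). */
#define CPUID_HV_PRESENT_BIT (1u << 31)

/* CPUID leaf 0x40000000: when the bit above is set, EBX:ECX:EDX carry a
 * 12-byte vendor signature such as "KVMKVMKVM" or "VMwareVMware". */
#define CPUID_HV_VENDOR_LEAF 0x40000000u

int hv_present_from_ecx(uint32_t ecx)
{
    return (ecx & CPUID_HV_PRESENT_BIT) != 0;
}

/* Unpack the signature registers byte by byte, low byte first (the order
 * CPUID defines), so the result does not depend on host endianness. */
void hv_vendor_string(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int b = 0; b < 4; b++)
            out[r * 4 + b] = (char)((regs[r] >> (8 * b)) & 0xffu);
    out[12] = '\0';
}

/* Map documented signatures to a name; anything else is "unknown".
 * Signatures shorter than 12 bytes are NUL-padded by the vendor, so a
 * plain strcmp against the unpadded string is correct. (Table is this
 * example's own selection, not an exhaustive list.) */
const char *hv_vendor_name(const char *sig)
{
    static const struct { const char *sig, *name; } table[] = {
        { "KVMKVMKVM",    "KVM" },
        { "VMwareVMware", "VMware" },
        { "Microsoft Hv", "Hyper-V" },
        { "XenVMMXenVMM", "Xen" },
        { "VBoxVBoxVBox", "VirtualBox" },
        { "TCGTCGTCGTCG", "QEMU (TCG)" },
    };
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(sig, table[i].sig) == 0)
            return table[i].name;
    return "unknown";
}

/* Convenience wrapper: decode three registers straight to a name.
 * Uses a static buffer, so it is not reentrant. */
const char *hv_vendor_name_from_regs(uint32_t ebx, uint32_t ecx, uint32_t edx)
{
    static char sig[13];
    hv_vendor_string(ebx, ecx, edx, sig);
    return hv_vendor_name(sig);
}

/* Ask the CPU we are running on. Returns 1 if a hypervisor advertises
 * itself, 0 if the bit is clear, -1 if this build target has no CPUID.
 * The vendor buffer is filled only in the 1 case. A clear bit means
 * "bare metal, or a hypervisor that chose not to say". */
int probe_hypervisor(char vendor[13])
{
    vendor[0] = '\0';
#if HAVE_CPUID
    unsigned int eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;                       /* leaf 1 absent: no usable CPUID */
    if (!hv_present_from_ecx(ecx))
        return 0;
    /* 0x40000000 lies outside the basic/extended ranges that
     * __get_cpuid() range-checks, so issue the instruction directly. */
    __cpuid(CPUID_HV_VENDOR_LEAF, eax, ebx, ecx, edx);
    hv_vendor_string(ebx, ecx, edx, vendor);
    return 1;
#else
    return -1;
#endif
}

int main(void)
{
    char vendor[13];
    int r = probe_hypervisor(vendor);
    if (r < 0)
        puts("CPUID unavailable on this architecture");
    else if (r == 0)
        puts("hypervisor bit clear: bare metal, or a hypervisor that hides");
    else
        printf("hypervisor bit set, signature \"%s\" (%s)\n",
               vendor, hv_vendor_name(vendor));
    return 0;
}
```

Build with any C99 compiler on x86; on other architectures probe_hypervisor() reports -1 while the decoding helpers still work on register values supplied by the caller. Because the hypervisor fully controls what CPUID returns, this is a reporting interface rather than a detection tool; finding a hypervisor that wants to stay hidden needs side channels it does not fully control, such as the timing of trapped instructions, which is the substance of the dispute described above.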
In 2009, researchers from Microsoft and North Carolina State University demonstrated a hypervisor-layer anti-rootkit called Hooksafe that can provide generic protection against kernel-mode rootkits.
Computing
Computing is usually defined as the activity of using and improving computer hardware and software. It is the computer-specific part of information technology...
, a hypervisor, also called virtual machine manager (VMM), is one of many hardware virtualization
Hardware virtualization
Computer hardware virtualization is the virtualization of computers or operating systems. It hides the physical characteristics of a computing platform from users, instead showing another abstract computing platform...
techniques that allow multiple operating system
Operating system
An operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
s, termed guests, to run concurrently on a host computer. It is so named because it is conceptually one level higher than a supervisory program
Supervisory program
A supervisory program or supervisor is a computer program, usually part of an operating system, that controls the execution of other routines and regulates work scheduling, input/output operations, error actions, and similar functions and regulates the flow of work in a data processing system.It...
. The hypervisor presents to the guest operating systems a virtual operating platform and manages the execution of the guest operating systems. Multiple instances of a variety of operating systems may share the virtualized hardware resources. Hypervisors are installed on server hardware whose only task is to run guest operating systems.
The term is often used to describe the interface provided by the specific cloud computing
Cloud computing
Cloud computing is the delivery of computing as a service rather than a product, whereby shared resources, software, and information are provided to computers and other devices as a utility over a network ....
functionality infrastructure as a service (IaaS).
The term "hypervisor" was first used in 1965, referring to software that accompanied an IBM RPQ for the IBM 360/65. It allowed the model IBM 360/65 to share its memory: half acting like a IBM 360; half as an emulated IBM 7080. The software, labeled "hypervisor," did the switching between the 2 modes on split time basis. The term hypervisor was coined as an evolution of the term "supervisor," the software that provided control on earlier hardware.
Classification
Robert P. Goldberg classifies two types of hypervisor:- Type 1 (or native, bare metal) hypervisors run directly on the host's hardware to control the hardware and to manage guest operating systems. A guest operating system thus runs on another level above the hypervisor.
- This model represents the classic implementation of virtual machine architectures; the original hypervisor was CP/CMSCP/CMSCP/CMS was a time-sharing operating system of the late 60s and early 70s, known for its excellent performance and advanced features...
, developed at IBMIBMInternational Business Machines Corporation or IBM is an American multinational technology and consulting corporation headquartered in Armonk, New York, United States. IBM manufactures and sells computer hardware and software, and it offers infrastructure, hosting and consulting services in areas...
in the 1960s, ancestor of IBM's z/VMZ/VMz/VM is the current version in IBM's VM family of virtual machine operating systems. z/VM was first released in October 2000 and remains in active use and development . It is directly based on technology and concepts dating back to the 1960s, with IBM's CP/CMS on the IBM System/360-67...
. A modern equivalent of this is the VMware ESXi, Microsoft Hyper-VHyper-VMicrosoft Hyper-V, codenamed Viridian and formerly known as Windows Server Virtualization, is a hypervisor-based virtualization system for x86-64 systems. A beta version of Hyper-V was shipped with certain x86-64 editions of Windows Server 2008, and the finalized version was released on June 26,...
hypervisor, or KVMKernel-based Virtual MachineKernel-based Virtual Machine is a virtualization infrastructure for the Linux kernel. KVM supports native virtualization on processors with hardware virtualization extensions....
hypervisor.- Type 2 (or hosted) hypervisors run within a conventional operating systemOperating systemAn operating system is a set of programs that manage computer hardware resources and provide common services for application software. The operating system is the most important type of system software in a computer system...
environment. With the hypervisor layer as a distinct second software level, guest operating systems run at the third level above the hardware.
- Type 2 (or hosted) hypervisors run within a conventional operating system
In other words, Type 1 hypervisor runs directly on the hardware; a Type 2 hypervisor runs on another operating system, such as FreeBSD or Linux.
Note: Microsoft Hyper-V
Hyper-V
Microsoft Hyper-V, codenamed Viridian and formerly known as Windows Server Virtualization, is a hypervisor-based virtualization system for x86-64 systems. A beta version of Hyper-V was shipped with certain x86-64 editions of Windows Server 2008, and the finalized version was released on June 26,...
(released in June 2008) exemplifies a type 1 product that can be mistaken for a type 2. Both the free stand-alone version and the version that is part of the commercial Windows Server 2008 product use a virtualized Windows Server 2008 parent partition to manage the Type 1 Hyper-V hypervisor. In both cases the Hyper-V hypervisor loads prior to the management operating system, and any virtual environments created run directly on the hypervisor, not via the management operating system.
Mainframe origins
The first hypervisor providing full virtualizationFull virtualization
In computer science, full virtualization is a virtualization technique used to provide a certain kind of virtual machine environment, namely, one that is a complete simulation of the underlying hardware...
, IBM's one-off research CP-40
IBM CP-40
CP-40 was a research precursor to CP-67, which in turn was part of IBM's then-revolutionary CP[-67]/CMS – a virtual machine/virtual memory time-sharing operating system for the IBM System/360-67, and the parent of IBM's VM family. CP-40 ran multiple instances of client operating systems...
system, began production use in January 1967, and became the first version of IBM's CP/CMS
CP/CMS
CP/CMS was a time-sharing operating system of the late 60s and early 70s, known for its excellent performance and advanced features...
operating system. CP-40 ran on a S/360-40
System/360
The IBM System/360 was a mainframe computer system family first announced by IBM on April 7, 1964, and sold between 1964 and 1978. It was the first family of computers designed to cover the complete range of applications, from small to large, both commercial and scientific...
that was modified at the IBM Cambridge Scientific Center
Cambridge Scientific Center
The IBM Cambridge Scientific Center, established in February 1964 by Norm Rasmussen, was situated at 545 Technology Square , Cambridge, Massachusetts in the same building as MIT's Project MAC...
to support Dynamic Address Translation, a key feature that allowed virtualization. Prior to this time, computer hardware had only been virtualized enough to allow multiple user applications to run concurrently (see CTSS and IBM M44/44X
IBM M44/44X
The IBM M44/44X was an experimental computer system from the mid 1960s, designed and operated at IBM's Thomas J. Watson Research Center at Yorktown Heights, New York. It was based on an IBM 7044 , and simulated multiple 7044 virtual machines , using both hardware and software. Key team members were...
). With CP-40, the hardware's supervisor state was virtualized as well, allowing multiple operating systems to run concurrently in separate virtual machine
Virtual machine
A virtual machine is a "completely isolated guest operating system installation within a normal host operating system". Modern virtual machines are implemented with either software emulation or hardware virtualization or both together.-VM Definitions:A virtual machine is a software...
contexts.
Programmers soon re-implemented CP-40 (as CP-67
CP-67
CP-67 was the control program portion of CP/CMS, a virtual machine operating system developed for the IBM System/360-67 by IBM's Cambridge Scientific Center. It was a reimplementation of their earlier research system CP-40, which ran on a one-off customized S/360-40...
) for the IBM System/360-67, the first production computer-system capable of full virtualization
Full virtualization
In computer science, full virtualization is a virtualization technique used to provide a certain kind of virtual machine environment, namely, one that is a complete simulation of the underlying hardware...
. IBM first shipped this machine in 1966; it included page-translation-table hardware for virtual memory, and other techniques that allowed a full virtualization
Full virtualization
In computer science, full virtualization is a virtualization technique used to provide a certain kind of virtual machine environment, namely, one that is a complete simulation of the underlying hardware...
of all kernel tasks, including I/O and interrupt handling. (Note that its "official" operating system, the ill-fated TSS/360
TSS/360
The IBM Time Sharing System TSS/360 was an early time-sharing operating system designed exclusively for a special model of the System/360 line of mainframes, the Model 67. Made available on a trial basis to a limited set of customers in 1967, it was never officially released as a supported product...
, did not employ full virtualization.) Both CP-40 and CP-67 began production use in 1967. CP/CMS
CP/CMS
CP/CMS was a time-sharing operating system of the late 60s and early 70s, known for its excellent performance and advanced features...
was available to IBM customers from 1968 to 1972, in source code form without support.
CP/CMS
CP/CMS
CP/CMS was a time-sharing operating system of the late 60s and early 70s, known for its excellent performance and advanced features...
formed part of IBM's attempt to build robust time-sharing
Time-sharing
Time-sharing is the sharing of a computing resource among many users by means of multiprogramming and multi-tasking. Its introduction in the 1960s, and emergence as the prominent model of computing in the 1970s, represents a major technological shift in the history of computing.By allowing a large...
systems for its mainframe
Mainframe computer
Mainframes are powerful computers used primarily by corporate and governmental organizations for critical applications, bulk data processing such as census, industry and consumer statistics, enterprise resource planning, and financial transaction processing.The term originally referred to the...
computers. By running multiple operating systems concurrently, the hypervisor increased system robustness and stability: Even if one operating system crashed, the others would continue working without interruption. Indeed, this even allowed beta or experimental versions of operating systems – or even of new hardware – to be deployed and debugged, without jeopardizing the stable main production system, and without requiring costly additional development systems.
IBM announced its System/370
System/370
The IBM System/370 was a model range of IBM mainframes announced on June 30, 1970 as the successors to the System/360 family. The series maintained backward compatibility with the S/360, allowing an easy migration path for customers; this, plus improved performance, were the dominant themes of the...
series in 1970 without any virtualization features, but added them in the August 1972 Advanced Function announcement. Virtualization has been featured in all successor systems. (All modern-day IBM mainframes, such as the zSeries
ZSeries
IBM System z, or earlier IBM eServer zSeries, is a brand name designated by IBM to all its mainframe computers.In 2000, IBM rebranded the existing System/390 to IBM eServer zSeries with the e depicted in IBM's red trademarked symbol, but because no specific machine names were changed for...
line, retain backwards-compatibility with the 1960s-era IBM S/360 line.) The 1972 announcement also included VM/370
VM (operating system)
VM refers to a family of IBM virtual machine operating systems used on IBM mainframes System/370, System/390, zSeries, System z and compatible systems, including the Hercules emulator for personal computers. The first version, released in 1972, was VM/370, or officially Virtual Machine Facility/370...
, a reimplementation of CP/CMS
CP/CMS
CP/CMS was a time-sharing operating system of the late 60s and early 70s, known for its excellent performance and advanced features...
for the S/370. Unlike CP/CMS
CP/CMS
CP/CMS was a time-sharing operating system of the late 60s and early 70s, known for its excellent performance and advanced features...
, IBM provided support for this version (though it was still distributed in source code form for several releases). VM stands for Virtual Machine
Virtual machine
A virtual machine is a "completely isolated guest operating system installation within a normal host operating system". Modern virtual machines are implemented with either software emulation or hardware virtualization or both together.-VM Definitions:A virtual machine is a software...
, emphasizing that all, and not just some, of the hardware interfaces are virtualized. Both VM and CP/CMS enjoyed early acceptance and rapid development by universities, corporate users, and time-sharing
Time-sharing
Time-sharing is the sharing of a computing resource among many users by means of multiprogramming and multi-tasking. Its introduction in the 1960s, and emergence as the prominent model of computing in the 1970s, represents a major technological shift in the history of computing.By allowing a large...
vendors, as well as within IBM. Users played an active role in ongoing development, anticipating trends seen in modern open source
Open source
The term open source describes practices in production and development that promote access to the end product's source materials. Some consider open source a philosophy, others consider it a pragmatic methodology...
projects. However, in a series of disputed and bitter battles, time-sharing lost out to batch processing through IBM political infighting, and VM remained IBM's "other" mainframe operating system for decades, losing to MVS
MVS
Multiple Virtual Storage, more commonly called MVS, was the most commonly used operating system on the System/370 and System/390 IBM mainframe computers...
. It enjoyed a resurgence of popularity and support from 2000 as the z/VM
Z/VM
z/VM is the current version in IBM's VM family of virtual machine operating systems. z/VM was first released in October 2000 and remains in active use and development . It is directly based on technology and concepts dating back to the 1960s, with IBM's CP/CMS on the IBM System/360-67...
product, for example as the platform for Linux for zSeries.
As mentioned above, the VM control program includes a hypervisor-call handler which intercepts DIAG ("Diagnose") instructions used within a virtual machine. This provides fast-path non-virtualized execution of file-system access and other operations. (DIAG is a model-dependent privileged instruction, not used in normal programming, and thus is not virtualized. It is therefore available for use as a signal to the "host" operating system.) When first implemented in CP/CMS
CP/CMS
CP/CMS was a time-sharing operating system of the late 60s and early 70s, known for its excellent performance and advanced features...
release 3.1, this use of DIAG provided an operating system interface that was analogous to the System/360
System/360
The IBM System/360 was a mainframe computer system family first announced by IBM on April 7, 1964, and sold between 1964 and 1978. It was the first family of computers designed to cover the complete range of applications, from small to large, both commercial and scientific...
SVC ("supervisor call") instruction, but that did not require altering or extending the system's virtualization of SVC.
In 1985 IBM introduced the PR/SM
PR/SM
PR/SM is a type-1 Hypervisor that allows multiple logical partitions to share physical resources such as CPUs, I/O channels and direct access storage devices...
hypervisor to manage logical partitions (LPAR).
UNIX and Linux servers
Several factors led to a resurgence around 2005 in the use of virtualization technology among UNIX and Linux server vendors:
- expanding hardware capabilities, allowing each single machine to do more simultaneous work
- efforts to control costs and to simplify management through consolidation of servers
- the need to control large multiprocessor and cluster installations, for example in server farms and render farms
- the improved security, reliability, and device independence possible from hypervisor architectures
- the ability to run complex, OS-dependent applications in different hardware or OS environments
Major UNIX vendors, including Sun Microsystems, HP, IBM, and SGI, have been selling virtualized hardware since before 2000. These have generally been large systems with hefty, server-class price-tags (in the multi-million dollar range at the high end), although virtualization is also available on some mid-range systems, such as IBM's System p servers, Sun's CoolThreads T1000, T2000 and T5x00 servers and the HP Superdome series.
Multiple host operating systems have been modified to run as guest OSes on Sun's Logical Domains Hypervisor. Solaris, Linux (Ubuntu and Gentoo), and FreeBSD have been ported to run on top of Hypervisor (and can all run simultaneously on the same processor, as fully virtualized independent guest OSes). Wind River "Carrier Grade Linux" also runs on Sun's Hypervisor. Full virtualization on SPARC processors proved straightforward: since its inception in the mid-1980s Sun deliberately kept the SPARC architecture clean of artifacts that would have impeded virtualization. (Compare with virtualization on x86 processors below.)
HP calls its technology for hosting multiple operating systems on its Itanium-powered systems (Integrity) "Integrity Virtual Machines" (Integrity VM). Itanium can run HP-UX, Linux, Windows and OpenVMS. Except for OpenVMS, to be supported in a later release, these environments are also supported as virtual servers on HP's Integrity VM platform. The HP-UX operating system hosts the Integrity VM hypervisor layer, which allows many important features of HP-UX to be taken advantage of and provides major differentiation between this platform and other commodity platforms, such as processor hotswap, memory hotswap, and dynamic kernel updates without system reboot. While it heavily leverages HP-UX, the Integrity VM hypervisor is really a hybrid that runs on bare metal while guests are executing. Running normal HP-UX applications on an Integrity VM host is heavily discouraged, because Integrity VM implements its own memory management, scheduling and I/O policies that are tuned for virtual machines and are not as effective for normal applications. HP also provides more rigid partitioning of their Integrity and HP9000 systems by way of VPAR and nPar technology, the former offering shared resource partitioning and the latter offering complete I/O and processing isolation. The flexibility of the virtual server environment (VSE) has led to its more frequent use in newer deployments.
IBM provides virtualization partition technology known as logical partitioning (LPAR) on System/390, zSeries, pSeries and iSeries systems. For IBM's Power Systems, the Power Hypervisor (PowerVM) functions as a native (bare-metal) hypervisor and provides EAL4+ strong isolation between LPARs. Processor capacity is provided to LPARs in either a dedicated fashion or on an entitlement basis where unused capacity is harvested and can be re-allocated to busy workloads. Groups of LPARs can have their processor capacity managed as if they were in a "pool" - IBM refers to this capability as Multiple Shared-Processor Pools (MSPPs) and implements it in servers with the POWER6 processor. LPAR and MSPP capacity allocations can be dynamically changed. Memory is allocated to each LPAR (at LPAR initiation or dynamically) and is address-controlled by the POWER Hypervisor. For real-mode addressing by operating systems (AIX, Linux, IBM i), the POWER processors (POWER4 onwards) have architected virtualization capabilities where a hardware address-offset is evaluated with the OS address-offset to arrive at the physical memory address. Input/Output (I/O) adapters can be exclusively "owned" by LPARs or shared by LPARs through an appliance partition known as the Virtual I/O Server (VIOS). The Power Hypervisor provides for high levels of reliability, availability and serviceability (RAS) by facilitating hot add/replace of many parts (model dependent: processors, memory, I/O adapters, blowers, power units, disks, system controllers, etc.).
Similar trends have occurred with x86/x86_64 server platforms, where open-source projects such as Xen have led virtualization efforts. These include hypervisors built on Linux and Solaris kernels as well as custom kernels. Since these technologies span from large systems down to desktops, they are described in the next section.
PCs and desktop systems
Interest in the high-profit server-hardware market sector has led to the development of hypervisors for machines using the Intel x86 instruction set, including for traditional desktop PCs. One of the early PC hypervisors, the commercial-software VMware, debuted in 1998. Parallels, Inc. introduced Parallels Workstation, which is primarily used on PCs, in 2005 and Parallels Desktop for Mac, which runs on Mac OS X (10.4 for Intel or higher), in 2006.
The x86 architecture used in most PC systems poses particular difficulties to virtualization. Full virtualization (presenting the illusion of a complete set of standard hardware) on x86 has significant costs in hypervisor complexity and run-time performance. Starting in 2005, CPU vendors have added hardware virtualization assistance to their products, for example: Intel's Intel VT-x (codenamed Vanderpool) and AMD's AMD-V (codenamed Pacifica). These extensions address the parts of x86 that are difficult or inefficient to virtualize, providing additional support to the hypervisor. This enables simpler virtualization code and a higher performance for full virtualization.
An alternative approach requires modifying the guest operating system to make system calls to the hypervisor, rather than executing machine I/O instructions which the hypervisor then simulates. This is called paravirtualization in Xen, a "hypercall" in Parallels Workstation, and a "DIAGNOSE code" in IBM's VM. VMware supplements the slowest rough corners of virtualization with device drivers for the guest. All are really the same thing, a system call to the hypervisor below. Some microkernels such as Mach and L4 are flexible enough that "paravirtualization" of guest operating systems is possible.
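The two mechanisms described on this page, a hypervisor call trapped from the guest (DIAG, hypercall, DIAGNOSE code) and the hypervisor-controlled address offset that the POWER passage above describes, can be shown together in a small model. The following C program is an added example written for this page, not code from Xen, Parallels, IBM VM or PowerVM, and its hypercall ABI (the `HC_*` codes, the `guest` struct, the `guest_puts` driver) is invented for illustration. Two guest partitions share one "machine" RAM; each guest addresses its memory from offset zero, the hypervisor adds the partition's base, and every hypercall argument that names guest memory is bounds-checked against the partition before it is touched, which is the isolation property the page attributes to LPARs.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy paravirtualized hypercall interface (a made-up ABI, not Xen's, Parallels' or
 * IBM VM's real one). Two guests share one "machine" RAM; the hypervisor knows each
 * guest's base offset and size, the guest only ever uses offsets from zero. */

enum hc_code   { HC_CONSOLE_WRITE = 1, HC_YIELD = 2 };
enum hc_status { HC_OK = 0, HC_EBADCODE = -1, HC_EFAULT = -2, HC_ENOSPC = -3 };

#define MACHINE_RAM_SIZE 4096
static uint8_t machine_ram[MACHINE_RAM_SIZE];   /* all physical memory, owned by the hypervisor */

struct guest {
    const char *name;
    uint32_t base;   /* hardware address-offset assigned at partition creation; hidden from the guest */
    uint32_t size;   /* partition size in bytes */
};

/* Two partitions laid out back to back (constructed sample configuration). */
static const struct guest guest_a = { "A", 0,    1024 };
static const struct guest guest_b = { "B", 1024, 1024 };

/* Translate a guest-physical range [gpa, gpa+len) to a host pointer. Returns NULL if
 * the range leaves the guest's partition, including when gpa+len would wrap around. */
static uint8_t *gpa_to_host(const struct guest *g, uint32_t gpa, uint32_t len)
{
    if (len == 0 || gpa > g->size || len > g->size - gpa)
        return NULL;
    return machine_ram + g->base + gpa;
}

static char   console_log[256];
static size_t console_len;

/* HC_CONSOLE_WRITE: copy len bytes from guest memory at gpa to the host console. */
static int hc_console_write(const struct guest *g, uint32_t gpa, uint32_t len)
{
    const uint8_t *src = gpa_to_host(g, gpa, len);
    if (!src)
        return HC_EFAULT;                 /* guest named memory it does not own */
    if (len > sizeof console_log - 1 - console_len)
        return HC_ENOSPC;
    memcpy(console_log + console_len, src, len);
    console_len += len;
    console_log[console_len] = '\0';
    return HC_OK;
}

/* Hypervisor entry point. On real systems this is reached through a trap
 * (DIAG on IBM VM, a hypercall instruction on Xen); here the guest simply calls it. */
int hypercall(const struct guest *g, uint32_t code, uint32_t arg0, uint32_t arg1)
{
    switch (code) {
    case HC_CONSOLE_WRITE: return hc_console_write(g, arg0, arg1);
    case HC_YIELD:         return HC_OK;  /* nothing to schedule in this toy */
    default:               return HC_EBADCODE;
    }
}

/* Guest side: the guest sees its own RAM starting at offset 0; the relocation by
 * g->base is what the hardware (or the hypervisor's page tables) would do for it. */
static uint8_t *guest_ram(const struct guest *g) { return machine_ram + g->base; }

/* A paravirtualized "console driver": place the text in guest memory, then hypercall. */
int guest_puts(const struct guest *g, uint32_t gpa, const char *text)
{
    uint32_t len = (uint32_t)strlen(text);
    if (gpa_to_host(g, gpa, len) == NULL)
        return HC_EFAULT;                 /* would fault in the guest's own MMU */
    memcpy(guest_ram(g) + gpa, text, len);
    return hypercall(g, HC_CONSOLE_WRITE, gpa, len);
}

const char *console_output(void) { return console_log; }

int main(void)
{
    printf("A: %d\n", guest_puts(&guest_a, 0, "hello from A\n"));
    printf("B: %d\n", guest_puts(&guest_b, 0, "hello from B\n"));
    /* A asks to print 64 bytes starting 8 bytes before its partition ends: refused */
    printf("A cross-partition: %d\n", hypercall(&guest_a, HC_CONSOLE_WRITE, 1016, 64));
    printf("A unknown code: %d\n", hypercall(&guest_a, 99, 0, 0));
    printf("console:\n%s", console_output());
    return 0;
}
```

The check in `gpa_to_host` is the whole point: the guest never learns or supplies `base`, and a length that would run past the partition boundary (or wrap the 32-bit address) is rejected before any copy, so a guest cannot use the console hypercall to read its neighbour's memory. Real hypervisors apply the same rule to every hypercall argument that names guest memory.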
In June 2008 Microsoft delivered a new Type-1 hypervisor called Hyper-V (codenamed "Viridian" and previously referred to as "Windows Server virtualization"); the design features OS integration at the lowest level.
Versions of the Windows operating system beginning with Windows Vista include extensions to boost performance when running on top of the Hyper-V hypervisor.
Embedded systems
Virtual machines have started to appear in embedded systems, such as mobile phones. This provides a high-level operating-system interface for application programming, such as Linux or Microsoft Windows, while at the same time maintaining traditional real-time operating system (RTOS) APIs. The low-level RTOS environments need to be retained for legacy support, and because the real-time capabilities of high-level OSes are insufficient for many embedded applications.
Embedded hypervisors must therefore have real-time capability, a design criterion not present for hypervisors used in other domains. The resource-constrained nature of many embedded systems, especially battery-powered mobile systems, imposes a further requirement for small memory-size and low overhead. Finally, in contrast to the ubiquity of the x86 architecture in the PC world, the embedded world uses a wider variety of architectures. Support for virtualization requires memory protection (in the form of a memory management unit or at least a memory protection unit) and a distinction between user mode and privileged mode, which rules out most microcontrollers. This still leaves x86, MIPS, ARM and PowerPC as widely deployed architectures on medium- to high-end embedded systems.
As manufacturers of embedded systems usually have the source code to their operating systems, they have less need for full virtualization in this space. Instead, the performance advantages of paravirtualization make this usually the virtualization technology of choice. Nevertheless, ARM has recently added full virtualization support as an IP option and has included it in their latest high-end processor codenamed Eagle.
Other differences between virtualization in server/desktop and embedded environments include requirements for efficient sharing of resources across virtual machines, high-bandwidth, low-latency inter-VM communication, a global view of scheduling and power management, and fine-grained control of information flows.
Security implications
The use of hypervisor technology by malware and rootkits installing themselves as a hypervisor below the operating system can make them more difficult to detect because the malware could intercept any operations of the operating system (such as someone entering a password) without the antivirus software necessarily detecting it (since the malware runs below the entire operating system). Implementation of the concept has allegedly occurred in the SubVirt laboratory rootkit (developed jointly by Microsoft and University of Michigan researchers) as well as in the Blue Pill malware package. However, such assertions have been disputed by others who claim that it would indeed be possible to detect the presence of a hypervisor-based rootkit.
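The simplest host-integrity check a defender can run to see whether an x86 machine is executing under a hypervisor at all is the architected CPUID interface: leaf 1 reserves ECX bit 31 as a "hypervisor present" flag, and leaf 0x40000000 returns a 12-byte vendor signature. The C program below is an added example for this page, not code from any of the projects or papers it names; the function names are its own, and the only external API it relies on is GCC/Clang's `<cpuid.h>`. It decodes the signature registers endian-independently, so the decoding can be checked offline with constructed register values, and performs the live probe only when compiled on x86.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* x86 reserves CPUID leaf 1, ECX bit 31 for "a hypervisor is present"; a cooperative
 * hypervisor sets it and answers leaf 0x40000000 with a 12-byte vendor signature in
 * EBX:ECX:EDX (low byte of EBX first). Both facts are from the Intel/AMD manuals. */
#define CPUID_HV_PRESENT  (1u << 31)
#define CPUID_HV_LEAF     0x40000000u

int hypervisor_bit_set(uint32_t leaf1_ecx)
{
    return (leaf1_ecx & CPUID_HV_PRESENT) != 0;
}

/* Unpack the signature registers into a printable, NUL-terminated string (13 bytes).
 * Bytes are taken in the architected order (low byte of EBX first), so the result
 * does not depend on host endianness. NUL padding is shown as '.'. */
void decode_hv_signature(uint32_t ebx, uint32_t ecx, uint32_t edx, char out[13])
{
    const uint32_t regs[3] = { ebx, ecx, edx };
    for (int r = 0; r < 3; r++)
        for (int b = 0; b < 4; b++) {
            char c = (char)((regs[r] >> (8 * b)) & 0xff);
            out[4 * r + b] = (c >= 0x20 && c <= 0x7e) ? c : '.';
        }
    out[12] = '\0';
}

/* Compare decoded signature registers against an expected vendor string. */
int hv_signature_is(uint32_t ebx, uint32_t ecx, uint32_t edx, const char *expected)
{
    char sig[13];
    decode_hv_signature(ebx, ecx, edx, sig);
    return strcmp(sig, expected) == 0;
}

/* Live probe of the machine this runs on.
 * Returns 1 (hypervisor advertised, sig filled), 0 (bit clear), -1 (not an x86 host). */
int probe_hypervisor(char sig[13])
{
    sig[0] = '\0';
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return -1;
    if (!hypervisor_bit_set(ecx))
        return 0;
    /* __get_cpuid() refuses leaves above the basic maximum, so use the raw macro here. */
    __cpuid(CPUID_HV_LEAF, eax, ebx, ecx, edx);
    decode_hv_signature(ebx, ecx, edx, sig);
    return 1;
#else
    return -1;
#endif
}

int main(void)
{
    char sig[13];
    int r = probe_hypervisor(sig);
    if (r < 0)       puts("not an x86 host; CPUID probe not applicable");
    else if (r == 0) puts("CPUID: no hypervisor advertised");
    else             printf("CPUID: hypervisor advertised, signature \"%s\"\n", sig);
    return 0;
}
```

Well-known cooperative signatures include "KVMKVMKVM" followed by three NUL bytes, "VMwareVMware" and "Microsoft Hv". The limit of this check is exactly the dispute the paragraph above describes: under VT-x and AMD-V the CPUID instruction always exits to the hypervisor, so a hypervisor that wants to hide can report the bit clear. A set bit is therefore reliable evidence that a hypervisor is present, while a clear bit is not evidence of absence, and detecting a concealed hypervisor requires the timing- and resource-based methods the researchers mentioned above argue about.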
In 2009, researchers from Microsoft and North Carolina State University demonstrated a hypervisor-layer anti-rootkit called Hooksafe that can provide generic protection against kernel-mode rootkits.
See also
- Comparison of platform virtual machines
- Nanokernel
- Virtual disk image
- PowerVM
- Storage hypervisor