Virtual Devices for Virtual Machines - PowerPoint PPT Presentation

Slides: 22
Provided by: andreww93
Transcript and Presenter's Notes

1
Virtual Devices for Virtual Machines
or: Building Extensible Devices with a Chainsaw
and some Duct Tape
  • Andrew Warfield

2
Despite being a coarse-grained tool, VMMs are a
great substrate for low-level extensibility.
Take-home message
VMMs: They're boxy, but they're good!
3
Why do we want to extend devices?
  • Add new device-level systems features.
  • Versioning storage, encryption, checksum offload.
  • Manage I/O for VMs in a cluster.
  • They move around!
  • I/O looks a lot like a service.

[Diagram: Soft Device; VM (OS Apps); Physical Device (e.g. disk); Extension (e.g. encryption)]
4
What are the challenges?
  • Performance.
    • Fast enough to be useful.
  • Safety.
    • Extensions shouldn't cause system to melt.
  • Software Engineering.
    • Extension writers shouldn't have to piece
      together the internals of an OS, learn
      undocumented interfaces and locking disciplines,
      or spend all their time tracking versions.
      Extensions should be portable across OSes.

5
The rest of this talk
  • Why VMMs are a good platform for device
    extensions.
  • a.k.a. how devices work in Xen.
  • An extension interface for Xen.
  • Case: Packet symmetry enforcement.
  • Case: The Parallax storage service.
  • New and somewhat crazy stuff.
  • Conclusion.

6
Devices in Xen.
Problem 1: Maintenance. VMM is now in the driver
trap: has to support new hardware, is
constantly chasing driver evolution.
Problem 2: Stability. Drivers are a huge amount
of (often buggy) code. We don't want to count
on them for reliability. Sometimes they crash.
[Diagram: Web, Mail, OS, DD, VD.D, VMM, HW]
Switch from single OS to VMM: Web and mail
servers are now isolated (or consolidated), but
how to share devices?
Option 1: VMM runs physical device driver. VM
drivers for virtual device. Either real
(emulated) HW, or idealized.
7
A digression
  • Chainsaw
  • (Somewhat imprecise surgical instrument)
  • The OS is a component.
  • OSes work, have lots of tools, and know how to
    talk to other OSes.
  • Maintained by other people.
  • Duct Tape
  • (Simple yet effective connective mechanism.)
  • No generalized IPC in the VMM
  • Event notification (virtual irqs)
  • Memory sharing primitives

8
Devices in Xen.
[Diagram: Web, Mail, OS, OS (Device VM), VD.D, VD.S, VMM, DD, HW]
Option 2: VMM exports physical hardware to a
device VM. Use OS driver, OS mechanisms (e.g.
packet forwarding).
9
Devices in Xen.
1. Coarse-grained sharing
2. Simple one-bit notification
[Diagram: Mail, OS, OS (Device VM), R, DD, VD.D, VD.S, VMM, HW]
Option 2: VMM exports physical hardware to a
device VM. Use OS driver, OS mechanisms (e.g.
packet forwarding).
11
Devices in Xen.
1. Coarse-grained sharing
2. Simple one-bit notification
  • Point of discussing that in (some) detail:
  • There is a fast, general mechanism for moving
    requests around.
  • Classes of drivers use simple protocols for
    requests.
  • VMM is largely uninvolved in the details.
  • Device driver is an extension.

[Diagram: Mail, OS, OS (Device VM), R, DD, VD.D, VD.S, VMM, HW]
Option 2: VMM exports physical hardware to a
device VM. Use OS driver, OS mechanisms (e.g.
packet forwarding).
12
Extending Devices
  • Logging. e.g. debug/analysis
  • Redirecting. e.g. add versioning
  • Rewriting. e.g. encryption
[Diagram: Mail, Extension App., OS, OS (Device VM), OS (Extension VM), Dev. Tap, DD, VD.D, VD.S, VMM, HW]
The device tap acts as a switch. In addition to
interposing all messages, requests may be
terminated or passed through.
13
Devices in Xen.
[Diagram: Mail, OS, OS (Device VM), DD, VD.D, VD.S, VMM, HW]
14
Extending Devices
  • Logging. e.g. debug/analysis
  • Redirecting. e.g. add versioning
  • Rewriting. e.g. encryption
  • Extension Goals
  • Safety. ?
  • Software Engineering. ?
  • Performance. ?

[Diagram: Extension App., OS (Device VM), OS (Extension VM), Dev. Tap, DD, VD.S, VMM, HW]
The device tap acts as a switch. In addition to
interposing all messages, requests may be
terminated or passed through.
Trading isolation for performance. We may move
the tap and extension code onto the device VM.
15
Extension Case Study: Packet Symmetry
  • DoS is a big concern in virtual hosting
    facilities.
  • Well-connected servers, paying for bandwidth.
  • Exploited into a botnet: not good!
  • But provider can offer protection.
  • Enforce a symmetry on RX/TX packet counts.
  • See our HotNets paper (Kreibich et al.)
  • Interesting extension bits
  • Extension written in python.
  • Never drops packets.
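
A minimal sketch of the packet-symmetry idea above, added here as an illustration; it is not the extension from the talk or the HotNets paper. The asymmetry metric ln((tx+1)/(rx+1)), the threshold, and the delay curve are assumptions, and the traces are constructed. Asymmetric senders are slowed down, and every packet is still forwarded.

```python
import math
from collections import defaultdict

class SymmetryLimiter:
    """Delays (never drops) outbound packets to remotes that do not answer."""

    def __init__(self, threshold=math.log(8), base_delay=0.05, max_delay=5.0):
        self.threshold = threshold      # assumed limit on ln((tx+1)/(rx+1))
        self.base_delay = base_delay    # assumed first penalty, in seconds
        self.max_delay = max_delay      # cap, so a held packet is still sent
        self.tx = defaultdict(int)      # packets the guest sent, per remote
        self.rx = defaultdict(int)      # packets the guest received, per remote

    def asymmetry(self, remote):
        return math.log((self.tx[remote] + 1) / (self.rx[remote] + 1))

    def on_rx(self, remote):
        self.rx[remote] += 1

    def on_tx(self, remote):
        """Count the packet and return how long to hold it before forwarding."""
        self.tx[remote] += 1
        excess = self.asymmetry(remote) - self.threshold
        if excess <= 0:
            return 0.0
        return min(self.max_delay, self.base_delay * 2 ** excess)

def replay(trace):
    """Run (direction, remote) events; return the delay given to each TX."""
    limiter, delays = SymmetryLimiter(), []
    for direction, remote in trace:
        if direction == "rx":
            limiter.on_rx(remote)
        else:
            delays.append(limiter.on_tx(remote))
    return delays

# Constructed traces: a request/response exchange and a one-way flood.
CHAT = [("tx", "198.51.100.7"), ("rx", "198.51.100.7")] * 50
FLOOD = [("tx", "203.0.113.9")] * 100

if __name__ == "__main__":
    print(max(replay(CHAT)), replay(FLOOD)[-1])
```
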

16
Extension Case Study: Parallax
  • Managing storage in VM clusters.
  • Storage service owns local disks, and the OSes
    that manage them.
  • Parallax virtualizes storage, fast snapshots,
    etc.
  • Initially proposed as HotOS'05 paper.
  • Ongoing, with NetApp and Google.
  • Local disks as persistent caches.
  • Candidate selection for migration.
  • Support explicit snapshot request from OSes.
  • Not using a big filer.

17
Despite being a coarse-grained tool, VMMs are a
great substrate for low-level extensibility.
Pre-conclusion
Take-home message
now the fun new part...
18
Full-system extensions.
[Diagram: Qemu, Control VM, DD, ND, VMM, Disk, Net]
1. Inbound pages are marked as tainted.
   Fine-grained taint details in extension,
   page-granularity bitmap in VMM.
2. VM traps on access to a tainted page.
   Tainted pages marked not-present. Throw VM to emulation.
3. VM runs in emulation, tracking tainted data.
   Qemu microcode modified to reflect tainting
   across data movement.
4. Taint markings are propagated to disk.
   Disk extension marks tainted data, and re-taints
   memory on read.
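
The four steps above as a small Python model, added here as an illustration; it is not code from the talk, Xen or Qemu. All class and method names are hypothetical, and the addresses and sector number are constructed. It shows the coarse page bitmap deciding when to trap, the fine-grained byte map following data movement, and taint surviving a round trip through the disk.

```python
PAGE = 4096

class TaintModel:
    def __init__(self):
        self.page_bitmap = set()  # VMM side: pages marked not-present (coarse)
        self.fine = set()         # extension side: tainted byte addresses
        self.disk = {}            # disk extension: sector -> tainted offsets

    def _mark(self, addr, tainted):
        if tainted:
            self.fine.add(addr)
            self.page_bitmap.add(addr // PAGE)
        else:
            # The page bit stays set: the coarse map may over-approximate.
            self.fine.discard(addr)

    def inbound(self, addr, length):
        """Step 1: data arriving from the network is tainted."""
        for a in range(addr, addr + length):
            self._mark(a, True)

    def access(self, addr, length=1):
        """Step 2: touching any tainted page traps and switches to emulation."""
        pages = range(addr // PAGE, (addr + length - 1) // PAGE + 1)
        return "emulate" if any(p in self.page_bitmap for p in pages) else "native"

    def copy(self, src, dst, length):
        """Step 3: in emulation, taint follows each byte that is moved."""
        flags = [src + i in self.fine for i in range(length)]
        for i, tainted in enumerate(flags):
            self._mark(dst + i, tainted)

    def disk_write(self, addr, sector, length):
        """Step 4: the disk extension records which sector bytes are tainted."""
        self.disk[sector] = {i for i in range(length) if addr + i in self.fine}

    def disk_read(self, sector, addr, length):
        """Step 4: reading the sector back re-taints memory."""
        for i in range(length):
            self._mark(addr + i, i in self.disk.get(sector, ()))

def demo():
    m = TaintModel()
    m.inbound(0x5000 + 100, 64)        # constructed inbound packet buffer
    same_page = m.access(0x5000)       # clean byte, but on a tainted page
    other_page = m.access(0x9000)
    m.copy(0x5000 + 100, 0x9000, 64)   # guest copies the payload
    m.disk_write(0x9000, sector=7, length=512)
    m.disk_read(7, 0x20000, 512)       # later read into a fresh buffer
    return (same_page, other_page, m.access(0x9000),
            0x20000 in m.fine, 0x20000 + 64 in m.fine)
```
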
20
Despite being a coarse-grained tool, VMMs are a
great substrate for low-level extensibility.
Conclusion
  • VMM is a good base for device extensions.
  • With device tap, can write extensions in
    user-space, in any OS, without messing with
    individual kernels.
  • Treating devices as services seems to be a good
    approach to managing I/O in clusters.
  • V2E/E2V is very cool.

21
Fin.