From: Chuck Reeves (creeves_at_windows.microsoft.com)
Date: Mon Mar 01 2004 - 10:54:35 PST
I thought this was one of the better written papers we have read. The
paradigm around generic hosting environments presented by this paper is
interesting. The authors did a good job of establishing a strong
association between a real existing class of applications and the
characteristics of the system. It would be interesting to contrast in
more detail this approach with higher-level abstractions such as
languages and web servers.
The paper, "Scale and Performance in the Denali Isolation Kernel" was
written by a number of researchers at the University of Washington in
2002. The document describes the design and testing of a secure and
scalable isolation kernel called Denali. Denali is designed to host
large numbers of independent internet services running untrusted and
possibly malicious code. It exposes a virtual machine abstraction, but
is different from previous work in that it does not attempt to fully
emulate the underlying physical architecture. As with the Disco system,
Denali acts as an abstraction of the underlying hardware presenting
multiple virtual machines over the top of a single physical one. While
its instruction set is a subset of the x86 it is not designed to run
unmodified legacy guest operating systems.
The designers chose to expose low-level abstractions, making the case
that exposing higher-level ones required significant complexity and
invited "layer below" attacks. Targeted at independent internet
services, the system prevents direct sharing by forcing each VM to use a
private namespace. A Zipf distribution is assumed for use of these
services; this emphasizes the need for minimal per-VM overhead and an
efficient mechanism for quickly swapping inactive VMs in/out of memory.
The instruction set exposes 2 virtual instructions. The
"idle-with-timeout" function lets a VM halt its CPU for either a bounded
amount of time or until the next interrupt. The kernel avoids TLB
flushes by mapping itself into a portion of each address space.
A full set of I/O devices is exposed including: Ethernet NIC, a disk,
keyboard, console and a timer. The interfaces for these virtual devices
are significantly simplified. This aids in performance as fewer kernel
crossings are necessary to read/write to the virtual device. As a
performance enhancement, Denali batches up interrupts targeted for
inactive VMs.
The CPU is scheduled in 2 stages. The first stage (gatekeeper policy)
chooses a subset of active machines using a FIFO. The second stage uses
a round-robin algorithm for scheduling each of the VMs admitted in the
first stage. In an effort to optimize the swapping of VMs to/from
disk the swap files are statically allocated and can be striped across
multiple disks. The VMM uses queues to manage the flow of data through
the virtual network cards. VMs can only process incoming network
packets during their quantum. They are not interrupted.
The performance metrics clearly demonstrated the anticipated benefits of
batching network traffic, the use of a modified idle-with-timeout as
well as the reduction in kernel complexity.
Chuck Reeves, creeves_at_microsoft.com
Microsoft | Windows | Directory Services
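The scheduling and interrupt-batching mechanisms summarised in the message above can be made concrete with a small simulation. The following is an added example written for this page; it is not code from the Denali paper or its authors, and it models only the policy: a FIFO gatekeeper admitting VMs into a round-robin active set, packets queued on the virtual NIC (batched, never interrupting the guest) until the VM's own quantum, and an idle-with-timeout call that parks a VM until a deadline passes or a packet arrives. All names, the quantum and timeout values, the per-packet work cost and the traffic pattern are assumptions.

```python
"""Toy model of a Denali-style two-stage scheduler with batched packet
delivery and idle-with-timeout (added example, not the paper's code).
Quantum = one tick; one unit of backlog is retired per quantum."""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass(eq=False)          # identity comparison so VMs can sit in deques
class VM:
    name: str
    pending: list = field(default_factory=list)   # packets queued while off-CPU
    delivered: int = 0                            # packets handed to the guest
    batches: int = 0                              # kernel crossings used for that
    quanta: int = 0                               # times the VM held the CPU
    backlog: int = 0                              # outstanding work units
    idle_deadline: Optional[int] = None           # set by idle-with-timeout


class TwoStageScheduler:
    def __init__(self, vms, max_active, idle_timeout=4, work_per_packet=1):
        self.vms = {v.name: v for v in vms}
        self.max_active = max_active          # gatekeeper admission limit (assumed)
        self.idle_timeout = idle_timeout      # ticks a guest sleeps in idle-with-timeout
        self.work_per_packet = work_per_packet
        self.waiting = deque()                # stage 1: FIFO of VMs wanting the CPU
        self.active = deque()                 # stage 2: round-robin set
        self.idle = {}                        # name -> VM parked by idle-with-timeout
        self.tick = 0

    def deliver_packet(self, name, pkt):
        """Queue a packet on the VM's virtual NIC. A running or admitted VM is
        not interrupted; an idle VM is woken early (interrupt ends the timeout)."""
        vm = self.vms[name]
        vm.pending.append(pkt)
        if name in self.idle:
            del self.idle[name]
            vm.idle_deadline = None
            self.waiting.append(vm)
        elif vm not in self.active and vm not in self.waiting:
            self.waiting.append(vm)

    def _wake_expired_idlers(self):
        for name in [n for n, v in self.idle.items() if v.idle_deadline <= self.tick]:
            vm = self.idle.pop(name)
            vm.idle_deadline = None
            self.waiting.append(vm)

    def _gatekeeper(self):
        while len(self.active) < self.max_active and self.waiting:
            self.active.append(self.waiting.popleft())

    def run_quantum(self):
        """Advance one quantum; return the name of the VM that ran, or None."""
        self.tick += 1
        self._wake_expired_idlers()
        self._gatekeeper()
        if not self.active:
            return None
        vm = self.active.popleft()           # round robin: head runs
        vm.quanta += 1
        if vm.pending:                       # whole batch crosses in one go
            vm.batches += 1
            vm.delivered += len(vm.pending)
            vm.backlog += len(vm.pending) * self.work_per_packet
            vm.pending.clear()
        vm.backlog = max(0, vm.backlog - 1)  # one unit of work this quantum
        if vm.backlog:
            self.active.append(vm)           # still busy: back of the round robin
        else:                                # guest executes idle-with-timeout
            vm.idle_deadline = self.tick + self.idle_timeout
            self.idle[vm.name] = vm
        return vm.name


def run_scenario():
    """Constructed traffic: three services, only two admitted at once."""
    sched = TwoStageScheduler([VM("a"), VM("b"), VM("c")], max_active=2)
    for i in range(3):
        sched.deliver_packet("a", f"a-pkt{i}")   # burst arrives while 'a' is off-CPU
    sched.deliver_packet("b", "b-pkt0")
    sched.deliver_packet("c", "c-pkt0")
    trace = [sched.run_quantum() for _ in range(8)]
    return sched, trace


if __name__ == "__main__":
    sched, trace = run_scenario()
    print("schedule:", trace)
    for vm in sched.vms.values():
        print(vm.name, "packets", vm.delivered, "batches", vm.batches, "quanta", vm.quanta)
```

Running the scenario shows the point the message makes about batching: VM "a" receives three packets but takes them in a single crossing at the start of its first quantum, "c" waits in the gatekeeper FIFO until "b" idles out of the active set, and a packet sent to an idle VM ends its idle-with-timeout early rather than interrupting whichever VM currently holds the CPU.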
This archive was generated by hypermail 2.1.6 : Mon Mar 01 2004 - 10:54:36 PST