From: Nathan Dire (ndire_at_cs.washington.edu)
Date: Mon Mar 01 2004 - 16:09:54 PST
"Scale and Performance in the Denali Isolation Kernel"
A. Whitaker, M. Shaw, S. Gribble
Internet hosting providers allow authors of multiple Internet services to use
a common, stable hardware infrastructure. Such providers want to support a
maximum number of services while employing minimal hardware, and support them
securely. The solution explored by the authors is an isolation kernel, in the
form of Denali.
The basic advantage of isolation kernels is the ability to "push" untrusted
code out to a hardware infrastructure. Isolation kernels provide the greatest
level of security by minimizing any sharing between the untrusted code and any
other code running on the hardware. The basic design principles of isolation
kernels are: expose low-level resources, prevent direct sharing, scale to many
VMs, and optimize the virtual architecture.
The main components of the Denali virtual architecture are the ISA, memory,
and I/O. The ISA is mostly a subset of x86. Denali adds two virtual
instructions, an "idle-with-timeout" to avoid wasting CPU on OS idle loops and
a termination instruction. For memory, each VM is given its own 32-bit
address space, but a VM cannot virtualize its own address space by default.
Denali exposes simplified virtual I/O devices similar to the physical ones.
Interrupts are handled much as in a conventional OS, except that they can be
batched, spurious ones can be ignored, and timer interrupts don't correspond
to physical time.
The design requires changes to the hosted operating system, so for simplicity,
the authors use a specialized OS library called Ilwaco, similar to an
Exokernel libOS. Measurements show that Denali imposes a relatively
small overhead for most types of activity, and that it scales well up to the
limits of the hardware resources.
I'm curious about the administration. The authors mention the supervisor VM,
which can potentially accept ssh connections. I would think that the real
value in this idea is the ability to reduce the administration overhead at an
infrastructure provider's data center. I also wonder how many Internet
service authors would be willing to accept this little control over performance.
I would expect that clients who need an entire OS environment would want more
control of their hardware.
Ultimately, I think the need to modify the hosted operating system presents a
major obstacle to this design. Also, there will always be the obvious problem
of performance. But I think this design has a lot of potential for ad hoc
distribution of a service across the Internet.