From: Raz Mathias (razvanma_at_exchange.microsoft.com)
Date: Mon Mar 01 2004 - 17:44:56 PST
Scale and Performance in the Denali Isolation Kernel
This paper introduced us to the virtualization architecture of Denali,
which is optimized for scalability, security, fault tolerance and
simplicity. These properties make this system particularly useful for
the development of web services.
The paper begins by listing a number of novel applications that are
enabled by the Denali architecture. The first was the ability to
download dynamic content and run it without security worries. Next,
virtual hosting services on the Internet can actually host dynamic
content (code, scripts, etc.) without worrying about malicious users;
this just seems like a novel, cost-effective business idea to me. Next
there is the ability to allow large-scale distributed experiments based
upon web services to peacefully coexist (this seems "highly tailored" to
fit the needs of other Ph.D.'s :). Finally, the idea of mobile code is
introduced which is relevant to Grid Computing, in which the underlying
machine cannot necessarily trust the code it downloads but must run it
anyway.
The system implements a virtual memory monitor (VMM), which abstracts
the underlying physical architecture from the current running operating
system. Unlike previous systems, Denali actually changes the system
machine's architecture to both simplify it and to allow it to scale to a
large number of VMs. This tradeoff is made at the heavy expense of
losing support for existing operating systems (although this is not as
big a problem as it seems in the Linux world where the kernel is freely
available and can be modified). Inactive systems are swapped to disk in
their entirety. This policy allows for conformity with typical web
service usage where certain services are very highly used, whereas
others are rarely touched.
To get around the typical problem of information sharing between VMM and
VM (like we've seen with Disco), the architecture introduces a
couple of virtual instructions. The "idle-with-timeout" instruction
rewards a VM for giving up its CPU to other VMs. This reward structure
encourages virtual machines to give up CPU cycles to each other. New
virtual registers are exposed to allow the virtual machine to have
access to various pieces of information otherwise abstracted out by the
VMM. Unsafe machine instructions are not emulated in order to maintain
system security. To avoid the impact of TLB flushes (that plagued
Disco) when transitioning between Denali and the VM's OS, Denali itself
is mapped into the VM's physical address space. Furthermore, Denali
virtualizes the I/O of the system to decrease complexity and to increase
performance (by avoiding numerous PIO calls). Another interesting
aspect of the system is the subtle redefinition of interrupts. Because
entire virtual machines may be swapped to disk, the authors of the
system decided to batch interrupts and deliver them when the VM wakes up
again. This had the effect of changing the definition of the timer
interrupt to mean that "it will eventually fire" rather than "it will
fire about every x milliseconds."
This system is very similar to the Exokernel system we looked at
earlier, except that this system does not provide a mechanism for
building complex security policy on top of it. The security policy is
made implicit by the private, virtualized hardware: no one can see
anyone else's virtual hardware, and all sharing occurs through the
virtualized network. This simplicity solves the problem of complex
administration (which weakens a security system) and complex
implementation (which can introduce security-related bugs) at the
expense of flexible security policies and some performance (data needs
to be explicitly marshaled across VMs). This seems like exactly the
right kind of tradeoff to make, especially in the context of web
services, in which all communication occurs over the network anyway.
The system as presented in this paper seemed to achieve its goals of
scalability and security through isolation. I believe that the ability
to safely run untrusted code will play a very critical part in the
adoption and dissemination of distributed (web) services.
This archive was generated by hypermail 2.1.6 : Mon Mar 01 2004 - 17:44:43 PST