Virtualization vs. traditional operating systems
The OS binds all hardware resources to a single entity. This fact limits the flexibility of the system, not only in terms of applications that can run concurrently and share resources, but also in terms of isolation. Isolation is crucial in cloud computing where many users share cloud infrastructure. A system is considered to provide full isolation when it supports a combination of fault isolation, resource isolation, and security isolation.1 Fault isolation reflects the ability to limit a buggy program from affecting another program. Complete fault isolation requires no sharing code or data. Resource isolation corresponds to the ability of enforcing/controlling resource usage of programs. This requires careful allocation and scheduling of resources. Security isolation refers to the extent to which access to logical objects or information (e.g., files, memory addresses, port numbers) are limited. Security isolation promotes safety by which one application cannot reveal information (e.g., names of files or process IDs) to any other application. General-purpose OSs provide a weak form of isolation (only the process abstraction), not full isolation.
On the other hand, virtualization relaxes physical constraints and enables optimized system flexibility and isolation. Hypervisors allow running multiple OSs side by side while providing full isolation (i.e., security isolation, resource isolation, and failure isolation). First, hypervisors can effectively authorize multiplex access to physical resources. Second, undesired interactions between VMs are sometimes called cross-talk. Hypervisors can incorporate sophisticated resource schedulers and allocators to circumvent cross-talk. Third, hypervisors offer the option of sharing nothing among different OS distributions. The only code and data shared among VMs is indeed the hypervisor itself. One exception is page-sharing mechanisms. The performance of VMs can be improved by sharing memory pages between VMs in hypervisors such as VMware. However, this is done in a transparent, isolated fashion and only with data that is binary-identical. This topic is covered in detail in the module on memory virtualization.
Nonetheless, the unique benefits offered by virtualization come at some cost. For instance, the degree of isolation comes at the cost of efficiency. Efficiency can be measured in terms of overall execution time. In general, VMs provide inferior performance compared to equivalent physical machines. This is mainly due to (1) the overhead of context switching between VMs and the hypervisor, and (2) the duplication of efforts by the hypervisor and the OSs running in VMs (e.g., all might be running schedulers, managing virtual memories, and interpreting I/O requests).
Figure 4 demonstrates approximate logical locations of the two leading examples in virtualization, Xen Project and VMware ESXi (more on these later in the module) vis-à-vis some traditional OSs along the efficiency and isolation dimensions. The x-axis indicates the kind of isolation supported by the shown hypervisors and OSs, and the y-axis exhibits qualitative efficiency. A basic observation is that, to date, there is no VM technology that has reached the ideal case of maximizing both efficiency and isolation.
Figure 4: Traditional operating systems and popular hypervisors along the efficiency and isolation dimensions
References
- Soltesz et al. (2007). Container-Based Operating System Virtualization: A Scalable, High-Performance Alternative to Hypervisors In ACM SIGOPS Operating Systems Review (Vol. 41, No. 3, pp. 275-287), ACM