- Published on
Virtualization
Virtualization is the process of creating a simulated computing environment or a computer-generated computer. It provides an abstraction layer between computing, storage, and networking hardware and applications. Virtualization makes hardware independent of operating systems (OS) and applications and can be provisioned to any system. The OS can be encapsulated into one virtual system. Virtualization allows us to create multiple computing instances from a single machine. These instances could be computers in the traditional sense, or storage repositories, servers, or networking configurations.
The software that enables virtualization is called a hypervisor. the hypervisor is a lightweight software layer that is installed on top of hardware to create virtualized environments., allowing multiple operating systems to run on the same hardware. The hypervisor acts as a middleman, pulling resources from the raw materials of the infrastructure and directing them to the various computing instances.
Types of hypervisor
Type 1 - Bare Metal Hypervisor
A Type 1 Hypervisor, also known as a Bare Metal Hypervisor, runs directly on computer hardware instead of the operating system. Therefore, Type 1 Hypervisors offer better performance and are commonly used in enterprise applications.
Type 2 - Hosted Hypervisor
A Type 2 hypervisor runs as an application on an operating system. It is used when running various operating systems on a single machine.
Types of Virtualization
OS-level virtualization.
Operating systems allow for the running of multiple secure virtual servers, making subsystems think they are running on their own operating system. Guest OSes are the same as the host OS but appear isolated. Examples include Docker, Linux Vserver, Solaris Containers, and FreeBSD Jails.
Application-level virtualization
The application behaves at runtime in a similar way to when it directly interfaces with the original operating system. The application provides its own copy of components that are not shared. The application virtualization layer replaces part of the runtime environment normally provided by the OS. Examples include the Java Virtual Machine (JVM)
Full/Native Virtualization
Virtual machines simulate enough hardware to allow an unmodified guest to run in isolation. Any software capable of executing on the hardware can be run in the virtual machine. Every operation performed within a given virtual machine must be kept within that virtual machine. Intercepting and simulating privileged operations is challenging. Examples include VirtualBox, Parallels, and Mac on Linux.
Paravirtualization
In paravirtualization, the virtual machine (VM) does not simulate hardware. Instead, it presents a software interface to the VM that is similar to, but not identical to, the underlying hardware. A special API (para-API) is used to achieve this, which the modified guest OS must also use. Hypervisor then traps hypercalls and services them. Example include Xen
Emulation
A virtual machine (VM) emulates complete hardware and software, while an emulator is a hardware or software tool that enables a system (host) to behave like another system (guest). Emulators are useful for reverse engineering, malware analysis, and forensics. Examples include VirtualPC for Mac and the Android emulator.
Virtual Machine
In the early days, software was written for specific hardware. Eventually, instruction sets became more standardized, but the software still requires a certain instruction set architecture and operating system that meets strict standards.
A virtual machine can be categorized as a “system virtual machine” or a “process virtual machine”. The former provides a full execution environment that can support multiple processes and I/O devices, as well as a GUI. The latter is instantiated for a single program and terminates when that process terminates.
Popular VM providers include VirtualBox, Xen Project, Microsoft Hyper-V, and VMware Workstation Player.
Java Virtual Machine
The Java Virtual Machine (JVM) interprets Java bytecode, allowing the same bytecode to run on all architectures. The JVM can also run multiple programs simultaneously.
Linux Containers(LXC)
LXC is an OS-level virtualization method for running multiple isolated Linux systems on a single control host. It does not provide a virtual machine but rather a virtual environment with its own CPU, memory, block I/O, network, etc. This is achieved through namespace and cgroups features in the Linux kernel on the LXC host.
Benefits
This technology allows the execution of multiple operating systems on a single physical machine. This results in cost savings when compared to using separate physical machines. Furthermore, the technology has well-established functionality, robust management tools, and well-known security tools and controls.
Vulnerabilities
Virtual Machines (VMs) are susceptible to various types of attacks. These include:
- Hardware-oriented attacks
- Management interface exploits
- Break out of jail attacks
- Almost-undetectable virtual-machine based rootkits (Blue Pill)
- Application privilege escalation
- Just-in-time spraying
- Untrusted native code execution
VM vs. Containers
| Virtual Machine | Container |
|---|---|
| Provides complete isolation | Provides application-level abstraction |
| Requires large storage space | Lightweight |
| Has high overhead | Works well with Linux, but has limited support for Windows |
| Supports multiple OS | Weak security |
| Provides greater stability for hypervisors and VM | Significant management overhead |
| Provides better security | Not well-suited for large applications |
| Important for microservices design |
Namespaces
Namespaces restrict what a container can see and provide process-level isolation of global resources. Processes have the illusion that they are the only process in the system. There are six namespaces:
mnt(mount points)pid(processes)net(network stack)ipc(System V IPC)uts(hostname)user(UIDs)
Docker
Docker is an open-source project that automates the deployment of applications inside software containers. It provides an additional layer of abstraction and automates OS-level virtualization on Linux. Docker uses resource isolation features of the Linux kernel, such as cgroups and kernel namespaces, to allow independent containers to run within a single Linux instance, avoiding the overhead of starting and maintaining virtual machines.
Docker includes the libcontainer library as a way to directly use virtualization facilities provided by the Linux kernel, in addition to using abstracted virtualization interfaces via libvirt, LXC, and systemd-nspawn. Docker implements a high-level API to provide lightweight containers that run processes in isolation. Unlike a traditional virtual machine, a Docker container does not require or include a separate operating system. Instead, it relies on the kernel's functionality and user's resource isolation, as well as separate namespaces to isolate the application view of the operating system.
References
- Amazon Web Services. (n.d.). What is Virtualization? AWS. https://aws.amazon.com/what-is/virtualization/