Computing virtualization 1 - CPU virtualization

Table of contents

The concept of vCPU

The relationship between vCPU and CPU

CPU Ring Level

CPU virtualization technology

Software-assisted full virtualization

Paravirtualization

Hardware-assisted virtualization


Virtualization of computing resources can be divided into three aspects: CPU virtualization, memory virtualization, and I/O virtualization.

CPU virtualization: multiple virtual machines share the CPU; the execution of sensitive instructions inside the virtual machines is intercepted and emulated

Memory virtualization: multiple virtual machines share the same physical memory and must be isolated from each other

I/O device virtualization: multiple virtual machines share one physical device

The concept of vCPU

The relationship between vCPU and CPU

Relationship between vCPU and physical CPU

A physical CPU has multiple cores, and each core can have multiple threads

If the physical CPU does not have hyper-threading technology

A core can only handle one task at a time

That is, one core corresponds to one vCPU: each core is virtualized into one vCPU that provides CPU resources to a virtual machine.

If the physical CPU has hyper-threading technology

If a core has two threads, it can process two tasks at the same time.

That is, one hardware thread corresponds to one vCPU: each thread is virtualized into one vCPU that provides CPU resources to a virtual machine.

In summary, the same physical CPU can be shared among multiple virtual machines.

vCPU allocation

When vCPUs are allocated to virtual machines, the number of vCPUs allocated cannot exceed the number of vCPUs that the physical node can provide.

That is: the total number of vCPUs allocated to the virtual machines on a node cannot exceed the number of vCPUs that node provides.

Assignment rules

Allocate an initial number of vCPUs to the virtual machine. This initial value should be based on the configuration the workload would need on a physical machine (allocate roughly as many CPU resources as it would use when running directly on the physical machine).

Observe the average and peak CPU usage of the virtual machine for about 2 weeks, then adjust the number of vCPUs to maximize resource utilization (after the adjustment, the virtual machine's average utilization should be kept at about 50~70% and its peak at 50~90%).
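An added example (my own, not from the original post) that encodes the allocation rules above in C: node capacity from cores and hyper-threading, the no-overcommit placement check, and the resize after the observation window, which picks the smallest vCPU count that keeps the average at or below 70% and the peak at or below 90%. The two-threads-per-core figure and the exact resize rule are my assumptions; the node and VM values are constructed.

```c
#include <stdio.h>

/* Physical node description; hyperthreading is non-zero when the CPU has it. */
typedef struct { int sockets, cores_per_socket, hyperthreading; } node_t;

/* Integer ceiling for non-negative doubles (avoids needing libm). */
static int ceil_int(double x)
{
    int c = (int)x;
    return (double)c < x ? c + 1 : c;
}

/* vCPUs a node provides: one per core, or one per hardware thread when
 * hyper-threading is on (assumption: two threads per core). */
int node_vcpu_capacity(const node_t *n)
{
    return n->sockets * n->cores_per_socket * (n->hyperthreading ? 2 : 1);
}

/* Placement rule: vCPUs already allocated on the node plus the new request
 * must not exceed the node's capacity. Returns 1 if allowed, 0 if refused. */
int can_allocate(const node_t *n, const int *allocated, int vm_count, int new_vcpus)
{
    int total = new_vcpus;
    for (int i = 0; i < vm_count; i++)
        total += allocated[i];
    return total <= node_vcpu_capacity(n);
}

/* Resize after the observation window. avg_util/peak_util are the observed
 * average and peak as fractions of the current count (0.30 = 30%). Returns the
 * smallest vCPU count that keeps the average <= 70% and the peak <= 90%. */
int recommend_vcpus(int current, double avg_util, double peak_util)
{
    int by_avg  = ceil_int(current * avg_util  / 0.70);
    int by_peak = ceil_int(current * peak_util / 0.90);
    int n = by_avg > by_peak ? by_avg : by_peak;
    return n < 1 ? 1 : n;
}

int main(void)
{
    node_t node = { 2, 8, 1 };      /* constructed: 2 sockets x 8 cores, HT on = 32 vCPUs */
    int allocated[] = { 12, 12 };   /* constructed: two VMs already on the node */
    printf("place 8 more vCPUs: %s\n", can_allocate(&node, allocated, 2, 8) ? "ok" : "refused");
    printf("8 vCPUs at avg 30%%, peak 60%% -> resize to %d\n", recommend_vcpus(8, 0.30, 0.60));
    return 0;
}
```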

CPU Ring Level

CPU privilege levels

A core feature of modern CPUs is that instructions are divided into different privilege levels according to their sensitivity. This prevents an error at the user or application level from bringing down the entire system. Different CPU families divide the levels differently, but the overall idea is the same. Below we use the x86 CPU as the representative to explain CPU virtualization.

Privilege levels of the x86 physical CPU

The x86 CPU has 4 privilege levels, namely Ring0, Ring1, Ring2 and Ring3

Ring0 level (kernel mode)

Runs the operating system kernel directly; code at this level has permission to use the core system instructions and invoke all system resources, it has the highest priority, and it can access all data in memory

Ring1-2 levels

Used by operating system services (device drivers)

Ring3 level (user mode)

The level at which applications run; it has the lowest priority, only limited access to memory, and its CPU time can be taken by other programs.

We focus on Ring0 (kernel mode) and Ring3 (user mode)

Each ring can only access data belonging to its own level and to lower-privilege levels. When user mode directly executes an instruction that requires Ring0 privilege, the system treats it as an illegal instruction and reports an error; such an operation can cause a system error.

How does user mode in the physical machine's operating system reach kernel mode?

When an application needs to perform an operation such as accessing the disk or writing a file, it executes a system call. During the system call the CPU's privilege level switches from Ring3 to Ring0 and jumps to the kernel code corresponding to that system call, which performs the operation. When the operation is complete, execution returns from Ring0 to Ring3. This is how switching between user mode and kernel mode is achieved.
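To make the Ring3/Ring0 boundary concrete, here is an added example (my own, not from the original post) for Linux on x86: it executes the privileged HLT instruction from user mode, which the CPU rejects with a general-protection fault that the kernel delivers as SIGSEGV, and then enters Ring0 the sanctioned way through a system call. On a non-x86 host the probe raises SIGILL itself as a stand-in (an assumption, since the instruction does not exist there).

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

static sigjmp_buf recover_point;
static volatile sig_atomic_t fault_signal = 0;

/* The kernel delivers a signal when Ring3 code runs a Ring0-only instruction:
 * record which signal and unwind back into the probe. */
static void on_fault(int sig) { fault_signal = sig; siglongjmp(recover_point, 1); }

/* Execute HLT (privileged, Ring0 only) from user mode. On x86 Linux the CPU
 * raises a general-protection fault and the kernel delivers SIGSEGV. Returns the
 * signal number received, or 0 if the instruction was allowed to run. */
int probe_privileged_instruction(void)
{
    struct sigaction sa, old_segv, old_ill;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGILL, &sa, &old_ill);
    fault_signal = 0;
    if (sigsetjmp(recover_point, 1) == 0) {
#if defined(__x86_64__) || defined(__i386__)
        __asm__ volatile("hlt");
#else
        raise(SIGILL);   /* assumption: non-x86 host, stand in for the rejected instruction */
#endif
    }
    sigaction(SIGSEGV, &old_segv, NULL);   /* restore the previous handlers */
    sigaction(SIGILL, &old_ill, NULL);
    return fault_signal;
}

/* The sanctioned way into Ring0: a system call. libc's getpid() executes the
 * syscall instruction, the CPU switches Ring3 -> Ring0, the kernel handler runs,
 * and execution returns to Ring3 with the result. */
long enter_ring0_via_syscall(void)
{
    return (long)getpid();
}

int main(void)
{
    int sig = probe_privileged_instruction();
    printf("HLT from Ring3: %s (signal %d)\n", sig ? "rejected" : "allowed", sig);
    printf("pid via system call: %ld\n", enter_ring0_via_syscall());
    return 0;
}
```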

CPU instruction types

Privileged instructions

Instructions used to operate and manage key system resources; they must run at the Ring0 privilege level (some privileged instructions may also exist at Ring1)

Ordinary instructions

Instructions that run at the CPU's normal privilege level, that is, at Ring3 (Ring1-2 also belong to user mode)

Sensitive instructions

In a virtualized environment, certain special instructions are called sensitive instructions

Sensitive instructions are instructions that modify the operating mode of the virtual machine or the state of the host. In other words, the privileged instructions in the Guest OS that originally had to run in Ring0 are stripped of their privilege and handed over to the VMM for execution.


CPU virtualization technology

Background on virtualization architecture:

Two operating systems running at the same time cannot both occupy Ring0. Because the host operating system already works in Ring0, the virtual machine's operating system cannot run in Ring0, and errors occur when the guest operating system executes privileged instructions.

To solve this problem, three solutions have been proposed: software-assisted full virtualization, paravirtualization, and hardware-assisted full virtualization.

No matter which virtualization technology is used, the virtual machine's privileged instructions must be handed over to the VMM, and the VMM then passes them on to the underlying hardware. The different virtualization technologies differ only in how the VMM passes them to the hardware.

The three approaches compared:

Implementation technology
  Software-assisted full virtualization: implemented through binary translation
  Paravirtualization: implemented through Hypercall
  Hardware-assisted virtualization: implemented by switching privileged instructions to Root mode

Representative vendors/products
  Software-assisted full virtualization: VMware Workstation
  Paravirtualization: Xen (however, Xen paravirtualization only supports Linux guests and not Windows, because Windows is not open source and its kernel cannot be patched)
  Hardware-assisted virtualization: VMware ESXi / Hyper-V / KVM / Xen 3.0

Performance
  Software-assisted full virtualization: poor
  Paravirtualization: best, almost the same as the physical host
  Hardware-assisted virtualization: the CPU needs to switch between the two modes, which adds overhead; however, its performance is gradually approaching paravirtualization

Compatibility
  Software-assisted full virtualization: best compatibility
  Paravirtualization: the guest operating system must be modified, so compatibility is poor
  Hardware-assisted virtualization: best compatibility

Software-assisted full virtualization

A VMM is used to establish an abstraction layer between the underlying hardware and the server, abstracting all physical resources (that is, all underlying hardware the virtual machine relates to is simulated and implemented by the VMM). The virtual machine believes it is running on a real host, and the VMM is the interface through which the virtual machine accesses the physical layer.

Principle of implementation

The VMM runs at the highest privilege level, and the privileged instructions and other operations of the Guest OS are completed by the VMM.

That is: capture and translate the privileged instructions running in the virtual machine, turning them into virtual privileged instructions that only take effect on the virtual machine. Software interception causes high performance overhead.

Two working mechanisms are provided (privilege deprivation and trap-and-emulate)

Privilege deprivation (privilege compression)

When the virtual machine executes a Ring0 instruction, a VMM exception is triggered when the instruction reaches the VMM. The VMM captures these exceptions and virtualizes the privileged instructions into virtual privileged instructions that only act on the virtual CPU.

The essence is to use unprivileged instructions, which can run in the physical machine's user mode, to simulate virtual privileged instructions that are only valid for the virtual machine, thereby demoting the privileged instructions.

Existing problem: some privileged instructions can exist at Ring1, and Ring1 instructions do not trigger the VMM's exception capture. As a result, a privileged instruction executed in the virtual machine directly affects the physical machine and may cause a system failure.

Trap-and-emulate (binary translation, more widely used)

The VMM scans the binary code of the instructions coming from the virtual machine. Once it finds that a privileged instruction is about to be executed, it translates that binary code into the binary code of a virtual privileged instruction, or into the binary code of a privileged instruction that runs in kernel mode, so that an exception is forced to be triggered.

This solution solves the problem that Ring1 instructions run by the virtual machine are not captured by the VMM.

Paravirtualization

Principle of implementation

Certain modifications are made to the kernel code of the Guest OS, so that privileged instructions that would originally execute on the Host OS are changed into a form that interacts directly with the VMM (that is, the virtual machine's call to a privileged instruction is changed into a direct call to the VMM; this calling method is the Hypercall). The VMM passes the privileged instruction straight to the physical machine, so there is no exception capture or translation, and the performance loss is relatively small. However, the virtual machine's operating system must be patched, and the virtual machine's image file is therefore not universal.

In this case the virtual machine knows that it is running in a virtual environment rather than on a real physical host.

Hardware-assisted virtualization

Here a new execution state is introduced (Root mode and non-Root mode).

The Root and non-Root operating modes divide CPU operation into the Root area where the VMM runs and the non-Root area where the virtual machine runs; each area has all privilege levels Ring0-3. Through this new execution state, the VMM and the Guest OS are completely isolated.

Implementation principle

Hardware-assisted virtualization relies on a CPU that supports virtualization (Intel VT and AMD-V enable this support). The virtual machine runs in non-Root kernel mode and can invoke privileged instructions directly; however, invoking a privileged instruction transfers the call through the hardware virtualization mechanism to the VMM in Root mode, and the VMM completes the actual management of the hardware.

CPU manufacturers are increasing their support for virtualization. The performance of hardware-assisted virtualization is gradually approaching that of paravirtualization, and it does not require modification of the guest operating system, so this virtualization method is the future development trend (hardware-assisted virtualization can be turned on on many servers/CPUs).
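As an added example (my own, not from the original post), the CPUID check a practitioner runs before relying on hardware-assisted virtualization: CPUID.1:ECX bit 5 reports Intel VT-x (VMX), CPUID.80000001H:ECX bit 2 reports AMD-V (SVM), and CPUID.1:ECX bit 31 reports that the code is itself already running as a guest under a hypervisor. It uses GCC/Clang's <cpuid.h>; on non-x86 builds the live probe returns -1, and the decoding is kept in a pure function so it can be checked with constructed register values.

```c
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Decoded feature flags returned by the functions below. */
#define VIRT_VMX        (1u << 0)   /* Intel VT-x (VMX) implemented */
#define VIRT_SVM        (1u << 1)   /* AMD-V (SVM) implemented */
#define VIRT_HYPERVISOR (1u << 2)   /* code is already running as a guest */

/* Decode the documented bits: CPUID.1:ECX bit 5 = VMX, bit 31 = hypervisor
 * present; CPUID.80000001H:ECX bit 2 = SVM. Pure function, so it can be
 * exercised with hand-constructed register values. */
unsigned decode_virt_features(unsigned ecx_leaf1, unsigned ecx_ext1)
{
    unsigned f = 0;
    if (ecx_leaf1 & (1u << 5))  f |= VIRT_VMX;
    if (ecx_ext1  & (1u << 2))  f |= VIRT_SVM;
    if (ecx_leaf1 & (1u << 31)) f |= VIRT_HYPERVISOR;
    return f;
}

/* Query the CPU this code runs on. Returns the decoded flags, or -1 when the
 * build target is not x86 (CPUID does not exist there). */
int detect_virt_features(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned eax, ebx, ecx, edx, ecx1 = 0, ecx_ext = 0;
    if (__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        ecx1 = ecx;
    if (__get_cpuid(0x80000001, &eax, &ebx, &ecx, &edx))   /* 0 if the extended leaf is absent */
        ecx_ext = ecx;
    return (int)decode_virt_features(ecx1, ecx_ext);
#else
    return -1;
#endif
}

int main(void)
{
    int f = detect_virt_features();
    if (f < 0) { puts("not an x86 build: no CPUID"); return 0; }
    printf("VT-x: %s  AMD-V: %s  running under a hypervisor: %s\n",
           (f & VIRT_VMX) ? "yes" : "no", (f & VIRT_SVM) ? "yes" : "no",
           (f & VIRT_HYPERVISOR) ? "yes" : "no");
    return 0;
}
```

A set bit means the CPU implements the feature; firmware can still leave it disabled, and a hypervisor normally hides VMX/SVM from its guests unless nested virtualization is enabled.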


Source: blog.csdn.net/m0_49864110/article/details/134205492