virtualization.info Editors

I am a member of the Secure Systems Department at IBM”s TJ Watson Research Center (http://www.research.ibm.com/secure_systems_department/).

Our group has designed and developed a security architecture for hypervisors (called sHype). We have implemented it on an x86-based IBM research hypervisor. We now plan to contribute this to Xen by integrating our security architecture into it.

sHype is based on mandatory access controls (MAC). This allows Xen to use access rules (formal policy) to control both the sharing of virtual resources as well as the information flow between domains. The Xen port of sHype will leverage the existing Xen interdomain communication mechanism and we expect near-zero performance overhead on the performance-critical paths (e.g., sending or receiving packets on a virtual network, or writing or reading shared memory). The sHype access control architecture separates policy decisions from policy enforcement. It is modeled after the Flask security architecture as implemented in SELinux (http://www.cs.utah.edu/flux/fluke/html/flask.html). Our design is targeted at a flexible medium-assurance architecture that can support anything from simple security domains to multilevel security (MLS) and Chinese Wall policies.

Merging the sHype access control architecture with Xen is the first step toward our goal of hardening Xen to support enterprise-class applications and security requirements. We are working on the following items to achieve this goal (which we intend to contribute spread out over this year):

* Port sHype to Xen

* Add stronger security/isolation guarantees (confinement) to what is currently available through Xen”s (and other hypervisors”) address space separation mechanisms, e.g., to enable information flow Control in Xen

* Enhance Xen to support trusted computing under Linux using TCG/TPM-based attestation mechanisms

* Enhance Xen to support secure resource metering, verification, and control.

* Apply our experience in automated security analysis to Xen to make it more robust

* Make Xen suitable for Common Criteria evaluation

We are confident that our work will significantly contribute to Xen in the security space and that it is a good fit with the Xen roadmap. We look forward to interacting with the Xen community on the design and implementation of our architecture.

Xen is available free under the GPL.

XenSource is hoping to make money by selling support and subscription services to Xen users.

XenSource CEO Nick Gault said the funding would go towards building support and service capabilities, hiring more people, ramping up sales and marketing and developing better packaging for Xen by way of an installer and some management tools.

Gault expects to expand the company’s staff from its current eight people to 30-35 by the end of the year.

According to Gault, Xen has 100 users using it in a production environment.

Gault said XenSource would work with its partners Red Hat and Novell to promote Xen and implied the two Linux distributions would offer Xen soon.

Xen is designed to consolidate servers by letting multiple operating systems and applications run on the same server.

It runs on x86 architecture and currently support Linux 2.4 and 2.6, NetBSD, FreeBSD and Plan 9.

However, Xen does not support Windows yet although Gault expects to be able to by the middle of this year.

Gault acknowledged that Xen didn’t expect to have a Windows port anytime soon because of licensing issues. He credited Intel’s assistance in the form of contributing 20-40 man-years of source code and putting anticipated virtualization support in its hardware for Xen’s decision to move up Windows support.

Xen’s main rival is VMware, now an EMC subsidiary.

Besides Gault, XenSource founders include Xen project leaders Ian Pratt of Cambridge University and openMosix leader Moshe Bar. Pratt is Xen’s chief architect and Bar is XenSource’s CTO.

Virtualisation itself is nothing new — it’s been around since the bad old mainframe days. It’s just that, in the PC environment, hardware is now powerful enough to run one or more virtual computers as containers within a host OS with little perceptible overhead. The only real cost, aside from the virtualisation software itself, is the need for as much memory for each virtual machine as a real one would require. Other than that, you save on all the extra hardware and other overheads.

In addition, you gain more control over virtual systems than over real ones, being able to start and stop it easily and quickly, and prototyping applications and configurations without having to reboot your machine or touch live production systems makes life a lot simpler.

Now, with the launch of VMware’s ACE, at least one of the company’s customers agrees that standardised configurations can be deployed to desktops and other environments more easily. ACE consists effectively of a run-time version of VMware’s virtualisation technology that can, for example, can be shipped out to customers without licensing concerns.

One user, Dave Parsons, software development manager for ALG Software, explains how his company has been using the product since the early beta emerged.
“We’re a small ISV of just 10 people. We’re big workstation users, and the problem we had was doing off-site training with big database applications. If customers don’t have the environment that can support the software needed for training, that becomes an issue.

“The problem is that it takes a lot of time to configure the server systems — we use IIS and SQL Server — and clients when setting up a complex application. With VMware ACE, we have everything configured and loaded beforehand.

“It also allows us to have the systems back up and running quickly if something crashes and, at the end of the session, we can restore the classroom to its default state quickly.”
The idea of using an alternative did occur to Parsons — the base VMware workstation product.

“But we saw the opportunity that ACE provided. We were thinking about using VMware Workstation but ACE gives you the entire PC in a box. If customers don’t have VMware, ACE allows us to create a run-time version and have it run without problems.

“It also has digital rights management in there, so if we forget to de-install, we’ve set it to expire on specific date – such as five days after the install date, it protects our IP and ensures we don’t break the terms of the VMware license.

“It also means that when we’re with working our partners, such as Fujitsu, it allows us to deliver a working system to them with reproducible quality.”
Parsons said that couldn’t think of any major issues with the product.

“There is an overhead but it’s not huge. Disk space can be an issue but XP is only 1.2GB so a 2.5GB image is fine, eve when using products such as SQL Server.

PlateSpin PowerP2V 4.0 now adds flexible and reusable image support for physical-to-virtual machine (P2V) and virtual-to-virtual machine (V2V) migrations for Windows and Linux based servers. In addition to providing direct source-to-target conversions, users can now stage the conversion process by remotely capturing an image of a source physical server or virtual machine and storing it in PlateSpin’s flexible image format on any file medium. Unlike other image-based solutions on the market which require images to be deployed on identically configured systems, PowerP2Vs flexible image format allows a single image to be repeatedly deployed on different virtual infrastructures that have different hardware and software configurations. PlateSpins image format is usable for P2V, V2V, and will be usable for V2P migrations in a future release. This will allow data centers to redeploy and reuse a single image to any virtual or physical infrastructure.

PowerP2V 4.0 also provides a new lights-out feature that automatically issues email alerts should any conversion job fail. This fully configurable feature provides the user with the option of passively monitoring the progress of jobs in addition to actively monitoring jobs through the use of PowerP2Vs real-time job monitor. Through email alerting, users can perform multiple conversion jobs and be notified any time a significant event occurs throughout the conversion process.

Other enhancements of PlateSpin PowerP2V 4.0 include:
– Support for conversions to VMware ESX Server 2.5
– Support for ESX port groups
– Transfer of files with restricted permissions
– Extended NTFS support, such as compressed and sparse files
– Additional support for Windows dynamic disks
– Support for French language OS Support for Red Hat Linux 8

PlateSpin PowerP2V 4.0 with image support is most useful for solving the following data center challenges:

– Server Consolidation for Geographically Separated Data Centers
Many server consolidation initiatives involve source and target servers that reside in different geographical locations, and have little or no network bandwidth between them. With PowerP2V 4.0, data center users have the option of staging the conversion by first capturing the source server into a PlateSpin image format, and then deploying it to a virtual host server in the central data center. PlateSpins new image format support also allows users to maximize uptime by staggering the capture and deploy processes, which allows users to accommodate different availability and uptime requirements for source and target machines. The ability to provide staged conversions based on PlateSpins image format also allows users to repeatedly perform conversions from an image library as an alternative to performing a direct source server data transfer providing a new form of flexible provisioning. Like PlateSpins direct peer-to-peer data transfer method, the image capture and deploy process does not require any physical contact with the source or target machines. Users simply connect to the network where the source system resides, captures the image onto their machine (even a laptop), connects to the network where the target system resides, and deploys the image to the target host.

– Disaster Recovery using Virtual Machines
Many data centers are using virtual machines as warm-backups as an alternative to or in concert with tape backup, for disaster recovery using PowerP2Vs existing automated peer-to-peer conversion. With PowerP2V 4.0, users now have the option of performing backups of virtual machines to a PlateSpin image format, in addition to replicating a server to another virtual machine directly. Should the primary virtual machine fail, users can easily restore the virtual machine to a previous working state from either a PlateSpin flexible image file or the recovery virtual machine instance.
Load Matching between Virtual Host Servers PowerP2V 4.0 allows users to move virtual machines between heterogeneous virtual host servers such as VMware ESX Server, VMware GSX Server, and Microsoft Virtual Server in order to balance loads. Especially useful for non-SAN based virtual host environments, PowerP2V can migrate a virtual machine from an over-utilized host server to an under-utilized host server by simply dragging and dropping a VM from a source host to a secondary virtual host. This effectively allows the user to quickly and easily match VMs with the most suitable virtual hosts to maximize application performance and balance workload.

PR 55642: Virtual machines fail to power off cleanly (updated 2005.01.07)
Under some circumstances, a virtual machine would fail to power off, either appearing to hang or displaying a blank screen. This was fixed in build 11888.

PR 57020: Failures When Performing Multiple File Drag-and-Drop Operations (updated 2005.01.07)
Using drag-and drop-to copy multiple files from host to guest could cause unexpected behavior, such as a virtual machine crashing or VMware Workstation freezing. This was fixed in build 11888.

PR 56435: Virtual Machine Crashes When Installing Windows Server 2003 SP1 RC1 (updated 2005.01.07)
When upgrading a virtual machine from Windows 2003 to the latest release candidate of Windows 2003 SP1, the virtual machine process crashed on the subsequent reboot. This was fixed in build 11888.

PR 56469: Unrecoverable Error During Virtual Machine Power Operations (updated 2005.01.07)
Virtual machines configured with a large amount of memory (usually more than 1 GB) could crash during power operations. The logged error message was:
ASSERT C:/ob/bora-11571/bora/devices/mainmem/mainMemHosted.c:216
This was fixed in build 11888.

PR 56479: Panic When Using CTRL-ALT-DEL to Reboot a Virtual Machine (updated 2005.01.07)
Under some circumstances, using CTL-ALT-DEL or CTL-ALT-INS from within a virtual machine would cause the virtual machine to crash. The logged error message was:
MONITOR PANIC: VMM fault
This was fixed in build 11888.

PR 56693: Virtual Machine Crashes on Power Off (updated 2005.01.07)
Under some circumstances, a virtual machine in full screen mode might crash at power off. The logged error message was:
ASSERT /build/mts/release/bora-11608/bora/mks/main/xinfo.c:501
This was fixed in build 11888.

PR 56907: Virtual Machine Crashes During Disk Operation (updated 2005.01.07)
Under rare circumstances, it was possible for a virtual machine to crash while performing disk operations. The logged error message was:
MONITOR PANIC: ASSERT vmcore/vmm/cpu/dt.c:2375
This was fixed in build 11888.

“As with typical service packs from Microsoft, Virtual Server 2005 Service Pack 1 will be primarily a rollup of fixes we have seen since the product was released to improve performance and increase scalability. In addition, with Service Pack 1, Virtual Server 2005 will have host support for Windows Server 2003 Service Pack 1 x64 Edition (note that this does not include IA64), provide PXE support, qualify Windows XP SP2 as a host and as a guest, and include the Virtual Disk Precompactor, a utility that is designed to “zero out” — that is, overwrite with zeros — any available blank space on a virtual hard disk.

Hewlett-Packard Co., Intel Corp. and Advanced Micro Devices Inc. are already working with Xen, according to officials at each of those companies. Intel and AMD are particularly interested in ensuring that Xen works well with their chip-partitioning technologies, which are due out next year.

Xen is available for download from the Web site of the University of Cambridge in England, where the 3-year-old open-source effort is based. The creators of Xen plan to open a company called XenSource Inc. in Palo Alto, Calif., within the next few weeks to support users of the technology.

Waiting for Acceptance

But corporate users may not embrace Xen until mainstream IT vendors back the technology.

That’s the case for Bob Armstrong, director of technical services at Delaware North Cos., a Buffalo, N.Y.-based hospitality services provider. Armstrong uses VMware Inc.’s virtualization software to run 19 guest operating systems on two production servers, each with two CPUs. He has virtualized about 25% of his data center and plans to increase that to about half of his systems over the next 18 months.

Armstrong said the technology from Palo Alto-based VMware, which is a division of EMC Corp., has allowed him to cut hardware spending by one-third. He also uses NetWare servers and will look at Novell’s virtualization technology. “Anywhere we can leverage our Novell investment, we would love to do that,” Armstrong said. “If we weren’t a Novell shop, we wouldn’t consider it.”

Xen supports Linux but not Windows, which means it’s unlikely to be adopted by Carmine Iannace, manager of IT architecture at Welch Foods Inc. in Concord, Mass. Iannace is running VMware environments that support Windows, Linux and Solaris. “We want to have the ability to run Windows, Solaris and Linux on the same server, and we really haven’t found anyone else who can provide that for us,” he said.

But Iannace added that the emergence of Linux vendors will increase competition in the virtualization market and help corporate users “by keeping a check on prices.”