
Virtual Machines vs. Containers Revisited - Part 1

Mobycast
Mobycast
Episode • Oct 9, 2019 • 47m

Show Details

In this episode, we cover the following topics:

  • VMs vs containers - why revisit?
    • Originally talked about this in episode 1
      • Got most of it right, but some inconsistencies/holes
      • Let's revisit to fill in the gaps, and dive a whole LOT deeper this time around
  • Types of virtualization
    • Full virtualization ("virtual machines")
      • Simulates enough hardware to allow an unmodified "guest" OS to be run in isolation
      • Resources of computer are partitioned via hypervisor
      • Examples:
        • VMware, Parallels, VirtualBox, Hyper-V
    • Operating-system-level virtualization ("containers")
      • Resources of computer are partitioned via the kernel
        • "Guest" OSes share same running instance of OS as the host system
      • Based on the virtualization, isolation, and resource management mechanisms provided by the Linux kernel
        • namespaces and cgroups
      • Examples:
        • Docker, LXC, FreeBSD jails
  • Hypervisors
    • Also known as a Virtual Machine Manager (VMM)
    • Creates and runs virtual machines
      • It is a process that separates OS and apps from underlying physical hardware
      • Multiple VMs share virtualized hardware resources
    • When you create a new VM, the following happens:
      • Hypervisor allocates memory and CPU space for VMs exclusive use
      • Complete OS is installed onto the VM
      • The VM's OS communicates with the hypervisor to perform tasks
    • Host OS is able to see all physical hardware, whereas guest OS (VM) can only see hardware to which hypervisor has granted access
    • Two types of hypervisors
      • Type 1 (also called "native" or "bare metal" hypervisors)
        • Run directly on the host’s hardware to control the hardware and manage the guest VMs
          • runs in ring 0
        • Are an OS themselves (simple OS on top of which you run VMs)
          • the physical machine the hypervisor is running on serves only for virtualization purposes
            • Exceptions: Hyper-V, KVM
        • Examples
          • Xen, Microsoft Hyper-V, VMware ESX/ESXi
      • Type 2 (also called "hosted" hypervisors)
        • Run on conventional OS, just like other apps
        • Guest OS runs as a process on the host
        • Hypervisor separates the guest OS from the host OS
        • Examples
          • VirtualBox, Parallels
    • Protection levels (rings)
      • The x86 family of CPUs provides a range of protection levels, also known as rings
        • Ring 0 has the highest level privilege (kernel/supervisor)
        • Ring 3 lowest level (applications)
      • Hypervisor occupies ring 0 of CPU
      • Kernels for any guest operating systems running on the system must run in less privileged CPU rings
        • But most OS kernels are written explicitly to run in ring 0
        • Techniques to deal with this:
          • Full virtualization
            • hypervisor provides CPU emulation to handle ring 0 operations made by unmodified guest OS kernels
            • emulation process requires both time and system resources
              • inferior performance
          • Paravirtualization
            • Technique in which hypervisor provides an API and the OS of the guest VM calls that API
            • Requires guest OS to be modified (to make API calls)
              • Replace any privileged operations that will only run in ring 0 of the CPU with calls to the hypervisor ("hypercalls")
            • Allows tasks to run in host OS (instead of in guest OS where performance would be worse)
          • Hardware virtualization
            • Requires a CPU with hardware virtualization extensions, such as Intel VT or AMD-V
              • Intel virtualization (VT-x)
                • Virtual Machine Extensions
                • Adds ten new instructions
                  • VMPTRLD, VMPTRST, VMCLEAR, VMREAD, VMWRITE, VMCALL, VMLAUNCH, VMRESUME, VMXOFF, and VMXON.
                  • These instructions permit entering and exiting a virtual execution mode where the guest OS perceives itself as running with full privilege (ring 0), but the host OS remains protected.
            • Reduces/eliminates any OS modifications in guest OS
            • Provides an additional privilege mode above ring 0 in which the hypervisor can operate
              • essentially leaving ring 0 available for unmodified guest OSes
            • Better performance than paravirtualization
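The notes above name two host-side facts a practitioner usually wants to confirm: whether the CPU exposes the hardware virtualization extensions (Intel VT-x / AMD-V, visible on Linux as the "vmx" / "svm" flags in /proc/cpuinfo) and whether the current process is already inside a kernel-partitioned container (visible in /proc/self/cgroup). The script below is an added example, not material from the episode; the /proc samples it embeds are constructed, and the container check is a heuristic on cgroup path names, not a guarantee.

```python
"""Check a Linux host for hardware virtualization support (VT-x / AMD-V)
and for signs that this process runs inside a container (cgroups).
Added example with constructed sample data; the container test is a hint only."""
import re
from typing import Optional

# Constructed /proc/cpuinfo excerpts (only the lines this script needs).
SAMPLE_CPUINFO_INTEL = "processor\t: 0\nvendor_id\t: GenuineIntel\nflags\t\t: fpu pae vmx sse4_2\n"
SAMPLE_CPUINFO_AMD = "processor\t: 0\nvendor_id\t: AuthenticAMD\nflags\t\t: fpu pae svm sse4_2\n"
SAMPLE_CPUINFO_NOVIRT = "processor\t: 0\nflags\t\t: fpu pae sse4_2\n"
# Constructed /proc/self/cgroup lines: one from a Docker container, one from a host shell.
SAMPLE_CGROUP_DOCKER = "0::/docker/0123456789ab\n"
SAMPLE_CGROUP_HOST = "0::/user.slice/user-1000.slice/session-2.scope\n"


def parse_cpu_flags(cpuinfo_text: str) -> set:
    """Return the union of CPU feature flags found in /proc/cpuinfo-style text."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        if line.lower().startswith("flags"):
            _, _, value = line.partition(":")
            flags.update(value.split())
    return flags


def hw_virt_extension(flags: set) -> Optional[str]:
    """Name the extension a hypervisor could use, or None if only
    CPU emulation (full virtualization) or paravirtualization remain."""
    if "vmx" in flags:
        return "Intel VT-x"
    if "svm" in flags:
        return "AMD-V"
    return None


def container_hint(cgroup_text: str) -> bool:
    """True when a cgroup path looks like one a container runtime creates."""
    return bool(re.search(r"/(docker|lxc|kubepods)[/.-]", cgroup_text))


def inspect_host() -> dict:
    """Read the real /proc files where they exist (Linux only); else report unknown."""
    result = {"hw_virt": None, "container_hint": False}
    try:
        with open("/proc/cpuinfo") as f:
            result["hw_virt"] = hw_virt_extension(parse_cpu_flags(f.read()))
        with open("/proc/self/cgroup") as f:
            result["container_hint"] = container_hint(f.read())
    except OSError:
        pass
    return result


if __name__ == "__main__":
    print(inspect_host())
```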

End Song
Time for Trees - Sad Livin in the (New York) City - (David Last Remix)
For a full transcription of this episode, please visit the episode webpage.

We'd love to hear from you! You can reach us at: