虚拟机缓存划分的设计与实现

阐述了一种基于VMM(virtual machine manager)的虚拟机缓存划分的设计与实现。该方法采用操作系统中的页面着色技术,在虚拟机管理器Xen上进行实现。这种机制对于VMM之上的客户操作系统是完全透明的,便于操作,具有很好的灵活性。经测试表明,提出的缓存划分的方法能够显著地提高同时运行在不同虚拟机上的应用程序的性能。对从SPEC CPU 2006基准测试程序里面挑选出来的并发程序的负载进行测试,结果表明缓存划分最高可以使其性能提升19%。     

基于VMM层系统调用分析的软件完整性验证

在虚拟化云计算平台中,如何保证其上运行软件的可信性是云平台广泛应用的关键.完整性测量与验证技术是保证软件系统可信性的一种主要方法.然而,现有的软件完整性验证系统大多需要修改操作系统内核,很难为大规模虚拟机环境中的众多异构系统提供一致解决方案,且无法抵御内核级恶意攻击.针对当前方法在兼容性、安全性以及可管理性上存在的问题,设计并实现了一种在VMM层基于系统调用分析技术来验证软件完整性的方法VMGuard.它通过截获客户操作系统中的系统调用来识别软件加载,并基于系统调用关联性分析和虚拟机文件系统元数据重构技术来验证客户操作系统中软件的完整性.在Qemu和KVM两种主流虚拟化平台上实现了VMGuard,并通过实验评测VMGuard的有效性和性能.实验结果表明,VMGuard能够有效验证客户操作系统中软件的完整性,且性能开销在10%以内.     

基于协作型VMM的虚拟机执行环境动态配置模型

针对当前各类虚拟机监控器(VMM)在定制虚拟机执行环境过程中灵活性不足、可用性不强方面的问题,提出并设计了一种用户动态配置虚拟机执行环境的模型,并在协作型VMM之上进行了实现。结合Intel VT-x技术的实现机制,充分利用虚拟机控制结构(VMCS)中的执行控制域特性,通过为用户提供接口,对虚拟机配置文件进行操作,实现对虚拟机执行环境的实时动态配置。用户利用该模型能够快速构建具有不同运行时特性的虚拟机执行环境。测试结果表明,该模型能够提高VMM的可用性。     

自适应调整虚拟机权重参数的调度方法

在基于特权服务操作系统的虚拟机架构下客户操作系统需要借助特权服务操作系统来访问真实硬件,目前虚拟机调度算法的优化主要是侧重于I/O密集型虚拟机的研究,而忽视了CPU密集型虚拟机,更忽视了特权服务操作系统的I/O处理能力对虚拟机整体性能的影响.针对这些问题,提出了一种基于Credit算法的自适应调整虚拟机权重参数的优化调度方法,将特权服务操作系统的I/O处理能力作为虚拟机参数调整的一个重要参数,同时兼顾I/O密集型虚拟机和CPU密集型虚拟机对资源的需求.实验结果表明该方法能够及时根据当前的I/O请求数量和特权服务操作系统的处理能力合理调整虚拟机的权重参数,从而大大提高了客户操作系统CPU处理性能和硬件设备的访问性能.     

修改客户操作系统优化KVM虚拟机的I/O性能

目前,运行在虚拟机上的客户操作系统(Guest OS)是面向物理机器开发的普通操作系统,其中存在不适应虚拟化环境的因素,影响虚拟机的I/O性能.作者通过测试发现了影响虚拟机I/O性能的一些问题,针对这些问题提出了优化方法:一方面,通过合并客户操作系统中连续的I/O指令,降低虚拟机的时钟中断频率,从而降低环境切换的开销;另一方面,消除客户操作系统中的冗余操作,包括在虚拟化环境下无效的函数、冗余的I/O调度以及虚拟网卡驱动对NAPI的支持,使虚拟机只执行必要的操作,从而提高系统的性能.     

浅谈虚拟机在网络教学中的应用

本文介绍了用VMware虚拟机软件构建虚拟机操作系统的方法。运用虚拟机,可在一台计算机运行真实操作系统的同时运行多个虚拟机,并可模拟出一个局域网网络环境,极大地方便了计算机教学的开展。     

基于硬件虚拟化的虚拟机进程代码分页式度量方法

云环境下恶意软件可利用多种手段篡改虚拟机（VM）中关键业务代码,威胁其运行的稳定性。传统的基于主机的度量系统易被绕过或攻击而失效,针对在虚拟机监视器（VMM）层难以获取虚拟机中运行进程完整代码段并对其进行完整性验证的问题,提出基于硬件虚拟化的虚拟机进程代码分页式度量方法。该方法以基于内核的虚拟机（KVM）作为虚拟机监视器,在VMM层捕获虚拟机进程的系统调用作为度量流程的触发点,基于相对地址偏移解决了不同版本虚拟机之间的语义差异,实现了分页式度量方法在VMM层透明地验证虚拟机中运行进程代码段的完整性。实现的原型系统——虚拟机分页式度量系统（VMPMS）能有效度量虚拟机中进程,性能损耗在可接受范围内。     

基于Xen虚拟机的内存资源实时监控与按需调整

在虚拟计算环境中,难以实时地监控与分配内存资源。针对以上问题,基于Xen虚拟计算环境,提出一种能够实时监控Xen虚拟机内存(VMM)使用情况的XMMC方法并进行了实现。所提方法运用Xen虚拟机提供的超级调用,其不仅能实时地监控虚拟机内存使用情况,而且能实时动态按需分配虚拟机内存。实验结果表明,XMMC方法对虚拟机应用程序造成的性能损失很小,低于5%;能够对客户虚拟机的内存资源占用情况进行实时的监测与按需调整,为多虚拟机的管理提供方便。     

基于VMM的操作系统隐藏对象关联检测技术

恶意软件通过隐藏自身行为来逃避安全监控程序的检测.当前的安全监控程序通常位于操作系统内部,难以有效检测恶意软件,特别是内核级恶意软件的隐藏行为.针对现有方法中存在的不足,提出了基于虚拟机监控器(virtual machine monitor,简称VMM)的操作系统隐藏对象关联检测方法,并设计和实现了相应的检测系统vDetector.采用隐式和显式相结合的方式建立操作系统对象的多个视图,通过对比多视图间的差异性来识别隐藏对象,支持对进程、文件及网络连接这3种隐藏对象的检测,并基于操作系统语义建立隐藏对象间的关联关系以识别完整攻击路径.在KVM虚拟化平台上实现了vDetector的系统原型,并通过实验评测vDetector的有效性和性能.结果表明,vDetector能够有效检测出客户操作系统(guest OS)中的隐藏对象,且性能开销在合理范围内.     

来稿选摘

Windows95下虚拟设备驱动程序的编制与应用Windows95操作系统能够实现多线性、多进程的应用,系统通过一个虚拟机管理器VMM32和其它的设备驱动程序合作,来实现多个进程间的协调工作,防止一个进程的运行导致另一个进程的崩溃。本文对Windows95下的虚拟设备驱动程序进行了...     

Rethinking the design of virtual machine monitors

A virtual machine monitor is a software system that partitions a single physical machine into multiple virtual machines. Traditionally, VMMs have created a precise replica of the underlying physical machine. Through faithful emulation, VMMs support the execution of legacy guest operating systems such as Windows or Linux without modifications. However, traditional VMMs suffer from poor scalability and extensibility. To overcome the poor scalability and extensibility of traditional virtual machine monitors that partition a single physical machine into multiple virtual machines, the Denali VMM uses paravirtualization to promote scalability and hardware interposition to promote extensibility.     

Xen虚拟机的虚拟CPU松弛协同调度方法

目前,Xen虚拟机调度算法均采用独立调度虚拟CPU的方式,而没有考虑虚拟机各虚拟CPU之间的协同调度关系,这会使虚拟机各个虚拟CPU之间产生很大的时钟中断数量偏差等问题,从而导致系统不稳定.为了提高系统的稳定性,基于Credit算法提出了一种比RCS(relaxed co-scheduling)算法更松弛的协同调度算法MRCS(more relaxed co-scheduling).该算法采用非抢占式协同调整方法将各个虚拟CPU相对运行的时间间隔控制在同步时间检测的上限门限值Tmax之内,同时利用同步队列中虚拟CPU优化选择调度方法和Credit算法的虚拟CPU动态迁移方法,能够更加及时地协同处理虚拟CPU,并且保证了各个物理CPU的负载均衡,有效地减少客户操作系统与VMM的环境切换次数,降低了系统开销.实验结果证明该方法不但保证了系统的稳定性,而且使系统性能得到一定程度的提升.虚拟机调度算法不仅影响虚拟机的性能,更会影响虚拟机的稳定性,致力于虚拟机调度算法的研究是一项非常有意义的工作.     

Transparently bridging semantic gap in CPU management for virtualized environments

Consolidated environments are progressively accommodating diverse and unpredictable workloads in conjunction with virtual desktop infrastructure and cloud computing. Unpredictable workloads, however, aggravate the semantic gap between the virtual machine monitor and guest operating systems, leading to inefficient resource management. In particular, CPU management for virtual machines has a critical impact on I/O performance in cases where the virtual machine monitor is agnostic about the internal workloads of each virtual machine. This paper presents virtual machine scheduling techniques for transparently bridging the semantic gap that is a result of consolidated workloads. To enable us to achieve this goal, we ensure that the virtual machine monitor is aware of task-level I/O-boundedness inside a virtual machine using inference techniques, thereby improving I/O performance without compromising CPU fairness. In addition, we address performance anomalies arising from the indirect use of I/O devices via a driver virtual machine at the scheduling level. The proposed techniques are implemented on the Xen virtual machine monitor and evaluated with micro-benchmarks and real workloads on Linux and Windows guest operating systems.     

利用虚拟机动态迁移技术整合虚拟和模拟环境

系统虚拟化和模拟技术对当今计算机科学研究和相关产业有着重要的影响.整合虚拟和模拟环境,让运行在虚拟机中的操作系统获得更多重要的服务是一项具有挑战性和有意义的工作.由系统虚拟化提供的虚拟机动态迁移技术作进一步扩展后,可整合这两个计算环境.提出Roam,一个支持在虚拟和模拟环境之间进行虚拟机动态迁移的框架.开发的Roam原型系统实现了Linux虚拟机在Xen和纯Qemu环境之间的动态迁移.相关性能测试表明Roam是一个可行的虚拟机动态迁移方案,并且虚拟机的停机时间和整体迁移时间都在一个可接受的范围内.     

Task mapper and application-aware virtual machine scheduler oriented for parallel computing

We design a task mapper TPCM for assigning tasks to virtual machines, and an application-aware virtual machine scheduler TPCS oriented for parallel computing to achieve a high performance in virtual computing systems. To solve the problem of mapping tasks to virtual machines, a virtual machine mapping algorithm (VMMA) in TPCM is presented to achieve load balance in a cluster. Based on such mapping results, TPCS is constructed including three components: a middleware supporting an application-driven scheduling, a device driver in the guest OS kernel, and a virtual machine scheduling algorithm. These components are implemented in the user space, guest OS, and the CPU virtualization subsystem of the Xen hypervisor, respectively. In TPCS, the progress statuses of tasks are transmitted to the underlying kernel from the user space, thus enabling virtual machine scheduling policy to schedule based on the progress of tasks. This policy aims to exchange completion time of tasks for resource utilization. Experimental results show that TPCM can mine the parallelism among tasks to implement the mapping from tasks to virtual machines based on the relations among subtasks. The TPCS scheduler can complete the tasks in a shorter time than can Credit and other schedulers, because it uses task progress to ensure that the tasks in virtual machines complete simultaneously, thereby reducing the time spent in pending, synchronization, communication, and switching. Therefore, parallel tasks can collaborate with each other to achieve higher resource utilization and lower overheads. We conclude that the TPCS scheduler can overcome the shortcomings of present algorithms in perceiving the progress of tasks, making it better than schedulers currently used in parallel computing.     

Improving the virtualization of rich applications by combining VNC and streaming protocols at the hypervisor layer

Virtual desktop infrastructure (VDI) solutions seek to provide a satisfactory user experience at the client side when accessing remote desktop applications, even from mobile devices with limited capabilities. This paper presents a new approach, improving on previous work by the authors, in which a combination of Virtual Network Computing (VNC) and streaming protocols allowed efficient remote web access to virtualized applications within a cloud architecture. The new approach simplifies virtual machine templates, from which virtual machine instances are deployed, by centralizing software modules, greatly simplifying their management. Our new contribution consists of an integrated solution with specific WebM video encoding modules in charge of application visual output processing, an Hypertext Transfer Protocol (HTTP) streaming server, and a VNC server. The solution can be installed in the hypervisor of the host machines instead of replicating the servers and modules throughout the guest (virtual) machines that run the virtualized applications. Consequently, their implementations are unique and independent of the operating system of the virtual machines. In short, it is not necessary to provide different implementations for different operating systems, which reduces the complexity of virtual machine templates and greatly simplies platform management. To demonstrate our solution, we have modified the Quick Emulator (QEMU)‐Kernel‐based Virtual Machine (KVM) hypervisor source code accordingly. We also present qualitative and quantitative analyses that demonstrate that the new approach is advantageous in terms of software management and quality of experience, compared with our previous work and other well‐known thin clients, contributing to the enhancement of VDI systems. Copyright © 2015 John Wiley & Sons, Ltd.     

负载类型相关的Xen虚拟机系统性能模型

针对Xen虚拟机系统执行网络I/O密集型负载时容易耗尽Domain0的CPU资源而过载和执行计算密集型负载时在客户域平均性能与数目之间存在线性规划的问题,提出了两个负载类型相关的性能模型。首先,通过分析Xen虚拟机系统处理网络I/O操作的CPU资源消耗规律,建立了CPU核共享和CPU核隔离两种情况下的客户域网络I/O操作请求次数计算模型;然后,通过分析多个相同客户域并行执行计算密集型负载的平均性能与一个相同客户域执行相同负载的性能表现之间的关系,建立了并行执行计算密集型负载的客户域平均性能分析模型。实验结果表明,两个性能模型能够有效地限制客户域提交的网络I/O操作请求次数以防止Xen虚拟机系统过载,并求解给定资源配置情况下执行计算密集型负载的Xen虚拟机系统客户域伸缩性数目。     

一种针对Xen超级调用的入侵防护方法

云计算技术已飞速发展并被广泛应用,虚拟化作为云计算的重要支撑,提高了平台对资源的利用效率与管理能力。作为一款开源虚拟化软件,Xen独特的设计思想与优良的虚拟化性能使其被许多云服务商采用,然而Xen虚拟机监视器同样面临着许多安全问题。Xen为虚拟机提供的特权接口可能被虚拟机恶意代码利用,攻击者可以借此攻击Xen或者运行其上的虚拟机。文章针对Xen向虚拟机提供的超级调用接口面临被恶意虚拟机内核代码利用的问题,提出了一种基于执行路径的分析方法,用以追溯发起该超级调用的虚拟机执行路径,与一个最初的路径训练集进行对比,可以避免超级调用被恶意虚拟机内核代码利用。该方法通过追溯虚拟机内核堆栈信息,结合指令分析与虚拟机内核符号表信息,实现了虚拟化平台下对虚拟机执行路径的动态追踪与重构。在Xen下进行实验,通过创建新的虚拟机并让其单独运行来获得训练集,训练集中包含所有发起该超级调用的虚拟机路径信息。在随后虚拟机运行过程中针对该超级调用动态构造出对应的虚拟机执行路径,将其与训练集对比,避免非正常执行路径的超级调用发生。     

Optimizing guest swapping using elastic and transparent memory provisioning on virtualization platform

On virtualization platforms, peak memory demand caused by hotspot applications often triggers page swapping in guest OS, causing performance degradation inside and outside of this virtual machine (VM). Even though host holds sufficient memory pages, guest OS is unable to utilize free pages in host directly due to the semantic gap between virtual machine monitor (VMM) and guest operating system (OS). Our work aims at utilizing the free memory scattered in multiple hosts in a virtualization environment to improve the performance of guest swapping in a transparent and implicit way. Based on the insightful analysis of behavioral characteristics of guest swapping, we design and implement a distributed and scalable framework HybridSwap. It dynamically constructs virtual swap pools using various policies, and builds up a synthetic swapping mechanism in a peer-to-peer way, which can adaptively choose different virtual swap pools.We implement the prototype of HybridSwap and evaluate it with some benchmarks in different scenarios. The evaluation results demonstrate that our solution has the ability to promote the guest swapping efficiency indeed and shows a double performance promotion in some cases. Even in the worst case, the system overhead brought by HybridSwap is acceptable.     

面向虚拟机的远程磁盘缓存

在虚拟机(virtual machine)系统中,随着虚拟机数量和应用程序需求的不断增长,内存容量已经成为应用程序性能的主要瓶颈。为了提升内存密集型和I/O密集型程序的页面交换性能,提出了虚拟机的远程磁盘缓存机制REMOCA,它允许运行在一台物理主机上的虚拟机将其他物理主机的内存作为其二级磁盘缓存。由于网络传输延迟远远小于磁盘访问,用网络传输代替磁盘访问就能够有效地降低虚拟机的平均磁盘访问延迟。REMOCA的目标就要尽可能地减少磁盘访问。REMOCA运行在虚拟机管理器中,其基本工作原理是截获并处理虚拟机的页面淘汰、磁盘访问等事件。REMOCA能够与现有的虚拟机内存管理机制(如气球技术、影子缓存)相结合,从而提供更加灵活的内存资源管理策略。实验数据表明,REMOCA能有效地降低页面抖动对虚拟机性能的影响,并在很大程度上提升虚拟机中I/O密集型应用的性能。