Denial-of-Service attacks on PCI passthrough devices: Demonstrating the impact on network- and storage-I/O performance

PCI Passthrough is an established x86 server technology for directly assigning PCIe devices to Virtual Machines (VMs). In combination with Single Root I/O Virtualization, which enables concurrent sharing of single physical PCIe I/O devices, PCI Passthrough enables low overhead and high performance I/O virtualization. Besides server environments, the combination is also a promising approach for sharing I/O in future multi-core embedded systems. In this paper, we demonstrate that PCI Passthrough has yet-to-be-solved problems regarding performance isolation, because it is prone to Denial-of-Service (DoS) attacks. VMs executing DoS attacks on Passthrough devices can degrade the I/O performance of devices that share PCIe links with the DoS victim, which may affect concurrent VMs and the host. We evaluate how attacks on an SR-IOV capable Gigabit Ethernet NIC cause a degradation of the system’s network- and storage-I/O performance. The attacked NIC’s TCP throughput drops by 35%; other NICs that share PCIe links with the victim see degradations of 46% and 65%; performance of a host-assigned SSD degrades by 77%. We investigate what influences the severity of such attacks and introduce three protection approaches.     

Partial migration technique for GPGPU tasks to Prevent GPU Memory Starvation in RPC-based GPU Virtualization

Graphics processing unit (GPU) virtualization technology enables a single GPU to be shared among multiple virtual machines (VMs), thereby allowing multiple VMs to perform GPU operations simultaneously with a single GPU. Because GPUs exhibit lower resource scalability than central processing units (CPUs), memory, and storage, many VMs encounter resource shortages while running GPU operations concurrently, implying that the VM performing the GPU operation must wait to use the GPU. In this paper, we propose a partial migration technique for general-purpose graphics processing unit (GPGPU) tasks to prevent the GPU resource shortage in a remote procedure call-based GPU virtualization environment. The proposed method allows a GPGPU task to be migrated to another physical server's GPU based on the available resources of the target's GPU device, thereby reducing the wait time of the VM to use the GPU. With this approach, we prevent resource shortages and minimize performance degradation for GPGPU operations running on multiple VMs. Our proposed method can prevent GPU memory shortage, improve GPGPU task performance by up to 14%, and improve GPU computational performance by up to 82%. In addition, experiments show that the migration of GPGPU tasks minimizes the impact on other VMs.     

基于网卡虚拟化的高性能容器网络设计

单根I/O虚拟化技术为传统数据中心提供高效的服务器整合能力和灵活的应用部署能力,通过将多个网卡直通到虚拟机,减少额外包复制带来的性能损失,使得网络I/O具有接近主机的性能。然而,在网络功能虚拟化场景下单独使用单根I/O虚拟化技术会降低传统数据中心的网络I/O虚拟化性能。针对网络功能虚拟化长链场景,结合单根I/O虚拟化技术和软件虚拟化技术,设计基于网卡虚拟化的高性能容器网络。通过转发模块判断网络流量的目的地址,寻找最优的流量转发路径,实现流量的灵活转发。利用基于脚本程序的自动化部署模块,对每个节点业务进行支持动态增删服务的配置,便于用户对网络进行管理和修改。实验结果表明,在网络功能虚拟化长链场景下,相比单根I/O虚拟化技术,该网络延迟降低约20%,同时能够有效提高网络吞吐量,解决数据中心的网络I/O虚拟化问题。     

基于Xen的I／O准虚拟化驱动研究

针对全虚拟化下客户端虚拟机无法“感知”虚拟机监视器的问题,对基于Xen的I／O准虚拟化驱动进行研究,通过实验可知,准虚拟化驱动能够消除全虚拟化方式下虚拟机监视器“黑箱”特性的限制,可以实现和虚拟机监视器的密切配合,从而提高I／O性能。在虚拟机Xen的全虚拟化环境中加入准虚拟化驱动,采用对比测试方法验证了该驱动能大幅提升网络性能。     

一种灵活高效的虚拟CPU调度算法

目前,虚拟化已经广泛应用于数据中心,但主流的虚拟CPU调度策略并没有实现对I/O性能的保障,尤其当延时敏感型负载的虚拟机和计算敏感型负载的虚拟机竞争CPU资源时,其性能显著下降.针对上述问题,本文提出了一种灵活、高效的虚拟CPU调度算法（FLMS）.FLMS通过采用虚拟机分类、虚拟CPU绑定、多类时间片等技术降低了虚拟机的响应延时,同时基于多处理器架构重新设计了负载均衡策略,优化了虚拟CPU迁移.FLMS通用于目前主流的虚拟化方案,在软件虚拟化方式下相比于最新的优化方案延时降低了30%,带宽有10%的提升;在使用硬件辅助虚拟化的系统中,通过FLMS能够获得接近原生系统的I/O性能,并且保证了整个系统的公平性.     

Virtio network paravirtualization driver: Implementation and performance of a de-facto standard

One of the techniques used to improve I/O performance of virtual machines is paravirtualization. Paravirtualized devices are intended to reduce the performance overhead on full virtualization where all hardware devices are emulated. The interface of a paravirtualized device is not identical to that of the underlying hardware. The OS of the virtual guest machine must be ported in order to use a paravirtualized device. In this paper, the network virtualization done by the Kernel-based Virtual Machine (KVM) is described. The KVM model is different from other Virtual Machines Monitors (VMMs) because the KVM is a Linux kernel model and it depends on hardware support. In this work, the overhead of using such virtual networks is been measured. A paravirtualized model by using the virtio [38] network driver is described, and some performance results of web benchmark on the two models are presented.     

Virtual Battery: A testing tool for power-aware software

Virtualization is an inexpensive and convenient method for setting up software test environments. Thus it is being widely used as a test tool for software products requiring high reliability such as mission critical cyber-physical systems. However, existing virtualization platforms do not fully virtualize the battery subsystem. Therefore, it is difficult to test battery-related features of guest systems. In this paper, we propose Virtual Battery, a battery virtualization scheme for type II full virtualization platforms. Virtual Battery takes the form of an ACPI-compatible battery device driver dedicated to each virtual machine, which virtualizes a target system. Through Virtual Battery, developers can easily manipulate the charging and battery status of each virtual machine (VM), regardless of the existence or current status of the host system’s battery. In addition, Virtual Battery emulates the behavior of batteries by discharging the virtual batteries according to the resource usages of their VMs. This feature enables VMs to act as battery resource containers. Three case studies demonstrate the effectiveness of the proposed scheme.     

Enabling OpenCL support for GPGPU in Kernel‐based Virtual Machine

The importance of heterogeneous multicore programming is increasing, and Open Computing Language (OpenCL) is an open industrial standard for parallel programming that provides a uniform programming model for programmers to write efficient, portable code for heterogeneous computing devices. However, OpenCL is not supported in the system virtualization environments that are often used to improve resource utilization. In this paper, we propose an OpenCL virtualization framework based on Kernel‐based Virtual Machine with API remoting to enable multiplexing of multiple guest virtual machines (guest VMs) over the underlying OpenCL resources. The framework comprises three major components: (i) an OpenCL library implementation in guest VMs for packing/unpacking OpenCL requests/responses; (ii) a virtual device, called virtio‐CL, that is responsible for the communication between guest VMs and the hypervisor (also called the VM monitor); and (iii) a thread, called CL thread, that is used for the OpenCL API invocation. Although the overhead of the proposed virtualization framework is directly affected by the amount of data to be transferred between the OpenCL host and devices because of the primitive nature of API remoting, experiments demonstrated that our virtualization framework has a small virtualization overhead (mean of 6.8%) for six common device‐intensive OpenCL programs and performs well when the number of guest VMs involved in the system increases. These results indirectly infer that the framework allows for effective resource utilization of OpenCL devices.Copyright © 2012 John Wiley & Sons, Ltd.     

基于轻量操作系统的虚拟机内省与内存安全监测

针对在传统特权虚拟机中利用虚拟机内省实时监测其他虚拟机内存安全的方法不利于安全模块与系统其他部分的隔离,且会拖慢虚拟平台的整体性能的问题,提出基于轻量操作系统实现虚拟机内省的安全架构,并提出基于内存完整性度量的内存安全监测方案。通过在轻量客户机中实现内存实时检测与度量,减小了安全模块的可攻击面,降低了对虚拟平台整体性能的影响。通过无干涉的内存度量和自定义的虚拟平台授权策略增强了安全模块的隔离性。基于Xen中的小型操作系统Mini-OS实现了虚拟机内省与内存检测系统原型,评估表明该方案比在特权虚拟机中实现的同等功能减少了92%以上的性能损耗,有效提高了虚拟机内省与实时度量的效率。     

Performance models of storage contention in cloud environments

We propose simple models to predict the performance degradation of disk requests due to storage device contention in consolidated virtualized environments. Model parameters can be deduced from measurements obtained inside Virtual Machines (VMs) from a system where a single VM accesses a remote storage server. The parameterized model can then be used to predict the effect of storage contention when multiple VMs are consolidated on the same server. We first propose a trace-driven approach that evaluates a queueing network with fair share scheduling using simulation. The model parameters consider Virtual Machine Monitor level disk access optimizations and rely on a calibration technique. We further present a measurement-based approach that allows a distinct characterization of read/write performance attributes. In particular, we define simple linear prediction models for I/O request mean response times, throughputs and read/write mixes, as well as a simulation model for predicting response time distributions. We found our models to be effective in predicting such quantities across a range of synthetic and emulated application workloads.     

SR-IOV技术在OpenStack中的应用

在OpenStack云平台中,一台物理服务器上可能同时运行着十几台虚拟机,这对于物理服务器的I/O性能要求是非常高的.因此,I/O虚拟化技术的效率对于整个OpenStack云平台的网络性能提升都有着至关重要的作用.为了提高系统整体的网络性能,在OpenStack云平台中引入SR-IOV技术成为了一种可选的方式.本文通过对比实验测试了SR-IOV技术对于OpenStack云平台上网络I/O性能的影响.最终对实验结果进行分析可知,在引入SR-IOV技术后,OpenStack云平台上的计算节点I/O虚拟化性能提升了大概50%.     

基于硬件队列扩展的网卡虚拟化方案

多核架构的虚拟平台对偏重于I/O访问的应用普遍存在虚拟化性能开销大的问题。为此,提出一种基于驱动域的网卡虚拟化方案。通过具有独立中断的硬件队列对网卡进行硬件扩展,减少网卡I/O访问中虚拟机监控器的参与,提高访问效率。测试结果表明,在消息长度达到1 024 Byte时,使用虚拟接口的时延仅比非虚拟化环境高10%。     

Energy-efficiency enhanced virtual machine scheduling policy for mixed workloads in cloud environments

Virtualization technology is an effective approach to improving the energy-efficiency in cloud platforms; however, it also introduces many energy-efficiency losses especially when I/O virtualization is involved. In this paper, we present an energy-efficiency enhanced virtual machine (VM) scheduling policy, namely Share-Reclaiming with Collective I/O (SRC-I/O), with aiming at reducing the energy-efficiency losses caused by I/O virtualization. The proposed SRC-I/O scheduler allows VMs to reclaim extra CPU shares in certain conditions so as to increase CPU utilization. Meanwhile, it separates I/O-intensive VMs from CPU-intensive ones and schedules them in a collective manner, so as to reduce the context-switching cost when scheduling mixed workloads. Extensive experiments are conducted on various platforms to investigate the performance of the proposed scheduler. The results indicate that when the system is in presence of mixed workloads, SRC-I/O scheduler outperforms many existing VM schedulers in terms of energy-efficiency and I/O responsiveness.     

Virtual machine cluster mobility in inter-cloud platforms

Modern cloud computing applications developed from different interoperable services that are interfacing with each other in a loose coupling approach. This work proposes the concept of the Virtual Machine (VM) cluster migration, meaning that services could be migrated to various clouds based on different constraints such as computational resources and better economical offerings. Since cloud services are instantiated as VMs, an application can be seen as a cluster of VMs that integrate its functionality. We focus on the VM cluster migration by exploring a more sophisticated method with regards to VM network configurations. In particular, networks are hard to managed because their internal setup is changed after a migration, and this is related with the configuration parameters during the re-instantiation to the new cloud platform. To address such issue, we introduce a Software Defined Networking (SDN) service that breaks the problem of network configuration into tractable pieces and involves virtual bridges instead of references to static endpoints. The architecture is modular, it is based on the SDN OpenFlow protocol and allows VMs to be paired in cluster groups that communicate with each other independently of the cloud platform that are deployed. The experimental analysis demonstrates migrations of VM clusters and provides a detailed discussion of service performance for different cases.     

Latency-aware virtual desktops optimization in distributed clouds

Distributed clouds offer a choice of data center locations for providers to host their applications. In this paper, we consider distributed clouds that host virtual desktops which are then accessed by users through remote desktop protocols. Virtual desktops have different levels of latency-sensitivity, primarily determined by the actual applications running and affected by the end users’ locations. In the scenario of mobile users, even switching between 3G and WiFi networks affects the latency-sensitivity. We design VMShadow, a system to automatically optimize the location and performance of latency-sensitive VMs in the cloud. VMShadow performs black-box fingerprinting of a VM’s network traffic to infer the latency-sensitivity and employs both ILP and greedy heuristic based algorithms to move highly latency-sensitive VMs to cloud sites that are closer to their end users. VMShadow employs a WAN-based live migration and a new network connection migration protocol to ensure that the VM migration and subsequent changes to the VM’s network address are transparent to end-users. We implement a prototype of VMShadow in a nested hypervisor and demonstrate its effectiveness for optimizing the performance of VM-based desktops in the cloud. Our experiments on a private as well as the public EC2 cloud show that VMShadow is able to discriminate between latency-sensitive and insensitive desktop VMs and judiciously moves only those that will benefit the most from the migration. For desktop VMs with video activity, VMShadow improves VNC’s refresh rate by 90% by migrating virtual desktop to the closer location. Transcontinental remote desktop migrations only take about 4 min and our connection migration proxy imposes 13 μs overhead per packet.     

HPC Cloud环境中基于网络Ⅰ/O负载的虚拟机放置算法

随着虚拟化技术和云计算技术的发展,越来越多的高性能计算应用运行在云计算资源上.在基于虚拟化技术的高性能计算云系统中,高性能计算应用运行在多个虚拟机之中,这些虚拟机可能放置在不同的物理节点上.若多个通信密集型作业的虚拟机放置在相同的物理节点上,虚拟机之间将竞争物理节点的网络Ⅰ/O资源,如果虚拟机对网络Ⅰ/O资源的需求超过物理节点的网络Ⅰ/O带宽上限,将严重影响通信密集型作业的计算性能.针对虚拟机对网络Ⅰ/O资源的竞争问题,提出一种基于网络Ⅰ/O负载均衡的虚拟机放置算法NLPA,该算法采用网络Ⅰ/O负载均衡策略来减少虚拟机对网络Ⅰ/O资源的竞争.实验表明,与贪心算法进行比较,对于同样的高性能计算作业测试集,NLPA算法在完成作业的计算时间、系统中的网络Ⅰ/O负载吞吐率、网络Ⅰ/O负载均衡3个方面均有更好的表现.     

Xen2MX: High-performance communication in virtualized environments

Cloud computing infrastructures provide vast processing power and host a diverse set of computing workloads, ranging from service-oriented deployments to high-performance computing (HPC) applications. As HPC applications scale to a large number of VMs, providing near-native network I/O performance to each peer VM is an important challenge. In this paper we present Xen2MX, a paravirtual interconnection framework over generic Ethernet, binary compatible with Myrinet/MX and wire compatible with MXoE. Xen2MX combines the zero-copy characteristics of Open-MX with Xen's memory sharing techniques. Experimental evaluation of our prototype implementation shows that Xen2MX is able to achieve nearly the same raw performance as Open-MX running in a non-virtualized environment. On the latency front, Xen2MX performs as close as 96% to the case where virtualization layers are not present. Regarding throughput, Xen2MX saturates a 10 Gbps link, achieving 1159 MB/s, compared to 1192 MB/s of the non-virtualized case. Scales efficiently with the number of VMs, saturating the link for even smaller messages when 40 single-core VMs put pressure on the network adapters.     

Precise contention-aware performance prediction on virtualized multicore system

Multicore systems are widely deployed in both the embedded and the high end computing infrastructures. However, traditional virtualization systems can not effectively isolate shared micro architectural resources among virtual machines (VMs) running on multicore systems. CPU and memory intensive VMs contending for these resources will lead to serious performance interference, which makes virtualization systems less efficient and VM performance less stable. In this paper, we propose a contention-aware performance prediction model on the virtualized multicore systems to quantify the performance degradation of VMs. First, we identify the performance interference factors and design synthetic micro-benchmarks to obtain VM’s contention sensitivity and intensity features that are correlated with VM performance degradation. Second, based on the contention features, we build VM performance prediction model using machine learning techniques to quantify the precise levels of performance degradation. The proposed model can be used to optimize VM performance on multicore systems. Our experimental results show that the performance prediction model achieves high accuracy and the mean absolute error is 2.83%.     

基于SR-IOV的IO虚拟化技术

虚拟技术经过多年的发展,CPU虚拟化与内存虚拟化均已成熟,而I/O虚拟化方面却未出现大的变化,成为当前虚拟技术性能提高的瓶颈。近期Intel公司提出的SR-IOV技术通过在硬件层增加虚拟支持,与原有I/O虚拟化中采用的Passthrough技术相结合,极大的提高了物理设备的使用效率和客户域的I/O性能。文章在总结虚拟技术中采用过的I/O模型基础上,分析了SR-IOV技术的实现和特点。     

Anomaly detection and identification scheme for VM live migration in cloud infrastructure

Virtual machines (VM) offer simple and practical mechanisms to address many of the manageability problems of leveraging heterogeneous computing resources. VM live migration is an important feature of virtualization in cloud computing: it allows administrators to transparently tune the performance of the computing infrastructure. However, VM live migration may open the door to security threats. Classic anomaly detection schemes such as Local Outlier Factors (LOF) fail in detecting anomalies in the process of VM live migration. To tackle such critical security issues, we propose an adaptive scheme that mines data from the cloud infrastructure in order to detect abnormal statistics when VMs are migrated to new hosts. In our scheme, we extend classic Local Outlier Factors (LOF) approach by defining novel dimension reasoning (DR) rules as DR-LOF to figure out the possible sources of anomalies. We also incorporate Symbolic Aggregate ApproXimation (SAX) to enable timing information exploration that LOF ignores. In addition, we implement our scheme with an adaptive procedure to reduce chances of performance instability. Compared with LOF that fails in detecting anomalies in the process of VM live migration, our scheme is able not only to detect anomalies but also to identify their possible sources, giving cloud computing operators important clues to pinpoint and clear the anomalies. Our scheme further outperforms other classic clustering tools in WEKA (Waikato Environment for Knowledge Analysis) with higher detection rates and lower false alarm rate. Our scheme would serve as a novel anomaly detection tool to improve security framework in VM management for cloud computing.