Beyond Hypervisors
By Gail Dutton, published Thursday, February 21, 2008
Virtualization today is in much the same state as the telephone in 1876. That's the year an internal Western Union memo pronounced, "This 'telephone' has too many shortcomings to be seriously considered as a means of communication. The device is inherently of no value to us." Opinions regarding the value of virtualization are marginally better and, like those early opinions regarding the telephone, are likely to improve as the technology becomes more functional, more secure and easier to deploy.
The goal, some say, is virtualization ubiquity – virtualized networks of virtualized machines that include virtualized applications, storage and infrastructure. “That virtual operating environment is a high level concept that will lead to a lights-out data center,” notes Ben Linder, CEO, Scalent Systems.
At the forefront of this endeavor, Professor Dongyan Xu and his team at Purdue University’s Department of Computer Science and School of Electrical and Computer Engineering are working with open source virtual machine systems to enhance adaptivity, reliability and security.
Virtual Networks
Prof. Xu’s model consists of multiple virtual machines connected by a virtual network. As an integral part of that work, Prof. Xu developed mechanisms that let virtual networks adapt dynamically as both applications’ needs and infrastructure resources change. Each virtual machine can therefore adjust its share of resources dynamically, and part or all of the virtual networked environment can be relocated across the physical infrastructure.
“We envision that in a shared physical infrastructure, mutually isolated virtual networked environments co-exist and belong to different users or user groups. Inside a virtual networked environment, users can run off-the-shelf distributed or parallel applications the same way as in a physical networked environment. Just like people having their own personal computers nowadays, I envision that people can create their own virtual networked environments in the coming future,” Prof. Xu says.
For reliability, his team is developing “techniques that take distributed snapshots of an entire virtual networked environment, store the snapshots and restore the virtual networked environment in reaction to failures or disruptions caused by maintenance or outage,” Prof. Xu says. Because the technique is transparent to the application and to the virtual machine operating system, no modifications are needed in their code. Also, because this is a system-wide snapshot, it captures the application and operating system execution status of the virtual machines, as well as their network status.
This system has been deployed as a prototype within the 20,000-user nanoHUB (http://www.nanohub.org) cyberinfrastructure grid, which serves nanotechnology research, development and education.
Evolution
A virtualized network has the potential to significantly improve efficiency. As Linder points out, “Between 79 and 80 percent of all servers aren’t used in production. They’re in testing, development, storage and disaster recovery. So, if production is at 10 percent CPU utilization, they’re at 1 percent,” he maintains.
“The challenges of capacity management and workload management faced by the distributed environment as it virtualizes have already been solved in the mainframe world,” according to Kris Domich, principal consultant for Dimension Data North America. Virtualization experts are leveraging that knowledge, often using the same approaches. For example, virtualization efforts underway today often follow the design and methodology used for the IBM 360 – “which was truly virtualized,” Domich says.
Despite the similarity of approaches, solutions still need to evolve for the distributed world. Standards are being developed, but they aren’t yet in place. Vendors have public interfaces to their tools, though, which sheds enough light on the development process to allow third parties to develop compatible applications.
The challenge, according to Vince Biddlecombe, executive VP and chief technology officer for third-party logistics provider Transplace, is that best practices haven’t emerged and there’s no cohesive roadmap a company can follow to implement a virtualization strategy. When Transplace redesigned its data center last year, it found “there are a lot of papers from storage vendors, but we needed an end-to-end blueprint,” Biddlecombe says. IBM sees this too. “Clients are struggling,” Kevin Leahy, director of IT optimization at IBM, agrees.
More is Needed
Network virtualization is the goal, “but a lot more needs to be virtualized” before that goal is realized, according to Linder. “Today, virtualization is focused on virtualizing a single resource, the CPU. That’s the first of 10 to 20 steps” needed to eventually provide a pool of resources.
One of the strategies being developed actively at HP layers automation atop the virtualized environment. Automation leverages the flexibility that virtualization presents, explains Nick van der Zweep, director of virtualization for HP. One opportunity, he says, is to implement policies to monitor all applications’ service levels and then to shift resources to balance supply and demand in real time. “We’ve been innovating in a lot of areas to make that happen,” he says. A similar approach, investigated at IBM, prioritizes workflow so that resources are allocated first to the most critical applications. When resources are stretched, less critical applications are allotted fewer resources, slowing them or causing them to run at a later time.
Automatic allocation, Leahy continues, will permit the infrastructure, rather than the administrator, to deploy resources. And, expanding automation throughout the system will change the delivery model of the business, he states. Early examples of that capability are just appearing in the form of service oriented architecture (SOA) and service oriented infrastructure (SOI), as implemented by Amazon and a few other firms.
In the near term, developers are looking beyond hypervisors to develop a management layer that lets virtual and physical devices be managed as one. “A lot of innovation needs to happen,” van der Zweep emphasizes, just to allow virtual machines to be moved among blades or servers without disrupting workflow. HP is developing a management layer that provides “a single pane of glass” between the hypervisor and systems management. By partnering with the leading hypervisor vendors, HP plans to ensure that the resulting application transitions smoothly among vendors’ hypervisors.
Tracking Malware
One of the challenges in securing virtual systems is the ability of malware to infiltrate the system. Virtualization-based security solutions typically assume the hypervisor or underlying virtual machine monitor is in safe hands and that it is isolated, Prof. Xu explains. If that assumption is wrong, malware could compromise the monitor (as some virtualization rootkits – programs designed to take administrator or “root” control of a system without authorization – have done).
At the academic level, Professor Xu is developing Collapsar, a virtual machine-based honeyfarm architecture that allows real-world malware capture and containment. The honeyfarm approach lets a center host and manage multiple honeypots – targets – in one environment. To malicious attackers, “the honeypots appear as real systems in their respective production networks,” he explains. The benefit is centralized management and the ability to very quickly learn the details and timing of attacks without involving multiple data centers.
To study the captured malware, Professor Xu uses his vGround application to safely unleash the captured worms and identify their behavioral footprints for profiling and detection. Then, using the Process Coloring methodology his lab has developed, alerts can be issued based on anomalous information flows to improve the efficiency of malware investigations.
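Process Coloring, as described above, gives each remote-facing service its own color, lets that color flow along spawn, write, read and exec events to the processes and files they touch, and treats a color turning up where it should not be as the alert; the set of objects carrying a color is the footprint of the break-in. The following added example illustrates that mechanism over a constructed audit log. It is not Prof. Xu's code: the service names, file paths, event log and the two alert rules (a colored process writing a sensitive file; a process acquiring a second service's color) are assumptions made for the illustration.

```python
"""Process Coloring over a constructed audit log (added example, not Prof. Xu's code)."""
from collections import defaultdict

# Constructed audit events in time order: (kind, subject process, object).
#   spawn: subject creates a new process named object
#   write: subject writes the file object
#   read : subject reads the file object
#   exec : subject executes the file object
EVENTS = [
    ("spawn", "init", "httpd"),
    ("spawn", "init", "sshd"),
    ("spawn", "init", "cron"),
    ("spawn", "httpd", "sh"),            # web server forks a shell: the exploit lands
    ("write", "sh", "/tmp/.x"),          # shell drops a payload
    ("exec",  "sh", "/tmp/.x"),
    ("spawn", "sh", "worm"),
    ("write", "worm", "/etc/passwd"),    # colored process touches a sensitive file
    ("write", "cron", "/var/log/cron"),  # benign, uncolored activity
    ("read",  "sshd", "/etc/passwd"),    # sshd reads a file contaminated via httpd
]

# Each remote-facing service is seeded with its own color (assumed names).
SEED_COLORS = {"httpd": "httpd", "sshd": "sshd"}
SENSITIVE_FILES = {"/etc/passwd"}


class ProcessColoring:
    """Propagates service colors along provenance edges and raises alerts."""

    def __init__(self, seeds, sensitive):
        self.colors = defaultdict(set)          # process or file -> set of colors
        for proc, color in seeds.items():
            self.colors[proc].add(color)
        self.sensitive = set(sensitive)
        self.alerts = []                        # (rule, subject, object, colors)

    def _flow(self, src, dst):
        """Colors of src are inherited by dst; returns True if dst gained one."""
        before = len(self.colors[dst])
        self.colors[dst] |= self.colors[src]
        return len(self.colors[dst]) > before

    def observe(self, kind, subject, obj):
        if kind in ("spawn", "write"):
            gained = self._flow(subject, obj)   # color flows subject -> object
        elif kind in ("read", "exec"):
            gained = self._flow(obj, subject)   # color flows object -> subject
        else:
            raise ValueError(f"unknown event kind {kind!r}")
        subj_colors = frozenset(self.colors[subject])
        # Rule 1: a process carrying a service color writes a sensitive file.
        if kind == "write" and obj in self.sensitive and subj_colors:
            self.alerts.append(("sensitive-write", subject, obj, subj_colors))
        # Rule 2: a process just picked up a second service's color.
        if kind in ("read", "exec") and gained and len(subj_colors) > 1:
            self.alerts.append(("color-mixing", subject, obj, subj_colors))

    def footprint(self, color):
        """Every process and file carrying a color: the contamination trail."""
        return {obj for obj, cs in self.colors.items() if color in cs}


def analyze(events, seeds=SEED_COLORS, sensitive=SENSITIVE_FILES):
    pc = ProcessColoring(seeds, sensitive)
    for kind, subject, obj in events:
        pc.observe(kind, subject, obj)
    return pc


if __name__ == "__main__":
    pc = analyze(EVENTS)
    for alert in pc.alerts:
        print(alert)
    print("httpd footprint:", sorted(pc.footprint("httpd")))
```

Replaying the log in time order keeps the cost linear in the number of events, and the footprint of a color is exactly what an investigator needs to scope the break-in: the processes and files reachable from the compromised service, rather than every object on the host.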
At the data center level, Prof. Xu and colleague Xuxian Jiang at George Mason University “advocate moving malware detecting and defense facilities outside the virtual machine being monitored and protected,” to achieve a higher level of tamper-resistance. “The state-of-the-art anti-malware systems typically run in the very same hosts that they are protecting, which is a fundamentally flawed paradigm,” Prof. Xu says. Because they “run at the same level of privileges, there is no clear winner between them. Virtualization provides an additional level of privilege where security solutions can be deployed and executed with higher privileges than those of the malware, thus foiling the malware’s attempt to subvert anti-malware facilities.”
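The higher privilege level described above is typically used by reading the guest's memory from outside the virtual machine and rebuilding kernel data structures, such as the process list, independently of anything the guest reports; a process that appears in the out-of-VM view but not in the guest's own process listing has been hidden by something running inside the guest. The following added example, which is not Prof. Xu's or Prof. Jiang's code, simulates that cross-view comparison. The guest memory image, the task-struct layout, the init_task address and the in-guest process listing are all constructed for the illustration and do not correspond to any real kernel.

```python
"""Cross-view hidden-process detection from outside the VM (added example)."""
import struct

# Hypothetical guest kernel layout, assumed for this example (not a real kernel's):
# a task struct is 32 bytes, laid out little-endian as
#   pid  : uint32    process id
#   pad  : uint32    unused
#   next : uint64    guest address of the next task struct (circular list)
#   name : 16 bytes  NUL-padded process name
TASK_FMT = "<IIQ16s"
TASK_SIZE = struct.calcsize(TASK_FMT)   # 32
INIT_TASK_ADDR = 0x1000                 # assumed list-head address from the guest's symbol map

# Constructed guest state: four processes, one of them a rootkit daemon.
TASKS = [(1, "init"), (412, "sshd"), (666, "rkdaemon"), (731, "httpd")]
# What the guest's own (hooked) ps reports: the rootkit filters out pid 666.
IN_GUEST_PS = {1: "init", 412: "sshd", 731: "httpd"}


def build_guest_memory(tasks, base=INIT_TASK_ADDR):
    """Lay the constructed task structs out as a circular list in a fake memory image."""
    mem = bytearray(base + TASK_SIZE * len(tasks))
    for i, (pid, name) in enumerate(tasks):
        addr = base + i * TASK_SIZE
        nxt = base + ((i + 1) % len(tasks)) * TASK_SIZE
        struct.pack_into(TASK_FMT, mem, addr, pid, 0, nxt, name.encode())
    return bytes(mem)


def walk_task_list(mem, head=INIT_TASK_ADDR, limit=4096):
    """Out-of-VM view: rebuild the process table by parsing raw guest memory.

    The guest is untrusted, so every pointer is bounds-checked and the walk is
    bounded; a crafted list must not be able to hang or crash the monitor."""
    procs = {}
    addr = head
    for _ in range(limit):
        if addr + TASK_SIZE > len(mem):
            raise ValueError(f"task pointer {addr:#x} points outside guest memory")
        pid, _pad, nxt, raw_name = struct.unpack_from(TASK_FMT, mem, addr)
        procs[pid] = raw_name.split(b"\0", 1)[0].decode("ascii", "replace")
        addr = nxt
        if addr == head:
            return procs
    raise ValueError("task list did not return to its head; possible corruption")


def cross_view_diff(in_guest, out_of_guest):
    """hidden: present in kernel memory but not reported by the guest (rootkit candidates);
    phantom: reported by the guest but absent from kernel memory (faked entries)."""
    hidden = {pid: name for pid, name in out_of_guest.items() if pid not in in_guest}
    phantom = {pid: name for pid, name in in_guest.items() if pid not in out_of_guest}
    return hidden, phantom


GUEST_MEM = build_guest_memory(TASKS)


def detect(mem=GUEST_MEM, in_guest=IN_GUEST_PS):
    return cross_view_diff(in_guest, walk_task_list(mem))


if __name__ == "__main__":
    hidden, phantom = detect()
    print("hidden from the guest:", hidden)    # {666: 'rkdaemon'}
    print("phantom in guest view:", phantom)   # {}
```

The bounded walk and the bounds check are not decoration: the monitor is parsing memory the attacker controls, so a crafted next pointer must not be able to hang or crash it. A rootkit that unlinks its own task from the list (direct kernel object manipulation) would also escape this particular walk, which is why real introspection tools cross-check several sources, such as the pid hash table or a signature scan for task structs, rather than a single list.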
Another approach, Prof. Xu continues, is to virtualize sub-systems of a computer. Describing two approaches, he says, “RandSys, for example, virtualizes the system service interface between the application and the operating system. Virtual split memory virtualizes a Harvard architecture for split memories for code and data on top of the von Neumann architecture. Both lead to a virtual runtime system that is more robust against malicious code injection attacks.”
Desktop Virtualization
Desktop virtualization is another coming trend. It is reminiscent of the dumb terminals that linked to mainframes in the 1970s, with an important difference. Rather than merely being a portal to the mainframe, these terminals would allow clients to log into their own virtual PC regardless of which terminal they used. Aside from the convenience of accessing one’s own files without the need to export them to notebooks or other systems, this strategy has the strong benefit of allowing central file management and centralized backup.
Workload Shifting
The next few years are likely to see dynamic workload shifting that, ideally, will be linked to high density power and cooling. “There are a given number of machines capable of hosting,” Domich says, which makes a virtual system busier in some places than others and causes the heat load to jump. He hopes for a cooling plan that can jump, too.
IBM’s Leahy considers the energy component of virtualization a key trend and “a cultural enabler for green computing.” In that context, he advocates increasing virtualization and building active energy management policies that govern resource movement based at least partially on energy considerations. When systems administrators can ensure that service level agreements are met and identify under- or over-used resources, utilization can be adjusted to create an optimum computing and cooling environment that ultimately consumes less power. That will result in saved energy by focusing cooling where it’s needed.
“Where virtual management can play a role is when virtual workloads can connect back to the cooling system,” van der Zweep says. To reach that point, administrators must be able to look holistically at the capacity of the data center – not just the CPU cycles, but the impact of running virtual workloads or fail-over space. And, IT managers must begin looking at wattage per rack rather than wattage per square foot.
Conclusion
Virtualization is well on its way to becoming pervasive, even ubiquitous, Leahy says. To make the most effective use of the technology, “the data center needs to change in multiple ways,” van der Zweep opines. “With virtualization, you need a management system that understands that things are in flux,” and adjusts appropriately.
And, administrators need to be willing to use it. “The challenge is to have a plan and to know how to manage with tools-based automation,” Leahy adds, so that deployments are more effective and that administrators take advantage of the IT infrastructure to maximize potential benefits.
Related Links: Professor Xu, nanoHUB, Dimension Data, IBM
Gail Dutton is a veteran business and technology writer.