Showing papers on "Temporal isolation among virtual machines published in 2013"

CPI2: CPU performance isolation for shared compute clusters

Abstract: Performance isolation is a key challenge in cloud computing. Unfortunately, Linux has few defenses against performance interference in shared resources such as processor caches and memory buses, so applications in a cloud can experience unpredictable performance caused by other programs' behavior.Our solution, CPI2, uses cycles-per-instruction (CPI) data obtained by hardware performance counters to identify problems, select the likely perpetrators, and then optionally throttle them so that the victims can return to their expected behavior. It automatically learns normal and anomalous behaviors by aggregating data from multiple tasks in the same job.We have rolled out CPI2 to all of Google's shared compute clusters. The paper presents the analysis that lead us to that outcome, including both case studies and a large-scale evaluation of its ability to solve real production issues.

Dynamic Configuration in Cloud Computing Environments

Abstract: Virtual machines, virtualization servers, and other physical resources in a cloud computing environment may be dynamically configured based on the resource usage data for the virtual machines and resource capacity data for the physical resources in the cloud system. Based on an analysis of the virtual machine resource usage data and the resource capacity data of the virtualization servers and other physical resources in the cloud computing environment, each virtual machine may be matched to one of a plurality of virtualization servers, and the resources of the virtualization servers and other physical resources in the cloud may be reallocated and reconfigured to provide additional usage capacity to the virtual machines.

Providing a virtual security appliance architecture to a virtual cloud infrastructure

Abstract: A method in an embodiment includes detecting a change for a virtual machine in a virtual server of a virtual network infrastructure, determining whether a virtual security appliance is configured in the virtual server, and sending a request to create the virtual security appliance in the virtual server. The method further includes allowing the virtual machine to initiate when the virtual security appliance is created in the virtual machine. The virtual security appliance performs security inspections on network packets sent from the virtual machine. In more specific embodiments, the method further includes creating an intercept mechanism in the virtual server to intercept the network packets from the virtual machine. In further embodiments, one or more security policies identify one or more virtual security appliances to process the network packets from the virtual machine.

Optimized resource allocation for virtual machines within a malware content detection system

Abstract: According to one embodiment, a computerized method comprises operations of instantiating a first virtual machine instance and a second virtual machine instance to run concurrently with the first virtual machine instance. The first virtual machine instance provides a first virtual operating environment while the second virtual machine instance is adapted to share the resources allocated to the first virtual machine instance. The second virtual machine instance is further adapted to allocate additional resources upon conducting a Copy-On Write operation.

VDC Planner: Dynamic migration-aware Virtual Data Center embedding for clouds

Abstract: Cloud computing promises to provide computing resources to a large number of service applications in an on demand manner. Traditionally, cloud providers such as Amazon only provide guaranteed allocation for compute and storage resources, and fail to support bandwidth requirements and performance isolation among these applications. To address this limitation, recently, a number of proposals advocate providing both guaranteed server and network resources in the form of Virtual Data Centers (VDCs). This raises the problem of optimally allocating both servers and data center networks to multiple VDCs in order to maximize the total revenue, while minimizing the total energy consumption in the data center. However, despite recent studies on this problem, none of the existing solutions have considered the possibility of using VM migration to dynamically adjust the resource allocation, in order to meet the fluctuating resource demand of VDCs. In this paper, we propose VDC Planner, a migration-aware dynamic virtual data center embedding framework that aims at achieving high revenue while minimizing the total energy cost over-time. Our framework supports various usage scenarios, including VDC embedding, VDC scaling as well as dynamic VDC consolidation. Through experiments using realistic workload traces, we show our proposed approach achieves both higher revenue and lower average scheduling delay compared to existing migration-oblivious solutions.

Systems and methods for path-based management of virtual servers in storage network environments

Abstract: Systems and methods for analyzing the service and performance levels associated with virtual machines in a storage network environment for compliance with a resource capacity policy are provided. Component configuration and connectivity information from components in the network environment is collected without using host agents on the virtual machines. Access paths defining end-to-end access relationships between an application on a virtual machine and storage data objects associated with the virtual machine in the network environment are derived. Access paths comprise sequences of components configured to enable information flow between an application residing on a virtual machine and a data object on a respective storage device. Access path resource consumption is computed and virtual machines with resource consumptions that violate the resource capacity policy are identified.

SurfNoC: a low latency and provably non-interfering approach to secure networks-on-chip

Abstract: As multicore processors find increasing adoption in domains such as aerospace and medical devices where failures have the potential to be catastrophic, strong performance isolation and security become first-class design constraints. When cores are used to run separate pieces of the system, strong time and space partitioning can help provide such guarantees. However, as the number of partitions or the asymmetry in partition bandwidth allocations grows, the additional latency incurred by time multiplexing the network can significantly impact performance.In this paper, we introduce SurfNoC, an on-chip network that significantly reduces the latency incurred by temporal partitioning. By carefully scheduling the network into waves that flow across the interconnect, data from different domains carried by these waves are strictly non-interfering while avoiding the significant overheads associated with cycle-by-cycle time multiplexing. We describe the scheduling policy and router microarchitecture changes required, and evaluate the information-flow security of a synthesizable implementation through gate-level information flow analysis. When comparing our approach for varying numbers of domains and network sizes, we find that in many cases SurfNoC can reduce the latency overhead of implementing cycle-level non-interference by up to 85%.

Configuring vm and io storage adapter vf for virtual target addressing during direct data access

Abstract: A method is provided for use in a system that includes a host computing machine configured to implement a virtualization intermediary and that includes a physical storage adapter, the configures a virtual machine (VM) and a virtual function (VF) to support IO operations to physical storage through a direct IOV path to the VF of the physical storage adapter, the method comprises: creating by the virtualization intermediary mapping information that includes a first mapping between virtual disks and physical regions of physical storage and that includes a second mapping between virtual disks and virtual disk addresses; transmitting the mapping information from the virtualization intermediary over the physical storage adapter from a physical function (PF) of the physical storage adapter to the VF; associating a virtual port with the mapping information within the virtualization intermediary; binding the virtual port to the VF; communicating virtual disk addresses indicated within the second mapping within the transmitted mapping information for the allocated virtual disks to the VM.

Live virtual machine migration techniques: Survey and research challenges

Abstract: Cloud is an emerging technology in the world of information technology and is built on the key concept of virtualization. Virtualization separates hardware from software and has benefits of server consolidation and live migration. Live migration is a useful tool for migrating OS instances across distant physical of data centers and clusters. It facilitates load balancing, fault management, low-level system maintenance and reduction in energy consumption. In this paper, we survey the major issues of virtual machine live migration. We discuss how the key performance metrics e.g downtime, total migration time and transferred data are affected when a live virtual machine is migrated over WAN, with heavy workload or when VMs are migrated together. We classify the techniques and compare the various techniques in a particular class.

On tackling virtual data center embedding problem

Abstract: Virtualizing data center networks has been considered a feasible alternative to satisfy the requirements of advanced cloud services. Proper mapping of virtual data center (VDC) resources to their physical counterparts, also known as virtual data center embedding, can impact the revenue of cloud providers. Similar to virtual networks, the problem of mapping virtual requests to physical infrastructures is known to be NPhard. Although some proposals have come up with heuristics to cope with the complexity of the embedding process focusing on virtual machine placement, these solutions ignore the correlation among other data resources, such as switches and storage. In this paper, we propose a new embedding solution for data centers that, in addition to virtual machine placement, explicitly considers the relation between switches and links, allows multiple resources of the same request to be mapped to a single physical resource, and reduces resource fragmentation in terms of CPU. Simulations show that our solution results in high acceptance ratio of VDC requests, improves utilization of the physical substrate, and generates increased revenue for infrastructure providers.

Failure management for a virtualized computing environment

Abstract: For failure management for multiple operating systems in a virtual environment, an external virtual machine or agent is provided that has been granted rights to full physical memory space to perform a crashdump for the machine. To avoid exposing secret information during a crashdump, private information for a virtual machine or partition is encrypted prior to generating a dump. The storing of crashdump information for virtual machines may avoid storing crashdump information for virtual machines that are stateless. Instead of having an (unstable) operating system running within a virtual machine perform a crashdump, the provision of an external agent, e.g., an external virtual machine, to perform the crashdump avoids many limitations associated with a normal dump when performed by a crashed operating system.

Virtual machine fault tolerance

Abstract: One or more techniques and/or systems are provided for hosting a virtual machine from a snapshot. In particular, a snapshot of a virtual machine hosted on a primary computing device may be created. The virtual machine may be hosted on a secondary computing device using the snapshot, for example, when a failure of the virtual machine on the primary computing device occurs. If a virtual machine type (format) of the snapshot is not supported by the secondary computing device, then the virtual machine within the snapshot may be converted to a virtual machine type supported by the secondary computing device. In this way, the virtual machine may be operable and/or accessible on the secondary computing device despite the failure. Hosting the virtual machine on the secondary computing device provides, among other things, fault tolerance for the virtual machine and/or applications comprised therein.

System for virtual machine risk monitoring

Abstract: A virtual machine may allow execution of applications decoupled from physical hardware. The virtual machine may be executed by the physical hardware in a data center. A system can monitor and assess performance and reliability of the virtual machine based on device records of network components of the data center that are supporting operation of the virtual machine.

Method and system for migration of virtual machines and virtual applications between cloud-computing facilities

Abstract: The current document discloses methods and systems for extending an internal network within a first cloud-computing facility to a second cloud-computing facility and deploying a virtual machine or virtual application previously running on a first cloud-computing facility within the context of the extended internal network in the second cloud-computing facility. The currently disclosed methods and systems which provide internal-network extension and redeployment of virtual machines and virtual applications, referred to as “stretch deploy,” allow a virtual machine or virtual application formerly executing on a first cloud-computing facility to resume execution on a second cloud-computing facility, using the computational and storage facilities of the second cloud-computing facility but depending on network support from the first cloud-computing facility, without changing IP and local network addresses and the network connectivity, based on those addresses, between the virtual machines and virtual applications and other local and remote computational entities with which the virtual machines and virtual applications communicate.

Archiving virtual machines in a data storage system

Abstract: The data storage system according to certain aspects can manage the archiving of virtual machines to (and restoring of virtual machines from) secondary storage. The system can determine whether to archive virtual machines based on usage data or information. The usage information may include storage usage, CPU usage, memory usage, network usage, events defined by a virtual machine software or application, etc. The system may archive virtual machines that are determined to have a low level of utilization. For example, a virtual machine can be archived when its usage level falls below a threshold level. The system may create a virtual machine placeholder for an archived virtual machine, which may be a “light” or minimal version of the virtual machine that acts as if it is the actual virtual machine. By using a virtual machine placeholder, a virtual machine may appear to be active and selectable by the user.

Virtual machine communication

Abstract: Two or more virtual machines may be co-located on a same physical machine, and the virtual machines may communicate with each other. To establish efficient communication, memory mapping information for respective virtual machines can be exchanged between the respective virtual machines. An instance of a virtualized network interface can be established, and a direct communications channel can be mapped between respective virtualized network interfaces. Data packet routing information can be updated, such that data packets transferred between two of more co-located virtual machines can be transferred using the virtualized network interface communications channel.

SQLVM: Performance Isolation in Multi-Tenant Relational Database-as-a-Service.

Abstract: A relational Database-as-a-Service provider, such as Microsoft SQL Azure, can share resources of a single database server among multiple tenants. This multi-tenancy enables cost reduction for the cloud service provider which it can pass on as savings to the tenants. However, resource sharing can adversely affect a tenant’s performance due to resource demands of other tenants’ workloads. Service providers today do not provide any assurances to a tenant in terms of isolating its performance from other co-located tenants. We present SQLVM, an abstraction for performance isolation which is built on a promise of reservation of key database server resources, such as CPU, I/O and memory, for each tenant. The key challenge is in supporting this abstraction within a DBMS without statically allocating resources to tenants, while ensuring low overheads and scaling to large numbers of tenants. Our contributions are in (1) formalizing the above abstraction of SQLVM; (2) designing mechanisms to support the promised resources; and (3) proposing low-overhead techniques to objectively meter resource allocation to establish accountability. We implemented a prototype of SQLVM in Microsoft SQL Azure and our experiments demonstrate that SQLVM results in significantly improved performance isolation from other tenants when compared to the state-of-the-art.

Replicating virtual machines across different virtualization platforms

Abstract: A first virtual machine executing in a first computer server is replicated to a second virtual machine executing in a second computer server, where the first computer server and the second computer server are connected over a network and are each connected to one or more disk storage units capable of storing files in a file system. Virtual disks of the first virtual machine on the first server are transmitted to the second server, where each transmitted virtual disk is stored as a file in a storage unit connected to the second server and corresponds to one of a plurality of virtual disks of the second virtual machine running in the second server, and where the virtual disks of the first virtual machine have a first format and the virtual disks of the second virtual machine have a second format that is different from the first format. A plurality of updates to the virtual disks of the first virtual machine is captured, and contiguous data blocks from the virtual disks of the first virtual machine that are subject to the captured updates are identified. The identified contiguous data blocks are then transmitted to the second server for storage in the virtual disks of the second virtual machine.

Live VM migration techniques in cloud environment — A survey

Abstract: Cloud computing is a service where storage and computing resources can be accessed on subscription basis. Cloud computing is powered by the concept of virtualization technology. The virtual machines (VM) are hosted in servers so that user's requests are serviced in an optimal manner. The process of moving a running virtual machine or application between different physical machines without disconnecting the client or application is referred to as Live Migration. System resources memory, storage, process and Network resources like connectivity that are allocated to the virtual machine are transferred from the original host machine to the destination machine. Live Migration is performed for achieving Energy efficiency, Load Balancing and High availability of physical servers in Cloud Data center. This paper presents a detailed survey on Live Migration of Virtual machines in cloud environment.

Packet forwarding optimization with virtual machine mobility

Abstract: In one embodiment, a method includes tracking at a network device in communication with a plurality of virtual machines, virtual machine movement based on a device identifier in a packet received from one of the virtual machines and storing location information for the virtual machine in a virtual machine move list at the network device. The location information from the virtual machine move list is inserted into a forwarding information base for use in optimized forwarding of packets destined for the virtual machine. An apparatus and logic are also disclosed herein.

Performance Analysis of Network I/O Workloads in Virtualized Data Centers

Abstract: Server consolidation and application consolidation through virtualization are key performance optimizations in cloud-based service delivery industry. In this paper, we argue that it is important for both cloud consumers and cloud providers to understand the various factors that may have significant impact on the performance of applications running in a virtualized cloud. This paper presents an extensive performance study of network I/O workloads in a virtualized cloud environment. We first show that current implementation of virtual machine monitor (VMM) does not provide sufficient performance isolation to guarantee the effectiveness of resource sharing across multiple virtual machine instances (VMs) running on a single physical host machine, especially when applications running on neighboring VMs are competing for computing and communication resources. Then we study a set of representative workloads in cloud-based data centers, which compete for either CPU or network I/O resources, and present the detailed analysis on different factors that can impact the throughput performance and resource sharing effectiveness. For example, we analyze the cost and the benefit of running idle VM instances on a physical host where some applications are hosted concurrently. We also present an in-depth discussion on the performance impact of colocating applications that compete for either CPU or network I/O resources. Finally, we analyze the impact of different CPU resource scheduling strategies and different workload rates on the performance of applications running on different VMs hosted by the same physical machine.

Management of prioritizing virtual machines in an operating environment

Abstract: Embodiments directed toward a method, system, and computer program product for placement of a plurality of virtual machines on a hardware resource are provided. The method can also include generating a user location vector for each candidate virtual machine from the plurality of candidate virtual machines by aggregating a plurality of user location metrics for each candidate virtual machine. The method can also include ranking, in response to a performance resource demanded by the plurality of candidate virtual machines being at or above a threshold of the performance resource available on the hardware resource, the candidate virtual machines as a function of an aggregate user location vector for each candidate virtual machine. The method can include selecting a subset of the candidate virtual machines for migration based on the ranking.

Systems and methods for repurposing virtual machines

Abstract: Software, firmware, and systems repurpose existing virtual machines. After a virtual machine is created, the system stores data associated with the virtual machine to permit its later repurposing. Repurposing data includes data associated with the virtual machine when the virtual machine is in a generic state from which it may be configured for use by two or more users/applications. When the system receives a request to create a new virtual machine, rather than create a brand new virtual machine, the system repurposes an existing virtual machine. The system identifies a virtual machine to repurpose, deletes data associated with the identified virtual machine, and loads a saved copy of repurposing data. The system may then load user data or otherwise customize the database and virtual machine.

Detection and handling of virtual network appliance failures

Abstract: Methods and apparatus for detection and handling of virtual appliance failures. In one aspect, a method is implemented on a host platform on which a hypervisor (aka Virtual Machine Manager) and a plurality of virtual machines (VMs) are running, the plurality of VMs collectively hosting a plurality of Software Defined Networking (SDN) and/or Network Function Virtualization (NFV) appliances that are communicatively coupled via a virtual network. A software-based entity running on the host platform is configured to monitor the plurality of virtual network appliances to detect failures of the virtual network appliances. In response to detection of a virtual network appliance failure, messages containing configuration information are implemented to reconfigure packet flows to bypass the virtual network appliance that has failed.

Systems and methods for rule-based virtual machine data protection

Abstract: A data storage system backs up or protects virtual machines. For instance, the system identifies the different virtual machines executing in the system and provides a number of factors that can be used to create a backup policy. The system further creates specific rules for virtual machine backup policies using a user interface with drop down boxes of relevant criteria and Boolean operators. A preview of included virtual machines allows the rule to be refined. Particular virtual machines can be excluded during the preview. The system further dynamically updates the list of virtual machines satisfying the rules at time of backup.

Concurrent virtual machine snapshots and restore

Abstract: Various mechanisms are disclosed herein for the saving and restoring of virtual machine environment state. For example, virtual machine state can be either be saved or (multiple) snapshots can be taken of the virtual machine state. In the latter case, virtual processors can be allowed to run while the memory of the virtual machine state is being saved. In either case, virtual devices associated with the virtual machine environment can be quiesced such that these devices can prepare themselves to be saved. Once such virtual devices and memory are saved, they can also be restored. For example, restoration of memory can occur while virtual processors are running at the same time. And, moreover, restoration can occur in batches of pages, thus optimizing the response time for restoring saved data.

Intermediary virtual machine task management

Abstract: A system in which a virtual machine manager determines tasks that are to be performed on virtual machines executing on a host computing system. The host computing system further executes an intermediary virtual machine task management module that receives virtual machine tasks from the virtual machine manager. Upon request from the virtual machines, the intermediary module identifies the tasks that are to be performed on the requesting virtual machine to the requesting virtual machine. The virtual machines may perhaps also initiate the performance of such identified tasks. Since the virtual machine itself is initiating contact with the intermediary module, and is not interacting directly with the virtual machine manager, the virtual machine manager need not be in the same sphere of trust as the virtual machine.

CPU sharing techniques for performance isolation in multi-tenant relational database-as-a-service

Abstract: Multi-tenancy and resource sharing are essential to make a Database-as-a-Service (DaaS) cost-effective. However, one major consequence of resource sharing is that the performance of one tenant's workload can be significantly affected by the resource demands of co-located tenants. The lack of performance isolation in a shared environment can make DaaS less attractive to performance-sensitive tenants. Our approach to performance isolation in a DaaS is to isolate the key resources needed by the tenants' workload. In this paper, we focus on the problem of effectively sharing and isolating CPU among co-located tenants in a multi-tenant DaaS. We show that traditional CPU sharing abstractions and algorithms are inadequate to support several key new requirements that arise in DaaS: (a) absolute and fine-grained CPU reservations without static allocation; (b) support elasticity by dynamically adapting to bursty resource demands; and (c) enable the DaaS provider to suitably tradeoff revenue with fairness. We implemented these new scheduling algorithms in a commercial DaaS prototype and extensive experiments demonstrate the effectiveness of our techniques.

Virtual machine consolidation based on interference modeling

Abstract: Server consolidation is very attractive for cloud computing platforms to improve energy efficiency and resource utilization. Advances in multi-core processors and virtualization technologies have enabled many workloads to be consolidated in a physical server. However, current virtualization technologies do not ensure performance isolation among guest virtual machines, which results in degraded performance due to contention in shared resources along with violation of service level agreement (SLA) of the cloud service. In that sense, minimizing performance interference among co-located virtual machines is the key factor of successful server consolidation policy in the cloud computing platforms. In this work, we propose a performance model that considers interferences in the shared last-level cache and memory bus. Our performance interference model can estimate how much an application will hurt others and how much an application will suffer from others. We also present a virtual machine consolidation method called swim which is based on our interference model. Experimental results show that the average performance degradation ratio by swim is comparable to the optimal allocation.

Power-Efficient Virtual Machine Placement and Migration in Data Centers

Abstract: In this paper, we propose a power-efficient solution for virtual machine placement and migration in a fat tree data center network. This solution reduces power consumption as well as job delay by aggregating virtual machines to a few hyper visors and migrating communicating parties to close locations. In this work, we consider OpenFlow as the implementation protocol. In an OpenFlow environment, a centralized controller oversees job loads, virtual machine requirements and hardware availability. Given observation of such global knowledge, the OpenFlow controller can schedule jobs and distribute virtual machines accordingly. As jobs change and flows shift, the OpenFlow controller dynamically adjusts virtual machine assignments by aggregating virtual machines to close locations in order to save energy. With this placement and migration proposal, more jobs can operate concurrently with close sources and destinations of flows, thus both job and flow delay can be reduced.