
Showing papers on "Temporal isolation among virtual machines published in 2016"


Proceedings ArticleDOI
02 Nov 2016
TL;DR: This work proposes an altruistic, long-term approach, CARBYNE, where jobs yield fractions of their allocated resources without impacting their own completion times, and shows that leftover resources collected via altruisms of many jobs can be rescheduled to further secondary goals such as application-level performance and cluster efficiency without impacting performance isolation.
Abstract: Given the well-known tradeoffs between fairness, performance, and efficiency, modern cluster schedulers often prefer instantaneous fairness as their primary objective to ensure performance isolation between users and groups. However, instantaneous, short-term convergence to fairness often does not result in noticeable long-term benefits. Instead, we propose an altruistic, long-term approach, CARBYNE, where jobs yield fractions of their allocated resources without impacting their own completion times. We show that leftover resources collected via altruisms of many jobs can then be rescheduled to further secondary goals such as application-level performance and cluster efficiency without impacting performance isolation. Deployments and large-scale simulations show that CARBYNE closely approximates the state-of-the-art solutions (e.g., DRF [27]) in terms of performance isolation, while providing 1.26× better efficiency and 1.59× lower average job completion time.

144 citations


Journal ArticleDOI
TL;DR: This work formalizes the wireless VNF placement problem in the radio access network as an integer linear programming problem and proposes a VNF placement heuristic, named wireless network embedding (WiNE), to solve the problem.
Abstract: Network function virtualization (NFV) sits firmly on the networking evolutionary path. By migrating network functions from dedicated devices to general purpose computing platforms, NFV can help reduce the cost to deploy and operate large IT infrastructures. In particular, NFV is expected to play a pivotal role in mobile networks where significant cost reductions can be obtained by dynamically deploying and scaling virtual network functions (VNFs) in the core network. However, in order to achieve its full potential, NFV needs to extend its reach also to the radio access segment. Here, mobile virtual network operators shall be allowed to request radio access VNFs with custom resource allocation solutions. Such a requirement raises several challenges in terms of performance isolation and resource provisioning. In this work, we formalize the wireless VNF placement problem in the radio access network as an integer linear programming problem and we propose a VNF placement heuristic, named wireless network embedding (WiNE), to solve the problem. Moreover, we present a proof-of-concept implementation of an NFV management and orchestration framework for enterprise WLANs. The proposed architecture builds on a programmable network fabric where pure forwarding nodes are mixed with radio and packet processing capable nodes.

119 citations


Patent
04 Mar 2016
TL;DR: In this paper, a sense of location is provided for distributed virtual switch components into the service provisioning scheme to reduce latency observed in conducting policy evaluations across a network in a hybrid cloud environment.
Abstract: A sense of location is provided for distributed virtual switch components into the service provisioning scheme to reduce latency observed in conducting policy evaluations across a network in a hybrid cloud environment. A management application in a first virtual network subscribes to virtual network services provided by a second virtual network. A first message is sent to the second virtual network, the first message comprising information configured to start a virtual switch in the second virtual network that switches network traffic for one or more virtual machines in the second virtual network that are configured to extend services provided by the first virtual network into the second virtual network. A second message is sent to the second virtual network, the second message comprising information configured to start a virtual service node in the second virtual network that provides network traffic services for the one or more virtual machines.

113 citations


Journal ArticleDOI
TL;DR: Heracles is presented, a feedback-based controller that enables the safe colocation of best-effort tasks alongside a latency-critical service and dynamically manages multiple hardware and software isolation mechanisms to ensure that the latency-sensitive job meets latency targets while maximizing the resources given to best-effort tasks.
Abstract: User-facing, latency-sensitive services, such as websearch, underutilize their computing resources during daily periods of low traffic. Reusing those resources for other tasks is rarely done in production services since the contention for shared resources can cause latency spikes that violate the service-level objectives of latency-sensitive tasks. The resulting under-utilization hurts both the affordability and energy efficiency of large-scale datacenters. With the slowdown in technology scaling caused by the sunsetting of Moore’s law, it becomes important to address this opportunity. We present Heracles, a feedback-based controller that enables the safe colocation of best-effort tasks alongside a latency-critical service. Heracles dynamically manages multiple hardware and software isolation mechanisms, such as CPU, memory, and network isolation, to ensure that the latency-sensitive job meets latency targets while maximizing the resources given to best-effort tasks. We evaluate Heracles using production latency-critical and batch workloads from Google and demonstrate average server utilizations of 90% without latency violations across all the load and colocation scenarios that we evaluated.

65 citations


Journal ArticleDOI
TL;DR: MemGuard separates memory bandwidth in two parts: guaranteed and best effort, and provides bandwidth reservation for the guaranteed bandwidth for temporal isolation, with efficient reclaiming to maximally utilize the reserved bandwidth.
Abstract: Memory bandwidth in modern multi-core platforms is highly variable for many reasons and it is a big challenge in designing real-time systems as applications are increasingly becoming more memory intensive. In this work, we proposed, designed, and implemented an efficient memory bandwidth reservation system, that we call MemGuard. MemGuard separates memory bandwidth in two parts: guaranteed and best effort. It provides bandwidth reservation for the guaranteed bandwidth for temporal isolation, with efficient reclaiming to maximally utilize the reserved bandwidth. It further improves performance by exploiting the best effort bandwidth after satisfying each core's reserved bandwidth. MemGuard is evaluated with SPEC2006 benchmarks on a real hardware platform, and the results demonstrate that it is able to provide memory performance isolation with minimal impact on overall throughput.

62 citations


Proceedings ArticleDOI
01 Dec 2016
TL;DR: This work takes the traffic demands between virtual machines into consideration and formulates the virtual machine placement problem under both PM-constraints and Net-constraints to minimize the energy cost, and proposes an approach based on ant colony optimization to solve the problem.
Abstract: The energy cost is one of the major concerns for the cloud providers. Virtual machine placement has been demonstrated as an effective method for energy saving. In addition to constraints caused by the physical machine resources such as CPU and memory (PM-constraints), the constraints caused by the network resource such as bandwidth (Net-constraints) are also crucial, since virtual machines are not isolated and require communication with each other to exchange data. However, most current research on data center power optimization only focuses on server resource. As a result, the optimization results are often inferior, because server consolidation without considering the network may cause traffic congestion and thus degraded network performance. We take the traffic demands between virtual machines into consideration and formulate the virtual machine placement problem under both PM-constraints and Net-constraints to minimize the energy cost, and propose an approach based on ant colony optimization to solve the problem. We evaluate the expected performance of our proposed algorithm through a simulation study, providing strong indications to the superiority of our proposed solution.

36 citations


Proceedings ArticleDOI
01 Dec 2016
TL;DR: A Global SSD Resource Management solution — GReM, which aims to fully utilize SSD resources as a second-level cache under the consideration of performance isolation, and can obtain high IO hit ratio and low IO management costs, compared with both traditional and state-of-the-art caching algorithms.
Abstract: In a shared virtualized storage system that runs VMs with heterogeneous IO demands, it becomes a problem for the hypervisor to cost-effectively partition and allocate SSD resources among multiple VMs. There are two straightforward approaches to solving this problem: equally assigning SSDs to each VM or managing SSD resources in a fair competition mode. Unfortunately, neither of these approaches can fully utilize the benefits of SSD resources, particularly when the workloads frequently change and bursty IOs occur from time to time. In this paper, we design a Global SSD Resource Management solution — GReM, which aims to fully utilize SSD resources as a second-level cache under the consideration of performance isolation. In particular, GReM takes dynamic IO demands of all VMs into consideration to split the entire SSD space into a long-term zone and a short-term zone, and cost-effectively updates the content of SSDs in these two zones. GReM is able to adaptively adjust the reservation for each VM inside the long-term zone based on their IO changes. GReM can further dynamically partition SSDs between the long- and short-term zones during runtime by leveraging the feedbacks from both cache performance and bursty workloads. Experimental results show that GReM can capture the cross-VM IO changes to make correct decisions on resource allocation, and thus obtain high IO hit ratio and low IO management costs, compared with both traditional and state-of-the-art caching algorithms.

34 citations


Journal ArticleDOI
01 Mar 2016
TL;DR: This paper presents the Topology-aware Virtual Machine Placement algorithm, which was designed to occupy small areas of the data center network in order to consolidate the network flows produced by the virtual machines.
Abstract: This paper presents the Topology-aware Virtual Machine Placement algorithm, which aims at placing groups of virtual machines in data centers. It was designed to occupy small areas of the data center network in order to consolidate the network flows produced by the virtual machines. Extensive simulation is used to show that the proposed algorithm prevents the formation of network bottlenecks, therefore accepting more requests of allocation of virtual machines. Moreover, these advantages are obtained without compromising energy efficiency. The energy consumption of servers and switches are taken into account, and these are switched off whenever idle.

33 citations


Book ChapterDOI
05 Sep 2016
TL;DR: This study shows that exploiting knowledge about the physical machines and about the virtual machine placement algorithm in the course of virtual machine selection leads to better overall results than considering the two problems in isolation.
Abstract: Previous work on optimizing resource provisioning in virtualized environments focused either on mapping virtual machines to physical machines (i.e., virtual machine placement) or mapping computational tasks to virtual machines (i.e., virtual machine selection). In this paper, we investigate how these two optimization problems influence each other. Our study shows that exploiting knowledge about the physical machines and about the virtual machine placement algorithm in the course of virtual machine selection leads to better overall results than considering the two problems in isolation.

32 citations


Proceedings ArticleDOI
04 Apr 2016
TL;DR: This paper presents an algorithm for server consolidation that uses an adjustable virtual machine interference threshold to map virtual machines into physical servers, allowing users to get a better trade-off between the amount of resources and performance according to their needs.
Abstract: Virtualization technologies and server consolidation are the main drivers of high resource utilization and energy efficiency in modern Data Centers. However, some combinations of virtual machines into the same server may lead to severe performance degradation. This performance degradation is known as virtual machine interference. In a typical Data Center, different measures of virtual machine interference can be employed, depending on application importance. Supporting a higher virtual machine interference may result in a higher consolidation, while strict low interference requirements may demand more resources. This paper presents an algorithm for server consolidation that uses an adjustable virtual machine interference threshold to map virtual machines into physical servers, allowing users to get a better trade-off between the amount of resources and performance according to their needs. Simulation results show that the solution succeeds in maintaining the interference levels below a defined threshold while also providing efficient server consolidation.

29 citations


Journal ArticleDOI
Junbin Kang, Chunming Hu, Tianyu Wo, Ye Zhai, Benlong Zhang, Jinpeng Huai
TL;DR: MultiLanes as mentioned in this paper is a virtualized storage system for OS-level virtualization on manycores, which builds an isolated I/O stack on top of a virtualised storage device for each container to eliminate contention on shared kernel data structures and locks between them.
Abstract: OS-level virtualization is often used for server consolidation in data centers because of its high efficiency. However, the sharing of storage stack services among the colocated containers incurs contention on shared kernel data structures and locks within I/O stack, leading to severe performance degradation on manycore platforms incorporating fast storage technologies (e.g., SSDs based on nonvolatile memories). This article presents MultiLanes, a virtualized storage system for OS-level virtualization on manycores. MultiLanes builds an isolated I/O stack on top of a virtualized storage device for each container to eliminate contention on kernel data structures and locks between them, thus scaling them to manycores. Meanwhile, we propose a set of techniques to tune the overhead induced by storage-device virtualization to be negligible, and to scale the virtualized devices to manycores on the host, which itself scales poorly. To reduce the contention within each single container, we further propose SFS, which runs multiple file-system instances through the proposed virtualized storage devices, distributes all files under each directory among the underlying file-system instances, then stacks a unified namespace on top of them. The evaluation of our prototype system built for Linux container (LXC) on a 32-core machine with both a RAM disk and a modern flash-based SSD demonstrates that MultiLanes scales much better than Linux in micro- and macro-benchmarks, bringing significant performance improvements, and that MultiLanes with SFS can further reduce the contention within each single container.

Proceedings ArticleDOI
01 Jan 2016
TL;DR: This paper describes a multicore scheduling and load-balancing framework called MARACAS, to address shared cache and memory bus contention, which features a novel memory-aware scheduling approach that uses performance counters to derive an average memory request latency.
Abstract: This paper describes a multicore scheduling and load-balancing framework called MARACAS, to address shared cache and memory bus contention. It builds upon prior work centered around the concept of virtual CPU (VCPU) scheduling. Threads are associated with VCPUs that have periodically replenished time budgets. VCPUs are guaranteed to receive their periodic budgets even if they are migrated between cores. A load balancing algorithm ensures VCPUs are mapped to cores to fairly distribute surplus CPU cycles, after ensuring VCPU timing guarantees. MARACAS uses surplus cycles to throttle the execution of threads running on specific cores when memory contention exceeds a certain threshold. This enables threads on other cores to make better progress without interference from co-runners. Our scheduling framework features a novel memory-aware scheduling approach that uses performance counters to derive an average memory request latency. We show that latency-based memory throttling is more effective than rate-based memory access control in reducing bus contention. MARACAS also supports cache-aware scheduling and migration using page recoloring to improve performance isolation amongst VCPUs. Experiments show how MARACAS reduces multicore resource contention, leading to improved task progress.

Patent
21 Mar 2016
TL;DR: In this article, the authors describe a live update process of the virtual machine monitor during the operation of the VMs instances, which provides a method of updating the VM monitor without rebooting the physical computing device.
Abstract: Generally described, aspects of the present disclosure relate to a live update process of the virtual machine monitor during the operation of the virtual machine instances. An update to a virtual machine monitor can be a difficult process to execute because of the operation of the virtual machine instances. Generally, in order to update the virtual machine monitor, the physical computing device needs to be rebooted, which interrupts operation of the virtual machine instances. The live update process provides for a method of updating the virtual machine monitor without rebooting the physical computing device.

Posted Content
TL;DR: This dissertation aims to provide a history of electrical and computer engineering at the National Technical University of Athens from 1989 to 2002, a period chosen in order to explore its roots as well as specific cases up to and including the year in which computer science and engineering collided.
Abstract: In the past decade, cloud computing has emerged from a pursuit for a service-driven information and communication technology (ICT), into a significant fraction of the ICT market. Responding to the growth of the market, many alternative cloud services and their underlying systems are currently vying for the attention of cloud users and providers. Thus, benchmarking them is needed, to enable cloud users to make an informed choice, and to enable system DevOps to tune, design, and evaluate their systems. This requires focusing on old and new system properties, possibly leading to the re-design of classic benchmarking metrics, such as expressing performance as throughput and latency (response time), and the design of new, cloud-specific metrics. Addressing this requirement, in this work we focus on four system properties: (i) elasticity of the cloud service, to accommodate large variations in the amount of service requested, (ii) performance isolation between the tenants of shared cloud systems, (iii) availability of cloud services and systems, and (iv) the operational risk of running a production system in a cloud environment. Focusing on key metrics, for each of these properties we review the state-of-the-art, then select or propose new metrics together with measurement approaches. We see the presented metrics as a foundation towards upcoming, industry-standard, cloud benchmarks. Keywords: Cloud Computing; Metrics; Measurement; Benchmarking; Elasticity; Isolation; Performance; Service Level Objective; Availability; Operational Risk.

Proceedings ArticleDOI
01 Sep 2016
TL;DR: This paper proposes an energy-aware migration model of processes to decide to which virtual machine a process issued by a client is allocated and which virtual machine migrates to another energy-efficient server in order to reduce the electric energy consumption.
Abstract: It is critical to reduce the electric energy consumed by servers in clusters. In cloud computing systems, computation resources like CPU, memory, and storage are virtualized so that applications can use the resources without being conscious of which physical server supports which service. Virtual machine technologies are now used to support applications with virtual computation service. Virtual machines are used to perform application processes issued by clients. More importantly, virtual machines can migrate from a host server to a guest server while processes are being performed on the virtual machines. In this paper, we take advantage of migration technologies of virtual machines to reduce the electric energy consumed by servers in a cluster. By using the virtual machines, we propose an energy-aware migration model of processes to decide to which virtual machine a process issued by a client is allocated and which virtual machine migrates to another energy-efficient server in order to reduce the electric energy consumption.

Journal ArticleDOI
TL;DR: This work quantitatively estimates the virtual switching overhead on server CPU resource, and proposes a virtual-switching-aware VM consolidation algorithm to address this problem and shows a much lower server capacity violation probability.

Proceedings ArticleDOI
22 Jun 2016
TL;DR: FLICK, a framework for the programming and execution of application-specific network services on multi-core CPUs, is described and evaluated with several services, showing that it achieves good performance while reducing development effort.
Abstract: Data centre networks are increasingly programmable, with application-specific network services proliferating, from custom load-balancers to middleboxes providing caching and aggregation. Developers must currently implement these services using traditional low-level APIs, which neither support natural operations on application data nor provide efficient performance isolation. We describe FLICK, a framework for the programming and execution of application-specific network services on multi-core CPUs. Developers write network services in the FLICK language, which offers high-level processing constructs and application-relevant data types. FLICK programs are translated automatically to efficient, parallel task graphs, implemented in C++ on top of a user-space TCP stack. Task graphs have bounded resource usage at runtime, which means that the graphs of multiple services can execute concurrently without interference using cooperative scheduling. We evaluate FLICK with several services (an HTTP load-balancer, a Memcached router and a Hadoop data aggregator), showing that it achieves good performance while reducing development effort.


Patent
Arun U. Kishan, Mehmet Iyigun, Landy Wang, Kevin Michael Broas, Yevgeniy M. Bak
25 Oct 2016
TL;DR: In this article, the authors propose a method for mapping files in host virtual address backed virtual machines to a physical memory location for virtual machines requesting access to the file, based on a request from a guest virtual machine.
Abstract: Mapping files in host virtual address backed virtual machines. A method includes receiving a request from a guest virtual machine for a file from a host. The method further includes, at the host determining that the file can be directly mapped to a physical memory location for virtual machines requesting access to the file. The method further includes, at the host, providing guest physical memory backed by the file mapping in host virtual memory.

Proceedings ArticleDOI
01 Aug 2016
TL;DR: The CloudPhylactor architecture harnesses the mandatory access control of Xen to grant dedicated monitoring virtual machines the rights to access the main memory of other virtual machines in order to run introspection operations.
Abstract: Virtual machine introspection is a valuable approach for malware analysis and forensic evidence collection on virtual machines. However, there are no feasible solutions for how it can be used in production systems of cloud providers. In this paper, we present the CloudPhylactor architecture. It harnesses the mandatory access control of Xen to grant dedicated monitoring virtual machines the rights to access the main memory of other virtual machines in order to run introspection operations. This allows customers to create monitoring virtual machines that have access to perform VMI-based operations on their production virtual machines. With our prototype implementation, we show that our approach does not introduce performance drawbacks and gives cloud customers full control to do introspection on their virtual machines. We also show that the impact of successful attacks on the monitoring framework is reduced.

Journal ArticleDOI
TL;DR: This paper presents PhaseNoC, a truly noninterfering VC-based architecture that adopts time-division multiplexing at the VC level and removes any flow interference and allows for efficient network traffic isolation.
Abstract: As multi/many-core architectures evolve, the demands on the network-on-chip (NoC) are amplified. In addition to high performance and physical scalability, the NoC is increasingly required to also provide specialized functionality, such as network virtualization, flow isolation, and quality-of-service. Although traditional architectures supporting virtual channels (VCs) offer the resources for flow partitioning and isolation, an adversarial workload can still interfere and degrade the performance of other workloads that are active in a different set of VCs. In this paper, we present PhaseNoC, a truly noninterfering VC-based architecture that adopts time-division multiplexing at the VC level. Distinct flows, or application domains, mapped to disjoint sets of VCs are isolated, both inside the router's pipeline and at the network level. Any latency overhead is minimized by appropriate scheduling of flows in separate phases of operation, irrespective of the chosen topology. When strict isolation is not required, the proposed architecture can employ opportunistic bandwidth stealing. This novel mechanism works synergistically with the baseline PhaseNoC techniques to improve the overall latency/throughput characteristics of the NoC, while still preserving performance isolation. Experimental results corroborate that—with lower cost than state-of-the-art NoC architectures, and with minimum latency overhead—PhaseNoC removes any flow interference and allows for efficient network traffic isolation.

Patent
Zou Tao
09 Sep 2016
TL;DR: In this paper, a method and an apparatus for controlling virtual machine migration is presented, where the method includes obtaining information about an application running on a first virtual machine, and determining, according to the information about the application, whether an application associated with the application run on a second virtual machine.
Abstract: A method and an apparatus for controlling virtual machine migration is presented, where the method includes obtaining information about an application running on a first virtual machine, where the first virtual machine runs on a first host; determining, according to the information about the application, whether an application associated with the application running on the first virtual machine runs on a second virtual machine, where the second virtual machine is any virtual machine running on a second host; and if no application associated with the application running on the first virtual machine runs on the second virtual machine, migrating the first virtual machine to the second host. The embodiments of the present disclosure can ensure that reliability of an application is not affected during a virtual machine migration process.

Posted Content
TL;DR: This paper formally defines the survivable virtual cluster embedding problem, and proposes a novel algorithm, which computes the most resource-efficient embedding given a tenant request, which is several orders faster than the optimal solution yet able to achieve similar performance.
Abstract: Cloud computing has emerged as a powerful and elastic platform for internet service hosting, yet it also draws concerns of the unpredictable performance of cloud-based services due to network congestion. To offer predictable performance, the virtual cluster abstraction of cloud services has been proposed, which enables allocation and performance isolation regarding both computing resources and network bandwidth in a simplified virtual network model. One issue arisen in virtual cluster allocation is the survivability of tenant services against physical failures. Existing works have studied virtual cluster backup provisioning with fixed primary embeddings, but have not considered the impact of primary embeddings on backup resource consumption. To address this issue, in this paper we study how to embed virtual clusters survivably in the cloud data center, by jointly optimizing primary and backup embeddings of the virtual clusters. We formally define the survivable virtual cluster embedding problem. We then propose a novel algorithm, which computes the most resource-efficient embedding given a tenant request. Since the optimal algorithm has high time complexity, we further propose a faster heuristic algorithm, which is several orders faster than the optimal solution, yet able to achieve similar performance. Besides theoretical analysis, we evaluate our algorithms via extensive simulations.

Proceedings ArticleDOI
16 May 2016
TL;DR: A service level and performance aware controller that provides performance isolation for high QoS VMs, and reduces the VM interference between low QoS VMs by dynamically mapping virtual cores to physical cores, thus limiting the amount of resources that each VM can access depending on their performance.
Abstract: Many cloud computing providers use overbooking to increase their low utilization ratios. This however increases the risk of performance degradation due to interference among co-located VMs. To address this problem we present a service level and performance aware controller that: (1) provides performance isolation for high QoS VMs; and (2) reduces the VM interference between low QoS VMs by dynamically mapping virtual cores to physical cores, thus limiting the amount of resources that each VM can access depending on their performance. Our evaluation based on real cloud applications and both stress, synthetic and realistic workloads demonstrates that a more efficient use of the resources is achieved, dynamically allocating the available capacity to the applications that need it more, which in turn lead to a more stable and predictable performance over time.

Proceedings ArticleDOI
01 Jul 2016
TL;DR: An energy-aware migration algorithm of virtual machines (EAMV) is proposed which can migrate to a guest server which consumes smaller electric energy and can be energy-efficiently performed in a cluster.
Abstract: We have to reduce the electric energy consumed by servers in a cluster in order to realize an eco-society. Types of algorithms for a request process to select an energy-efficient server in a cluster of servers are proposed in our previous studies. Furthermore, algorithms for energy-efficiently migrating a process on a host server to a more energy-efficient guest server are discussed. Virtual machines are now widely used to support applications with virtual computation service in cloud computing systems. Here, a virtual machine can migrate to a guest server, e.g. one which is less loaded. By migrating a virtual machine, application processes performed on the virtual machine can also migrate from a host server to another guest server. In this paper, we newly propose an energy-aware migration algorithm of virtual machines (EAMV). Here, processes on a virtual machine can migrate to a guest server which consumes less electric energy and can be energy-efficiently performed in a cluster. We evaluate the EAMV algorithm compared with non-migration algorithms in terms of the total electric energy consumption and execution time of processes. We show that the electric energy consumption and average execution time can be reduced in the EAMV algorithm.

Proceedings ArticleDOI
Degang Sun, Jie Zhang, Wei Fan, Tingting Wang, Chao Liu, Weiqing Huang
30 May 2016
TL;DR: A security model of live virtual machine migration based on security policy transfer and encryption, named SPLM (Security Protection of Live Migration), is proposed and its security and reliability are analyzed, which shows that SPLM is better than others.
Abstract: Virtual machine live migration technology, as an important support for cloud computing, has become a central issue in recent years. The virtual machines' runtime environment is migrated from the original physical server to another physical server while keeping the virtual machines running. Therefore, it can provide load balancing among servers and ensure the quality of service. However, the security issue of virtual machine migration cannot be ignored due to its immature development. In this paper we analyze the security threats of virtual machine migration, and compare the currently proposed protection measures. However, these methods either rely on hardware, or lack adequate security and expansibility. In the end, we propose a security model of live virtual machine migration based on security policy transfer and encryption, named SPLM (Security Protection of Live Migration), and analyze its security and reliability, which shows that SPLM is better than others. This paper can be useful for researchers working in this field. The security study of live virtual machine migration in this paper provides a certain reference for the research of virtualization security, and is of great significance.

ReportDOI
07 Mar 2016
TL;DR: The virtual network configuration areas discussed in this document are network segmentation, network path redundancy, traffic control using firewalls, and VM traffic monitoring.
Abstract: Virtual machines (VMs) are key resources to be protected since they are the compute engines hosting mission-critical applications. Since VMs are end nodes of a virtual network, the configuration of the virtual network is an important element in the security of the VMs and their hosted applications. The virtual network configuration areas discussed in this document are network segmentation, network path redundancy, traffic control using firewalls, and VM traffic monitoring. This document analyzes the configuration options under these areas and presents a corresponding set of recommendations for secure virtual network configuration for VM protection.

Proceedings ArticleDOI
01 Oct 2016
TL;DR: A new method to study the state of CPUs inside VMs without internal access, and a new approach for profiling threads inside the VMs by host tracing, thus adding less overhead to VMs compared to existing approaches.
Abstract: Cloud computing offers to the end user the ability of accessing a pool of resources with the Pay as Use (PaU) model. By leveraging this technology, users can benefit from hardware virtualization for on-demand resource acquisition and rapid elasticity. However, there is no effective tool to analyze virtual hardware performance, especially when isolation between these virtual resources is not adequate. The existing tools need to access and trace the whole activity of the VM and host. However, in most cases, tracing the virtual machine (VM) is not possible because of security issues and the added overhead. Therefore, there is a need for a tool to troubleshoot unexpected behavior of VMs without internal access for tracing or debugging. In this paper, we propose a new method to study the state of CPUs inside VMs without internal access. Our tool can detect unexpected delays and their root causes. We developed a virtual CPU (vCPU) state analyser to detect the state of vCPUs along with the reason for being in that state. This approach relies on host tracing, thus adding less overhead to VMs as compared to existing approaches. Then we propose a new approach for profiling threads inside the VMs by host tracing. We implemented different views for the TraceCompass trace viewer to let the administrator visually track different threads and their states inside the VMs. Our tool can detect different problems such as overcommitment of resources.

Journal ArticleDOI
TL;DR: This article extends page coloring to work on recent multicore architectures by proposing a mechanism able to handle their hash-based LLC addressing scheme, and implements this mechanism in the Linux kernel.
Abstract: Contention on the shared Last-Level Cache (LLC) can have a fundamental negative impact on the performance of applications executed on modern multicores. An interesting software approach to address LLC contention issues is based on page coloring, which is a software technique that attempts to achieve performance isolation by partitioning a shared cache through careful memory management. The key assumption of traditional page coloring is that the cache is physically addressed. However, recent multicore architectures (e.g., Intel Sandy Bridge and later) switched from a physical addressing scheme to a more complex scheme that involves a hash function. Traditional page coloring is ineffective on these recent architectures. In this article, we extend page coloring to work on these recent architectures by proposing a mechanism able to handle their hash-based LLC addressing scheme. Just as for traditional page coloring, the goal of this new mechanism is to deliver performance isolation by avoiding contention on the LLC, thus enabling predictable performance. We implement this mechanism in the Linux kernel, and evaluate it using several benchmarks from the SPEC CPU2006 and PARSEC 3.0 suites. Our results show that our solution is able to deliver performance isolation to concurrently running applications by enforcing partitioning of a Sandy Bridge LLC, which traditional page coloring techniques are not able to handle.

Journal ArticleDOI
TL;DR: It is illustrated that there is indeed a strong tendency toward over-provisioning CPU and memory resources while certain virtualization features are used rather conservatively, showing that there is significant room for the development of policies that aim to reduce operational costs in data centers.
Abstract: Virtualization has become a mainstream technology that allows efficient and safe resource sharing in data centers. In this paper, we present a large scale workload characterization study of 90K virtual machines hosted on 8K physical servers, across several geographically distributed corporate data centers of a major service provider. The study covers 19 days of operation and focuses on the state of the practice, i.e., how virtual machines are deployed across different physical resources with an emphasis on processors and memory, focusing on resource sharing and usage of physical resources, virtual machine life cycles, and migration patterns and their frequencies. This paper illustrates that there is indeed a strong tendency toward over-provisioning CPU and memory resources while certain virtualization features (e.g., migration and collocation) are used rather conservatively, showing that there is significant room for the development of policies that aim to reduce operational costs in data centers.