Linux Virtualization Concepts

From NovaOrdis Knowledge Base

External

Internal

Generic Virtualization Concepts

Virtualization Concepts

Virtualization Solutions from Red Hat

RHEL 7 includes a hypervisor and a number of virtualization tools, which allow running guest operating systems, so it can function as a virtualization platform. However, the solution supports a limited number of guests per host and a limited range of guest types. Red Hat Virtualization is an enterprise virtualization solution based on the KVM technology, offering more features than Red Hat Enterprise Linux. Red Hat OpenStack Platform supports OpenStack clouds.

KVM (Kernel-based Virtual Machine)

KVM is a hypervisor that only runs on systems with hardware supporting virtualization extensions. It is built into the standard RHEL 7 kernel, and it can run Linux, Windows, Solaris and BSD guests. KVM is integrated with the Quick Emulator (QEMU). KVM is managed with the libvirt API. The virtual machines are executed as multi-threaded Linux processes controlled by tools built on top of libvirt. KVM supports overcommitting, kernel same-page merging (KSM), disk I/O throttling, automatic NUMA balancing and virtual CPU hot add.

Xen

Xen can do full virtualization on systems that support virtualization extensions, but it can also work as a hypervisor on machines that don't.

Quick Emulator (QEMU)

QEMU Guest Agent

The QEMU guest agent runs on the guest operating system and makes it possible for the host machine to issue commands to the guest operating system.

RHEL 7 Virtualization Administration Guide - QEMU guest agent

libvirt

libvirt is a package providing a hypervisor-independent C-based API that can be used to manage KVM as well as Xen. libvirt's clients are the virtualization management tools. The management tools do not need to run on the same physical machine as the hosts whose virtual machines they manage.

libvirt provides access to management of virtual machines on a host. The API can be used to provision, create, modify, monitor, control, migrate and stop virtual machines. Resources such as CPUs, memory, storage, networking and non-uniform memory access (NUMA) partitions can be listed with libvirt. libvirt delegates management operations to the hypervisor, so only operations supported by the hypervisor can be performed with libvirt.

virsh, the primary command-line virtualization management tool, is based on libvirt.

virtio

virtio is a package that provides KVM hypervisor-specific code and exposes paravirtualized devices to the guest operating system. virtio is a layer sitting between the hypervisor and the guest. All virtio devices have two parts: the host device and the guest driver. The paravirtualized device drivers allow the guest operating system to access the corresponding physical device installed on the host system, and they must be installed on the guest operating system. Examples of paravirtualized devices: the paravirtualized network device (virtio-net); the paravirtualized block device (virtio-blk), which is a high-performance virtual storage device supported by the hypervisor; the paravirtualized SCSI controller device (virtio-scsi); and others (clock, virtio-serial, virtio-balloon, virtio-rng, QXL graphics card).

RHEL 7 Virtualization Administration Guide - Paravirtualized virtio Drivers

Also see paravirtualization and paravirtualized devices.

KVM and Physically Shared Devices

Also see physically shared devices.

Storage and Virtualization

The storage for virtual machines is abstracted from the physical storage attached to the host. The storage is attached to the virtual machine using paravirtualized or emulated block device drivers. Commonly used storage devices:

  • virtio-blk
  • virtio-scsi
  • IDE
  • CD-ROM
  • USB mass storage devices

Storage Pool

RHEL 7 Virtualization Administration Guide - Storage Pools

A storage pool is a file, directory or storage device managed by libvirt to provide storage to virtual machines. Storage pools are divided into storage volumes that store virtual machine images or are attached to virtual machines as additional storage. Multiple guests can share the same storage pool. A local storage pool is directly attached to the host server, as a local directory, directly attached disk, physical partition and logical volume management (LVM) volume. Local storage pools do not support live migration. A network (shared) storage pool implies storage shared over the network using standard protocols.

Storage Volume

A storage pool is divided into storage volumes, which are abstractions of physical partitions/LVM logical volumes/etc. Storage volumes are presented to virtual machines as local storage devices, regardless of the underlying hardware.

Networking and Virtualization

Security and Virtualization

KVM virtual machines use SELinux and sVirt to enforce security.

sVirt

sVirt is a technology included in RHEL 7 to integrate SELinux and virtualization. It applies Mandatory Access Control (MAC) to improve security when using virtual machines.

Steal Time

"Steal time" is the percentage of time a virtual CPU waits for a real CPU while the hypervisor is servicing another virtual processor.

A high value means the physical CPU is overcommitted and more physical CPU should be allocated to the environment, or the VM should be moved to a different physical server. The steal time is reported in the st column of vmstat.
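The st value vmstat prints is derived from the steal counter on the aggregate cpu line of /proc/stat. The following added example (not part of the original page) computes that percentage from two /proc/stat samples the same way and flags an overcommitted host; the two samples and the 10% threshold are constructed assumptions for illustration.

```python
"""Steal-time check from two /proc/stat samples (added example)."""
from typing import Dict

# Column order of the aggregate 'cpu' line in /proc/stat, in jiffies.
FIELDS = ["user", "nice", "system", "idle", "iowait",
          "irq", "softirq", "steal", "guest", "guest_nice"]

# Constructed samples taken ~1 s apart; not captured from a real host.
SAMPLE_T0 = "cpu  1000 0 500 8000 100 0 0 400 0 0\ncpu0 1000 0 500 8000 100 0 0 400 0 0\n"
SAMPLE_T1 = "cpu  1700 0 800 8800 100 0 0 1000 0 0\ncpu0 1700 0 800 8800 100 0 0 1000 0 0\n"


def parse_cpu_line(stat_text: str) -> Dict[str, int]:
    """Return the counters of the aggregate 'cpu' line (not cpu0, cpu1...)."""
    for line in stat_text.splitlines():
        parts = line.split()
        if parts and parts[0] == "cpu":
            values = [int(v) for v in parts[1:]]
            # Older kernels print fewer columns; treat missing ones as 0.
            values += [0] * (len(FIELDS) - len(values))
            return dict(zip(FIELDS, values))
    raise ValueError("no aggregate cpu line in /proc/stat text")


def steal_percent(before: Dict[str, int], after: Dict[str, int]) -> float:
    """Steal time as a percentage of the interval, like vmstat's 'st'.

    'guest' and 'guest_nice' are already included in 'user' and 'nice',
    so only the first eight columns form the total (no double counting).
    """
    total = sum(after[f] - before[f] for f in FIELDS[:8])
    if total <= 0:          # identical samples or counter wrap: nothing to report
        return 0.0
    return 100.0 * (after["steal"] - before["steal"]) / total


def assess(pct: float, threshold: float = 10.0) -> str:
    """Classify the steal percentage; the threshold is an assumed tuning value."""
    return "overcommitted" if pct >= threshold else "ok"


if __name__ == "__main__":
    t0, t1 = parse_cpu_line(SAMPLE_T0), parse_cpu_line(SAMPLE_T1)
    pct = steal_percent(t0, t1)
    print(f"steal {pct:.1f}% -> {assess(pct)}")   # prints: steal 25.0% -> overcommitted
```

On a live guest, read /proc/stat twice with a sleep in between instead of using the constructed strings.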

RHEL 7 Virtualization Resource Limits

RHEL capabilities and limits
RHEL KVM virtualization capabilities and limits