Cloud Computing and Virtualization - Dac-Nhuong Le - E-Book


Dac-Nhuong Le

Description

The purpose of this book is first to study cloud computing concepts, security concern in clouds and data centers, live migration and its importance for cloud computing, the role of firewalls in domains with particular focus on virtual machine (VM) migration and its security concerns. The book then tackles design, implementation of the frameworks and prepares test-beds for testing and evaluating VM migration procedures as well as firewall rule migration. The book demonstrates how cloud computing can produce an effective way of network management, especially from a security perspective.

Pages: 410

Year of publication: 2018



Contents

Cover

Title page

Copyright page

List of Figures

List of Tables

Preface

Acknowledgments

Acronyms

Introduction

Chapter 1: Live Virtual Concept in Cloud Environment

1.1 Live Migration

1.2 Issues with Migration

1.3 Research on Live Migration

1.4 Total Migration Time

1.5 Graph Partitioning

1.6 Conclusion

References

Chapter 2: Live Virtual Machine Migration in Cloud

2.1 Introduction

2.2 Business Challenge

2.3 Virtual Machine Migration

2.4 Virtualization System

2.5 Live Virtual Machine Migration

2.6 Conclusion

References

Chapter 3: Attacks and Policies in Cloud Computing and Live Migration

3.1 Introduction to Cloud Computing

3.2 Common Types of Attacks and Policies

3.3 Conclusion

References

Chapter 4: Live Migration Security in Cloud

4.1 Cloud Security and Security Appliances

4.2 VMM in Clouds and Security Concerns

4.3 Software-Defined Networking

4.4 Distributed Messaging System

4.5 Customized Testbed for Testing Migration Security in Cloud

4.6 A Case Study and Other Use Cases

4.7 Conclusion

References

Chapter 5: Solution for Secure Live Migration

5.1 Detecting and Preventing Data Migrations to the Cloud

5.2 Protecting Data Moving to the Cloud

5.3 Application Security

5.4 Virtualization

5.5 Virtual Machine Guest Hardening

5.6 Security as a Service

5.7 Conclusion

References

Chapter 6: Dynamic Load Balancing Based on Live Migration

6.1 Introduction

6.2 Classification of Load Balancing Techniques

6.3 Policy Engine

6.4 Load Balancing Algorithm

6.5 Resource Load Balancing

6.6 Load Balancers in Virtual Infrastructure Management Software

6.7 VMware Distributed Resource Scheduler

6.8 Conclusion

References

Chapter 7: Live Migration in Cloud Data Center

7.1 Definition of Data Center

7.2 Data Center Traffic Characteristics

7.3 Traffic Engineering for Data Centers

7.4 Energy Efficiency in Cloud Data Centers

7.5 Major Cause of Energy Waste

7.6 Power Measurement and Modeling in Cloud

7.7 Power Measurement Techniques

7.8 Power Saving Policies in Cloud

7.9 Conclusion

References

Chapter 8: Trusted VM-vTPM Live Migration Protocol in Clouds

8.1 Trusted Computing

8.2 TPM Operations

8.3 TPM Applications and Extensions

8.4 TPM Use Cases

8.5 State of the Art in Public Cloud Computing Security

8.6 Launch and Migration of Virtual Machines

8.7 Trusted VM Launch and Migration Protocol

8.8 Conclusion

References

Chapter 9: Lightweight Live Migration

9.1 Introduction

9.2 VM Checkpointing

9.3 Enhanced VM Live Migration

9.4 VM Checkpointing Mechanisms

9.5 Lightweight Live Migration for Solo VM

9.6 Lightweight Checkpointing

9.7 Storage-Adaptive Live Migration

9.8 Conclusion

References

Chapter 10: Virtual Machine Mobility with Self-Migration

10.1 Checkpoints and Mobility

10.2 Manual and Seamless Mobility

10.3 Fine-and Coarse-Grained Mobility Models

10.4 Migration Freeze Time

10.5 Device Drivers

10.6 Self-Migration

10.7 Conclusion

References

Chapter 11: Different Approaches for Live Migration

11.1 Virtualization

11.2 Types of Live Migration

11.3 Live VM Migration Types

11.4 Hybrid Live Migration

11.5 Reliable Hybrid Live Migration

11.6 Conclusion

References

Chapter 12: Migrating Security Policies in Cloud

12.1 Cloud Computing

12.2 Firewalls in Cloud and SDN

12.3 Distributed Messaging System

12.4 Migration Security in Cloud

12.5 Conclusion

References

Chapter 13: Case Study

13.1 Kernel-Based Virtual Machine

13.2 Xen

13.3 Secure Data Analysis in GIS

13.4 Emergence of Green Computing in Modern Computing Environment

13.5 Green Computing

13.6 Conclusion

References

End User License Agreement


Scrivener Publishing, 100 Cummings Center, Suite 541J, Beverly, MA 01915-6106

Publishers at Scrivener: Martin Scrivener ([email protected]), Phillip Carmical ([email protected])

Cloud Computing and Virtualization

Dac-Nhuong Le

Faculty of Information Technology, Haiphong University, Haiphong, Vietnam

Raghvendra Kumar

Department of Computer Science and Engineering, LNCT, Jabalpur, India

Gia Nhu Nguyen

Graduate School, Duy Tan University, Da Nang, Vietnam

Jyotir Moy Chatterjee

Department of Computer Science and Engineering at GD-RCET, Bhilai, India.


This edition first published 2018 by John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA and Scrivener Publishing LLC, 100 Cummings Center, Suite 541J, Beverly, MA 01915, USA © 2018 Scrivener Publishing LLC For more information about Scrivener publications please visit www.scrivenerpublishing.com.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.

Wiley Global Headquarters, 111 River Street, Hoboken, NJ 07030, USA

For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.

Limit of Liability/Disclaimer of Warranty: While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials, or promotional statements for this work. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read.

Library of Congress Cataloging-in-Publication Data

ISBN 978-1-119-48790-6

List of Figures

1.1   Pre-copy method for live migration

1.2   Pre- vs. Post-copy migration sequence

1.3   Bin packing in VM context

1.4   Nodes connected in a network

1.5   Learning automata

2.1   Simple representation of a virtualized system

2.2   Types of virtual machines

2.3   Virtual machine applications

2.4   Xen live migration

2.5   Type-1 and type-2 hypervisor

2.6   Simplified architecture of para- and full virtualization

2.7   Types of virtualization

2.8   Xen architecture

2.9   Architecture of KVM

2.10   OpenStack architecture

2.11   Virtual machine migration

2.12   QEMU and KVM

2.13   Libvirt architecture

3.1   Fake certificate injection

3.2   Cross-site scripting

3.3   SQL injection

3.4   Layer-2 attacks

3.5   Double encapsulation attacks

3.6   Multicast brute force attacks

3.7   Spanning tree attacks

3.8   Random frame attacks

3.9   DNS attacks

3.10   Layer 3 attacks

3.11   Man-in-the-middle attack

4.1   Software-defined networking architecture

4.2   Authentication in cloud

4.3   Data transfer after authentication in cloud

5.1   Virtualization vs. Containers

5.2   Security as a service

6.1   Types of load balancing approaches

6.2   Relationship between policy engine and the Xen hosts

6.3   For our prototype, the policy engine runs inside of a VM separate from everything else

6.4   The prototype policy engine communicates with all hosts to decide when VMs should be migrated and to initiate migration when necessary

6.5   Distribution of nodes in groups based on load thresholds

6.6   OpenNebula architecture

7.1   Data center architecture

7.2   Server power model based on CPU utilization

8.1   Trusted computing standards

9.1   VM Checkpointing

11.1  Hardware-assisted virtualization

11.2  Pre-copy live migration

11.3  Post-copy live migration

11.4  Hybrid live migration

List of Tables

1.1   Variables used in formulas in the VM buddies system

2.1   Types of virtual machines

2.2   Virtual machine applications

2.3   Advantages associated with virtualization

2.4   Kernel-based virtual machine features

3.1   Popular layer 2 attacks

4.1   Cloud computing security risks

5.1   Virtualization-related security issues

Preface

The idea of cloud computing isn’t new, or overly complicated from a technology resources and Internet perspective. What’s new is the growth and maturity of cloud computing methods, and strategies that enable business agility goals. Looking back, the phrase “utility computing” didn’t captivate or create the stir in the information industry as the term “cloud computing” has in recent years. Nevertheless, appreciation of readily available resources has arrived and the utilitarian or servicing features are what are at the heart of outsourcing the access of information technology resources and services. In this light, cloud computing represents a flexible, cost-effective and proven delivery platform for business and consumer information services over the Internet. Cloud computing has become an industry game changer as businesses and information technology leaders realize the potential in combining and sharing computing resources as opposed to building and maintaining them.

There’s seemingly no shortage of views regarding the benefits of cloud computing nor is there a shortage of vendors willing to offer services in either open source or promising commercial solutions. Beyond the hype, there are many aspects of the Cloud that have earned new consideration due to their increased service capability and potential efficiencies. The ability to demonstrate transforming results in cloud computing to resolve traditional business problems using information technology management’s best practices now exists. In the case of economic impacts, the principles of pay-as-you-go and computer agnostic services are concepts ready for prime time. Performances can be well measured by calculating the economic and environmental effects of cloud computing today.

In Cloud Computing and Virtualization, Dac Nhuong Le et al. take the industry beyond mere definitions of cloud computing and virtualization, grid and sustainment strategies to contrasting them in day-to-day operations. Dac-Nhuong Le and his team of co-authors take the reader from beginning to end with the essential elements of cloud computing, its history, innovation, and demands. Through case studies and architectural models they articulate service requirements, infrastructure, security, and outsourcing of salient computing resources.

The adoption of virtualization in data centers creates the need for a new class of networks designed to support elasticity of resource allocation, increasing mobile workloads and the shift to production of virtual workloads, requiring maximum availability. Building a network that spans both physical servers and virtual machines with consistent capabilities demands a new architectural approach to designing and building the IT infrastructure. Performance, elasticity, and logical addressing structures must be considered as well as the management of the physical and virtual networking infrastructure. Once deployed, a network that is virtualization-ready can offer many revolutionary services over a common shared infrastructure. Virtualization technologies from VMware, Citrix and Microsoft encapsulate existing applications and extract them from the physical hardware. Unlike physical machines, virtual machines are represented by a portable software image, which can be instantiated on physical hardware at a moment’s notice. With virtualization, comes elasticity where computer capacity can be scaled up or down on demand by adjusting the number of virtual machines actively executing on a given physical server. Additionally, virtual machines can be migrated while in service from one physical server to another. Extending this further, virtualization creates “location freedom” enabling virtual machines to become portable across an ever-increasing geographical distance. As cloud architectures and multi-tenancy capabilities continue to develop and mature, there is an economy of scale that can be realized by aggregating resources across applications, business units, and separate corporations to a common shared, yet segmented, infrastructure.

Elasticity, mobility, automation, and density of virtual machines demand new network architectures focusing on high performance, addressing portability, and the innate understanding of the virtual machine as the new building block of the data center. Consistent network-supported and virtualization-driven policy and controls are necessary for visibility to virtual machines’ state and location as they are created and moved across a virtualized infrastructure.

Dac-Nhuong Le again enlightens the industry with sharp analysis and reliable architecture-driven practices and principles. No matter the level of interest or experience, the reader will find clear value in this in-depth, vendor-neutral study of cloud computing and virtualization.

This book is organized into thirteen chapters. Chapter 1, “Live Migration Concept in Cloud Environment,” discusses the technique of moving a VM from one physical host to another while the VM is still executing. It is a powerful and handy tool for administrators to maintain SLAs while performing optimization tasks and maintenance on the cloud infrastructure. Live migration ideally requires the transfer of the CPU state, memory state, network state and disk state. Transfer of the disk state can be circumvented by having a shared storage between the hosts participating in the live migration process. This chapter gives the brief introductory concept of live migration and the different techniques related to live migration such as issues with live migration, research on live migration, learning automata partitioning and, finally, different advantages of live migration over WAN.

Chapter 2, “Live Virtual Machine Migration in Cloud,” shows how the most well-known and widely deployed VMM, VMware, is vulnerable to practical attacks targeting its live migration functionality. This chapter also discusses the different challenges of virtual machine migration in cloud computing environments, along with their advantages and disadvantages, and presents several case studies.

Chapter 3, “Attacks and Policies in Cloud Computing and Live Migration,” presents the cloud computing model based on the concept of pay-per-use, in which the user pays for the amount of cloud services consumed. Cloud computing is defined by a layered architecture (IaaS, PaaS and SaaS) and by deployment models (private, public, hybrid and community), and usability depends on which model is chosen. Chapter 4, “Live Migration Security in Cloud,” presents security paradigms that apply when data is accessed from the cloud environment. The chapter lists the cloud service providers available in the market along with their security risks, cloud security challenges, cloud economics, cloud computing technologies and, finally, common types of attacks and policies in cloud and live migration.

Chapter 5, “Solutions for Secure Live Migration,” analyzes approaches for secure data transfer, focusing mainly on authentication. These approaches are categorized as single- or multi-tier authentication, which may use a digital certificate, an HMAC or an OTP on registered devices. The chapter gives an overview of cloud security appliances, VM migration in clouds and its security concerns, software-defined networking, firewalls in cloud and SDN, SDN and Floodlight controllers, distributed messaging systems, and a customized testbed for testing migration security in cloud. A case study is also presented along with other use cases: firewall rule migration and verification, the existing security scenario in cloud, authentication in cloud, hybrid approaches to security in cloud computing and data transfer, and architecture in cloud computing.

Chapter 6, “Dynamic Load Balancing Based on Live Migration,” concentrates on traditional data security controls (such as access controls or encryption). Two further steps help detect unapproved data moving to cloud services: monitor for large internal data migrations with file activity monitoring (FAM) and database activity monitoring (DAM), and monitor for data moving to the cloud with uniform resource locator (URL) filters and data loss prevention (DLP). The chapter gives an overview of detecting and preventing data migrations to the cloud, protecting data moving to the cloud, application security, virtualization, VM guest hardening, security as a service, identity-as-a-service requirements, web services SecaaS requirements, and email SecaaS requirements.
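The two monitoring steps above (FAM/DAM for internal data movement, URL filtering and DLP for data leaving for the cloud) are easiest to see with a concrete detector. The following Python is an added example, not code from the book: it parses a constructed proxy-log layout (timestamp, user, method, host, bytes sent by the client; an assumed format, not any vendor's), applies a URL-filter style host category list and a sanctioned-host allowlist (both placeholders), and raises a DLP-style alert when one user's uploads to an unsanctioned cloud-storage host exceed a byte threshold. Unparseable lines are counted rather than dropped silently, since a detector that quietly skips malformed input is itself a blind spot.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed proxy-log layout for this example (not any vendor's format):
#   <ISO-8601 time> <user> <HTTP method> <destination host> <bytes sent by client>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>[\w.-]+) (?P<bytes_out>\d+)$"
)

# Placeholder policy data: the URL filter's "cloud storage" category and the
# hosts the organisation has sanctioned for storing data.
CLOUD_STORAGE = {"drive.google.com", "www.dropbox.com", "s3.amazonaws.com", "onedrive.live.com"}
SANCTIONED = {"files.corp.example"}
UPLOAD_METHODS = {"POST", "PUT"}


def parse_line(line: str) -> Dict[str, object]:
    """Parse one log line; raise ValueError on anything that does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable line: {line!r}")
    ev: Dict[str, object] = m.groupdict()
    ev["bytes_out"] = int(ev["bytes_out"])
    return ev


def is_cloud_upload(ev: Dict[str, object]) -> bool:
    """URL-filter step: an upload to a cloud-storage host that is not sanctioned."""
    host = ev["host"]
    return ev["method"] in UPLOAD_METHODS and host in CLOUD_STORAGE and host not in SANCTIONED


def detect_uploads(lines: List[str], threshold_bytes: int) -> Dict[str, object]:
    """DLP-style aggregation: one alert per (user, host) whose uploads to an
    unsanctioned cloud-storage host total at least threshold_bytes.
    Malformed lines are counted in 'unparsed' instead of being dropped silently."""
    totals: Dict[tuple, int] = defaultdict(int)
    requests: Dict[tuple, int] = defaultdict(int)
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        try:
            ev = parse_line(line)
        except ValueError:
            unparsed += 1
            continue
        if not is_cloud_upload(ev):
            continue
        key = (ev["user"], ev["host"])
        totals[key] += ev["bytes_out"]
        requests[key] += 1
    alerts = [
        {"user": user, "host": host, "bytes_out": total, "requests": requests[(user, host)]}
        for (user, host), total in sorted(totals.items())
        if total >= threshold_bytes
    ]
    return {"alerts": alerts, "unparsed": unparsed}


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2018-01-15T09:12:01Z alice PUT files.corp.example 52428800
2018-01-15T09:13:44Z bob POST www.dropbox.com 10485760
2018-01-15T09:14:02Z bob POST www.dropbox.com 31457280
2018-01-15T09:15:10Z carol GET drive.google.com 512
2018-01-15T09:16:55Z dave PUT s3.amazonaws.com 4096
this line is deliberately malformed
"""

if __name__ == "__main__":
    report = detect_uploads(SAMPLE_LOG.splitlines(), threshold_bytes=20 * 1024 * 1024)
    for a in report["alerts"]:
        print(f"ALERT {a['user']} -> {a['host']}: {a['bytes_out']} bytes in {a['requests']} requests")
    print(f"unparsed lines: {report['unparsed']}")
```

On the constructed log, only bob trips the alert: alice's large upload goes to a sanctioned host, carol's request is a download, and dave's upload is below the threshold. Aggregating per user and host rather than per request is what catches a transfer that has been split into pieces to stay under a per-request limit.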

Chapter 7, “Live Migration in Cloud Data Center,” introduces load balancing, whose purpose is to improve the throughput of the system. The chapter gives an overview of different techniques of load balancing and load rebalancing, a policy engine to implement a dynamic load balancing algorithm, several load balancing algorithms, and the VMware Distributed Resource Scheduler.

In Chapter 8, “Trusted VM-vTPM Live Migration Protocol in Clouds,” data center network architectures and various network control mechanisms are introduced. The chapter discusses how resource virtualization, through VM migration, is now commonplace in data centers, and how VM migration can be used to improve system-side performance for VMs, or how load can be better balanced across the network through strategic VM migration. However, none of the VM migration works in this chapter address the fundamental problem of actively targeting and removing congestion from oversubscribed core links within data center networks. The TPM can be used to enable external parties to verify that a specific host carrying the TPM has booted into a trusted state. This is done by checking the set of digests (called measurements) of the loaded software, produced progressively throughout the boot process of the device. The measurements are stored in protected storage integrated within the TPM chip and are therefore resistant to software attacks, although vulnerable to hardware tampering. This chapter presents a platform-agnostic trusted launch protocol for a generic virtual machine image (GVMI). GVMIs are virtual machine images that do not differ from the vendor-supplied VM images (colloquially known as vanilla software). They are made available by IaaS providers for customers that intend to use an instance of a VM image that has not been subject to any modifications, such as patches or injected software. The protocol described in this chapter allows a customer that requests a GVMI to verify that it is run on a trusted platform.
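The measurement-and-extend mechanism summarised above is compact enough to simulate. The Python below is an added example, not code from the book or from any TPM library: it models a SHA-256 PCR bank with the extend rule PCR_new = H(PCR_old || digest), a measured boot that records an event log, and a remote verifier that replays the log against a quoted PCR value and checks each digest against vendor-published ("golden") values. The component images and the golden set are constructed placeholders, and the TPM quote's signature is assumed to have been verified already, so the quoted PCR is treated as trustworthy while the event log is not.

```python
import hashlib
from typing import Dict, List, Tuple

PCR_INIT = bytes(32)          # SHA-256 bank: the PCR is all zeros after reset

Event = Tuple[str, bytes]     # (component name, SHA-256 digest of its image)


def measure(image: bytes) -> bytes:
    """Digest ("measurement") of a software component, taken before it is loaded."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: PCR_new = H(PCR_old || digest).

    A PCR can only be extended, never written directly, so a later stage cannot
    erase the measurement of an earlier one short of a platform reset.
    """
    return hashlib.sha256(pcr + digest).digest()


def boot(chain: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Event]]:
    """Simulated measured boot: every stage is measured into the PCR and
    appended to the event log. Returns the final PCR value and the log."""
    pcr, log = PCR_INIT, []
    for name, image in chain:
        d = measure(image)
        log.append((name, d))
        pcr = extend(pcr, d)
    return pcr, log


def replay(log: List[Event]) -> bytes:
    """Recompute the PCR value that a given event log should produce."""
    pcr = PCR_INIT
    for _, d in log:
        pcr = extend(pcr, d)
    return pcr


def verify(quoted_pcr: bytes, log: List[Event], golden: Dict[str, bytes]) -> bool:
    """Remote verifier. quoted_pcr stands in for the PCR value inside a TPM quote
    whose signature is assumed to have been checked already.
    1) the untrusted log must replay to the trusted quoted PCR;
    2) every component must appear in the expected order with a known-good digest."""
    if replay(log) != quoted_pcr:
        return False
    if [name for name, _ in log] != list(golden):
        return False
    return all(golden[name] == d for name, d in log)


# Constructed sample images (placeholders for real firmware/kernel binaries).
BOOTLOADER = b"bootloader v1.2"
KERNEL = b"vmlinuz 4.15 vanilla"
INITRD = b"initrd vanilla"
VANILLA = [("bootloader", BOOTLOADER), ("kernel", KERNEL), ("initrd", INITRD)]
GOLDEN = {name: measure(img) for name, img in VANILLA}   # vendor-published digests


def scenarios() -> Dict[str, bool]:
    """Run the cases a practitioner cares about and return the verifier's verdicts."""
    good_pcr, good_log = boot(VANILLA)

    # 1) Modified kernel: the log replays to the quote, but the kernel digest
    #    is not the golden one.
    bad_pcr, bad_log = boot([VANILLA[0], ("kernel", KERNEL + b" +rootkit"), VANILLA[2]])

    # 2) The tampered host presents the golden log to hide the modification;
    #    the quoted PCR, which the host cannot forge, no longer replays from it.
    forged = verify(bad_pcr, good_log, GOLDEN)

    # 3) Same components loaded in a different order: extend is order-dependent.
    reordered_pcr, _ = boot([VANILLA[1], VANILLA[0], VANILLA[2]])

    return {
        "vanilla_ok": verify(good_pcr, good_log, GOLDEN),
        "modified_kernel_detected": not verify(bad_pcr, bad_log, GOLDEN),
        "forged_log_detected": not forged,
        "order_matters": reordered_pcr != good_pcr,
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

The split between the two checks in `verify` is the point: the log tells the verifier *what* was measured, the quote proves the log is the one the TPM actually saw. Either alone is insufficient, and the model does nothing about hardware tampering, which the chapter summary correctly lists as out of scope for the TPM.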

Chapter 9, “Lightweight Live Migration,” presents a set of techniques that provide high availability through VM live migration, their implementation in the Xen hypervisor and the Linux operating system kernel, and experimental studies conducted using a variety of benchmarks and production applications. The techniques include: a novel fine-grained block identification mechanism called FGBI; a lightweight, globally consistent checkpointing mechanism called VPC (virtual predict checkpointing); a fast VM resumption mechanism called VM resume; a guest OS kernel-based live migration technique that does not involve the hypervisor for VM migration called HSG-LM; an efficient live migration-based load balancing strategy called DC balance; and a fast and storage-adaptive migration mechanism called FDM.

Chapter 10, “Virtual Machine Mobility with Self Migration,” discusses many open issues related to device drivers. Existing systems trade driver isolation for performance and ease of development, and device drivers are a major source of system instability. Efforts have been made to improve the situation through hardware protection techniques, e.g., microkernels and Nooks, and through software-enforced isolation. Commodity systems do not enforce addressing restrictions on device DMA, which limits the effectiveness of the described techniques. Lastly, if applications are to survive a driver crash, the OS or driver-isolation mechanism must have a way of reconstructing lost hardware state on driver reinitialization.

Chapter 11, “Different Approaches for Live Migration,” studies the implementation of two kinds of live migration techniques for hardware-assisted virtual machines (HVMs). The first contribution of this chapter is the design and implementation of the post-copy approach. This approach consists of the last two stages of the process-migration phases, the stop-and-copy phase and the pull phase. Because of the pull phase, the approach becomes non-deterministic in terms of the completion of the migration, since data is fetched from the source only on demand.

Chapter 12, “Migrating Security Policies in Cloud,” presents the concepts of cloud computing, a fast-developing area that relies on sharing of resources over a network. As more companies adopt cloud computing and data centers grow rapidly, data and network security is gaining importance, and firewalls are still the most common means of safeguarding networks of any size. Since today's data centers are distributed around the world, VM migration within and between data centers is inevitable for an elastic cloud. In order to keep the VM and the data centers secure after migration, the VM-specific security policies should move along with the VM.

Finally, Chapter 13, “Case Study,” gives different case studies that are useful for real-life applications, such as KVM, Xen and the emergence of green computing in cloud, and ends with a case study on data analysis in distributed environments. Many algorithms for either transactional or geographic databases have been proposed to prune frequent item sets and association rules, among them an algorithm for global spatial association rule mining, which represents GIS database schemas and geo-ontologies by relationships with one-to-one and one-to-many cardinalities. This chapter presents an algorithm to improve spatial association rule mining. The proposed algorithm has three main steps: first, it automates the geographic data pre-processing tasks developed for a GIS module; second, it discards all well-known GIS dependencies when calculating the relationships among different numbers of attributes; and finally, an algorithm is proposed which provides the greatest degree of privacy when the number of regions is more than two, with each region finding the association rules between them with zero data leakage.

Dac-Nhuong Le
Raghvendra Kumar
Nguyen Gia Nhu
Jyotir Moy Chatterjee
January 2018

Acknowledgments

The authors would like to acknowledge the most important persons of our lives, our grandfathers, grandmothers and our wives. This book has been a long-cherished dream which would not have been turned into reality without the support and love of these amazing people. They have encouraged us despite our failing to give them the proper time and attention. We are also grateful to our best friends for their blessings, unconditional love, patience and encouragement of this work.

Acronyms

ACL: Access Control List
ALB: Adaptive Load Balancing
AMQP: Advanced Message Queuing Protocol
API: Application Programming Interface
ARP: Address Resolution Protocol
CAM: Content Addressable Memory
CCE: Cloud Computing Environment
CFI: Control Flow Integrity
CSLB: Central Scheduler Load Balancing
CSP: Cloud Service Provider
DAM: Database Activity Monitoring
DCE: Data Center Efficiency
DLP: Data Loss Prevention
DPM: Distributed Power Management
DRS: Distributed Resource Scheduler
DVFS: Dynamic Voltage and Frequency Scaling
DHCP: Dynamic Host Configuration Protocol
ECMP: Equal-Cost Multi-Path
EC2: Elastic Compute Cloud
FAM: File Activity Monitoring
FGBI: Fine-Grained Block Identification
GVMI: Generic Virtual Machine Image
GOC: Green Open Cloud
HVM: Hardware Assisted Virtual Machine
HPC: Hardware Performance Counters
HIPS: Host Intrusion Prevention System
IaaS: Infrastructure as a Service
IDS/IPS: Intrusion Detection System/Intrusion Prevention System
IMA: Integrity Measurement Architecture
IRM: In-Lined Reference Monitors
ISA: Instruction Set Architecture
KVM: Kernel-Based Virtual Machine
KBA: Knowledge-Based Answers/Questions
LAN: Local Area Network
LLFC: Link Layer Flow Control
LLM: Lightweight Live Migration
LVMM: Live Virtual Machine Migration
MiTM: Man-in-the-Middle Attack
MAC: Media Access Control
NAC: Network Access Control
NRDC: Natural Resources Defense Council
NIPS: Network Intrusion Prevention System
OS: Operating System
ONF: Open Networking Foundation
PaaS: Platform as a Service
PAP: Policy Access Points
PDP: Policy Decision Points
PEP: Policy Enforcement Points
PUE: Power Usage Effectiveness
PDT: Performance Degradation Time
PMC: Performance Monitoring Counters
PPW: Performance Per Watt
RLE: Run-Length Encoding
SaaS: Software as a Service
SAML: Security Assertion Markup Language
SDN: Software-Defined Networks
SecaaS: Security as a Service
SLA: Service Level Agreements
SPT: Shadow Page Table
SFI: Software Fault Isolation
SMC: Secure Multi-Party Computation
SIEM: Security Information and Event Management
STP: Spanning Tree Protocol
S3: Simple Storage Service
TPM: Trusted Platform Module
TTP: Trusted Third Party
TCG: Trusted Computing Group
VDCs: Virtual Data Centers
VLB: Valiant Load Balancing
VPC: Virtual Predict Checkpointing
VM: Virtual Machine
VMM: Virtual Machine Migration
VMLM: Virtual Machine Live Migration
XSS: Cross-Site Scripting
WAN: Wide Area Network

Introduction

DAC-NHUONG LE, PHD

Deputy-Head, Faculty of Information Technology

Haiphong University, Haiphong, Vietnam

Recent advances in virtualization and communication technologies have changed the way data centers are designed and operated by providing new mechanisms for better sharing and control of data center resources. In particular, virtual machine live migration is an effective management technique that gives data center administrators the ability to adjust the placement of VMs in order to better satisfy performance objectives, improve resource utilization and communication locality, mitigate performance hotspots, tolerate faults, reduce energy consumption, and facilitate system maintenance activities. Despite these potential benefits, VM migration also poses new requirements on the design of the underlying communication infrastructure; for example, addressing the bandwidth requirements needed to support VM mobility. Moreover, devising efficient VM migration schemes is itself a challenging problem, as it requires not only measuring the benefits of VM migration but also accounting for migration costs, including communication cost, service disruption, and management overhead.

This book presents in-depth insights into the benefits and mechanisms of virtual machine live migration and examines the related research challenges for data centers in cloud computing environments.

CHAPTER 1 LIVE VIRTUAL CONCEPT IN CLOUD ENVIRONMENT

Abstract

Live migration ideally requires the transfer of the CPU state, memory state, network state and disk state. Transfer of the disk state can be circumvented by having shared storage between the hosts participating in the live migration process. Next, the VM is suspended at the source machine and resumed at the target machine. The state of the virtual processor is also copied over, ensuring that the machine is the very same in both operation and specification once it resumes at the destination. This chapter is a detailed study of live migration, the types of live migration, and the issues and research surrounding live migration in the cloud environment.

Keywords: Live migration, techniques, graph partitioning, migration time, WAN.

1.1 Live Migration

1.1.1 Definition of Live Migration

Live migration [1] is the technique of moving a VM from one physical host to another while the VM is still executing. It is a powerful and handy tool for administrators to maintain SLAs while performing optimization tasks and maintenance on the cloud infrastructure. Live migration ideally requires the transfer of the CPU state, memory state, network state and disk state. Transfer of the disk state can be circumvented by having shared storage between the hosts participating in the live migration process. Memory state transfer can be categorized into three phases:

Push Phase: The memory pages are transferred or pushed to the destination iteratively while the VM is running on the source host. Memory pages modified during each iteration are re-sent in the next iteration to ensure consistency in the memory state of the VM.

Stop-and-copy Phase: The VM is stopped at the source, all memory pages are copied across to the destination VM, and then the VM is started at the destination.

Pull Phase: The VM is running at the destination, and if it accesses a page that has not yet been transferred from the source to the destination, a page fault is generated and this page is pulled across the network from the source VM to the destination.

Cold and hot VM migration approaches use the pure stop-and-copy migration technique. Here the memory contents of the VM are transferred to the destination along with the CPU and I/O state after shutting down or suspending the VM, respectively. The advantage of this approach is its simplicity and the one-time transfer of memory pages. The disadvantage, however, is high VM downtime and service unavailability.

1.1.2 Techniques for Live Migration

There are two main migration techniques [1], which are different combinations of the memory transfer phases explained previously. These are the pre-copy and the post-copy techniques.

1.1.2.1 Pre-Copy Migration

The most common way for virtual machine migration (VMM) [2] is the pre-copy method (Figure 1.1). During such a process, the complete disk image of the VM is first copied over to the destination. If anything is written to the disk during this process, the changed disk blocks are logged. Next, the changed disk data is migrated. Disk blocks can also change during this stage, and once again the changed blocks are logged. Migration of changed disk blocks is repeated until the generation rate of changed blocks is lower than a given threshold or a certain number of iterations has passed. After the virtual disk is transferred, the RAM is migrated, using the same principle of iteratively copying changed content. Next, the VM is suspended at the source machine and resumed at the target machine. The state of the virtual processor is also copied over, ensuring that the machine is the very same in both operation and specification once it resumes at the destination.

Figure 1.1 Pre-copy method for live migration.

It is important to note that the disk image migration phase is only needed if the VM doesn’t have its image on a network location, such as an NFS share, which is quite common for data centers.

1.1.2.2 Post-Copy Migration

This is the most primitive form of VMM [3]. The basic outline of the post-copy method is as follows. The VM is suspended at the source PM. The minimum required processor state, which allows the VM to run, is transferred to the destination PM. Once this is done, the VM is resumed at the destination PM. This first part of the migration is common to all post-copy migration schemes. Once the VM is resumed at the destination, memory pages are copied over the network as the VM requests them, and this is where the post-copy techniques differ. The main goal in this latter stage is to push the memory pages of the suspended VM to the newly spawned VM, which is running at the destination PM. In this case, the VM will have a short SDT, but a long performance degradation time (PDT).

Figure 1.2 illustrates the difference between these two migration techniques [3]. The diagram only depicts memory and CPU state transfers, and not the disk image of the VM. The latter is performed similarly in both migration techniques and does not affect the performance of the VM, and is therefore left out of the comparison. The “performance degradation of VM migration technique” in the pre-copy case refers to the hypervisor having to keep track of the dirty pages, that is, the RAM which has changed since the last pre-copy round. In the post-copy scenario, the degradation is greater and lasts longer. In essence, the post-copy method activates the VM on the destination faster, but all memory is still located at the source. When a VM migrated with post-copy requests a specific portion of memory not yet local to the VM, the relevant memory pages have to be pushed over the network. The “stop-and-copy” phase in the pre-copy method is the period where the VM is suspended at the source PM and the last dirtied memory and the CPU state are transferred to the destination PM. SDT is the time during which the VM is inaccessible.

Figure 1.2 Pre- vs. Post-copy migration sequence.

1.2 Issues with Migration

Moving VMs [4] between physical hosts has its challenges, which are listed below.

1.2.1 Application Performance Degradation

A multi-tier application is an application [5] which communicates with many VMs simultaneously. These are typically configured with the different functionality spread over multiple VMs. For example, the database might be part of an application stored on one set of VMs, and the web server functionality on another set. In a scenario where an entire application is to be moved to a new site which has a limited-bandwidth network link to the original site, the application will deteriorate in performance during the migration period for the following reason. If one of the application’s member VMs is resumed at the destination site, any traffic destined for that machine will be slower than usual due to the limited inter-site bandwidth and the fact that the rest of the application is still running at the source site. Several researchers have proposed ways of handling this problem of geographically split VMs during migration. This is referred to as the split components problem.

1.2.2 Network Congestion

Live migrations which take place within a data center, where no VMs end up at the other end of a slow WAN link, are less concerned about the performance of running applications. It is common to use management links in production cloud environments, which allow management operations like live migrations to proceed without affecting the VMs and their allocated network links. The occurrence of some amount of SDT is unavoidable. However, such an implementation can be costly. In a setting where management links are absent, live migrations directly affect the total available bandwidth on the links they use. One issue that can arise from this is that several migrations end up using the same migration paths, effectively overflowing one or more network links [6], and hence slowing the performance of multi-tiered applications.

1.2.3 Migration Time

In a scenario where a system administrator needs to shut down a physical machine for maintenance, all the VMs currently running on that machine will have to be moved, so that they can keep serving the customers. For such a scenario, it would be favorable if the migration took the least time possible. In a case where the migration system is only concerned about fast migration, optimal target placement of the VMs might not be attained.

1.3 Research on Live Migration

1.3.1 Sequencer (CQNCR)

A system called CQNCR [7] has been created whose goal is to make a planned migration perform as fast as possible, given a source and target organization of the VMs. The tool created for this research focuses on intra-site migrations. The research claims it is able to increase the migration speed significantly, reducing total migration time by up to 35%. It also introduced the concept of virtual data centers (VDCs) and residual bandwidth. In practical terms, a VDC is a logically separated group of VMs and their associated virtual network links. As each VM has a virtual link, it too needs to be moved to the target PM. When this occurs, the bandwidth available to the migration process changes. The CQNCR system takes this continuous change into account and does extended recalculations to provide efficient bandwidth usage, in a parallel approach. The system also prevents potential bottlenecks when migrating.

1.3.2 The COMMA System

A system called COMMA has been created which groups VMs together and migrates [8] one group at a time. Within a group are VMs which have a high degree of affinity, that is, VMs which communicate a lot with each other. After the migration groups are decided, the system performs inter- and intra-group scheduling. The former is about deciding the order of the groups, while the latter optimizes the order of VMs within each group. The main function of COMMA is to migrate associated VMs at the same time, in order to minimize the traffic which has to go through a slow network link. The system is therefore especially suitable for inter-site migrations. It is structured so that each VM has a process running which reports to a centralized controller that performs the calculations and scheduling.

The COMMA system defines the impact as the amount of inter-VM traffic which becomes separated because of migrations. In a case where a set of VMs, {VM_1, VM_2, ..., VM_n}, is to be migrated, the traffic levels running between them are measured and stored in a matrix TM. Let the migration completion time for VM_i be t_i.

The VM buddies system also addresses the challenges in migrating VMs which are used by multi-tier applications. The authors formulate the problem as a correlated VM migration problem, tailored towards VMs hosting multi-tier applications. Correlated VMs are machines that work closely together and therefore send a lot of data to one another. An example would be a set of VMs hosting the same application.

1.3.3 Clique Migration

A system called Clique Migration also migrates VMs based on their level of interaction, and is directed at inter-site migrations. When Clique migrates a set of VMs, the first thing it does is to analyze the traffic patterns between them and try to profile their affinity. This is similar to the COMMA system. It then proceeds to create groups of VMs. All VMs within a group will be initiated for migration at the same time. The order of the groups is also calculated to minimize the cost of the process. The authors define the migration cost as the volume of inter-site traffic caused by the migration. Due to the fact that a VM will end up at a different physical location (a remote site), the VM’s disk is also transferred along with the RAM.

1.3.4 Time-Bound Migration

A time-bound thread-based live migration (TLM) technique has been created. Its focus is to handle large migrations of VMs running RAM-heavy applications, by allocating additional processing power at the hypervisor level to the migration process. TLM can also slow down the operation of such instances to lower their dirty rate, which will help in lowering the total migration time. The completion of a migration in TLM is always within a given time period, proportional to the RAM size of the VMs.

All the aforementioned solutions migrate groups of VMs simultaneously, in one way or another, hence utilizing parallel migration to lower the total migration time. It has been found, in very recent research, that when running parallel migrations within data centers, an optimal sequential approach is preferable. A migration system called vHaul has been implemented which does this. It is argued that the application performance degradation caused by split components is caused by many VMs at a time, whereas only a single VM would cause degradation if sequential migration is used. However, the shortest possible migration time is not reached because vHaul’s implementation has a no-migration interval between each VM migration. During this short time period, the pending requests to the moved VM are answered, which reduces the impact of queued requests during migration. vHaul is optimized for migrations within data centers which have dedicated migration links between physical hosts.

1.3.5 Measuring Migration Impact

It is commonly viewed that the live migration sequence can be divided into three parts when talking about the pre-copy method:

Disk image migration phase

Pre-copy phase

Stop-and-copy phase

1.4 Total Migration Time

The following mathematical formulas are used to calculate the time it takes to complete the different parts of the migration. Let W be the disk image size in megabytes (MB), L the bandwidth allocated to the VM’s migration in MBps and T the predicted time in seconds. X is the amount of RAM which is transferred in each of the pre-copy iterations.

The time it takes to copy the image from the source PM to destination PM is:

(1.1)

1.4.1 VM Traffic Impact

The following formulas have been provided to describe the total network traffic amount and total migration duration, respectively. The number of iterations in the pre-copy phase (N) is not defined here, but is calculated based on a given threshold; the variables are listed in Table 1.1.

Table 1.1 Variables used in formulas in the VM buddies system

Variable   Description
V          Total network traffic during migration
T          Time it takes to complete migration
N          Number of pre-copy rounds (iterations)
M          Size of VM RAM
d          Memory dirty rate during migration
r          Transmission rate during migration

Another possible metric for measuring how impactful a migration has been, is to look at the total amount of data the migrating VMs have sent between the source and destination PMs during the migration process. This would vary depending on how the scheduling of the VMs is orchestrated.
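The pre-copy loop of Section 1.1.2.1 and the Table 1.1 variables, worked through as an added example (this is not the book's or the VM buddies system's code). It uses M, d and r as defined in Table 1.1; the dirty-set threshold and the round cap are assumed values, and the second scenario shows the non-convergence that occurs when the dirty rate exceeds the link rate.

```python
from dataclasses import dataclass


@dataclass
class MigrationResult:
    rounds: int          # N: pre-copy rounds actually run
    traffic_mb: float    # V: data sent, pre-copy plus stop-and-copy
    total_time_s: float  # T: pre-copy time plus stop-and-copy time
    downtime_s: float    # stop-and-copy phase, during which the VM is suspended
    converged: bool      # False when the round cap stopped pre-copy


def precopy_migration(M, d, r, threshold_mb=16.0, max_rounds=30):
    """Model iterative pre-copy of RAM with the Table 1.1 variables.

    M is VM RAM in MB, d the dirty rate in MB/s, r the transmission rate
    in MB/s. Round 1 pushes all M megabytes; while a round of x MB is in
    flight (x / r seconds) the guest dirties d * x / r MB, which the next
    round must re-send. Pre-copy stops when the remaining dirty set is at
    most threshold_mb (assumed value) or after max_rounds (assumed cap);
    the remainder is sent in stop-and-copy, which is the downtime.
    """
    if r <= 0:
        raise ValueError("transmission rate must be positive")
    to_send = float(M)
    traffic = elapsed = 0.0
    rounds = 0
    converged = False
    while rounds < max_rounds:
        rounds += 1
        round_time = to_send / r
        traffic += to_send
        elapsed += round_time
        to_send = d * round_time          # pages dirtied during this round
        if to_send <= threshold_mb:
            converged = True
            break
    # stop-and-copy: VM suspended, last dirty pages and CPU state sent
    downtime = to_send / r
    traffic += to_send
    elapsed += downtime
    return MigrationResult(rounds, traffic, elapsed, downtime, converged)


def stop_and_copy_only(M, r):
    """Pure stop-and-copy (cold/hot migration): one transfer, all of it downtime."""
    return MigrationResult(0, float(M), M / r, M / r, True)


if __name__ == "__main__":
    # Constructed scenario: 1 GB VM, 20 MB/s dirty rate, 100 MB/s link.
    print(precopy_migration(1024, 20, 100))
    # With d > r the dirty set grows every round and pre-copy cannot converge.
    print(precopy_migration(1024, 150, 100, max_rounds=5))
    print(stop_and_copy_only(1024, 100))
```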

1.4.2 Bin Packing

The mathematical concept of bin packing centers around the practical optimization problem of packing a set of different sized “items” into a given number of “bins.” The constraints of this problem are that all the bins are of the same size and that none of the items are larger than the size of one bin. The size of the bin can be thought of as its capacity. The optimal solution is the one which uses the smallest number of bins. This problem is known to be NP-hard, which in simple terms means that finding the optimal solution is computationally heavy. There are many real-life situations which relate to this principle.

In the VM migration context, one can regard the VMs to be migrated as the items and the network links between the source and destination host as bins. The capacity in such a scenario would be the amount of available bandwidth which the migration process can use. Each VM requires a certain amount of bandwidth in order to complete within a given time frame. If a VM scheduling mechanism utilizes parallel migration, the bin packing problem is relevant because the start time of each migration is based on calculations of when it is likely to be finished, which in turn is based on bandwidth estimations. A key difference between traditional bin packing of physical objects and that of VMs on network links is that the VMs are infinitely flexible. This is shown in Figure 1.3. In this hypothetical scenario, VM1 is being migrated between time t0 and t4, and uses three different levels of bandwidth before completion, since VM2 and VM3 are being migrated at times when VM1 is still migrating. The main reason for performing parallel migrations is to utilize bandwidth more efficiently, but it could also be used to schedule the migration of certain VMs at the same time.

Figure 1.3 Bin packing in VM context.
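The flexible sharing that Figure 1.3 describes, as an added example (not code from the book): the migration link's bandwidth, the bin capacity, is split equally among whichever migrations are in flight, so a VM's bandwidth level changes each time another migration starts or finishes. The link capacity, VM sizes and start times are constructed.

```python
def schedule_parallel(link_mbps, vms):
    """Processor-sharing model of parallel migrations on one link.

    link_mbps is the bandwidth the migration process may use (the bin
    capacity); vms is a list of (name, start_s, size_mb). Every migration
    in flight gets an equal share of the link, so a VM's bandwidth changes
    whenever another migration starts or finishes, as in Figure 1.3.
    Returns (finish_times, bandwidth_levels): completion time per VM and
    the sequence of distinct bandwidth levels each VM used.
    """
    remaining = {name: float(size) for name, _, size in vms}
    starts = sorted((start, name) for name, start, _ in vms)
    levels = {name: [] for name, _, _ in vms}
    finish = {}
    active = set()
    now, idx = 0.0, 0
    while idx < len(starts) or active:
        # admit every migration whose start time has been reached
        while idx < len(starts) and starts[idx][0] <= now + 1e-9:
            active.add(starts[idx][1])
            idx += 1
        if not active:                      # link idle until the next start
            now = starts[idx][0]
            continue
        share = link_mbps / len(active)
        for name in active:
            if not levels[name] or levels[name][-1] != share:
                levels[name].append(share)
        # advance to the next event: a completion or a new start
        until_done = min(remaining[n] for n in active) / share
        until_start = starts[idx][0] - now if idx < len(starts) else float("inf")
        step = min(until_done, until_start)
        for name in active:
            remaining[name] -= share * step
        now += step
        for name in [n for n in active if remaining[n] <= 1e-9]:
            finish[name] = now
            active.remove(name)
    return finish, levels


# Constructed scenario: 100 MB/s migration link, three overlapping migrations.
VMS = [("VM1", 0, 1000), ("VM2", 2, 200), ("VM3", 4, 500)]

if __name__ == "__main__":
    finish, levels = schedule_parallel(100, VMS)
    print(finish)            # VM2 at 7 s, VM3 at 15 s, VM1 at 17 s
    print(levels["VM1"])     # 100, 50, 33.3, 50, 100 MB/s
```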

1.5 Graph Partitioning

Graph partitioning refers [9] to a set of techniques used for dividing a network of vertices and edges into smaller parts. One application of such a technique could be to group VMs together in such a way that the VMs with a high degree of affinity are placed together. This could mean, for example, that they have a lot of network traffic running between them. In the graph partitioning context, the network links between VMs would be the edges and the VMs the vertices. Figure 1.4 shows an example of the interconnection of nodes in a network. The “weight” in the illustration could represent, for example, the average traffic amount between two VMs in a given time interval. This can be calculated for the entire network, so that every network link (edge) has a value. The “cut” illustrates how one could divide the network into two parts, which means that the cut must go through the entire network, crossing edges so that the output is two disjoint subsets of nodes.

Figure 1.4 Nodes connected in a network.

If these nodes were VMs marked for simultaneous migration, and the sum of their dirty rates was greater than the bandwidth available for the migration task, the migration would not converge. It is therefore imperative to divide the network into smaller groups of VMs, so that each group is valid for migration. For a migration technique which uses VM grouping, it is prudent to cut a network of nodes (which is too large to migrate all together) using a minimum cut algorithm, in order to minimize the traffic that goes between the subgroups during migration. The goal of a minimum cut, when applied to a weighted graph, is to cut the graph across its edges in a way that leads to the smallest sum of crossed weights. The resulting subsets of the cut are not connected after this.

In a similar problem called the uniform graph partitioning problem, the number of nodes in the two resulting sets has to be equal. This is known to be NP-complete, which means that there is no known efficient way of finding a solution to the problem, but it takes very little time to verify whether a given solution is in fact valid.
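The grouping rule described above, as an added example that is not the book's code: a global minimum cut (Stoer-Wagner) over the inter-VM traffic matrix splits a set of VMs whose combined dirty rate exceeds the migration bandwidth, recursively, so that every resulting group can converge while the traffic crossing group boundaries is minimized. The traffic matrix, dirty rates and link bandwidth are constructed sample data.

```python
def stoer_wagner_min_cut(weights):
    """Global minimum cut of an undirected weighted graph (Stoer-Wagner).

    weights is a symmetric matrix; weights[i][j] is the edge weight, here
    the traffic volume between VM i and VM j. Returns (cut_weight, side),
    where side is the set of vertex indices on one side of the cut.
    """
    n = len(weights)
    w = [row[:] for row in weights]
    members = [[i] for i in range(n)]       # vertices merged into each node
    alive = list(range(n))
    best_w, best_side = float("inf"), set()
    while len(alive) > 1:
        # maximum-adjacency ordering; its last two vertices give the phase cut
        order = [alive[0]]
        conn = {v: w[alive[0]][v] for v in alive[1:]}
        while conn:
            nxt = max(conn, key=conn.get)
            order.append(nxt)
            del conn[nxt]
            for v in conn:
                conn[v] += w[nxt][v]
        s, t = order[-2], order[-1]
        phase_cut = sum(w[t][v] for v in alive if v != t)
        if phase_cut < best_w:
            best_w, best_side = phase_cut, set(members[t])
        for v in alive:                      # merge t into s
            w[s][v] += w[t][v]
            w[v][s] = w[s][v]
        members[s] += members[t]
        alive.remove(t)
    return best_w, best_side


def migration_groups(names, traffic, dirty_mbps, link_mbps):
    """Split VMs into groups whose summed dirty rate fits the link.

    A group whose combined dirty rate exceeds link_mbps cannot converge
    (Section 1.5), so it is cut at the minimum-weight cut of its traffic
    graph, recursively, keeping chatty VMs together where possible.
    """
    if len(names) == 1 or sum(dirty_mbps[n] for n in names) <= link_mbps:
        return [set(names)]
    _, side = stoer_wagner_min_cut(traffic)
    groups = []
    for idx in (sorted(side), sorted(set(range(len(names))) - side)):
        sub_names = [names[i] for i in idx]
        sub_traffic = [[traffic[i][j] for j in idx] for i in idx]
        groups += migration_groups(sub_names, sub_traffic, dirty_mbps, link_mbps)
    return groups


# Constructed data: two three-VM application tiers with heavy intra-tier
# traffic (10 MB per interval) and light cross-tier traffic (1 MB).
VM_NAMES = ["vm0", "vm1", "vm2", "vm3", "vm4", "vm5"]
TRAFFIC_MB = [
    [0, 10, 10, 0, 0, 0],
    [10, 0, 10, 0, 1, 0],
    [10, 10, 0, 1, 0, 0],
    [0, 0, 1, 0, 10, 10],
    [0, 1, 0, 10, 0, 10],
    [0, 0, 0, 10, 10, 0],
]
DIRTY_MBPS = {name: 30 for name in VM_NAMES}   # every VM dirties 30 MB/s

if __name__ == "__main__":
    print(stoer_wagner_min_cut(TRAFFIC_MB))                      # cut weight 2
    print(migration_groups(VM_NAMES, TRAFFIC_MB, DIRTY_MBPS, 100))  # two tiers
```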

1.5.1 Learning Automata Partitioning

Multiple algorithms have been proposed for solving the graph partitioning problem (see Figure 1.5). The time required to computationally discover the minimum cut is very low here, as there are few possibilities (cuts across the edges) which lead to exactly four nodes in each subset. Note that the referenced figure’s cut is not a uniform graph cut resulting in two equal-sized subsets, nor does it show the weight of every edge. It merely illustrates a graph cut.

Figure 1.5 Learning automata.