Author Archives: Sarah Conway

Alibaba Joins Xen Project Advisory Board As it Expands Aliyun Cloud Services Business

Today we officially welcome Alibaba as our newest Xen Project Advisory Board member. On the heels of the company announcing a $1 billion investment in its cloud computing unit Aliyun, we’re excited Aliyun is also committing to Xen Project virtualization.

As the cloud computing unit adds new data centers and upgrades cloud capabilities, Xen will deliver superior IT efficiencies, workload balancing, hyper-scalability and tight security by running VMs on a cloud service.

Aliyun is in good company, joining several other global cloud leaders, including AWS, Rackspace and Verizon, which are already Xen Project members.

Aliyun has been contributing vulnerability fixes to Xen for some time, and we are already benefiting from the queries, issues and patches its engineers regularly submit. It’s evident that Aliyun is extremely vigilant about security, and we believe they have a lot to contribute to Xen on this front.

“Aliyun is looking forward to deeper interaction and collaboration with the Xen Project board and community. We have been working with Linux for a long time, and Xen virtualization is increasingly important to enhancing our cloud and marketplace technology offerings in China and abroad,” says Wensong ZHANG, Chief Technology Officer, Aliyun.

Aliyun’s community involvement is also opening doors for Xen with other companies, partners and contributors in Asia. We recently announced a new partner in China. Hyper offers a new open source project that allows developers to run Docker images with Xen Project virtualization. And last April Intel hosted our Xen Project Hackathon in Shanghai.

To learn more about live migration at Aliyun, including 20+ enhancements and hardware fixes involving issues of ~70 Shuguang X86 servers, be sure to check out Liu Jinsong’s presentation at Xen Project Developer Summit, Monday, August 17 at 3:20 p.m. Jinsong, a Xen PM, RAS maintainer and Aliyun engineer, is presenting “Live Migration at Aliyun – Benefits, Challenges, Developments and Future Works.”

Additional Resources

New Hyper Open Source Project Allows Developers To Leverage Docker and Xen Virtualization Infrastructure

Docker’s popularity and usefulness in cloud systems architectures is evident, having won over countless developers. Yet, it’s not a replacement for mature, proven and security-hardened virtualization technologies that support many of the world’s largest clouds in production.

So, while developers clearly want to take advantage of container technology to easily package applications, they also need a seamless migration path to their existing virtual infrastructure. That’s where our new partner Hyper announced today comes into play.

Hyper, a Chinese-based company with a new open source project by the same name, allows developers to run Docker images with Xen Project virtualization, version 4.5 or later. Download available here.

“Hyper offers the best of both worlds — VMs and containers,” said Xu Wang, Co-Founder at Hyper. “Our technology allows enterprises to leverage any mature, implemented virtualization infrastructure and eliminate unwanted complexity and also take advantage of container technology to easily package applications. We are partnering with Xen more closely to help developers get more out of their hypervisor, while also enjoying the benefits of container technology.”

To learn more, be sure to check out the presentation “Hyper: Make VM Run Like Containers” at Xen Project Developer Summit, Aug. 17-18. You’ll also find them at The Linux Foundation’s new ContainerCon event, as a bronze sponsor.

Hyper Enables the Next-Generation Container-as-a-Service

CaaS (Container-as-a-Service) is gaining traction in cloud computing by leveraging the portability of Docker to avoid various technical limitations of a Platform-as-a-Service. However, the shared-kernel approach introduces unnecessary complexity, overcapacity and security risk.

To eliminate these problems, Hyper uses virtualization to achieve hardware-enforced isolation. Unlike a VM + container approach, Hyper does not employ a guest OS in the VM instance. Instead a HyperKernel, a customized Linux kernel which includes Docker functionality, is loaded to host the Docker images. Hyper guests also do not require any Linux container technology: in other words, Hyper guests do not need LXC, cgroups, namespaces or a Docker daemon to run; they only require the mount namespace to support pods of Docker images.


To learn more about this minimalist approach, which also offers sub-second boot, rapid ROI, enhanced security, minimal resource footprint and overheads and more, check out these additional resources:

Continuous innovation is the lifeblood of any project, and Xen Project is fortunate to have an extremely active and growing community. Partners like Hyper allow Xen Project to stay one step ahead of the industry with security, performance and scalability as cloud and computing infrastructures evolve.

Future of Xen Project – Video Spotlight with ARM’s Thomas Molgaard

ARM joined Xen Project two years ago as part of its drive into servers, networking and the emerging “Internet of Things” markets. In our latest “Future of Xen” video, Thomas Molgaard, Manager of Software Marketing – Systems & Software at ARM, talks about changes unfolding in enterprise and cloud computing that are creating new opportunities for his company and virtualization.

ARM designs the technology that is at the heart of advanced digital products, from wireless, networking and consumer entertainment solutions to imaging, automotive, security and storage devices. It offers electronics companies a comprehensive semiconductor IP portfolio, enhanced by the company’s broad partner community that increasingly embraces open source.

The company believes open source and its collaborative development model is keeping pace with transitions in the industry, helping to give companies more deployment options when it comes to cloud hosting, caching, scale-out storage and NoSQL and Hadoop analytics. ARM is hoping to offer even more variety to these application users. Early on the semiconductor design company recognized that Linux and Xen would play an important role in opening data centers up to enterprise-class 64-bit ARMv8 servers. This recent eWeek article showcases a proof point from Cavium, one of the earliest vendors to launch ARM-based chips for servers, on display last week at OpenStack Summit in Vancouver.

Built from the ground up with open source best practices, Xen virtualization is increasingly deployed in applications targeted by ARM customers, including servers, networking infrastructure and embedded systems. First to market with ARM support, Xen Project’s original ARM support focused on newer CPUs designed for servers. Taking direction from the community, ARM and Xen have expanded their scope to mobile, tablet, automotive, Internet of Things, middlebox processing and other embedded applications.

In the video, Molgaard describes how Xen’s lean architecture is perfectly suited to ARM architecture-based solutions. Collaboration with the open source partners like Xen Project, Linaro and The Linux Foundation is extremely valuable as ARM makes further inroads in the data center and cloud infrastructure, he says.


Why Unikernels Can Improve Internet Security

This is a reprint of a 3-part unikernel series published on Linux.com. In this post, Xen Project Advisory Board Chairman Lars Kurth explains how unikernels address security and allow for the careful management of particularly critical portions of an organization’s data and processing needs. (See part one, 7 Unikernel Projects to Take On Docker in 2015.)

Many industries are rapidly moving toward networked, scale-out designs with new and varying workloads and data types. Yet, pick any industry — retail, banking, health care, social networking or entertainment — and you’ll find security risks and vulnerabilities are highly problematic, costly and dangerous.

Adam Wick, creator of the Haskell Lightweight Virtual Machine (HaLVM) and a research lead at Galois Inc., which counts the U.S. Department of Defense and DARPA as clients, says 2015 is already turning out to be a break-out year for security.

“Cloud computing has been a hot topic for several years now, and we’ve seen a wealth of projects and technologies that take advantage of the flexibility the cloud offers,” said Wick. “At the same time though, we’ve seen record-breaking security breach after record-breaking security breach.”

The names are more evocative and well-known thanks to online news and social media, but low-level bugs have always plagued network services, Wick said. So, why is security more important today than ever before?

Improving Security

The creator of MirageOS, Anil Madhavapeddy, says it’s “simply irresponsible to continue to knowingly provision code that is potentially unsafe, and especially so as we head into a year full of promise about smart cities and ubiquitous Internet of Things. We wouldn’t build a bridge on top of quicksand, and should treat our online infrastructure with the same level of respect and attention as we give our physical structures.”

In the hopes of improving security, performance and scalability, there’s a flurry of interesting work taking place around blocking out functionality into containers and lighter-weight unikernel alternatives. Galois, which specializes in R&D for new technologies, says enterprises are increasingly interested in the ability to cleanly separate functionality to limit the effect of a breach to just the component affected, rather than infecting the whole system.

For next-generation clouds and in-house clouds, unikernels make it possible to run thousands of small VMs per host. Galois, for example, uses this capability in their CyberChaff project, which uses minimal VMs to improve intrusion detection on sensitive networks, while others have used similar mechanisms to save considerable cost in hardware, electricity, and cooling; all while reducing the attack surface exposed to malicious hackers. These are welcome developments for anyone concerned with system and network security and help to explain why traditional hypervisors will remain relevant for a wide range of customers well into the future.

Madhavapeddy goes as far to say that certain unikernel architectures would have directly tackled last year’s Heartbleed and Shellshock bugs.

“For example, end-to-end memory safety prevents Heartbleed-style attacks in MirageOS and the HaLVM. And an emphasis on compile-time specialization eliminates complex runtime code such as Unix shells from the images that are deployed onto the cloud,” he said.

The MirageOS team has also put their stack to the test by releasing a “Bitcoin piñata,” which is a unikernel that guards a collection of Bitcoins. The Bitcoins can only be claimed by breaking through the unikernel security (for example, by compromising the SSL/TLS stack) and then moving the coins. If the Bitcoins are indeed transferred away, then the public transaction record will reflect that there is a security hole to be fixed. The contest has been running since February 2015 and the Bitcoins have not yet been taken.


Linux container vs. unikernel security

Linux, as well as Linux containers and Docker images, rely on a fairly heavyweight core OS to provide critical services. Because of this, a vulnerability in the Linux kernel affects every Linux container, Wick said. Instead, using an approach similar to a la carte menus, unikernels only include the minimal functionality and systems needed to run an application or service, all of which makes writing an exploit to attack them much more difficult.

Cloudius Systems, which is running a private beta of OSv, which it tags as the operating system for the cloud, recognizes that progress is being made on this front.

“Rocket is indeed an improvement over Docker, but containers aren’t a multi-tenant solution by design,” said CEO Dor Laor. “No matter how many SELinux Linux policies you throw on containers, the attack surface will still span all aspects of the kernel.”

Martin Lucina, who is working on the Rump Kernel software stack, which enables running existing unmodified POSIX software without an operating system on various platforms, including bare metal embedded systems and unikernels on Xen, explains that unikernels running on the Xen Project hypervisor benefit from the strong isolation guarantees of hardware virtualization and a trusted computing base that is orders of magnitude smaller than that of container technologies.

“There is no shell, you cannot exec() a new process, and in some cases you don’t even need to include a full TCP stack. So there is very little exploit code can do to gain a permanent foothold in the system,” Lucina said.

The key takeaway for organizations worried about security is that they should treat their infrastructure in a less monolithic way. Unikernels allow for the careful management of particularly critical portions of an organization’s data and processing needs. While it does take some extra work, it’s getting easier every day as more developers work on solving challenges with orchestration, logging and monitoring. This means unikernels are coming of age just as many developers are getting serious about security as they begin to build scale-out, distributed systems.

For those interested in learning more about unikernels, the entire series is available as a white paper titled “The Next Generation Cloud: The Rise of the Unikernel.”

Read part 1: 7 Unikernel Projects to Take On Docker in 2015

7 Unikernel Projects to Take On Docker in 2015

This is a reprint of a 3-part unikernel series published on Linux.com. In part one, Xen Project Advisory Board Chairman Lars Kurth takes a closer look at the rise of unikernels and several up-and-coming projects to keep close tabs on in the coming months.

Docker and Linux container technologies dominate headlines today as a powerful, easy way to package applications, especially as cloud computing becomes more mainstream. While still a work-in-progress, they offer a simple, clean and lean way to distribute application workloads.

With enthusiasm continuing to grow for container innovations, a related technology called unikernels is also beginning to attract attention. Known also for their ability to cleanly separate functionality at the component level, unikernels are developing a variety of new approaches to deploy cloud services.

Traditional operating systems run multiple applications on a single machine, managing resources and isolating applications from one another. A unikernel runs a single application on a single virtual machine, relying instead on the hypervisor to isolate those virtual machines. Unikernels are constructed by using “library operating systems,” from which the developer selects only the minimal set of services required for an application to run. These sealed, fixed-purpose images run directly on a hypervisor without an intervening guest OS such as Linux.

Unikernel illustration. Image credit: Xen Project.

As well as improving upon container technologies, unikernels are also able to deliver impressive flexibility, speed and versatility for cross-platform environments, big data analytics and scale-out cloud computing. Like container-based solutions, this technology fulfills the promise of easy deployment, but unikernels also offer an extremely tiny, specialized runtime footprint that is much less vulnerable to attack.

There are several up-and-coming open source projects to watch this year, including ClickOS, Clive, HaLVM, LING, MirageOS, Rump Kernels and OSv among others, with each of them placing emphasis on a different aspect of the unikernel approach. For example, MirageOS and HaLVM take a clean-slate approach and focus on safety and security, ClickOS emphasizes speed, while OSv and Rump Kernels aim for compatibility with legacy software. Such flexible approaches are not possible with existing monolithic operating systems, which have decades of assumptions and trade-offs baked into them.

How are unikernels able to deliver better security? How do the various unikernel implementations differ in their approach? Who is using the technology today? What are the key benefits to cloud and data center operators? Will unikernels on hypervisors replace containers, or will enterprises use a mix of all three? If so, how and why? Answers to these questions and insights from the key developers behind these exciting new projects will be covered in parts two and three of this series.

For those interested in learning more about unikernels, the entire series is available as a white paper titled “The Next Generation Cloud: The Rise of the Unikernel.”

A Tale of Two Amazing Open Source Hypervisors

Born in the logic of ones and zeroes and forged in the heat of battle, two hypervisors, sworn foes in the realm of virtualization, are about to unite in a way many never thought possible. Over beer and code.

Join the teams behind Xen Project Developer Summit and KVM Forum in Seattle as they co-host a social event that will rock the virtualization world. On August 18, 2015, at the close of the Xen Project Developer Summit and on the eve of KVM Forum, attendees of both events can come together and collaborate in the best way possible: with crudites and hors d’oeuvres (and beer).

Virtualization is one of the most important technologies in IT today, so it makes perfect sense for the two best hypervisor projects to collaborate and socialize at an event that celebrates their similarities and bridges that gap between all things KVM and Xen.


The party will get started Tuesday, August 18, at a time and location to be announced shortly! Attendees of both conferences are welcome to come and join the fun and be reminded of what open source is all about.

And before raising a pint to toast to friends both old and new, there’ll be an opportunity for some serious coding. So, if you’re a KVM contributor, a Xen zealot, or a power user of XenServer or oVirt, the joint KVM Forum and Xen Project Developer Summit Hackathon is the place to be during daylight hours.

The hackathon will be held on Tuesday, August 18, 2015, in the Virginia Room, 4th Floor, Union St. Tower of the Sheraton Seattle from 1:00pm to 5:00pm. Aiming to foster technical collaboration between the two best hypervisors in IT today, the event will enable participants to learn more about what makes each project work, as well as to delve into work on libvirt code that could bridge the gaps between Xen and KVM. Bring your laptops, your ideas, and your code and help improve open source virtualization for the good of both projects. Collaboration is what makes open source truly great, so come be a part of greatness.

Finally, we all know greatness is nothing to be shy about, so we encourage Xen ecosystem developers, contributors and users to submit a speaking proposal for Xen Project Developer Summit. The CFP is open through May 1. The topics of discussion are nearly endless — from scaling and optimizations, nested virtualization, performance enhancements, and hardening and security to high availability and continuous backup, desktop virtualization, new devices, boards and architectures and more. Presenting at #xendevsummit is an excellent way to share your knowledge of all things Xen and help define and plan for the future of Xen. If you’re still looking for inspiration, check out last year’s slides and topics. Register soon to benefit from early bird pricing. See you in Seattle!