
How to run 10,000 untrusted applications on a single machine (and why)


Presentation Transcript


  1. How to run 10,000 untrusted applications on a single machine (and why)
     The Denali project: Andrew Whitaker, Marianne Shaw, Steve Gribble

  2. The rise of Internet services
     • Internet services push application functionality into Internet infrastructure
       • examples: Hot Mail, MapQuest, MyYahoo
     • Advantages:
       • services are always on and always available
       • deployment and upgrades are easier
       • don’t have to trust clients with your code
     • Internet services today require costly upkeep
       • grassroots development is stifled

  3. Denali: Support for small Internet services
     • Our goal: allow the little guy to deploy Internet services
       • “code it up, turn it on”
       • outsource administrative overhead to a 3rd party provider
     • Many of these services will be unpopular
       • must run many services per machine
     What system support is best suited to running many small Internet services?

  4. Outline
     • Challenge #1: Isolation
     • Challenge #2: Scalability
     • Current status
     • Future work
     • Questions

  5. Challenge #1: Isolation
     • Security isolation
       • preventing a misbehaved service from corrupting the system or other services
     • Performance isolation
       • providing approximately fair resource allocations
     • Both forms of isolation are hard to provide on an OS:
       • malicious or buggy code (e.g., Code Red) can compromise the system
       • poor resource accounting

  6. Denali: a virtual machine monitor
     • Separate physical machines would provide strong isolation
       • cost is prohibitive
     • Use a virtual machine monitor to emulate a set of machines on a single host
       • exposes a virtualized machine image to a set of virtual machines
     • A “guest OS” provides customary OS abstractions
     [Figure: three app/OS pairs stacked on the VMM, which runs on the hardware]

  7. Challenge #2: Scale
     • Not enough resources to run all machines at once
       • fortunately, machines are idle most of the time
     • Use main memory as a cache of active virtual machines
     [Figure labels: memory, disk]

  8. System performance
     • Cache performance dictates where we optimize
       • good cache performance: optimize CPU / memory performance
       • bad cache performance: optimize swap time
     • Zipf’s law says objects fall into two classes:
       • a small set of popular services (low miss rate)
       • a large set of unpopular services (high miss rate)
     • Both classes receive a large fraction of requests
       • bottom line: both the swap time and the in-memory performance are important

  9. VMM’s and swapping
     • Guest OS’s expect to run on physical hardware, not virtual hardware
     • Emulating physical hardware becomes increasingly difficult for large numbers of VM’s
       • interrupt delivery: target machine may be on disk!
     • Para-virtualization: modify the virtual architecture to adapt to virtualization
     • Denali architecture is similar, but not identical to x86

  10. Batched interrupt dispatch
     • Deliver interrupts in a batch at the beginning of a scheduler quantum:
     [Figure: physical interrupts for VM 1 to VM 4, delivered as virtual interrupts to the scheduled VM]
     • Batching changes interrupt semantics
       • “timer just fired” => “timers have fired”
     • Breaks backwards compatibility with legacy OS’s
       • but allows us to co-design the OS and the architecture

  11. Current status
     • Prototype VMM and guest OS can support working applications (e.g., web server)
     • Working on adding swapping support and virtual disks
       • can run 1017 virtual machines!
     • Longer term directions:
       • migrating VM’s within a cluster
       • virtual machines for other platforms (mobile devices?)

  12. Denali conclusions
     • Co-hosting many small Internet services raises significant isolation and scaling challenges
     • Virtual machine monitors achieve isolation by emulating a cluster of physical machines
     • Scaling to large number of virtual machines requires swapping out active VM’s
     • Denali changes the virtual architecture to support swapping
     • More info at: http://denali.cs.washington.edu

  13. Questions?

  14. [Figure; surviving labels: popular services, unpopular services, Junk]
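
The batched interrupt dispatch from slide 10, as an added C example that is not Denali's code: the monitor only records interrupts for a descheduled (possibly swapped-out) VM and delivers them in one upcall at the start of its quantum, so the guest handles "timers have fired" with a count. All names (`vmm_post_irq`, `vmm_begin_quantum`, `guest_handle_batch`, the IRQ numbers) are hypothetical, and the trace in `main` is constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define NUM_VMS 4
enum { IRQ_TIMER, IRQ_NET, IRQ_DISK, NUM_IRQS };

/* Small per-VM record the monitor keeps resident even if the VM is on disk. */
struct vm {
    uint32_t pending;            /* bitmask of raised virtual IRQ lines      */
    uint32_t count[NUM_IRQS];    /* times each line fired while descheduled  */
    uint32_t upcalls;            /* guest handler invocations                */
    uint32_t ticks_seen;         /* timer ticks the guest has accounted for  */
};
static struct vm vms[NUM_VMS];

/* Physical interrupt path: record only, never swap in or wake the target. */
int vmm_post_irq(int vm_id, int irq) {
    if (vm_id < 0 || vm_id >= NUM_VMS || irq < 0 || irq >= NUM_IRQS)
        return -1;               /* reject out-of-range VM or IRQ numbers */
    vms[vm_id].pending |= 1u << irq;
    vms[vm_id].count[irq]++;
    return 0;
}

/* Guest handler co-designed for batching: "timers have fired", with a count. */
static void guest_handle_batch(struct vm *vm, uint32_t mask, const uint32_t *n) {
    vm->upcalls++;
    if (mask & (1u << IRQ_TIMER))
        vm->ticks_seen += n[IRQ_TIMER];   /* catch up on every missed tick */
}

/* Start of a quantum: deliver the whole batch in one upcall; 1 if delivered. */
int vmm_begin_quantum(int vm_id) {
    if (vm_id < 0 || vm_id >= NUM_VMS || vms[vm_id].pending == 0) return 0;
    struct vm *vm = &vms[vm_id];
    uint32_t mask = vm->pending, n[NUM_IRQS];
    for (int i = 0; i < NUM_IRQS; i++) { n[i] = vm->count[i]; vm->count[i] = 0; }
    vm->pending = 0;
    guest_handle_batch(vm, mask, n);
    return 1;
}

int main(void) {
    /* Constructed trace: VM 3 is descheduled while these arrive, then runs. */
    int trace[] = { IRQ_TIMER, IRQ_TIMER, IRQ_NET, IRQ_TIMER };
    for (int i = 0; i < 4; i++) vmm_post_irq(3, trace[i]);
    vmm_begin_quantum(3);
    printf("upcalls=%u ticks_seen=%u\n", (unsigned)vms[3].upcalls, (unsigned)vms[3].ticks_seen);
}
```

A legacy guest that counts one tick per timer upcall would record 1 tick here instead of 3, which is the backwards-compatibility break the slide refers to.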
