Operating Systems

Virtualization

One physical server with 64 cores sits idle 95% of the time: electricity is burned, the cooling runs, and the CPU is almost asleep. Virtualization turns that one server into dozens of isolated machines, each with its own OS, running on the same hardware. This revolution changed the industry, from huge data centers to cloud giants like AWS and Google Cloud.

  • **AWS EC2 - the foundation of the cloud.** Amazon rents out computing power. On one physical server, VMs of dozens of clients run, isolated and secure. Without virtualization, clouds would be impossible - the economics wouldn't work.
  • **Docker changed development.** "It works on my machine!" - the DevOps nightmare. With Docker, the application + dependencies are packaged into a container that runs the same way on a laptop, staging, or production. Netflix deploys thousands of microservices in containers daily.
  • **Security through isolation.** Google Chrome runs each tab in an isolated process (sandbox). An exploit in one tab won't affect others. This is process-level virtualization - protection through isolation.

Lesson objectives

  • Distinguish Type 1 (bare-metal: ESXi, Xen, KVM) from Type 2 (hosted: VirtualBox, Parallels)
  • Know hardware-assisted virtualization: Intel VT-x and AMD-V for VMexit/VMresume
  • Compare VM (full OS) vs container (shared kernel) by cost, isolation, and density
  • Understand paravirtualization: guest OS aware of being virtualized (Xen PV)
  • Explain live migration: moving a running VM between hosts without downtime

The concept of virtualization

**Virtualization** is a technique for creating a virtual version of a resource: a computer, an operating system, a storage device, or a network resource. Instead of one physical server, we get several isolated virtual machines (VMs).

Virtualization as an apartment building

Consider a physical server as a huge mansion. Without virtualization, the entire mansion is occupied by one family (one OS). **With virtualization**, the mansion turns into an apartment building: each apartment (VM) is isolated, has its own walls, electricity, water. Neighbors do not disturb each other but share a common foundation (hardware).

**Key idea:** a virtual machine thinks it is running on real hardware. In reality, between the VM and the processor is a **hypervisor** - a program that emulates or virtualizes the hardware.

**Why virtualization:**

  • **Isolation:** a failure in one VM does not affect the others
  • **Utilization:** one server runs 10+ VMs instead of idling
  • **Flexibility:** Linux, Windows, and BSD can run on the same hardware
  • **Migration:** VMs are easily moved between servers
  • **Savings:** fewer physical servers means less energy and cooling

**History of virtualization:** the idea was born in the 1960s at IBM for mainframes. The goal was to give each user "their own computer" without buying 100 physical machines. The **VM/370** technology (1972) allowed running multiple copies of the OS on one mainframe.

Virtualization was revived in the 2000s with VMware, KVM, Xen. The driver: servers got oversized for any one workload. A 64-core server running a website at 2% CPU is waste - virtualization carves it into many VMs that share the hardware.

AWS EC2 - virtualization in the cloud

Amazon EC2 (Elastic Compute Cloud) is virtualization on an industrial scale. Amazon has thousands of physical servers. Renting an EC2 instance provides a **virtual machine** on one of these servers. It appears as a separate computer, but in reality, dozens of other VMs may be running on the same hardware.

What key advantage of virtualization allowed cloud providers (AWS, Google Cloud) to offer cheap computing?

Hypervisors: Type 1 vs Type 2

**Hypervisor (VMM, Virtual Machine Monitor)** is a program that creates and manages virtual machines. There are two types of hypervisors with radically different architectures.

**Type 1 (Bare Metal):**

  • Runs **directly on hardware**, without a host OS
  • Examples: VMware ESXi, Microsoft Hyper-V, Xen, KVM
  • Used in data centers and clouds

**Type 2 (Hosted):**

  • Runs **on top of a regular OS** (Windows, macOS, Linux)
  • Examples: VMware Workstation, VirtualBox, Parallels Desktop
  • Used by developers and for testing

**Type 1 (Bare Metal) - professional level:** The hypervisor loads as an operating system, gaining full control over the hardware. No intermediate OS - minimal overhead. **VMware ESXi** occupies only ~150 MB, but manages terabytes of RAM and hundreds of cores.

VMware ESXi in production

A company wants to launch 50 virtual servers. It buys 5 physical servers, installs ESXi on each. The hypervisor loads in 30 seconds, gains access to the hardware, creates 10 VMs on each host. No Windows Server or Linux under the hypervisor - just a thin layer of virtualization. This provides maximum performance.

**KVM (Kernel-based Virtual Machine)** - an interesting hybrid. Technically it's Type 1, but it works as a Linux kernel module. Linux turns into a hypervisor! Used in Google Cloud, OpenStack.

**Type 2 (Hosted) - for development and testing:** The hypervisor runs as a regular program in the host OS. Convenient for developers: a Windows VM can run on macOS to test an application. But slower due to double overhead.

VirtualBox for developers

Code is written on macOS, but the application must run on Linux. The developer installs VirtualBox, creates an Ubuntu VM, runs it, installs dependencies, and tests the code. The VM runs in a macOS window, allowing switching between systems. This is Type 2: VirtualBox is an application in macOS, with virtual machines running underneath.

**Interesting facts:**

  • **Xen** was used by Amazon EC2 until 2017, when AWS switched to KVM (the Nitro System)
  • **Hyper-V** is built into Windows 10 Pro/11 Pro, so a Linux VM can run without third-party programs
  • **Apple Hypervisor Framework** is the built-in Type 1 hypervisor in macOS (used by Parallels and Docker Desktop)

**Nested virtualization** - VM inside a VM. For example, running VirtualBox inside a VMware VM. Slow, but useful for testing hypervisors themselves. Requires support from the CPU and hypervisor.

A company is choosing a hypervisor for production servers where maximum performance and VM density are critical. What type of hypervisor is optimal?

Hardware virtualization

In the early 2000s, virtualization was slow - the hypervisor intercepted every guest OS instruction and emulated it. **Intel VT-x (2005)** and **AMD-V (2006)** added hardware support for virtualization in processors, speeding up VMs by 10-100 times.

**Problem without hardware support:** x86 processors have privileged instructions (access to I/O ports, memory management) that can only be executed in kernel mode (Ring 0). But the guest OS in a VM also wants to be in Ring 0! Conflict.

**Binary Translation (old VMware method):** The hypervisor scans the guest OS code, finds privileged instructions, **rewrites them on the fly** into safe calls. Slow, but works without CPU support.

**Paravirtualization (Xen):** The guest OS is **modified** - instead of privileged instructions, it calls hypercalls (similar to syscalls, but to the hypervisor). Faster than binary translation, but requires changes in the guest OS.

**Intel VT-x / AMD-V (Hardware-Assisted Virtualization):** The processor adds a new ring **Ring -1** for the hypervisor. The guest OS operates in true Ring 0, but the processor automatically intercepts critical operations and passes them to the hypervisor. No modifications to the guest OS are required!

**Extended Page Tables (EPT) / Nested Page Tables (NPT):** Before EPT, the hypervisor manually translated addresses: guest virtual → guest physical → host physical. With EPT, the processor does this in hardware, in **one memory access**.
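The two-stage translation described above, as an added example that is not part of the original lesson: a guest page table owned by the guest OS, an EPT owned by the hypervisor, and the two faults that can occur. Single-level tables with 4 KiB pages are a simplification of the real 4-level walks, and all mappings are constructed sample data.

```python
"""Nested paging: guest virtual -> guest physical -> host physical."""

PAGE_SHIFT = 12
PAGE_MASK = (1 << PAGE_SHIFT) - 1

# Constructed guest page table: guest virtual page number -> guest physical page number.
# The guest OS (Ring 0 inside the VM) controls this table.
GUEST_PT = {0x10: 0x2, 0x11: 0x3, 0x12: 0x9}

# Constructed EPT: guest physical page number -> host physical page number.
# Only the hypervisor controls this table. gPFN 0x9 is deliberately not backed:
# the guest can map it in its own tables, but the hardware will not let it
# reach host memory the hypervisor did not assign to this VM.
EPT = {0x2: 0x7A, 0x3: 0x7B}


class PageFault(Exception):
    """Guest-side fault: delivered to the guest OS, no VM exit."""


class EptViolation(Exception):
    """Host-side fault: VM exit, the hypervisor decides what happens."""


def _lookup(table, pfn, exc):
    if pfn not in table:
        raise exc(hex(pfn))
    return table[pfn]


def translate(gva):
    """Return (guest physical, host physical) for a guest virtual address."""
    offset = gva & PAGE_MASK
    gpfn = _lookup(GUEST_PT, gva >> PAGE_SHIFT, PageFault)    # stage 1: guest PT
    gpa = (gpfn << PAGE_SHIFT) | offset
    hpfn = _lookup(EPT, gpa >> PAGE_SHIFT, EptViolation)       # stage 2: EPT
    return gpa, (hpfn << PAGE_SHIFT) | offset


def fault_kind(gva):
    """Classify an access: 'ok', 'guest-page-fault' or 'ept-violation'."""
    try:
        translate(gva)
        return "ok"
    except PageFault:
        return "guest-page-fault"
    except EptViolation:
        return "ept-violation"
```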

**Hardware virtualization technologies:**

**Intel:**

  • VT-x: CPU virtualization
  • EPT: memory virtualization
  • VT-d: I/O virtualization (direct VM access to PCI devices)

**AMD:**

  • AMD-V: CPU virtualization
  • NPT (RVI): memory virtualization
  • AMD-Vi (IOMMU): I/O virtualization

GPU Passthrough - graphics card virtualization

With VT-d, a **physical graphics card** can be passed directly to a VM. A gamer runs a Windows VM on a Linux host, passes through an Nvidia RTX to the VM, and plays with native performance. This is called **PCI Passthrough** or **VFIO**. The graphics card fully belongs to the VM, the host OS does not see it.

Hardware virtualization has transformed VMs from a "slow toy" into a production-ready technology. Modern VMs operate with an overhead of only 2-10% compared to a native OS.

Why does hardware virtualization (VT-x/AMD-V) provide such a performance boost compared to Binary Translation?

Containers vs Virtual Machines

**Containers (Docker, Podman)** are a lighter form of virtualization. Instead of emulating an entire machine, containers isolate processes at the operating system level, sharing a single kernel.

**Key difference:** VMs emulate hardware (each VM has its own kernel), containers share the host's kernel, isolating processes through **namespaces** and **cgroups**.

**VMs vs containers:**

**Virtual machines:**

  • ✅ Full isolation (different OS, different kernels)
  • ✅ More secure (the hypervisor is an additional barrier)
  • ✅ Can run Windows on a Linux host
  • ❌ Heavy (gigabytes of disk, hundreds of MB of RAM)
  • ❌ Slow start (minutes)

**Containers:**

  • ✅ Lightweight (megabytes of disk, tens of MB of RAM)
  • ✅ Fast start (milliseconds)
  • ✅ Portability (one image works everywhere)
  • ❌ Share the host kernel (only Linux containers on Linux)
  • ❌ Weaker isolation (a kernel vulnerability affects all containers)

**Linux Namespaces** are the resource isolation mechanism: each container gets its own view of the system.

**Control Groups (cgroups)** limit the resources a container may use.
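An added example, not from the original lesson, of what namespaces and cgroups look like from the host: a container is an ordinary process whose namespace inodes differ from those of init, and whose cgroup v2 limits are plain files. The pure functions work on constructed sample values so they run anywhere; `read_namespaces` reads the real `/proc/<pid>/ns/` links on a Linux host when called.

```python
"""Namespaces = a process's view of the system; cgroups = its resource limits."""
import os

NS_KINDS = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def read_namespaces(pid):
    """Map namespace kind -> link target such as 'pid:[4026531836]' (Linux only)."""
    return {k: os.readlink(f"/proc/{pid}/ns/{k}") for k in NS_KINDS}


def shared_namespaces(ns_a, ns_b):
    """Namespace kinds whose inode is identical for both processes.
    A containerized process shares none with init except, at most, 'user'
    (when the runtime does not enable user namespaces)."""
    return sorted(k for k in ns_a if k in ns_b and ns_a[k] == ns_b[k])


def parse_cpu_max(text):
    """cgroup v2 cpu.max: '<quota> <period>' or 'max <period>'. CPUs, or None if unlimited."""
    quota, period = text.split()
    return None if quota == "max" else int(quota) / int(period)


def parse_memory_max(text):
    """cgroup v2 memory.max: bytes or 'max'. MiB, or None if unlimited."""
    text = text.strip()
    return None if text == "max" else int(text) / (1024 * 1024)


def isolation_report(ns_proc, ns_init, cpu_max_text, memory_max_text):
    """Summarize how confined a process is relative to the host's init."""
    return {
        "shared_with_init": shared_namespaces(ns_proc, ns_init),
        "cpus": parse_cpu_max(cpu_max_text),
        "memory_mib": parse_memory_max(memory_max_text),
    }


# Constructed sample: init's namespaces and a container process that reuses
# only the host's user namespace (inode numbers are made up).
HOST_INIT_NS = {k: f"{k}:[{4026531835 + i}]" for i, k in enumerate(NS_KINDS)}
CONTAINER_NS = {k: f"{k}:[{4026532500 + i}]" for i, k in enumerate(NS_KINDS)}
CONTAINER_NS["user"] = HOST_INIT_NS["user"]
```

On a real host, `isolation_report(read_namespaces(pid), read_namespaces(1), ...)` with the contents of the process's `cpu.max` and `memory.max` files gives the same summary for a live container.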

Docker in production - Netflix, Spotify

**Netflix** runs thousands of microservices in Docker containers on AWS. Each service: recommendations, streaming, billing - an isolated container. New service version? Build a new image, deploy in seconds. Rollback in case of issues - instant (revert to the old image). Containers provide development and deployment speed unattainable with VMs.

**When to use VMs, when containers?**

**Use VMs when:**

  • Different OSes are needed (Windows + Linux)
  • Maximum isolation is required (security, compliance)
  • Legacy applications have kernel dependencies
  • Services are long-lived and stateful

**Use containers when:**

  • The architecture is microservices
  • CI/CD requires fast deployments
  • Applications are stateless
  • High density is needed (100+ containers on a host)

Hybrid approach - VM + Containers

Many companies use **both** approaches: create VMs for team/project isolation, run dozens of containers within each VM. For example, AWS Fargate runs Docker containers, but each in its own micro-VM (Firecracker) for added security.

**Future:** technologies converge. **Kata Containers** run containers in lightweight VMs (microsecond startup). **Firecracker** (AWS) - micro-VM in 125ms. **gVisor** (Google) - userspace kernel for containers. The line between VMs and containers is blurring.

Containers are just lightweight virtual machines, they work the same way.

Containers and VMs are fundamentally different technologies. VMs virtualize hardware (each has its own kernel), containers isolate processes, sharing one host kernel.

This common misconception leads to the wrong choice of technology. VMs provide full isolation (Windows can run on a Linux host), but they are heavy and slow. Containers are fast and lightweight, but they share the kernel - a Windows container cannot run on a Linux host without a VM. A container is not a "stripped-down VM," it is an **isolated process** with its own view of the system through namespaces. Understanding this difference is critical for architectural decisions: legacy monoliths with different OS require VMs, cloud-native microservices require containers.

A startup is developing a microservice application: 20 services on Node.js, Python, Go. Frequent deployments needed (10+ times a day), fast scaling, minimal infrastructure costs. What to choose?

Key ideas

  • **Virtualization creates the illusion of multiple computers on one piece of hardware.** VMs think they are running on real CPU/RAM/disk, but the hypervisor divides resources among them. This provides isolation, high utilization, flexibility.
  • **Type 1 (bare metal) vs Type 2 (hosted) hypervisors.** Type 1 runs directly on hardware (ESXi, KVM) - maximum performance for production. Type 2 runs on top of a host OS (VirtualBox) - convenient for development, but slower.
  • **Hardware virtualization (VT-x/AMD-V) accelerated VMs by 10-100 times.** CPUs added Ring -1 for the hypervisor, EPT/NPT for memory translation. The guest OS runs in the real Ring 0, the processor automatically intercepts critical operations.
  • **Containers vs VMs - different goals.** VMs virtualize hardware (full isolation, heavy), containers isolate processes (lightweight, fast, but share the kernel). VMs are for legacy and security, containers are for microservices and CI/CD.

Related topics

Virtualization is related to many areas of Computer Science and systems engineering:

  • Memory management — The hypervisor manages physical memory, creating the illusion of independent RAM for each VM. EPT/NPT provide hardware translation of guest physical addresses into host physical ones.
  • Processes and scheduling — A hypervisor is a scheduler for VMs: it distributes CPU time among virtual machines, much as an OS does among processes.
  • Containers and isolation — Linux namespaces and cgroups are the process-isolation mechanisms underlying Docker. A VM alternative for cloud-native applications.
  • Cloud computing — AWS, Google Cloud, and Azure are built on virtualization. IaaS (Infrastructure as a Service) provides VMs on demand.

Questions for reflection

  • Why are cloud providers migrating from Xen to KVM (AWS Nitro), even though both are Type 1 hypervisors? What advantages does KVM offer?
  • A deployment requires running 1000 microservices. Calculate resources: VMs (1 GB RAM each) vs containers (50 MB each). What savings are there?
  • Docker containers share the host kernel. What happens if a critical vulnerability is found in the kernel? How does this affect the security of containerized applications?

Related lessons

  • os-08-virtual-memory — Nested paging is virtualization of virtual memory
  • os-02-processes — A VM is to an OS what a process is to a program - an isolated context
  • os-19-containers — Containers are a lighter alternative to full virtualization
  • arch-10-virtual-memory