Cloud: Definition and Virtualization

What services does Cloud offer?

• Before we can evaluate the necessity of moving to the cloud, we need to to know what services are available.
  • SaaS: Software-as-a-Service
  • PaaS: Platform-as-a-Service
  • IaaS: Infrastructure-as-a-Service
• Vendor: cloud service provider. ```

SaaS: Software-as-a-Service

• Vendor controlled applications that are accessed over the network by users.
• Characteristics:
  • Network-based access
  • Multi-tenancy
  • Single software release for all
• Examples:
  • Applications in the Google Suite
  • Dropbox
  • Cisco WebEx
• Net native
  • Cloud-specific design, development, and deployment
  • Multi-tenant data
  • Built-in metering and management
  • Browser-based
  • Customization via configuration

• High degree of configurability, efficiency, and scalability

• SaaS providers are dependent on network and cloud service providers.
  • A Dropbox story
• Performance is dependent on individual client’s bandwidth.
• Security
  • Good: Better security than personal computers
  • Bad: SaaS vendors (and cloud providers) are in charge of the data
  • Ugly: Privacy
• Who owns your data in SaaS?
• Google Drive ToS
• Google ToS ```

PaaS: Platform-as-a-Service

• Vendors provide development environment.
  • Tools and technologies are selected by vendors.
  • Users maintain control over data (application) life-cycle.
• Examples:
  • Google App Engine
  • AWS Elastic Beanstalk
  • Heroku
• Support multi-tenancy at various scale: sessions, processes, and data.
  • Isolation at: physical, virtual, and logical levels
  • Microsoft’s offerings of isolation choices
• Native scalability
  • Load balancing and fail-over (AWS Elastic Beanstalk)
• Native integrated management
  • Performance
  • Resource consumption/utilization
  • Load
• Inherits all from SaaS
• Options on technologies and tools are limited by the PaaS vendors ```

IaaS: Infrastructure-as-a-Service

• Vendors provide computing resources.
• Users provision computing resources.
  • Compute resources include processing, storage, memory, network etc.
  • Users are provided with customized virtual machines.
• Users maintain control over:
  • Operating system, memory
  • Storage,
  • Servers and deployment configurations, and
  • Some limited control over network resources via software-defined networking
• Infrastructure scalability
• Native-integrated management via vendors’ utilities
  • Performance, resource consumption/utilization, load
• Economical cost
  • Hardware, IT support
• Require more technical efforts than SaaS and PaaS. ```

Comparing service models

:::{image} ../fig/csc603/03-services/01.png :class: bg-primary mb-1 :height: 400px :align: center :::

:::{image} ../fig/csc603/03-services/02.png :class: bg-primary mb-1 :height: 400px :align: center :::

1
2
3
4
5
6
 
## XaaS: Everything-as-a-Service


- Composite second level services
- [NIST Evaluation of Cloud Computing Services (2018) p. 20](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.500-322.pdf)
 

NIST: Four deployment models

• Private Cloud
• Community Cloud
• Public Cloud

• Hybrid Cloud

• Infrastructure is organized solely for an organization

• Infrastructure is managed by the organization or by a third party

• Supports a specific community
• Infrastructure is shared by several organizations

• Examples: CloudLab

• Infrastructure is made available to the general public
• Infrastructure is owned by an organization selling cloud services

• Example: Azure Notebook free tier.

• Infrastructure is a composition of two or more clouds deployment models.
• Enables data and application portability ```

Cloud Security: who is doing what

• The cloud provider is responsible for the security OF the Cloud.

• The cloud consumer (users) is responsible for the security IN the Cloud.

• SaaS/PaaS:
  • Standard security procedure for online presences.
• IaaS:
  • Standard security procedure as any on-premise infrastructures.

  • Benefits from native administrative tools from the Cloud Provider.

  • Web application security: OWASP’s Top 10
  • Multi-tenancy: data isolation/leakage
  • Data security: accessibility versus security trade-off
• Similar security concerns as SaaS
• Complex security schemes due to potential third-party relationships.
• Development Lifecycle
  • Users depend on PaaS providers to patch security issues of the individual tools.
• Standard security measures.
  • To Cloud Provider, cloud resources are on-premise.
• Concerns with virtual machines’ security
• Concerns with virtual networking security ```

What is virtualization?

• Operating System concept: The abstraction of available resources
• Virtualization technologies encompass a variety of mechanisms and techniques used to address computer system problems such as security, performance, and reliability by decoupling the architecture and user-perceived behavior of hardware and software resources from their physical implementation. (https:/www.computer.org/csdl/mags/co/2005/05/r5028.html/)

:::{image} ../fig/csc603/04-virtualization/01.png :class: bg-primary mb-1 :height: 150px :align: center :::

• Formal requirements for virtualizeable third generation architectures
• A virtual machine is taken to be an efficient, isolated duplicate of the real machine.
• These notions can be explained through the idea of a virtual machine monitor.
• Essential characteristics of VMM:
  • Essentially identical to the physical resource
  • Efficiency
  • Complete control of system resources (with regard to the processes running inside the VM)

:::{image} ../fig/csc603/04-virtualization/02.png :class: bg-primary mb-1 :height: 300px :align: center :::

• Virtualization Layer: The Virtual Machine Monitor (or its modern name: Hypervisor) provides an interface between hardware and virtual operating systems.
• Type of hypervisors:
  • Bare-metal
  • Hosted

:::{image} ../fig/csc603/04-virtualization/03.png :class: bg-primary mb-1 :height: 150px :align: center :::

• Under-utilized resources
• Complicated system management
• Limited access to shared resources
• Inefficient power consumption
• Tight coupling with underlying resources

:::{image} ../fig/csc603/04-virtualization/04.png :class: bg-primary mb-1 :height: 300px :align: center :::

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
 

## Types of virtualization

- Platform Virtualization
- Memory Virtualization
- Desktop Virtualization
- Application Virtualization
- Network Virtualization
- Storage Virtualization


- Full Virtualization
- Para Virtualization
- Hardware assisted virtualization
- OS level virtualization


- x86 offers four levels of privilege (Ring 0 through 3)
- OS needs to have access to hardware and run on ring 0
- Application runs on ring 3, gain access to hardware by trapping into kernel mode for 
privileged instructions.
- Virtualizing x86 requires a layer under OS (which already at lowest level) to create 
and manage the VM
- Sensitive instructions must be executed in ring 0 

:::{image} ../fig/csc603/04-virtualization/05.png
:class: bg-primary mb-1
:height: 300px
:align: center
:::


- Guess OS is unaware of host OS.
  - VMM provides virtual BIOS, virtual devices, and virtual memory management.
- Non-critical instructions run directly on hardware.
- Runtime translation of critical non-virtualizable instructions happens in the hypervisor.
- Provide best isolation and security at the cost of performance.

:::{image} ../fig/csc603/04-virtualization/06.png
:class: bg-primary mb-1
:height: 300px
:align: center
:::


- Thin layer interfaces between each guest OS and underlying hardware.
- Need guest kernel modification.
- No need of runtime translation for critical instructions.
- Superior in performance.
- Requires expertise to patch the kernels.

:::{image} ../fig/csc603/04-virtualization/07.png
:class: bg-primary mb-1
:height: 300px
:align: center
:::


- Hardware provides support to run instructions independently.
  - Intel Virtualization Technology (VT-x)
  - AMD Virtualization Technology (AMD-V)
- No need to patch the kernels.
- Runtime translation not required.
- Better performance in comparison to other variants.
- Greater stability
:::{image} ../fig/csc603/04-virtualization/08.png
:class: bg-primary mb-1
:height: 300px
:align: center
:::


- Same OS for both host and guest machines.
- User space is completely isolated.
- High performance.
- Extremely light-weight.



- How to share physical system memory and dynamically allocating it to virtual machines.
- Guess OS maps virtual memory space (of VM) to physical memory space (of VM).
- VMM translates physical memory space (of VM) to physical memory space (of main machine), 
but also enables direct mapping (shadow table) to avoid overhead.
:::{image} ../fig/csc603/04-virtualization/09.png
:class: bg-primary mb-1
:height: 300px
:align: center
:::



|  | Full Virtualization with Binary Translation | Hardware Assisted Virtualization | OS Assisted Virtualization/Para Virtualization |  
| ----------- | -------------- | -------------- | ------- |  
| Guest modification/Compatibility | Unmodified Guest OS, excellent compatibility | Unmodified Guest OS, excellent compatibility | Guest OS codified to run Hypercall, cannot run of native hardware or other hypervisors. Poort compatibility |  
| Performance | Good              | Fair              | Better on certain cases       |  
| Guest OS Hypervisor Independent | Yes              | Yes              | Xen Linux runs only on Xen Hypervisor. VMI-Linux is Hypervisor agnostic       |  


- Desktop and Applications run on servers.
- Stateless thin clients connected to servers.
- Efficient system management.
- Requires high-end servers for system stability
 

Network and storage virtualization

• Similar idea of providing an abstraction layer to the physical infrastructures
• In networks, abstraction will
  • Be at the level of routers, switches, gateway, firewalls, load balancers, …
  • Enabled by software-defined networking
• In storage, single storage backends can be used for different requirements
  • Ephemeral
  • Persistent
  • Specialize storage backends ```

Virtualization: concept of overcommits

• Allocating more than the available physical resources to the Guest OS
• Common types of overcommit:
  • CPU
  • Memory
  • Storage
• Advantages:
  • Favorable economic model
  • Efficient resource utilization
  • Support green computing
• Disadvantages:
  • Performance loss or unstable system response
  • Complex system understanding
  • VM shutdown by the hypervisor
• Allows more virtual CPUs than physically available
  • Openstack KVM: overcommit-number = 16.0
• Allow more memory than physically available
  • Overstack KVM: overcommit-number = 1.5GB ```

Virtualization hypervisors

• Contribution from industry and academia
• Xen: Project from Cambridge Computer Laboratory
• VMware: Commercial product
  • Also comes from academic research (see Mendel Rosenblum ACM)
• KVM: Initiated by the Open Virtualization Alliance, later dissolved and is now managed by the Linux Foundation
• Qemu: Open source machine emulator and virtualizer ```

Virtualization in the cloud

:::{image} ../fig/csc603/04-virtualization/10.png :class: bg-primary mb-1 :height: 300px :align: center :::

:::{image} ../fig/csc603/04-virtualization/11.png :class: bg-primary mb-1 :height: 300px :align: center :::

:::{image} ../fig/csc603/04-virtualization/12.png :class: bg-primary mb-1 :height: 500px :align: center :::

:::{image} ../fig/csc603/04-virtualization/13.png :class: bg-primary mb-1 :height: 300px :align: center :::

• Management: internal comm between OpenStack components, reachable only within the data center.
• Guest: Used for VM data communication within the Cloud Deployment.
• External: Provide VM with Internet access.
• API: Exposed all the Stack’s API to the public.

:::{image} ../fig/csc603/04-virtualization/14.png :class: bg-primary mb-1 :height: 300px :align: center :::

```