Xen Project’s Virtualization Updated With Improved VMI and Security

The Xen Project has announced the release of Xen Project 4.6. The new release brings improvements to security, network throughput and live migration.

With this release, Xen Project’s Virtual Machine Introspection (VMI) is natively supported on both Intel and ARM chips, making it a practical API for developers building monitoring and security applications. Further updates improve stability, scalability and usability, creating a stable baseline for third-party security applications, including malware detection, forensics, security auditing and more.

Updates to the VMI subsystem lay the foundation for easier integration with IT monitoring tools and more centralized management, while the inclusion of Intel Cache Allocation Technology (CAT) and Memory Bandwidth Monitoring (MBM) enables additional monitoring of system resources.

“Stability, performance and security are critical when it comes to running software on the modern Internet and cloud systems,” said Lars Kurth, Xen Project Advisory Board Chairperson. “The new Xen Project release puts these capabilities front and center and allows system administrators to determine where system vulnerabilities might lie, to proactively assess potential security risks and to centralize and monitor how instances in IT infrastructure are affecting the overall stability of the environment.”

Major contributions from Citrix, Suse, Oracle, Intel, Linaro, Fujitsu, Novetta, Red Hat, Zentific, BitDefender, NSA, Verizon, Xilinx, Cavium, Huawei, Broadcom, GlobalLogic, AMD and a number of universities and individuals are now pushing Xen Project innovation forward in areas such as security, performance and quality. Xen’s functionality continues to evolve to better serve new compute infrastructures such as mobile, hyper-scale computing, massive workloads, security-intensive applications, embedded computing, cloud computing, hosting providers, and hardware appliances.

New features and capabilities of Xen Project 4.6 include:

  • Enables a new class of security applications – A number of significant improvements to Xen’s Virtual Machine Introspection (VMI) subsystem make it a strong hypervisor choice for security applications. Hardware support for VM Functions (VMFunc), available on Intel’s 4th generation Haswell CPUs and Atom Silvermont CPUs, reduces overheads. Support for Virtualization Exceptions, available on Intel’s 5th generation Broadwell CPUs and Atom Goldmont CPUs, significantly reduces latency. VMI support for ARM CPUs has also been added.
  • Major improvements to scalability – Finer-grained grant table locks lead to significant scalability improvements. For example, aggregate intrahost network throughput improved by more than 100% in some cases. In addition, the hypervisor’s spinlocks, previously simple byte locks, were replaced with ticket locks, which have better fairness properties than the previous locks and therefore scale better under contention.
  • Redesign of live migration components to better support high availability – The Xen Project Hypervisor’s live migration subsystem now implements its second version (Migration v2), which is more robust, extensible and able to handle next-generation infrastructures. It has been tested by several vendors to ensure it is enterprise-ready. The updates provide better performance for 64-bit systems and add support for cross-bitness migration between 32-bit and 64-bit hosts. Migration v2 is optimized for PVH and for Coarse-grained Lock-stepping (COLO), which will be fully integrated with Xen in the next release. In addition, Page Modification Logging (PML) was implemented for Intel CPUs, improving SPECjbb performance in log-dirty mode.
  • Better quality – During the Xen 4.6 release cycle, the Xen Project increased its integration test capability by creating CI loops for Xen Hypervisor and OpenStack testing. Besides running tests on more hardware configurations, the number of test cases nearly doubled during the 4.6 release cycle, contributing to the best quality release yet.
  • ARM support – The new release increases the maximum number of supported VCPUs for 64-bit ARM CPUs from 8 to 128 and adds support for 32-bit userspace applications in 64-bit guests. Additionally, new IP blocks, firmware interfaces and platforms are supported, including non-PCI passthrough, OVMF for ARM and GICv2 on GICv3. During the hardening phase of Xen 4.6, members of the Xen Project community closely collaborated with the CentOS Virtualization SIG to build and test Xen 4.6 packages for CentOS 7’s 64-bit ARM variant and tested them against OpenStack using libvirt.
  • Updates for automotive and embedded systems – The new release added support for two platforms targeting the embedded and automotive market segments: Xilinx Zynq UltraScale+ MPSoC and support for the Renesas R-Car Gen2 SoCs.
  • Intel Platform QoS Technologies for improved scalability and performance – Intel Cache Allocation Technology (CAT) and Memory Bandwidth Monitoring (MBM) are included, building on the Cache Monitoring Technology (CMT) introduced in Xen 4.5. CAT allows system administrators to assign more L3 cache capacity to individual VMs, resulting in lower latency and higher performance for high-priority workloads such as NFV, real-time and video-on-demand applications. MBM allows system administrators to identify memory bandwidth saturation on a Xen host that may be caused by several memory-intensive VMs running on the same host. Taking corrective action, such as migrating VMs to a different Xen host, increases scalability and performance in the data center.
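To make the CAT bullet concrete, here is an added example (not Xen project code) of what assigning L3 capacity looks like at the toolstack level. A CAT allocation is expressed as a capacity bitmask (CBM) over the cache ways, and the hardware requires the set bits to be one contiguous run, so the check a practitioner wants is "is this mask contiguous, and does it overlap the mask of a VM I intended to isolate?". The script assumes the 4.6-era command name `xl psr-cat-cbm-set <domid> <cbm>` and a constructed L3 width of 20 ways; read the real width from `xl psr-cat-show` on an actual host.

```shell
#!/bin/sh
# Added example for Intel CAT masks under Xen; not Xen project code.
# Assumptions (not from the article): the toolstack command
# "xl psr-cat-cbm-set <domid> <cbm>" and an L3 with CBM_LEN ways.
# CBM_LEN=20 is a constructed value for illustration.
CBM_LEN=20

# Print, as hex, the CBM covering $2 consecutive ways starting at way $1.
# Fails when the range is empty or runs past CBM_LEN. Building masks from a
# (first, count) pair guarantees the contiguity CAT hardware requires.
cat_cbm_from_ways() {
    first=$1; nways=$2
    if [ "$nways" -lt 1 ] || [ $((first + nways)) -gt "$CBM_LEN" ]; then
        return 1
    fi
    printf '0x%x\n' $(( ((1 << nways) - 1) << first ))
}

# Return 0 if the mask is non-zero and its set bits are contiguous.
# For a contiguous run m, (m | (m - 1)) + 1 is a power of two, and a
# power of two x satisfies x & (x - 1) == 0. Anything else is a mask the
# hardware (and Xen) would reject.
cat_cbm_is_contiguous() {
    m=$(($1))
    [ "$m" -ne 0 ] || return 1
    x=$(( (m | (m - 1)) + 1 ))
    [ $(( x & (x - 1) )) -eq 0 ]
}

# Return 0 if two masks share no ways, i.e. the two domains get fully
# separate L3 capacity (the property you want for a latency-sensitive VM).
cat_cbm_disjoint() {
    [ $(( $1 & $2 )) -eq 0 ]
}

# Validate a mask and print the toolstack command that would apply it to
# domain $1. The command is printed, not executed, so this runs anywhere;
# on a CAT-capable host you would pipe it to sh as root.
cat_plan() {
    domid=$1; cbm=$2
    cat_cbm_is_contiguous "$cbm" || { echo "invalid CBM $cbm" >&2; return 1; }
    printf 'xl psr-cat-cbm-set %s %s\n' "$domid" "$cbm"
}

# Usage: give domain 1 the low 4 ways and domain 2 the next 8, then
# confirm they do not overlap before applying either mask.
main() {
    a=$(cat_cbm_from_ways 0 4)  || return 1   # 0xf
    b=$(cat_cbm_from_ways 4 8)  || return 1   # 0xff0
    cat_cbm_disjoint "$a" "$b"  || { echo "masks overlap" >&2; return 1; }
    cat_plan 1 "$a"
    cat_plan 2 "$b"
}
[ "${0##*/}" = "cat_plan.sh" ] && main
```

The masks are only a plan until `xl psr-cat-cbm-set` is actually run, and the remaining ways that no mask claims stay shared by every other domain, which is the default CAT state.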