S 3.70 Introduction to virtualisation
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Administrator, Head of IT
Virtualisation of IT systems is a technology that allows one or several virtual IT systems to be operated on a single physical computer. Such a physical computer is referred to as a virtualisation server. This technology has been used since the 1970s for mainframes (e.g. IBM zSeries), but only became more widespread in the field of midrange servers at the end of the 1990s. Examples of software products for the virtualisation of IT systems on the x86 architecture include Microsoft Virtual PC/Server, Parallels Virtuozzo, Sun VirtualBox, VMware Workstation/Server, and Xen. Another example is SUN Solaris Zones, available for the SPARC and INTEL platforms of Solaris. Furthermore, hardware-supported virtualisation (referred to here as partitioning) using so-called domains is possible for the Enterprise series of SUN servers. In the field of zSeries mainframes, virtualisation may be performed using logical partitions (LPARs, hardware-supported virtualisation) or using the z/VM product (software-supported), for example (see also S 3.7 S/390 and zSeries mainframe).
Virtualisation quickly gained acceptance as a strategic means for improving the utilisation and consolidation of server systems, since it allows many servers to be concentrated on one physical server system without any compromises regarding the distribution of the services across individual IT systems. This provides for better utilisation of the resources of the physical servers, and savings in server operations may be achieved in many cases. These savings concern not only the number of physical IT systems used, but also energy costs, space in the server rooms and computer centres, and air conditioning. Furthermore, virtualisation can accelerate the provision of new servers, since, for example, no hardware needs to be ordered for each new server system. With some virtualisation solutions, virtual IT systems can be copied, which simplifies installation, or so-called snapshots of virtual IT systems can be created, allowing the original state to be restored quickly after an incorrect change to the configuration.
Several virtualisation servers can furthermore be consolidated into a so-called virtual infrastructure, in which several virtualisation servers are administered together with the virtual IT systems running on them. This allows for additional functions. For example, virtual IT systems can be migrated from one virtualisation server to another, sometimes even while the virtual IT system is running (live migration). Furthermore, there are options for increasing the availability of the virtual IT systems: live migration may be used to always move virtual systems to the virtualisation server currently able to provide the best performance for operating them, or virtual IT systems may be restarted automatically on a different virtualisation server if the initial virtualisation server has failed, for example due to a hardware defect.
The manifold options for manipulating the virtual IT systems using the virtualisation software make virtualisation servers seem particularly suitable for designing test and development environments. With the help of virtualisation, it is possible to quickly provide IT systems and to establish complex environments quickly and efficiently for testing and development. Moreover, productive virtual IT systems can be copied for a test and development environment so that updates and adaptations can be tested without any disturbances for productive operations.
Prerequisites for operating virtual IT systems on a virtualisation server
In order to be able to securely operate virtual IT systems in parallel on a virtualisation server, the virtualisation software must meet certain prerequisites. The virtualisation software must make sure that
- each virtual IT system appears almost like a stand-alone physical computer to the software running on it (encapsulation),
- the individual virtual IT systems are isolated from each other and can only communicate with each other over defined routes (isolation),
- the individual virtual IT systems are able to access the hardware resources in an orderly manner.
Depending on how the virtualisation of the resources is carried out, these functions of the virtualisation layer may only be fulfilled to a limited extent. For example, there are virtualisation solutions in which the operating system software needs to be slightly modified before it can be run on a virtual IT system. Another example of such restrictions is solutions where all virtual IT systems on a virtualisation server must use separate instances of the same operating system.
The virtualisation layer does not necessarily have to consist of software components only. The hardware or firmware of some platforms also supports virtualisation of the resources. The virtualisation layer generally provides the virtual IT systems with configurable access capabilities to local drives and network connections. This allows the virtual IT systems to communicate with each other and with other IT systems.
In practice, two types of virtualisation software are differentiated: server virtualisation and operating system virtualisation.
Server virtualisation
Server virtualisation forms the basis for virtual IT systems that are usually provided with a complete, virtualised hardware environment abstracted from the hardware of the virtualisation server. A complete operating system is installed in this virtual hardware environment, and applications are then operated on that operating system as usual.
Normally, the operating system installed on the virtual IT system is completely independent of the operating system on which the virtualisation software runs. Access by the virtual IT system to the resources of the virtualisation server (processor, main memory, mass storage, network) is controlled by the virtualisation software. For this, every virtual IT system is equipped with devices allowing access to these resources. These devices are either completely emulated, or the physical devices are passed through to the virtual IT system by the virtualisation software. In any case, the virtualisation software ensures that the physical devices are used by the virtual IT systems in an orderly manner so that the mutual influence between the virtual IT systems is minimised as far as possible. The drivers used by the virtual IT systems to access the hardware components of the virtualisation server normally have to be installed within the virtual IT systems after the operating system has been installed.
In the field of server virtualisation, a differentiation is made between so-called hypervisor-based (type 1) and host-based (type 2) virtualisation products. With hypervisor-based virtualisation products, only a core operating system specialised for virtualisation, the so-called hypervisor, is installed on the physical hardware. This hypervisor creates the virtual hardware environment required for operating the virtual IT systems and controls the access of the virtual IT systems to the physical resources. With host-based virtualisation products, the hypervisor is installed as a service in a fully equipped operating system rather than in an operating system optimised for this purpose.
Operating system virtualisation
The operating system virtualisation differs greatly from the server virtualisation in the way the virtual IT systems are created. The server virtualisation provides the virtual IT systems with a complete hardware environment. The operating system virtualisation, on the other hand, is a solution where the virtual IT systems are provided with isolated instances of the operating system the virtualisation product was installed on. Therefore, no specific drivers are normally required for accessing the hardware components of the physical system, since the hardware components are "passed" to the virtual IT system without any changes. The virtualisation software only controls the access at this point so that the virtual IT systems do not influence each other.
This type of virtualisation results in some restrictions for the virtual IT systems operated with the help of an operating system virtualisation solution. Normally, it is not possible to use different operating systems in the virtual IT systems running on a virtualisation server, since the operating system is dictated by the virtualisation server. With some products, however, different kernel versions of the same operating system may be used on one virtualisation server.
Both virtualisation technologies provide administration software for administering the virtualisation server, the hypervisor, and the virtual IT systems. This may be a web-based administration interface, a special administration application, or a command line-based user interface. With some type 1 server virtualisation products, this administration interface is itself executed as a virtual IT system under complete control of the hypervisor.
Comparison of server and operating system virtualisations
The major advantage of operating system virtualisation is that practically no resources of the virtualisation server are needed for emulating virtual hardware, as is the case with server virtualisation. Thus, with operating system virtualisation, significantly more virtual IT systems can be operated on one physical system than with server virtualisation. This allows for a higher degree of consolidation, i.e. a higher ratio of virtual to physical IT systems.
However, the essential disadvantages of operating system virtualisation are the lower flexibility regarding the use of different operating systems and the weaker encapsulation of the virtual IT systems. As a result, there may also be restrictions on using different applications within the virtual IT systems. This is predominantly due to the fact that the coupling between virtual IT systems and virtualisation server is stronger than with server virtualisation. With operating system virtualisation, many parts of the virtualisation server's operating system are frequently shared with the virtual IT systems. For example, the same software libraries and operating system components are used in most cases; with some virtualisation products, software libraries are stored only once in the main memory of the physical system and used by all virtual IT systems.
Therefore, the encapsulation of the virtual IT systems is less pronounced with operating system virtualisation than with server virtualisation. As a consequence, the isolation of the virtual IT systems from each other and from the virtualisation server may also be weaker.
Normally, server virtualisation is characterised by a higher resource consumption per virtual IT system on the virtualisation server than operating system virtualisation. The time and expense required for maintenance and service of the virtual IT systems (for example, the installation of software updates) are also higher, since, due to the strong encapsulation, this work must frequently be performed individually for every virtual IT system. Within the framework of operating system virtualisation, such software updates may sometimes be installed in all virtual IT systems simply by installing the patch on the virtualisation server.
Moreover, the higher level of flexibility of server virtualisation solutions is related to a higher degree of complexity. This higher complexity results from the somewhat higher time and expense required in order to integrate virtualisation servers into the infrastructure of the information system for server virtualisation. The procedures for integrating these systems into networks and storage networks are normally more complex. Furthermore, existing processes for rolling out new IT systems may require adaptations.
Therefore, operating system virtualisation is particularly suitable if a large number of similar virtual IT systems are required, for example many similarly or identically configured web servers. Server virtualisation can play to its advantages if many different virtual IT systems must be operated. If heterogeneous server landscapes are to be virtualised, there is often no alternative to server virtualisation.
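The comparison above has a direct consequence for patch management: with server virtualisation every guest carries its own encapsulated operating system and is patched individually, whereas with operating system virtualisation the guests share the kernel (and often the libraries) of the virtualisation server, so those components are updated once on the server. The following script is an added example, not part of the IT-Grundschutz text or of any product; it derives the list of systems a given update has to be installed on from a constructed inventory. The inventory format, the two virtualisation kinds ("server" and "os") and the simplifying assumption that application packages inside a guest are always patched per guest are this example's own.

```python
"""Derive patch targets from a virtualisation inventory (added example).

Rules modelled from the text:
  - server virtualisation: each guest is a full, encapsulated OS -> patch each guest;
  - operating system virtualisation: guests share the server's kernel -> a kernel
    patch on the server covers its guests, and guests must run the server's OS.
Assumption of this example: application-level updates are installed per guest
in both cases (the text only says OS-level patches may propagate).
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Guest:
    name: str
    os_family: str          # e.g. "linux" or "windows"


@dataclass
class VirtualisationServer:
    name: str
    kind: str               # "server" (type 1/2 hypervisor) or "os" (OS virtualisation)
    os_family: str          # OS family of the server / hypervisor itself
    guests: List[Guest] = field(default_factory=list)


def check_inventory(servers: List[VirtualisationServer]) -> List[str]:
    """Flag guests that cannot exist as described: an OS-virtualised guest must
    run the operating system dictated by its virtualisation server."""
    problems = []
    for s in servers:
        if s.kind == "os":
            for g in s.guests:
                if g.os_family != s.os_family:
                    problems.append(f"{s.name}/{g.name}: {g.os_family} guest "
                                    f"on {s.os_family} OS-virtualisation server")
        elif s.kind != "server":
            problems.append(f"{s.name}: unknown virtualisation kind {s.kind!r}")
    return problems


def patch_targets(servers: List[VirtualisationServer],
                  component: str, os_family: str) -> Set[str]:
    """Names of systems on which an update for `component` ('kernel' or
    'application') of the given OS family must be installed."""
    if component not in ("kernel", "application"):
        raise ValueError(f"unknown component {component!r}")
    targets: Set[str] = set()
    for s in servers:
        affected = [g for g in s.guests if g.os_family == os_family]
        if component == "kernel":
            if s.os_family == os_family:
                targets.add(s.name)             # the server's own kernel
            if s.kind == "server":
                targets.update(g.name for g in affected)   # every encapsulated guest
            # kind == "os": guests inherit the server's kernel, nothing to add
        else:
            targets.update(g.name for g in affected)       # per guest in both models
    return targets


# Constructed inventory: one type-1 hypervisor with mixed guests, one
# operating-system-virtualisation server with three identical web servers.
INVENTORY = [
    VirtualisationServer("hv01", "server", "hypervisor",
                         [Guest("web01", "linux"), Guest("win01", "windows")]),
    VirtualisationServer("ct01", "os", "linux",
                         [Guest("web02", "linux"), Guest("web03", "linux"),
                          Guest("web04", "linux")]),
]

if __name__ == "__main__":
    for p in check_inventory(INVENTORY):
        print("inventory problem:", p)
    for component, fam in (("kernel", "linux"), ("kernel", "windows"),
                           ("application", "linux")):
        print(f"{component}/{fam}: {sorted(patch_targets(INVENTORY, component, fam))}")
```

Run on the constructed inventory, a Linux kernel update touches only web01 and ct01 (the three containers on ct01 are covered by their server), while a Linux application update must be rolled out to all four web servers individually.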
Network integration of the virtualisation servers and virtual IT systems
The different virtualisation solutions provide numerous different methods for allowing the virtual IT systems to access the networks of the information system. Essentially, two principles of implementing these network connections can be differentiated.
- Physical network interfaces of the virtualisation server are directly assigned to the virtual IT systems. Here, the virtual IT systems are connected directly to the network the virtualisation server itself is connected to.
- The physical network interfaces are not connected directly to the virtual IT systems. Instead, the hypervisor creates a virtual switch to which the virtual network interfaces of the virtual IT systems are connected. This virtual switch may in turn be connected to the physical network via a physical network interface of the virtualisation server. Using this technique, it is also possible to define virtual switches and networks that are not connected to the physical network of the information system at all.
These two different network integration technologies have different effects on how the virtual IT systems and the virtualisation servers must be integrated into the network of the information system. With the second variant in particular, it is possible to react to different protection requirements of the virtual IT systems in a flexible manner.
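Whether a virtual IT system can reach the physical network (directly assigned interface, or a virtual switch with an uplink) or only an isolated virtual switch is exactly the information an administrator needs to verify the isolation prerequisite stated earlier (communication only over defined routes). The following script is an added example, not part of the IT-Grundschutz text or of any virtualisation product; it assumes guest definitions in libvirt's domain XML format (interface types `bridge`, `network`, `direct`, `hostdev`) and classifies each interface into the two integration variants described above. The three domain documents and the set of uplinked switches are constructed samples.

```python
"""Inventory of how each guest is attached to the network (added example).

Variant 1 ("direct"): a physical NIC of the virtualisation server is handed to
the guest (libvirt interface type 'hostdev' = PCI passthrough, or 'direct' =
macvtap on a host device); the guest is then on the physical network.
Variant 2 ("virtual-switch"): the guest hangs on a hypervisor-created switch
('bridge' or 'network'); it reaches the physical network only if that switch
has an uplink. Libvirt XML format is real; the samples below are constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Constructed: virtual switches known to have an uplink to the physical
# network. Any other switch is treated as isolated (variant 2 without uplink).
UPLINKED_SWITCHES: Set[str] = {"br-prod"}

# Constructed libvirt domain definitions (only the parts relevant here).
SAMPLE_DOMAINS: Dict[str, str] = {
    "web01": """<domain type='kvm'><name>web01</name><devices>
      <interface type='bridge'><mac address='52:54:00:aa:00:01'/>
        <source bridge='br-prod'/><model type='virtio'/></interface>
      <interface type='network'><mac address='52:54:00:aa:00:02'/>
        <source network='isolated-backend'/><model type='virtio'/></interface>
    </devices></domain>""",
    "db01": """<domain type='kvm'><name>db01</name><devices>
      <interface type='network'><mac address='52:54:00:bb:00:01'/>
        <source network='isolated-backend'/><model type='virtio'/></interface>
    </devices></domain>""",
    "fw01": """<domain type='kvm'><name>fw01</name><devices>
      <interface type='hostdev' managed='yes'><source>
        <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
      </source></interface>
      <interface type='direct'><source dev='eth1' mode='passthrough'/></interface>
    </devices></domain>""",
}


def classify_interface(iface: ET.Element) -> Dict[str, object]:
    """Map one <interface> element to its integration variant."""
    kind = iface.get("type")
    src = iface.find("source")
    if kind == "hostdev":                       # variant 1: PCI passthrough
        addr = src.find("address") if src is not None else None
        name = ("pci " + ":".join(addr.get(k, "?") for k in ("bus", "slot", "function"))
                if addr is not None else "pci ?")
        return {"variant": "direct", "attached_to": name, "physical_reach": True}
    if kind == "direct":                        # variant 1: macvtap on a host NIC
        name = src.get("dev", "?") if src is not None else "?"
        return {"variant": "direct", "attached_to": name, "physical_reach": True}
    if kind == "bridge":                        # variant 2: Linux bridge = virtual switch
        name = src.get("bridge", "?") if src is not None else "?"
    elif kind == "network":                     # variant 2: libvirt-managed virtual network
        name = src.get("network", "?") if src is not None else "?"
    else:                                       # e.g. 'user' NAT: treat as its own switch
        name = str(kind)
    return {"variant": "virtual-switch", "attached_to": name,
            "physical_reach": name in UPLINKED_SWITCHES}


def inventory(domains: Dict[str, str]) -> Dict[str, List[Dict[str, object]]]:
    """Parse every domain document and classify all of its interfaces."""
    result = {}
    for name, xml in domains.items():
        root = ET.fromstring(xml)
        result[name] = [classify_interface(i) for i in root.iter("interface")]
    return result


def reaches_physical_network(domains: Dict[str, str]) -> Set[str]:
    """Guests with at least one path to the physical network."""
    return {n for n, ifs in inventory(domains).items()
            if any(i["physical_reach"] for i in ifs)}


def isolated_only(domains: Dict[str, str]) -> Set[str]:
    """Guests whose every interface sits on a switch without an uplink."""
    return {n for n, ifs in inventory(domains).items()
            if ifs and not any(i["physical_reach"] for i in ifs)}


def direct_assignments(domains: Dict[str, str]) -> Set[str]:
    """Guests that own a physical NIC (variant 1): these bypass any virtual switch."""
    return {n for n, ifs in inventory(domains).items()
            if any(i["variant"] == "direct" for i in ifs)}


if __name__ == "__main__":
    for guest, ifs in inventory(SAMPLE_DOMAINS).items():
        for i in ifs:
            print(f"{guest}: {i['variant']:<14} {i['attached_to']:<16} "
                  f"physical={'yes' if i['physical_reach'] else 'no'}")
    print("reach physical network:", sorted(reaches_physical_network(SAMPLE_DOMAINS)))
    print("isolated only:", sorted(isolated_only(SAMPLE_DOMAINS)))
```

On the samples, web01 spans both the uplinked switch and the isolated backend (a guest that bridges two protection zones and therefore deserves a look), db01 is reachable only over the isolated switch, and fw01 owns two physical NICs outright, so no virtual switch policy applies to it.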
Guest tools
Many manufacturers provide so-called guest tools for the virtual IT systems, which can be used to control the virtual IT systems conveniently via the virtualisation software. For example, these tools allow virtual IT systems to be shut down with the help of the virtualisation software without any direct interaction with the virtual system. Additional functions include exchanging the clipboard between the virtual IT system and the computer of the user of the virtual IT system, or simplified access to data media such as CD-ROMs or DVD-ROMs inserted into the corresponding drives of the virtualisation server or of the user's computer. The drivers for accessing the virtualised hardware and the tools for controlling the virtual IT systems are often provided as one integrated installation package.