Archive for the ‘Linux’ Category

Is KVM a type 1 or a type 2 Hypervisor? – aka – My Hypervisor is better than your Hypervisor!

May 12, 2009

There are many virtualisation solutions on the market today. As a result we now get companies telling us that their solution is better than their competitors – nothing new there. Of course, no one seems to provide any benchmarks and some companies even get their knickers in a twist if you even suggest you’re going to perform and openly document any benchmarks.

Firstly, if you remember that it is all done with smoke and mirrors you’ll be fine.

What is a Hypervisor ?

Some people/vendors say Hypervisors (also called the Virtual Machine Monitor) are new technology that enables multiple Operating Systems to co-exist on a single system. This is incorrect: hypervisors have been around since system virtualisation started back in the 1970s with IBM’s CP-370 reimplementation of CP-67 for the System/370, known as VM/370. VM/370 has evolved over the years and is now known as z/VM and is fundamental to large scale virtualisation of Linux (and OpenSolaris) on System z.

Hypervisors use a small layer of code to achieve fine-grained, dynamic resource sharing of the underlying system, though you could easily argue that z/VM is not a small layer of code. In general, to me a piece of code that provides fine-grained, dynamic resource sharing of the underlying system sounds awfully like an operating system. Admittedly this operating system allows you to run other operating systems simultaneously. Again, this doesn’t sound terribly different to an operating system running processes, so clearly there is something more to it.

The issue revolves around how an operating system manages the underlying hardware resources. It does so in a privileged state where it handles all requests to access the hardware on behalf of the user processes. That is, my user mode process cannot directly access the hardware and it delegates that request to code running in a more privileged state. This is where the smoke and mirrors come out. The Hypervisor provides each guest operating system the appearance of full control over a complete computer system (memory, CPU, and all the peripheral devices). Fundamentally, Hypervisors work by intercepting and emulating in a safe way sensitive operating system operations (such as page table manipulation) in the guest.

Hypervisors, in general, are historically classified in two types:

  • Type 1 hypervisor (Bare-Metal Architecture) – This is a hypervisor that runs directly on a given hardware platform. A Guest OS then runs at the second level above the hardware. The classic type 1 hypervisor was CP/CMS, developed at IBM in the 1960s. Often quoted examples of this type are Xen, VMware’s ESX Server and IBM’s LPAR hypervisor (PR/SM).
  • Type 2 hypervisor (Hosted Architecture) – This is a hypervisor that runs within an OS environment. A Guest OS then runs at the third level above the hardware. Some examples quoted of this type are VMware Server and Linux KVM.

KVM is Type 1 versus Type 2?

Vendors will often be seen bagging their competition. Oh they’re a type 2 hypervisor, we’re a type 1. Since we’re type 1 we must be better.

Is the distinction between types even relevant anymore?

If we look at the above list of type 1 hypervisors we see IBM’s PR/SM and the son of CP/CMS known as z/VM. Both System z PR/SM and z/VM are classified as type 1 hypervisors, but you can run z/VM as a type 1 hypervisor in a PR/SM logical partition. Does it make sense to keep the distinction of type 1 versus type 2 in this case – probably not.

What about x86?

If we look more closely at x86 style architecture we see that it is divided into 4 hardware resource privilege levels aka rings. The operating system kernel runs in privilege level 0 (aka ring 0) giving it complete control over the system. In the case of Linux, ring 0 is also known as kernel space, with user mode being in ring 3.

So where do the hypervisor and virtualisation fit into this?

Virtualisation effectively puts the hypervisor into Ring 0 which then in turn presents a ring 0 lookalike to the guest operating systems thereby fooling them into believing they are running on the native hardware.

In this context you could argue that a type 1 hypervisor runs directly in ring 0 and a type 2 hypervisor runs in ring 3, but as we’ve seen above with PR/SM and z/VM the distinction between type 1 and type 2 hypervisors is fuzzy at best.

Now coming back to the reason for me blathering on – Is KVM a type 2 or a type 1 hypervisor? Many people will flatly say type 2 as it is loaded by a hosted operating system (in this case Linux) and of course those running type 1 hypervisors will say that theirs is better. Others will say KVM is a type 1.

I’m not so sure that KVM is a type 2 hypervisor. Sure it does use a Linux operating system. But what are the differences between a dedicated hypervisor microkernel and a dedicated Linux-based hypervisor? I don’t think the amount of code should really be a determining factor.

KVM makes available the hardware virtualisation extensions (AMD SVM or Intel VT-x) to the Linux kernel effectively making the kernel a Ring 0 Hypervisor. In this new mode the ring 0 hypervisor (VMXROOT) has full privileges and the guest operating systems run in what is known as a deprivileged ring 0. Sure guest VM creation is performed from user space via /dev/kvm device ioctls, but you could just as easily argue – do you want vm creation/management to be performed by a privileged microkernel?
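The split described above can be seen from user space. The following is an added example, not code from the original post: it reads the CPU flags for VT-x or SVM and asks the kernel's KVM module, through `/dev/kvm` ioctls, for its API version and an empty VM. The function names are this example's own; the ioctl numbers are the `_IO(KVMIO, nr)` values from `linux/kvm.h`.

```python
import fcntl
import os

KVMIO = 0xAE
KVM_GET_API_VERSION = (KVMIO << 8) | 0x00   # _IO(KVMIO, 0x00)
KVM_CREATE_VM = (KVMIO << 8) | 0x01         # _IO(KVMIO, 0x01)


def hw_virt_extension(cpuinfo_text):
    """Return the virtualisation extension named in the CPU flags, or None."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags") and ":" in line:
            flags = line.split(":", 1)[1].split()
            if "vmx" in flags:
                return "Intel VT-x"
            if "svm" in flags:
                return "AMD SVM"
    return None


def probe_kvm(path="/dev/kvm"):
    """Request the KVM API version and an empty VM from the kernel."""
    try:
        dev = os.open(path, os.O_RDWR | os.O_CLOEXEC)
    except OSError as exc:
        # No module loaded, no device node, or no permission on it.
        return {"available": False, "reason": exc.strerror}
    try:
        version = fcntl.ioctl(dev, KVM_GET_API_VERSION, 0)
        # User space only asks; the kernel side does the privileged set-up
        # and hands back a file descriptor that represents the new VM.
        vm_fd = fcntl.ioctl(dev, KVM_CREATE_VM, 0)
        os.close(vm_fd)
        return {"available": True, "api_version": version}
    except OSError as exc:
        return {"available": False, "reason": exc.strerror}
    finally:
        os.close(dev)


if __name__ == "__main__":
    with open("/proc/cpuinfo") as fh:
        print("CPU extension:", hw_virt_extension(fh.read()))
    print("KVM probe:", probe_kvm())
```

Access to create guests is governed by the file permissions on `/dev/kvm`, so that device node is the thing to audit when deciding who may start VMs on a host.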

Personally I think the distinction between Hypervisors based on their ‘type’ which is in itself a historical artefact of technology long extinct is a waste of time – perhaps that is why it is used in marketing campaigns :-)

Perhaps we’d be better off looking at performance and interoperability and making those the things to argue about.   Let’s all forget about Type 1 and Type 2, it’s all too fuzzy to be bothered with those terms anymore.

nagios forked

May 10, 2009

I normally don’t get that fussed by opensource projects going off on tangents.  However, I think the fork of nagios to icinga is a good thing, much in the same way as quagga was a great fork of zebra.

Nagios is ok, it’s not great.  There are many areas where it can improve and now that the future for the tool is directly in the hands of the community I’m hoping it can make some big leaps forward.

Of course, the new team has to step up and deliver the goods.   I’m happy to support them where I can by replacing my nagios deployment with icinga.

My D-Link AP is dead, long live my Linksys

April 18, 2009

Finally…… after torturing me for a few years my D-Link DWL7000AP died.   It has been nothing but trouble.  In my opinion D-Link gear is sub-standard.  It was a crap AP, and the corresponding wireless cards equally as crappy.

Anyway, after cheering the demise of my DWL7000AP  I went out and got a Linksys WRT54GL (yes I know it’s a wireless broadband router) and I’m happily using it as a replacement access point for my home network.

There was only a little bit of fiddling required for using it as an AP only.

  1. don’t put a cable into the port reserved for your broadband connection, just use one of the other ports.
  2. turn off dhcp on the wrt54gl as you want to have dhcp requests pass through to your existing dhcp server.
  3. Give the wrt54gl a management IP on the same subnet as the rest of your network
  4. Set up the wireless security you want.

Hey presto.

As for performance, my DWL7000AP was crap.  Wireless performance meant the network was dodgy anywhere in the house, yes, even sitting next to it (oh yeah d-link refused to believe it was faulty and was working as designed).  Anyway, the wrt54gl network performance is far superior and I get peak performance to the edges of my property – not sure why I’ll be sitting on my boundary fence surfing the internet but at least now I have the option to do so ;-)

Why didn’t I go wireless N ?  Well I’ve spent enough money on wireless gear and in general I find wireless a poor substitute for wire – so I wanted a quick rock solid replacement that worked with all the other wireless gear – no point paying for N if you’re not going to ever use it.   Wireless is good for sitting outside on a nice day but wire is good – don’t let anyone try to convince you otherwise ;-)

Oh yeah, what’s the link to Linux here?   The ‘L’ in the WRT54GL means it runs Linux – gotta love that penguin.

VLC – 1, MythTV Internal Player – 0

November 30, 2008

Don’t freak, I love my MythTV, however the Internal player for handling videos and dvds tends to suck a little at times.

I watch a few google videos (more like this or this, than this , but hey, you watch what you want :-) ) – anyway, the MythTV internal player more often than not doesn’t like playing these files, with either the video jumping, audio twitching, missing or some odd combination thereof.   Anyway, I’d finally had enough and decided I’d switch from the internal player to using vlc.

Surprisingly it’s pretty easy.

In mythtv, navigate the menus to “Video Settings” -> “Player Settings” and change the player from ‘Internal’ to vlc file://%s vlc:quit .  The vlc:quit adds ‘quit’ to the playlist which means when the video ends you’re not left with vlc sitting there looking at you.

Rather than passing parms to vlc via the command line, I modified the ~/.vlc/vlcrc and set options like :

fullscreen=1
width=1920
height=1080
osd=0
control=lirc    #note
intf=dummy
key-quit=Esc

Then of course I had to modify my ~/.lircrc to allow my remote and vlc to have a happy relationship.  Of course your remote is likely different to mine, but the concept looks like this:

In this context, button is the button pressed on the remote and config is the vlc action to take (as detailed in the ~/.vlc/vlcrc )


#Stop playback and exit
begin
prog = vlc
button = stop
config = key-quit
end

# Pause playback
begin
prog = vlc
button = playpause
repeat = 3
config = key-play-pause
end

# Seek back 10 seconds
begin
prog = vlc
button = rew
repeat = 3
config = key-jump-short
end

End result, all my videos work without issue.  My nearly 4 yr old son can happily get mythtv to work with this configuration, so don’t let anyone tell you mythtv is hard to use :-)

zfs … Ok I’m jealous

November 25, 2008

If you’ve ever built large filesystems on linux with hundreds of disks using ext3 and LVM you will appreciate the very nice way zfs works on opensolaris.   Having had a play with zfs – I am jealous.

If you would like to see more on zfs, the following 3 videos are an excellent presentation and demonstration of zfs.  Thanks to Bill and Jeff and Sun for making this available.

ZFS : The last word in filesystems Pt 1

ZFS : The last word in filesystems Pt 2

ZFS : The last word in filesystems Pt 3

openembedded now using git

October 24, 2008

Ok, so this news is a little old, but nonetheless I am happy to see monotone go.   It made my experience with openembedded less than pleasant.  It was a slow, buggy and outright irritating experience.  Let’s just say – I will happily purge monotone from my systems and never look back.

Thank you Openembedded community, I’m now looking forward to coming back :-)

new toy in the house

August 30, 2008

Ok,  it was time to replace my lovely Sony KRHV32M31 CRT with a new LCD.   The Sony is a beautiful CRT, but shall we say – it needs to lose a few kilos as it weighs a ton :-) .  Anyway, after lugging the beast upstairs (something I don’t care to repeat for a long time to come especially considering how sick I’ve been) the hole it left behind was filled nicely with a Philips 42PFL7403 .

Normally installation of this TV (just as a TV) is a piece of cake.  Plug in the antenna, turn it on and answer the questions you get asked and it’s all done – really even my mum could have done it (Hi Mum :-) ).

Of course there’s a fair bit of Linux in my house so a reconfiguration of my  mythtv box was going to be required.   Previously the Sony CRT required handcrafted X modelines and was connected via a VGA to RGBHV cable.  I’d like to get those hours of my life back.   In this case I decided on using a DVI to HDMI adapter with an ancillary stereo audio cable tied to one of the Philips HDMI inputs.

After a couple of hours (yes I went and had lunch in that couple of hours as well) myth was alive and happily delivering 1080p content onto this really nice piece of equipment – don’t trust me, go read the reviews yourself and then have a good look at it in the shops.

So what happened in those couple of hours (apart from lunch).  I just put in a standard ubuntu X config file, connected it to the TV, restarted X and had a look to see what happened.   The wonders of EDID saw the LCD automatically detected and I could start the mythfrontend in 1080p mode.   The GUI was off centered and required adjusting within the mythtv frontend settings.   This did however expose this bug which left an annoying white line at the top of the screen (boo!!).  Anyway, the simple solution was to put the XFCE panel into autohide mode which solved the problem.

Now, sometimes it’s a little hard to find true HD content being broadcast when you want it to show off the LCD in all its glory so I reserved a really nice piece of HD content called Big Buck Bunny which is available under a Creative Commons Attribution 3.0 licence.   The end result – happy family :-)

openssh crypto cipher performance

July 1, 2008

It was mentioned to me that when transferring files on an internal network, selecting a different cryptographic cipher could improve the file transfer performance.  So, since I had a few spare minutes and elected not to scratch my bum I whipped up the following little script to test the theory.

I elected to scp a random ~700Mb file I affectionately called disc1.iso  (it was actually just random data, but you get the idea) to my localhost.  That is, I transferred the file from system A to system A.   I’m not interested in getting the highest possible speed with this test, I’m more interested in the relative performance of the ciphers.   Doing this creates a ‘relatively’ stable environment to conduct the comparisons.

I added my ssh key to allow myself to talk to myself – sort of like this blog really with the number of readers I have :-)   Then I did the following (a man ssh shows the valid ciphers for protocol 2)

for c in 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr \
         arcfour128 arcfour256 arcfour blowfish-cbc cast128-cbc ; \
         do for j in `seq 1 1`  ; \
          do /usr/bin/time -a -o results.txt -f "$c,$j,%E,%U,%S" scp -c $c disc1.iso localhost:tmp/ ;\
          done  ; \
         done &

This creates a results file which in my case looks like this :

3des-cbc,1,1:12.67,35.41,3.53
aes128-cbc,1,0:56.18,9.52,4.09
aes192-cbc,1,0:54.58,9.86,4.16
aes256-cbc,1,0:55.73,11.46,3.89
aes128-ctr,1,0:59.78,13.43,4.14
aes192-ctr,1,1:04.33,14.67,4.19
aes256-ctr,1,1:01.07,15.31,4.08
arcfour128,1,0:57.75,7.10,4.50
arcfour256,1,1:18.06,7.80,4.56
arcfour,1,0:59.32,7.05,4.60
blowfish-cbc,1,1:01.19,11.62,4.46
cast128-cbc,1,1:26.57,22.31,4.14

Now, according to the man page aes128-cbc is the default cipher for Protocol version 2 so if I use this as the baseline then the relative performance becomes  :

Cipher          Relative Performance
3des-cbc        0.77
aes128-cbc      1.00
aes192-cbc      1.03
aes256-cbc      1.01
aes128-ctr      0.94
aes192-ctr      0.87
aes256-ctr      0.92
arcfour128      0.97
arcfour256      0.72
arcfour         0.95
blowfish-cbc    0.92
cast128-cbc     0.65

Based on those numbers I really wouldn’t bother trying to select a different cipher for the file transfer.

Note 1: This was performed on a run of the mill core 2 duo system running Ubuntu Hardy, you will possibly find that certain architectures have better results with certain ciphers possibly due to the instruction set being a better fit for a certain algorithm or in the case of higher end servers the availability and use of cryptographic hardware.

Note 2:  The seq 1 1 allows you to run the test multiple times, just change it to seq 1 10 to run each test 10 times.  I just did it once for the purposes of putting it in the blog.
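The relative-performance table can be derived from results.txt automatically, including when each cipher is run several times. This is an added example, not part of the original post: it averages the `%E` elapsed times per cipher, divides the baseline by each, skips runs that GNU time logged as failed, and marks CBC and arcfour ciphers as legacy (an assumption of this example, based on current OpenSSH leaving them out of its default cipher list).

```python
from collections import defaultdict

# results.txt as listed in the post: cipher,run,%E,%U,%S
RESULTS = """\
3des-cbc,1,1:12.67,35.41,3.53
aes128-cbc,1,0:56.18,9.52,4.09
aes192-cbc,1,0:54.58,9.86,4.16
aes256-cbc,1,0:55.73,11.46,3.89
aes128-ctr,1,0:59.78,13.43,4.14
aes192-ctr,1,1:04.33,14.67,4.19
aes256-ctr,1,1:01.07,15.31,4.08
arcfour128,1,0:57.75,7.10,4.50
arcfour256,1,1:18.06,7.80,4.56
arcfour,1,0:59.32,7.05,4.60
blowfish-cbc,1,1:01.19,11.62,4.46
cast128-cbc,1,1:26.57,22.31,4.14
"""

def is_legacy(cipher):
    # Assumption: CBC modes and arcfour (RC4) count as legacy here.
    return cipher.endswith("-cbc") or cipher.startswith("arcfour")

def elapsed_seconds(field):
    """Convert GNU time's %E value, [hours:]minutes:seconds, to seconds."""
    total = 0.0
    for part in field.split(":"):
        total = total * 60 + float(part)
    return total

def parse_results(text):
    """Return {cipher: mean elapsed seconds}, ignoring failed runs."""
    runs = defaultdict(list)
    failed = False
    for line in text.splitlines():
        if line.startswith("Command exited with non-zero status"):
            failed = True   # GNU time writes this just before the record
            continue
        fields = line.strip().split(",")
        if len(fields) != 5:
            continue
        if not failed:
            runs[fields[0]].append(elapsed_seconds(fields[2]))
        failed = False
    return {c: sum(v) / len(v) for c, v in runs.items()}

def relative_performance(text, baseline="aes128-cbc"):
    """Return (cipher, baseline_time / cipher_time, legacy) sorted fastest first."""
    means = parse_results(text)
    rows = [(c, round(means[baseline] / t, 2), is_legacy(c)) for c, t in means.items()]
    return sorted(rows, key=lambda row: row[1], reverse=True)

def fastest_current(text, baseline="aes128-cbc"):
    """Fastest cipher that is not marked legacy, as (cipher, relative)."""
    return next((c, r) for c, r, legacy in relative_performance(text, baseline) if not legacy)

if __name__ == "__main__":
    for cipher, rel, legacy in relative_performance(RESULTS):
        print(f"{cipher:14}{rel:5.2f}  {'legacy' if legacy else 'current'}")
```

The failed-run check matters because a cipher the installed ssh rejects makes scp exit almost immediately, and without it that near-zero elapsed time would rank as the fastest result.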

System.exit(0) Universe Terminated

May 8, 2008

I’m always interested in cool things running Java, mostly because I’m a nerd, but also because it annoys people when I tell them how cool Java is and let’s face it – that’s a fair bit of fun in itself :-)

Anyway,  the Large Hadron Collider uses Linux, Java and other platforms with both Linux and Java playing a major role in the control systems.   So, how does Java lead to the end of the universe? Well, of course that is a ‘tongue-in-cheek’ view of the legal challenge raised against the LHC where it is speculated that the LHC could create a variety of conditions leading to the end of us all (read more over at wikipedia).   Let’s hope no one leaves a stray System.exit() in the code and accidentally destroys the universe – that really would be a poor programming practice  :-)

The list of really cool practical applications of Java and Linux technology continues to grow.  It seems to me that the LHC is possibly the biggest machine ever created – are there others bigger?

building netbeans from source on ubuntu

April 21, 2008

Everyone needs a hobby.   Clearly I don’t have one.

I’ve decided that I want the latest and greatest set of features (and bugs) for netbeans so I’m installing netbeans from the code repository and building it on my currently preferred platform (ubuntu 8.04 – yes I know it’s a beta which is only more proof that I need a hobby).

I prefer to do all my bleeding edge test builds on the ’server’ version of ubuntu – why?  I like small footprint build systems that only have the required packages to satisfy my build.  I guess I just don’t like packages sitting there looking at me and this way I know exactly what’s required to make it work on my primary desktop system later.  ie. I can do everything in an experimental manner in the VM and develop detailed documentation of what is required to implement it on other systems.

So, going from the top, I’ve created a brand new hardy server as a VM so that I have a clear view of everything that is required to get the job done.   If your system already has some of the pre-req software loaded then great.

netbeans uses mercurial so to get the source code you need that installed

~$ sudo apt-get install mercurial
~$ mkdir netbeans && cd netbeans
~/netbeans$ hg clone http://hg.netbeans.org/main/
destination directory: main
requesting all changes
adding changesets
adding manifests
adding file changes
added 78686 changesets with 365473 changes to 80849 files
77968 files updated, 0 files merged, 0 files removed, 0 files unresolved

note: to build netbeans we need a few tools, first of them is ant which will drag in a number of dependencies.

sudo apt-get install ant ant-optional
Reading package lists… Done
Building dependency tree
Reading state information… Done
The following extra packages will be installed:
.
.
.

and given that there are issues using gcj  to build netbeans (and I really can’t be bothered looking closer to tell you the truth) I suggest not bothering and just install the sun jdk (note: java5 is required and anything higher won’t work at the time of writing this).  Also, don’t forget the ant-optional otherwise you will get complaints about regexp during compilation.

~/netbeans$ sudo apt-get install sun-java5-jdk

Add the following to your ~/.nbbuild.properties file

nbjdk.home=/usr/lib/jvm/java-1.5.0-sun
build.compiler=extJavac
javac.compilerargs=-J-Xmx512m

and the following to your ~/.antrc file

ANT_OPTS=-Xmx384m

~/netbeans$ ant -f main/build.xml

and hey presto netbeans should be built (it will take some time).   Now as I’m ssh -X into this server I also need to ensure the xauth package is installed

~/netbeans$ sudo apt-get install xauth

and then I can try out the newly compiled netbeans using

~/netbeans$ ant -f main/build.xml tryme

which should see the netbeans splash screen appear and I can start using the latest development version of netbeans.   Of course, this means you have to deal with any bugs, performance problems and mysterious quirks yourself.   Join the mailing lists and enjoy.

Now that I have a very good understanding of what is required to get netbeans built from source I am confident that doing so will not interfere with anything else running on my primary development system.  Using the results of the above exploration it should be a simple matter of matching the package requirements, rsync-ing over the downloaded repository and you’re good to go.