The open-source Xen virtualization hypervisor project is out today with a major milestone update providing improved performance and enhanced security features. The Xen Project is run as a Linux Foundation Collaborative Project and has multiple stakeholders, including Intel, Citrix, Amazon and Rackspace.
Among the new features in the Xen 4.5 update are capabilities aimed at reducing the impact of the so-called “noisy neighbor” issue in multitenant cloud and data center environments.
“The noisy neighbor is the situation where you have two processes, A and B,” Donald Dugger, virtualization architect at Intel, explained to eWEEK. “Process A can be noisy in that it runs an algorithm that dirties many entries in the cache, evicting cache entries for process B and thereby slowing down process B.”
As part of Xen 4.5, Intel's Cache Monitoring Technology (CMT) is now supported, which allows users to track how much cache each process is using and to identify the noisy ones, according to Dugger; that is, the "process A" workloads that consume a disproportionate share of the cache. In Xen the monitoring is exposed per guest domain rather than per process, since the hypervisor's unit of scheduling is the virtual machine.
Lars Kurth, Xen Project Advisory Board member, explained to eWEEK that CMT is an Intel-only feature. It is part of a new set of Intel hardware features to monitor CPU utilization as well as enable fine-grained monitoring and control of CPU resources.
“This is very interesting for the enterprise and cloud segments, in particular in multitenant environments where many different workloads run on one host,” Kurth said.
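As an added illustration (not code from the article or from the Xen Project), the following script shows how an operator would turn CMT data into a noisy-neighbor check. In Xen 4.5 the per-domain figures come from `xl psr-cmt-attach <domid>` followed by `xl psr-cmt-show cache_occupancy`; the sample text embedded below is constructed in the approximate whitespace-aligned layout of that command and is an assumption, as is the hypothetical function name `noisy_domains`. The script flags any domain whose L3 occupancy on a socket exceeds a percentage threshold of that socket's cache.

```shell
#!/bin/sh
# Constructed sample in the approximate layout of `xl psr-cmt-show cache_occupancy`
# on Xen 4.5 (assumption: header line, one "Total L3 Cache Size" line, then one
# row per attached domain with "<occupancy> KB" per socket). Not real output.
SAMPLE_CMT='Total RMID: 56
Name                                        ID      Socket 0      Socket 1
Total L3 Cache Size                               30720 KB      30720 KB
Domain-0                                     0     1536 KB        1024 KB
tenant-a                                     3    22528 KB          64 KB
tenant-b                                     5     2048 KB        1536 KB
tenant-c                                     7       64 KB       24576 KB'

# noisy_domains THRESHOLD_PCT [cmt_output]
# Prints "name socket pct" for every domain whose L3 occupancy on some socket
# exceeds THRESHOLD_PCT percent of that socket's total L3 size.
# Reads the constructed sample when no second argument is given; in practice
# pass "$(xl psr-cmt-show cache_occupancy)". Assumes domain names have no spaces.
noisy_domains() {
    threshold="$1"
    printf '%s\n' "${2:-$SAMPLE_CMT}" | LC_ALL=C awk -v thr="$threshold" '
        /^Total RMID/ { next }
        /^Name/       { next }
        /^Total L3 Cache Size/ {
            # Fields: Total L3 Cache Size <size> KB <size> KB ...
            n = 0
            for (i = 5; i <= NF; i += 2) size[n++] = $i
            next
        }
        NF >= 4 {
            # Fields: <name> <id> <occ> KB <occ> KB ...
            name = $1
            s = 0
            for (i = 3; i <= NF; i += 2) {
                pct = 100 * $i / size[s]
                if (pct > thr) printf "%s %d %.1f\n", name, s, pct
                s++
            }
        }'
}

# Flag anything holding more than a quarter of a socket's L3.
noisy_domains 25
```

With the constructed sample, a 25 percent threshold flags tenant-a on socket 0 and tenant-c on socket 1; Domain-0 and tenant-b stay under the line. The threshold is a policy knob: on a real host it should be set against the observed baseline of well-behaved tenants, and a domain must have been attached with `xl psr-cmt-attach` before it appears in the output at all.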
Another key new feature in Xen 4.5 is known as PVH (Para Virtualization Hardware), a mode that runs a paravirtualized guest inside a hardware-virtualized container and so enables Xen to utilize Intel hardware extensions including VMX (Virtual Machine eXtensions) and EPT (Extended Page Tables).
“It [PVH] improves performance because the hardware has become very quick for nested page tables handling and other hypervisor-related operations,” Stefano Stabellini, senior principal software engineer at Citrix, told eWEEK.
Stabellini noted that PVH improves security because the guest kernel does not share the same address space with the hypervisor and as such helps to reduce the hypercall interface exposed by Xen.
Security is also enhanced in Xen 4.5 with improved introspection of virtual guests. Xen has supported an introspection API for PV (Paravirtualization) guests only, via LibVMI, since Xen 4.1, according to Kurth.
“The improvements allow introspection of HVM [Hardware Virtual Machine] guests using Intel EPT/AMD RVI hardware features, enabling the creation of malware detection software running in a dedicated privileged virtual machine,” he said.
Xen 4.5 Boosts Virtualization Security
Kurth added that the Xen development community has also been working on enabling introspection on ARM guests, but it wasn’t fully completed for Xen 4.5. The expectation is that the ARM introspection changes will make it into Xen 4.6, he said.
Overall ARM support has nonetheless improved in the Xen 4.5 release, notably with a much larger guest memory limit.
“Previously we only supported a little less than 1GB of memory per VM on ARM,” Stabellini said. “Raising the maximum amount of guest memory from 1GB to 1TB is a huge step forward and puts Xen on ARM at the same level of Xen on x86.”
Xen 4.6
Looking forward to the rest of 2015, the Xen Project is working on a number of initiatives. While the release date for the next Xen milestone update has not been announced, Stabellini said it will likely be in the third quarter of the year.
Among the features expected to land in a Xen update later in 2015 is support for guest NUMA (Non-Uniform Memory Access). Stabellini explained that the feature would export NUMA topology information to virtual machines, allowing the guest operating system to make smarter choices about memory allocation.
“In addition, we have a few interesting ideas on how to further improve hypervisor security and the performance of paravirtualized IO protocols, disk and network in particular,” Stabellini said.
Kurth also expects continued focus on Xen security hardening throughout 2015. The Xen hypervisor is widely deployed in public cloud infrastructures including Amazon, IBM and Rackspace. On Oct. 1, 2014, the Xen Project publicly disclosed a critical flaw that it had already fixed before the disclosure; rolling out that fix had forced a reboot of public cloud instances.
From Kurth’s perspective, 2015 will also be about continuing to grow the Xen community, not just in terms of participation but also in terms of process. He noted that the code contributions from new participants in the Xen community are important, as is the ability within the existing community to be able to review contributions.
“One of the challenges we are facing as a community today is that we have many newcomers who are still learning how to effectively work with the community,” Kurth said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.