Information Technology Reference
In-Depth Information
In the OSV model, all processes share the same operating system kernel, which
must provide a robust mechanism to prevent two different VEs from interact-
ing directly. Without this isolation, one VE could affect the operation of another
VE. The kernel must be modified so that the typical interprocess communication
(IPC) mechanisms do not work between processes in different VEs, at least in a
default configuration. The network stack can be modified to block network traffic
between VEs, if desired. Existing security features can be enhanced to provide
this level of isolation.
OSV implementations are usually very lightweight, taking up little disk space,
consuming little RAM, and adding very little CPU overhead. Nevertheless, al-
though they can easily mimic the same operating system, most of them do not
provide any ability to appear as another operating system.
Another strength of this model of virtualization relates to the possibility of
hardware independence. Because a physical computer is not being simulated, an
operating system that runs on multiple CPU architectures can potentially provide
the same feature set, including OSV features, on different types of computers.
1.2.3.1 Failure Isolation
All isolation of software and hardware failures must be provided by the operating
system, which may utilize hardware failure isolation features if they exist. For ex-
ample, the operating system may be able to detect a hardware failure and limit the
effects of that failure to one VE. Such detection may require hardware features to
support this functionality.
The isolation between processes in different VEs can also be used to minimize
propagation of software or hardware failures. A failure in one VE should not affect
other VEs. This is easier to achieve if each VE has its own network services, such
as
sshd
.
Further, the operating system must prevent any event that is occurring in one
VE from affecting another VE. This includes unintentional events such as soft-
ware failures, or actions taken by a successful intruder.
To be both robust and efficient, these hardware and software features must be
tightly integrated into the OS implementation.
1.2.3.2 Operating System Features
All of the necessary functionality of OSV is provided by the OS, rather than by
hardware or an extra layer of software. Usually this functionality is provided via
features integrated into the core of the OS. In some cases, however, the features
are provided by a different organization or community and integrated on-site,
with varying levels of application compatibility.
The shared kernel offers the possibility for a privileged user to observe all pro-
cesses running in all VEs, which simplifies the process of performance analysis
Search WWH ::
Custom Search