Virtualization and
Containerization
ST0263 – Special Topics in Telematics
Table of Contents
01 Virtualization
02 Containerization
Context
Traditional Application Deployment
Application Deployment Technologies
• Virtualization.
• Containerization.
Virtualization
Overview
• The growth of the IT industry worldwide in the late 1990s and early 2000s brought with it a significant demand for IT infrastructure resources.
• At that time, the concept of virtualization emerged as an innovative and revolutionary solution.
• In this sense, virtualization is not a new concept…
• Cloud computing relies on, and is supported by, virtualization.
Virtualization
• PCs usually run only one operating
system
• Switching OS or instances requires a
separate machine
• Virtualization enables running two or
more operating systems concurrently
on the same hardware
Virtualization
• Virtualization refers to creating a virtual
version of a device or resource such as
a server, storage, or network, where the
framework divides it into one or more
execution environments.
• This is enabled by a software technique
implemented through the concept of
hypervisor.
• The hypervisor acts as the interface
between the operating system and the
hardware.
• A virtual machine (VM) is essentially a
software package that can be loaded
onto a host to run specific applications.
• Thus, multiple VMs can coexist on the
same host, provided there is enough
memory to support them.
Virtualization Drivers
Business Impact
• Tens of thousands of
companies achieved
significant savings
• Enabled server
consolidation and data
center transformation
• Simplified software
development and testing
• Enhanced business
continuity and fault
tolerance
Challenges of Virtualization
• Initial reluctance from software vendors
• A single hardware failure can impact
multiple VMs
• Storage management complexity
• High VM consolidation increases server
complexity
• Performance overhead compared to bare
metal
• Security and isolation risks
• Licensing and hidden costs
• Network management challenges
• Operational scalability requirements
Hypervisor (VMM)
What is a Hypervisor?
• Function that abstracts OSs and
applications from the underlying
hardware
• Allows multiple OSs to share a
single physical machine
• Allocates resources to each OS and
ensures isolation between VMs
• Type 1 – Bare Metal
• Runs directly on hardware (no host OS)
• High performance, fewer vulnerabilities
• Examples: VMware ESXi, KVM, Microsoft Hyper-V, Citrix XenServer
• Type 2 – Hosted
• Runs on top of a host operating system
• Easier to use on PCs/servers, but less efficient
• Examples: VMware Workstation/Fusion, Windows Virtual PC, Parallels Desktop, VirtualBox
Virtual Machines
• A VM is a software computer that runs an OS and applications like
a physical machine
• Backed by host hardware resources (CPU, memory, storage,
network)
• Each VM is isolated and runs independently from others
• Provide virtual devices equivalent to physical hardware, plus
benefits:
• Portability
• Manageability
• Security
Virtual Machines
• Core Components
• Virtual CPU (vCPU): mapped to host
CPU
• Virtual Memory (vRAM): backed by host
RAM
• Virtual Disk (VMDK): stores OS,
applications & data
• Virtual Network Interface (vNIC):
enables network connectivity
• Virtual BIOS/UEFI: firmware to boot the
VM
• Key Files
• .vmx: configuration file (VM settings)
• .vmdk: virtual disk file (data storage)
• .nvram: stores BIOS/UEFI settings
• .log : activity and error logs
• .vmsd / .vmsn: snapshot metadata &
state files
Virtualization Operations
• A virtual machine can be multiplexed across hardware machines.
• A virtual machine can be suspended and stored on stable storage.
• A suspended machine can be provisioned on new hardware.
• A virtual machine can be migrated from one hardware platform to another.
Conditions for Efficient Virtualization
• Conditions for efficient virtualization (from Popek and Goldberg):
• A program running under the VMM should exhibit a behavior
essentially identical to that demonstrated when running on an
equivalent machine directly.
• The VMM should be in complete control of the virtualized
resources.
• A statistically significant fraction of machine instructions must
be executed without the intervention of the VMM. (Why?)
The x86 Virtualization Challenge
x86 Privilege Levels
• Ring 0: Most privileged (OS kernel)
• Ring 1-2: Rarely used
• Ring 3: Least privileged (user
applications)
The Problem
• OS expects to run in Ring 0 (full
hardware control)
• Virtualization layer needs Ring 0 for
isolation and performance
• Some sensitive instructions cannot be
effectively virtualized
• Different behavior when not executed
in Ring 0
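As an added example (not part of the slides), the Popek and Goldberg condition and the x86 problem described above can be checked mechanically. The instruction table and the trace are constructed for the example; POPF, SGDT and SMSW are, however, real x86 instructions that are sensitive yet do not trap when executed outside ring 0.

```python
# Added example (not from the slides): Popek & Goldberg's condition and the
# x86 problem, checked against a constructed instruction table and trace.
from dataclasses import dataclass
@dataclass(frozen=True)
class Instr:
    name: str
    privileged: bool  # traps when executed outside ring 0
    sensitive: bool   # reads or changes machine configuration/state
# Illustrative table, not a full ISA. POPF, SGDT and SMSW are real x86
# instructions that are sensitive yet do not trap outside ring 0.
X86 = {i.name: i for i in [
    Instr("mov",  privileged=False, sensitive=False),
    Instr("add",  privileged=False, sensitive=False),
    Instr("lgdt", privileged=True,  sensitive=True),
    Instr("hlt",  privileged=True,  sensitive=True),
    Instr("popf", privileged=False, sensitive=True),
    Instr("sgdt", privileged=False, sensitive=True),
    Instr("smsw", privileged=False, sensitive=True),
]}

def unvirtualizable(isa):
    """Popek & Goldberg: trap-and-emulate works when every sensitive
    instruction is also privileged. Return the instructions that break this."""
    return sorted(i.name for i in isa.values() if i.sensitive and not i.privileged)

def classify_trace(isa, trace):
    """Simulate a guest kernel deprivileged out of ring 0 under a VMM.
    native: runs directly; trapped: handled by the VMM;
    silent: sensitive but does not trap, so it behaves incorrectly."""
    counts = {"native": 0, "trapped": 0, "silent": 0}
    for name in trace:
        instr = isa[name]
        if instr.privileged:
            counts["trapped"] += 1
        elif instr.sensitive:
            counts["silent"] += 1
        else:
            counts["native"] += 1
    return counts

def native_fraction(counts):
    """The 'statistically significant fraction' the third condition asks for."""
    total = sum(counts.values())
    return counts["native"] / total if total else 0.0

if __name__ == "__main__":
    trace = ["mov"] * 90 + ["add"] * 5 + ["lgdt", "hlt", "popf", "sgdt", "smsw"]
    print(unvirtualizable(X86))        # ['popf', 'sgdt', 'smsw']
    print(classify_trace(X86, trace))  # {'native': 95, 'trapped': 2, 'silent': 3}
```

The "silent" count is exactly the x86 problem: those instructions neither trap nor behave as the guest kernel expects, which is what binary translation, paravirtualization and VT-x each fix in their own way.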
Three Virtualization Techniques – x86
1. Full Virtualization with Binary Translation
2. OS Assisted Virtualization (Paravirtualization)
3. Hardware Assisted Virtualization
Each technique addresses the challenge of sensitive and
privileged instructions differently
Binary Translation
How It Works
• The guest OS can run without any modifications, as if it were
executing directly on the hardware.
• Direct Execution: User-level code runs natively.
• Binary Translation: Converts non-virtualizable kernel instructions
• “The hypervisor translates all operating system instructions on the fly
and caches the results for future use, while user level instructions run
unmodified at native speed”.
• VMM runs in Ring 0, guest OS in user-level ring
• No guest OS modification required
Key Advantages
• Complete isolation: Best security for VMs
• Universal compatibility: Works with any x86 OS
• Simplified migration: Same OS runs virtualized or native
• No hardware requirements: Works on any x86 system
Examples
• VMware virtualization products
• Microsoft Virtual Server
Hardware Assisted Virtualization
How It Works
• “a new CPU execution mode feature that allows the VMM to run in a new root mode below ring 0. As depicted in Figure 7, privileged and sensitive calls are set to automatically trap to the hypervisor, removing the need for either binary translation or paravirtualization” (from the VMware paper).
First Generation Features (2006)
• Intel VT-x and AMD-V technologies
• New CPU execution mode (root mode below Ring 0)
• Automatic trapping of privileged calls to hypervisor
• No binary translation or paravirtualization needed
Current Limitations
• High hypervisor-to-guest transition overhead
• Rigid programming model
• VMware's binary translation often outperforms
• Limited software flexibility
VMware Usage
• Primarily for 64-bit guest support on Intel processors
• Full potential not yet realized in first generation
Hardware Assisted Virtualization
• 2005: Intel released first Pentium 4 processors with VT-x
support
• Both Intel and AMD recognized virtualization's importance
during 32-bit to 64-bit transition.
• Intel VT-x became critical for efficient 64-bit VM virtualization
• BT64 was inefficient on Intel CPUs (lack of segment limit checks in 64-
bit mode)
• AMD introduced AMD-V with similar goals but different
implementation details
Hardware Assisted Virtualization
• VT-x supports two distinct modes of operation:
• VMX Root Mode
• Purpose: VMM (Virtual Machine Monitor) operations
• Privilege: Complete control over system
• Role: Hypervisor executes in this mode
• VMX Non-Root Mode
• Purpose: Support VM execution
• Privilege: Restricted - certain instructions trigger exits
• Role: Guest OS and applications run in this mode
Hardware Assisted Virtualization
ESXi Architecture
Virtual Switch
Containerization
Context
• There is currently a strong
movement to shift application
deployment from virtual
machines to containers…
• Among the main reasons, the
following stand out:
• Flexibility and lower cost compared
to virtual machines.
• The popularity of containers is
growing exponentially.
• As more containers are adopted
and used, it becomes necessary to
manage and orchestrate them.
Definition
• A container is a way of packaging an
application and all its dependencies so
that it can be moved across environments
and run without changes.
• In this way, a container “contains” an
application and its dependencies such as
libraries and frameworks.
• Containers work in such a way that the differences between applications are encapsulated within the containers…
• Multiple containers can run on the same
host.
• Containers can decouple applications
from the operating system.
Benefits of Containers
Challenges of Containers
• They are based on operating-system virtualization rather than hardware virtualization.
• Their purpose is to abstract an operating system and include applications or tasks, along with all their dependencies.
• Containers are portable, self-contained objects that can be easily manipulated by the software layer that manages a large virtual computer.
This allows developers to choose the most suitable programming languages and software systems, and eliminates the need to copy production code and install the same configuration in different environments.
Virtual Machines vs Containers
Use Cases for Containers
Combining Microservices Architecture and Containers
• Loosely coupled services…
• Autonomous, independently deployed services…
DevOps
• Develop, distribute and run software.
On-premise, Cloud, Hybrid and Multi-Cloud
• Containers run in different environments…
Application modernization…
Docker
What is Docker?
• Docker is an open source project for building, distributing and running software applications as containers.
• It was released in 2013…
• Two important concepts in Docker:
• Image…
• Container…
Docker Architecture
• Docker uses a client/server architecture.
• Client and daemon can coexist on the same machine.
• Clients communicate with the server through a REST API, sockets or a network interface.
• Docker client:
• It is the main way the user communicates with the Docker engine…
• Commands are sent through the API to the Docker daemon, which executes them.
• The clients are the CLI and Docker Compose.
• Docker daemon:
• It is the process that listens for client requests and carries out the task.
• It manages Docker objects: images, containers, networks, volumes, etc.
• Docker registries:
• A registry stores Docker images.
• Docker Hub is a public registry that anyone can use. Docker is configured by default to use Docker Hub.
Docker Objects
• Images:
• An image is a read-only (immutable) template for creating a container.
• Usually you build an image from another image… and add the customizations you need.
• You can build your image from a file called a Dockerfile.
• An image contains everything needed to run your application.
• Containers:
• A container is a running instance of an image.
• You can create, start, stop, move and delete a container through the CLI.
• A container can be connected to one or more networks and attached to storage.
• In general terms, a container is well isolated from other containers.
• Keep in mind that when you remove a container, any change to its state that was not written to persistent storage is lost…
Building an image…
• Images are built from a Dockerfile.
• A Dockerfile is simply a text file that contains all the commands a user would run to create the image.
• Each Docker instruction/command creates a new layer on top of the previous one.
Docker Instructions
• Example Dockerfile:
    FROM ubuntu:18.04
    COPY . /app
    RUN make /app
    CMD python /app/[Link]
FROM:
• Defines a base image.
RUN:
• Executes commands…
ENV:
• Sets environment variables…
ADD/COPY:
• They are similar; both copy files into the image.
CMD:
• Provides the command to run when the container starts.