All right, good morning. So today is going to be the last lecture, and after that we'll review for the final and stuff like that. Depending on the material, I'll either do a lecture or just hold open office hours. I'll also be here on the optional Thursday, and I'll probably just use that for open office hours too, and hopefully we can do some review; post questions on Discord that you want me to go over. The final will be in person, so it will be kind of like the quizzes. Any questions, or anything you want me to go over for that, just let me know. And if you have a regrade request for quiz three, you can email Ashvin; I made an announcement on Discord and there's a Piazza post. So our last topic will be virtual machines, which won't be covered on the final, but it's a good thing to know about, since you will encounter virtual machines nowadays. You might even encounter them as soon as you leave this course, because they make a lot of things easier, and if you've ever used a cloud service or anything like that, you've used a virtual machine, even if you don't quite realize it. So what virtual machines do is abstract the entire machine.
So just like a process abstracts a CPU, a virtual machine abstracts the whole machine. Our goal here is to run multiple operating systems on a single machine, and because of the abstraction, each of them should think it has access to the entire machine, even though there might be multiple operating systems all running and sharing that same machine. From the point of view of a single operating system, it believes it's the only one running, similar to how a process thinks it has the entire address space to itself and thinks it's the only process running (you can actually do some queries to figure out what other processes there are, but in general that's the illusion). So for virtual machines, the host has direct control over the hardware, not the kernel as we have known it so far. There are different names for this: sometimes people call it a hypervisor, sometimes a virtual machine monitor, or VMM. What it does is control the virtual machines: when you can create one, management of them, isolation, like what hardware each has access to. So maybe you've decided to download, I don't know, Red Star OS. Anyone ever heard of that? That is the official operating system of North Korea. If you download that, you probably don't want to run it on your actual hardware; if you're curious, you might want to install it in a virtual machine, and probably not give it network access. So if you want to explore what's going on in North Korea, you can do something like that. That's one thing virtual machines are good for: just testing. Or say you're doing kernel development or something like that. Well, we know that if your kernel has a bug in it and seg faults or does something like that, well, it's not a process.
No one's there to save you. If your kernel seg faults, your system just crashes, and it will be very, very difficult to debug. Instead of that, you can just run your kernel in a virtual machine, and then it doesn't actually bring your whole computer down and you actually have a hope of debugging it. So there are two kinds of hypervisors that you'll see pop up, creatively called type 1 and type 2. Type 1 is a bare-metal hypervisor that runs directly on the host hardware, so it requires some special hardware support that we'll see. Type 2 is essentially a hosted hypervisor that just simulates what a hypervisor would do: it runs as any old application and uses some tricks to provide a kind of fake hypervisor. It's slower, but it doesn't require any special hardware; your hypervisor just runs as a process, runs other kernels, and does some tricks to handle that. In this terminology, a guest is the operating system or kernel that is running via this hypervisor, and it sees its own virtual copy of the host. It might see the CPU but only a subset of the cores, something like that, so a subset of what's on the host. It can also create some emulated hardware: even if you don't have a network card, you can tell the virtual machine "hey, I have a network card" and then monkey around with where that output goes, but to the virtual machine it just looks like a network card. So here's a diagram of what it looks like. We're used to what happens on the left in (a): we have a bunch of processes, and there's a programming interface so we can talk to the kernel, which is the system call interface.
The one we all know and love. The kernel, in a different CPU mode, then talks directly to the hardware; processes never talk directly to the hardware. In the virtual machine case, in (b) on the right, we have multiple kernels on our machine, and they are all allocated different virtual machines: here we have virtual machines 1, 2, and 3. Then there's an interface for each of the virtual machines to call into the virtual machine monitor, or hypervisor, and that is what talks directly to the hardware. It should be noted here that virtual machines are not emulation. Emulation typically means translating one ISA, or instruction set architecture, to another one, for example x86-64 to ARM or RISC-V or what have you. In this case we're assuming the guest operating system executes instructions directly, using the same instruction set architecture; otherwise we would have to translate every single instruction, which is going to be really, really slow. It's okay for some uses: if you want to write yourself a Nintendo emulator, which is a fun little project to do, well, you can do that, because it's an 8-bit CPU that runs at about 1 MHz, so actually emulating all the instructions and translating them yourself is quite easy to do. A virtual machine could use emulation to run a guest for a different ISA, but your performance is going to suffer a lot (some of the Macs are pretty good at translating x86 to ARM, but that requires specialized hardware, and in general it would be slow). Yeah? [Student asks what an instruction set architecture is.] So those are the actual instructions, like whether they're formatted as x86, ARM, or RISC-V. One of the cool things virtual machines enable is pause and play. Much like our kernel can pause a process, put it to sleep, and resume it later.
Well, a hypervisor can pause an entire operating system, so all the concepts you know for switching processes pretty much apply to switching between kernels. The hypervisor would just need to context switch between virtual machines, and it would do the exact same thing as if it were switching processes: save the current state and restore it later. The only difference is that it would also save registers and values that are accessible only to CPU instructions running in kernel mode, so it saves more registers, but other than that it's fundamentally the same thing as switching processes. And of course, because you can do that, you can move it around like a process; you could even move it across machines if you really wanted to. That is also how cloud machines work. Amazon, on AWS, will have a bunch of servers and give you a virtual machine, and they're not sure how you're going to use it. They might be unlucky: say they put 10 virtual machines on a single actual box, actual hardware, and then everyone starts using it and it's really, really overloaded. Well, what Amazon can do is move some virtual machines that are using a lot of resources to a machine that is otherwise idle, to spread out the load, and you as a user will not actually know that your virtual machine has completely moved to different hardware. It's done completely transparently to you. So that's a cool thing with virtual machines, and it actually makes your life easier if you have to manage a bunch of servers: if you just give everyone a virtual machine, it's easy to back them up, move them around, stuff like that. They also provide some protection through isolation.
Like processes, the guests are all going to be isolated from each other, and hopefully from the host. If you're the hypervisor, in addition to deciding which CPU cores the virtual machines have access to, you can set limits on CPU time, you can limit how much memory they use, and you can limit how much network utilization they get. The thing about that is, if a guest gets compromised, or hacked, or just misbehaves for some reason, well, it only has access to its own virtualized hardware and won't actually bring down the machine for everyone else using it. And if you need to recover, well, you can easily roll back the virtual machine or just remove it completely, and the other virtual machines aren't affected by it, other than probably getting their fair share of CPU time again. They also help with consolidation, which is what I was talking about before. In data centers like Amazon's there are going to be lots and lots of servers running, and often a bunch of them are going to be idle; also, you could have servers with different purposes sharing the same hardware. So if you start off initially with just a small site, well, a good thing to do might be to create a virtual machine for your database and a virtual machine for your website. Originally, when you have a low number of people coming, well, all those virtual machines can run on a single physical machine, because there's not that much traffic. Then once you get a lot of traffic, what you can do is just move the database virtual machine to its own physical machine and keep the web server on its own physical machine, and without changing anything other than some configuration, well, now you have a web server that can handle a lot more, and you didn't actually have to change anything. So that's one technique people usually use: instead of having lightly used physical systems, they just make everything into a
virtual machine ahead of time, and that gives them the flexibility to juggle things around, move things to different servers, or consolidate them if they need to. So here our key abstraction is a virtual CPU, which tries to abstract the entire CPU. For processes, it was part of the process control block that acted as a virtual CPU, but it didn't virtualize all parts of the CPU, just enough for user-mode processes: it just saved the registers and made sure that you have a stack. For virtual machines, a virtual CPU is a data structure that stores the entire state of the CPU, so that also includes, like I said before, all of the kernel-mode-specific registers and everything like that. Then, whenever there's a context switch, the hypervisor saves all of those while the guest isn't running, and when the virtual machine goes ahead and resumes, just like when a process gets context switched back in via the process control block, it's just going to load all that data and resume execution as normal. Nothing changes in the guest.
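To make that concrete, here's a toy Python sketch of what a virtual CPU data structure might hold and what a hypervisor-level context switch would save and restore. All the field and key names here are invented for illustration; a real hypervisor such as KVM tracks far more state than this.

```python
from dataclasses import dataclass, field

@dataclass
class VirtualCPU:
    # State a process control block would already save for a user process:
    general_regs: dict = field(default_factory=lambda: {f"x{i}": 0 for i in range(32)})
    pc: int = 0
    stack_pointer: int = 0
    # Extra state only a hypervisor needs to save: kernel-mode-only registers.
    mode: str = "kernel"          # what mode the guest believes it is in
    page_table_base: int = 0      # e.g. satp on RISC-V, CR3 on x86 (illustrative)
    trap_vector: int = 0          # where the guest kernel handles traps
    interrupts_enabled: bool = True

def context_switch(current: VirtualCPU, next_vcpu: VirtualCPU, live_state: dict) -> dict:
    """Save the running guest's full CPU state, then hand back the next guest's.

    live_state is a stand-in for the real hardware registers at switch time.
    """
    current.general_regs = dict(live_state["regs"])
    current.pc = live_state["pc"]
    current.page_table_base = live_state["page_table_base"]
    return {"regs": dict(next_vcpu.general_regs),
            "pc": next_vcpu.pc,
            "page_table_base": next_vcpu.page_table_base}
```

Note that `page_table_base` is exactly the kind of kernel-mode-only value a plain process context switch would never need to touch; that is the whole difference between switching processes and switching virtual machines.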
So the guest still has the same CPU modes: it still has a user mode and a kernel mode like we're used to. There are no changes whatsoever to the guest operating system; it runs just as though it were actually running on real physical hardware. If you take your Linux kernel and put it in a virtual machine, well, it's still going to use all the same privileged instructions. You don't rewrite the kernel or have it behave any differently; it uses all of those kernel-mode instructions and registers as it normally would. Remember, on x86, user mode ran in something called ring 3 and kernel mode was in ring 0. Well, this is how you can tell how old x86 is. Hypervisors are a fairly new thing, new-ish, and the mode that provides hardware hypervisor support on x86, for type 1 hypervisors, is called ring -1, because they obviously ran out of normal numbers. They had to make something that is even more privileged, that can control things running in kernel mode, so they just called it ring -1; that's what happens when you run out of numbers. So the hypervisor is in ring -1. On most other architectures it gets a more sensible name: on RISC-V, it's actually just called hypervisor mode instead of ring -1. Some architectures make more sense than others. And then there are type 2 hypervisors.
Those are the ones where the guest kernel just runs as a normal process. Well, the host has to do something different, because if I don't rewrite the kernel and it uses kernel-mode-only instructions, well, then I can't run it as a normal process, because my normal process runs in user mode. So for a type 2 hypervisor, where you're just running the kernel as a process, you have to do something to emulate all those instructions that can only run in kernel mode, and we'll see some options for that. One strategy, if you are writing a type 2 hypervisor, where the hypervisor runs as a normal process, is something called trap-and-emulate. Again, the guest kernel would be running as a normal process in user mode. Say you just straight up execute the Linux kernel as a process: whenever the CPU encounters a privileged instruction, it's going to generate a trap that says "hey, you don't have access to run this instruction, because you are not in kernel mode, you are in user mode." If you're writing your own hypervisor, you can go ahead and explicitly handle this error. The trap shows up as a signal to you that says "illegal instruction," and then you can handle the signal and say, okay, I'll handle this: I will emulate whatever that instruction is supposed to do in kernel mode. So you'd have to know how the hardware actually works. You go ahead and emulate that instruction in your process, then you just skip that instruction and go to the next one. You simulate or emulate it, and then you just resume executing the kernel as you would normally, and the next time you hit another kernel-mode-only instruction, the same thing is going to happen.
You get a trap and you have to simulate it again. This will slow down otherwise-native execution only for kernel-mode-only instructions: if an instruction doesn't need any special privilege, it just executes normally and doesn't generate a trap. So this is what it kind of looks like visually. This is a type 2 hypervisor, so your guest is just running as a normal user process. If it tries to execute a privileged instruction that can only be run in kernel mode, well, it's in user mode, so the host operating system, whatever it is, generates a trap, and then you handle it: "oh, that's an illegal instruction, you can't execute some instruction that, I don't know, modifies the page table pointer or something like that." So then you go ahead and emulate it, handle that signal, and update your copy of the virtual CPU, which keeps track of all the kernel-specific state (you'd have to know the details of the hardware). Then you return to just executing the code normally, and as soon as you hit another privileged instruction, this happens again, and it goes on and on like that until, eventually, your guest kernel switches itself into user mode, and then everything runs exactly the same. But before that, whenever it executes a kernel-mode instruction, you're going to have to trap and emulate it. Funnily enough, that seems like it would work, but it doesn't always work. Some CPU architectures weren't designed with virtual machines in mind, especially x86. This would work if there were a clear subset of instructions that only work in kernel mode and not in user mode, so that if you tried to execute them, you would get a trap. Well, on x86, they didn't believe in this: on x86, there are some instructions that behave completely differently depending on the CPU mode.
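The trap-and-emulate loop described above can be sketched like this. The "instruction set" is completely made up for illustration: `add` stands in for an unprivileged instruction that runs natively on the fast path, and `set_page_table` stands in for a privileged instruction that traps in user mode and gets emulated by the hypervisor.

```python
class Trap(Exception):
    """Stands in for the CPU refusing a privileged instruction in user mode."""
    pass

def execute_native(vcpu, instr):
    op, arg = instr
    if op == "add":
        vcpu["acc"] += arg        # unprivileged: runs directly, no trap
    else:
        raise Trap(instr)         # privileged instruction in user mode: trap

def emulate_privileged(vcpu, instr):
    op, arg = instr
    if op == "set_page_table":
        # The hypervisor knows what the instruction *would* do in kernel
        # mode and applies the effect to its virtual CPU instead.
        vcpu["page_table_base"] = arg

def run_guest(program):
    vcpu = {"acc": 0, "page_table_base": 0, "pc": 0}
    while vcpu["pc"] < len(program):
        instr = program[vcpu["pc"]]
        try:
            execute_native(vcpu, instr)       # fast path: native execution
        except Trap:
            emulate_privileged(vcpu, instr)   # slow path: emulate, then skip
        vcpu["pc"] += 1                       # resume at the next instruction
    return vcpu
```

The key property from the lecture shows up directly: unprivileged instructions pay no cost at all, and only the privileged ones take the slow exception path.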
So the same instruction will do something different if the CPU is in kernel mode than if it gets executed in user mode. One example is the popf instruction, and what that's supposed to do is load the flags register from the stack. Well, depending on what mode you are in, the flags register is different: if you run this in kernel mode, it's the kernel flags register, and if you run this in user mode, it's the user flags register. That was a good idea in the 70s, but it kind of makes creating a hypervisor a pain in the ass in today's modern age. Again, this doesn't generate a trap, so we can't do trap-and-emulate, and if our guest kernel is expecting the kernel-mode behavior and we just blindly execute it, well, the guest thought it was in kernel mode but the instruction behaves as the user-mode version, so it's not going to behave as expected. These instructions are given the name special instructions: instructions that behave differently in the two modes. They need a different approach, something called binary translation. If the guest thinks its virtual CPU is in user mode, you can just run the instructions natively, because there's a match: the virtual machine thinks it's in user mode and the actual process running is in user mode, so we can go ahead and just execute instructions blindly, because they do what we expect. So the difference comes in when you expect it to be in kernel mode.
If it's a special instruction, it needs to be translated into instructions that have the same effect, and the regular instructions we can run natively. It's the same idea as before, where you simulate it, but instead of relying on a trap to know when to simulate, you have to do binary translation. What that means is that while the guest is executing, you're actually inspecting each instruction before it executes. You have to inspect all the instructions whenever the virtual CPU thinks it's in kernel mode, see whether each one is a special instruction, and if it is, simulate it at that point. You would know when this starts: the kernel is going to use an instruction to switch from user mode to kernel mode, and you can capture that, because it's a privileged instruction, so you can handle it with trap-and-emulate. Then you know your virtual CPU is supposed to be in kernel mode, and you can enable binary translation: instead of executing the instructions that should be running in kernel mode directly, you inspect them, check whether they're special instructions, and if they are, you simulate them and carry on. This is going to make things very, very slow: because you're inspecting every instruction before you execute it, you're going to take a performance penalty. But in practice this actually works kind of okay, because typically the kernel stays out of the way and doesn't execute that much. Hopefully your user processes are doing more work than the kernel; otherwise the kernel is not really helping you out.
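Here's a toy sketch of that binary translation pass: whenever the virtual CPU is supposed to be in kernel mode, every instruction in a block is inspected before it runs, and special instructions are rewritten into calls to the hypervisor's emulation routine. The instruction encoding is invented for illustration; `popf` is the one real x86 example from above.

```python
# Instructions that behave differently in kernel vs. user mode without
# trapping, so they can only be caught by inspection, not by a trap.
SPECIAL = {"popf"}

def translate_block(instrs, vcpu_mode):
    """Rewrite a block of guest instructions before letting it run."""
    if vcpu_mode == "user":
        # Modes match: no inspection needed, run everything natively.
        return list(instrs)
    out = []
    for instr in instrs:
        if instr[0] in SPECIAL:
            # Replace the special instruction with a jump into the
            # hypervisor's emulation routine for it.
            out.append(("emulate", instr))
        else:
            out.append(instr)   # regular instruction: still runs natively
    return out
```

The per-instruction inspection in the kernel-mode branch is exactly where the performance penalty the lecture mentions comes from, and the user-mode early return is why guests that spend most of their time in user code still run acceptably.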
It's just kind of heating up your computer and wasting all your power. So this is what it looks like visually, again. If your guest is running and it's supposed to be in kernel mode, then you have to read every single instruction before it executes, scan it to see whether it's one of these special instructions that behave differently, and if it is a special instruction, you translate it: you simulate it, update the virtual CPU, and return and keep on executing the next instruction. Hopefully the next one is not one of these special instructions; then you can just execute it natively, or, if it's a privileged instruction, we can do the trap-and-emulate thing. These approaches are kind of slow, and that is why there's special hardware support for hypervisors. In 2005, Intel introduced its virtualization support, called VT-x, and AMD did the same in 2006 and called it AMD-V. The annoying thing is that they used code names before that, and if you want to enable this on your computer yourself, you might not see the names VT-x and AMD-V even today. Intel originally code-named it Vanderpool and then published it as Virtual Machine Extensions, VMX. So if you want to enable this on your system and you go into your BIOS, it might actually be called Vanderpool, VMX, or VT-x, just depending; they're all names for the same thing, depending on whether you're talking to Intel's R&D or their marketing department. AMD was the same: they had the code name Pacifica and then published it as Secure Virtual Machine, so if you have an AMD system it might be called AMD-V, SVM, or Pacifica, which is really, really annoying. But basically, all these did is enable you to use that concept of ring -1, or hypervisor mode. So what typically happens if you enable this on a modern operating system like Windows or Linux?
Well, when the host kernel boots, running at ring 0, it's going to claim the hypervisor: it claims ring -1, actually knows about it, and manages those instructions, so it manages the hypervisor and also manages itself. It's kind of a race: the first kernel that boots grabs the hypervisor, and now it's responsible for managing the hypervisor in addition to all the stuff it normally does. That means your host kernel, the one that grabbed the hypervisor, can manage isolation for guests and what hardware gets virtualized. Windows will do the same thing: if you enable it, Windows becomes the hypervisor, and that's kind of how WSL, the Windows Subsystem for Linux, works. Windows actually comes with a Linux kernel now and essentially runs it as a virtual machine for you. So now we have to schedule these things, and it's the same problem as with processes. If there's only one CPU on the physical machine, the guest doesn't need to know: you could just lie to the guest and tell it "hey, you have 26 CPUs, go ahead, do whatever you want with them." The host can still present multiple CPUs to the guest, and you're just going to have to manage that yourself: you're going to have to map the virtual CPUs of all the guests to physical CPUs and schedule them. Luckily for us, the scheduling is exactly like scheduling processes, so you can set whatever policy you want; they're going to be the exact same policies. You can do round-robin, you can do something like the Completely Fair Scheduler, you can do whatever you want.
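As a tiny illustration of mapping virtual CPUs to physical CPUs, here's a round-robin assignment sketch, with names of my own invention. It comes out one-to-one when there are enough physical cores, and when cores are overcommitted it also reports which physical cores will need to time-slice; any of the process-scheduling policies above would then run on those shared cores.

```python
from collections import Counter

def assign_vcpus(num_vcpus, num_pcpus):
    """Map every virtual CPU to a physical CPU round-robin.

    With enough physical cores this is one-to-one (no context switching
    needed at all); otherwise some cores are shared, i.e. overcommitted.
    """
    return {v: v % num_pcpus for v in range(num_vcpus)}

def needs_context_switching(mapping):
    """Physical cores hosting more than one vCPU must time-slice them."""
    counts = Counter(mapping.values())
    return {p for p, c in counts.items() if c > 1}
```

For example, 4 vCPUs on 8 physical cores maps one-to-one and nothing needs to switch, while 6 vCPUs on 2 cores puts three vCPUs on each core, and both cores then have to context switch between guests.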
So otherwise Essentially everything we know already transfers over to that so Like with schedulers, we could do the same thing one approach would just be CPU assignment So there's more physical cores on the machine than all the virtual CPUs we just map them one-to-one and the host can continue just using the spare physical cores and That's a and then you don't even have to do contact switching You just give the virtual machine some CPU cores and then you just don't touch them anymore Otherwise if you need to share things get more complicated and something there's something called over committing where there are You don't have enough resources to go around So at equal numbers, you can still map, you know, virtual CPU to physical CPU one-to-one As long as the hypervisor threads don't run that often so they would you know context switch away But typically the hypervisor doesn't need to do that much And then you just use the same old scheduling algorithms So it kind of causes some other additional problems So if the guest operating system sometimes it's going to run too Unpredictably for like soft real-time tasks Because normally when you run your or operating system or kernel it has access to the physical hardware and it manages everything So it can make argues of arguments about timing and all that stuff Well now if you are running it as a virtual machine You now don't have control over how long you have hardware for the hypervisor actually has control over it So if you run something that would normally make all of your you know deadlines on a normal machine That's running just straight on the hardware Well when you move to virtual machine You might miss those deadlines now because the hypervisor could context switch your kernel in and out and It could not actually execute for the full time even though in the kernel. 
it just thinks it's executing the whole time. So, for example, if there were just round-robin scheduling where each time slice is 10 milliseconds, the guest would not get a consistent time slice of 10 milliseconds, because any time it gets context switched out, the gap is going to be longer than that. Your time slices that were consistent running on real hardware are now not going to be consistent, because you're just a guest and you get context switched at will. So in this case, virtualization does cause different observable behavior, which is not something you want. If you are super, super sensitive to timing, you still probably want to run directly on the hardware, where you have more control. Then we get into virtual memory management, because that also gets a lot more complex. Remember, virtual memory allows each process to think it has the entire address space, but now we have to tell one additional lie, because the guest kernel thinks it's managing the entire physical address space, and now we have to virtualize that too, because that is now a lie as well. We want every kernel to think it has access to all the memory, so we need to virtualize the memory for the kernel as well. This problem is even worse if memory is overcommitted, meaning all of the virtual machines together use more memory than there is on that machine, and then the hypervisor has to implement something like paging, the page replacement stuff. For this there's something called a nested page table, which enables virtual memory for guest kernels. So again, the guest thinks it controls all the physical memory.
So again, the guest thinks it controls all the physical memory It keeps on doing What it was doing before so it would manage all of its page tables One for each process and then its own page table for when it when it executes in kernel mode So if you don't do anything the hypervisor is going to maintain a nested page table that does the re translation for the guest So it just waits for the guest to spit out a Virtual address and then it's going to re translate to that what it thinks is a physical address It's actually now a virtual address Then the hypervisor is going to translate that virtual address to physical address So that's going to be much much slower So you can create something called a nested page table which Will make the memory controller actually use the guest kernels page tables as part of it So you don't have to do this two-step translation process You can just do an additional hop and that way it's much much faster. Most of the speed up from using you know hardware supported hypervisors as opposed to like a type 2 hypervisor is because virtual memory Translation is going to be a hell of a lot faster If you can actually just nest the page tables because you're getting rid of one whole One whole path of translation. So you're just nesting them together And then if it's over committed the hypervisor can provide something called double paging and That means the hypervisor is going to have its own page replacement algorithm And then the guests Which might not be the greatest idea because the guest might actually know it's physical It's memory access patterns better and do a better job than just a generalized type advisor So you might not even want that to happen and that Comes with more performance stuff where you actually care things get a lot more hairy because it's a lot more complicated So there's still more similarities with just normal kernels So you're still running the same physical hardware. 
There are still some pages you can share. Say you're running three copies of the exact same Linux kernel. Well, ideally I would want the same thing as when I'm running multiple processes that use the C library: all my processes can just share the same library. You can do the same thing for virtual machines. So, similar to copy-on-write pages, you just want to share any memory pages that are read-only, except this time we want to share them between virtual machines instead of between processes. The hypervisor has to do a bit more work to detect whether pages are actually identical across virtual machines. One thing it can do is scan all of the pages and hash the contents of each page. If the hashes of two pages from different virtual machines are the same, that doesn't mean the contents of the pages are the same; it means they could be the same. So if the hashes line up, it checks byte-for-byte whether they're exactly the same, and if they are, the hypervisor actually shares that page between the two different guests. Again, as long as they're both only reading, we can share that memory, and we get a nice benefit where everything just shares. But if one of the guests tries to write to one of those pages, then we do the exact same thing as before: the copy-on-write optimization. Otherwise nothing changes. So a lot of this is rehashing the ideas we already know and all of the tricks we already do in operating systems, and just extending them now that we virtualize an entire machine. Another thing the hypervisor can provide is virtualized I/O devices. The hypervisor can choose to just multiplex one device to multiple virtual machines; for example, with a network card, each virtual machine can think it has its own network card, even though there's only one physical network card in the machine.
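The hash-then-verify page scan just described can be sketched like this: hash every page, treat equal hashes only as candidates, and confirm with a byte-for-byte comparison before sharing, since hash collisions are possible. This is roughly the idea behind Linux's kernel samepage merging, though the real mechanism is far more involved, and the data layout here is my own invention.

```python
import hashlib

def find_shared_pages(vm_pages):
    """vm_pages: {vm_name: [page_bytes, ...]} -> list of shareable page pairs.

    Hashing first narrows the candidates cheaply; equal hashes only mean the
    pages *might* match, so a byte-for-byte check confirms before sharing.
    """
    by_hash = {}   # digest -> list of (vm, page_index, page_bytes)
    shared = []
    for vm, pages in vm_pages.items():
        for i, page in enumerate(pages):
            digest = hashlib.sha256(page).digest()
            for other_vm, other_i, other_page in by_hash.get(digest, []):
                if other_vm != vm and page == other_page:  # byte-for-byte
                    shared.append(((other_vm, other_i), (vm, i)))
            by_hash.setdefault(digest, []).append((vm, i, page))
    return shared
```

Each pair the scan returns is a page the hypervisor could map read-only into both guests, falling back to copy-on-write the moment either guest writes to it.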
They all just kind of share that one, and the hypervisor manages it. But for some applications, like, I don't know, anything GPU-intensive, the hypervisor can do something else and actually map the physical device to exactly one virtual machine, so that virtual machine actually has exclusive access to the device, while the hypervisor still manages it and makes sure that nothing goes bad. There's also a hardware solution for removing the hypervisor from the path at runtime, so you give the raw hardware directly to a virtual machine, and that's something called the IOMMU. That would be for something like, hey, if I want to, I don't know, run a game in a virtual machine, well, it's going to be really, really slow if everything is being virtualized on a shared GPU. It's better to just give, say, Windows the GPU; then it actually gets physical access to the GPU and can run at native speed. The hypervisor maps the device to a virtual machine, which gets exclusive ownership over it, and the VM actually controls the physical device as if it had just booted up normally, not as a virtual machine. So that gets your GPU working at pretty much native speed in a virtual machine, and you can actually use virtual machines for gaming or machine learning or whatever now, because of this IOMMU thing. Then the final piece of the puzzle is that virtual machines boot off a virtualized disk. We already had virtual memory and virtual CPUs, and now there's a virtualized disk. When you boot a virtual machine, it will just boot off a virtualized disk, and all you do is create a disk image that has all the contents that would otherwise be on a physical disk, except it's now just a file. It has some format that specifies the partitions, and each partition has a file system, which would be something like FAT, like we saw before, or another file system that actually uses inodes. Usually it's just one big file,
There are some formats that allow you to split the image up or compress it in other ways, but as far as the guest kernel is concerned, it just sees a normal disk that it has full control over, while on your machine it's actually just one big file. And that's all you need for a virtual machine.

Yep, the disk. Yeah, so if you go ahead and modify your virtual machine, say you write some files in it, that writes to the virtualized disk. So you could just transfer that disk image and boot it up somewhere else if you want to, because it's literally all the contents of the file system.

Yeah, but it's still going to consume space, because it's living on your hard drive anyway; it just looks like one big file. You don't get space for free. It's a good try, though.

All the examples I ran in lecture were running in a virtual machine, because they were Linux and I'm using a Mac. That's also why I did silly things like trying to kill process 1: it's a virtual machine, and if it dies, I don't care.

Yeah, so when you boot it, it boots off the disk image, and any time you make modifications while running in the VM, it just writes them back to that disk image, exactly like a normal disk.

Yep. Yeah, so that's what I did in other offerings of this course: the first lab was to write a Linux kernel module. Well, no university is going to let you insert some random kernel code into their kernel; that would be insane. And you probably don't want to brick your own system while you're learning. So what I did in the lab, and that's another reason to use virtual machines, was make sure everyone's environment was consistent.
I just gave students a virtual machine image and said: work off this. You're free to use your own system if you want, but it's going to be tested in this environment, and that's it. So instead of the overloaded ug machines, where with lab 5 you're discovering that everyone's on them at once, they could just give you a virtual disk image, you boot it up yourself, run it on your own machine, and you don't have to worry about that stuff.

Yep. Yeah, so the question is: can I run a virtual machine inside of a virtual machine? Your first virtual machine, if you want it to be really fast, wants that hardware support, so it has to run under a type 1 hypervisor. But a virtual machine inside a virtual machine could run as type 2, because it just runs as a normal process. And inside of that you could run another type 2, and another, and another. So you can nest virtual machines as much as you want; they're just going to get slower, because there are more translation steps. For some of the lab material, where I'm testing things that run on RISC-V, I'm using my Mac to virtualize Linux, and then Linux is translating to RISC-V and virtualizing that, so I'm three layers deep in virtualization.

So all you need for a virtual machine is a disk image, which makes it really easy to move around. What I provided before was an OVA file, which is a whole virtual machine package: it gives you a disk image plus some general guest settings, like the amount of memory the virtual machine should have, how many CPUs you give it, and so on. Otherwise, if you want to set all those settings yourself, I could just give you a disk image and say: go ahead, go for it.
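Back on the question of whether a disk image consumes space: it does live on your drive, but raw images are usually created sparse, so unwritten regions of the virtual disk don't use real blocks until the guest writes to them. A small sketch (not from the lecture; the filename is made up, and `st_blocks` is Unix-specific):

```python
import os

path = "guest-disk.img"
virtual_size = 1 * 1024**3  # the guest will see a 1 GiB disk

# truncate() sets the apparent size without allocating data blocks,
# which is how tools typically create raw images sparsely.
with open(path, "wb") as f:
    f.truncate(virtual_size)
    f.seek(4096)
    f.write(b"guest data")  # only this region now needs real blocks

st = os.stat(path)
apparent = st.st_size           # what the guest kernel sees
allocated = st.st_blocks * 512  # what your host disk actually spent
print(apparent, allocated)
os.remove(path)
```

On a filesystem with sparse-file support, `allocated` stays tiny until the guest actually fills the disk, which is why a freshly created image can look huge while costing almost nothing.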
So that's one thing that makes virtual machines cool. Another reason you might use virtual machines, aside from virtualizing a whole machine, is just to isolate an application. Way back in lecture 13, we saw some problems with dynamic libraries: if someone is very bad at writing dynamic libraries and doesn't follow good versioning practices, they break stuff all the time. If I update that library, maybe some applications were updated to go against the new version and would work, but it would break half of my other applications. Doing all these updates is a pain in the butt. So if you want to make sure everything stays nice and consistent and working, you can just package your application as a virtual machine. It comes with all the libraries it needs, and you run it within the virtual machine, where it uses its own versions of those libraries, which have hopefully been tested with it. Now if you update a library on your system, it's not going to affect the virtual machine. You might also want this if you're doing stuff in production: you want a nice consistent environment, and virtual machines give you one. And if you need to boot up more instances of your application, you just transfer the disk image over and boot it up, and that's it.

So giving an application its own virtual machine has some nice benefits, but it's also kind of slow. Well, not so much slow as wasteful: because it's a full virtual machine, every single application has to package a kernel with it. So if your kernel is, you know, like 700 megabytes and your application is two kilobytes.
Well, your application is not going to represent very much of that disk image. And that's exactly the problem something like Docker solves. Docker is a container, and it aims at the same goal of having things nice and isolated, where you can package everything together. The only difference with Docker is that it gives you the same benefits as a virtual machine, but you don't package a kernel with it. Docker uses your existing kernel, and that's why Docker only supports the Linux kernel. If you run Docker on a Mac, what happens is it virtualizes a Linux kernel and then runs all of your Docker containers on that kernel, and the same goes for Windows. If you're part of the Linux world, or GNU/Linux, whatever you want to call yourself, it can just use your kernel directly. When we run something as a virtual machine, the hypervisor can set limits on CPU time, memory, network bandwidth, etc., but the Linux kernel supports all of that without virtualization.
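The Linux mechanism for this is cgroups, configured through files under /sys/fs/cgroup, which needs root. As a hedged, runnable stand-in, here's the older POSIX per-process mechanism, rlimits, capping a process's address space (Linux behavior; macOS largely ignores RLIMIT_AS):

```python
import resource

# cgroups limit whole groups of processes; POSIX rlimits are a simpler
# per-process cousin. Cap this process's address space at 512 MiB,
# then try to allocate 1 GiB and watch the kernel refuse.
cap = 512 * 1024 * 1024
_, hard = resource.getrlimit(resource.RLIMIT_AS)
resource.setrlimit(resource.RLIMIT_AS, (cap, hard))

try:
    big = bytearray(1024 * 1024 * 1024)  # 1 GiB, over the cap
    outcome = "allocation succeeded"
except MemoryError:
    outcome = "allocation denied by the kernel"
print(outcome)
```

With cgroup v2, the real equivalent would be writing a byte limit into a cgroup's memory.max file, which then applies to every process in the group rather than just one.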
So you can actually set limits on all that stuff for each individual process as well. In Linux these are called control groups, or cgroups as you might see them written, and they support those same features for normal processes. You can also share other resources, like files on the system, or even use inter-process communication. Containers basically try to give you the nice benefits of a full virtual machine, but instead of each one having its own kernel, they share the same kernel and still get all the same benefits.

So, to recap: virtual machines virtualize a physical machine, oddly enough. They allow multiple operating systems to share the same hardware, and they provide isolation. They use a hypervisor, and the hypervisor is the thing that manages virtual machines and allocates resources. We saw two different types of hypervisors: type 2 hypervisors are slower because they have to handle privileged instructions specially, using either trap-and-emulate or binary translation, while type 1 hypervisors are supported by hardware. They can use something like the IOMMU to speed up devices. Hypervisors might overcommit on resources and need to physically move virtual machines, but thankfully that's easy: you can even transfer a virtual machine to a different physical machine while it's running, without the user even knowing. You can even do it while they're connected through SSH, so one command might run on one machine and the next command on a completely different machine. And containers are supposed to have all the benefits of virtual machines without the overhead, because they share the kernel.

So that is it. Just remember, I'm pulling for you. We're all in this together.