 Welcome back to 353. So today virtual machines. We actually know enough to kind of explain what was going on when we installed our virtual machine back all the way at the beginning of the course. So what do virtual machines do? Well they abstract the entire machine. So the goal with virtual machines is to run multiple operating systems on the same machine and kind of like processes think they're the only thing using CPU and memory. Virtual machines believe they're the only thing using the hardware, using the entire computer. So each OS believes they're the only thing running. We can't see any other virtual machine that is running. So some terminology. So there is the host and the host is the thing that has direct control over the hardware. So sometimes it'll be referred to as the hypervisor or virtual machine manager. They both mean the same thing. And that is the piece of software that controls the virtual machine. So they control when we create virtual machines, how to manage them, scheduling them, which should run, isolation. So which hardware they have access to. And kind of like we have the kernel that manages our processes. Well the hypervisor is the thing that manages virtual machines. So there are two kinds of hypervisors that have to do with how they are implemented. There are type one and type two. A type one is called a bare metal hypervisor runs directly on the host hardware and it requires special hardware support because the virtual machine itself while the kernel is actually going to run in kernel mode, which is if we recall that special CPU mode that lets you access instructions that can directly talk to the hardware. So type one, the virtualized operating system is actually running physically in kernel mode. So there needs to be some special hardware support that's more privileged than kernel mode that can go ahead and make sure and monitor our virtual machines. Type two is called a hosted hypervisor and it just simulates a hypervisor. It runs as a normal application, runs as a normal process. So it has to kind of create the illusion that your kernel is actually running in kernel mode even though in type two your virtual machine is just running as a normal process. So it's actually 100% running in user mode. So it's going to be a bit slower. We'll go over how you would actually implement that today but going to be slower but you don't have to have any special hardware. Even though nowadays you probably have special hardware that makes us go way faster. And another terminology, a guest, a guest is just another name for the virtual machine. It sees a copy of a virtual copy of the host which may or may not be complete. So it might not have access to all the same hardware or it might just make up fake hardware in order that you can monitor it or something like that. So here's review over on the left hand side so that this is the world we currently know where we have the hardware and then above that the software that is running and controlling that hardware is called the kernel and one example of it is the Linux kernel and we went over, I guess this is tearing into somewhat review. There's different kernel architectures, right? There's micro kernels, there's monolithic kernels which is what Linux is which change what code is actually running in kernel mode which is that privileged mode that can directly access the hardware. And then no matter what curl design you have you're going to have this programming interface between the kernel and normal user mode processes. All right, review time, that programming interface, what's it called? To go from kernel mode to user mode. Anyone remember the name? Uh-oh. Yeah, syscalls, yeah system call interface, whatever you want to call it. So that's this layer that's that programming interface if we want to go ahead and monitor it that application or that process program sorry that makes it easy to monitor things, right? strace, we can go ahead see all the system calls everything makes and figure out why JavaScript is actually so bad. So that's the world we kind of know right now, right? We have processes they use the system call interface they might use libraries so they might use libc, they might use I don't know if you use graphic stuff they might use other libraries like that and then we have the system call interface that talks to the kernel, kernel talks to the hardware. So if we have uh if we have virtual machines we have the picture on the right. So what controls the hardware is the virtual machine manager or the hardware or sorry or the hypervisor so that what that's what has direct control over the hardware and that manages the virtual machine so in this case we have three virtual machines one could be running Linux, one could be running Windows, one could be running macOS they all just see a virtualized copy of that hardware and then each virtual machine is running its own kernel again like I said they could be completely different and then each kernel is just managing their own processes so this part of the software stack from the kernel upwards is going to be exactly the same um and it's independent we can go ahead we can run as many virtual machines as we want on the same hardware so any questions about this so some and this is good you know makes us protected because if we wanted to we could I don't know install anyone know the official offering system of North Korea yeah red star os yeah so that is the official offering system of North Korea I would not recommend installing it on your laptop but if you wanted to see what is going on in North Korea you could go ahead you could create a virtual machine probably a good idea to not give that virtual machine internet um probably a very good idea you can install red star os on it and you can see what's going on in North Korea and that's fun if you wanted to hopefully your virtual machine your hypervisor implementation doesn't have any bugs in it so you can't actually access the hardware but if you wanted to you could install virtual machine not give it internet access try and download as many viruses as you can put it all on there and let the viruses duke it out and see who wins so you could go ahead you could do all sorts of fun stuff without ruining your hardware and ruining you know your actual money and you can go ahead and you can have fun with it so virtual machines typically not emulation that's kind of a different idea so emulation is typically used to translate one isa or instruction set architecture to another and for review I guess you did take an assembly course so an isa is just the machine code that the actual physical cpu understands so for instance you might have to do some emulation if there is a mismatch between what your offering system is using and what your machine physically is so you might have to do something like x86 to arm or something like that so that's why in lab zero if you have the newer mac laptops that run arm that's why you had to download a different virtual machine or sorry a different uh a different installation of debian than someone using you know a windows machine because there are different instructions so dark detectors and we don't want to have to waste time translating one to the other when you're trying to run your virtual machine so generally you want it so that the guest operating system is executing the instructions directly using the same isa otherwise you have to translate the instructions and it's typically pretty slow unless you have uh apple laptops so they have like special hardware to convert arm to x86 but otherwise typically slow and you want to avoid it at all costs it's okay for some uses like if you try and write an emulator for a nintendo entertainment system or nes you can go ahead do that because it's an old eight bit cpu really easy to do and it's a fun summer project you can do while you're trying to avoid working on your thesis not that i would know or anything like that um so could go ahead and do that um virtual machine could use emulation to run a virtual machine for a different architecture but generally the performance suffers and you want to avoid it if at all possible all right other cool things virtual machines can do is they can enable pause and play so much like the kernel can go ahead stop a process from running and then you know run another process and run that for a while then switch go back to the original process pause it switch go back to the original process hypervisor can do the same thing but instead of pausing a process it pauses the complete operating system so the hypervisor would have to context switch between virtual machines much like the kernel has to context switch between processes same idea it just it'll save the current state so it can restore it later but you might imagine a whole machine probably has more state than just a single process so there's some more involved things here but the idea is exactly the same just save the current state restore it later run another virtual machine then we would have scheduling between virtual machines go ahead run another one later and the cool thing around about this is we could actually move it around as well so we could pause it and then physically move it to another machine if we really wanted to and then unpause it on a new machine so you can go ahead one second your virtual machines running on machine a then whenever and then without you noticing it's now running on machine b and your switch machines and you have no idea about it it's just a seamless process and that's why like all cloud providers will probably just give you a virtual machine because they'll physically move it around servers you know maybe they bring one physical server down for maintenance maybe one gets overloaded because someone decided to I don't know run something super intensive on it so they want to move your virtual machine to an unloaded machine and try and like load balance things across their vast data center so other things they give they give you some protection through isolation so like processes are isolated from each other again you this is pretty much the same idea as processes but just applied to the entire machine so guests are isolated from each other just like processes are isolated from each other and hopefully isolated from the host and because of this the hypervisor is the thing with ultimate control over the hardware so it can set limits on cpu time so if one I don't know fork bombs itself or does something stupid you can go ahead you can limit it and say hey virtual machine you can only use a third of the physical cpu or just set a time limit or whatever you want to do you could set limits on memory network bandwidth so or no network at all etc you can limit how much hard drive space it gets you can limit whatever you want on it because ultimately you are the thing controlling access to the hardware and the guest even if you install red star red star linux on it then doesn't matter just has access to its own virtualized hardware might ruin its hard drive or whatever but you can go go ahead just delete it after the factor do whatever and if you actually were managing a whole bunch of machines and something screwed up hopefully you have backups and then you can just roll it back to a previous state or just remove it completely and just get rid of it so yeah yeah so the question is how is this guest different than the guest user on your laptop so the guest user on your laptop is typically the user for that operating system and typically it's just another user account that doesn't have access to like your account's data or anything like that so it's no no no it'd just be a different user that can run processes and generally for like they're all running in that same operating system generally the only difference is like what files you can access okay and that's pretty much it so like if I use your computer as a guest user I can't like access your documents folder or anything like that yeah yeah so guest in this context is like guest operating systems like virtual machines that running on it so for you uh your Debian virtual machine that would be your guest and your host would be whatever you're using mac or windows or whatever you're using yeah and all right so other things virtual machines can help you with is consolidation so data centers or even when you're like developing uh web applications or whatever there's a lots and lots and lots and lots of servers running often not making use of all the hardware so sometimes services with different purposes could be like using the same hardware or sharing the same hardware so maybe I don't know I have a really powerful computer but my application just one application uses a lot of cpu and one application uses a lot of memory well oh that is a mouse okay great down there all right cool we have a mouse in here they should they should probably do something about that who the hell they go all right that's not distracting it whoops I don't know where it went that's not good all right well people I thought it was a leaf or something before but turns out to be an actual physical mouse like the animal kind not like our kind huh all right that's not distracting at all all right sorry about that um what was I talking about oh yeah so you could go ahead you could virtualize both those application one that uses a lot of cpu one that uses a lot of memory and they can both run on the same physical machine share hardware and do everything like that so instead of just having one system that's not using a lot of memory and one that's not using a lot of cpu make them both virtual machines put both virtual machines on it and then suddenly way better hardware utilization which is like the main concern of data centers and like google will pay you a lot of money if you work on this to like bring down or increase their server utilization by like one percent since they spend billions and billions of dollars of it turns out to actually be lots of money so when we're actually implementing virtual machines a virtual cpu is like the key abstraction so like for processes well like we use the process control block that kind of acted as a virtual cpu it doesn't virtualize all parts of the cpu just enough for user mode so like saved all of our registers and then we are page tables our open page or open file tables things like that the virtual cpu structure tries to store the entire state of the cpu so like what mode is the cpu currently in um anything that has to do with the hardware any special flags it has to set like any special things you normally can't access in user mode it has to save because we're trying to emulate the intact well not emulate we're trying to go ahead and abstract the entire cpu not just enough for a user process so when the virtual machine resumes like the pcb or low data and resume just like we had for processes so the guest in this case basically a virtual machine still uses user mode and kernel mode so like there's no changes to the guest operating system it's still the linux kernel in case of the devian operating system so you could install it directly on your hardware or you could run it in the virtual machine but it is the exact same code so if we are on x86 we have like the your user code would be if we remember the stupid numbers user mode code is running in something called ring three kernel mode is in ring zero which is the most privileged and then if you actually look and see if your cpu has hypervisor support so it can support like a type one virtual machine the the special instructions it has access to are officially in ring negative one so you can tell that that did not exist when they first made up that cpu because ring negative one doesn't really make a lot of sense but kind of does because it's supposed to be more privileged than more privileged than ring zero so when they go ahead and they designed it initially the virtual machines were not a thing because x86 dates back to like 1978 or something like that so that it has to support everything has to stay the same same numbers same everything so whenever they created virtual machines and hardware support for it i guess around the time you were born then they created a ring negative one so that is where all of the hypervisor instructions are if you have a type two hypervisor well then the host has to create like a virtual virtual kernel and user mode and try to emulate what is going on and just try and simulate what's actually going on so if you had to implement a type two hypervisor where the guest is running on the host in user mode at all time if you try to run any actual privilege instruction that can only run in kernel mode then it's going to generate a trap which would say wrong mode or illegal instruction or you don't have access to run this instruction so what happens is whenever you whenever your virtual machine tries to execute one of those instructions your hypervisor which is just the program that's kind of monitoring your virtual machine should go ahead recognize that hey you tried to run an instruction which you don't have access to so it should go ahead and write essentially a signal handler and then simulate the operation that actually is happening on the guest and then resume it so it will significantly slow things down because it's trying to execute just whatever your instructions are but if it turns out to execute an instruction that is only available in kernel mode you will go ahead catch the error and try and simulate that kernel mode instruction and you would have to like simulate the entire rest of the cpu so you'd have to look at all the documentation and everything like that so it's a fairly boring job so how it would look visually is well this is all running as a user process we have our guest above this line so it has user processes and then privilege instructions which are running in kernel mode if it tries to actually execute one of the privilege instructions it would generate a trap or a signal or an interrupt whatever you want to call it and then our hypervisor code would have to emulate whatever that instruction is supposed to do update that virtual cpu that is supposed to represent the entire state of the cpu including whatever it's doing to the hardware and then we return back to the guest operating system continue running their code just like nothing happened and we just keep on doing this over and over again so it'll be really slow so instead of executing instruction directly we have to go ahead simulate it which will will be slow but hopefully you know most of the time our code generally isn't in kernel mode doing stuff it's actually running our user processes so may or may not actually work and not be that slow although sometimes doesn't always work on some cpus like especially x86 if there were clear instructions that were like this instruction only runs in kernel mode and this instruction only runs in user mode it would be easy but on x86 especially it is not clear some instructions do double duty because on x86 virtual machines did not exist when they first made up that instruction set in the 70 in like the 1970s which is old even for me um so that didn't exist it wasn't a consideration so they took some shortcuts to go ahead save space and make things easier to implement and make things do do two duties so for instance there is this instruction called pop f so it loads a like flag register from the values on the stack and which flags register it actually affects depends what mode you're currently in so if you are in user mode it updates the user flags and if the CPU is currently in kernel mode it goes ahead and updates all the kernel flags so the same instruction updates two different things and the only way you know which things it updates is what mode is it currently in so if we're trying to if we actually run this instruction and like we actually run this instruction on a type two hypervisor it will always update the user flags but if our guest operating system actually thinks it's in kernel mode and we run this instruction it will update the wrong set of flags and then your kernel will probably freak out because well you didn't actually update the kernel flags like it thought you were going to so this also wouldn't generate a trap you can't trap and emulate so instructions like pop f would be something considered call or something considered a special instruction and we need another approach to be able to simulate what happens with that so what they need is something called binary translation so if the virtual cpu is currently in user mode and i'm running user mode code in my guest well they both agree so they both think we are in user mode so i don't have to handle anything specially i can go ahead i can just execute it doesn't really matter if one if the guest thinks it is actually in kernel mode then the hypervisor is actually going to need to inspect every instruction before it executes so it will inspect every instruction before it executes if it's one of these special instructions well it needs to be translated to instructions with the same effect and we go ahead we have to simulate like we did before and update that virtual cpu so so the kernel it's just going to use like for instance we're going to be able to do this because the kernel well if we want to switch from user mode to kernel mode luckily that is an instruction that we can do trap and emulate so we can go ahead see when the guest switches from user mode to kernel mode and then when it switches from user mode to kernel mode we can go ahead we can update our virtual cpu to note that okay now this guest thinks we are actually in kernel mode i should turn on binary translation and i should just inspect every instruction before it executes to see if i need to simulate what's going on so overall the performance is going to suffer a lot because it's inspecting every single instruction but generally it works more or less okay um and performance you can go ahead you can actually run something like that with modern hardware so what that looks like looks like exactly the same thing but now instead of like actually just generating a trap the hypervisor or the virtual machine manager is going to go ahead inspect the special instructions if we believe we are in kernel mode and then it would translate it or simulate what it needs to do then update the virtual cpu that would have all of the hardware registers and then return keep on executing things and let them go and binary translation is spoiler alert also how valgrind works so valgrind will go ahead and inspect any instructions that use memory to check you know whether or not you have access something that is actually in bounds it would go ahead and translate all your calls to malloc so that it can go ahead monitor that monitor them and know what memory you actually have valid access to but if you go ahead and run valgrind or you know you actually care about performance valgrind is like 30 times slower or like 300 times slower i forget the number then actually executing your program so yeah there's a big performance penalty but generally computers are pretty fast now so for some tasks you can put up with it all right so that's for type two we use type one all the time so this is wait 2005 is this this is newer than you right you are born okay in the year of your birth they they decided to no not this close oh three okay so this is this is brand new all right so when you were one or two then they introduced virtualization as like a standard in cpus um intel introduced it as vtx amd did it in 2006 as amd-v but if you go ahead and you try and enable this if it's not enabled for some whatever reason in your bios they had different names for it so intel called it like vanderpool and then like publish it internally as virtual machine extensions amd their codename was pacifica they published it as secure virtual machine or svm so all of those names generally they all mean the same thing it just depends the internal term the marketing term the the official boring documentation term um they're not consistent about it whatsoever but they all mean the same thing they all mean they support that hypervisor mode or that ring negative one so all of them do they added the concept of hypervisor mode and then what usually happens nowadays is the host so whatever operating system is actually installed on your computer whatever you boot it up so you boot up windows then windows is going to claim the hypervisor and then windows will actually also serve as a hypervisor for your virtual machine and your virtual machines can go nice and fast so so it's the only one able to access it windows goes ahead it can set isolation for all your guest virtual machines what hardware can access and everything like that so technically windows would be your hypervisor as well as uh running in kernel mode although windows does like weird things now where it virtualizes parts of itself and um actually supported or actually needed for like game anti-cheat stuff oddly enough because that stuff will run in kernel mode and then windows needs ultimate security so windows needs to be the hypervisor so lots of fun stuff so we can talk a little bit briefly about like what the hypervisor has to do so it has to do some scheduling so if there's only like one CPU on the physical machine guest doesn't know it you could lie to the guest you could say I have a hundred CPUs like you could present as many virtual CPUs as you want for the guest and then in your hypervisor you can map the virtual CPUs to physical CPUs or schedule them like processes and like a normal kernel right there's also hypervisor threads so maybe your hyper your hypervisor would be running in the background and your hypervisor would be scheduling all of your virtual machines what to run and what CPU they go on to so one approach the hypervisor might take is like just assigning virtual machines to CPUs directly so if there's more physical cores on your machine then all the virtual machine or all the virtual machine virtual CPUs put together you can just map them one to one and then the host can just use any spare physical cores if you have to share that's where things get more complicated they call it over committing for some reason so at equal numbers you can still map one to one and because the hypervisor threads like the kernel don't really run that often but otherwise in general you would have to schedule them just like processes it would use all the same scheduling algorithms the only difference is we are context switching between virtual machines instead of processes so as you might imagine context switching between virtual machines probably takes a bit longer than context switching between processes so maybe I want to let them run for a little bit more before context switching but otherwise I mean everything is pretty much similar so some other problems that CPU over commitment could have is that like guest operating systems really run way too unpredictably for soft real-time tasks because you could context out a whole virtual machine even when the user process says not to so on your virtual machine if you really cared about something you could you know set yourself as a real-time process and try and have like the highest priority so that you're assured that you do not get context switched out so let's say the round robin time slice is like 10 milliseconds and the guest like if you ran it on physical hardware then you're guaranteed that you know if there's four other processes around you'll have to wait at most 30 milliseconds before you get to run again but if you are virtualized well that guarantee is now thrown out the window because even though that's true in the virtual machine that virtual machine might be context switched out it might not be running so it would miss deadlines it wouldn't have if it was actually running on the physical host and in this case virtualization fails a little bit because we can actually observe different behavior now we can no longer hit all of our deadlines but this is like a very special case for very very performance sensitive code so also as you might imagine with virtual machine or yeah with virtual machines virtual memory is a lot more complex too because virtual memory right each process thinks it has the entire address space but now the kernel also thinks it is managing the entire physical memory but the virtual machine well it doesn't have access to physical memory anymore so it has to virtualize it too so the hypervisor would have virtual memory for the guest operating system or the virtual machine and then the virtual machine has is managing virtual addresses and virtual memory for each individual process so we have like two so if you thought just multi-level page tables were wrong now we have multi multi-level page tables so we would have two levels of page tables and that would be great so technically you have like a nested page table so like I said the guest thinks it controls physical memory does its own page table management but the hypervisor actually controls physical memory in this case so it would have a page table as well that is valid mappings for that guest or that virtual machine so in order to translate a virtual address or to translate a virtual address on the virtual machine well it's going to have to translate that processes virtual address to what the kernel of the virtual machine thinks is a physical address and then the hypervisor is going to translate that physical address which isn't really a physical address it's a virtual address for that virtual machine and then go ahead and it would translate that to an actual physical address so we would have in this case kind of like a nested page table so that is one of the hardware support things that hypervisor mode actually does it allows you to have nested page tables and tell essentially tell the tell the mmu or memory management unit about this so you don't have to do two steps in order to translate an address it will go ahead you tell it about the nested page tables and it will actually use those nested page tables to translate an address for you directly all in one shot instead of having to do it like one step and then another step and that is generally where most of the speed up from hypervisor mode comes in is telling the guest or while telling the hardware about nested page tables so if and then you could imagine this gets even like way worse so if you have if you over commit on memory so you're using more memory than your virtual machine can actually use well maybe that virtual machine has like a bunch of swap space and then swap stuff to what it thinks is a physical disc but now the hypervisor could also do the same trick right it could go ahead and have its own swap space and lie about how much memory it has essentially so you might have two different page replacement algorithms one would be running on the hypervisor another would be running in the kernel on the virtual machine and you don't really it's really unpredictable to know which one runs for what and generally for this you don't do page replacement in the hypervisor you just let your guests go ahead and worry about it so you don't have this weird thing where there are two things trying to do page replacement other fun things we did copy on right right we did copy on right for processes to save mep to save memory so guests could also do the same trick because they could share pages if they are complete duplicates but unlike copy on right that while we start copy on right because we fork we know two things are supposed to be exactly the same we don't exactly know that for virtual machines so what they do is the hypervisor tries to detect if two virtual machines can actually share memory so it will actually try to detect duplicate pages between virtual machines and how it does that is basically they hash the contents of all the pages if two pages hash to the same value that means their content could be the same or but yeah it could be the same doesn't mean they have to be the same they could be so if their hashes are the same then it will go ahead and it will check it bite for bite to see if they're actually the same bite for bite if they're the same bite for bite we're going to head go ahead and share them so we would point both entries to the same physical page and then we would do the same copy on right as before we can share them as long as both are only reading to them as soon as one writes to them then we can go ahead we can do our copy on right thing again who other things the hypervisor can do is it can provide like virtualized IO devices so for like your network card or something like that it can multiplex one device to multiple virtual machines so for instance it could share your network card between all the virtual machines they all share it it could also emulate devices that don't exist so you could go ahead you could make a fake network card give it to Red Star OS and then monitor whatever it writes to it and whatever it's trying to do but as far as Red Star OS is concerned it actually has access to a network card and it can go ahead and try and do whatever it wants other things you could do you could just map a physical device to one virtual machine so that that virtual machine has exclusive access to the device but the hypervisor is still kind of in the middle and still doing some translation which might slow things down especially if I don't know you're on Linux and you're trying to pass a whole GPU to windows that can actually use it better so you can play your games or whatever you want to do so that is slow and there is a newer hardware solution to remove the hypervisor during runtime and that is called the IOMMU so what that does is let the hypervisor map the devices to virtual memory and then exclusively give that to the guest so that that virtual machine has exclusive control over the device and then whenever you install drivers on that virtual machine they actually are interacting directly with the hardware there's no hypervisor that gets in the way and it allows you to run things like GPUs at pretty much native speeds on your virtual machine so you can go ahead you can use Linux or whatever as your hypervisor install windows virtual machine give windows your GPU and then your GPU which is most of what you care about in terms of your performance runs at full speed you can run your games you can do whatever you want with it other things virtual machine well the only thing a virtual machine actually needs is like your computer all you need is an operating system on your hard drive so virtual machines work the same way they boot from a virtualized disk so that is what you set up when you set up your virtual machine the main thing that you set up was you installed Debian to a virtualized disk also called a disk image that has all the contents of a physical disk it would contain like partitions each partition would have a file system on it and in lab six well you're making a file system so it would look exactly like that usually that big disk image is one big file some formats let you split it up some let you do copy and write things but they're all the same idea the guest kernel just sees it as a normal disk that it has full control over and that has all you need for your virtual machine so it makes it real easy to move has your kernel on it all your programs all your settings all your files everything like that so if you want to go ahead and say your laptop well you got a new laptop or something like that you don't have to redo all the steps in lab zero and set up the virtual machine again you just take that virtual disk image and just do ye old copy paste onto the new machine and you can go ahead you can run it and resume your virtual machine on a new computer um yeah some some things will have you like download a file for the whole virtual machine but the majority of it is going to be the disk image and then settings for that particular software that tells you oh the default number of cpus it should have memory and like just settings like that so if you used at one point we used it if you used uh what's it called virtual box they're like ova files and it's basically a disk image and then just a whole bunch of settings all right other things virtual machine could be due that's more relevant to you is they can be used to isolate an application so let's go back to lecture three so if you use a dynamic library and we discussed that if we change the a bi at all even in subtle ways like changing uh the order of fields in the structure round then we could break our applications they could no longer work or change the behavior and they would suddenly now be wrong now so what you may want to do is like freeze your dependencies in production so that even if you update the operating system running on it you're sure that won't affect your application and you won't get any weird dependency errors so what most people more or less do is create a virtual machine for your application with all the libraries it needs and then you just go ahead and run that virtual machine in production so you and you might also use it to separate out your application so like if you were running a web server well maybe you you run i don't know the maybe you run the back end in a virtual machine the front end in another virtual machine in the database in another virtual machine and now they're all separated you can talk to them like they were just like actual machines through networking and then you also have the nice benefit of well if you're starting off small all the virtual machines could be running on the same physical computer and then when you grow a little bit and that machine's overloaded makes things really easy you can just buy another physical machine and then move a virtual machine over and you don't really have to change anything suddenly wow you don't have to reset up anything you don't have to reinstall anything you just move the overloaded part onto a new machine and you're off to the races and you could do this as many times as you want separated out give it give each virtual machine its own computer eventually and then when you really grow well then you might have to have multiple copies of the virtual machines and then you'd go ahead and try and like load balance between them and then suddenly and that would be like you're operating at the scale of google or amazon or something like that so have we heard of containers before docker or anything like that all right so that's kind of that idea right so there are things called containers so docker is an example of it so they aim to have that same idea of like using a virtual machine for your application with all of its libraries but if you're give like an application as a virtual machine that's kind of dumb because while your application's probably not that big your libraries probably aren't that big and then most of your virtual machine is the kernel so let's say again you had I don't know three different virtual machines and they're all running the same kernel so all that is the same between all of them and then the only thing that's different is the application and the libraries well it's essentially what docker aims to solve so like the hypervisor can set limits on cpu time memory network bandwidth and things like that so that's another reason you would use virtual machines but nowadays the linux kernel supports things like that directly without virtualization so linux has something called control groups so that's part of the kernel api or the system call interface that supports hypervisor like limits but for processes so you can isolate a process just like yeah you can isolate a process kind of like you can isolate a virtual machine except instead of each virtual machine having its own kernel all of the containers are sharing the same kernel so you can set other resources for namespace like mount points like what directories it can access what ipc it can access things like that so containers are basically just like a lighter weight virtual machine because they all share the normal kernel if you've used docker on mac or windows well how that works is because docker needs linux to operate because it's all built on cgroups windows or macOS will actually install a linux virtual machine and then all of the docker containers will use that one virtual machine that it is managing but under the hood it just is managing a virtual machine so virtual machines they virtualize a physical machine they allow multiple operating systems to share the same hardware provide isolation and the hypervisor which is the thing controlling the hardware can go ahead allocate resources to each individual virtual machine a type 2 hypervisor is implemented in user mode it's slower it has to do trap and emulate binary translation type 1 fast support by hardware ring negative one hypervisors might over commit on resources physically move a virtual machine but that is possible just kind of is a bit difficult and containers aim to have the benefits of virtual machines without the overhead aka they share the same kernel so with that just remember pulling for you we're all in this together