IDC has just released a whitepaper on "KVM for Server Virtualization: An Open Source Solution Comes of Age" which you can find over here in PDF format.
KVM has made tremendous improvements in the 4 years it has been around - yes, it has only been 4 years, quite remarkable really! You can easily argue that the vibrant open source ecosystem is the main reason for the rapid development, and that is certainly part of the reason, but it doesn't hurt to have companies with a strong commercial interest being part of the community - the IDC report being funded by IBM, and IBM contributing 60+ developers to KVM development, isn't going to hurt either :)
The hypervisor is only part of the equation. I'm a big fan of the KVM philosophy of not re-inventing the wheel and using whatever is currently in the Linux kernel - advanced schedulers, memory management and I/O subsystems, all wrapped up in SELinux to provide VM isolation - a fantastic start for a hypervisor. Of course, this is only part of the overall virtualisation solution, and the big ticket items are the management tools. KVM has libvirt and, to be honest, it's just OK, but if there are aspects of it I don't like (which there are) then I'm free to get involved and submit code, or even suggest features which may capture the imagination of some developers.
Commercial deployments of KVM, such as RHEV from Red Hat, build on top of the basic libvirt and libguestfs APIs and deliver more robust management solutions - hopefully all of which will become upstream projects so that I can contribute in some small way to those.
Is KVM the equivalent of VMware ESXi? Not yet; perhaps when RHEV 3.0 is released the feature gap will diminish. Performance-wise, the SPECvirt benchmarks show that KVM is at least equal to (and arguably better than) the performance of ESX.
For many companies, KVM through the commercial product RHEV is right for them - right now. RHEV 3.0 will extend the suitability to many more companies. I'm looking forward to getting a look at it and of course importantly to me, contributing.
Thursday, June 16, 2011
Friday, June 10, 2011
Recently a patch was dropped into the KVM community, adding support for the Intel SMEP CPU feature (if available on the CPU). I thought to myself, what the hell is SMEP?
According to the Intel Software Developer's Manual it is "Supervisor-Mode Execution Prevention". This sounds like a great thing: while the CPU is running in supervisor (kernel) mode it is prevented from fetching and executing instructions from pages that are marked as user-accessible, i.e. if there is an exploit that delivers a page of data and tricks the kernel into jumping to it, the execution won't happen and a page fault will be triggered instead. This sounds like a neat piece of work and, as it's all hardware based, there should be little overhead.
Like me, I'm guessing you're wondering if your system has the SMEP CPU feature; this code will show you. Don't be disappointed if your CPU doesn't have it - it's a very new feature and I can't even find which CPUs implement it.
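The post's own listing did not survive on this page, so here is an added example of the same check (my code, not the author's). It reads CPUID leaf 7, sub-leaf 0 and tests EBX bit 7, which is where the Intel SDM places the SMEP capability flag; the register decoding is split into its own function so it can be exercised with constructed register values on machines that lack the feature, and the build falls back cleanly on non-x86 hosts.

```c
/* Added example (not the post's own listing): report whether the CPU
 * advertises SMEP via CPUID.(EAX=7,ECX=0):EBX bit 7 (Intel SDM vol. 2). */
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>          /* GCC/Clang: __get_cpuid_max, __cpuid_count */
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0
#endif

/* Bit position of SMEP in CPUID leaf 7, sub-leaf 0, EBX. */
#define CPUID7_EBX_SMEP_BIT 7

/* Pure decoder: returns 1 if the SMEP bit is set in a raw EBX value.
 * Kept separate so it can be tested with constructed register values. */
int smep_from_cpuid7_ebx(unsigned int ebx)
{
    return (ebx >> CPUID7_EBX_SMEP_BIT) & 1u;
}

/* Query the running CPU.
 * Returns  1 = SMEP advertised,
 *          0 = not advertised,
 *         -1 = CPUID leaf 7 unavailable, or not an x86 build. */
int cpu_advertises_smep(void)
{
#if HAVE_X86_CPUID
    unsigned int eax, ebx, ecx, edx;
    /* Leaf 0 reports the highest basic leaf; older CPUs stop before 7. */
    if (__get_cpuid_max(0, NULL) < 7)
        return -1;
    __cpuid_count(7, 0, eax, ebx, ecx, edx);
    return smep_from_cpuid7_ebx(ebx);
#else
    return -1;
#endif
}

int main(void)
{
    int r = cpu_advertises_smep();
    if (r < 0)
        puts("CPUID leaf 7 not available: cannot determine SMEP support");
    else
        printf("SMEP %s by this CPU (CPUID.7.0:EBX bit 7)\n",
               r ? "advertised" : "not advertised");
    return 0;
}
```

Two caveats worth knowing when you run it. First, CPUID only tells you the hardware has the feature; whether the kernel has actually turned it on is the SMEP bit (bit 20) of CR4, which is only readable in ring 0, so from user space the closest you get is the `smep` flag in `/proc/cpuinfo` on Linux, which is the same CPUID bit. Second, inside a virtual machine the guest sees this bit only if the hypervisor chooses to expose it, which is exactly the point of the KVM patch.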
Anyway, it's a step in the right direction, and that future direction will hopefully allow hypervisors to be that little bit more secure from untrusted VMs and provide a VM 'shell' environment that's a little more secure for the VMs. Unfortunately, the way things currently stand, the usefulness for KVM is unlikely to be immediately realised, as Intel engineers suggest that enabling SMEP without a guest VM's knowledge is likely to be 'problematic'.