
Virtualization Redefined: Embedded virtualization through CGE7 and Docker.

Paul Farmer
Technical Solutions Engineering Manager
MontaVista Software
pfarmer@mvista.com
Setting the Stage

Docker is a new leading container-based technology that offers a more efficient and lightweight approach to application deployment.

Using this technology together with CGE7 creates a powerful solution for key use-cases in the datacenter and networking in general.

This presentation focuses on introducing Docker interoperation with CGE7.
Agenda

Virtualization Technologies

Performance Benchmarks

Use Cases

Docker Advantages

CGE7 Advantages

Summary

Q&A
Virtualization Technologies

History of Virtualization Technologies

[Timeline figure, 1960 to 2014, with year ticks 1960, 1982, 1995, 1999, 2001, 2003, 2004, 2005, 2007, 2008, 2009, 2010, 2013, 2014. Technologies placed on it: CP-40 and CP-67 from IBM; Hypervisor on UNIX from IBM; chroot; Solaris Containers; VMware Workstation; ESX Server from VMware; Xen; Virtual Server from Microsoft; OpenVZ; QEMU; Java; KVM; LXC; Deterministic KVM from MontaVista; CGE and Virtual Resource Manager from MontaVista; KVM in CGE7 from MontaVista; Docker; virtualization with bare-metal performance from MontaVista.]

Complexity of Virtualization Technologies

[Figure: complexity versus time, covering application simulation, HW protection (MMU), CPU virtualization (VT-x), device emulation, HW virtualization (VT-d), OS emulation and containers.]
Virtualization Technologies

Containers are lightweight:
- share the host OS kernel
- share the host OS root filesystem wherever appropriate
Virtualization Technologies

Docker provides unified access to:
- Linux container technology (cgroups, namespaces)
- Various container implementations (lxc, libvirt, libcontainer, etc.)

libcontainer is Docker's own implementation of container technology.

Virtualization Technologies

Docker Underlying Technology
Performance Benchmarks

I/O Performance
[Chart; source: IBM Research Report, July 2014]

Real-time Latency
Cyclictest on an Intel Ivy Bridge based 4-core CPU with hyper-threading (8 logical cores), each running at 2.2 GHz, with 8 GB RAM.

Math Performance
[Chart; source: IBM Research Report, July 2014]

Random Access Performance
[Chart; source: IBM Research Report, July 2014]
Security of Docker Containers

How secure are Docker containers?

Intrinsic security of containers
- Depends on the kernel namespaces and cgroups features
- The code base has been around for more than 6 years

Attack surface of the Docker daemon
- Currently the Docker daemon requires root privileges, and you should therefore be careful
- Solution: two additional security improvements
  - Map the root user of a container to a non-root user of the Docker host, to mitigate the effects of a container-to-host privilege escalation
  - Allow the Docker daemon to run without root privileges

"Hardening" security features of the kernel
- Linux kernel capabilities
- Kernel with grsecurity and PaX
- Linux Security Modules
Security in CGE7

Standards Conformance
- CGL 5.0, STIG 2.0, USGv6, OSPP

Hardening security features of the kernel
- PaX, Linux capabilities, SELinux, etc.

CVE - Common Vulnerabilities and Exposures

Wide Deployment
Use Cases

Platform-as-a-Service (PaaS) Cloud

Containers-Based Multi-Tenancy in the Cloud

Bundling/Consolidating HW+SW Configurations in Network Servers
- Consolidate certain legacy applications all on the same platform
- Bundle HW plugin and SW plugin components with automatic configuration: launch a Docker image automatically based on hot plugging of certain HW

Migration Between Legacy Virtualization and Containers
- Move applications dynamically between KVM hypervisor-based deployments and Docker-based ones, contained in either virtual machine or container domains.

Cloud RAN
Docker Advantages

Docker Advantages

Portability across machines
- A container-based virtualization solution suitable for dynamic multi-node cloud deployments.
- Live migration capabilities.

Security and isolation of services and applications
- Comply with legal or contractual obligations to isolate an application.
- Prevent flawed applications from compromising the rest of the system.

Limit resource usage
- Get higher density and run more workloads.

Application-centric, easy and fast removal and addition
Docker Advantages

Copy-on-write mechanism
- Every instance of your Docker image uses the same files until one of them needs to change a file.
- Better utilization of system memory.
- Higher density of containers for a given resource than other container implementations.

Version control
- Container repository
- Component reuse
- Reducing the cycle time of development, testing and deployment
- Easy to deploy PaaS-type solutions

Active Community
Docker Security

If you really have to give root, give looks-like-root

If that's not enough, give root but build another wall

Don't run regular applications as root
- Remove SUID binaries, clear the SUID bit, mount file systems with nosuid
- Limit available syscalls (seccomp-bpf: whitelist/blacklist syscalls)
- SELinux (assign different security contexts to containers)

System services do not all have to be run as root
- Whitelist/blacklist devices
- Prevent unauthorized access (AppArmor, SELinux)
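The measures on this slide, together with the root-to-non-root user mapping from the "Security of Docker Containers" slide, modelled as an added example that is not from this deck or from MontaVista. It assumes nothing beyond the public formats involved: the `/proc/<pid>/uid_map` row layout used by user namespaces, the Docker seccomp profile JSON shape, and standard `docker run` flags. The uid_map, directory listing and syscall allowlist are constructed sample data, and `hardened_run_args` only builds the command line so the logic can be checked without a Docker daemon.

```python
"""Container hardening helpers (added example, not MontaVista code):
  1. user namespaces: translate a container UID to the host UID it really
     runs as ("looks-like-root");
  2. SUID hygiene: flag set-user-ID / set-group-ID files in a listing so
     they can be removed before the image ships;
  3. seccomp allowlist profile plus the docker run flags that drop
     capabilities, forbid privilege gain, mount /tmp nosuid and expose only
     an explicit device allowlist.
All sample data is constructed for the example."""
import json
import stat
from typing import List, Optional, Sequence, Tuple

UidMap = List[Tuple[int, int, int]]

# Constructed uid_map: container UIDs 0..65535 -> host UIDs 100000..165535,
# so container "root" is an unprivileged user on the host.
SAMPLE_UID_MAP = "0 100000 65536\n"


def parse_uid_map(text: str) -> UidMap:
    """Parse /proc/<pid>/uid_map rows: <container start> <host start> <length>."""
    rows: UidMap = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append((int(parts[0]), int(parts[1]), int(parts[2])))
    return rows


def container_to_host_uid(uid_map: UidMap, uid: int) -> Optional[int]:
    """Host UID for a container UID, or None if the UID is outside every
    mapped range (the kernel then shows it as the overflow UID, 'nobody')."""
    for c_start, h_start, length in uid_map:
        if c_start <= uid < c_start + length:
            return h_start + (uid - c_start)
    return None


# Constructed listing of (path, st_mode); two SUID entries and one SGID entry.
SAMPLE_LISTING = [
    ("/usr/bin/passwd", 0o104755),
    ("/usr/bin/sudo", 0o104755),
    ("/usr/bin/wall", 0o102755),
    ("/usr/bin/ls", 0o100755),
]


def find_setid_files(listing: Sequence[Tuple[str, int]]) -> List[str]:
    """Paths whose mode carries the set-user-ID or set-group-ID bit."""
    return [path for path, mode in listing if mode & (stat.S_ISUID | stat.S_ISGID)]


# Constructed minimal allowlist; a real one is derived by tracing the workload.
ALLOWED_SYSCALLS = ["read", "write", "exit", "exit_group", "brk", "mmap", "munmap",
                    "rt_sigreturn", "fstat", "close", "arch_prctl", "futex"]


def build_seccomp_profile(allowed: Sequence[str]) -> dict:
    """Docker-format seccomp profile: deny everything by default (ERRNO),
    allow only the listed syscalls."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": sorted(set(allowed)), "action": "SCMP_ACT_ALLOW"}],
    }


def hardened_run_args(image: str, profile_path: str = "seccomp-allowlist.json",
                      devices: Sequence[str] = ()) -> List[str]:
    """docker run argv combining the slide's measures; devices not listed
    stay invisible to the container."""
    args = [
        "docker", "run", "--rm",
        "--user", "1000:1000",                  # regular app, not root
        "--cap-drop=ALL",                       # start with no capabilities
        "--security-opt", "no-new-privileges",  # SUID/file caps cannot raise privileges
        "--read-only",                          # immutable root filesystem
        "--tmpfs", "/tmp:rw,nosuid,nodev,noexec,size=64m",
        "--security-opt", f"seccomp={profile_path}",
    ]
    for dev in devices:
        args += ["--device", dev]
    args.append(image)
    return args


if __name__ == "__main__":
    uid_map = parse_uid_map(SAMPLE_UID_MAP)
    print("container root runs on host as uid", container_to_host_uid(uid_map, 0))
    print("set-id files to remove:", find_setid_files(SAMPLE_LISTING))
    print(json.dumps(build_seccomp_profile(ALLOWED_SYSCALLS), indent=2))
    print(" ".join(hardened_run_args("alpine:3.19", devices=["/dev/net/tun"])))
```

The profile JSON is what `--security-opt seccomp=<file>` consumes; a denied syscall returns an error to the application rather than killing it, which makes the allowlist easier to tune from the application's own error output.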
CGE7 Advantages

Virtualization in CGE7

Virtualization in CGE7 offers the best combination of flexibility, performance and ease of application development:

1. KVM Hypervisor: full virtualization with paravirtualization options
2. Linux Containers: operating system resource virtualization (lxc, Docker)
3. Core Isolation: multicore I/O symmetry, Intel Multiprocessor Specification Version 1.4
Carrier Grade Docker Advantages

Combining Docker with an embedded, Carrier Grade distribution such as CGE7 offers several advantages over plain desktop distributions:

100% native Linux with real-time performance features, including hrtimers, core isolation and other enhancements

Support for various virtualization technologies
- You can choose the right virtualization technology for the right problem.

Long term commercial support options with customizable models for different use-cases

The same advantages can be extended to Cloud components like OpenStack
- Full use-case support using a single baseline.
Multi-Architecture support for Docker

A true multi-architecture platform with support for ARM64 exists today in embedded baselines (like MV CGE7); this enables Docker on all these architectures.

The best approach is to align with community development:
- Linaro Networking Group (LNG)
- GNU GCC (4.9+) with Go support (gccgo)

Support on a single Carrier-Grade baseline provides the best stability and deployability in the field.
Summary

Which Virtualization Solution Do You Choose?
- Performance requirements?
- Functionality and ease of use?
- How much legacy content do you want to preserve?

Questions?
Backup / rough slides

Performance Benchmarks: Host v/s Docker v/s KVM
- Real-time Latency
- Network Performance
- Process related latency
- File-system Performance

1. Real-time Latency: Cyclictest
2. Network Performance: netperf
3. Process Creation: lat_proc (lmbench)
4. Page Fault: lat_pagefault (lmbench)
5. File-system Read Performance: IOzone
6. File-system Write Performance: IOzone