Open Source Xen 4.3 Advances Server Virtualization Security
The open source Xen virtualization hypervisor project got a new lease on life when it became a Linux Foundation Collaboration project earlier this year. Now the Xen project is out with is first release under the Linux Foundation banner with Xen 4.3.
The new release offers new scalability and security capabilities as well as ARM and software-defined networking (SDN) technology previews.
Lars Kurth, community manager, Xen Project, explained to ServerWatch that Xen Project 4.3 was the first release with a release coordinator. The coordinator is George Dunlap, who volunteered to do the job.
Dunlap regularly polled the major Xen contributors on what they were working on and how that work was going. Kurth added that as part of the Xen 4.3 development there were six community test days built into the release cycle.
Overall, Kurth noted that the development cycle changes were decided by the community in line with Xen Project governance, and those changes started before Xen Project became a Linux Foundation Collaborative Project.
"None of the day-to-day operations of the project have really changed," Kurth said.
NUMA hardware also gets a boost in the 4.3 release.
Xen now supports up to 16TB of physical RAM, up from 5 TB in the previous release. The increase in RAM support is complemented by a corresponding increase in virtual CPU support as well. Xen 4.3 supports up to 750 virtual CPUs, a significant improvement from the prior limit of only 300.
Xen is now also moving beyond x86 with a technology preview for ARM support.
The mainline Linux kernel already provides ARM support, but the challenge is that the Xen hypervisor is not in the mainline kernel.
"What is in the kernel is the PVOPS framework and Xen-related drivers," Kurth explained. "This means that Linux will work out-of-the box as Dom0 and DomU with the Xen Hypervisor."
Kurth added that the Xen Project maintains the PVOPS framework and Xen drivers within the Linux kernel, as well as the Xen Hypervisor.
He explained that Linux Distros tend to consume the Xen Hypervisor and deliver it as packages: the typical workflow is a) Install a Dom0 Distro, and b) Install the Xen Hypervisor package and reboot, at which point the Dom0 distro runs on top of Xen.
"All the Xen-related ARM support had previously been upstreamed to the Linux kernel," Kurth said. "Of course, we had to add ARM support to the hypervisor itself."
Xen 4.3 also includes new security capabilities with its XSM-Flask modules (Xen Security Modules - Flux Advanced Security Kernel). XSM-Flask provides granular-level security controls.
Providing granular-level security controls is also the goal of the SELinux project, which is packaged in multiple Linux distributions, including Red Hat Enterprise Linux. Kurth explained that XSM-Flask and SELinux are orthogonal to each other and can indeed be used together.
"XSM allows administrators or developers to exert fine-grained control over a Xen domain and its capabilities, whereas SELinux provides that control over the kernel's capabilities," Kurth said. "Specifically, XSM makes it possible to define permissible interactions between domains (VMs), the hypervisor itself, and related resources such as memory and devices. "
Kurth added that XSM-Flask's approach is architecturally similar to SELinux and, in fact, the same tools that are available to develop and validate SELinux policies can be applied to XSM.
Xen 4.3 also includes a technology preview for Open vSwitch support. Open vSwitch is an open source virtual switch technology that first landed in the mainline Linux 3.3 kernel in March of 2012.
"It's worth noting that support for Open vSwitch has all the important features necessary to use; however, it was only integrated into the mainline tree about six weeks ago," Kurth said. "Some of our developers have switched over to using Open vSwitch and have had no trouble, but before we recommend that users apply a feature in production environments, we want to make sure that it has had adequate testing."
Kurth expects Open vSwitch to be a fully supported feature in the Xen 4.4 release.
"We always label major new features as tech previews in the first release in which the major feature appears," Kurth said. "Depending on the amount of use we get in the field during the first release (in this case Xen 4.3), we move the feature to supported in the next release."
Read more on "Server Virtualization Spotlight" »