Understanding Xen: Open‑Source Hypervisor Architecture and Virtualization Techniques
Xen is an open‑source hypervisor developed at Cambridge that can run up to 128 modified operating systems on a single machine. Its components are the Xen Hypervisor, Dom0 and DomU, and it supports full virtualization, paravirtualization, hardware‑assisted virtualization, and various I/O and network virtualization methods.
Xen Overview
Xen is an open‑source virtual machine monitor developed at Cambridge University. It aims to run up to 128 feature‑rich operating systems on a single computer; the OSes must be explicitly modified (ported) to run on Xen, though user‑level applications remain compatible, allowing high‑performance virtualization without special hardware.
Components of Xen
Xen consists of three parts:
Xen Hypervisor (VMM): Replaces the Linux kernel, managing virtual CPUs, memory, etc.
Dom0 (privileged domain): Provides hardware drivers for the VMM and offers simulated I/O to other domains; supported by Linux kernels 3.0+.
DomU (unprivileged domain): The actual guest operating system used in production.
Virtualization Types in Xen
Full virtualization: All hardware in DomU is emulated by the VMM and Dom0.
Paravirtualization: CPU and memory are virtualized, while I/O devices are split into front‑end (in DomU) and back‑end (in Dom0).
Hardware‑assisted paravirtualization (e.g., Intel VT‑d).
In this model, the DomU network interface eth0 maps to a vif device in Dom0, eliminating the need for Dom0 to emulate the NIC and greatly improving I/O performance.
Xen Hypervisor Variants
default/xm (Xen‑4.1): Requires the xend daemon.
default/xl (Xen‑4.2): Does not require xend.
CPU Virtualization Methods
Emulation: Pure software, low performance.
Virtualization:
Full virtualization (e.g., VMware binary translation, hardware‑assisted HVM).
Paravirtualization.
Memory Virtualization Techniques
From a process's perspective, memory is a linear address space; from the kernel's perspective, it is a physical address space. Virtualization implementations include:
Intel Extended Page Tables (EPT).
AMD Nested Page Tables (NPT).
I/O Virtualization Approaches
Emulation: Fully software‑based.
Paravirtualization: Uses front‑end and back‑end drivers.
I/O pass‑through (IO‑Through): For example Intel VT‑d, which leverages north‑bridge hardware.
Virtual Networking
Virtual networking is implemented via TUN/TAP devices. TAP acts as an Ethernet device handling layer‑2 frames, while TUN simulates a network‑layer device handling IP packets. The OS can send and receive data through these virtual interfaces, enabling various networking modes such as NAT, bridge, host‑only, route, and isolation.
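The layer‑2 versus layer‑3 difference shows up in the bytes a program reads from each device type. The following is an added example, not code from the original article: it decodes one constructed IPv4 packet as a TUN device would deliver it and the same packet as a TAP device would deliver it, wrapped in an Ethernet header. It assumes the Linux devices were opened with IFF_NO_PI (no packet‑info prefix); the addresses, MACs and function names are made up for illustration.

```python
import ipaddress
import struct

ETH_P_IP = 0x0800  # EtherType for IPv4

def parse_ipv4(pkt: bytes) -> dict:
    """Layer 3: what read() on a TUN device returns (IFF_NO_PI assumed)."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4  # header length in bytes
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IPv4 header length")
    return {
        "proto": pkt[9],
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "payload": pkt[ihl:],
    }

def parse_tap_frame(frame: bytes) -> dict:
    """Layer 2: what read() on a TAP device returns (IFF_NO_PI assumed)."""
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    out = {"dst_mac": dst.hex(":"), "src_mac": src.hex(":"), "ethertype": ethertype}
    if ethertype == ETH_P_IP:
        out["ip"] = parse_ipv4(frame[14:])  # IP packet starts after the 14-byte header
    return out

# Constructed sample data: one IPv4 packet (checksum left at 0, not verified here)
SAMPLE_TUN = struct.pack(
    "!BBHHHBBH4s4s", 0x45, 0, 24, 0, 0, 64, 17, 0,
    ipaddress.IPv4Address("10.0.0.2").packed,
    ipaddress.IPv4Address("10.0.0.1").packed,
) + b"data"
# The same packet as a TAP device would carry it, behind constructed MAC addresses
SAMPLE_TAP = bytes.fromhex("00163e000001" "00163e000002" "0800") + SAMPLE_TUN

if __name__ == "__main__":
    print("TUN:", parse_ipv4(SAMPLE_TUN))
    print("TAP:", parse_tap_frame(SAMPLE_TAP))
```

Feeding the TAP frame to the layer‑3 parser raises ValueError, which is why a capture or filtering tool has to know which device type it is attached to before interpreting the bytes.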
MaGe Linux Operations
