Virtualization Explained: From VMware’s Binary Translation to Modern Containers
This article explores the evolution of virtualization technologies, detailing the principles and differences of full and para-virtualization, hardware‑assisted solutions like Intel VT/AMD‑V, and the rise of containerization with LXC and Docker, while illustrating key architectures such as VMware, Xen, KVM‑QEMU, and GPU virtualization.
Historical Background
Virtualization is a resource‑management technique that abstracts physical resources (CPU, memory, storage, network) into one or more virtual environments.
Key concepts include partitioning, VM isolation, and encapsulation, allowing multiple VMs to run on a single server without interfering with each other.
Computers can be viewed as three layers: hardware, operating system, and applications.
Two classic virtualization models exist: Type‑1 (bare‑metal) and Type‑2 (hosted).
In the diagrams, VMM stands for Virtual Machine Monitor, also known as a Hypervisor.
Full Virtualization: VMware Binary Translation
Modern x86 CPUs use protection rings (Ring0‑Ring3). The OS kernel runs in Ring0, applications in Ring3.
Privileged instructions can only execute in Ring0; attempts in Ring3 cause exceptions.
VMware introduced binary translation: the VMM translates guest instructions into safe host instructions, similar to a Java VM translating bytecode.
Only instructions that are already "safe" are executed directly on the CPU; skipping translation for them improves performance.
Full virtualization fully simulates hardware, allowing unmodified guest OSes to run, but at a performance cost.
Para‑Virtualization: Xen Kernel Modifications
Para‑virtualization replaces privileged instructions with hypercalls to the VMM, reducing the need for instruction trapping.
Xen, an open‑source project from 2003, exemplifies this approach but requires OS source modifications, making it unsuitable for closed‑source systems like Windows.
Virtualization Software Architecture Classification
Server virtualization is a key cloud‑computing technology and can be classified as:
Hosted virtualization: a management program runs on a host OS and creates VMs.
Bare‑metal virtualization: the hypervisor runs directly on hardware.
OS‑level virtualization: the host OS itself partitions resources (e.g., Docker, OpenVZ).
Hybrid virtualization: a kernel‑level driver (VHM) mediates hardware access.
Memory Virtualization
Virtualization managers must present a consistent memory view to each guest, translating guest physical addresses to host physical addresses.
Techniques include shadow page tables (full memory virtualization) and extended page tables (EPT) for hardware‑assisted memory virtualization.
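The two techniques can be compared in a toy model. This is an added example, not code from the original article: it assumes single-level page tables stored as dictionaries, 4 KiB pages, and constructed mappings, and every name in it is hypothetical.

```python
PAGE = 4096  # 4 KiB pages

class PageFault(Exception):
    """No mapping exists at some translation stage."""

def translate(table, addr, stage):
    """Map addr through one {page_number: frame_number} table."""
    page, offset = divmod(addr, PAGE)
    if page not in table:
        raise PageFault(f"{stage}: page {page:#x} not mapped")
    return table[page] * PAGE + offset

def two_stage(guest_pt, ept, gva):
    """Hardware-assisted path: walk the guest table, then the EPT."""
    gpa = translate(guest_pt, gva, "guest page table")
    return translate(ept, gpa, "EPT")

def build_shadow(guest_pt, gpa_to_hpa):
    """Software path: the VMM precomputes guest virtual page -> host frame.
    Guest frames with no host backing are left unmapped."""
    return {vpage: gpa_to_hpa[gframe]
            for vpage, gframe in guest_pt.items() if gframe in gpa_to_hpa}

def is_reachable(guest_pt, ept, gva):
    """True if the guest address resolves to host memory the VMM mapped."""
    try:
        two_stage(guest_pt, ept, gva)
        return True
    except PageFault:
        return False

# Constructed sample mappings (page numbers, not addresses).
GUEST_PT = {0x10: 0x2, 0x11: 0x3}  # guest virtual page -> guest physical frame
HOST_MAP = {0x2: 0x80, 0x3: 0x95}  # guest physical frame -> host physical frame

def demo():
    gva = 0x10 * PAGE + 0x123
    shadow = build_shadow(GUEST_PT, HOST_MAP)
    via_shadow = translate(shadow, gva, "shadow page table")
    via_ept = two_stage(GUEST_PT, HOST_MAP, gva)
    # The guest remaps page 0x10. The shadow table is stale until the VMM
    # rebuilds it; the two-stage walk follows the guest table immediately.
    remapped = dict(GUEST_PT)
    remapped[0x10] = 0x3
    stale = translate(shadow, gva, "shadow page table")
    fresh = two_stage(remapped, HOST_MAP, gva)
    return via_shadow, via_ept, stale, fresh

if __name__ == "__main__":
    print([hex(a) for a in demo()])
```

A guest page table entry that points at a guest frame the VMM never backed faults in the second stage, which is the isolation property both techniques must preserve.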
Hardware‑Assisted Virtualization (VT / AMD‑V)
Intel VT‑x adds VMX root and non‑root operation modes, allowing VMMs to run in root mode while guests run in non‑root mode, both supporting Ring0‑Ring3 privilege levels.
VT‑d enables direct I/O access for VMs, while VT‑c (including VMDq and VMDc) improves network I/O handling.
AMD‑V provides similar capabilities.
KVM‑QEMU
KVM (Kernel‑based Virtual Machine) is a Linux kernel hypervisor that relies on hardware‑assisted virtualization for CPU and memory.
QEMU provides device emulation; together they form the KVM‑QEMU architecture, a popular choice for cloud providers.
GPU and GPU Virtualization
GPU passthrough assigns a physical GPU to a VM; GPU sharing allows multiple VMs to share a GPU via a GPU server; vGPU virtualization splits a GPU into multiple virtual GPUs.
SR‑IOV enables a physical NIC to present multiple virtual functions directly to VMs.
I/O Virtualization
I/O virtualization aims to provide VMs with necessary I/O resources while isolating them and reducing overhead.
Full I/O virtualization simulates devices; para‑virtualization uses front‑end/back‑end queues (e.g., Xen’s Dom0).
Container Technology – LXC & Docker
Containers provide OS‑level isolation using cgroups and namespaces, creating lightweight execution environments.
LXC is a classic implementation; Docker builds on LXC concepts, packaging applications and dependencies into portable images.
Containers are more lightweight than full VMs but offer weaker isolation.
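How much isolation a given container actually has can be checked by comparing its namespaces with the host's. The following is an added example, not part of the original article: it reads the `/proc/<pid>/ns` symlinks on Linux, and the sample identifiers and function names are constructed for illustration.

```python
import os

NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")

def read_namespaces(pid="self", proc="/proc"):
    """Return {ns_type: 'type:[inode]'} from the /proc/<pid>/ns symlinks.
    Reading another user's process (for example PID 1) usually needs root."""
    result = {}
    for ns in NS_TYPES:
        try:
            result[ns] = os.readlink(os.path.join(proc, str(pid), "ns", ns))
        except OSError:
            continue  # namespace type unsupported, or not readable
    return result

def shared_namespaces(container, host):
    """Namespace types where the container process uses the host's instance."""
    return sorted(ns for ns, ident in container.items()
                  if host.get(ns) == ident)

# Constructed sample: a host init process and a container process that was
# started with host networking and without a separate user namespace.
HOST = {
    "cgroup": "cgroup:[4026531835]", "ipc": "ipc:[4026531839]",
    "mnt": "mnt:[4026531840]", "net": "net:[4026531992]",
    "pid": "pid:[4026531836]", "user": "user:[4026531837]",
    "uts": "uts:[4026531838]",
}
CONTAINER = {
    "cgroup": "cgroup:[4026532310]", "ipc": "ipc:[4026532308]",
    "mnt": "mnt:[4026532306]", "net": "net:[4026531992]",
    "pid": "pid:[4026532309]", "user": "user:[4026531837]",
    "uts": "uts:[4026532307]",
}

if __name__ == "__main__":
    # On a live system: shared_namespaces(read_namespaces(pid), read_namespaces(1))
    print(shared_namespaces(CONTAINER, HOST))
```

Each namespace type that appears in the result is a resource the container process sees exactly as the host does, so a shorter list means stronger separation.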
Conclusion
The article introduced basic virtualization concepts, the challenges of early x86 virtualization, and how hardware support (Intel VT, AMD‑V) and modern solutions like KVM, Xen, and containers have evolved to meet cloud‑computing demands.
Source: WeChat public account "Architecture Engineer Technical Alliance"
