![]() Most significantly, VMCS shadowing registers are freely available to the kernel running on the bare-metal instance, which is unique for EC2 instances. If the instance hypervisor does not violate the boundaries established by Nitro, there is no intervention and no effect upon performance. The Nitro firmware thus provides nested virtualization with no material effect on performance (consuming only a small amount of additional processor resources). Not every register in the VMCS requires the first level hypervisor to monitor. The first-level hypervisor-in this case the Nitro system-keeps a copy of the second to nth level VMCS and only investigates registers that are different from the cached version. The VMCS is a set of registers that controls access to hardware features by a virtual machine (pdf). Virtual Machine Control Structure ( VMCS) Shadowing provides hardware-nested virtualization on Intel Processors. See Key Virtualization Features Exploited by the Nitro Firmwareīelow is a brief, incomplete summary of virtualization features exploited by the Nitro system-particularly in the bare metal instances. Image above: Amazon’s i3 platform includes the Annapurna ASIC, the Nitro PCI Card, and the Nitro Firmware. Thus, a hypervisor such as KVM, Xen, or VMWare can be run directly in an i3.metal instance partitioned by the Nitro firmware. Importantly, Nitro on the i3.metal system exposes hardware virtualization features to the running kernel, which can be a hypervisor. Nitro protects the Annapurna ASIC and the multi-root PCI hardware from being reprogrammed for the i3.metal systems, but nothing else (this invisible presence is to protect against the use of unauthorized elastic block stores or network access.) For example, while Nitro has no hardware emulation (which is the role of QEMU in a conventional KVM hypervisor), Nitro does enable self-virtualizing hardware (pdf). ![]() In this sense, Nitro is more properly viewed as partitioning firmware that uses hardware self-virtualization features, including support for nested virtualization on the i3.metal instances. From these presentations, it is clear that the Nitro firmware includes a stripped-down version of the KVM hypervisor that forgoes the QEMU emulator and passes hardware directly to the running instance. Together, we refer to the Nitro card, Annapurna ASIC, and Nitro hypervisor as the Nitro System. (See the EC2 FAQs entry for the Nitro Hypervisor for some additional details.)Īlthough Amazon has not released much information about the Nitro system there are important technical insights in Brendan Gregg’s blog and in two videos ( here and here ) from the November 2017 AWS re:Invent conference. The second improvement is the Nitro hypervisor, which replaces Xen for all new EC2 instance types. The first is the combination of the Annapurna ASIC and the Nitro PCI card, which together integrate security, storage, and network I/O within custom silicon. ![]() The i3 family platforms include two improvements from what Amazon has historically offered to AWS customers. Read on for details! i3.metal and the Nitro System We were able to run more than six thousand KVM virtual machines on one of these instances, far beyond our pessimistic guess of around two thousand. In the remainder of this post we will discuss what makes these platforms important and unique, how we ran KVM virtual machines on the platform using Amazon’s own Linux distribution, and how we measured its performance and capacity using kprobes and the extended Berkeley Packetcpu Filter eBPF . ![]() Amazon has recently released to general availability the i3.metal instance, which allows us to do some things which we could not do before in the Amazon cloud, such as running an unmodified hypervisor. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |