Advancing Linux Virtualization For Cloud And Container Workloads

ByThe Aha Unix Team

The Need for Improved Virtualization

Virtualization technology enables more efficient utilization of hardware resources by allowing multiple virtual machines (VMs) to run on a single physical server. However, existing virtualization solutions based on hypervisors have limitations including substantial performance overhead. For example, the guest VM communicates with virtualized hardware through emulated device drivers which adds latency. Furthermore, the hypervisor must schedule both itself and guest VMs, resulting in CPU scheduling overhead.

As cloud computing and container workloads grow more pervasive, reductions in virtualization overhead can significantly improve density and reduce costs. Optimizing Linux virtualization with paravirtualized drivers and components integrated into the kernel can help address these inefficiencies.

Linux Kernel-based Virtual Machine (KVM)

Kernel-based Virtual Machine (KVM) is a virtualization module in the Linux kernel that allows the kernel to function as a hypervisor. Unlike traditional hypervisors that run atop the host operating system, KVM enables guest VMs to leverage hardware virtualization support on modern CPUs for acceleration.

The KVM architecture includes a host Linux OS running the KVM kernel module for core virtualization functionality along with QEMU for emulating virtual hardware. When guests issue commands to virtual hardware, KVM translates these into calls to physical hardware. Furthermore, KVM has a clean interface enabling components like schedulers and security modules to be integrated from other projects.


qm set $INSTANCE --kvm 1 --vcpu 2 --memory 2048 
qm monitor $INSTANCE qmp capabilities | grep kvm

As shown above, the qemu-system command can launch KVM-enabled guests by passing the –kvm flag. This allows the capabilities command to confirm acceleration is active.

VirtIO Paravirtualized Devices

While KVM offloads most virtualization overhead to hardware, virtio devices aim to optimize performance-critical I/O pathways by eliminating emulated devices. Virtio provides paravirtualized drivers incorporated into guest VM kernels which communicate directly with host hardware instead of going through emulated hardware.

Rather than attempt to emulate specific physical devices, virtio devices provide a simplified abstraction exposing only essential configuration and data channels to guests. This allows guests to interact with a versatile range of virtual device types including network, block storage, GPU, input, memory ballooning, and more.


qm set $INSTANCE --virtio0 eth0,bridge=vmbr0
qm set $INSTANCE --ide2 /var/lib/vz/images/$INSTANCE-disk-1.qcow2,virtio1

As demonstrated above, virtio drivers can be configured for networking as well as block devices. This enables guests to achieve I/O performance approaching bare metal while consolidating workloads.

Security Improvements with sVirt

While KVM securely isolates guest VMs in hardware, additional security enhancements are needed to minimize risks from a compromised VM. SELinux sVirt provides mandatory access control policies to limit damage if a VM is compromised by restricting access to resources on the host.

The sVirt architecture associates each guest VM and process with an security context label defining its access permissions. This context restricts VM access to only pre-approved files, devices, and host processes defined in SELinux policies even if exploited by an attacker.


semanage fcontext -a -t virt_image_t "/vm_storage(/.*)?"
setsebool -P virt_use_nfs on
setsebool -P virt_sandbox_use_all_caps off

As shown above, SELinux policies can enforce strict controls limiting hypervisors and VMs to only necessary resources and capabilities. This security-focused approach reduces the host’s attack surface.

Advanced Scheduling with Crosvm

The Chromium OS Virtual Machine Monitor (Crosvm) is a lightweight VMM optimized for container deployment on Google Cloud Platform and Chrome OS. While Crosvm relies on KVM for hardware virtualization, it implements multiple innovations on top like a custom scheduler to optimize for cloud workloads.

Crosvm’s scheduler aims maximize resource utilization across VMs by balancing vCPU thread usage within and across physical cores. The scheduler supports features like pinning vCPU threads to improve NUMA locality, adaptive affinities for low-latency adjustments, and utilization balancing via work stealing.


crosvm run --cpu 1,3-5 -m 2G --socket 1 
crosvm run --affinity adaptive --priority 80
crosvm run --scheduler-policy steal

As shown above, command line flags can configure advanced Crosvm scheduler policies for bandwidth reservation, vCPU placement, priorities, and load balancing techniques.

The Future of Linux Virtualization

Ongoing Linux virtualization advancements are focused on reducing performance overheads to improve density and efficiency. For example, split device drivers decompose drivers between guest and host to avoid transitions during hot paths. This technique shows substantial latency improvements for network and storage I/O.

As container orchestration frameworks Kubernetes, Docker, and more continue gaining popularity, purpose-built secure container runtimes realized via virtualization will help drive adoption. Optimized Linux virtualization solutions integrated with compiler toolchains, kernels, and orchestrators will power the next generation of high-efficiency cloud and edge computing.

With compelling improvements on the horizon, the open source Linux virtualization community welcomes involvement from developers, organizations, and platforms willing to collaborate on advancing Linux as the industry-standard hypervisor kernel.

Leave a Reply

Your email address will not be published. Required fields are marked *