Virtualization separates hardware from software. The opportunities presented by this separation are startling. Long ago, engineers conceived virtualization as a tool for supporting multiple users on a single computer. A side effect of this separation was the possibility of providing significantly different and separate environments for each user. Eventually, virtualization came to support a rich environment for entire ecosystems of applications and services and became the foundation for cloud computing.
This is a developer’s phrase for coding for yourself rather than using a standard library, an off-the-shelf component, and so on.
Quiesce means to become still or cease activity.
Some virtualization products streamline the movement from server to server using proprietary technology, taking a snapshot of memory and quiescing the original VM once the snapshot is stable. The rest of the process is the same, but it is automated, so there is no human latency.
The scenario described here is not the migration of processes from one physical device or hypervisor to another. The memory snapshots used for migration hold state, and the state is reproduced in the target VM. For state recovery to become an issue during migration, something would have to happen to interrupt the migration and cause the snapshot to be damaged or lost. This is not impossible but unlikely.
Medium Access Control (MAC) addresses are globally unique strings that are assigned when hardware is manufactured. The global uniqueness of MAC addresses is a fundamental assumption of computer networking. When VMs are not exposed outside the virtualized space, MAC addresses can be assigned and changed by the hypervisor, which follows its own rules. When a VM can communicate with the outside, MAC addresses must be assigned more carefully.
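As an added illustration of the uniqueness rule in this footnote (example code written for this page, not from the book): a small audit that flags hypervisor-assigned MAC addresses which would collide on a segment other hosts can see, or which are not valid unicast addresses at all. The VM inventory and the list of physical hosts are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample data (not from the book): VM name, hypervisor-assigned MAC, segment.
VMS = [
    ("web-1",  "52:54:00:12:34:56", "external"),
    ("web-2",  "52:54:00:12:34:56", "external"),    # same MAC as web-1 on a shared LAN
    ("db-1",   "52:54:00:aa:bb:cc", "internal-a"),
    ("db-2",   "52:54:00:aa:bb:cc", "internal-b"),  # same MAC, but isolated switch: harmless
    ("bad-1",  "01:00:5e:00:00:01", "internal-a"),  # multicast bit set: not a unicast MAC
    ("mgmt-1", "00:1b:21:0a:0b:0c", "external"),    # clashes with a physical host below
]
# Constructed: MACs of physical hosts already on the external LAN.
PHYSICAL_HOSTS = {"00:1b:21:0a:0b:0c": "router-1"}

_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

def parse_mac(mac):
    """Normalise to lowercase colon form; raise ValueError if malformed."""
    m = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(m):
        raise ValueError(f"malformed MAC: {mac!r}")
    return m

def is_multicast(mac):
    """I/G bit (lowest bit of the first octet) set means a group address."""
    return bool(int(parse_mac(mac)[:2], 16) & 0x01)

def is_locally_administered(mac):
    """U/L bit (second lowest bit of the first octet) set means not manufacturer-assigned."""
    return bool(int(parse_mac(mac)[:2], 16) & 0x02)

def audit(vms, physical_hosts):
    """Return (vm_name, problem) pairs for MACs that break the uniqueness rule."""
    findings = []
    seen = defaultdict(list)  # (segment, mac) -> VM names using it there
    for name, mac, segment in vms:
        mac = parse_mac(mac)
        if is_multicast(mac):
            findings.append((name, f"{mac} has the multicast bit set"))
        if segment == "external" and mac in physical_hosts:
            findings.append((name, f"{mac} collides with physical host {physical_hosts[mac]}"))
        seen[(segment, mac)].append(name)
    # Duplicates only matter among NICs that share a segment; isolated switches are fine.
    for (segment, mac), names in seen.items():
        if len(names) > 1:
            findings.extend((n, f"duplicate MAC {mac} on segment {segment}") for n in names)
    return findings
```

Run `audit(VMS, PHYSICAL_HOSTS)` to see which constructed VMs are flagged; the two database VMs share a MAC but sit on separate isolated switches, so they are not reported.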
One way of accomplishing this is with a reverse proxy. A reverse proxy acts as a front end with an address that does not change. The proxy keeps track of the real location of services and forwards the message to the real target. When the target replies, it sends the message to the reverse proxy, which then passes the message on to the originator. This is similar to Network Address Translation described in the next section.
Be cautious. The security benefits of NAT are a side effect, not part of its design. It is irrelevant to most common exploits. No one should ever assume that because NAT is in place, their network is safe.
See http://dmtf.org/standards/ovf for further information on the OVF standard.
OVF is supported by most major hypervisor manufacturers, including IBM, VMware, Microsoft, Oracle, and Citrix.
Chapter 11: Splendid Isolation