Virtualization & Containers: The Foundations of Cloud Computing

Virtualization is the ability to run multiple, independent operating systems on a single physical machine. It has revolutionized the IT industry, enabling the efficiency and scalability of the modern Cloud.

This chapter explores the architectural difference between Virtual Machines (VMs) and Containers, the hardware acceleration that makes them fast, and the orchestration layers that manage them at scale.

1. The Virtualization Spectrum

1.1 Full Virtualization

The Guest OS is unaware it is running in a virtual environment.

Binary Translation: If a Guest OS tries to execute a privileged instruction (Ring 0), the Hypervisor catches it, translates it, and executes a safe alternative.
Pros: Any OS can run unmodified.
Cons: High overhead.

1.2 Para-virtualization (Xen)

The Guest OS is modified to be aware it is virtualized.

Hypercalls: Instead of trying to execute privileged instructions, the Guest calls the Hypervisor directly via a special API.
Pros: Lower overhead.
Cons: The Guest OS kernel must be modified.

1.3 Hardware-Assisted Virtualization (Modern Standard)

Modern CPUs (Intel VT-x, AMD-V) have built-in support for virtualization.

VMX Root/Non-Root Mode: The CPU provides a hardware "trap" that automatically handles privileged instructions. No binary translation or kernel modification is needed.

2. The Hypervisor (VMM) Architecture

A Virtual Machine Monitor (VMM) manages the CPU, Memory, and I/O resources of the physical host.

2.1 Type 1 (Bare Metal)

The Hypervisor runs directly on the hardware.

Examples: VMware ESXi, Xen, Microsoft Hyper-V.
Pros: High performance and security isolation.

2.2 Type 2 (Hosted)

The Hypervisor runs as an application on top of a host OS.

Examples: VMware Workstation, Oracle VirtualBox.
Pros: Ease of use.

2.3 KVM (Kernel-based Virtual Machine)

KVM is unique. It turns the Linux kernel into a Type 1 Hypervisor by making it a "VMX Root" manager.

QEMU: A user-space program that emulates the "Virtual Hardware" (Disk, Network, BIOS) while KVM handles the CPU and Memory.

3. Hardware Acceleration: MMU and I/O

3.1 Memory: EPT (Extended Page Tables)

In a VM, there are two levels of memory translation:

Guest Virtual -> Guest Physical
Guest Physical -> Host Physical

Without Acceleration: The Hypervisor must manually manage "Shadow Page Tables," which is extremely slow.
With EPT/NPT: The CPU hardware handles both levels of translation in a single "Page Walk."

3.2 I/O: SR-IOV and VT-d

VT-d (Direct I/O): Allows a VM to directly "own" a physical hardware device (e.g., a GPU or NIC), bypassing the Hypervisor for near-native performance.
SR-IOV: Allows a single physical device to present itself as multiple "Virtual Functions" to different VMs.

4. Container Technology: The Lightweight Alternative

Containers do not virtualize hardware. They isolate User-Space Processes using features already present in the host kernel.

4.1 Linux Namespaces (The "View" Isolation)

PID: The container sees itself as PID 1.
NET: Private network stack (own IP, routing table, firewall).
MNT: Private mount points (cannot see host files).
UTS: Private hostname.

4.2 Cgroups v2 (The "Resource" Isolation)

Limits and accounts for resource usage (CPU shares, Memory limits, Disk I/O throttling).

OOM Killer: If a container exceeds its Cgroup memory limit, the kernel will kill it while leaving the host and other containers safe.

4.3 Union File Systems (OverlayFS)

Allows combining multiple directories into one.

Layered Architecture: Docker images consist of multiple read-only layers with a single writable layer on top. This makes images extremely small and efficient.

5. Comparison: VM vs Container

Feature	Virtual Machine (VM)	Container
Isolation	Hardware-level (Strong)	Process-level (Moderate)
Guest OS	Full OS per VM	Shared Host Kernel
Startup	Minutes	Seconds
Overhead	High (full kernel per VM)	Negligible
Kernel Version	Can be different	Must be same as host

6. Container Orchestration (Kubernetes)

When running thousands of containers across a cluster, manual management is impossible.

Scheduler: Decides which physical node should run a Pod based on resource availability.
Networking (CNI): Ensures every container in the cluster has its own IP and can talk to any other container.
Storage (CSI): Dynamically mounts persistent disks to containers as they move across nodes.

7. Virtualization & Container Debugging Tools

Tool	Purpose	Key Metric
`virsh`	KVM Management	List, start, stop, and snapshot VMs
`docker stats`	Container Health	Real-time resource usage per container
`nsenter`	Deep-dive	Enter a running container's namespace for debugging
`crictl`	Runtime	Low-level tool for Kubernetes container runtime
`kubectl`	Orchestration	The primary interface for Kubernetes clusters

8. Summary Checklist

Explain the difference between Type 1 and Type 2 Hypervisors.
How does EPT (Extended Page Tables) speed up VM memory access?
What is the role of the Linux Kernel in KVM virtualization?
Compare "Shadow Page Tables" with "Hardware-Assisted Paging."
Why do containers have lower overhead than Virtual Machines?

End of Chapter 09. Continue to Chapter 10: Linux Essentials.

1. The Virtualization Spectrum​

1.1 Full Virtualization​

1.2 Para-virtualization (Xen)​

1.3 Hardware-Assisted Virtualization (Modern Standard)​

2. The Hypervisor (VMM) Architecture​

2.1 Type 1 (Bare Metal)​

2.2 Type 2 (Hosted)​

2.3 KVM (Kernel-based Virtual Machine)​

3. Hardware Acceleration: MMU and I/O​

3.1 Memory: EPT (Extended Page Tables)​

3.2 I/O: SR-IOV and VT-d​

4. Container Technology: The Lightweight Alternative​

4.1 Linux Namespaces (The "View" Isolation)​

4.2 Cgroups v2 (The "Resource" Isolation)​

4.3 Union File Systems (OverlayFS)​

5. Comparison: VM vs Container​

6. Container Orchestration (Kubernetes)​

7. Virtualization & Container Debugging Tools​

8. Summary Checklist​