Communication between virtual machines (VM) may take place in a virtual switch (vSwitch) environment. Communication between virtual machines may also take place in a physical switch environment.
The same numbers are used throughout the disclosure and the figures to reference like components and features. Numbers in the 100 series refer to features originally found in
As described above, communications between virtual machines (VM) may take place either in a virtual switch (vSwitch) environment or in a physical switch environment. Increasingly powerful servers are being loaded with greater numbers of virtual machines. The increasing number of VMs running in a physical server and the corresponding increased amount of VM-to-VM network traffic can quickly cause the vSwitch layer to become a performance bottleneck and may thus increase latency. The performance of the vSwitch may thus be a limiting factor preventing scale out of the number of VMs running on a given server. Central processing unit (CPU) cycles that are spent copying network packets from one VM to another may then not be available for use by the VMs for packet processing and other operations. Running the VMs on different non-uniform memory access (NUMA) nodes may cause processor interconnect congestion. For example, copying data via a CPU from one location to another may cause CPU stalls as the processor waits for memory to be accessed. Depending on the level of cache in which the data resides, there may be significant delays. Additionally, when a copy operation pulls the data into the copying core's cache and the next VM to access the data is running on another core or processor, the data may have to be written back to memory before it can be accessed by the second core running that VM.
When communication between virtual machines takes place in a physical switch environment, hardware may be used to offload the vSwitch functions to a physical switch through a peripheral component interface network interface controller (pNIC). Offloading the vSwitch function to the physical switch through a pNIC may be referred to as hair pinning. Hair pinning may be performed using either a switch within the server or via a top of rack switch. However, hair pinning may also have performance limitations as well as considerable cost implications. Further, placing high traffic on a peripheral bus may introduce a security risk due to the possibility of malicious interference by hackers.
The techniques described herein relate generally to copying packets from one VM to another VM. In particular, techniques described herein can copy packets from one VM to another VM without burdening a CPU. In some examples, the techniques described herein can use a direct memory access (DMA) device to copy packets from VM to VM. As used herein, the direct memory access device can be any DMA engine, or any non-CPU agent, that can be used to copy packets from VM to VM within the scope of the techniques described herein. For example, in one embodiment, the DMA device can include I/O Acceleration Technology (I/OAT) by Intel®, or may include any of the relevant components of the I/OAT. In some examples, after the vSwitch has determined the source and destination for a packet in VM-to-VM traffic, the packet transfer may become a memory copy operation. For example, a vSwitch may offload the memory copy function to a DMA device. Offloading the memory copy function to the DMA device may enable packets to be transferred from one VM to another VM without the CPU having to perform the copy operation and without having to use physical switch bandwidth. The techniques described herein may thus free up CPU cycles that may otherwise be used for data copies.
The techniques described herein may provide a solution to the problems associated with using a vSwitch. In some examples, the techniques described herein may incorporate a DMA device for copying packets from VM to VM. After the vSwitch has determined that the source and the destination for a packet are VMs on the same platform, the memory copy operation of a vSwitch can be offloaded to the DMA device to perform the memory copy function.
The techniques described herein may also leave the bulk of the vSwitch software unchanged. For example, the techniques described herein may be backward compatible with existing vSwitch hardware. The techniques described herein may still enable the vSwitch to perform firewall operations, access control lists (ACLs), or encryption and decryption services. Thus, no changes to an existing software application may be needed in order to realize the benefits of the techniques described herein.
Furthermore, the techniques described herein do not use peripheral bus bandwidth and do not burden a physical switch with VM-to-VM traffic. Thus, network traffic to and from the platform is less likely to encounter congestion. Also, the techniques described herein eliminate the cost, power, space, components, etc., associated with using a physical switch for intra-platform communications. Thus, the techniques described herein enable the switch to be provisioned for external traffic only, rather than for both external and internal traffic.
Furthermore, the data movements performed according to the techniques described herein are memory transactions, and not Peripheral Component Interconnect Express (PCIe) transactions. The memory copies may thus be performed at full memory bandwidth speed. In addition, the copies may be more efficient and use less bandwidth than CPU copies because they do not involve moving data from the memory controller to the CPU, and CPU cycles are not wasted waiting for memory. The techniques described herein thus enable data copy by the chipset instead of the CPU, moving data more efficiently through the server and providing fast, scalable and reliable throughput.
The memory device 104 can include random access memory (RAM), read only memory (ROM), flash memory, or any other suitable memory systems. For example, the memory device 104 may include dynamic random access memory (DRAM). In some examples, the DMA device 110 may be disposed in a memory controller (not shown) of the memory device 104. For example, the DMA device may be a DMA engine. The memory device 104 may include device drivers that are configured to execute the instructions for communication between virtual machines. The device drivers may be software, an application program, application code, or the like.
The computing device 101 may also include a storage device 106. The storage device 106 is a physical memory such as a hard drive, an optical drive, a thumbdrive, an array of drives, a solid-state drive, or any combinations thereof. The storage device 106 may also include remote storage drives.
The computing device 101 may also include a network interface controller (NIC) 108, a DMA device 110, a hypervisor 112, a first virtual machine 114, a second virtual machine 116, and a virtual switch 118. The NIC 108 may be configured to connect the computing device 101 through the bus to a network 150. The network 150 may be a wide area network (WAN), local area network (LAN), or the Internet, among others. In some examples, the device may communicate with other devices through a wireless technology. For example, the device may communicate with other devices via a wireless local area network connection. In some examples, the device may connect and communicate with other devices via Bluetooth® or similar technology.
In some examples, in order to initialize computer system 100, the vSwitch 118 can be initialized. In some examples, all virtual ports and all physical ports can be initialized. The DMA device 110 can then be initialized. In some examples, the DMA device 110 may note virtual and physical ports, together with their MAC addresses, for packet forwarding. In some examples, packet forwarding may be performed via the DMA device 110 or a physical port. In some examples, the link status of any port may then be presented. From this point onward, the vSwitch 118 and the DMA device 110 may be initialized. In some examples, if a user adds another port, the additional port may also be initialized. One or more packets may then be transferred between the first virtual machine 114 and the second virtual machine 116 according to the methods 200 and 400 described in
In some examples, overlays may be able to receive and transmit on ports that belong to the same virtual network. For example, overlays can include Virtual Extensible Local Area Network (VxLAN) and Generic Routing Encapsulation (GRE) Termination End Points (TEPs). In some examples, as long as this condition is met, the presence of the DMA device 110 may be abstracted from the implementation of the virtual tunnel end point (VTEP), also known as the VxLAN gateway.
The techniques described herein may enable the use of a non-paged memory pool, because typically the data does not go to a user page. Rather, the data may go to a VM kernel page. The techniques described herein may also enable pre-pinning a pool of pages and recycling them, so the cost of pinning may be negligible.
Packet transfers, unlike software copies in the protocol stack, may be designed to be sent to peripheral devices via DMA operations. The stack may be designed for packet transfer processes to be asynchronous. The transmitting VM may thus continue to do productive work while the packet is queued and transferred. Similarly, a receiving VM may be available for tasks during the transfer and may become aware of the received packet only after the transfer is complete. Advantageously, the CPU, which may be used for other operations, may not be kept busy copying the packet and thus be available for the other operations.
In some examples, the techniques described herein may also include collaboration with an input-output memory management unit (IOMMU) (not shown). An IOMMU can be a software or a hardware unit that can be used to re-map host addresses to input-output (IO) devices. In a virtualized environment, an IOMMU may be used to enforce security policies, when a VM queues data to be transferred to another VM. The IOMMU may allow the VM to only be able to specify a “from” address in its own space and a “to” address in the intended VM's address. Otherwise a malicious or buggy VM could overwrite or read data in any other VM's memory. During setup, memory regions that are to be used as transfer buffers may be programmed into the IOMMU tables, which limit transfers initiated from a VM to only read and write data from its area to and from the target transfer buffers. In some examples, the buffers can also be dynamically allocated. For example, the buffers can be dynamically allocated just prior to a copy operation, rather than only at setup. Thus, IOMMU permissions may be granted at that time, and revoked when the transfer is complete.
The diagram of
In block 210, a request to transmit a packet from a first virtual machine (VM1) to a second virtual machine (VM2) is received. A transmission (TX) packet for transmission is provided to the first virtual machine VM1 and a virtual network interface controller (vNIC) driver of VM1.
In block 220, the vNIC driver of VM1 (VM1-vNIC) queues the TX packet to be transmitted. In some examples, the protocol stack can send a scatter-gather list to the vNIC driver with instructions for processing. For example, the processing may include a TCP checksum offload. In some examples, the vNIC driver can read the processing instructions and prepare descriptors for each element of the scatter-gather list. For example, the descriptors can be used to define the data and control for the packet, including elements such as address, length, and required processing. In some examples, after the descriptors are complete, the descriptors can be enqueued for transmission. For example, in the case of a physical NIC, the descriptors can be used for DMA operations. In the case of vNIC to vSwitch environments, however, the descriptors can be used to inform the vSwitch of the packet location and control information.
In block 230, a virtual switch (vSwitch) driver reads a transmission (TX) queue of VM1. In some examples, the vSwitch driver can monitor traffic that is within the network. The vSwitch driver can then detect that a TX packet has been queued up in memory and recognize that the packet has another destination within the system.
In block 240, the vSwitch driver recognizes and determines the destination of the packet, which is another VM on the computer system, VM2. For example, the vSwitch driver may perform some discovery, read the VM1 transmission (TX) queue, and determine that the packet that is stored in VM1 memory is to be copied to VM2 memory.
In block 250, the vSwitch driver queues operation of a DMA device. In some examples, a packet may have three scatter elements. For example, a source address and a length for these elements may be provided in block 230 as described above. The destination for the elements may also have been determined at block 240. In some examples, given this information, the device driver for the DMA device can enqueue three copy commands to the DMA device. For example, each command can include the source address, destination address, and the given number of bytes to copy. In some examples, a command may also further include packet processing control information. For example, the processing control information can include cryptographic operations, encapsulation, or compression. These packet processing operations could result in a size of the packet in the destination that is different from the size of the packet at the source.
In block 260, the DMA engine copies the packet to the destination in VM2. For example, the DMA device may copy the packet to the destination without the use of any CPU resources. Thus, with a DMA device operation, the CPU may not touch the data. The data may also not be brought into the core's cache. Therefore, there may be no CPU stalls and no cache pollution related to the copy operation.
In block 270, the vSwitch driver indicates to VM1 that transmission is complete. For example, an interrupt can be processed after it is communicated that the packet has been copied from memory in VM1 to memory in VM2 without the packet being put on the wire.
In block 280, the vSwitch driver writes the reception (RX) descriptor into the vNIC RX queue on VM2. The reception (RX) descriptor tells VM2 what has been put in VM2's receive buffer. The reception (RX) descriptor may include control information, such as the number of bytes or type of header associated with the packet.
In block 290, the vSwitch driver indicates a receive event to the vNIC on VM2. The receive event may signal a receive interrupt. VM2, as the receiver, can be informed that a receive event has been delivered to its receive buffer. VM2 can then read its receive buffer as described in the descriptor and complete the processing. In some examples, the vSwitch driver may also perform stack processing. Operation concludes in block 292.
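The following C program is an added illustration, not code from this disclosure or from any vSwitch implementation. It models blocks 230 to 290 of method 200 together with the IOMMU restriction described earlier: the vSwitch driver turns VM1's scatter-gather descriptors into one DMA copy command per element, but a command is enqueued only if its source lies inside VM1's own memory and its destination inside the receive buffer granted to the transfer, with the grant revoked once the copy completes. The flat host memory layout, all type and function names (host_mem, iommu_grant_t, vswitch_transfer, and so on), and the use of memcpy in place of a DMA engine are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical flat host memory: VM1 owns [0, VM_SIZE), VM2 owns [VM_SIZE, 2*VM_SIZE). */
enum { VM_SIZE = 4096, HOST_MEM = 2 * VM_SIZE, MAX_SG = 8 };
static uint8_t host_mem[HOST_MEM];

typedef struct { size_t base, size; } region_t;                /* one VM's memory */
typedef struct { size_t lo, hi; } window_t;                    /* half-open [lo, hi) */
typedef struct { window_t rd; window_t wr; bool granted; } iommu_grant_t;
typedef struct { size_t addr, len; } sg_desc_t;                /* TX descriptor element (block 220) */
typedef struct { size_t src, dst, len; } dma_cmd_t;            /* copy command for the DMA device (block 250) */
typedef struct { size_t addr, len; bool valid; } rx_desc_t;    /* RX descriptor for VM2 (block 280) */

/* True when [addr, addr+len) lies entirely inside the window; written to avoid size_t underflow. */
static bool window_covers(window_t w, size_t addr, size_t len) {
    return addr >= w.lo && addr <= w.hi && len <= w.hi - addr;
}

/* Block 250: one copy command per scatter element. Every element is checked against the
 * IOMMU grant before anything is queued, so a bad element rejects the whole packet.
 * Returns the number of commands, or -1 if the transfer is not permitted. */
static int enqueue_dma(const sg_desc_t *sg, int n, size_t dst_base,
                       const iommu_grant_t *g, dma_cmd_t *out) {
    size_t total = 0;
    if (!g->granted) return -1;
    for (int i = 0; i < n; i++) {
        if (!window_covers(g->rd, sg[i].addr, sg[i].len)) return -1;        /* "from" must be VM1's own space */
        if (!window_covers(g->wr, dst_base + total, sg[i].len)) return -1;  /* "to" must be the granted buffer */
        out[i].src = sg[i].addr; out[i].dst = dst_base + total; out[i].len = sg[i].len;
        total += sg[i].len;
    }
    return n;
}

/* Block 260: the DMA device executes the queued commands; memcpy stands in for the engine. */
static size_t dma_execute(const dma_cmd_t *cmds, int n) {
    size_t bytes = 0;
    for (int i = 0; i < n; i++) {
        memcpy(host_mem + cmds[i].dst, host_mem + cmds[i].src, cmds[i].len);
        bytes += cmds[i].len;
    }
    return bytes;
}

/* Blocks 230-290 end to end. The IOMMU permission is granted just before the copy and
 * revoked when it completes (the dynamic-allocation variant described in the text).
 * Returns the RX descriptor VM2 will see; valid == false means the packet was refused. */
static rx_desc_t vswitch_transfer(const sg_desc_t *sg, int n, region_t vm1, region_t vm2,
                                  size_t rx_buf_off, size_t rx_buf_len) {
    rx_desc_t rx = { 0, 0, false };
    dma_cmd_t cmds[MAX_SG];
    if (n < 1 || n > MAX_SG) return rx;
    size_t dst_base = vm2.base + rx_buf_off;
    iommu_grant_t g = { { vm1.base, vm1.base + vm1.size },        /* readable: all of VM1 */
                        { dst_base, dst_base + rx_buf_len },      /* writable: VM2's receive buffer only */
                        true };
    int k = enqueue_dma(sg, n, dst_base, &g, cmds);
    if (k < 0) { g.granted = false; return rx; }                  /* nothing copied, RX queue untouched */
    size_t bytes = dma_execute(cmds, k);
    g.granted = false;                                            /* revoke on completion (block 270) */
    rx.addr = dst_base; rx.len = bytes; rx.valid = true;          /* block 280 */
    return rx;
}

/* Constructed scenario: a packet with three scatter elements, as in the block 250 discussion. */
static int demo_valid_transfer(void) {
    region_t vm1 = { 0, VM_SIZE }, vm2 = { VM_SIZE, VM_SIZE };
    sg_desc_t sg[3] = { { 100, 14 }, { 400, 20 }, { 900, 14 } };
    memset(host_mem, 0, sizeof host_mem);
    for (int i = 0; i < 3; i++) memset(host_mem + sg[i].addr, 'A' + i, sg[i].len);
    rx_desc_t rx = vswitch_transfer(sg, 3, vm1, vm2, 256, 1500);
    if (!rx.valid || rx.len != 48) return 0;
    /* The three elements now sit back to back in VM2's receive buffer. */
    return host_mem[rx.addr] == 'A' && host_mem[rx.addr + 14] == 'B' &&
           host_mem[rx.addr + 34] == 'C' && host_mem[rx.addr + 47] == 'C';
}

/* Constructed scenario: a buggy VM1 descriptor names a source inside VM2's memory. */
static int demo_rejected_transfer(void) {
    region_t vm1 = { 0, VM_SIZE }, vm2 = { VM_SIZE, VM_SIZE };
    sg_desc_t sg[2] = { { 100, 14 }, { VM_SIZE + 2000, 64 } };
    memset(host_mem, 0, sizeof host_mem);
    memset(host_mem + VM_SIZE + 2000, 'S', 64);                   /* data that belongs to VM2 */
    rx_desc_t rx = vswitch_transfer(sg, 2, vm1, vm2, 256, 1500);
    return !rx.valid && host_mem[VM_SIZE + 256] == 0;             /* refused; receive buffer untouched */
}

int main(void) {
    printf("three-element transfer: %s\n", demo_valid_transfer() ? "ok" : "FAIL");
    printf("cross-VM source refused: %s\n", demo_rejected_transfer() ? "ok" : "FAIL");
    return 0;
}
```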
The flow chart of
In
The diagram of
In block 402, the vSwitch reads a transmission queue of a first virtual machine. For example, a vSwitch may recognize a transmission packet that is within a queue in memory of a first virtual machine.
In block 404, the vSwitch determines a destination of a packet associated with the transmission queue of the first virtual machine. In some examples, the destination may be the memory of a second virtual machine on the computer system. For example, by reading the transmission queue of the first virtual machine, the vSwitch driver may determine that the packet is destined for the memory of the second virtual machine.
In block 406, the vSwitch may queue operation of a direct memory access device. For example, the vSwitch driver may queue a direct memory copy operation of a DMA device.
In block 408, the direct memory access device is used to copy the packet from the first virtual machine to a second virtual machine. For example, the DMA device may copy the packet from memory in VM1 to memory in VM2 without any involvement of a CPU.
The various software components discussed herein may be stored on one or more computer readable media 500, as indicated in
The block diagram of
Example 1 is a computer system for transferring a packet, including a hypervisor to run a first virtual machine and a second virtual machine. The computer system also includes a first memory address space associated with the first virtual machine to store the packet. The computer system also includes a second memory address space associated with the second virtual machine to receive and store the packet. The computer system further includes a virtual switch coupled to the first virtual machine and the second virtual machine to detect that the packet is to be sent from the first virtual machine to the second virtual machine. The computer system also further includes a direct memory access device. The direct memory access device is to copy the packet from the first memory address space to the second memory address space via the direct memory access device.
Example 2 includes the computer system of example 1, including or excluding optional features. In this example, the memory access device includes a direct memory access engine.
Example 3 includes the computer system of any one of examples 1 to 2, including or excluding optional features. In this example, the first virtual machine and the second virtual machine are to run on the same computing device.
Example 4 includes the computer system of any one of examples 1 to 3, including or excluding optional features. In this example, the computer system includes an input-output memory management unit (IOMMU) to re-map host addresses of the virtual machines to input-output (IO) devices.
Example 5 includes the computer system of any one of examples 1 to 4, including or excluding optional features. In this example, the direct memory access device lacks a central processing unit.
Example 6 includes the computer system of any one of examples 1 to 5, including or excluding optional features. In this example, the computer system includes a virtual switch driver to read a transmission queue of the first virtual machine.
Example 7 includes the computer system of any one of examples 1 to 6, including or excluding optional features. In this example, the computer system includes a virtual switch driver to queue a direct memory copy operation of the memory access device.
Example 8 includes the computer system of any one of examples 1 to 7, including or excluding optional features. In this example, the computer system includes a virtual switch driver to detect that the second virtual machine is a destination of the packet.
Example 9 includes the computer system of any one of examples 1 to 8, including or excluding optional features. In this example, the computer system includes a virtual switch driver to indicate to the first virtual machine that the copying of the packet is complete.
Example 10 includes the computer system of any one of examples 1 to 9, including or excluding optional features. In this example, the computer system includes a virtual switch driver to write a receive descriptor into a vNIC receive queue in the second virtual machine.
Example 11 is a method for transferring a packet between virtual machines, including reading a transmission queue of a first virtual machine. A destination of a packet associated with the transmission queue of the first virtual machine is detected. Operation of a direct memory access device is queued. The direct memory access device is used to copy the packet from the first virtual machine to a second virtual machine via the direct memory access device.
Example 12 includes the method of example 11, including or excluding optional features. In this example, the direct memory access device includes a direct memory access engine.
Example 13 includes the method of any one of examples 11 to 12, including or excluding optional features. In this example, the first virtual machine and the second virtual machine run on the same computing device.
Example 14 includes the method of any one of examples 11 to 13, including or excluding optional features. In this example, a hypervisor is used to run each of the first virtual machine and the second virtual machine.
Example 15 includes the method of any one of examples 11 to 14, including or excluding optional features. In this example, the direct memory access device lacks a central processing unit.
Example 16 includes the method of any one of examples 11 to 15, including or excluding optional features. In this example, a virtual switch driver is used to read the transmission queue of the first virtual machine.
Example 17 includes the method of any one of examples 11 to 16, including or excluding optional features. In this example, a virtual switch driver is used to queue the operation of the direct memory access device.
Example 18 includes the method of any one of examples 11 to 17, including or excluding optional features. In this example, a virtual switch driver is used to detect that the second virtual machine is a destination of the packet.
Example 19 includes the method of any one of examples 11 to 18, including or excluding optional features. In this example, a virtual switch driver is used to indicate to the first virtual machine that the copying of the packet is complete.
Example 20 includes the method of any one of examples 11 to 19, including or excluding optional features. In this example, a virtual switch driver is to write a receive descriptor into a virtual network interface controller (vNIC) receive queue in the second virtual machine.
Example 21 is a computer readable medium storing instructions to be executed by a processor. The instructions include instructions that cause the processor to read a transmission queue of a first virtual machine. The instructions include instructions that cause the processor to detect a destination of a packet associated with the transmission queue of the first virtual machine. The destination can be a second virtual machine. The instructions include instructions that cause the processor to queue operation of a direct memory access device. The instructions include instructions that cause the processor to cause the direct memory access device to copy the packet from the first virtual machine to the second virtual machine.
Example 22 includes the computer readable medium of example 21, including or excluding optional features. In this example, the direct memory access device includes a direct memory access engine.
Example 23 includes the computer readable medium of any one of examples 21 to 22, including or excluding optional features. In this example, the first virtual machine and the second virtual machine are to run on the same computing device.
Example 24 includes the computer readable medium of any one of examples 21 to 23, including or excluding optional features. In this example, the stored instructions include instructions that cause the processor to run each of the first virtual machine and the second virtual machine.
Example 25 includes the computer readable medium of any one of examples 21 to 24, including or excluding optional features. In this example, the direct memory access device lacks a central processing unit.
Example 26 includes the computer readable medium of any one of examples 21 to 25, including or excluding optional features. In this example, the stored instructions include instructions that cause the processor to read a transmission queue of the first virtual machine via a virtual switch driver.
Example 27 includes the computer readable medium of any one of examples 21 to 26, including or excluding optional features. In this example, the stored instructions include instructions that cause the processor to queue operation of the direct memory access device via a virtual switch driver.
Example 28 includes the computer readable medium of any one of examples 21 to 27, including or excluding optional features. In this example, the stored instructions include instructions that cause the processor to detect that the second virtual machine is a destination of the packet via a virtual switch driver.
Example 29 includes the computer readable medium of any one of examples 21 to 28, including or excluding optional features. In this example, the stored instructions include instructions that cause the processor to indicate to the first virtual machine that the copying of the packet is complete.
Example 30 includes the computer readable medium of any one of examples 21 to 29, including or excluding optional features. In this example, the stored instructions include instructions that cause the processor to write a receive descriptor into a virtual network interface controller (vNIC) receive queue in the second virtual machine.
Example 31 is a computer system for transferring a packet, including means to run a first virtual machine and a second virtual machine. The computer system includes a first memory address space associated with the first virtual machine for storing the packet. The computer system includes a second memory address space associated with the second virtual machine to receive and store the packet. The computer system includes means for detecting that the packet is to be sent from the first virtual machine to the second virtual machine. The computer system further includes means for copying the packet from the first memory address space to the second memory address space without using a processor.
Example 32 includes the computer system of example 31, including or excluding optional features. In this example, the copying means includes a direct memory access device.
Example 33 includes the computer system of any one of examples 31 to 32, including or excluding optional features. In this example, the copying means includes a direct memory access engine.
Example 34 includes the computer system of any one of examples 31 to 33, including or excluding optional features. In this example, the apparatus includes a hypervisor to run each of the first virtual machine and the second virtual machine.
Example 35 includes the computer system of any one of examples 31 to 34, including or excluding optional features. In this example, the copying means lacks a central processing unit.
Example 36 includes the computer system of any one of examples 31 to 35, including or excluding optional features. In this example, the computer system includes a virtual switch driver to read a transmission queue of the first virtual machine.
Example 37 includes the computer system of any one of examples 31 to 36, including or excluding optional features. In this example, the computer system includes a virtual switch driver to queue operation of the copying means.
Example 38 includes the computer system of any one of examples 31 to 37, including or excluding optional features. In this example, the computer system includes a virtual switch driver to detect that the second virtual machine is a destination of the packet.
Example 39 includes the computer system of any one of examples 31 to 38, including or excluding optional features. In this example, the computer system includes a virtual switch driver to indicate to the first virtual machine that the copying of the packet is complete.
Example 40 includes the computer system of any one of examples 31 to 39, including or excluding optional features. In this example, the computer system includes a virtual switch driver to write a receive descriptor into a virtual network interface controller (vNIC) receive queue in the second virtual machine.
The technical benefits of the techniques described herein may thus include relieving the virtual switch layer bottleneck, thereby improving performance and scaling. For example, since a CPU is not relied upon to perform packet copying, packets may not be copied through the virtual switch layer, which relieves the bottleneck. Another benefit is that processor interconnect congestion is relieved. For example, because a processor is not used for packet copying, less data flows through processor interconnects, thereby relieving congestion. Yet another benefit is that CPU resources are used more efficiently because the CPU does not perform the copying. For example, the CPU time may be available for other functions. A further benefit is that peripheral bus bandwidth is not used in the techniques described herein. For example, because packets are copied directly from one VM's memory to another VM's memory, the packets do not travel on the peripheral bus. Still another benefit is that the security risk of transmitting packets over NIC/networks is lowered. For example, NIC/networks may be susceptible to being accessed by malicious actors, who pose security risks. Thus, because the packets are not transmitted on the wire or over NIC/networks, the packets are less liable to be intercepted by such malicious actors.
In addition, the packet transfers, unlike software copies in the protocol stack, may be sent to peripheral devices via DMA operations. In some examples, the stack may be already designed for packet transfer processes to be asynchronous. The transmitting VM may continue to do productive work while the packet is queued and transferred. Similarly, the receiving VM may be available for tasks during the transfer, and may only become aware of the received packet after the transfer is complete. Thus, the CPU core that can be used for other operations may not be needlessly occupied in copying the packet.
Not all components, features, structures, characteristics, etc. described and illustrated herein need be included in a particular aspect or aspects. If the specification states a component, feature, structure, or characteristic “may”, “might”, “can” or “could” be included, for example, that particular component, feature, structure, or characteristic is not required to be included. If the specification or claim refers to “a” or “an” element, that does not mean there is only one of the element. If the specification or claims refer to “an additional” element, that does not preclude there being more than one of the additional element.
It is to be noted that, although some aspects have been described in reference to particular implementations, other implementations are possible according to some aspects. Additionally, the arrangement and/or order of circuit elements or other features illustrated in the drawings and/or described herein need not be arranged in the particular way illustrated and described. Many other arrangements are possible according to some aspects.
In each system shown in a figure, the elements in some cases may each have a same reference number or a different reference number to suggest that the elements represented could be different and/or similar. However, an element may be flexible enough to have different implementations and work with some or all of the systems shown or described herein. The various elements shown in the figures may be the same or different. Which one is referred to as a first element and which is called a second element is arbitrary.
It is to be understood that specifics in the aforementioned examples may be used anywhere in one or more aspects. For instance, all optional features of the computing device described above may also be implemented with respect to either of the methods or the computer-readable medium described herein. Furthermore, although flow diagrams and/or state diagrams may have been used herein to describe aspects, the techniques are not limited to those diagrams or to corresponding descriptions herein. For example, flow need not move through each illustrated box or state or in exactly the same order as illustrated and described herein.
The techniques described herein are not restricted to the particular details listed. Indeed, those skilled in the art having the benefit of this disclosure will appreciate that many other variations from the foregoing description and drawings may be made within the scope of the techniques described herein. Accordingly, it is the following claims including any amendments thereto that define the scope of the techniques described herein.