VirtualBox

source: vbox/trunk/doc/manual/en_US/user_Technical.xml@ 68716

Last change on this file since 68716 was 64726, checked in by vboxsync, 8 years ago

doc/manual: bring the explanation how VirtualBox determines the user's home directory in sync with what the code actually does, and use up to date example

File size: 46.9 KB
Line 
1<?xml version="1.0" encoding="UTF-8"?>
2<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
3"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
4<chapter id="TechnicalBackground">
5 <title>Technical background</title>
6
7 <para>The contents of this chapter are not required to use VirtualBox
8 successfully. The following is provided as additional information for
9 readers who are more familiar with computer architecture and technology and
10 wish to find out more about how VirtualBox works "under the hood".</para>
11
12 <sect1 id="vboxconfigdata">
13 <title>Where VirtualBox stores its files</title>
14
15 <para>In VirtualBox, a virtual machine and its settings are described in a
16 virtual machine settings file in XML format. In addition, most virtual
17 machine have one or more virtual hard disks, which are typically
18 represented by disk images (e.g. in VDI format). Where all these files are
19 stored depends on which version of VirtualBox created the machine.</para>
20
21 <sect2>
22 <title>Machines created by VirtualBox version 4.0 or later</title>
23
24 <para>Starting with version 4.0, by default, each virtual machine has
25 one directory on your host computer where all the files of that machine
26 are stored -- the XML settings file (with a
27 <computeroutput>.vbox</computeroutput> file extension) and its disk
28 images.</para>
29
30 <para>By default, this "machine folder" is placed in a common folder
31 called "VirtualBox VMs", which VirtualBox creates in the current system
32 user's home directory. The location of this home directory depends on
33 the conventions of the host operating system:</para>
34
35 <itemizedlist>
36 <listitem>
37 <para>On Windows, this is the location returned by the
38 <computeroutput>SHGetFolderPath</computeroutput> function of the
39 Windows system library Shell32.dll, asking for the user profile. Only
40 on very old Windows versions which don't have this function
41 or where it unexpectedly returns an error, there is a fallback based
42 on environment variables: first
43 <computeroutput>%USERPROFILE%</computeroutput> is checked, if it
44 doesn't exist then an attempt with
45 <computeroutput>%HOMEDRIVE%%HOMEPATH%</computeroutput> is made.
46 Typical value is
47 <computeroutput>C:\Users\username</computeroutput>.</para>
48 </listitem>
49
50 <listitem>
51 <para>On Linux, Mac OS X and Solaris, this is generally taken from
52 the environment variable <computeroutput>$HOME</computeroutput>,
53 except for the user
54 <computeroutput>root</computeroutput> for which it's taken from the
55 account database (as a workaround for the frequent trouble caused
56 by users using VirtualBox in combination with the tool
57 <computeroutput>sudo</computeroutput> which by default doesn't reset
58 the environment variable <computeroutput>$HOME</computeroutput>).
59 Typical value on Linux and Solaris is
60 <computeroutput>/home/username</computeroutput> and on Mac OS X
61 <computeroutput>/Users/username</computeroutput>.</para>
62 </listitem>
63 </itemizedlist>
64
65 <para>For simplicity, we will abbreviate this as
66 <computeroutput>$HOME</computeroutput> below. Using that convention, the
67 common folder for all virtual machines is
68 <computeroutput>$HOME/VirtualBox VMs</computeroutput>.</para>
69
70 <para>As an example, when you create a virtual machine called "Example
71 VM", you will find that VirtualBox creates<orderedlist>
72 <listitem>
73 <para>the folder <computeroutput>$HOME/VirtualBox VMs/Example
74 VM/</computeroutput> and, in that folder,</para>
75 </listitem>
76
77 <listitem>
78 <para>the settings file <computeroutput>Example
79 VM.vbox</computeroutput> and</para>
80 </listitem>
81
82 <listitem>
83 <para>the virtual disk image <computeroutput>Example
84 VM.vdi</computeroutput>.</para>
85 </listitem>
86 </orderedlist></para>
87
88 <para>This is the default layout if you use the "Create new virtual
89 machine" wizard as described in <xref linkend="gui-createvm" />. Once
90 you start working with the VM, additional files will show up: you will
91 find log files in a subfolder called
92 <computeroutput>Logs</computeroutput>, and once you have taken
93 snapshots, they will appear in a
94 <computeroutput>Snapshots</computeroutput> subfolder. For each VM, you
95 can change the location of its snapshots folder in the VM
96 settings.</para>
97
98 <para>You can change the default machine folder by selecting
99 "Preferences" from the "File" menu in the VirtualBox main window. Then,
100 in the window that pops up, click on the "General" tab. Alternatively,
101 use <computeroutput>VBoxManage setproperty
102 machinefolder</computeroutput>; see <xref
103 linkend="vboxmanage-setproperty" />.</para>
104 </sect2>
105
106 <sect2>
107 <title>Machines created by VirtualBox versions before 4.0</title>
108
109 <para>If you have upgraded to VirtualBox 4.0 from an earlier version of
110 VirtualBox, you probably have settings files and disks in the earlier
111 file system layout.</para>
112
113 <para>Before version 4.0, VirtualBox separated the machine settings
114 files from virtual disk images. The machine settings files had an
115 <computeroutput>.xml</computeroutput> file extension and resided in a
116 folder called "Machines" under the global VirtualBox configuration
117 directory (see the next section). So, for example, on Linux, this was
118 the hidden <computeroutput>$HOME/.VirtualBox/Machines</computeroutput>
119 directory. The default hard disks folder was called "HardDisks" and
120 resided in the <computeroutput>.VirtualBox</computeroutput> folder as
121 well. Both locations could be changed by the user in the global
122 preferences. (The concept of a "default hard disk folder" has been
123 abandoned with VirtualBox 4.0, since disk images now reside in each
124 machine's folder by default.)</para>
125
126 <para>The old layout had several severe disadvantages.<orderedlist>
127 <listitem>
128 <para>It was very difficult to move a virtual machine from one
129 host to another because the files involved did not reside in the
130 same folder. In addition, the virtual media of all machines were
131 registered with a global registry in the central VirtualBox
132 settings file
133 (<computeroutput>$HOME/.VirtualBox/VirtualBox.xml</computeroutput>).</para>
134
135 <para>To move a machine to another host, it was therefore not
136 enough to move the XML settings file and the disk images (which
137 were in different locations), but the hard disk entries from the
138 global media registry XML had to be meticulously copied as well,
139 which was close to impossible if the machine had snapshots and
140 therefore differencing images.</para>
141 </listitem>
142
143 <listitem>
144 <para>Storing virtual disk images, which can grow very large,
145 under the hidden <computeroutput>.VirtualBox</computeroutput>
146 directory (at least on Linux and Solaris hosts) made many users
147 wonder where their disk space had gone.</para>
148 </listitem>
149 </orderedlist></para>
150
151 <para>Whereas new VMs created with VirtualBox 4.0 or later will conform
152 to the new layout, for maximum compatibility, old VMs are
153 <emphasis>not</emphasis> converted to the new layout. Otherwise machine
154 settings would be irrevocably broken if a user downgraded from 4.0 back
155 to an older version of VirtualBox.</para>
156 </sect2>
157
158 <sect2>
159 <title>Global configuration data</title>
160
161 <para>In addition to the files of the virtual machines, VirtualBox
162 maintains global configuration data. On Linux and Solaris as of VirtualBox 4.3, this
163 is in the hidden directory <computeroutput>$HOME/.config/VirtualBox</computeroutput>, although <computeroutput>$HOME/.VirtualBox</computeroutput> will be used if it exists for compatibility with earlier versions; on Windows (and on Linux and Solaris with VirtualBox 4.2 and earlier) this is in <computeroutput>$HOME/.VirtualBox</computeroutput>; on a Mac it resides in
164 <computeroutput>$HOME/Library/VirtualBox</computeroutput>.</para>
165
166 <para>VirtualBox creates this configuration directory automatically if
167 necessary. Optionally, you can supply an alternate configuration
168 directory by setting the
169 <computeroutput><literal>VBOX_USER_HOME</literal></computeroutput>
170 environment variable, or additionally on Linux or Solaris by using the standard <computeroutput><literal>XDG_CONFIG_HOME</literal></computeroutput> variable. (Since the global
171 <computeroutput>VirtualBox.xml</computeroutput> settings file points to
172 all other configuration files, this allows for switching between several
173 VirtualBox configurations entirely.)</para>
174
175 <para>Most importantly, in this directory, VirtualBox stores its global
176 settings file, another XML file called
177 <computeroutput>VirtualBox.xml</computeroutput>. This includes global
178 configuration options and the list of registered virtual machines with
179 pointers to their XML settings files. (Neither the location of this file
180 nor its directory has changed with VirtualBox 4.0.)</para>
181
182 <para>Before VirtualBox 4.0, all virtual media (disk image files) were
183 also contained in a global registry in this settings file. For
184 compatibility, this media registry still exists if you upgrade
185 VirtualBox and there are media from machines which were created with a
186 version before 4.0. If you have no such machines, then there will be no
187 global media registry; with VirtualBox 4.0, each machine XML file has
188 its own media registry.</para>
189
190 <para>Also before VirtualBox 4.0, the default "Machines" folder and the
191 default "HardDisks" folder resided under the VirtualBox configuration
192 directory (e.g.
193 <computeroutput>$HOME/.VirtualBox/Machines</computeroutput> on Linux).
194 If you are upgrading from a VirtualBox version before 4.0, files in
195 these directories are not automatically moved in order not to break
196 backwards compatibility.</para>
197 </sect2>
198
199 <sect2>
200 <title>Summary of 4.0 configuration changes</title>
201
202 <para>The following table gives a brief overview of the configuration
203 changes between older versions and version 4.0 or above:</para>
204
205 <table>
206 <title>Configuration changes in version 4.0 or above</title>
207
208 <tgroup cols="3">
209 <thead>
210 <row>
211 <entry><emphasis role="bold">Setting</emphasis></entry>
212
213 <entry><emphasis role="bold">Before 4.0</emphasis></entry>
214
215 <entry><emphasis role="bold">4.0 or above</emphasis></entry>
216 </row>
217 </thead>
218 <tbody>
219 <row>
220 <entry>Default machines folder</entry>
221
222 <entry><computeroutput>$HOME/.VirtualBox/Machines</computeroutput></entry>
223
224 <entry><computeroutput>$HOME/VirtualBox
225 VMs</computeroutput></entry>
226 </row>
227
228 <row>
229 <entry>Default disk image location</entry>
230
231 <entry><computeroutput>$HOME/.VirtualBox/HardDisks</computeroutput></entry>
232
233 <entry>In each machine's folder</entry>
234 </row>
235
236 <row>
237 <entry>Machine settings file extension</entry>
238
239 <entry><computeroutput>.xml</computeroutput></entry>
240
241 <entry><computeroutput>.vbox</computeroutput></entry>
242 </row>
243
244 <row>
245 <entry>Media registry</entry>
246
247 <entry>Global <computeroutput>VirtualBox.xml</computeroutput>
248 file</entry>
249
250 <entry>Each machine settings file</entry>
251 </row>
252
253 <row>
254 <entry>Media registration</entry>
255
256 <entry>Explicit open/close required</entry>
257
258 <entry>Automatic on attach</entry>
259 </row>
260 </tbody>
261 </tgroup>
262 </table>
263 </sect2>
264
265 <sect2>
266 <title>VirtualBox XML files</title>
267
268 <para>VirtualBox uses XML for both the machine settings files and the
269 global configuration file,
270 <computeroutput>VirtualBox.xml</computeroutput>.</para>
271
272 <para>All VirtualBox XML files are versioned. When a new settings file
273 is created (e.g. because a new virtual machine is created), VirtualBox
274 automatically uses the settings format of the current VirtualBox
275 version. These files may not be readable if you downgrade to an earlier
276 version of VirtualBox. However, when VirtualBox encounters a settings
277 file from an earlier version (e.g. after upgrading VirtualBox), it
278 attempts to preserve the settings format as much as possible. It will
279 only silently upgrade the settings format if the current settings cannot
280 be expressed in the old format, for example because you enabled a
281 feature that was not present in an earlier version of
282 VirtualBox.<footnote>
283 <para>As an example, before VirtualBox 3.1, it was only possible to
284 enable or disable a single DVD drive in a virtual machine. If it was
285 enabled, then it would always be visible as the secondary master of
286 the IDE controller. With VirtualBox 3.1, DVD drives can be attached
287 to arbitrary slots of arbitrary controllers, so they could be the
288 secondary slave of an IDE controller or in a SATA slot. If you have
289 a machine settings file from an earlier version and upgrade
290 VirtualBox to 3.1 and then move the DVD drive from its default
291 position, this cannot be expressed in the old settings format; the
292 XML machine file would get written in the new format, and a backup
293 file of the old format would be kept.</para>
294 </footnote> In such cases, VirtualBox backs up the old settings file
295 in the virtual machine's configuration directory. If you need to go back
296 to the earlier version of VirtualBox, then you will need to manually
297 copy these backup files back.</para>
298
299 <para>We intentionally do not document the specifications of the
300 VirtualBox XML files, as we must reserve the right to modify them in the
301 future. We therefore strongly suggest that you do not edit these files
302 manually. VirtualBox provides complete access to its configuration data
303 through its the <computeroutput>VBoxManage</computeroutput> command line
304 tool (see <xref linkend="vboxmanage" />) and its API (see <xref
305 linkend="VirtualBoxAPI" />).</para>
306 </sect2>
307 </sect1>
308
309 <sect1 id="technical-components">
310 <title>VirtualBox executables and components</title>
311
312 <para>VirtualBox was designed to be modular and flexible. When the
313 VirtualBox graphical user interface (GUI) is opened and a VM is started,
314 at least three processes are running:<orderedlist>
315 <listitem>
316 <para><computeroutput>VBoxSVC</computeroutput>, the VirtualBox
317 service process which always runs in the background. This process is
318 started automatically by the first VirtualBox client process (the
319 GUI, <computeroutput>VBoxManage</computeroutput>,
320 <computeroutput>VBoxHeadless</computeroutput>, the web service or
321 others) and exits a short time after the last client exits. The
322 service is responsible for bookkeeping, maintaining the state of all
323 VMs, and for providing communication between VirtualBox components.
324 This communication is implemented via COM/XPCOM.<note>
325 <para>When we refer to "clients" here, we mean the local clients
326 of a particular <computeroutput>VBoxSVC</computeroutput> server
327 process, not clients in a network. VirtualBox employs its own
328 client/server design to allow its processes to cooperate, but
329 all these processes run under the same user account on the host
330 operating system, and this is totally transparent to the
331 user.</para>
332 </note></para>
333 </listitem>
334
335 <listitem>
336 <para>The GUI process, <computeroutput>VirtualBox</computeroutput>,
337 a client application based on the cross-platform Qt library. When
338 started without the <computeroutput>--startvm</computeroutput>
339 option, this application acts as the VirtualBox manager, displaying
340 the VMs and their settings. It then communicates settings and state
341 changes to <computeroutput>VBoxSVC</computeroutput> and also
342 reflects changes effected through other means, e.g.,
343 <computeroutput>VBoxManage</computeroutput>.</para>
344 </listitem>
345
346 <listitem>
347 <para>If the <computeroutput>VirtualBox</computeroutput> client
348 application is started with the
349 <computeroutput>--startvm</computeroutput> argument, it loads the
350 VMM library which includes the actual hypervisor and then runs a
351 virtual machine and provides the input and output for the
352 guest.</para>
353 </listitem>
354 </orderedlist></para>
355
356 <para>Any VirtualBox front-end (client) will communicate with the service
357 process and can both control and reflect the current state. For example,
358 either the VM selector or the VM window or VBoxManage can be used to pause
359 the running VM, and other components will always reflect the changed
360 state.</para>
361
362 <para>The VirtualBox GUI application is only one of several available
363 front ends (clients). The complete list shipped with VirtualBox
364 is:<orderedlist>
365 <listitem>
366 <para><computeroutput>VirtualBox</computeroutput>, the Qt front end
367 implementing the manager and running VMs;</para>
368 </listitem>
369
370 <listitem>
371 <para><computeroutput>VBoxManage</computeroutput>, a less
372 user-friendly but more powerful alternative, described in <xref
373 linkend="vboxmanage" />.</para>
374 </listitem>
375
376 <listitem>
377 <para><computeroutput>VBoxSDL</computeroutput>, a simple graphical
378 front end based on the SDL library; see <xref
379 linkend="vboxsdl" />.</para>
380 </listitem>
381
382 <listitem>
383 <para><computeroutput>VBoxHeadless</computeroutput>, a VM front end
384 which does not directly provide any video output and keyboard/mouse
385 input, but allows redirection via VirtualBox Remote Desktop Extension;
386 see <xref linkend="vboxheadless" />.</para>
387 </listitem>
388
389 <listitem>
390 <para><computeroutput>vboxwebsrv</computeroutput>, the VirtualBox
391 web service process which allows for controlling a VirtualBox host
392 remotely. This is described in detail in the VirtualBox Software
393 Development Kit (SDK) reference; please see <xref
394 linkend="VirtualBoxAPI" /> for details.</para>
395 </listitem>
396
397 <listitem>
398 <para>The VirtualBox Python shell, a Python alternative to
399 VBoxManage. This is also described in the SDK reference.</para>
400 </listitem>
401 </orderedlist></para>
402
403 <para>Internally, VirtualBox consists of many more or less separate
404 components. You may encounter these when analyzing VirtualBox internal
405 error messages or log files. These include:</para>
406
407 <itemizedlist>
408 <listitem>
409 <para>IPRT, a portable runtime library which abstracts file access,
410 threading, string manipulation, etc. Whenever VirtualBox accesses host
411 operating features, it does so through this library for cross-platform
412 portability.</para>
413 </listitem>
414
415 <listitem>
416 <para>VMM (Virtual Machine Monitor), the heart of the
417 hypervisor.</para>
418 </listitem>
419
420 <listitem>
421 <para>EM (Execution Manager), controls execution of guest code.</para>
422 </listitem>
423
424 <listitem>
425 <para>REM (Recompiled Execution Monitor), provides software emulation
426 of CPU instructions.</para>
427 </listitem>
428
429 <listitem>
430 <para>TRPM (Trap Manager), intercepts and processes guest traps and
431 exceptions.</para>
432 </listitem>
433
434 <listitem>
435 <para>HM (Hardware Acceleration Manager), provides support for VT-x
436 and AMD-V.</para>
437 </listitem>
438
439 <listitem>
440 <para>GIM (Guest Interface Manager), provides support for various
441 paravirtualization interfaces to the guest.</para>
442 </listitem>
443
444 <listitem>
445 <para>PDM (Pluggable Device Manager), an abstract interface between
446 the VMM and emulated devices which separates device implementations
447 from VMM internals and makes it easy to add new emulated devices.
448 Through PDM, third-party developers can add new virtual devices to
449 VirtualBox without having to change VirtualBox itself.</para>
450 </listitem>
451
452 <listitem>
453 <para>PGM (Page Manager), a component controlling guest paging.</para>
454 </listitem>
455
456 <listitem>
457 <para>PATM (Patch Manager), patches guest code to improve and speed up
458 software virtualization.</para>
459 </listitem>
460
461 <listitem>
462 <para>TM (Time Manager), handles timers and all aspects of time inside
463 guests.</para>
464 </listitem>
465
466 <listitem>
467 <para>CFGM (Configuration Manager), provides a tree structure which
468 holds configuration settings for the VM and all emulated
469 devices.</para>
470 </listitem>
471
472 <listitem>
473 <para>SSM (Saved State Manager), saves and loads VM state.</para>
474 </listitem>
475
476 <listitem>
477 <para>VUSB (Virtual USB), a USB layer which separates emulated USB
478 controllers from the controllers on the host and from USB devices;
479 this also enables remote USB.</para>
480 </listitem>
481
482 <listitem>
483 <para>DBGF (Debug Facility), a built-in VM debugger.</para>
484 </listitem>
485
486 <listitem>
487 <para>VirtualBox emulates a number of devices to provide the hardware
488 environment that various guests need. Most of these are standard
489 devices found in many PC compatible machines and widely supported by
490 guest operating systems. For network and storage devices in
491 particular, there are several options for the emulated devices to
492 access the underlying hardware. These devices are managed by
493 PDM.</para>
494 </listitem>
495
496 <listitem>
497 <para>Guest Additions for various guest operating systems. This is
498 code that is installed from within a virtual machine; see <xref
499 linkend="guestadditions" />.</para>
500 </listitem>
501
502 <listitem>
503 <para>The "Main" component is special: it ties all the above bits
504 together and is the only public API that VirtualBox provides. All the
505 client processes listed above use only this API and never access the
506 hypervisor components directly. As a result, third-party applications
507 that use the VirtualBox Main API can rely on the fact that it is
508 always well-tested and that all capabilities of VirtualBox are fully
509 exposed. It is this API that is described in the VirtualBox SDK
510 mentioned above (again, see <xref linkend="VirtualBoxAPI" />).</para>
511 </listitem>
512 </itemizedlist>
513 </sect1>
514
515 <sect1 id="hwvirt">
516 <title>Hardware vs. software virtualization</title>
517
518 <para>VirtualBox allows software in the virtual machine to run directly on
519 the processor of the host, but an array of complex techniques is employed
520 to intercept operations that would interfere with your host. Whenever the
521 guest attempts to do something that could be harmful to your computer and
522 its data, VirtualBox steps in and takes action. In particular, for lots of
523 hardware that the guest believes to be accessing, VirtualBox simulates a
524 certain "virtual" environment according to how you have configured a
525 virtual machine. For example, when the guest attempts to access a hard
526 disk, VirtualBox redirects these requests to whatever you have configured
527 to be the virtual machine's virtual hard disk -- normally, an image file
528 on your host.</para>
529
530 <para>Unfortunately, the x86 platform was never designed to be
531 virtualized. Detecting situations in which VirtualBox needs to take
532 control over the guest code that is executing, as described above, is
533 difficult. There are two ways in which to achieve this:<itemizedlist>
534 <listitem>
535 <para>Since 2006, Intel and AMD processors have had support for
536 so-called <emphasis role="bold">"hardware
537 virtualization"</emphasis>. This means that these processors can
538 help VirtualBox to intercept potentially dangerous operations that a
539 guest operating system may be attempting and also makes it easier to
540 present virtual hardware to a virtual machine.</para>
541
542 <para>These hardware features differ between Intel and AMD
543 processors. Intel named its technology <emphasis
544 role="bold">VT-x</emphasis>; AMD calls theirs <emphasis
545 role="bold">AMD-V</emphasis>. The Intel and AMD support for
546 virtualization is very different in detail, but not very different
547 in principle.<note>
548 <para>On many systems, the hardware virtualization features
549 first need to be enabled in the BIOS before VirtualBox can use
550 them.</para>
551 </note></para>
552 </listitem>
553
554 <listitem>
555 <para>As opposed to other virtualization software, for many usage
556 scenarios, VirtualBox does not <emphasis>require</emphasis> hardware
557 virtualization features to be present. Through sophisticated
558 techniques, VirtualBox virtualizes many guest operating systems
559 entirely in <emphasis role="bold">software</emphasis>. This means
560 that you can run virtual machines even on older processors which do
561 not support hardware virtualization.</para>
562 </listitem>
563 </itemizedlist></para>
564
565 <para>Even though VirtualBox does not always require hardware
566 virtualization, enabling it is <emphasis>required</emphasis> in the
567 following scenarios:<itemizedlist>
568 <listitem>
569 <para>Certain rare guest operating systems like OS/2 make use of
570 very esoteric processor instructions that are not supported with our
571 software virtualization. For virtual machines that are configured to
572 contain such an operating system, hardware virtualization is enabled
573 automatically.</para>
574 </listitem>
575
576 <listitem>
577 <para>VirtualBox's 64-bit guest support (added with version 2.0) and
578 multiprocessing (SMP, added with version 3.0) both require hardware
579 virtualization to be enabled. (This is not much of a limitation
580 since the vast majority of today's 64-bit and multicore CPUs ship
581 with hardware virtualization anyway; the exceptions to this rule are
582 e.g. older Intel Celeron and AMD Opteron CPUs.)</para>
583 </listitem>
584 </itemizedlist></para>
585
586 <warning>
587 <para>Do not run other hypervisors (open-source or commercial
588 virtualization products) together with VirtualBox! While several
589 hypervisors can normally be <emphasis>installed</emphasis> in parallel,
590 do not attempt to <emphasis>run</emphasis> several virtual machines from
591 competing hypervisors at the same time. VirtualBox cannot track what
592 another hypervisor is currently attempting to do on the same host, and
593 especially if several products attempt to use hardware virtualization
594 features such as VT-x, this can crash the entire host. Also, within
595 VirtualBox, you can mix software and hardware virtualization when
596 running multiple VMs. In certain cases a small performance penalty will
597 be unavoidable when mixing VT-x and software virtualization VMs. We
598 recommend not mixing virtualization modes if maximum performance and low
599 overhead are essential. This does <emphasis>not</emphasis> apply to
600 AMD-V.</para>
601 </warning>
602 </sect1>
603
604 <sect1 id="gimproviders">
605 <title>Paravirtualization providers</title>
606
607 <para>VirtualBox allows exposing a paravirtualization interface to
608 facilitate accurate and efficient execution of software within a
609 virtual machine. These interfaces require the guest operating system
610 to recognize their presence and make use of them in order to leverage
611 the benefits of communicating with the VirtualBox hypervisor.</para>
612
613 <para>Most modern mainstream guest operating systems, including
614 Windows and Linux, ship with support for one or more paravirtualization
615 interfaces. Hence, there is typically no need to install additional software
616 in the guest to take advantage of this feature.
617 </para>
618
619 <para>Exposing a paravirtualization provider to the guest operating
620 system does not rely on the choice of host platforms. For example, the
621 <emphasis>Hyper-V</emphasis> paravirtualization provider can be
622 used for VMs to run on any host platform (supported by VirtualBox) and
623 not just Windows.</para>
624
625 <para>VirtualBox provides the following interfaces:</para>
626 <itemizedlist>
627 <listitem>
628 <para><emphasis role="bold">Minimal</emphasis>: Announces the
629 presence of a virtualized environment. Additionally, reports the
630 TSC and APIC frequency to the guest operating system. This provider
631 is mandatory for running any Mac OS X guests.</para>
632 </listitem>
633
634 <listitem>
635 <para><emphasis role="bold">KVM</emphasis>: Presents a Linux KVM
636 hypervisor interface which is recognized by Linux kernels starting
637 with version 2.6.25. VirtualBox's implementation currently supports
638 paravirtualized clocks and SMP spinlocks. This provider is
639 recommended for Linux guests.</para>
640 </listitem>
641
642 <listitem>
643 <para><emphasis role="bold">Hyper-V</emphasis>: Presents a Microsoft
644 Hyper-V hypervisor interface which is recognized by Windows 7 and newer
645 operating systems. VirtualBox's implementation currently supports
646 paravirtualized clocks, APIC frequency reporting, guest debugging,
647 guest crash reporting and relaxed timer checks. This provider is
648 recommended for Windows guests.
649 </para>
650 </listitem>
651 </itemizedlist>
652 </sect1>
653
654 <sect1>
655 <title>Details about software virtualization</title>
656
657 <para>Implementing virtualization on x86 CPUs with no hardware
658 virtualization support is an extraordinarily complex task because the CPU
659 architecture was not designed to be virtualized. The problems can usually
660 be solved, but at the cost of reduced performance. Thus, there is a
661 constant clash between virtualization performance and accuracy.</para>
662
663 <para>The x86 instruction set was originally designed in the 1970s and
664 underwent significant changes with the addition of protected mode in the
665 1980s with the 286 CPU architecture and then again with the Intel 386 and
666 its 32-bit architecture. Whereas the 386 did have limited virtualization
667 support for real mode operation (V86 mode, as used by the "DOS Box" of
668 Windows 3.x and OS/2 2.x), no support was provided for virtualizing the
669 entire architecture.</para>
670
671 <para>In theory, software virtualization is not overly complex. In
672 addition to the four privilege levels ("rings") provided by the hardware
673 (of which typically only two are used: ring 0 for kernel mode and ring 3
674 for user mode), one needs to differentiate between "host context" and
675 "guest context".</para>
676
677 <para>In "host context", everything is as if no hypervisor was active.
678 This might be the active mode if another application on your host has been
679 scheduled CPU time; in that case, there is a host ring 3 mode and a host
680 ring 0 mode. The hypervisor is not involved.</para>
681
682 <para>In "guest context", however, a virtual machine is active. So long as
683 the guest code is running in ring 3, this is not much of a problem since a
684 hypervisor can set up the page tables properly and run that code natively
685 on the processor. The problems mostly lie in how to intercept what the
686 guest's kernel does.</para>
687
688 <para>There are several possible solutions to these problems. One approach
689 is full software emulation, usually involving recompilation. That is, all
690 code to be run by the guest is analyzed, transformed into a form which
691 will not allow the guest to either modify or see the true state of the
692 CPU, and only then executed. This process is obviously highly complex and
693 costly in terms of performance. (VirtualBox contains a recompiler based on
694 QEMU which can be used for pure software emulation, but the recompiler is
695 only activated in special situations, described below.)</para>
696
697 <para>Another possible solution is paravirtualization, in which only
698 specially modified guest OSes are allowed to run. This way, most of the
699 hardware access is abstracted and any functions which would normally
700 access the hardware or privileged CPU state are passed on to the
701 hypervisor instead. Paravirtualization can achieve good functionality and
702 performance on standard x86 CPUs, but it can only work if the guest OS can
703 actually be modified, which is obviously not always the case.</para>
704
705 <para>VirtualBox chooses a different approach. When starting a virtual
706 machine, through its ring-0 support kernel driver, VirtualBox has set up
707 the host system so that it can run most of the guest code natively, but it
708 has inserted itself at the "bottom" of the picture. It can then assume
709 control when needed -- if a privileged instruction is executed, the guest
710 traps (in particular because an I/O register was accessed and a device
711 needs to be virtualized) or external interrupts occur. VirtualBox may then
712 handle this and either route a request to a virtual device or possibly
713 delegate handling such things to the guest or host OS. In guest context,
714 VirtualBox can therefore be in one of three states:</para>
715
716 <para><itemizedlist>
717 <listitem>
718 <para>Guest ring 3 code is run unmodified, at full speed, as much as
719 possible. The number of faults will generally be low (unless the
720 guest allows port I/O from ring 3, something we cannot do as we
721 don't want the guest to be able to access real ports). This is also
722 referred to as "raw mode", as the guest ring-3 code runs
723 unmodified.</para>
724 </listitem>
725
726 <listitem>
727 <para>For guest code in ring 0, VirtualBox employs a nasty trick: it
728 actually reconfigures the guest so that its ring-0 code is run in
729 ring 1 instead (which is normally not used in x86 operating
730 systems). As a result, when guest ring-0 code (actually running in
731 ring 1) such as a guest device driver attempts to write to an I/O
732 register or execute a privileged instruction, the VirtualBox
733 hypervisor in "real" ring 0 can take over.</para>
734 </listitem>
735
736 <listitem>
737 <para>The hypervisor (VMM) can be active. Every time a fault occurs,
738 VirtualBox looks at the offending instruction and can relegate it to
739 a virtual device or the host OS or the guest OS or run it in the
740 recompiler.</para>
741
742 <para>In particular, the recompiler is used when guest code disables
743 interrupts and VirtualBox cannot figure out when they will be
744 switched back on (in these situations, VirtualBox actually analyzes
745 the guest code using its own disassembler). Also, certain privileged
746 instructions such as LIDT need to be handled specially. Finally, any
747 real-mode or protected-mode code (e.g. BIOS code, a DOS guest, or
748 any operating system startup) is run in the recompiler
749 entirely.</para>
750 </listitem>
751 </itemizedlist></para>
752
753 <para>Unfortunately this only works to a degree. Among others, the
754 following situations require special handling:</para>
755
756 <para><orderedlist>
757 <listitem>
758 <para>Running ring 0 code in ring 1 causes a lot of additional
759 instruction faults, as ring 1 is not allowed to execute any
760 privileged instructions (of which guest's ring-0 contains plenty).
761 With each of these faults, the VMM must step in and emulate the code
762 to achieve the desired behavior. While this works, emulating
763 thousands of these faults is very expensive and severely hurts the
764 performance of the virtualized guest.</para>
765 </listitem>
766
767 <listitem>
768 <para>There are certain flaws in the implementation of ring 1 in the
769 x86 architecture that were never fixed. Certain instructions that
770 <emphasis>should</emphasis> trap in ring 1 don't. This affects, for
771 example, the LGDT/SGDT, LIDT/SIDT, or POPF/PUSHF instruction pairs.
772 Whereas the "load" operation is privileged and can therefore be
773 trapped, the "store" instruction always succeed. If the guest is
774 allowed to execute these, it will see the true state of the CPU, not
775 the virtualized state. The CPUID instruction also has the same
776 problem.</para>
777 </listitem>
778
779 <listitem>
780 <para>A hypervisor typically needs to reserve some portion of the
781 guest's address space (both linear address space and selectors) for
782 its own use. This is not entirely transparent to the guest OS and
783 may cause clashes.</para>
784 </listitem>
785
786 <listitem>
787 <para>The SYSENTER instruction (used for system calls) executed by
788 an application running in a guest OS always transitions to ring 0.
789 But that is where the hypervisor runs, not the guest OS. In this
790 case, the hypervisor must trap and emulate the instruction even when
791 it is not desirable.</para>
792 </listitem>
793
794 <listitem>
795 <para>The CPU segment registers contain a "hidden" descriptor cache
796 which is not software-accessible. The hypervisor cannot read, save,
797 or restore this state, but the guest OS may use it.</para>
798 </listitem>
799
800 <listitem>
801 <para>Some resources must (and can) be trapped by the hypervisor,
802 but the access is so frequent that this creates a significant
803 performance overhead. An example is the TPR (Task Priority) register
804 in 32-bit mode. Accesses to this register must be trapped by the
805 hypervisor, but certain guest operating systems (notably Windows and
806 Solaris) write this register very often, which adversely affects
807 virtualization performance.</para>
808 </listitem>
809 </orderedlist></para>
810
811 <para>To fix these performance and security issues, VirtualBox contains a
812 Code Scanning and Analysis Manager (CSAM), which disassembles guest code,
813 and the Patch Manager (PATM), which can replace it at runtime.</para>
814
815 <para>Before executing ring 0 code, CSAM scans it recursively to discover
816 problematic instructions. PATM then performs <emphasis>in-situ
817 </emphasis>patching, i.e. it replaces the instruction with a jump to
818 hypervisor memory where an integrated code generator has placed a more
819 suitable implementation. In reality, this is a very complex task as there
820 are lots of odd situations to be discovered and handled correctly. So,
821 with its current complexity, one could argue that PATM is an advanced
822 <emphasis>in-situ</emphasis> recompiler.</para>
823
824 <para>In addition, every time a fault occurs, VirtualBox analyzes the
825 offending code to determine if it is possible to patch it in order to
826 prevent it from causing more faults in the future. This approach works
827 well in practice and dramatically improves software virtualization
828 performance.</para>
829 </sect1>
830
831 <sect1>
832 <title>Details about hardware virtualization</title>
833
834 <para>With Intel VT-x, there are two distinct modes of CPU operation: VMX
835 root mode and non-root mode.<itemizedlist>
836 <listitem>
837 <para>In root mode, the CPU operates much like older generations of
838 processors without VT-x support. There are four privilege levels
839 ("rings"), and the same instruction set is supported, with the
840 addition of several virtualization specific instruction. Root mode
841 is what a host operating system without virtualization uses, and it
842 is also used by a hypervisor when virtualization is active.</para>
843 </listitem>
844
845 <listitem>
846 <para>In non-root mode, CPU operation is significantly different.
847 There are still four privilege rings and the same instruction set,
848 but a new structure called VMCS (Virtual Machine Control Structure)
849 now controls the CPU operation and determines how certain
850 instructions behave. Non-root mode is where guest systems
851 run.</para>
852 </listitem>
853 </itemizedlist></para>
854
855 <para>Switching from root mode to non-root mode is called "VM entry", the
856 switch back is "VM exit". The VMCS includes a guest and host state area
857 which is saved/restored at VM entry and exit. Most importantly, the VMCS
858 controls which guest operations will cause VM exits.</para>
859
860 <para>The VMCS provides fairly fine-grained control over what the guests
861 can and can't do. For example, a hypervisor can allow a guest to write
862 certain bits in shadowed control registers, but not others. This enables
863 efficient virtualization in cases where guests can be allowed to write
864 control bits without disrupting the hypervisor, while preventing them from
865 altering control bits over which the hypervisor needs to retain full
866 control. The VMCS also provides control over interrupt delivery and
867 exceptions.</para>
868
869 <para>Whenever an instruction or event causes a VM exit, the VMCS contains
870 information about the exit reason, often with accompanying detail. For
871 example, if a write to the CR0 register causes an exit, the offending
872 instruction is recorded, along with the fact that a write access to a
873 control register caused the exit, and information about source and
874 destination register. Thus the hypervisor can efficiently handle the
875 condition without needing advanced techniques such as CSAM and PATM
876 described above.</para>
877
878 <para>VT-x inherently avoids several of the problems which software
879 virtualization faces. The guest has its own completely separate address
880 space not shared with the hypervisor, which eliminates potential clashes.
881 Additionally, guest OS kernel code runs at privilege ring 0 in VMX
882 non-root mode, obviating the problems by running ring 0 code at less
883 privileged levels. For example the SYSENTER instruction can transition to
884 ring 0 without causing problems. Naturally, even at ring 0 in VMX non-root
885 mode, any I/O access by guest code still causes a VM exit, allowing for
886 device emulation.</para>
887
888 <para>The biggest difference between VT-x and AMD-V is that AMD-V provides
889 a more complete virtualization environment. VT-x requires the VMX non-root
890 code to run with paging enabled, which precludes hardware virtualization
891 of real-mode code and non-paged protected-mode software. This typically
892 only includes firmware and OS loaders, but nevertheless complicates VT-x
893 hypervisor implementation. AMD-V does not have this restriction.</para>
894
895 <para>Of course hardware virtualization is not perfect. Compared to
896 software virtualization, the overhead of VM exits is relatively high. This
897 causes problems for devices whose emulation requires high number of traps.
898 One example is the VGA device in 16-color modes, where not only every I/O
899 port access but also every access to the framebuffer memory must be
900 trapped.</para>
901 </sect1>
902
903 <sect1 id="nestedpaging">
904 <title>Nested paging and VPIDs</title>
905
906 <para>In addition to "plain" hardware virtualization, your processor may
907 also support additional sophisticated techniques:<footnote>
908 <para>VirtualBox 2.0 added support for AMD's nested paging; support
909 for Intel's EPT and VPIDs was added with version 2.1.</para>
910 </footnote><itemizedlist>
911 <listitem>
912 <para>A newer feature called <emphasis role="bold">"nested
913 paging"</emphasis> implements some memory management in hardware,
914 which can greatly accelerate hardware virtualization since these
915 tasks no longer need to be performed by the virtualization
916 software.</para>
917
918 <para>With nested paging, the hardware provides another level of
919 indirection when translating linear to physical addresses. Page
920 tables function as before, but linear addresses are now translated
921 to "guest physical" addresses first and not physical addresses
922 directly. A new set of paging registers now exists under the
923 traditional paging mechanism and translates from guest physical
924 addresses to host physical addresses, which are used to access
925 memory.</para>
926
927 <para>Nested paging eliminates the overhead caused by VM exits and
928 page table accesses. In essence, with nested page tables the guest
929 can handle paging without intervention from the hypervisor. Nested
930 paging thus significantly improves virtualization
931 performance.</para>
932
933 <para>On AMD processors, nested paging has been available starting
934 with the Barcelona (K10) architecture -- they call it now "rapid
935 virtualization indexing" (RVI). Intel added support for nested
936 paging, which they call "extended page tables" (EPT), with their
937 Core i7 (Nehalem) processors.</para>
938
939 <para>If nested paging is enabled, the VirtualBox hypervisor can
940 also use <emphasis role="bold">large pages</emphasis> to reduce TLB
941 usage and overhead. This can yield a performance improvement of up
942 to 5%. To enable this feature for a VM, you need to use the
943 <computeroutput>VBoxManage modifyvm
944 </computeroutput><computeroutput>--largepages</computeroutput>
945 command; see <xref linkend="vboxmanage-modifyvm" />.</para>
946 </listitem>
947
948 <listitem>
949 <para>On Intel CPUs, another hardware feature called <emphasis
950 role="bold">"Virtual Processor Identifiers" (VPIDs)</emphasis> can
951 greatly accelerate context switching by reducing the need for
952 expensive flushing of the processor's Translation Lookaside Buffers
953 (TLBs).</para>
954
955 <para>To enable these features for a VM, you need to use the
956 <computeroutput>VBoxManage modifyvm --vtxvpid</computeroutput> and
957 <computeroutput>--largepages</computeroutput> commands; see <xref
958 linkend="vboxmanage-modifyvm" />.</para>
959 </listitem>
960 </itemizedlist></para>
961 </sect1>
962</chapter>
Note: See TracBrowser for help on using the repository browser.

© 2024 Oracle Support Privacy / Do Not Sell My Info Terms of Use Trademark Policy Automated Access Etiquette