What is a hypervisor?
A hypervisor is a software or firmware layer that abstracts, and isolates, operating systems (OSes) and applications from the underlying computer hardware. This abstraction lets a single host machine run one or more virtual machines (VMs) as guests, so that multiple guest VMs share the system's physical compute resources, such as processor cycles, memory space and network bandwidth, while remaining separated from one another.
A hypervisor is used to consolidate many workloads onto fewer physical servers or to run multiple isolated applications on a single server. Hypervisors are commonly managed through virtualization management software, such as VMware vCenter Server, which itself is not a hypervisor.
Types of hypervisors
Hypervisors are traditionally implemented as a software layer -- such as VMware ESXi or Microsoft Hyper-V -- but hypervisors can also be implemented as code embedded in a system's firmware. There are two principal types of hypervisor: Type 1 and Type 2.
Type 1 hypervisors
Type 1 hypervisors are deployed directly atop the system's hardware without any underlying OS or other software beneath them. These are called bare-metal hypervisors and are the most common type of hypervisor in the enterprise data center. Examples include VMware ESXi (the hypervisor in vSphere) and Microsoft Hyper-V.
Type 2 hypervisors
Type 2 hypervisors run as a software layer atop a host OS and are usually called hosted hypervisors; examples include VMware Workstation Player and Parallels Desktop. Hosted hypervisors are typically found on endpoints such as personal computers. Because they depend on the host OS, the host OS is part of every guest's trusted computing base: a compromise of the host compromises the guests.
What are hypervisors used for?
Hypervisors are important to any system administrator or system operator because virtualization adds a crucial layer of management and control over the data center and enterprise environment. Staff members not only need to understand how the respective hypervisor works, but also how to perform related management tasks such as VM configuration, migration and snapshots.
The role of a hypervisor is also expanding. Storage hypervisors, for example, are used to virtualize all the storage resources in the environment to create centralized storage pools that admins can provision, without having to concern themselves with where the storage was physically located. Today, storage hypervisors are a key element of software-defined storage. Networks are also being virtualized with hypervisors, enabling networks and network devices to be created, changed, managed and destroyed entirely through software without ever touching physical network devices. As with storage, network virtualization is appearing in broader software-defined network or software-defined data center platforms.
History of hypervisors
The earliest hypervisors date from the mid-1960s. In 1966, IBM shipped the System/360 Model 67, the first production IBM system with the address-translation hardware needed for full virtualization. IBM's CP-40 research system, which ran on a modified S/360 Model 40, was operational in 1967; it provided virtualization and let multiple users run applications concurrently, which wasn't possible before. IBM's Control Program/Cambridge Monitor System (CP/CMS) followed in 1968 and remained in use through the 1970s.
In 1970, IBM released System/370, which added support for virtual memory in 1972. Virtualization has been a feature of IBM's mainframe line ever since, and hypervisor development later spread well beyond IBM, including into open source projects.
IBM introduced the Processor Resource/Systems Manager (PR/SM) hypervisor, which manages logical partitions (LPARs), in 1985. During the mid-2000s, mainstream OSes such as Linux, Unix and Windows gained hypervisor support, and hypervisors arrived with better hardware support, lower cost and stronger consolidation capabilities. In 2005, x86 processor vendors began adding hardware-assisted virtualization extensions (Intel VT-x, followed by AMD-V), which let hypervisors run unmodified guest OSes efficiently on commodity x86 hardware.
Benefits of hypervisors
Hypervisors provide several benefits to the enterprise data center. First, the ability of a physical host system to run multiple guest VMs can vastly improve the utilization of the underlying hardware. Where a physical (nonvirtualized) server might host only one OS and a single application, a hypervisor virtualizes the server, enabling it to host multiple VM instances -- each running an independent OS and application -- on the same physical system and using far more of the system's available compute resources.
VMs are also very mobile. The abstraction that takes place in a hypervisor makes the VM independent of the underlying hardware. Traditional software can be tightly coupled to the underlying server hardware, meaning moving the application to another server requires time-consuming and error-prone reinstallation and reconfiguration. By comparison, a hypervisor makes the underlying hardware details irrelevant to the VMs. This enables VMs to be moved or migrated between any local or remote virtualized servers -- with enough computing resources available -- almost at will and with effectively zero disruption to the VM; this feature is often termed live migration.
VMs are also logically isolated from each other, even though they run on the same physical machine. A VM has no native knowledge of, or dependence on, other VMs, so an error, crash or malware infection in one VM doesn't spread to other VMs on the same host. This isolation is a major security benefit, but it is only as strong as the hypervisor that enforces it: a vulnerability in the hypervisor or in its device emulation (a VM escape) or a side channel through shared hardware such as CPU caches can cross the boundary, so the hypervisor itself must be hardened and kept patched.
Finally, snapshots make it possible to instantly revert a VM to a previous state. Although snapshots -- or checkpoints, as Microsoft calls them -- aren't intended to be used as a substitute for backups, snapshots can act as a protective mechanism, especially when performing maintenance on a VM. If an admin is about to upgrade a VM's OS, they can take a snapshot prior to performing the upgrade. If the upgrade fails, then the admin can restore the snapshot to instantly restore the VM to its previous state.
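The snapshot-before-upgrade workflow above, as an added PowerShell example for Hyper-V (this is not code from the original article). It uses the Hyper-V module's Checkpoint-VM, Remove-VMCheckpoint and Restore-VMCheckpoint cmdlets; the VM name app01, the guest credential prompt and the in-guest upgrade command are placeholders.

```powershell
# Added example, not code from the original article. Requires the Hyper-V
# PowerShell module on the host. VM name, credential and the in-guest
# upgrade command are placeholders.

function Invoke-CheckpointedChange {
    param(
        [Parameter(Mandatory)] [string]      $VMName,
        [Parameter(Mandatory)] [scriptblock] $Change,
        [string] $Label = ('pre-change-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    )

    # Production checkpoints quiesce the guest (VSS on Windows, filesystem
    # freeze through the Linux integration services), so the rollback point
    # is application-consistent. They do not capture memory state, so a
    # restored VM comes back powered off and is started again below.
    Set-VM -Name $VMName -CheckpointType Production
    Checkpoint-VM -Name $VMName -SnapshotName $Label
    Write-Host "Checkpoint '$Label' taken for $VMName"

    try {
        # The change must throw on failure; a silent non-zero exit code
        # would otherwise be treated as success.
        & $Change

        # Success: delete the checkpoint so its differencing disk stops
        # growing. Checkpoints are a rollback aid, not a backup.
        Remove-VMCheckpoint -VMName $VMName -Name $Label -Confirm:$false
        Write-Host "Change succeeded; checkpoint '$Label' removed"
    }
    catch {
        Write-Warning "Change failed: $_. Restoring checkpoint '$Label'"
        Restore-VMCheckpoint -VMName $VMName -Name $Label -Confirm:$false
        Start-VM -Name $VMName
        throw   # surface the original error to the caller
    }
}

# Usage: run the OS upgrade inside the guest over PowerShell Direct
# (Invoke-Command -VMName). The setup command is a placeholder.
$guestCred = Get-Credential -Message 'Guest administrator for app01'
Invoke-CheckpointedChange -VMName 'app01' -Change {
    Invoke-Command -VMName 'app01' -Credential $guestCred -ErrorAction Stop -ScriptBlock {
        & 'C:\Upgrade\setup.exe' /quiet   # placeholder upgrade command
        if ($LASTEXITCODE -ne 0) { throw "upgrade exited with code $LASTEXITCODE" }
    }
}
```

The checkpoint is deleted on success deliberately: a checkpoint left in place keeps every subsequent write in a differencing disk, which costs performance and is easy to forget about, and it is no substitute for a backup stored off the host.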
In summary, the key benefits of hypervisors include:
- Reduced cost through better hardware utilization.
- The ability to quickly and easily migrate a running VM to a different host, without taking the VM offline.
- A bare-metal hypervisor isolates VMs from one another at the hardware level. An attacker can't use a compromised VM to attack an adjacent VM -- barring a hypervisor vulnerability or a side channel through shared hardware -- so the hypervisor's own attack surface is what must be defended.
- Bare-metal hypervisors generally include a snapshot feature that enables VMs to be instantly restored to a prior state without the need for restoring a backup.
Containers vs. hypervisor
Containers might seem like hypervisors. However, a hypervisor hosts VMs, each with its own independent OS and kernel, to create an environment that mimics a collection of physical machines. In contrast, containers share the host's OS kernel; each container packages one application or microservice together with its user-space dependencies in an image built on a base image, and isolation between containers is enforced by the shared kernel rather than by a hypervisor.
Microsoft offers two container isolation modes on Windows Server. Process-isolated containers share the host's kernel, like Linux containers, while Hyper-V isolation runs each container inside a lightweight utility VM, combining container packaging with hypervisor-level isolation.
Kubernetes has become the standard tool for managing Linux containers across private, public and hybrid cloud environments. Kubernetes is an open source system originally developed by Google, released in 2014, with version 1.0 following in 2015. Kubernetes can automate the scheduling, deployment, scaling and maintenance of containers across cluster nodes.
Hypervisor security
Hypervisor security means keeping the hypervisor secure throughout its lifecycle, from development through deployment and operation. If an attacker gains unauthorized access to the hypervisor, to its management software or to the software that orchestrates the virtual environment, that attacker can potentially reach the data stored in every VM on the host, because the hypervisor sits beneath the guests' own security controls. Other exposures include side channels through shared hardware caches, the management and migration networks, and physical access to the server.
Common security practices for hypervisors include:
- Limiting the number of user accounts on the hypervisor host to the administrators who need them
- Limiting the attack surface by running the hypervisor on a dedicated host that performs no other roles
- Keeping the host patched by adhering to patch management best practices, since a hypervisor vulnerability exposes every guest
- Configuring the host as part of a guarded fabric, so that it must attest its health before it is trusted to run protected VMs
- Enabling VM encryption (shielded VMs on Hyper-V) to prevent rogue admins from reading VM disks or state
- Encrypting the storage on which the VMs reside with BitLocker or a similar option
- Using role-based access control (RBAC) to limit administrative privileges
- Using dedicated physical network adapters for management traffic, VM migration traffic and cluster traffic, keeping each off the networks the VMs use
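The following PowerShell script applies most of the items above to a Hyper-V host. It is added here as an example and is not taken from the original article; it uses cmdlets from the Hyper-V, HgsClient, BitLocker and LocalAccounts modules. Adapter names, VLAN IDs, the migration subnet, the HGS URLs, the AD group and the VM name are placeholders, and the VM-level steps require a powered-off Generation 2 VM.

```powershell
# Added example, not the article's own code. Run elevated on a Windows Server
# Hyper-V host. NIC names, VLAN IDs, subnet, HGS URLs, AD group and VM name
# are placeholders for the reader's environment.
$ErrorActionPreference = 'Stop'

# --- Dedicated host, limited accounts: audit rather than silently change ---
$extraRoles = Get-WindowsFeature |
    Where-Object { $_.Installed -and $_.FeatureType -eq 'Role' -and $_.Name -ne 'Hyper-V' }
if ($extraRoles) { Write-Warning "Host also runs roles: $($extraRoles.Name -join ', ')" }
Write-Host 'Local Administrators:'; Get-LocalGroupMember -Group 'Administrators'

# --- Patch level: newest installed update, as a quick sanity check ---
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1 -Property HotFixID, InstalledOn

# --- RBAC: VM operators join 'Hyper-V Administrators', not local Administrators ---
Add-LocalGroupMember -Group 'Hyper-V Administrators' -Member 'CORP\VM-Operators'

# --- Separate management, migration and cluster traffic: one host adapter + VLAN per role ---
New-VMSwitch -Name 'ConvergedSwitch' -NetAdapterName 'NIC1', 'NIC2' `
    -EnableEmbeddedTeaming $true -AllowManagementOS $false
$roleVlans = [ordered]@{ Mgmt = 10; Migration = 20; Cluster = 30 }
foreach ($role in $roleVlans.Keys) {
    Add-VMNetworkAdapter -ManagementOS -Name $role -SwitchName 'ConvergedSwitch'
    Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $role -Access -VlanId $roleVlans[$role]
}

# --- Live migration: Kerberos (not CredSSP), only over the migration subnet ---
# Kerberos needs constrained delegation (cifs and Microsoft Virtual System
# Migration Service) on the host computer accounts in AD for remote-initiated moves.
Enable-VMMigration
Set-VMHost -VirtualMachineMigrationAuthenticationType Kerberos -UseAnyNetworkForMigration $false
Add-VMMigrationNetwork -Subnet '10.20.0.0/24'

# --- Guarded fabric: the host must attest to HGS before it can unlock shielded VMs ---
Install-WindowsFeature -Name HostGuardian
Set-HgsClientConfiguration -AttestationServerUrl 'http://hgs.example.local/Attestation' `
                           -KeyProtectionServerUrl 'http://hgs.example.local/KeyProtection'
Get-HgsClientConfiguration   # AttestationStatus shows Passed once the host has attested

# --- VM encryption: vTPM plus encrypted saved state and migration traffic ---
# -NewLocalKeyProtector is the stand-alone form; on a guarded fabric, build the
# key protector with New-HgsKeyProtector from the HGS guardian instead.
Set-VMKeyProtector -VMName 'app01' -NewLocalKeyProtector
Enable-VMTPM -VMName 'app01'
Set-VMSecurity -VMName 'app01' -EncryptStateAndVmMigrationTraffic $true

# --- Encrypt the volume that holds the VHDX files ---
Enable-BitLocker -MountPoint 'D:' -EncryptionMethod XtsAes256 -RecoveryPasswordProtector
Enable-BitLockerAutoUnlock -MountPoint 'D:'   # requires the OS volume to be BitLocker-protected
```

After running it, `Get-VMHost | Select-Object VirtualMachineMigrationEnabled, VirtualMachineMigrationAuthenticationType, UseAnyNetworkForMigration` and `Get-VMSecurity -VMName 'app01'` confirm the migration and encryption settings took effect. The audit steps at the top only report; disabling accounts or removing roles on a production host should be a deliberate change, not a side effect of a hardening script.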
Hypervisor vendors and market
There are several major hypervisors available today, ranging from free platforms to pricey, enterprise-grade products. These are the most widely used hypervisors:
- Citrix Hypervisor
- Linux KVM (Kernel-based VM)
- Nutanix AHV (Acropolis Hypervisor)
- Microsoft Hyper-V
- Oracle VM Server
- Oracle VM VirtualBox
- VMware ESXi