IO Visor Project - Virtual Machines for IO and Networking

This blog is based on a posting on IOvisor.org, but modified slightly to suit the needs of ESG blog readers.

What is the IO Visor Project?

This is a low-level discussion compared to a typical ESG blog, but we wanted to provide some insight into how new low-level technology placed into the Linux kernel can have potentially far-reaching effects on practical uses and on the products you may use in the future. Read on if you are interested in virtualization, software-defined data centers, and networking.

IO Visor Project is an IO hypervisor engine that resides between the Linux OS and hardware, along with a set of development tools. It is an in-kernel virtual machine for IO instructions, somewhat like Java virtual machines. You see apps and a runtime engine atop a host and hardware layer. It's not a replacement for a hypervisor like ESX or KVM since it just does IO. Being software-defined, it has the flexibility for modern IO infrastructure and can become a foundation for new generations of Linux virtualization and networking.

The IO Visor project was announced on August 17th, 2015 as a project hosted by the Linux Foundation, and is composed of the IO Visor engine and a set of dev tools, management and operation tools, apps, and IO modules. It's not unlike Java: you can write portable programs, and an engine runs that program. It has support from a range of founding members including major ones such as Cisco, Huawei, and Intel.

Background

What does this mean to you?  It may affect Linux IO to make it a better platform for a new generation of networking and virtualized infrastructure.

The founding members of this project include networking device vendors Cisco and Huawei. Network chip vendors are Broadcom, Cavium, and Intel. Software companies are Barefoot Networks, PLUMgrid (the initial code contributions come from them), and Linux providers SuSE and Ubuntu.

But first, let's explain what this all is:

Network IO (Input/Output) is a key function of any operating system and of network devices. Packets come in, are examined, and are delivered to some destination. These functions are typically done deep in the operating system, in kernel space. If you want application programs to participate, you pay a penalty in performance since the packets get shuffled out to a user program, get processed, and are sent back to the OS kernel. There are tricks to make this faster, but in general there has been a tradeoff between performance, functionality, and security. The security part comes in because we don't want any user program to have access to system resources such as all packets being delivered.

Extended Berkeley Packet Filter (eBPF), the technology that underpins IO Visor, is not new (origins go back to 1997!), but being a project hosted by the Linux Foundation will enable proliferation. It’s general purpose enough to build storage systems, distributed virtual networks, or security sandboxes. You get a universal virtual machine that runs "safe" instructions of IO programs in the operating system kernel: programs are checked before they are loaded, so only instructions that cannot harm the kernel are allowed to run. This provides the speed you need (since it runs in the kernel) and flexibility (since you run programs that are dynamically loaded).

How is this different?

Let us examine networking uses. Some people who follow this technical space may say: IO virtualization? I think I've heard of this before. Don’t we have IO virtualization such as SR-IOV (Single Root I/O Virtualization), or even IO virtualization right inside hypervisors? Don’t dataplane libraries such as DPDK (Data Plane Development Kit) and projects such as P4 provide flexible packet processing too?

They may seem to overlap, but they are actually complementary. IO Visor combines kernel-space performance with extensibility via plug-ins to low-level functions (e.g., DPDK or directly to hardware), so you can run IO Visor modules implemented atop DPDK and they all work together. Imagine loading apps that change the operating system's IO capabilities at a low level, but done in a safe way.

Portable across software and hardware devices

With the support of Broadcom, Cavium, Cisco, Huawei, and Intel we may see plug-ins to support a variety of hardware devices. Networking endpoints have increasingly moved into virtual switches, so it makes sense to provide IO extensibility within the kernel and not rely solely on physical switches. But physical switches are also important, and with hardware vendor support for this project, we may see IO Visor apps that span software and hardware devices. Imagine some network function (currently a virtual machine, or maybe a physical appliance) converted into a program and run by the IO engine within Linux, perhaps with the assistance of specialized hardware; that program can then be ported from one type of Linux to another, or even to a switch that is running a Linux-based OS.

Linux portability gives this project a potentially large footprint. Linux is the basis for many network switch OSs (including those from Arista, Cisco Systems, Dell Networking, Cumulus Networks, Extreme Networks, Open Networking Linux (the basis for Big Switch Networks’ Switch Light), and Pica8), so in the long term many vendors may choose to examine IO Visor to use its capabilities.

Since IO Visor is platform-independent, it can be hosted on different CPU or hardware network processing units. SuSE and Ubuntu, as founding members, may jump start support for the commercial Linux community to support a variety of platforms and devices.

Use cases

Here are some practical business use cases.

  • Security. Performance requirements traditionally require I/O to run in the kernel but updates were hard to make, creating a tradeoff between speed and security functionality. IO is important since it is a component of security and sits between the outside world and your workloads, so you update low level components carefully and periodically such as with OS patches. IO Visor reduces this limitation, so I foresee the development of high performance IO security functions that can be updated with new capabilities, just like antivirus programs updating with signatures. Imagine a Linux-based firewall that dynamically gets new functionality.

    Security use cases have used BPF for years. The popular OpenSSH utilities use it to sandbox privileges, and Google’s Chrome browser on Linux and Chrome OS uses it to sandbox Adobe Flash. Having it in upstream Linux should enable it to find more uses.
  • Cloud building blocks. Integrated computing platforms (converged infrastructure) closely couple storage, compute, and virtualization, and will benefit from a universal IO layer that ties it all together. Systems like VMware vSphere distributed switches (VDS) provide networking devices that span multiple hosts, but don’t yet offer platform-independent extensibility. IO Visor enables creation of distributed virtual networks (more than just switches). PLUMgrid, which contributed the initial IO Visor code, based their Open Networking Suite on this technology, so it’s known to work commercially.
  • Carrier networking. Carriers support NFV in the pursuit of reducing opex and capex and increasing agility, but performance demands have been a concern. IO Visor can provide the performance along with dynamic changes. Since IO Visor does not require physical or virtual appliances to create distributed networks, it can drive high density and reduced capex for carrier uses such as vCPE. Rather than running many VMs, the IO functions are just IO Visor programs, which can be lightweight. Some founding member companies provide technologies to carriers, and through collaboration with OPNFV, I expect carrier networking requirements will influence IO Visor development in new ways.
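To make concrete what "safe instructions" in the kernel means (the eBPF paragraph above) and how the same mechanism serves as a security sandbox (the security bullet above), here is an added example in C. It is not code from IO Visor, PLUMgrid or the Linux kernel: it models a small subset of classic BPF with a load-time verifier and an interpreter, then runs two constructed programs through it, a packet filter that keeps only IPv4 frames and a seccomp-style syscall allowlist. The opcode numbers are our own; the instruction layout follows struct sock_filter, the syscall numbers are x86-64's, and the SECCOMP_RET_* values are the ones in linux/seccomp.h.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed subset of classic BPF. Field layout mirrors struct sock_filter
   (code, jt, jf, k); the opcode numbers are our own, not the kernel's. */
enum { OP_LD_W_ABS = 1, OP_LD_H_ABS = 2, OP_JEQ_K = 3, OP_RET_K = 4 };

struct insn { uint8_t code, jt, jf; uint32_t k; };

/* Return values a seccomp filter uses (numeric values as in linux/seccomp.h). */
#define SECCOMP_RET_ALLOW        0x7fff0000u
#define SECCOMP_RET_KILL_PROCESS 0x80000000u

/* Static check done before a program may run. These are the kind of invariants
   the kernel's classic-BPF checker enforces at load time: only known opcodes,
   every jump target inside the program (offsets are unsigned, so jumps only go
   forward and the program cannot loop), and a final instruction that returns. */
int verify(const struct insn *p, size_t n)
{
    if (n == 0 || n > 4096)
        return 0;
    for (size_t i = 0; i < n; i++) {
        switch (p[i].code) {
        case OP_LD_W_ABS: case OP_LD_H_ABS: case OP_RET_K:
            break;
        case OP_JEQ_K:
            if (i + 1 + p[i].jt >= n || i + 1 + p[i].jf >= n)
                return 0;
            break;
        default:
            return 0;
        }
    }
    return p[n - 1].code == OP_RET_K;
}

/* Interpreter. Refuses unverified programs; a load outside the buffer
   returns 0 (drop), as the kernel does for an out-of-bounds packet load. */
uint32_t run(const struct insn *p, size_t n, const uint8_t *d, size_t len)
{
    uint32_t a = 0;
    size_t pc = 0;
    if (!verify(p, n))
        return 0;
    while (pc < n) {
        const struct insn *in = &p[pc];
        switch (in->code) {
        case OP_LD_W_ABS:
            if ((size_t)in->k + 4 > len) return 0;
            a = (uint32_t)d[in->k] << 24 | (uint32_t)d[in->k + 1] << 16 |
                (uint32_t)d[in->k + 2] << 8 | d[in->k + 3];
            pc++; break;
        case OP_LD_H_ABS:
            if ((size_t)in->k + 2 > len) return 0;
            a = (uint32_t)d[in->k] << 8 | d[in->k + 1];
            pc++; break;
        case OP_JEQ_K:
            pc += 1 + (a == in->k ? in->jt : in->jf); break;
        default: /* OP_RET_K */
            return in->k;
        }
    }
    return 0;
}

/* Program 1, packet filter: keep only IPv4 frames (EtherType 0x0800 at
   offset 12 of the Ethernet header), like tcpdump's "ip" expression. */
static const struct insn ipv4_only[] = {
    { OP_LD_H_ABS, 0, 0, 12 },     /* a = EtherType */
    { OP_JEQ_K,    0, 1, 0x0800 }, /* IPv4: fall through; else skip to drop */
    { OP_RET_K,    0, 0, 0xFFFF }, /* accept (keep up to 0xFFFF bytes) */
    { OP_RET_K,    0, 0, 0 },      /* drop */
};

/* Program 2, seccomp-style allowlist: read(0), write(1), exit(60) on x86-64;
   anything else kills the process. Our interpreter reads the syscall number
   as a big-endian word at offset 0 (a simplification of struct seccomp_data). */
static const struct insn syscall_allowlist[] = {
    { OP_LD_W_ABS, 0, 0, 0 },  /* a = syscall number */
    { OP_JEQ_K, 2, 0, 0 },     /* read  -> allow */
    { OP_JEQ_K, 1, 0, 1 },     /* write -> allow */
    { OP_JEQ_K, 0, 1, 60 },    /* exit  -> allow, else kill */
    { OP_RET_K, 0, 0, SECCOMP_RET_ALLOW },
    { OP_RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS },
};

/* Program 3 is deliberately malformed: its jump lands past the program end. */
static const struct insn out_of_range_jump[] = {
    { OP_LD_W_ABS, 0, 0, 0 }, { OP_JEQ_K, 5, 0, 0 }, { OP_RET_K, 0, 0, 0 },
};

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

uint32_t filter_frame(const uint8_t *frame, size_t len)
{
    return run(ipv4_only, LEN(ipv4_only), frame, len);
}

uint32_t filter_syscall(uint32_t nr)
{
    uint8_t d[4] = { (uint8_t)(nr >> 24), (uint8_t)(nr >> 16),
                     (uint8_t)(nr >> 8), (uint8_t)nr };
    return run(syscall_allowlist, LEN(syscall_allowlist), d, sizeof d);
}

int malformed_program_is_rejected(void)
{
    return !verify(out_of_range_jump, LEN(out_of_range_jump));
}

int main(void)
{
    /* Constructed 14-byte Ethernet headers: one IPv4, one ARP. */
    const uint8_t ipv4[14] = { [12] = 0x08, [13] = 0x00 };
    const uint8_t arp[14]  = { [12] = 0x08, [13] = 0x06 };
    printf("ipv4 -> %u, arp -> %u\n", filter_frame(ipv4, 14), filter_frame(arp, 14));
    printf("write -> %#x, open -> %#x\n", filter_syscall(1), filter_syscall(2));
    printf("malformed program rejected: %d\n", malformed_program_is_rejected());
    return 0;
}
```

The point to take from the verifier is that the kernel never trusts the program it is handed: bounds, termination and a well-formed exit are checked once at load time, and only then does the interpreter run it against every packet or syscall at kernel speed. Real eBPF programs pass a much larger verifier (register typing, memory safety, helper-call signatures), but the load-time check followed by in-kernel execution is the same division of work.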

Need for apps

Foundational software systems, regardless of technical soundness, cannot succeed unless there are applications. Since the project founding members provide a wide range of solutions, we expect their contributions to build applications, tools and IO Modules and not focus solely on the IO Visor engine. 

Implications for IT users

End-users won’t directly interact with IO Visor but they will instead see improvements in performance, flexibility, and security and be introduced to new classes of Linux-based tools and devices. 

Given that Linux is used widely, we feel this project can have widespread effects throughout the Linux virtualization and networking space. With this project, another layer of the IT infrastructure may get transformed to provide more flexibility in a portable, open manner.

Although this is a new Linux Foundation project, the origins of the technology go back many years, so the concept has been tested in the real-world. This is not a new idea that requires years of validation.

This collaborative project is just starting, so we don't expect too wide a variety of commercial products immediately (PLUMgrid ships an IO Visor-based product today), but it is nice to see that some large vendors such as Cisco, Huawei, and Intel have come forth to support this open source project alongside start-ups. I think that's the value of these open communities.

Remember that although major companies support a variety of projects and partnerships, this is the only project of this type that is an official Linux Foundation collaborative project (there are 21 at the time of this writing), so there is some exclusivity there.

We'll keep an eye on this to see how this community evolves.
