Learning to love the Xen hypervisor

In recent years, the Xen hypervisor has become popular with major companies such as Amazon and Rackspace. So what's behind all this new interest from cloud providers?

Xen, an open source bare-metal hypervisor, has been hailed by Citrix as the fastest, most secure and least expensive hypervisor on the market. The reality is, it holds just a 4% market share and lags far behind VMware and Microsoft in many areas. However, it is available for free and has some heavyweight corporate backers who are contributing code. In recent years, the Xen hypervisor has become popular with small companies and industry leaders alike, with major corporations such as Rackspace, Amazon, IBM SoftLayer and Verizon using it to power their public clouds.

Xen was developed at Cambridge University and released in 2003. In 2007, its founders went on to establish XenSource, which was then purchased by Citrix in order to launch Citrix XenServer. Rather than occupy the driver's seat, Citrix ceded much of the leadership for XenServer to major players, including Amazon, Google, Yahoo, CA Technologies, Oracle and Intel, all of which have contributed to XenServer's development. Other companies such as Google, Peugeot and Yahoo use XenServer for their own internal development and administrative systems. Amazon even built a business using Xen, launching Elastic Compute Cloud in 2006.

With fewer than 150,000 lines of code, Xen has a small footprint and is fairly easy to deploy and configure, although critics point to its lack of a graphical user interface (GUI).

The lack of a simple GUI makes sense when you consider that Xen is a basic hypervisor with just a set of application programming interfaces and no console. To start Xen you must install at least one VM, called Domain-0, using whichever OS you choose. Xen runs on a number of OSes, including Debian, Ubuntu, NetBSD, FreeBSD, Solaris and Windows.

Once you have an OS running on top of Xen, use either Xen's command-line tool or a third-party command-line tool to create other VMs, called "Domain(s)-U." Those can be different flavors of Linux, Solaris or Windows, or cloud operating systems like OpenStack and CloudStack.

Paravirtualization vs. hardware-assisted virtualization

Xen has no networking or storage functions. Instead, Xen either operates in paravirtualization (PV) mode or uses a central processing unit that supports Intel Virtualization Technology or the equivalent from Advanced Micro Devices to create a hardware-assisted virtual machine (HVM). With PV, a modified guest OS is aware that it is running in a virtual environment and, as such, can communicate with the host OS directly. PV differs from VMware or Hyper-V in this respect, because guest OSes under those hypervisors are not allowed to communicate with host hardware directly.

How does this work? Microsoft does not provide a modified version of Windows to run atop Xen, so Windows runs in HVM mode only. In order to take advantage of paravirtualization, Citrix and other open source projects have developed storage, bus and networking paravirtual drivers for Windows.

Linux OSes support paravirtualization directly. Oracle's hypervisor, Oracle VM Server, is built on Xen and provides paravirtualization support for Oracle Solaris deployed as an HVM.

Xen hypervisor security

Security is a key component of Xen. Its authors claim that Xen's kernel is so small that it is less exposed to attack. The Xen Security Modules include code written by the NSA and others. The NSA-sponsored Flux Advanced Security Kernel project is similar to Security-Enhanced Linux in that it lays down rules that prevent VMs from tampering with or accessing each other's memory and devices, and adds additional auditing tools and policies. For those who want to go even further with security, Invisible Things Labs built its own security-focused variant on top of Xen, called Qubes OS.

The management layer

One of the major complaints critics level against the Xen hypervisor is that it lacks a cohesive management layer. Since there is no dominant management tool, it is unclear which tool users should use. Xen also provides a link to Red Hat's virt-manager on its homepage, but this hasn't been updated to support anything beyond Windows Server 2008 or Windows 7, largely because Red Hat has its own hypervisor, the Kernel-based Virtual Machine hypervisor.

The majority of Xen management tools, such as virt-builder, xen-tools and virt-manager, were written by third parties; the only management tool native to Xen is the xl command-line tool. These tools are all more geared toward Debian than Windows, as evidenced by the prebuilt Debian images on the Xen website's Resources page.
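To make the PV-versus-HVM distinction and the xl tool concrete, here is an added example (not from the article or the Xen project) that writes an xl guest configuration for each mode and sanity-checks it before `xl create`. It assumes Xen 4.10 or later (the `type =` key), the Flask/XSM policy loaded on Domain-0, an LVM volume group `vg0` and a bridge `xenbr0`; every name and path is a placeholder.

```shell
#!/bin/sh
# Added example: xl configs for a PV guest and an HVM guest, plus a
# pre-flight check. Paths, volume names and the bridge are placeholders.

# Paravirtualized Linux guest: the kernel is Xen-aware, so Xen boots it
# directly with no emulated BIOS or device model involved.
write_pv_cfg() {
  cat > "$1" <<'EOF'
name     = "pv-linux"
type     = "pv"
memory   = 1024
vcpus    = 2
kernel   = "/boot/vmlinuz-guest"
ramdisk  = "/boot/initrd-guest.img"
extra    = "root=/dev/xvda ro console=hvc0"
disk     = [ 'phy:/dev/vg0/pv-linux,xvda,w' ]
vif      = [ 'bridge=xenbr0' ]
# XSM/Flask label from the default policy: confines the guest as an
# ordinary domU so it cannot reach other domains' memory or devices.
seclabel = "system_u:system_r:domU_t"
EOF
}

# Hardware-assisted guest (e.g. unmodified Windows): runs via Intel VT-x /
# AMD-V, boots from the emulated disk, and may load PV drivers later.
write_hvm_cfg() {
  cat > "$1" <<'EOF'
name     = "hvm-windows"
type     = "hvm"
memory   = 4096
vcpus    = 2
boot     = "c"
disk     = [ 'phy:/dev/vg0/hvm-windows,hda,w' ]
vif      = [ 'bridge=xenbr0' ]
viridian = 1
seclabel = "system_u:system_r:domU_t"
EOF
}

# Pre-flight check: a PV guest needs a kernel (or bootloader) to boot, an
# HVM guest needs a boot device, and every guest here must carry an XSM
# label. Returns 0 when the config is consistent, 1 otherwise.
validate_cfg() {
  f="$1"
  grep -q '^seclabel' "$f" || return 1
  if grep -q '^type *= *"pv"' "$f"; then
    grep -Eq '^(kernel|bootloader)' "$f"
  elif grep -q '^type *= *"hvm"' "$f"; then
    grep -q '^boot' "$f"
  else
    return 1
  fi
}
```

After `validate_cfg` passes, `xl create -c pv-linux.cfg` boots the guest and attaches its console; `xl list -Z` shows the XSM label each running domain received.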

Now that we've explored the Xen hypervisor in-depth, what's our takeaway? There's a good reason large corporations like Amazon, IBM and Rackspace have chosen to use the Xen hypervisor for their businesses, and it's likely more than just the desire to avoid paying up for VMware or Microsoft.

The concept of paravirtualization is an intriguing one, as allowing a VM to go directly to the hardware boosts performance without sacrificing security. Xen has also acknowledged concerns regarding its management layer, has made adjustments accordingly, and has debuted a slew of new management tools within the past few years. With benefits like these, it's hard to argue against the efficiency of the Xen hypervisor -- so ignore naysayers and stop paying for your hypervisor.
