Denali: a brief overview

Advances in network and computing technologies have accelerated the proliferation of infrastructure such as content distribution, caching, middleware services, and network measurement testbeds. Recently, however, a number of new application domains are beginning to emerge that are not well-supported by existing technologies, such as the ability to distribute dynamically generated or active content, to rapidly deploy new and untrusted Internet services into existing infrastructure, and the ability to dynamically inject network measurement code into an existing network experimentation infrastructure. These new application domains all share several security and resource management requirements: safely executing untrusted code, scaling to a large number (100s or 1000s) of protection domains per physical host, and supporting a large degree of multiplexing of physical host resources across many concurrently active protection domains. Although there have been many sandboxing technologies proposed in the past, none of them have the combination of water-tight isolation and the ability to scale to a large number of protection domains required by these new applications.

The goal of the Denali project is to enable this wide array of new networking and distributed middleware applications by designing and implementing lightweight protection domains, technically focusing on the notion of using virtual machine monitors (VMMs). A virtual machine monitor is a software layer that runs immediately on top of the hardware/software boundary, virtualizing all names exposed by that boundary to give higher-level virtual machines the illusion of their own dedicated physical machine. Virtual machines are known to have strong isolation, and they are known to support code migration. However, existing virtual machines and guest operating systems are typically heavyweight, permitting only a small number (3-10) to concurrently execute on a single physical machine. The first research challenge posed by this project is designing and implementing mechanisms for building lightweight VMMs, virtual machines, and guest operating systems, so that 100s or 1000s can concurrently execute. An ancillary challenge implied by this is resource management across virtual machines: to fully isolate one VM from another, each VM's resource usage (e.g., CPU consumption, I/O rates, memory footprint) must be bounded by the VMM.

Once we have successfully implemented lightweight virtual machines, we intend to heavily leverage this new mechanism to explore several new research topics, as well as revisiting a few existing ones. For example, we will use virtual machines as a sandboxing mechanism enabling web servers to dynamically inject new content-generation code into content delivery networks or web caching systems. As another example, we will use VMs to enable untrusted code authors to upload new Internet services into a virtual hosting platform. As a third example, we are exploring the role of virtual machines as a resource container in cluster-of-workstations, in particular exploring the ability to dynamically alter relative resource consumption rates of virtual machines to create the effect of isolated ``virtual clusters'' within a single physical cluster.