Lonely
Definition
Signature
lonely(s : set<VM>)
s: a non-empty set of VMs for a meaningful constraint. VMs not in the Running state are ignored.
The lonely constraint forces all the running VMs in s to be running on dedicated servers.
Each of the used servers can still host multiple VMs but they have to be in s.
Classification
- Primary users: application administrator
- Manipulated elements: VM placement
- Concerns: VM-to-VM placement, Partitioning
Usage
The lonely constraint serves isolation purposes. Hypervisors are supposed to provide strong isolation between the VMs. However, various attacks, such as those based on VM escaping [50], break this isolation and give a malicious VM illegitimate access to the hypervisor or to the other VMs.
An application administrator may then want to prevent this situation by requiring that its VMs be hosted on servers that do not host unknown, potentially malicious VMs. A lonely constraint can then be used to indicate the VMs that must be running on dedicated servers.
Example
Figure 6 depicts a sample reconfiguration between a source and a destination configuration. In this example, the following lonely constraints were considered:
N1: VM1 VM2
N2: VM3
N3: VM4
N4: VM6
N5: VM5

N1: VM1
N2: VM3
N3: VM2 VM4
N4: VM6 VM5
N5:
Figure 6: A reconfiguration motivated by lonely constraints.
- lonely({VM1,VM3}). This constraint was not satisfied in the source configuration, as VM2 was colocated with VM1 although VM2 does not belong to the VMs given as parameter. This violation was fixed by relocating VM2 to N3.
- lonely({VM2, VM4}). This constraint was not satisfied in the source configuration. It was fixed by colocating VM2 with VM4 on N3.
- lonely({VM5, VM6}). This constraint was satisfied in the source configuration. The constraint is still satisfied in the destination configuration despite the relocation of VM5 to N4, which is allowed by the constraint.
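The check behind the three constraints above, as an added example that is not part of the original page or of the project's own code: a server violates lonely(s) when it runs a VM of s next to a VM outside s. The function names and the dictionary model of a configuration are assumptions made for this example; the placements are those of Figure 6.

```python
"""Added example: audit a placement against lonely(s). Not BtrPlace code."""

# Assumed model: a configuration maps each server to the VMs running on it.
# VMs that are not in the Running state do not appear, so they are ignored.
SOURCE = {"N1": {"VM1", "VM2"}, "N2": {"VM3"}, "N3": {"VM4"},
          "N4": {"VM6"}, "N5": {"VM5"}}
DESTINATION = {"N1": {"VM1"}, "N2": {"VM3"}, "N3": {"VM2", "VM4"},
               "N4": {"VM6", "VM5"}, "N5": set()}
CONSTRAINTS = [{"VM1", "VM3"}, {"VM2", "VM4"}, {"VM5", "VM6"}]


def lonely_violations(config, s):
    """Return {server: foreign VMs} for each server that breaks lonely(s).

    A server breaks the constraint when it runs at least one VM of s
    together with at least one VM that is not in s.
    """
    s = set(s)
    violations = {}
    for server, vms in config.items():
        members, foreign = set(vms) & s, set(vms) - s
        if members and foreign:
            violations[server] = foreign
    return violations


def report(config, constraints=CONSTRAINTS):
    """One boolean per constraint: True when the constraint is satisfied."""
    return [not lonely_violations(config, s) for s in constraints]


if __name__ == "__main__":
    for name, config in (("source", SOURCE), ("destination", DESTINATION)):
        for s in CONSTRAINTS:
            bad = lonely_violations(config, s)
            status = "satisfied" if not bad else f"violated on {sorted(bad)}"
            print(f"{name}: lonely({sorted(s)}) {status}")
```

The returned dictionary names the foreign VMs on each offending server, which is the list an administrator would review or relocate.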
See also
Reformulation(s)
Using split: lonely(vs1) ↔ split({vs1,vs1})