KVM (Kernel-based Virtual Machine) is gaining traction in the enterprise as a virtualization solution that provides high performance, scalability, and cost efficiency. But misconceptions still abound about this open source hypervisor. Some falsehoods continue to be perpetuated by organizations offering competing products, and others because KVM is maturing quickly and the up-to-date, correct information is not yet widely known. Here, we tackle some of the most persistent myths about KVM - because it’s time to set the record straight.
Myth #1: KVM is a type 2 hypervisor that is hosted by the operating system, and isn’t a bare metal hypervisor.
This is a persistent myth, but the truth is that KVM actually runs directly on x86 hardware. People assume it is a type 2 hypervisor because one of the ways it is packaged is as a component of Linux: you can be running a Linux distribution and then, from the command-line shell prompt or from a graphical user interface on that Linux box, start KVM. The interface makes it look like a hosted hypervisor running on the operating system, but the virtual machine is running on the bare metal. The host operating system provides a launch mechanism for the hypervisor and then engages in a co-processing relationship with it; in a sense, the hypervisor takes over part of the machine and shares it with the Linux kernel.
On x86 hardware, KVM relies on the hardware virtualization instructions that have been in these processors for seven years. Using these instructions, the hypervisor and each of its guest virtual machines run directly on the bare metal, and most of the resource translations are performed by the hardware. This fits the traditional definition of a “Type 1,” or bare metal, hypervisor.
You can also get KVM packaged as a standalone hypervisor, just as VMware ESX is packaged, although initially KVM was not available in that form. One way of getting it packaged this way is with Red Hat Enterprise Virtualization (RHEV).
Myth #2: KVM only runs Linux workloads.
This myth is also pretty persistent, probably because KVM is so closely associated with Linux: it was developed as part of the Linux kernel and is offered by Linux distributors. A lot of people assume it runs only Linux virtual machines, but in fact KVM runs all types of workloads. It runs any workload that will run on an x86 box, including three different versions of Windows, several versions of Linux, other operating systems such as BSD and Mac OS, and even NetWare. On x86, a KVM virtual machine looks like an x86 computer. It runs Windows and Linux equally well, and it continues to get better, in some respects better than some competitors.
Myth #3: KVM is only available for x86 platforms.
This is a reasonable assumption, because when KVM was first merged upstream into Linux it was directly associated with the x86 processors from Intel and AMD. It was a couple of years before anybody started thinking about porting KVM to another platform, although it was not very long before somebody developed a para-virtual implementation for Linux that let KVM run on older hardware. Although it is commercially supported only on x86 today, there has been upstream work for other platforms, and there are the beginnings of additional platform support. KVM, like Linux itself, is perfectly capable of running on many different platforms, and someday soon we would like to see it ported to the ARM platform.
Myth #4: KVM is only available from Red Hat.
Not true. KVM was available first from Debian, and the first supported release was from Ubuntu. It is also available now from SUSE in SLES, from the Fedora Project, and from a number of other distributions. Red Hat is the leading distributor of KVM right now, but KVM will continue to be available from many sources.
Myth #5: KVM is only available as part of enterprise Linux distributions.
Again, not true. It is also available as a purpose-built standalone hypervisor with just enough packages and user space to run virtual machines, plus a restricted shell and a very restricted user interface that allow only remote management of the host running the virtual machines. The entire host image, including the kernel, is stateless and is downloaded to the host every time the host boots. That is available as RHEV-H (Red Hat Enterprise Virtualization, with H for Hypervisor). It is a very specific hypervisor-only distribution, and it doesn’t even look like Linux. That appeals to people who are not familiar with Linux as well as to people who want a locked-down hypervisor and don’t want all the extra things that come with enterprise Linux.
Myth #6: KVM is not secure.
Of course, this is a myth. KVM has all the security features that VMware has plus some more – such as mandatory access control turned on by default. In fact, Red Hat Enterprise Linux 5 with the KVM hypervisor on IBM Systems has just been awarded Common Criteria Certification at Evaluation Assurance Level 4+.
But the myth about security persists because KVM is based on Linux, and that carries a whole bunch of baggage with it. There are several reasons for this.
One is that some people think open source code is not secure because anyone can audit the code, find entry points and potential bugs, and escalate them into a security issue. However, auditing source code has an overwhelming benefit to security: when more people audit code, that code becomes more secure. When you use proprietary hypervisor technology with closed source code, you never get to review that code, so you have no idea what has been audited for security and what hasn’t. And, furthermore, anybody with a disassembler can disassemble the binary image and start looking at the assembly code for security holes.
The second reason people say it is not secure is that when KVM is packaged as part of an enterprise Linux distribution, the distribution can include additional components such as an HTTP server, more than one shell, programming languages such as Perl and Python, and almost too many tools to mention. In this case, you have to take the Linux distribution, even if it is an enterprise Linux distribution, and spend some time locking it down yourself, or get something like RHEV-H, which is a much smaller component and is locked down by default.
The bottom line is that KVM is not necessarily insecure because it is based on enterprise Linux, but you might want to remove some packages that could have issues in a Linux distribution – or simply get the RHEV-H version.
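The claims in Myth #1 (KVM runs on the processor's hardware virtualization extensions) and Myth #6 (mandatory access control is on by default) are both things an administrator can verify on a host. The script below is an added example, not code from the article or from any KVM project; it assumes a Linux host with the usual /proc and /sys interfaces, and that the mandatory access control in question is SELinux, as on Red Hat family distributions. Each check takes an optional file path so it can also be run against saved copies of those files.

```sh
#!/bin/sh
# Added example, not code from the article or from any KVM project: sanity
# checks an administrator can run on a host to confirm the two claims above.
# Each function reads a file path argument so it can also be run on saved
# copies; the defaults are the live kernel interfaces (assumed paths).

# Myth #1: KVM runs guests on the CPU's hardware virtualization extensions.
# Succeeds if the cpuinfo flags line lists Intel VT-x (vmx) or AMD-V (svm).
has_hw_virt() {
    cpuinfo="${1:-/proc/cpuinfo}"
    grep -Eq '^flags[[:space:]]*:.*[[:space:]](vmx|svm)([[:space:]]|$)' "$cpuinfo"
}

# Succeeds if the vendor-specific KVM kernel module (kvm_intel or kvm_amd)
# is loaded, i.e. the in-kernel half of the hypervisor is active.
kvm_module_loaded() {
    modules="${1:-/proc/modules}"
    grep -Eq '^kvm_(intel|amd)[[:space:]]' "$modules"
}

# Myth #6: mandatory access control on by default. On Red Hat family hosts
# that is SELinux; the enforce node reads 1 when the policy is enforcing.
selinux_enforcing() {
    enforce="${1:-/sys/fs/selinux/enforce}"
    [ -r "$enforce" ] && [ "$(cat "$enforce")" = "1" ]
}

# Prints one line per check and returns the number of failed checks, so a
# zero exit status means the host looks like the article describes.
kvm_host_report() {
    fails=0
    if has_hw_virt "$1"; then echo "hw-virt: present"
    else echo "hw-virt: MISSING (no vmx/svm flag)"; fails=$((fails + 1)); fi
    if kvm_module_loaded "$2"; then echo "kvm-module: loaded"
    else echo "kvm-module: not loaded"; fails=$((fails + 1)); fi
    if selinux_enforcing "$3"; then echo "selinux: enforcing"
    else echo "selinux: NOT enforcing"; fails=$((fails + 1)); fi
    return "$fails"
}

# Usage on a live host: sh kvm_host_check.sh --run
if [ "${1:-}" = "--run" ]; then
    kvm_host_report
fi
```

A non-enforcing SELinux result on a RHEV-H or enterprise Linux host is worth investigating, since the per-guest confinement the article credits to mandatory access control only applies while the policy is enforcing.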
Myth #7: There are no virtualization management tools available for KVM.
This was actually largely true until a year ago, but it has changed dramatically since then. From Red Hat, there is RHEV-M (Red Hat Enterprise Virtualization Management), which runs on Linux and Windows. There is also IBM Systems Director VMControl, which became available in December, IBM SmartCloud Provisioning, and a number of other tools such as xCAT (Extreme Cloud Administration Toolkit), an open source management tool developed by IBM.
For more information about KVM, access a new white paper, “KVM: The Rise of Open Enterprise-Class Virtualization,” from the Open Virtualization Alliance, an organization founded to promote awareness and adoption of KVM.
Mike Day, Distinguished Engineer and Chief Virtualization Architect, Open Systems Development, IBM