Virtualization
Overview
Virtualization allows multiple operating systems to run simultaneously on a single physical machine by abstracting the hardware layer. A hypervisor manages the allocation of physical resources (CPU, memory, storage, network) to virtual machines (VMs), each of which behaves as an independent computer with its own OS.
Cloud platforms like ETAIS and OpenStack use virtualization to provide on-demand compute resources. Understanding how cloud infrastructure maps to physical resources helps system administrators make informed decisions about deployment, performance, and security.
How It Works
Hypervisor Types
A hypervisor is the software layer that creates and manages virtual machines.
Type 1 (Bare-metal) hypervisors run directly on the physical hardware, with no host OS underneath. They are used in production environments and cloud platforms.
- Examples: VMware ESXi, KVM (used by OpenStack/ETAIS), Microsoft Hyper-V
- Better performance — no host OS overhead
- Used in data centers and cloud infrastructure
Type 2 (Hosted) hypervisors run as applications on top of a host operating system. They are used for development, testing, and learning.
- Examples: VirtualBox, VMware Workstation, Parallels
- Easier to set up on personal machines
- Higher overhead due to the host OS layer
Virtual Machine Components
A VM is allocated a set of virtual resources that map to physical hardware:
- vCPU — virtual CPU cores allocated from the host's physical CPUs
- RAM — a portion of the host's physical memory
- Storage — virtual disks backed by physical storage (often network-attached in cloud environments)
- Network interface — virtual NICs connected to virtual switches/networks
Cloud platforms define flavors (or instance types) that bundle these resources into predefined configurations (e.g., g4.r8c4 = 4 cores, 8 GB RAM).
Cloud Networking
In a cloud environment, VMs are connected through virtual networking that mimics physical network infrastructure.
Internal (Private) Network
Each project gets a private network with its own address space (e.g., 192.168.42.0/24). VMs on this network communicate with each other directly. A virtual router provides outbound internet access via Source NAT (SNAT) — outgoing traffic appears to come from the router's external IP.
With only an internal IP, a VM can:
- Initiate connections to the internet (and receive responses)
- Communicate with other VMs in the same private network
But it cannot be reached from outside (no inbound connections).
External (Floating) IP
An external IP (or floating IP) is assigned from a routable address pool and attached to a VM, making it directly reachable from outside the private network. With an external IP:
- The virtual router becomes "invisible" for that VM: its traffic uses the floating IP rather than the router's shared external address
- The VM is accessible from the broader network (e.g., university VPN/Eduroam)
- Both inbound and outbound connections work
Security Groups
Security groups act as a cloud-level firewall controlling which traffic can reach VMs. They are configured through the cloud provider's interface and operate independently of the host firewall. Every port that a service needs must be opened both in the security group and in the host firewall; a rule in only one of them leaves the port blocked.
See Firewalls for details on the relationship between security groups and host firewalls.
Snapshots and Backups
Cloud platforms allow snapshots — saving the complete state of a VM's disk at a point in time. Snapshots enable:
- Rolling back after a failed configuration change
- Creating a baseline before risky operations
- Quick disaster recovery
However, snapshots are not a substitute for proper backups or configuration management (Ansible). They consume storage and become stale quickly.
Key Terminology
- Hypervisor: Software that creates and manages virtual machines by abstracting physical hardware.
- VM (Virtual Machine): An emulated computer system that runs its own operating system and applications, isolated from other VMs on the same host.
- Flavor / Instance Type: A predefined combination of vCPU, RAM, and storage that defines a VM's capacity.
- Floating IP: An external IP address that can be attached to a VM to make it reachable from outside the private network.
- Source NAT (SNAT): Network address translation where outgoing traffic from a private IP is rewritten to use the router's public IP. Allows outbound access without a public IP.
- VPN (Virtual Private Network): Extends a private network across a public network, allowing remote users to access resources as if directly connected.
- Snapshot: A point-in-time copy of a VM's disk state, used for backup and recovery.
Why It Matters
As a system administrator, you will:
- Provision and manage VMs in cloud environments
- Choose appropriate VM sizes (flavors) based on workload requirements
- Configure virtual networking (internal/external IPs, security groups)
- Use snapshots strategically before risky changes
- Understand the networking topology to debug connectivity issues
- Manage SSH key pairs for secure VM access (the primary authentication method in cloud VMs)
Common Pitfalls
- Losing SSH keys — cloud VMs typically only accept key-based authentication set at creation time. Losing the private key means losing access (and needing to recreate the VM).
- Forgetting security groups — a new service won't be reachable if its port isn't opened in both the cloud security group and the host firewall.
- Not setting a root password — without a root password, the cloud provider's web console is useless for emergency access.
- Over-relying on snapshots — snapshots are not a replacement for configuration management. Use Ansible to make your setup reproducible.
- Confusing internal and external IPs — services bound to localhost or the internal IP won't be reachable from outside. Services must listen on the correct interface.
- Running out of resources — cloud quotas limit how many vCPUs, how much RAM, and how much storage you can use. Monitor usage to avoid hitting limits.
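The layered check behind the Security Groups section and the "forgetting security groups" and "confusing internal and external IPs" pitfalls, as an added example that is not part of the original page: a port is only reachable from outside when the service listens on a non-loopback address, the host firewall allows it, and the security group allows it. The `ss` output, the host-firewall allow list and the security-group rules are constructed samples; the rule field names are modelled on `openstack security group rule list -f json` and are an assumption, not captured output.

```python
import json
# Constructed sample in the shape of `ss -ltn` output (not captured from a real VM).
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
LISTEN 0      511    127.0.0.1:8080       0.0.0.0:*
LISTEN 0      128    0.0.0.0:9000         0.0.0.0:*
"""
HOST_FW_ALLOWED = {22, 8080, 9000}  # constructed host-firewall allow list (ports opened e.g. via ufw)
# Constructed security-group rules; field names modelled on `openstack security group rule list -f json`.
SG_RULES_JSON = json.dumps([
    {"Direction": "ingress", "IP Protocol": "tcp", "Port Range": "22:22"},
    {"Direction": "ingress", "IP Protocol": "tcp", "Port Range": "80:80"},
    {"Direction": "egress", "IP Protocol": None, "Port Range": ""},
])


def parse_listeners(ss_text):
    """Map each listening TCP port to its bind address from `ss -ltn` style text."""
    listeners = {}
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN":
            addr, _, port = cols[3].rpartition(":")
            listeners[int(port)] = addr
    return listeners


def sg_allowed_ports(rules_json):
    """TCP ports permitted by the security group's ingress rules."""
    allowed = set()
    for rule in json.loads(rules_json):
        if rule["Direction"] != "ingress" or rule["IP Protocol"] not in ("tcp", None):
            continue
        if not rule["Port Range"]:  # an empty range means every port is open
            return set(range(1, 65536))
        lo, hi = (int(p) for p in rule["Port Range"].split(":"))
        allowed.update(range(lo, hi + 1))
    return allowed


def externally_reachable(port, listeners, host_fw, rules_json):
    """Return (reachable, reason); the service, host firewall and security group must all agree."""
    addr = listeners.get(port)
    if addr is None:
        return False, "nothing listening"
    if addr.startswith("127.") or addr in ("[::1]", "::1"):
        return False, "bound to localhost only"
    if port not in host_fw:
        return False, "blocked by host firewall"
    if port not in sg_allowed_ports(rules_json):
        return False, "blocked by security group"
    return True, "reachable"
```

Run `externally_reachable(port, parse_listeners(SS_OUTPUT), HOST_FW_ALLOWED, SG_RULES_JSON)` for each listening port to see which layer is missing the rule.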
Further Reading
Related Documentation
- Concepts: Networking Models, Containers
- SOPs: Networking