Glossary of terms
The glossary of computer and technology terms.
OpenStack is a free and open-source software platform for cloud computing, mostly deployed as infrastructure-as-a-service (IaaS), whereby virtual servers and other resources are made available to customers. The software platform consists of interrelated components that control diverse, multi-vendor hardware pools of processing, storage, and networking resources throughout a data center. Users either manage it through a web-based dashboard, through command-line tools, or through RESTful web services.
OpenStack began in 2010 as a joint project of Rackspace Hosting and NASA. As of 2016, it is managed by the OpenStack Foundation, a non-profit corporate entity established in September 2012 to promote OpenStack software and its community. More than 500 companies have joined the project.
In July 2010, Rackspace Hosting and NASA jointly launched an open-source cloud-software initiative known as OpenStack. The OpenStack project intended to help organizations offer cloud-computing services running on standard hardware. The community’s first official release, code-named Austin, appeared three months later on October 21, 2010, with plans to release regular updates of the software every few months. The early code came from NASA’s Nebula platform as well as from Rackspace’s Cloud Files platform.
In 2011, developers of the Ubuntu Linux distribution adopted OpenStack with an unsupported technology preview of the OpenStack “Bexar” release for Ubuntu 11.04 “Natty Narwhal”. Ubuntu’s sponsor Canonical then introduced full support for OpenStack clouds, starting with OpenStack’s Cactus release.
OpenStack became available in Debian Sid from the OpenStack “Cactus” release in 2011, and the first release of Debian including OpenStack was Debian 7.0 (code name “Wheezy”), including OpenStack 2012.1 (code name: “Essex”).
In October 2011, SUSE announced the public preview of the industry’s first fully configured OpenStack powered appliance based on the “Diablo” OpenStack release. In August 2012, SUSE announced its commercially supported enterprise OpenStack distribution based on the “Essex” release.
In 2012, Red Hat announced a preview of their OpenStack distribution, beginning with the “Essex” release. After another preview release, Red Hat introduced commercial support for OpenStack with the “Grizzly” release, in July 2013.
In July 2013, NASA released an internal audit citing lack of technical progress and other factors as the agency’s primary reason for dropping out as an active developer of the project and instead focusing on the use of public clouds. This report is contradicted in part by remarks made by Ames Research Center CIO Ray O'Brien.
In December 2013, Oracle announced it had joined OpenStack as a Sponsor and planned to bring OpenStack to Oracle Solaris, Oracle Linux, and many of its products. It followed by announcing Oracle OpenStack distributions for Oracle Solaris and for Oracle Linux using Icehouse on 24 September 2014.
At the 2014 Interop and Tech Field Day, software-defined networking was demonstrated by Avaya using Shortest path bridging and OpenStack as an automated campus, extending automation from the data center to the end device, removing manual provisioning from service delivery.
The OpenStack community collaborates around a six-month, time-based release cycle with frequent development milestones. During the planning phase of each release, the community gathers for an OpenStack Design Summit to facilitate developer working sessions and to assemble plans.
Recent OpenStack Summits have taken place in Austin on 25–29 April 2016, and Barcelona on 25–28 October 2016. Earlier OpenStack Summits have taken place also in Tokyo in October 2015, Vancouver in May 2015, and Paris in November 2014. The summit in May 2014 in Atlanta drew 4,500 attendees — a 50% increase from the Hong Kong summit six months earlier.
OpenStack has a modular architecture with various code names for its components.
Compute (Nova)
OpenStack Compute (Nova) is a cloud computing fabric controller, which is the main part of an IaaS system. It is designed to manage and automate pools of computer resources and can work with widely available virtualization technologies, as well as bare metal and high-performance computing (HPC) configurations. KVM, VMware, and Xen are available choices for hypervisor technology (virtual machine monitor), together with Hyper-V and Linux container technology such as LXC.
It is written in Python and uses many external libraries such as Eventlet (for concurrent programming), Kombu (for AMQP communication), and SQLAlchemy (for database access). Compute’s architecture is designed to scale horizontally on standard hardware with no proprietary hardware or software requirements and provide the ability to integrate with legacy systems and third-party technologies.
Due to its widespread integration into enterprise-level infrastructures, monitoring OpenStack performance in general, and Nova performance in particular, at scale has become an increasingly important issue. Monitoring end-to-end performance requires tracking metrics from Nova, Keystone, Neutron, Cinder, Swift and other services, in addition to monitoring RabbitMQ which is used by OpenStack services for message passing.
Networking (Neutron)
OpenStack Networking (Neutron) is a system for managing networks and IP addresses. OpenStack Networking ensures the network is not a bottleneck or limiting factor in a cloud deployment, and gives users self-service ability, even over network configurations.
OpenStack Networking provides networking models for different applications or user groups. Standard models include flat networks or VLANs that separate servers and traffic. OpenStack Networking manages IP addresses, allowing for dedicated static IP addresses or DHCP. Floating IP addresses let traffic be dynamically rerouted to any resources in the IT infrastructure, so users can redirect traffic during maintenance or in case of a failure.
Users can create their own networks, control traffic, and connect servers and devices to one or more networks. Administrators can use software-defined networking (SDN) technologies like OpenFlow to support high levels of multi-tenancy and massive scale. OpenStack networking provides an extension framework that can deploy and manage additional network services—such as intrusion detection systems (IDS), load balancing, firewalls, and virtual private networks (VPN).
Block storage (Cinder)
OpenStack Block Storage (Cinder) provides persistent block-level storage devices for use with OpenStack compute instances. The block storage system manages the creation, attaching and detaching of the block devices to servers. Block storage volumes are fully integrated into OpenStack Compute and the Dashboard allowing for cloud users to manage their own storage needs. In addition to local Linux server storage, it can use storage platforms including Ceph, CloudByte, Coraid, EMC (ScaleIO, VMAX, VNX and XtremIO), GlusterFS, Hitachi Data Systems, IBM Storage (IBM DS8000, Storwize family, SAN Volume Controller, XIV Storage System, and GPFS), Linux LIO, NetApp, Nexenta, Nimble Storage, Scality, SolidFire, HP (StoreVirtual and 3PAR StoreServ families) and Pure Storage. Block storage is appropriate for performance sensitive scenarios such as database storage, expandable file systems, or providing a server with access to raw block level storage. Snapshot management provides powerful functionality for backing up data stored on block storage volumes. Snapshots can be restored or used to create a new block storage volume.
Identity (Keystone)
OpenStack Identity (Keystone) provides a central directory of users mapped to the OpenStack services they can access. It acts as a common authentication system across the cloud operating system and can integrate with existing backend directory services like LDAP. It supports multiple forms of authentication including standard username and password credentials, token-based systems and AWS (Amazon Web Services)-style logins. Additionally, the catalog provides a queryable list of all of the services deployed in an OpenStack cloud in a single registry. Users and third-party tools can programmatically determine which resources they can access.
Image (Glance)
OpenStack Image (Glance) provides discovery, registration, and delivery services for disk and server images. Stored images can be used as a template. It can also be used to store and catalog an unlimited number of backups. The Image Service can store disk and server images in a variety of back-ends, including Swift. The Image Service API provides a standard REST interface for querying information about disk images and lets clients stream the images to new servers.
Glance adds many enhancements to existing legacy infrastructures. For example, if integrated with VMware, Glance introduces advanced features to the vSphere family such as vMotion, high availability and dynamic resource scheduling (DRS). vMotion is the live migration of a running VM, from one physical server to another, without service interruption. Thus, it enables a dynamic and automated self-optimizing datacenter, allowing hardware maintenance for the underperforming servers without downtimes.
Other OpenStack modules that need to interact with images, for example Heat, must communicate with the image metadata through Glance. Also, Nova can present information about the images, and configure a variation on an image to produce an instance. However, Glance is the only module that can add, delete, share, or duplicate images.
Object storage (Swift)
OpenStack Object Storage (Swift) is a scalable redundant storage system. Objects and files are written to multiple disk drives spread throughout servers in the data center, with the OpenStack software responsible for ensuring data replication and integrity across the cluster. Storage clusters scale horizontally simply by adding new servers. Should a server or hard drive fail, OpenStack replicates its content from other active nodes to new locations in the cluster. Because OpenStack uses software logic to ensure data replication and distribution across different devices, inexpensive commodity hard drives and servers can be used.
In August 2009, Rackspace started the development of the precursor to OpenStack Object Storage, as a complete replacement for the Cloud Files product. The initial development team consisted of nine developers. SwiftStack, an object storage software company, is currently the leading developer for Swift with significant contributions from HP, Red Hat, NTT, NEC, IBM and more.
Dashboard (Horizon)
OpenStack Dashboard (Horizon) provides administrators and users with a graphical interface to access, provision, and automate deployment of cloud-based resources. The design accommodates third party products and services, such as billing, monitoring, and additional management tools. The dashboard is also brand-able for service providers and other commercial vendors who want to make use of it. The dashboard is one of several ways users can interact with OpenStack resources. Developers can automate access or build tools to manage resources using the native OpenStack API or the EC2 compatibility API.
Orchestration (Heat)
Heat is a service to orchestrate multiple composite cloud applications using templates, through both an OpenStack-native REST API and a CloudFormation-compatible Query API.
Workflow (Mistral)
Mistral is a service that manages workflows. A user typically writes a workflow in a YAML-based workflow language and uploads the workflow definition to Mistral via its REST API. The user can then start the workflow manually via the same API or configure a trigger that starts the workflow on some event.
Telemetry (Ceilometer)
OpenStack Telemetry (Ceilometer) provides a Single Point Of Contact for billing systems, providing all the counters they need to establish customer billing, across all current and future OpenStack components. The delivery of counters is traceable and auditable, the counters must be easily extensible to support new projects, and agents doing data collection should be independent of the overall system.
Elastic map reduce (Sahara)
Sahara is a component to easily and rapidly provision Hadoop clusters. Users will specify several parameters like the Hadoop version number, the cluster topology type, node flavor details (defining disk space, CPU and RAM settings), and others. After a user provides all of the parameters, Sahara deploys the cluster in a few minutes. Sahara also provides means to scale a preexisting Hadoop cluster by adding and removing worker nodes on demand.
Bare metal (Ironic)
Ironic is an OpenStack project that provisions bare metal machines instead of virtual machines. It was initially forked from the Nova Baremetal driver and has evolved into a separate project. It is best thought of as a bare-metal hypervisor API and a set of plugins that interact with the bare-metal hypervisors. By default, it will use PXE and IPMI in concert to provision and turn on and off machines, but Ironic supports and can be extended with vendor-specific plugins to implement additional functionality.
Messaging (Zaqar)
Zaqar is a multi-tenant cloud messaging service for Web developers. The service features a fully RESTful API, which developers can use to send messages between various components of their SaaS and mobile applications by using a variety of communication patterns. Underlying this API is an efficient messaging engine designed with scalability and security in mind. Other OpenStack components can integrate with Zaqar to surface events to end users and to communicate with guest agents that run in the “over-cloud” layer.
Shared file system (Manila)
OpenStack Shared File System (Manila) provides an open API to manage shares in a vendor-agnostic framework. Standard primitives include the ability to create, delete, and give/deny access to a share, and can be used standalone or in a variety of different network environments. Commercial storage appliances from EMC, NetApp, HP, IBM, Oracle, Quobyte, and Hitachi Data Systems are supported, as well as filesystem technologies such as Red Hat GlusterFS or Ceph.
DNS (Designate)
Designate is a multi-tenant REST API for managing DNS. This component provides DNS as a Service and is compatible with many backend technologies, including PowerDNS and BIND. It does not provide a DNS service as such; its purpose is to interface with existing DNS servers to manage DNS zones on a per-tenant basis.
Search (Searchlight)
Searchlight provides advanced and consistent search capabilities across various OpenStack cloud services. It accomplishes this by offloading user search queries from other OpenStack API servers by indexing their data into ElasticSearch. Searchlight is being integrated into Horizon and also provides a command-line interface.
Key manager (Barbican)
Barbican is a REST API designed for the secure storage, provisioning and management of secrets. It is aimed at being useful for all environments, including large ephemeral Clouds.
Historical names
Several OpenStack projects changed names due to trademark issues.
- Neutron was formerly known as Quantum.
- Sahara used to be called Savanna.
- Designate was previously known as Moniker.
- Trove was formerly known as RedDwarf.
- Zaqar was formerly known as Marconi.
Compatibility with other cloud APIs
OpenStack does not strive for compatibility with other clouds APIs. However, there is some amount of compatibility driven by various members of the OpenStack community for whom such things are important.
- The EC2 API project aims to provide compatibility with Amazon EC2
- The GCE API project aims to provide compatibility with Google Compute Engine
OpenStack is governed by a non-profit foundation and its board of directors, a technical committee, and a user committee. The board of directors is made up of eight members from the eight platinum sponsors, eight members from the Gold sponsors (of which at most 24 are allowed), and eight members elected by the Foundation’s individual members.
OpenStack has a wide variety of users, from a number of different sectors. Notable users include:
- AT&T – joined OpenStack in January 2012
- Beebop Cloud
- Betfair (now Paddy Power Betfair) has a private cloud, named “i2”, which will support its entire production stack.
- Bhabha Atomic Research Centre has a private cloud to cater to in-house employees’ requirements.
- Deutsche Telekom has created a “Business Marketplace”, whose functionality is based on OpenStack and Open Telekom Cloud operated by T-Systems
- DreamHost – offers public cloud computing.
- GloboTech Communications
- HP Converged Cloud, which combines software and cloud services into a unified set of packages and under a single unified architecture.
- KT (formerly Korea Telecom) – for object storage only
- Memset Hosting
- MercadoLibre.com – MercadoLibre has over 6,000 VMs managed by OpenStack
- Nokia Networks
- OVH has created a “Public Cloud” offer, based on OpenStack, and is also supporting the OpenStack Foundation, as an Infrastructure donor
- Rackspace Cloud
- Snapdeal – India’s largest online marketplace
- Sony – online games for PlayStation 4
- Spil Games
- SUSE Cloud solution. See SUSE Cloud product description.
- Telefonica has created an International Hyperscalar Platform (Open Cloud), whose functionality is based on OpenStack
- Wikimedia Labs
Deployment models
As the OpenStack project has matured, vendors have pioneered multiple ways for customers to deploy OpenStack:
- OpenStack-based Public Cloud: A vendor provides a public cloud computing system based on the OpenStack project.
- On-premises distribution: In this model, a customer downloads and installs an OpenStack distribution within their internal network. See Distributions.
- Hosted OpenStack Private Cloud: A vendor hosts an OpenStack-based private cloud: including the underlying hardware and the OpenStack software.
- OpenStack-as-a-Service: A vendor hosts OpenStack management software (without any hardware) as a service. Customers sign up for the service and pair it with their internal servers, storage and networks to get a fully operational private cloud.
- Appliance based OpenStack: Nebula was a vendor that sold appliances that could be plugged into a network which spawned an OpenStack deployment.
Distributions
- Bright Computing
- Canonical (Ubuntu)
- Oracle OpenStack for Oracle Linux, or O3L
- Oracle OpenStack for Oracle Solaris
- Red Hat
- VMware Integrated OpenStack (VIO)
What is a hypervisor
What is a hypervisor, and what types of hypervisors are there?
If you know what a private cloud is and you know the infrastructure of it, you’ve probably heard about hypervisor.
It is the part of the private cloud that manages the virtual machines, i.e. the program that enables multiple operating systems to share the same hardware. Each operating system could use all the hardware (processor, memory) if no other operating system is running; that is the maximum hardware available to one operating system in the cloud.
Nevertheless, the hypervisor is what controls and allocates the portion of hardware resources each operating system gets, so that every one of them receives what it needs without disrupting the others.
Virtualization is changing the mindset from physical to logical.
What virtualization means is creating more logical IT resources, called virtual systems, within one physical system. That’s called system virtualization. It most commonly uses the hypervisor for managing the resources for every virtual system. The hypervisor is a software that can virtualize the hardware resources.
Image Source: www.ibm.com
There are two types of hypervisors:
- Type 1 hypervisor: hypervisors run directly on the system hardware – a “bare metal” embedded hypervisor.
- Type 2 hypervisor: hypervisors run on a host operating system that provides virtualization services, such as I/O device support and memory management.
Image Source: www.ibm.com
Type 1 hypervisors:
1. VMware ESX and ESXi
These hypervisors offer advanced features and scalability, but require licensing, so the costs are higher.
There are some lower-cost bundles that VMware offers and they can make hypervisor technology more affordable for small infrastructures.
VMware is the leader among Type-1 hypervisors. Their vSphere/ESXi product is available in a free edition and 5 commercial editions.
2. Microsoft Hyper-V
The Microsoft hypervisor, Hyper-V doesn’t offer many of the advanced features that VMware’s products provide.
However, alongside XenServer and vSphere, Hyper-V is one of the top 3 Type-1 hypervisors.
It was first released with Windows Server, but Hyper-V has since been greatly enhanced in Windows Server 2012 Hyper-V. Hyper-V is available in both a free edition (with no GUI and no virtualization rights) and 4 commercial editions – Foundations (OEM only), Essentials, Standard, and Datacenter.
3. Citrix XenServer
It began as an open source project.
The core hypervisor technology is free, but like VMware’s free ESXi, it has almost no advanced features.
Xen is a type-1 bare-metal hypervisor. Just as Red Hat Enterprise Virtualization uses KVM, Citrix uses Xen in the commercial XenServer.
Today, the Xen open source projects and community are at Xen.org, and XenServer is a commercial type-1 hypervisor solution from Citrix, offered in 4 editions. Confusingly, Citrix has also branded its other proprietary solutions, such as XenApp and XenDesktop, with the Xen name.
4. Oracle VM
The Oracle hypervisor is based on the open source Xen.
However, if you need hypervisor support and product updates, it will cost you.
Oracle VM lacks many of the advanced features found in other bare-metal virtualization hypervisors.
Type 2 hypervisors:
1. VMware Workstation/Fusion/Player
VMware Player is a free virtualization hypervisor.
It is intended to run only one virtual machine (VM) and does not allow creating VMs.
VMware Workstation is a more robust hypervisor with some advanced features, such as record-and-replay and VM snapshot support.
VMware Workstation has three major use cases:
- for running multiple different operating systems or versions of one OS on one desktop,
- for developers that need sandbox environments and snapshots, or
- for labs and demonstration purposes.
2. VMware Server
VMware Server is a free, hosted virtualization hypervisor that is very similar to VMware Workstation.
VMware has halted development on Server since 2009.
3. Microsoft Virtual PC
Windows Virtual PC is the latest Microsoft version of this hypervisor technology; it runs only on Windows 7 and supports only Windows guest operating systems.
4. Oracle VM VirtualBox
VirtualBox hypervisor technology provides reasonable performance and features if you want to virtualize on a budget. Despite being a free, hosted product with a very small footprint, VirtualBox shares many features with VMware vSphere and Microsoft Hyper-V.
5. Red Hat Enterprise Virtualization
Red Hat’s Kernel-based Virtual Machine (KVM) has qualities of both a hosted and a bare-metal virtualization hypervisor. It can turn the Linux kernel itself into a hypervisor so the VMs have direct access to the physical hardware.
This is a virtualization infrastructure for the Linux kernel. It supports native virtualization on processors with hardware virtualization extensions.
The open-source KVM (or Kernel-based Virtual Machine) is a Linux-based type-1 hypervisor that can be added to most Linux operating systems, including Ubuntu, Debian, SUSE, and Red Hat Enterprise Linux, as well as Solaris and Windows.
We use KVM in VapourApps Private Cloud:
- Virtualization engine – OpenStack on KVM
- Predefined virtual servers based on Debian
- Orchestration and management web dashboard, a customized Horizon dashboard.
The tenant owner or the IT administrator can manage their virtual servers, users and groups, and monitor the status of the applications in use from a single dashboard.
D.E.P. or Data Execution Prevention (DEP)
A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows Server 2003
Data Execution Prevention (DEP) is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. In Microsoft Windows XP Service Pack 2 (SP2) and Microsoft Windows XP Tablet PC Edition 2005, DEP is enforced by hardware and by software.
The primary benefit of DEP is to help prevent code execution from data pages. Typically, code is not executed from the default heap and the stack. Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. Software-enforced DEP can help prevent malicious code from taking advantage of exception-handling mechanisms in Windows.
Hardware-enforced DEP marks all memory locations in a process as non-executable unless the location explicitly contains executable code. A class of attacks exists that tries to insert and run code from non-executable memory locations. DEP helps prevent these attacks by intercepting them and raising an exception.
Hardware-enforced DEP relies on processor hardware to mark memory with an attribute that indicates that code should not be executed from that memory. DEP functions on a per-virtual memory page basis, and DEP typically changes a bit in the page table entry (PTE) to mark the memory page.
Processor architecture determines how DEP is implemented in hardware and how DEP marks the virtual memory page. However, processors that support hardware-enforced DEP can raise an exception when code is executed from a page that is marked with the appropriate attribute set.
Advanced Micro Devices (AMD) and Intel have defined and shipped Windows-compatible architectures that are compatible with DEP.
Beginning with Windows XP SP2, the 32-bit version of Windows uses one of the following:
- The no-execute page-protection (NX) processor feature as defined by AMD.
- The Execute Disable Bit (XD) feature as defined by Intel.
To use these processor features, the processor must be running in Physical Address Extension (PAE) mode. However, Windows will automatically enable PAE mode to support DEP. Users do not have to separately enable PAE by using the /PAE boot switch.
Note: Because 64-bit kernels are Address Windowing Extensions (AWE) aware, there is no separate PAE kernel in 64-bit versions of Windows.
For more information about PAE and AWE in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:
283037 Large memory support is available in Windows Server 2003 and in Windows 2000
An additional set of Data Execution Prevention security checks have been added to Windows XP SP2. These checks, known as software-enforced DEP, are designed to block malicious code that takes advantage of exception-handling mechanisms in Windows. Software-enforced DEP runs on any processor that can run Windows XP SP2. By default, software-enforced DEP helps protect only limited system binaries, regardless of the hardware-enforced DEP capabilities of the processor.
The primary benefit of DEP is that it helps prevent code execution from data pages, such as the default heap pages, various stack pages, and memory pool pages. Typically, code is not executed from the default heap and the stack. Hardware-enforced DEP detects code that is running from these locations and raises an exception when execution occurs. If the exception is unhandled, the process will be stopped. Execution of code from protected memory in kernel mode causes a Stop error.
DEP can help block a class of security intrusions. Specifically, DEP can help block a malicious program in which a virus or other type of attack has injected a process with additional code and then tries to run the injected code. On a system with DEP, execution of the injected code causes an exception. Software-enforced DEP can help block programs that take advantage of exception-handling mechanisms in Windows.
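The hardware check described above, as an added example that is not from the Microsoft article: it uses Linux mmap()/mprotect() in place of the Windows page-table attribute, writes a single return instruction into a read/write page, and shows that jumping to it faults until the page is marked executable. It assumes x86-64 or AArch64 Linux with NX/XD enabled.

```c
/* Added example (not from the Microsoft article): the hardware no-execute
 * check that hardware-enforced DEP relies on, shown with the Linux
 * equivalents mmap()/mprotect() of the page-table attribute the article
 * describes. A read/write "data page" receives one `ret` instruction; jumping
 * to it faults (SIGSEGV) under NX/XD. Once mprotect() marks the page
 * executable, the same bytes run. Assumes x86-64 or AArch64 Linux. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;

/* SIGSEGV handler: unwind to sigsetjmp(). siglongjmp() also restores the
 * signal mask that sigsetjmp(env, 1) saved, so SIGSEGV is unblocked again. */
static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* One `ret` instruction for the host architecture. */
static const unsigned char ret_code[] =
#if defined(__x86_64__) || defined(__i386__)
    { 0xC3 };
#elif defined(__aarch64__)
    { 0xC0, 0x03, 0x5F, 0xD6 };   /* little-endian encoding of ret */
#else
#error "unsupported architecture for this example"
#endif

/* Jump to `page`. Returns 1 if the CPU blocked execution with a fault,
 * 0 if the code ran to completion. */
static int try_execute(void *page)
{
    struct sigaction sa, old;
    void (*fn)(void);
    int blocked;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    if (sigsetjmp(fault_env, 1) == 0) {
        memcpy(&fn, &page, sizeof fn);   /* object pointer -> function pointer */
        fn();                            /* faults here if the page is not executable */
        blocked = 0;
    } else {
        blocked = 1;                     /* arrived via the signal handler */
    }
    sigaction(SIGSEGV, &old, NULL);
    return blocked;
}

/* Map a fresh read/write page holding `ret`, optionally mark it executable,
 * and try to run it. Returns 1 if execution was blocked by a fault, 0 if it
 * ran, -1 if mmap() or mprotect() failed. */
static int run_from_page(int executable)
{
    size_t psz = (size_t)sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, psz, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    memcpy(page, ret_code, sizeof ret_code);   /* code written into a data page */
    if (executable) {
        /* Clear the no-execute attribute: the page now counts as code. */
        if (mprotect(page, psz, PROT_READ | PROT_EXEC) != 0) {
            munmap(page, psz);
            return -1;
        }
        __builtin___clear_cache((char *)page, (char *)page + sizeof ret_code);
    }
    int blocked = try_execute(page);
    munmap(page, psz);
    return blocked;
}

/* 1 when NX/XD blocks execution from a read/write data page. */
int exec_from_data_page_blocked(void) { return run_from_page(0) == 1; }

/* 1 when the same bytes run after the page is marked executable. */
int exec_from_exec_page_succeeds(void) { return run_from_page(1) == 0; }

int main(void)
{
    printf("execution from RW data page blocked: %d\n", exec_from_data_page_blocked());
    printf("execution from RX page succeeded:    %d\n", exec_from_exec_page_succeeds());
    return 0;
}
```

On Windows the same two outcomes are what a process sees under hardware-enforced DEP: an access-violation exception from the data page, and normal execution once the page is marked executable.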
DEP configuration for the system is controlled through switches in the Boot.ini file. If you are logged on as an administrator, you can now easily configure DEP settings by using the System dialog box in Control Panel.
Windows supports four system-wide configurations for both hardware-enforced and software-enforced DEP.
| Configuration | Description |
|---|---|
| OptIn | This setting is the default configuration. On systems with processors that can implement hardware-enforced DEP, DEP is enabled by default for limited system binaries and programs that “opt-in.” With this option, only Windows system binaries are covered by DEP by default. |
| OptOut | DEP is enabled by default for all processes. You can manually create a list of specific programs that do not have DEP applied by using the System dialog box in Control Panel. Information technology (IT) professionals can use the Application Compatibility Toolkit to “opt-out” one or more programs from DEP protection. System compatibility fixes, or shims, for DEP do take effect. |
| AlwaysOn | This setting provides full DEP coverage for the whole system. All processes always run with DEP applied. The exceptions list to exempt specific programs from DEP protection is not available. System compatibility fixes for DEP do not take effect. Programs that have been opted-out by using the Application Compatibility Toolkit run with DEP applied. |
| AlwaysOff | This setting does not provide any DEP coverage for any part of the system, regardless of hardware DEP support. The processor does not run in PAE mode unless the /PAE option is present in the Boot.ini file. |
Hardware-enforced and software-enforced DEP are configured in the same manner. If the system-wide DEP policy is set to OptIn, the same Windows core binaries and programs will be protected by both hardware-enforced and software-enforced DEP. If the system cannot use hardware-enforced DEP, the Windows core binaries and programs will be protected only by software-enforced DEP.
Similarly, if the system-wide DEP policy is set to OptOut, programs that have been exempted from DEP protection will be exempted from both hardware-enforced and software-enforced DEP.
The Boot.ini file settings are as follows:
/noexecute=policy_level
Note: policy_level is defined as AlwaysOn, AlwaysOff, OptIn, or OptOut.
Existing /noexecute settings in the Boot.ini file are not changed when Windows XP SP2 is installed. These settings are also not changed if a Windows operating system image is moved across computers with or without hardware-enforced DEP support.
During installation of Windows XP SP2 and Windows Server 2003 SP1 or later versions, the OptIn policy level is enabled by default unless a different policy level is specified in an unattended installation. If the /noexecute=policy_level setting is not present in the Boot.ini file for a version of Windows that supports DEP, the behavior is the same as if the /noexecute=OptIn setting was included.
If you are logged on as an administrator, you can manually configure DEP to switch between the OptIn and OptOut policies by using the Data Execution Prevention tab in System Properties. The following procedure describes how to manually configure DEP on the computer:
- Click Start, click Run, type sysdm.cpl, and then click
- On the Advanced tab, under Performance, click Settings.
- On the Data Execution Prevention tab, use one of the following procedures:
  - Click Turn on DEP for essential Windows programs and services only to select the OptIn policy.
  - Click Turn on DEP for all programs and services except those I select to select the OptOut policy, and then click Add to add the programs that you do not want to use the DEP feature.
- Click OK two times.
IT professionals can control system-wide DEP configuration by using a variety of methods. The Boot.ini file can be modified directly with scripting mechanisms or with the Bootcfg.exe tool that is included in Windows XP SP2.
To configure DEP to switch to the AlwaysOn policy by using the Boot.ini file, follow these steps:
- Click Start, right-click My Computer, and then click Properties.
- Click the Advanced tab, and then click Settings under the Startup and Recovery field.
- In the System startup field, click Edit. The Boot.ini file opens in Notepad.
- In Notepad, click Find on the Edit menu.
- In the Find what box, type /noexecute, and then click Find Next.
- In the Find dialog box, click Cancel.
- Replace policy_level with AlwaysOn. Warning: Make sure that you enter the text accurately. The Boot.ini file switch should now read:
/noexecute=AlwaysOn
- In Notepad, click Save on the File menu.
- Click OK two times.
- Restart the computer.
For unattended installations of Windows XP SP2 or later versions, you can use the Unattend.txt file to pre-populate a specific DEP configuration. You can use the OSLoadOptionsVar entry in the [Data] section of the Unattend.txt file to specify a system-wide DEP configuration.
For the purposes of program compatibility, you can selectively disable DEP for individual 32-bit programs when DEP is set to the OptOut policy level. To do this, use the Data Execution Prevention tab in System Properties to selectively disable DEP for a program. For IT professionals, a new program compatibility fix that is named DisableNX is included with Windows XP SP2. The DisableNX compatibility fix disables Data Execution Prevention for the program that the fix is applied to.
The DisableNX compatibility fix can be applied to a program by using the Application Compatibility Toolkit. For more information about Windows application compatibility, see Windows Application Compatibility on the following Microsoft Web site:
For more information, click the following article number to view the article in the Microsoft Knowledge Base:
899298 The “Understanding Data Execution Prevention” help topic incorrectly states the default setting for DEP in Windows Server 2003 Service Pack 1
Article ID: 875352 – Last Review: Feb 16, 2017 – Revision: 2
A detailed description of the Data Execution Prevention (DEP) feature in Windows XP Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows Server 2003; data taken from the Microsoft link below: