Monday Mar 23, 2015

Oracle VM Server for SPARC 3.2 - Live Migration

Oracle has just released Oracle VM Server for SPARC release 3.2. This update has been integrated into Oracle Solaris 11.2 beginning with SRU 8.4. Please refer to Oracle Solaris 11.2 Support Repository Updates (SRU) Index [ID 1672221.1]. 

This new release introduces the following features:

  • Improved multipath virtual disk I/O (mpgroup): view, set active I/O path
  • Improved domain observability to show dependencies between service and guest domains
  • Improved network observability, quality of service and security management, and PVLAN
  • I/O Resiliency (IOR) for physical I/O
  • Dynamic Bus (dynamically assign PCI bus to domains)
  • Live migration improvements
  • Guest additions (VM API to interact with host environment)
  • Guest access to SPARC performance counters

Live migration performance and security enhancements

This blog entry details 3.2 improvements to live migration. Oracle VM Server for SPARC has supported live migration since release 2.1, and has been enhanced over time to provide features like cross-CPU live migration to permit migrating domains across different SPARC CPU server types. Oracle VM Server for SPARC 3.2 improves live migration performance and security.

Live migration performance

The time to migrate a domain is reduced in Oracle VM Server for SPARC 3.2 by the following improvements:

  • Parallel page copying and memory mapped I/O: data compression and transmission were alredy multi-threaded, but copying from hypervisor memory was single-threaded and buffers were copied twice. This change adds worker threads for parallelism and reduces the number of times data is copied, including for network I/O
  • LZJB used to compress: Memory is compressed before it is encrypted and transmitted over the network. This change uses the fast, lightweight LZJB (Lempel Zev Jeff Bonwick) algorithm to quickly compress and decompress memory pages. Zero-fill pages are skipped, and pages that are only slightly reduced in size are sent unchanged. That reduces overall processing time.
These and other changes reduce overall migration time, reduce domain suspension time (the time at the end of migration when the domain is paused to retransmit the last remaining pages). and reduces CPU utilization. In my own testing I've seen speedups from 50% to 500% faster migration depending on the guest domain activity and memory size. Others may experience different times, depending on network and CPU speeds and domain configuration.

This improvement is available on all SPARC servers supporting Oracle VM Server for SPARC, including the older UltraSPARC T2, UltraSPARC T2 Plus, and SPARC T3 systems. Some speedups are only be available for guest domains running Solaris 11.2 SRU 8 or later, and will not be available on Solaris 10. Solaris 10 guests must run Solaris 10/09 or later, as that release introduced code for cooperative live migration that works with the hypervisor.

Live migration security

Oracle VM Server for SPARC 3.2 improves live migration security by adding certificate-based authentication and supporting the FIPS 140-2 standard.

Certificate based authentication

Live migration requires mutual authentication between the source and target servers. The simplest way to initiate live migration is to issue an "ldm migrate" command on the source system specifying an adminstrator password on the target system, or point to a root-readable file containing the target system's password. That is cumbersome, and not ideal for security. Oracle VM Server for SPARC 3.2 adds a secure, scalable way to permit password-less live migration using certificates that prevents man-in-the-middle attacks.

This is accomplished by using SSL certificates to establish a trust relationship between different server's control domainss as described at Configuring SSL Certificates for Migration. In brief, a certificate is securely copied from the remote system's /var/opt/SUNWldm/server.crt to the local system's /var/opt/SUNWldm/trust and a symbolic is made from certificate in the ldmd trusted certificate directory to /etc/certs/CA. After the certificate and ldmd services are restarted, the two control domains can securely communicate with one another without passwords. This enhancement is available on all servers supporting Oracle VM Server for SPARC, using either Solaris 10 or Solaris 11.

FIPS 140-2 Mode

The Oracle VM Server for SPARC Logical Domains Manager can be configured to perform domain migrations using the Oracle Solaris FIPS 140-2 certified OpenSSL libraries as described at http://docs.oracle.com/cd/E48724_01/html/E48732/fipsmodeformigration.html#scrolltoc. When this is in effect, migrations are conformant with this standard, and can only done between servers that are all in FIPS 140-2 mode.

For more information, please see Using a FIPS 140 Enabled System in Oracle® Solaris 11.2. This enhancement requires that the control domain run Oracle Solaris 11.2 SRU 8.4 or later.

Where to get more information

For additional resources about Oracle VM Server for SPARC 3.2, please see the documentation at http://docs.oracle.com/cd/E48724_01/index.html, especially the What's New page, the Release Notes and the Administration Guide

Friday Jun 14, 2013

Best Practices - Live Migration on Oracle VM Server for SPARC

Oracle VM Server for SPARC supports live migration for moving a guest domain (virtual machine) from one server to another. This blog entry provides some comments on best practices for using live migration, describes factors that affect how long migration takes, and offers some alternative methods that can be better than live migration for some use cases - just because you can do something doesn't mean you should do something![Read More]

Thursday May 24, 2012

Cross-CPU Live Migration in Oracle VM Server for SPARC 2.2

Oracle VM Server for SPARC 2.2 can now live migrate running guest domains between T-series servers even if they don't have the same chip type or frequency. [Read More]

Thursday Jun 09, 2011

Live migration in Oracle VM Server SPARC 2.1

Oracle VM Server SPARC now supports "live migration" - this blog entry explains how it works, shows examples using it, and describes how it can be used. [Read More]

Friday Sep 25, 2009

ZFS, Live Upgrade and Flash Archive - happy together at last

Flash Archive is a really handy Solaris feature for cloning Solaris systems. Unfortunately, until recently it didn't work with Solaris 10 systems that leveraged ZFS boot - but now it's available. Here's my experience making use of this.[Read More]
About

Jsavit-Oracle

Search

Categories
Archives
« August 2015
SunMonTueWedThuFriSat
      
1
2
3
4
5
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
     
Today