By Listey-Oracle on Jul 07, 2015
Secure Live Migration with Oracle Solaris Kernel Zones
Hopefully you have heard about the Oracle Solaris 11.3 Beta release but if not you can learn more here.
One of the key features of the Oracle Solaris 11.3 Beta release is the introduction of Secure Live Migration for Kernel Zones. This feature brings with it a couple of things of note.
First the obvious part - with live migration system administrators can limit the number and types of outages to applications and end users. This is particularly useful when there is a requirement to do system maintenance to the underlying OS or hardware. The Kernel Zones environments can be migrated off the source system before this maintenance. This is especially useful in today's datacenter where workloads (and owners of those workloads) running on systems can be many and varied. It is not always simple to organise a common outage window and can actually be quite frustrating.
Secondly the secure part. With secure live migration, not only is your data protected but man in the middle attacks are prevented. As with other security features in Oracle Solaris this is the default setting and automatically takes advantage of the available hardware crypto accelerators - meaning you get this protection at no additional performance cost. You may have to set up some security keys but our documentation walks you through this.
So, you are about to try live migrating a Kernel Zones, here are 10 things you might not know:
- We recommend that you use a 10GB link between the source and target systems
- Live migration with Kernel Zones is available on both SPARC and x86 systems
- On SPARC you will need to update your firmware to the appropriate system firmware level (see the docs for actual details)
- We recommend you perform live migration with a non-root user
- You will need running instances of these 3 services: live migration daemon, Remote Administration Daemon, and NTP server
- You can perform a dry run of a live migration with the -n option to zoneadm migrate
- Right now you cannot live migrate an LDom guest that has a running Kernel Zone inside it
- You might want to consider having a dedicated link for live migration or putting some bandwidth controls on
- Live migration tasks are performed by the zone itself so if you have CPU resource limits in place, make sure there is sufficient for the live migration task
- You don't have to have a config for a zone setup on the target system, you can configure a privileged to get this done automatically