News, tips, partners, and perspectives for Oracle’s virtualization offerings
-
Perspectives
|
March 23, 2015
Oracle VM Server for SPARC 3.2 - Live Migration
Oracle has just released Oracle VM Server for SPARC release 3.2.
This update has been integrated into
Oracle Solaris 11.2 beginning with SRU 8.4. Please refer to Oracle Solaris 11.2
Support Repository Updates (SRU) Index [ID 1672221.1].
This new release introduces the following features:
- Improved multipath virtual disk I/O (mpgroup): view, set active I/O path
- Improved domain observability to show dependencies between service and guest domains
- Improved network observability, quality of service and security management, and PVLAN
- I/O Resiliency (IOR) for physical I/O
- Dynamic Bus (dynamically assign PCI bus to domains)
- Live migration improvements
- Guest additions (VM API to interact with host environment)
- Guest access to SPARC performance counters
Live migration performance and security enhancements
This blog entry details 3.2 improvements to live migration.
Oracle VM Server for SPARC has supported live migration since release 2.1, and has been enhanced over time
to provide features like cross-CPU live migration to permit migrating domains across different SPARC CPU server types.
Oracle VM Server for SPARC 3.2 improves live migration performance and security.
Live migration performance
The time to migrate a domain is reduced in Oracle VM Server for SPARC 3.2 by the following improvements:
- Parallel page copying and memory mapped I/O:
data compression and transmission were alredy multi-threaded, but copying from hypervisor memory was single-threaded and buffers were
copied twice. This change adds worker threads for parallelism and reduces the number of times data is copied, including for network I/O - LZJB used to compress: Memory is compressed before it is encrypted and transmitted over the network.
This change uses the fast, lightweight LZJB (Lempel Zev Jeff Bonwick) algorithm
to quickly compress and decompress memory pages. Zero-fill pages are skipped, and pages that are only slightly reduced in size are sent unchanged.
That reduces overall processing time.
These and other changes reduce overall migration time, reduce domain suspension time (the time at the end of migration
when the domain is paused to retransmit the last remaining pages). and reduces CPU utilization.
In my own testing I've seen speedups from 50% to 500% faster migration depending on the guest domain activity and memory size.
Others may experience different times, depending on network and CPU speeds and domain configuration.
This improvement is available on all SPARC servers supporting Oracle VM Server for SPARC,
including the older UltraSPARC T2, UltraSPARC T2 Plus, and SPARC T3 systems.
Some speedups are only be available for guest domains running Solaris 11.2 SRU 8 or later, and will not be
available on Solaris 10. Solaris 10 guests must run Solaris 10/09 or later, as that release introduced code for cooperative live migration that works with the hypervisor.
Live migration security
Oracle VM Server for SPARC 3.2 improves live migration security
by adding certificate-based authentication and supporting the FIPS 140-2 standard.
Certificate based authentication
Live migration requires mutual authentication between the source and target servers.
The simplest way to initiate live migration is to issue an "ldm migrate" command on the source system specifying an adminstrator password
on the target system, or point to a root-readable file containing the target system's password.
That is cumbersome, and not ideal for security.
Oracle VM Server for SPARC 3.2 adds a secure, scalable way to permit password-less live migration using certificates
that prevents man-in-the-middle attacks.
This is accomplished by using SSL certificates to establish a trust relationship between different server's control domainss
as described at Configuring SSL Certificates for Migration.
In brief, a certificate is securely copied from the remote system's /var/opt/SUNWldm/server.crt to the local system's /var/opt/SUNWldm/trust and a symbolic is made from certificate in the ldmd trusted certificate directory to /etc/certs/CA. After the certificate and ldmd services are restarted, the two control domains can securely communicate with one another without passwords.
This enhancement is available on all servers supporting Oracle VM Server for SPARC, using either Solaris 10 or Solaris 11.
FIPS 140-2 Mode
The Oracle VM Server for SPARC Logical Domains Manager
can be configured to perform domain migrations using the Oracle Solaris FIPS 140-2 certified OpenSSL libraries
as described at http://docs.oracle.com/cd/E48724_01/html/E48732/fipsmodeformigration.html#scrolltoc.
When this is in effect, migrations are conformant with this standard, and can only done between servers that are all in FIPS 140-2 mode.
For more information, please see
Using a FIPS 140 Enabled System in Oracle® Solaris 11.2.
This enhancement requires that the control domain run Oracle Solaris 11.2 SRU 8.4 or later.
Where to get more information
For additional resources about Oracle VM Server for SPARC 3.2, please see the documentation athttp://docs.oracle.com/cd/E48724_01/index.html,
especially the
What's New page, the
Release Notes
and the Administration Guide