Secure Cloud-Scale Virtualization with Solaris 11
DESCRIPTION
Third presentation from Solaris 11 Technology Forum events conducted in New York, Boston, Chicago, Dallas and other North American cities.
TRANSCRIPT
1 Copyright © 2011, Oracle and/or its affiliates. All rights
reserved.
Secure Cloud-Scale Virtualization
Jeff Victor
Principal Sales Consultant, Solaris
Oracle Solaris 11
The following is intended to outline our general product direction. It is intended
for information purposes only, and may not be incorporated into any contract. It
is not a commitment to deliver any material, code, or functionality, and should
not be relied upon in making purchasing decisions. The development, release,
and timing of any features or functionality described for Oracle ’s products
remains at the sole discretion of Oracle.
Agenda
• Integrated Virtualization
• Use Cases for Zones
• Network Virtualization and Resource Control
• Built for Cloud Deployments
Integrated Virtualization
[Diagram: the five integrated areas of the platform: Software Management, Network Virtualization, Data Management, Provisioning, Security]
Integrated Virtualization
• Security: ZFS Encryption, Immutable Zones, Delegated Admin
• Software Management: IPS, Repositories, Boot Environments
• Network Virtualization: Network in a box, Bandwidth Control, Resource Mgmt
• Data Management: ZFS, COMSTAR
• Provisioning: Automated Installer, Distro Constructor
Independent, Efficient Virtualization
• Oracle Solaris Zones are more complete
– More flexible content with IPS
– NFS Server in a zone
– Delegated ZFS Datasets
– Exclusive IP by Default
– Recognized Hard Partition
– Full support for Oracle stack
– Legacy support: Oracle Solaris 10 Zones
• The default environment for your application
Agenda
• Integrated Virtualization
• Use Cases for Zones
• Network Virtualization and Resource Control
• Built for Cloud Deployments
Consolidate to efficiency
Self Service, Rapid Deployment
• Bring Services online quickly
– Isolated
– Fast zone boot
– Encapsulated
– VM Templates
– Zone cloning and attach/detach
– Minimized out of the box
– Resource control
• Deploying in a zone brings business agility by default
Seamless Upgrades
Oracle Solaris 11 Zones, Oracle VM
• Seamless upgrades from previous version
– Assisted with a built-in pre-flight checker
• Live migration with OVM SPARC and OVM x86
[Diagram: Solaris 10 systems and S10 Zones move via p2v and v2v into S10 Zones on Solaris 11 hosts; Solaris 11 hosts carrying S11 Zones and S10 Zones run on Oracle VM and are live migrated between hosts]
Tailored Security: Defense with Depth
• Always secure Oracle Solaris Zones add even more control and depth
– Immutable Zones: strict or relaxed
– Data protection with RO storage access
– Data link protection for mis-behaving applications
– Access protection with Delegated Administration
– Secure by default
• No special hardware needed, built-in, secure, cost free
Zones and Resource Control (1)
Resource Control                                               Control Name
Exclusive CPUs for a zone                                      zonecfg:dedicated-cpu
Absolute limit on the amount of CPU resources for this zone    zone.cpu-cap
Number of fair share scheduler (FSS) CPU shares for this zone  zone.cpu-shares
Total amount of physical locked memory available to a zone     zone.max-locked-memory
Total amount of System V shared memory allowed for this zone   zone.max-shm-memory
Zones and Resource Control (2)
Resource Control                                                                                        Control Name
Total amount of RAM that can be consumed by a zone's processes                                          zonecfg:capped-memory:physical
Total amount of swap that can be consumed by user process address space mappings and tmpfs mounts      zone.max-swap
Maximum number of processes that a zone can run                                                         zone.max-processes
Maximum number of software threads that a zone can run                                                  zone.max-lwps
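Added example (not from the deck): the controls on the Tailored Security slide and the two resource-control tables all end up in one zonecfg(1M) configuration, so the script below, written for this edit rather than taken from Oracle, emits such a configuration as a zonecfg command file. It sets the immutable-root profile (zonecfg's file-mac-profile, whose values are strict, fixed-configuration and flexible-configuration, the deck's "strict or relaxed"), an exclusive-IP anet with link-protection and a pinned allowed-address, capped-memory and dedicated-cpu, the max-processes and max-lwps caps, and a delegated admin. The zone name web1, the address 192.0.2.10/24, the user webadmin and the limits are hypothetical; on a Solaris 11 host the output would be applied with zonecfg -z web1 -f web1.cfg.

```sh
#!/bin/sh
# Added example, not from the deck: generate a zonecfg(1M) command file for a
# hardened Solaris 11 zone combining the controls named on the slides
# (immutable root, exclusive-IP anet with data link protection, delegated
# administration, memory/CPU/process caps). Zone name, address, user and
# limits below are hypothetical. Apply on Solaris 11 with:
#   gen_zone_cfg web1 fixed-configuration 2G 2 webadmin 192.0.2.10/24 > web1.cfg
#   zonecfg -z web1 -f web1.cfg

# Size strings zonecfg accepts for memory caps: digits plus optional K/M/G/T.
valid_size() {
    case "$1" in ''|*[!0-9KMGTkmgt]*) return 1 ;; esac
    num=${1%[KMGTkmgt]}
    case "$num" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# gen_zone_cfg <zone> <file-mac-profile> <physical-mem> <ncpus> <admin-user> <ip/prefix>
gen_zone_cfg() {
    case "$2" in
        strict|fixed-configuration|flexible-configuration) ;;
        *) echo "unknown file-mac-profile: $2" >&2; return 1 ;;
    esac
    valid_size "$3" || { echo "bad memory size: $3" >&2; return 1; }
    case "$4" in ''|*[!0-9]*) echo "bad ncpus: $4" >&2; return 1 ;; esac
    cat <<EOF
create -b
set brand=solaris
set zonepath=/zones/$1
set autoboot=true
set file-mac-profile=$2
set ip-type=exclusive
add anet
set linkname=net0
set lower-link=net0
set allowed-address=$6
set link-protection=mac-nospoof,ip-nospoof,dhcp-nospoof,restricted
end
add capped-memory
set physical=$3
end
add dedicated-cpu
set ncpus=$4
end
set max-processes=2000
set max-lwps=8000
add admin
set user=$5
set auths=login,manage
end
commit
EOF
}

# Stand-alone demo with the hypothetical values.
gen_zone_cfg web1 fixed-configuration 2G 2 webadmin 192.0.2.10/24
```

valid_size and the profile check reject values zonecfg would refuse (2GB, K5, "relaxed"), so a typo surfaces in the generator instead of half-way through a zonecfg run that leaves the zone partly configured.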
Plan for Capacity: With Clear Observability
• To plan you need to clearly see your environment
– zonestat
– flowstat
– DTrace
• OEM Ops Center to bring it together
• Plan for consolidation
• Plan for expansion
• Unbeatable observability with clarity
HA for Oracle Solaris Zones Deployments
[Diagram: Server 1, Server 2 and Server 3 form a physical cluster; zones and their applications are spread across the servers as zone clusters and as a failover zone]
Zone Clusters: independent virtual clusters
• Application protection with resource dependencies management, policy based restart and failover
• Ease of use with delegated administration across virtual cluster
• Ideal for multi-tiered workloads and consolidation
Failover Zone: highly available resource
• Zone protection with resource dependencies management, restart and failover
• Ideal for packaged, closed workloads
Agenda
• Integrated Virtualization
• Use Cases for Zones
• Network Virtualization and Resource Control
• Built for Cloud Deployments
Crossbow: Built-in Network Virtualization and Resource Control
• Network Virtualization: Virtual NICs, Virtual Switching, Network in a Box
• Bandwidth Partitioning: Built-in QoS, bandwidth limits for data links and on a per-flow basis
• Resource Control: Constrain traffic processing to CPUs or CPU pools dedicated to zones
• Observability: Real-time usage and history for VNICs, hardware resources, and traffic flows
• Scalability: Parallel traffic from hardware to applications, Dynamic Polling, NUMA I/O
Parallel Network Virtualization Architecture
• Virtualization and QoS designed-in
• Independent hardware lanes with dedicated resources (CPUs, I/O threads, interrupts): from the NIC to applications
• VNIC behaves just like a regular NIC (link speed, stats, MAC address)
• Hardware and software fanouts for best scalability
• Adaptive polling mode depending on load
Network Resource Control
• Set bandwidth limit on a VNIC (virtual link speed)
• QoS integrated in the core stack, no separate component to configure
• Constrain the CPUs used by VNICs or data links by CPU ids or pool names
• Integrated with Solaris resource management and zones

# dladm create-vnic -l net0 -p maxbw=100M vnic0
Controlling and Observing Flows: Control the Un-Controllable
• Built-in QoS can be applied to traffic flows specified by the administrator
• Managed by flowadm(1M) and specified by source and destination IP addresses, protocol, port number, etc.
• Flows can be observed in real time with flowstat(1M), or a history can be obtained using extended accounting
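Added example (not from the deck): the dladm line on the previous slide caps a VNIC; the script below, written for this edit and not taken from Oracle, puts that cap together with anti-spoofing on a zone's VNIC, adds a flowadm(1M) flow so HTTPS on that VNIC gets its own limit, and parses flowstat(1M)-style output to confirm that a cap is actually biting (packets over the limit are dropped and show up in the drop columns). The link names net0 and vnic0, the flow names and the 100M/50M limits are hypothetical; the flowstat sample is constructed, and its column layout is assumed from the default output. With DRY_RUN=1 (the default) the commands are printed rather than executed, so the script also runs on a non-Solaris host.

```sh
#!/bin/sh
# Added example, not from the deck: cap and anti-spoof a zone's VNIC with
# dladm(1M), give one protocol on it its own cap with flowadm(1M), then read
# flowstat(1M)-style output to see whether a cap is being enforced.
# Link, flow and port names are hypothetical. DRY_RUN=1 (default) prints the
# commands instead of executing them.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Bandwidth strings accepted for maxbw: digits plus optional K/M/G suffix.
valid_bw() {
    case "$1" in ''|*[!0-9KMGkmg]*) return 1 ;; esac
    n=${1%[KMGkmg]}
    case "$n" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# make_vnic <lower-link> <vnic> <maxbw> <allowed-ip>
# maxbw is the zone's "virtual link speed"; protection stops the zone from
# forging MAC or IP addresses and allowed-ips pins it to its own address.
make_vnic() {
    valid_bw "$3" || { echo "bad maxbw: $3" >&2; return 1; }
    run dladm create-vnic -l "$1" -p maxbw="$3" "$2"
    run dladm set-linkprop -p protection=mac-nospoof,ip-nospoof,restricted "$2"
    run dladm set-linkprop -p allowed-ips="$4" "$2"
}

# make_flow <link> <flowname> <tcp-port> <maxbw>
# A flow is matched by transport and local port and gets its own limit,
# independent of the link cap it sits under.
make_flow() {
    case "$3" in ''|*[!0-9]*) echo "bad port: $3" >&2; return 1 ;; esac
    [ "$3" -ge 1 ] && [ "$3" -le 65535 ] || { echo "bad port: $3" >&2; return 1; }
    valid_bw "$4" || { echo "bad maxbw: $4" >&2; return 1; }
    run flowadm add-flow -l "$1" -a transport=tcp,local_port="$3" -p maxbw="$4" "$2"
}

# Constructed sample in the shape of 'flowstat' output (not captured from a
# real system; the column layout is assumed). Packets over a cap are dropped,
# so non-zero IDROPS/ODROPS on a flow means its limit is being hit.
SAMPLE_FLOWSTAT='           FLOW    IPKTS   RBYTES   IDROPS    OPKTS   OBYTES   ODROPS
     https-flow    1.20K    1.60M        0    3.40K    41.2M     2.1K
       ssh-flow      300    22.0K        0      310    40.1K        0'

# capped_flows "<flowstat output>": names of flows with any dropped packets.
capped_flows() {
    printf '%s\n' "$1" | awk 'NR > 1 && ($4 != "0" || $7 != "0") { print $1 }'
}

# Stand-alone demo: 100M for the zone's link, 50M of that for HTTPS.
make_vnic net0 vnic0 100M 192.0.2.10
make_flow vnic0 https-flow 443 50M
capped_flows "$SAMPLE_FLOWSTAT"
```

The drop check is the practitioner's confirmation step: a cap that never produces drops under load is either too generous or not attached to the link the traffic is actually using.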
Highly Available VNICs
• Link Aggregation provides transparent failover and increased throughput to VNICs and zones
• Compliant with IEEE 802.3ad
• IP Multipathing (IPMP) can also be used, but needs to be configured from within zones
Virtual Switching
• Use etherstubs instead of physical NICs
• Build virtual switches that are independent from any hardware
• As many as you want on a single host
• A virtual switch is created automatically when VNICs are configured
• Virtual switches allow VNICs to communicate with each other and with hosts on the network
Private Virtual Network
• Use a virtual switch to build a private network
• Use a zone to firewall the private network and route to the physical network
• Virtual router/firewall has very small footprint
Virtual Multi-Tiered Architecture
Simulating Network Latencies
Data Center Modeling and Network Consolidation with Oracle Solaris 11
• Network Virtualization: Virtual switching, Virtual NICs, QoS
• Resource control: CPU pools, NUMA I/O, memory capping
• Solaris Zones: lightweight, small footprint
• Built-in Network Functions: Routing, Firewall, Bridging, Integrated Load Balancer, VRRP
Infiniband and Zones
• Infiniband (IB) is the backplane for Engineered Systems: SPARC SuperCluster, Exadata, Exalogic
• IP over IB partitions are the IB equivalent of Ethernet VNICs
• IB P_KEY is the equivalent of an Ethernet VLAN
• Can apply same network resource control to IB partitions
• Allows mixing and matching of VNICs and IB partitions in a zone
Agenda
• Integrated Virtualization
• Use Cases for Zones
• Network Virtualization and Resource Control
• Built for Cloud Deployments
VLAN Separation
• VNICs can be assigned a VLAN id
• Virtual switch provides VLAN separation
– Local traffic between VNICs
– Traffic to and from external hosts
• Extend VLAN separation from physical network into virtual switch
Dynamic VLAN Provisioning: Elastic and Isolated Virtual Networks in the Cloud
• Global zone dynamically sends updates to switch when VLANs are configured on physical NIC
• Switch updates VLANs associated with each port
• Messages are sent only from global zone
• Data link protection can be used to block attempts from non-global zone to add unauthorized VLANs
• Based on IEEE 802.1d standard
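Added example (not from the deck): the private virtual network and VLAN separation described on the preceding slides, as a dladm(1M) script written for this edit rather than taken from Oracle. It creates an etherstub as the virtual switch, gives every tenant its own VLAN-tagged VNIC on it, refuses a tenant table in which two tenants share a VLAN id or an id falls outside 1-4094, and sets the protection property so a zone cannot forge another tenant's MAC or IP address; the restricted value limits the zone's outbound frames to IPv4, IPv6 and ARP, which as I read the dynamic-VLAN slide is the data link protection that stops a non-global zone from emitting switch control frames such as VLAN registration requests. The tenant names, VLAN ids and the name stub0 are constructed. DRY_RUN=1 (the default) prints the commands instead of executing them.

```sh
#!/bin/sh
# Added example, not from the deck: a private virtual network on an etherstub
# (the virtual switch) with one 802.1Q VLAN per tenant, built with dladm(1M).
# Tenant table and link names are hypothetical. DRY_RUN=1 (default) prints
# the commands instead of executing them.
DRY_RUN=${DRY_RUN:-1}
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Constructed tenant table, "<tenant> <vlan-id>" per line.
TENANTS='alpha 10
beta 20'
# Same table with a mistake: two tenants on one VLAN.
TENANTS_BAD='alpha 10
beta 20
gamma 20'

# Tagged VLAN ids are 1..4094; 0 and 4095 are reserved by 802.1Q.
valid_vlan() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# Refuse a table in which two tenants share a VLAN: on the virtual switch the
# tag is the only thing keeping their frames apart.
check_tenants() {
    printf '%s\n' "$1" | awk '
        { if ($2 in seen) { print "vlan " $2 " shared by " seen[$2] " and " $1; bad = 1 }
          seen[$2] = $1 }
        END { exit bad }'
}

# build_network <etherstub> "<tenant table>"
# One VNIC per tenant on the etherstub, tagged with the tenant's VLAN. Link
# names must end in a digit, hence "<tenant>0". protection keeps a zone from
# forging another tenant's MAC/IP and (restricted) from sending anything but
# IPv4, IPv6 and ARP, so it cannot push layer-2 control frames onto the switch.
build_network() {
    check_tenants "$2" || return 1
    run dladm create-etherstub "$1"
    printf '%s\n' "$2" | while read -r tenant vlan; do
        valid_vlan "$vlan" || { echo "bad vlan id '$vlan' for $tenant" >&2; exit 1; }
        run dladm create-vnic -l "$1" -v "$vlan" "${tenant}0"
        run dladm set-linkprop -p protection=mac-nospoof,ip-nospoof,restricted "${tenant}0"
    done
}

# Stand-alone demo: the good table builds, the bad one is refused.
build_network stub0 "$TENANTS"
build_network stub0 "$TENANTS_BAD" || echo "refused: fix the tenant table" >&2
```

Each tenant VNIC is then handed to its zone (for example as the lower-link of the zone's anet); the zone that acts as router/firewall between the private network and the physical one gets one VNIC on the etherstub and one on the physical NIC.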
Cloud-Scale Networking With Solaris 11
• Network Virtualization: Virtual NICs (VNICs), Virtual switching, Hardware-assisted virtualization, Automatic VNICs for zones, SR-IOV Integration, VLAN isolation, Anti-spoofing protection
• Resource Control: Integrated QoS, Bandwidth limits, Mapping to CPUs or CPU pools for isolation
• Performance: Parallel stack, NUMA I/O Framework, SR-IOV Integration, Dynamic Polling, Buffer Management, Pre-mapped buffers, Kernel Socket API, 4x Lower latency vs KVM, Converged Ethernet
• Built-in Network Functionality: Routing, Firewall, Load Balancing, VRRP, Bridging
• Management: IPMP re-architecture, Vanity naming, Automatic IP configuration, Centralized IP administration, Centralized data link administration, Consolidated data link properties, GLDv3 unification for legacy drivers
• Observability: Real-time data link, hardware, and flow statistics. History integrated with extended accounting. Capture local traffic through virtual switch and IP loopback path.
• APIs: Committed GLDv3 APIs, pluggable TCP congestion algorithms, IP Filter Hooks, Kernel socket API
For More Information / Try Out Today
• Product overview and download
– oracle.com/solaris
• Oracle Technology Network
– oracle.com/technetwork/server-storage/solaris11
• System administrators community
– oracle.com/technetwork/systems
• @ORCL_Solaris
• facebook.com/oraclesolaris
• Oracle Solaris Insider
[additional backup slides]
Test the un-testable
• Fully simulate your production environment
– Reduce expense with software network equipment
– More testing means better quality
– Easier to test different scenarios or even different production environments
– Better define your production environment network requirements
Control the un-controllable
• Introducing network resource control
– Bandwidth control
– Flow control
• Split up large network pipes
• Guarantee types of network traffic for your applications
• Protect your systems from inside bandwidth hogs
• Provide the correct levels of service
Divide and guarantee
• Bigger systems and fatter pipes need carving up
– Oracle Solaris Zones for isolation and resource control
– Break up the fat network pipes with bandwidth control
– Observe usage and adjust resources dynamically without the need for outages
• Better and new resource controls
– See what you are using and account for it
– New chargeback models for networking
• More reliable
Higher Consolidation: Power the applications not the technology
[Diagram: on the left, a fat hypervisor running several full OS instances; on the right, OVM for SPARC hosting Solaris 11 with Zones and an S10 Zone, and Solaris 10 with S8 and S9 Zones]
Fat hypervisor:
• Steals memory resources and introduces latency
• Wastes memory and disk space on multiple fat OSes
• Applications get the leftover resources
• CPU oversubscription introduces scheduling inefficiencies
• Inflexible, dedicated resources
Solaris 11 Zones on OVM for SPARC:
• Lots of threads for bare metal CPU performance
• Thin, efficient hypervisor
• Minimized single instance OS
• Share resources
Reliable, Available, Serviceable
• Network Virtualization not only reduces cost
• Reduce or eliminate networking risk
– Eliminate cables
– Avoid user mistakes, wrong box, wrong cable
– More observable to trace errors
– Easier to correct with software implementation
– Leverage Solaris and SPARC RAS