secure cloud-scale virtualization

1 Copyright © 2011, Oracle and/or its affiliates. All rights

reserved.

Secure Cloud-Scale Virtualization

Steffen Weiberle

Principal Solutions Consultant

Oracle Solaris 11


reserved.

Agenda

• Integrated Virtualization

• Use Cases for Zones

• Network Virtualization and Resource Control

• Built for Cloud Deployments


reserved.

Integrated Virtualization

Software

Management

Network

Virtualization

Data

Management

Provisioning

Security


reserved.

Integrated Virtualization

Security -ZFS Encryption

-Immutable Zones

-Delegated Admin

Software

Management -IPS

-Repositories

-Boot Environments

Network

Virtualization -Network in a box

-Bandwidth Control

-Resource Mgmt

Data

Management -ZFS

-COMSTAR

Provisioning -Automated Installer

-Distro Constructor


reserved.

Independent, Efficient, Virtualization

• Oracle Solaris Zones are more complete

– More flexible content with IPS

– NFS Server in a zone

– Delegated ZFS Datasets

– Exclusive IP by Default

– Recognized Hard Partition

– Full support for Oracle stack

– Legacy support: Oracle Solaris 10 Zones

• The default environment for your

application


reserved.

Agenda






reserved.

Consolidate to efficiency


reserved.

Self Service, Rapid Deployment

• Bring Services online quickly

– Isolated

– Fast zone boot

– Encapsulated

– VM Templates

– Zone cloning and attach/detach

– Minimized out of the box

– Resource control

• Deploying in a zone brings business

agility by default


reserved.

Seamless Upgrades Oracle Solaris 11 Zones, Oracle VM

• Seamless upgrades from previous version – Assisted with a built-in pre-flight checker

• Live migration with OVM SPARC and OVM x86

Solaris 10

Live

Migrate

S10 Zone

Solaris 11

Oracle VM

S11 Zone S10 Zone

Solaris 11

S10 Zone

Oracle VM

S11 Zone v2v

Solaris 10

p2v

S10 Zone

Solaris 10

S10 Zone S10 Zone

v2v

p2v v2v


reserved.

Tailored Security: Defense with Depth

• Always secure Oracle Solaris Zones

add even more control and depth

– Immutable Zones: strict or relaxed

– Data protection with RO storage access

– Data link protection for mis-behaving

applications

– Access protection with Delegated

Administration

– Secure by default

• No special hardware needed, built-in,

secure, cost free


reserved.

Zones and Resource Control (1)

Resource Control Control Name

Exclusive CPUs for a zone zonecfg:dedicated-cpu

Absolute limit on the amount of CPU resources for this zone zone.cpu-cap

Number of fair share scheduler (FSS) CPU

shares for this zone zone.cpu-shares

Total amount of physical locked memory available to a zone. zone.max-locked-memory

Total amount of System V shared memory allowed for this zone zone.max-shm-memory


reserved.

Zones and Resource Control (2)

Resource Control Control Name

Total amount of RAM that can be consumed by a zone’s processes zonecfg:capped-memory:physical

Total amount of swap that can be consumed by user process address space mappings and tmpfs mounts for this zone.

zone.max-swap

Maximum number of processes that a zone can run zone.max-processes

Maximum number of software threads that a zone can run zone.max-lwps


reserved.

Plan for Capacity With Clear Observability

• To plan you need to clearly see your

environment

– zonestat

– flowstat

– DTrace

• OEM Ops Center to bring it together

• Plan for consolidation

• Plan for expansion

• Unbeatable observability with clarity


reserved.

HA for Oracle Solaris Zones Deployments

Server 3 Server 1 Server 2

Zone1 App

App

App

App

Zone 4

Zone2

App App

Zone 4

Physical Cluster

Zone Clusters Independent virtual clusters: •Application protection with resource

dependencies management, policy based restart

and failover

• Ease of use with delegated administration

across virtual cluster

• Ideal for multi-tiered workloads and

consolidation

Failover Zone Highly available resource:

• Zone protection with resource dependencies

management, restart and failover

• Ideal for packaged, closed workloads


reserved.

Agenda






reserved.

Network

Virtualization Virtual NICs, Virtual Switching, Network in a Box

Bandwidth

Partitioning

Built-in QOS: bandwidth limits for data links and on a per-

flows basis

Resource

Control

Constraint traffic processing to CPUs or CPU pools

dedicated to zones

Observability Real-time usage and history for VNICs, hardware

resources, and traffic flow

Scalability Parallel traffic from hardware to applications, Dynamic

Polling, NUMA I/O

Crossbow: Built-in Network Virtualization and Resource Control


reserved.

Parallel Network Virtualization Architecture

Virtualization and QoS designed-in

Independent Hardware Lanes with

dedicated resources (CPUs, I/O

threads, interrupts): from the NIC to

applications

VNIC behaves just like a regular

NIC (link speed, stats, MAC

address)

Hardware and software fanouts for

best scalability

Adaptive polling mode depending

on load


reserved.

Network Resource Control

Set bandwidth limit on a VNIC

(virtual link speed)

QoS integrated in the core

stack, no separate component to

configure

Constrain the CPUs used by

VNICs or data links by CPU ids

or pool names

Integrated with Solaris resource

management and zones # dladm create-vnic -l net0 \ -p maxbw=100M vnic0


reserved.

Controlling and Observing Flows Control the Un-Controllable

Built-in QoS can be applied to

traffic flows specified by the

administrator

Managed by flowadm(1M) and

specified by source and

destination IP addresses, protocol,

port number, etc.

Flows can be observed in real time

with flowstat(1M), or a history can

be obtained using extended accounting


reserved.

Highly Available VNICs

Link Aggregation provides

transparent failover and

increased throughput to VNICs

and zones

Compliant with IEEE 802.3ad

IP Multipathing (IPMP) can also

be used, but needs to be

configured from within zones


reserved.

Virtual Switching

Use etherstubs instead of physical NICs

Build virtual switches that are independent

from any hardware

As many as you want on a single host

A virtual switch is created automatically

when VNICs are configured

Virtual switches allow VNICs to

communicate with each other and with

hosts on the network


reserved.

Private Virtual Network

Use a virtual switch to

build a private network

Use a zone to firewall the

private network, and route

with physical network

Virtual router/firewall has

very small footprint


reserved.

Virtual Multi-Tiered Architecture


reserved.

Simulating Network Latencies


reserved.

Data Center Modeling and

Network Consolidation with Oracle Solaris 11

Network Virtualization

Virtual switching,

Virtual NICs, QOS

Resources control

CPU pools, NUMA I/O,

memory capping

Solaris Zones

lightweight, small footprint

Built-in Network Functions

Routing, Firewall, Bridging,

Integrated Load Balancer,

VRRP


reserved.

Infiniband and Zones

Infiniband (IB) is the backplane for

Engineered Systems – SPARC

SuperCluster, Exadata, Exalogic

IP over IB partitions are the IB

equivalent of Ethernet VNICs

IB P_KEY is the equivalent of a Ethernet

VLAN

Can apply same network resource

control to IB partitions

Allows mixing and matching of VNICs

and IB partitions in a zone


reserved.

Agenda






reserved.

VLAN Separation

VNICs can be assigned a VLAN id

Virtual switch provides VLAN

separation

Local traffic between VNICs

Traffic to and from external hosts

Extend VLAN separation from

physical network into virtual switch


reserved.

Dynamic VLAN Provisioning Elastic and Isolated Virtual Networks in the Cloud

Global zone dynamically sends

updates to switch when VLANs

are configured on physical NIC

Switch updates VLANs

associated with each port

Messages are sent only from

global zone

Data link protection can be used

to block attempts from non-global

zone to add unauthorized VLANs

Based on IEEE 802.1d standard


reserved.

Network

Virtualization

Virtual NICs (VNICs), Virtual switching, Hardware-assisted virtualization, Automatic

VNICs for zones, SR-IOV Integration, VLAN isolation, Anti-spoofing protection

Resource

Control Integrated QOS, Bandwidth limits, Mapping to CPUs or CPU pools for isolation

Performance Parallel stack, NUMA I/O Framework, SR-IOV Integration, Dynamic Polling, Buffer

Management, Pre-mapped buffers, Kernel Socket API, 4x Lower latency vs KVM,

Converged Ethernet

Built-in Network

Funtionality Routing, Firewall, Load Balancing, VRRP, Bridging

Management IPMP re-architecture, Vanity naming, Automatic IP configuration, Centralized IP

administration, Centralized data link administration, Consolidated data link

properties, GLDv3 unification for legacy drivers

Observability Real-time data link, hardware, and flow statistics. History integrated with extended

accounting. Capture local traffic through through virtual switch and IP loopback path.

APIs Committed GLDv3 APIs, pluggable TCP congestion algorithms, IP Filter Hooks,

Kernel socket API

Cloud-Scale Networking With Solaris 11


reserved.

For More Information / Try Out Today

• Product overview and download

– oracle.com/solaris

• Oracle Technology Network

– oracle.com/technetwork/server-storage/solaris11

• System administrators community

– oracle.com/technetwork/systems

• @ORCL_Solaris

• facebook.com/oraclesolaris

• Oracle Solaris Insider

31


reserved.


reserved.

[additional backup slides]


reserved.

Test the un-testable

• Fully simulate your production

environment

– Reduce expense with software network

equipment

– More testing means better quality

– Easier to test different scenarios or even

different production environments

– Better define your production environment

network requirements


reserved.

Control the un-controlable

• Introducing network resource control

– Bandwidth control

– Flow control

• Split up large network pipes

• Guarantee types of network traffic for

your applications

• Protect your systems from inside

bandwidth hogs

• Provide the correct levels of service


reserved.

Divide and guarantee

• Bigger systems and fatter pipes need

carving up

– Oracle Solaris Zones for isolation and

resource control

– Break up the fat network pipes with

bandwidth control

– Observe usage and adjust resources

dynamically without the need for outages

• Better and new resource controls

– See what you are using and account for it

– New chargeback models for networking

• More reliable


reserved.

Higher Consolidation Power the applications not the technology

37

Hypervisor Solaris 11

OS OS OS

Fat hypervisor steals memory resources

and introduces latency

Waste memory and disk space

on multiple fat OSes

Applications get the leftover

resources

CPU oversubscription introduces scheduling

inefficiencies

Solaris 10

OVM for SPARC

Zone Zone

Zone S10 Zone

Zone Zone

S8 Zone Zone

Zone S9 Zone

Inflexible, dedicated resources

Lots of threads for bare metal CPU

performance

Thin, efficient hypervisor

Minimized single

instance OS

Share resources


reserved.

Reliable, Available, Serviceable

• Network Virtualization not only

reduces cost

• Reduce or eliminate networking risk

– Eliminate cables

– Avoid user mistakes, wrong box, wrong

cable

– More observable to trace errors

– Easier to correct with software

implementation

– Leverage Solaris and SPARC RAS

secure cloud-scale virtualization

Technology

oracle andor

secure oracle solaris

p2v s10 zone solaris

zone zonecfg

zones network virtualization

s10 zone s10 zone v2v

resource control control

oracle vm seamless upgrades