virtualization overview berhè tesfay senior system engineer [email protected]
TRANSCRIPT
Agenda> Virtualization Overview> Trend’s Software Virtual Appliance Strategy> Certified By Trend Micro Program Overview> IWSVA > VMware Performance Tuning> VMware Troubleshooting
What is Virtualization?> Allows one computer to perform the job of multiple computers> Resources are shared through virtualized computers> Single computer can host multiple OS and applications
> Hypervisor transforms hardware into software to create virtual machines with their own CPU, memory, disk, and network controllers
> Multiple virtual machines run on the same physical HW without interfering with each other
Major Virtualization Players> VMware> Citrix XenServer> Microsoft Server 2008 Hyper-V> Sun LDOM (Sparc), Sun xVM VirtualBox (x86)
Market Drivers of Virtualization
Osterman Research Rpt 02/08
Trend’s Software Virtual Appliance Strategy
> A move away from traditional hardware appliances> Consolidating software to single SVA platform> Flexible deployment types to maximize sales
> Software Appliance> Virtual Appliance
> SVA Strategy Allows Trend Micro To…> Keep up with changing technology in malware detection/prevention> Adopt to latest CPU technology within a few months> Reduce development costs and consolidate to single platform
> Traditional Security Appliances Can’t Keep Up With Malware> Appliance useful life reduced to ~18/24 months> Requires more and more CPU and memory> ASICs are too expensive to develop and are out of date quickly
Flexible Software Virtual Appliance Approach
Trend Micro
IxSVA Application
Virtual
Appliance
Software
Appliance
Provides virtualized
deployments via Hypervisor
technologies
Provides “bare-metal”
installation with tuned,
security-hardened OS
Hardened, Integrated OS & Security Application
Future:
Trend SVA Benefits
> Reduce Costs> Increase IT Flexibility
> Improve Disaster Recovery & Business Continuity
•Provide operational flexibility
•Simplify management
•Optimize IT resources
•Consolidate and reduce costs
•Mitigate cost of proprietary hardware
•No need to install & support OS
•Standardize hardware configurations
•Provide more capacity at lower costVirtual Appliance Software Appliance
IxSVA
Software Virtual Appliance
VMware Virtual Appliance
Trend Micro IxSVA
Included here
InterScan Web Security Virtual Appliance
“Certified by Trend Micro”Trend Micro Virtual Software Appliance Platform Certification Program
Independent Hardware/Appliance Vendor (IHV,IAV) Benefits
• Broaden your security offerings and increase market opportunity
• Assure customer satisfaction• Fully supported platform by Trend Micro• Increase cost-effectiveness of technology investment
Customer Benefits• Assured compatibility with Trend Micro software
virtual appliances• Fully supported platform by Trend Micro • Convert idle existing assets to security defenses• Increase cost-effectiveness of technology investment
““Certified by Trend Micro” Appliance Platforms will be Supported by Trend MicroCertified by Trend Micro” Appliance Platforms will be Supported by Trend Micro
The “Certified by Trend Micro” program provides Independent Hardware / Appliance Vendors (IHVs) the ability to go to market with Trend Micro software virtual appliance solutions that have been tested and verified on their appliance or server platforms.
Certification Process, in Partnership with AppLabs
How Do Vendors Get Certified?> Trend certification test suite is run on vendor’s HW for 72 hours> Tests are performed by AppLabs (Trend’s certification partner)> Results are validated and accepted or denied by Trend PDG> HW that passes are accepted into “Certification Program”> Vendor provides HW to PDG and Core Support for duration of certification
How Does Customer Get Support for SVA?
> Support rep triages problem to isolate if application, OS or hardware platform> Trend will support SVA’s application and OS> Hardware platform is supported if server is Trend Certified> Otherwise, customer must resolve hardware issues with their reseller or
hardware vendor
Trend Supports SVA Operating System> IWSVA and IMSVA is based on CentOS 5.x operating system> CentOS is a branch of RedHat’s Enterprise Server> Vulnerabilities that affect IxSVA will be reviewed and patched through open
source community and Trend> OS patches will be distributed through Trend’s download site
Trend Micro’s First SVA - IWSVA
IWSVA Software Virtual Appliance> Single CD install contains everything
customer needs> Installer Wizard for rapid sub 15 minute
installation> Broad hardware platform support with many
off-the-shelf servers
> Installable as Software Appliance or Virtual Appliance
> Purpose-build, hardened 64 bit OS that is performance tuned
> Industry standard Command Line Interface (CLI)
> Simple to scale with more powerful hardware or more VM instances
IWSVA New Features> Features latest Trend Micro WTP
technology> CLI interface for true appliance functionality> Transparent Bridge Mode support for
seamless deployment > Reporting DB enhancements to match high-
performance hardware capabilities> Configuration migration from IWSA 3.1,
IWSS 3.1 Linux, IWSS 3.1 Windows> Bundles SQUID 3.0 for convenience, ICAP
v1.0 support
Availability> GA: August 4, 2008
Trend Micro Internal & Confidential
IWSVA HW Requirements
Minimum > Single 2.0 GHz Intel Core2Duo 64-bit
processor supporting: Intel(TM) VT(TM) or equivalent
> 2GB RAM> 8GB disk space> Monitor that supports 800 x 600 resolution with
256 colors or higher
Recommended> Dual 2.8 GHz Intel Core2Duo 64-bit processor or
equivalent for up to 4000 users> Dual 3.0 GHz Intel QuadCore 64-bit processor
or equivalent for up to 8000 users> 4GB RAM supports up to 4000 users> 8GB RAM supports up to 8000 users> 300GB disk space or more for log intensive
environments (fast 15K RPM SAS drives)
Certified Platforms• Dell PowerEdge 1950 Series II/III• Dell PowerEdge 2950 Series II/III• HP Proliant DL 380• IBM Systems x3550
IWSVA GA Certified HW Reference
How Does This Relate to Our Existing Form Factors?
SoftwareVirtual
Host
Architecture
Trend Hardware
Trend
Appliance OS
IxSA
IHV Hardware
Native OSWindows, Linux, Solaris
IxSS
Virtual
Appliance
Software
Appliance
IHV Hardware
Trend
Linux OS
IxSVA
IHV Hardware
Native OSWindows, Linux, Solaris
VM VM VM
VMware Server
IxSS
OS
IHV Hardware
VM VM VM
VMware ESX
IxSVA
Lx OS
Hardware
Appliance
Sizing at Glance – Software Appliance
Conditions:
• Zero TCP connection failure & Zero HTTP transaction failure
• Less than 2 seconds for an average page load.
Hardware:
• Dell 1850: 1 x Xeon DualCore x 2.80 GHz / 2Gb / 1 x 146Gb 15K SCSI / 2 x Gigabit NICs
• Dell 1950: 2 x Xeon E5335 DualCore x 2Ghz/ 4GB / 2 x 73Gb 15K RPM SAS / 2 x Gigabit NICs
• Dell 1950: 2 x Xeon 5160 DualCore x 3Ghz/ 4GB / 2 x 73Gb 15K RPM SAS / 2 x Gigabit NICs
• Dell 2950: 2 x Xeon X5460 QuadCore x 3.16Ghz / 8GB / 3 x 73Gb 15K RPM SAS / 2 x Gigabit NIC
Server Type MemoryConcurrent
Connections
HTTP Transactions per Second
Throughput(Mbits per second)
Total User Population per
device
2 CPU (Xeon 80546K)
2GBytes 500 340 40 Mbits / second Up to 700
4 CPU (Xeon E5335)
4GBytes 2400 1590 188 Mbits / second Up to 3400
4 CPU (Xeon 5160)
4GBytes 2700 2191 262 Mbits / second Up to 3800
8 CPU (Xeon X5460)
8GBytes 6700 5155 615 Mbits / second Up to 9500
* See sizing guide for more sizing calculations
17
Sizing at Glance – Virtual Appliance
Conditions:
• Zero TCP connection failure & Zero HTTP transaction failure
• Less than 2 seconds for an average page load.
Physical Hardware:
• VMware ESX 3.5 running on Dell 2950 in a virtual machine configured similar to Dell 1950
• Virtual Appliance configured with specific resource allocations
Virtual Appliance vs. Software Appliance
The performance degradation is 12 - 15% due to the overhead of performing the virtualization
Server Type MemoryConcurrent
Connections
HTTP Transactions per
Second
Throughput(Mbits per second)
Total User Population per
device
4 vCPU (4Ghz Allocation)
4GBytes 1000 727 87 Mbits / second Up to 1400
4 vCPU (8Ghz Allocation)
4GBytes 2100 1486 177 Mbits / second Up to 3000
4 vCPU (12Ghz Allocation)
4GBytes 2400 1636 193 Mbits / second Up to 3400
* See sizing guide for more sizing calculations
18
Performance Sizing VariablesNumber (Connections/User x Concurrent User % x User Population)
Of = ------------------------------------------------------------------------------------ X (1 – Cache %)
Servers Server’s Maximum Concurrent
Connections
Example:Average connections per user: 3
Concurrent Users on Internet: 33%
User Population: 15000 users
Dell 2950 Server (8 Cores, 8G Ram): 6700
Cache Percentage: 0% (no caching)
(3 x .33 x 15000)
# of Servers = ------------------------------ X (1 - 0) Equals: 2.22 servers
6700 max cps (Dell 2950)
Round up to nearest whole server: 3 Dell 2950 servers
Calculating Maximum of Users per Server
Maximum Server’s Maximum Concurrent Connections
# Of = ---------------------------------------------------------------- X Concurrent users % on Internet
Users Connections per User
Example:Average connections per user: 4
Concurrent Users on Internet: 33%
Dell 2950 Server (8 Cores, 8G Ram): 6700
6700 max cps (Dell 2950)
# of Users = ------------------------------------ Equals: 5075 users maximum for this server
(4 x .33)
Supporting IxSVA Products Under VMware
> Create Virtual Machine
> Install SVA Application
> Performance Tune Virtual Machine (if necessary)
> Troubleshooting Tips
Installation on VMware ESX
1. Upload the IWSVA CD image to VMware server
2. Create a New Virtual Machine and assign resources
3. Bind CD ISO to CD autostart and start Virtual Machine
4. Go through the Installation Process
Login and Upload the IWSVA ISO Image
Create the Virtual Machine
Install IWSVA
Performance Tuning - VMware ESX
> Performance tune ESX, VMkernel, Guest OS
> Install VMware Tools to Guest OS for memory management
> Allocate resource pools for the application> Use the Trend Micro product readme as a guide for resource allocations
> Configure the Virtual Machine to use Virtual SMP
> For high throughput applications (IWSVA, IMSVA)> Use 2 or more physical network cards for the vSwitch where the products
are connected to> Use only 1Gbit physical network cards
Performance Tuning - VMware ESX> Underlying hardware needs to be utilized according to best practice> Use high performance RAID storage where possible
> 15K RPM disks> Large Stripe Size
> For networking> Use gigabit only> One dedicated connection for console access> Two or more dedicated physical NIC’s per configured vSwitch
Performance Tuning - VMware ESX
> Avoid the VMkernel swapping> Monitor /proc/vmware/swap/stats file. If constantly over 0, add
more physical memory
> Tuning the Guest OS can offer significant performance improvements> Install VMware Tools> Disable unused services in OS> Disable unused hardware in virtual machine profile> Use SCSI for disk type profile
Performance Tuning – Guest OS> One main function of VMware Tools is to deallocate memory from
selected virtual machines when RAM is scarce
ample memory; balloon remains uninflated
inflate balloon
Driver demands memory from
guest OS
Guest is forced to page out to its own paging area;
VMkernel reclaims memory
deflate balloon
Driver relinquishes memory
Guest may page in; ESX Server grants
memory
Virtual Machine Resource Pools> Resource pools allows VMware ESX to pre-allocate compute and
memory resources for dedicated use> For IWSVA it is best to allocate the following for a resource pool
>4096Mb RAM>3000Mhz
> If no resource pool or reservation is defined, 50% of configured requirements is captured for that VM
VMware ESX Guest OS Performance Monitoring
> Use the VI3 Client to view Guest OS performance
> Change chart options to
gather the statistics you
are after
Troubleshooting and Fault Analysis
> Virtual machine problems can be caused by> Not enough physical resources> Not enough virtual resource available (allocation issues)> Guest OS or application failures> Misconfigurations
Q&A