Posts Tagged ‘virtualization’

Virtualization Options

March 19th, 2010

As I mentioned in “Downtime past few days, coping with storms”, as a result of some things I noticed with a recent power outage, I’ve decided to take the leap to virtualization. Given the cost of current hardware that supports HVM (Intel VT-x or AMD-V), I immediately decided that I might as well give up on any thoughts of doing full virtualization or getting new-ish hardware. So I settled on the next step up from what I have now – a set of HP Proliant DL360 G3 servers. I got them with a 90 day warranty from a reputable dealer, dual 2.8GHz Xeon (512K cache), 2Gb RAM, dual 36.4Gb U320 15k RPM SCSI disks and dual power supplies for $99 each. My next step is to decide what virtualization software to use.

My main goals for the project are:

  • Lower power consumption through consolidation of servers.
  • Possibility to add capacity or resources by remotely powering up an idle server and migrating VMs to it.
  • Limited fault tolerance – ability to manually restore a VM that was running on failed hardware, onto an idle server.

I originally thought Xen, just out of reflex. However, given that all of my servers have the same base – the same distribution and, ideally, the same kernel and patch level – it seemed like a lot of overhead to duplicate that for multiple VMs. So I started looking into OS-level virtualization. There are relatively few options, and I’ll admit that aside from Solaris Containers (which I learned about while working at Sun) I don’t know much about it. But OpenVZ seems to be the front runner in that area. My initial impression was that it made a lot of sense – keep one common kernel, but allow containers/virtual environments (CTs/VEs) to have, essentially, their own userland. Unfortunately, it doesn’t seem to be as hyped as Xen, and I haven’t heard very much about it in the enterprise context. And it requires running a kernel from the OpenVZ project, which means I can’t just script updates through yum as easily as normal.

On the upside, OpenVZ would allow me to eliminate the duplication of the kernel, and seems to have much less overhead than Xen (and logically so). On the down side, I lose the ability to virtualize other OSes, kernel versions, or make pre-packaged VMs. I’ve decided that if I wanted to do that, I could dedicate a single machine.

I’ve spent the last day or so doing a lot of research, and have come up with the following questions and concerns about OpenVZ which I hope to be able to answer (I’ll post the answers in a follow-up).

  • How do I handle distribution and kernel upgrades? The logical solution would be to migrate the CT to another host while I upgrade CT0 (the hardware OS/host/dom0 in Xen speak). But if the guest and host kernels must match, how does this work?
  • Can I do package upgrades within the guest/CT easily? Will this play well with Puppet?
  • How will I handle backups? Is it logical to run bacula within each CT, or just on CT0? If just on CT0, how do I easily verify that a particular CT was backed up?
  • Will everything play well with Puppet? (see below)
  • Am I willing to throw away my KickStart-based installs? And, similarly, am I willing to give up the possibility of migrating from a container to a Xen host or a physical host (easily)?
  • OpenVZ live migration relies on rsync. This means that there’s a significant delay (compared to shared storage) and also that I can’t migrate off of a host that’s down. Is there a way around this?
  • Similarly, live migration requires root SSH key exchange (passwordless) between the hosts. This seems about equivalent to using hosts.equiv. Do I really want root on one box to mean root on another box (and all of the containers on that box)?
  • Can I still firewall CT0? How will this work?

It seems to me that OpenVZ may be significantly less enterprise-class than Xen. Sure, this is just my home setup, but I hold it to the same standards I use for my work systems. In fact, I usually test new technologies at home before I suggest them at work. A lot of the writing on the OpenVZ wiki seems to be riddled with spelling errors. They claim “zero downtime” live migration, but if they have to rsync 2Gb of MySQL tables, that sounds like a lot more than “zero”. And, most shockingly, the Hardware testing wiki page talks about making sure your hosts aren’t overclocked or undercooled, and running cpuburn to test your system under high load. Sorry, but the engineers at HP, Sun, IBM, etc. handle that for me and most people I know. So, I’m a bit worried about the seriousness of the OpenVZ project.

Most worrisome is a post I found in the OpenVZ forum, “Stopping puppet on hn stops it in all VE”. It seems that, since CT0 is aware of all of the guest container processes, they show up in ps lists. Most, if not all RedHat init scripts use killproc to stop and restart services. This means that a service syslog stop on the CT0 (host) will stop all syslog processes, including all of them in the CTs. This seems like a major issue. Sure, I could replace killproc on CT0 with a script that parses the process list, isolates the PIDs for those running on CT0, and kills them. But what else needs to be fixed? Nagios check scripts would need to be adjusted. Is there anything else that would come back and bite me?
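To make the killproc problem concrete, here is an added example (not code from the original post and not part of OpenVZ or Red Hat’s init scripts) of the “parse the process list and isolate the CT0 PIDs” wrapper described above. It assumes that an OpenVZ kernel adds an envID: line to /proc/<pid>/status giving the container ID of each process, with 0 meaning the host; the proc root is a parameter so the filtering can be exercised against a constructed tree instead of the live system.

```shell
#!/bin/sh
# Added example, not code from the original post or the OpenVZ project.
# It shows a host-side replacement for the "find PIDs by name and kill them"
# step that killproc performs, restricted to processes that actually belong
# to the host (CT0). Assumption: an OpenVZ kernel adds an "envID:" line to
# /proc/<pid>/status holding the container ID (0 for the host). The proc
# root is a parameter so the logic can be exercised on a constructed tree.

# host_pids NAME [PROCROOT]: print the PIDs named NAME whose envID is 0.
host_pids() {
    name=$1
    procroot=${2:-/proc}
    for status in "$procroot"/[0-9]*/status; do
        [ -r "$status" ] || continue
        pname=$(awk '$1 == "Name:"  { print $2; exit }' "$status")
        envid=$(awk '$1 == "envID:" { print $2; exit }' "$status")
        # No envID line at all means a non-OpenVZ kernel: every process is host-side.
        [ -n "$envid" ] || envid=0
        if [ "$pname" = "$name" ] && [ "$envid" = "0" ]; then
            pid=${status%/status}
            printf '%s\n' "${pid##*/}"
        fi
    done
}

# host_stop NAME [PROCROOT]: send SIGTERM only to host-side PIDs of NAME.
# Returns 1 when nothing matched, as killproc does for a service that is not running.
host_stop() {
    pids=$(host_pids "$1" "$2") || return 1
    [ -n "$pids" ] || return 1
    # Word splitting on $pids is intentional: one PID per word.
    kill -TERM $pids
}

# make_fake_proc: build a constructed /proc-like tree in a temp directory and
# print its path. PID 101 is the host's syslogd, 202 and 303 are syslogd inside
# containers 101 and 102, and 404 is the host's crond. Constructed sample data.
make_fake_proc() {
    root=$(mktemp -d) || return 1
    write_status() {  # write_status ROOT PID NAME ENVID
        mkdir -p "$1/$2"
        printf 'Name:\t%s\nState:\tS (sleeping)\nPid:\t%s\nenvID:\t%s\n' \
            "$3" "$2" "$4" > "$1/$2/status"
    }
    write_status "$root" 101 syslogd 0
    write_status "$root" 202 syslogd 101
    write_status "$root" 303 syslogd 102
    write_status "$root" 404 crond 0
    printf '%s\n' "$root"
}

# Demonstration against the constructed tree (no signals are sent).
fake=$(make_fake_proc)
echo "host-side syslogd PIDs: $(host_pids syslogd "$fake" | tr '\n' ' ')"
echo "syslogd entries seen by CT0: $(grep -l 'Name:.syslogd' "$fake"/*/status | wc -l)"
rm -rf "$fake"
```

On the constructed tree, CT0 sees three syslogd processes but only PID 101 is its own, so a stop wrapper built on host_pids would leave the containers’ syslogd instances running. The same envID check is what a Nagios check script would need before counting processes on the host.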

The bottom line is that (I guess this is logical) it seems that containers in OpenVZ will seem – and act – a lot less like a logical host than they would under Xen.

Projects

Microsoft and Novell Deliver Joint Virtualization Solution – or do they?

September 11th, 2008

From PRNewsWire: Microsoft and Novell Deliver Joint Virtualization Solution Through Partners. The headline of the press release: “Supported by Dell and other channel partners, solution includes SUSE Linux Enterprise Server running as optimized guest on Windows Server 2008 Hyper-V.”

Now, maybe I’m not up on the news regarding my favorite distribution, but it seems to me that a deal allowing SuSE to be virtualized as a guest under Windows is not only “joint”, but plain moronic. Despite the marketing efforts of Microsoft, Unix-based systems (including Linux) have always had the upper hand in availability, reliability, and performance.

I must say, from what I’ve heard, Windows Server is getting *much* better in these areas – and I’ve even heard that the latest version includes an option to install without a graphical environment, and even includes a command-line that’s useful. It’s about time.

However, it seems to me, that any virtualization deal between Microsoft and a Linux distributor can provide only one logical solution: Windows Server virtualized as a guest in a high-availability Linux host. More importantly, without the insane per-processor licensing – a per-VM instance license that’s hardware-agnostic and allows VMs to be migrated across hardware as the admin sees fit.

Oh, and one more insight. If Microsoft wants to be a serious player in the virtualization arena, here’s a few “simple” steps:

  1. Get Windows Server to work correctly under Xen, VirtualBox, etc. Certify it. Provide the correct guest OS tool packages.
  2. Provide simple management of Windows in a virtualized environment – minimally, a standard SSH server that’s compatible with OpenSSH, a GUI-less environment, and a serial console.
  3. Get rid of per-processor licenses. Provide a basic license that allows for, say, 10 VMs to be running at once, and allows as many installs as needed – the only licensing is based on the amount of VMs actually running. i.e., if you have 10 VMs and one gets corrupted, you can bring that one down and online a back-up image, without violating the license.
  4. Make licensing processor-agnostic. Want to migrate a Xen VM (Windows guest) from a dual-core Pentium to an 8-core Xeon, or even a 16 processor SPARC? Sure, no problem.

Ideas and Rants

Links for 2008-02-23

February 25th, 2008

Some links for today:

Microsoft’s new promises on interoperability, open standards, etc. – somewhat ironic given the Office Open XML debacle on “standards”. And Red Hat’s worries about it. (Ars Technica)

Groklaw’s lengthy analysis of the promises.

Pakistan removed from the Internet, causes global YouTube outage.

A Guardian article on the WikiLeaks debacle – perhaps the biggest affront to the First Amendment this year.

An InformationWeek article about some guys from BlackHat D.C. who said that they will be able to crack GSM encryption in under 30 minutes with $1,000 of technology or 30 seconds with $100,000 (FPGAs – Maybe a cluster of PS3’s?)

A Princeton University blog about cold boots possibly able to crack the Windows BitLocker system.

Yay! Firefox has hit its 500 millionth download!!! And there was much rejoicing…

An ArsTechnica article on Internet Explorer, what should be done to fix it, and how there can still be a non-standards-compliant browser.

Jeremy’s Blog – the mind behind LinuxQuestions.org – provides a recap of the 2007 LQ Members’ Choice awards. Some interesting winners were VirtualBox for virtualization package, Debian for server distro, Knoppix for Live Distro, Eclipse for IDE/Web Development Environment, Python for language of the year, and – much to my chagrin – vi/vim for editor.

A LinuxJournal article on What’s Next for Open Source and Public Media.

LinuxInsider – EU taking Microsoft’s promises with a grain of salt, noting that MS has made “at least four similar statements” in the past.

Chris Siebenmann – “Where the risk is with virtualization (and iSCSI)” and “Wireless, machine rooms, and the Asus eeePC”.

IBM DeveloperWorks – OOXML: What’s the big deal? – outlining the technical objections to OOXML as a standard. Linked from a rootprompt.org article mentioning that “OOXML is essentially a complete replication of every chunk of data that a Microsoft Office application might possibly save in a file”.

Slashdot YRO – a guy who got his stock photos stolen, entered into a long legal battle, and won.

Microsoft’s Windows Vista Capable lawsuit granted class-action status.

A Washington Post article on Hans Reiser’s Geek Defense strategy.

A Slashdot post linking to news that Apple sent a cease-and-desist order to the Hymn Project, which produces software to remove DRM from iTunes songs. Apple had their ISP remove all download links. (I guess the only solution is for us all to buy bandwidth right from an NSP…)

Yahoo’s shareholders are suing it for not gobbling up the Microsoft deal.

Comcast getting sued AGAIN for P2P filtering.

A leaked RIAA training video for prosecutors, going so far as to say that IP piracy can lead to arrests for drugs, weapons, or terrorism. It also includes instructions on how to get a RIAA investigator certified as a court expert.

A New York Times article on – gasp – women using the Internet. Linked from Tom Limoncelli’s blog.

Interesting Links and Resources