Secure Cloud-Scale Virtualization
Solaris Virtualization presentation given at Solaris 11 Technical Forum in Conshohocken PA and Reston VA in May, 2012.

Comment: Solaris Virtualization presentation delivered by Steffen Weiberle at the Conshohocken PA Solaris 11 Technology Forum on May 23.

Secure Cloud-Scale Virtualization Presentation Transcript

  • 1. Oracle Solaris 11 Secure Cloud-Scale Virtualization. Steffen Weiberle, Principal Solutions Consultant. Copyright © 2011, Oracle and/or its affiliates. All rights reserved.
  • 2. Agenda
    – Integrated Virtualization
    – Use Cases for Zones
    – Network Virtualization and Resource Control
    – Built for Cloud Deployments
  • 3. Integrated Virtualization (diagram of five areas: Provisioning, Network Virtualization, Security, Software Management, Data Management)
  • 4. Integrated Virtualization
    – Provisioning: Automated Installer, Distro Constructor
    – Security: ZFS Encryption, Immutable Zones, Delegated Admin
    – Network Virtualization: Network in a box, Bandwidth Control, Resource Mgmt
    – Software Management: IPS, Repositories, Boot Environments
    – Data Management: ZFS, COMSTAR
  • 5. Independent, Efficient Virtualization
    – Oracle Solaris Zones are more complete: more flexible content with IPS; NFS server in a zone; delegated ZFS datasets; exclusive IP by default; recognized hard partition; full support for the Oracle stack; legacy support with Oracle Solaris 10 Zones
    – The default environment for your application
  • 6. Agenda (repeated): Integrated Virtualization; Use Cases for Zones; Network Virtualization and Resource Control; Built for Cloud Deployments
  • 7. Consolidate to efficiency
  • 8. Self Service, Rapid Deployment
    – Bring services online quickly: isolated; fast zone boot; encapsulated; VM templates; zone cloning and attach/detach; minimized out of the box; resource control
    – Deploying in a zone brings business agility by default
  • 9. Seamless Upgrades (Oracle Solaris 11 Zones, Oracle VM)
    – Seamless upgrades from the previous version, assisted with a built-in pre-flight checker
    – Live migration with OVM SPARC and OVM x86
    – [Diagram: p2v and v2v migrations from Solaris 10 systems into S10 Zones and S11 Zones on Solaris 10, Solaris 11 and Oracle VM hosts, with Live Migrate between Oracle VM hosts]
  • 10. Tailored Security: Defense with Depth
    – Always secure: Oracle Solaris Zones add even more control and depth: Immutable Zones (strict or relaxed); data protection with RO storage access; data link protection for mis-behaving applications; access protection with Delegated Administration; secure by default
    – No special hardware needed: built-in, secure, cost free
  • 11. Zones and Resource Control (1): resource control and control name
    – Exclusive CPUs for a zone: zonecfg:dedicated-cpu
    – Absolute limit on the amount of CPU resources for this zone: zone.cpu-cap
    – Number of fair share scheduler (FSS) CPU shares for this zone: zone.cpu-shares
    – Total amount of physical locked memory available to a zone: zone.max-locked-memory
    – Total amount of System V shared memory allowed for this zone: zone.max-shm-memory
  • 12. Zones and Resource Control (2): resource control and control name
    – Total amount of RAM that can be consumed by a zone's processes: zonecfg:capped-memory:physical
    – Total amount of swap that can be consumed by user process address space mappings and tmpfs mounts for this zone: zone.max-swap
    – Maximum number of processes that a zone can run: zone.max-processes
    – Maximum number of software threads that a zone can run: zone.max-lwps
  • 13. Plan for Capacity With Clear Observability
    – To plan you need to clearly see your environment: zonestat, flowstat, DTrace
    – OEM Ops Center to bring it together
    – Plan for consolidation
    – Plan for expansion
    – Unbeatable observability with clarity
  • 14. HA for Oracle Solaris Zones Deployments
    – Zone Clusters, independent virtual clusters: application protection with resource dependencies management, policy based restart and failover; ease of use with delegated administration across the virtual cluster; ideal for multi-tiered workloads and consolidation
    – Failover Zone, highly available resource: zone protection with resource dependencies management, restart and failover; ideal for packaged, closed workloads
    – [Diagram: a physical cluster of Server 1, Server 2 and Server 3 hosting Zone1 and Zone2 as zone clusters running apps, and Zone 4 as a failover zone]
  • 15. Agenda (repeated): Integrated Virtualization; Use Cases for Zones; Network Virtualization and Resource Control; Built for Cloud Deployments
  • 16. Crossbow: Built-in Network Virtualization and Resource Control
    – Network Virtualization: Virtual NICs, Virtual Switching, Network in a Box
    – Bandwidth Partitioning: Built-in QoS, bandwidth limits for data links and on a per-flow basis
    – Resource Control: Constrain traffic processing to CPUs or CPU pools dedicated to zones
    – Observability: Real-time usage and history for VNICs, hardware resources, and traffic flows
    – Dynamic Scalability: Parallel traffic from hardware to applications, polling, NUMA I/O
  • 17. Parallel Network Virtualization Architecture
    – Virtualization and QoS designed in
    – Independent hardware lanes with dedicated resources (CPUs, I/O threads, interrupts) from the NIC to applications
    – VNIC behaves just like a regular NIC (link speed, stats, MAC address)
    – Hardware and software fanouts for best scalability
    – Adaptive polling mode depending on load
  • 18. Network Resource Control
    – Set bandwidth limit on a VNIC (virtual link speed)
    – QoS integrated in the core stack, no separate component to configure
    – Constrain the CPUs used by VNICs or data links by CPU ids or pool names
    – Integrated with Solaris resource management and zones
    – # dladm create-vnic -l net0 -p maxbw=100M vnic0
  • 19. Controlling and Observing Flows: Control the Un-Controllable
    – Built-in QoS can be applied to traffic flows specified by the administrator
    – Managed by flowadm(1M) and specified by source and destination IP addresses, protocol, port number, etc.
    – Flows can be observed in real time with flowstat(1M), or a history can be obtained using extended accounting
  • 20. Highly Available VNICs
    – Link Aggregation provides transparent failover and increased throughput to VNICs and zones; compliant with IEEE 802.3ad
    – IP Multipathing (IPMP) can also be used, but needs to be configured from within zones
  • 21. Virtual Switching
    – A virtual switch is created automatically when VNICs are configured
    – Virtual switches allow VNICs to communicate with each other and with hosts on the network
    – Use etherstubs instead of physical NICs to build virtual switches that are independent from any hardware
    – As many as you want on a single host
  • 22. Private Virtual Network
    – Use a virtual switch to build a private network
    – Use a zone to firewall the private network, and route with the physical network
    – Virtual router/firewall has a very small footprint
  • 23. Virtual Multi-Tiered Architecture
  • 24. Simulating Network Latencies
  • 25. Data Center Modeling and Network Consolidation with Oracle Solaris 11
    – Built-in Network Functions: Routing, Firewall, Bridging, Integrated Load Balancer, VRRP
    – Network Virtualization: Virtual switching, Virtual NICs, QoS
    – Solaris Zones: lightweight, small footprint
    – Resources control: CPU pools, NUMA I/O, memory capping
  • 26. Infiniband and Zones
    – Infiniband (IB) is the backplane for Engineered Systems: SPARC SuperCluster, Exadata, Exalogic
    – IP over IB partitions are the IB equivalent of Ethernet VNICs
    – IB P_KEY is the equivalent of an Ethernet VLAN
    – Can apply the same network resource control to IB partitions
    – Allows mixing and matching of VNICs and IB partitions in a zone
  • 27. Agenda (repeated): Integrated Virtualization; Use Cases for Zones; Network Virtualization and Resource Control; Built for Cloud Deployments
  • 28. VLAN Separation
    – VNICs can be assigned a VLAN id
    – Virtual switch provides VLAN separation for local traffic between VNICs and for traffic to and from external hosts
    – Extend VLAN separation from the physical network into the virtual switch
  • 29. Dynamic VLAN Provisioning: Elastic and Isolated Virtual Networks in the Cloud
    – Global zone dynamically sends updates to the switch when VLANs are configured on a physical NIC
    – Switch updates VLANs associated with each port
    – Messages are sent only from the global zone
    – Data link protection can be used to block attempts from a non-global zone to add unauthorized VLANs
    – Based on the IEEE 802.1d standard
  • 30. Cloud-Scale Networking With Solaris 11
    – Network Virtualization: Virtual NICs (VNICs), Virtual switching, Hardware-assisted virtualization, Automatic VNICs for zones, SR-IOV Integration, VLAN isolation, Anti-spoofing protection
    – Resource Control: Integrated QoS, Bandwidth limits, Mapping to CPUs or CPU pools for isolation
    – Performance: Parallel stack, NUMA I/O Framework, SR-IOV Integration, Dynamic Polling, Buffer Management, Pre-mapped buffers, Kernel Socket API, 4x lower latency vs KVM, Converged Ethernet
    – Built-in Network Functionality: Routing, Firewall, Load Balancing, VRRP, Bridging
    – Management: IPMP re-architecture, Vanity naming, Automatic IP configuration, Centralized IP administration, Centralized data link administration, Consolidated data link properties, GLDv3 unification for legacy drivers
    – Observability: Real-time data link, hardware, and flow statistics; history integrated with extended accounting; capture local traffic through the virtual switch and IP loopback path
    – APIs: Committed GLDv3 APIs, pluggable TCP congestion algorithms, IP Filter Hooks, Kernel socket API
  • 31. For More Information / Try Out Today
    – Product overview and download: oracle.com/solaris
    – Oracle Technology Network: oracle.com/technetwork/server-storage/solaris11
    – System administrators community: oracle.com/technetwork/systems
    – @ORCL_Solaris
    – facebook.com/oraclesolaris
    – Oracle Solaris Insider
  • 32. [blank slide]
  • 33. [additional backup slides]
  • 34. Test the un-testable
    – Fully simulate your production environment: reduce expense with software network equipment; more testing means better quality; easier to test different scenarios or even different production environments; better define your production environment network requirements
  • 35. Control the un-controllable
    – Introducing network resource control: bandwidth control, flow control
    – Split up large network pipes
    – Guarantee types of network traffic for your applications
    – Protect your systems from inside bandwidth hogs
    – Provide the correct levels of service
  • 36. Divide and guarantee
    – Bigger systems and fatter pipes need carving up: Oracle Solaris Zones for isolation and resource control; break up the fat network pipes with bandwidth control; observe usage and adjust resources dynamically without the need for outages
    – Better and new resource controls: see what you are using and account for it; new chargeback models for networking
    – More reliable
  • 37. Higher Consolidation: Power the applications, not the technology
    – [Diagram: Solaris 10 with multiple fat OSes on dedicated resources (wasted, inflexible resources); Solaris 11 with a minimized single-instance OS where zones share resources and applications get the leftover memory and disk space; a hypervisor where a fat hypervisor steals memory resources, CPU oversubscription introduces scheduling inefficiencies and lots of threads introduce hypervisor latency; OVM for SPARC as a thin, efficient hypervisor with bare-metal CPU performance]
  • 38. Reliable, Available, Serviceable
    – Network Virtualization not only reduces cost
    – Reduce or eliminate networking risk: eliminate cables; avoid user mistakes, wrong box, wrong cable; more observable to trace errors; easier to correct with software implementation; leverage Solaris and SPARC RAS
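As an added example that is not part of the deck and not Oracle's own tooling, the POSIX shell script below strings together the Crossbow and zonecfg commands the slides describe (the etherstub virtual switch of slide 21, the bandwidth-capped VNIC of slide 18, VLAN ids from slide 28, the data link protection of slides 10 and 29, a flowadm flow cap from slide 19, and the capped-memory and capped-cpu zone controls of slides 11 and 12) into one private-network provisioning runbook. Every link and zone name (stub0, vnic0, web1), the address 192.0.2.10, the VLAN id and the bandwidth and memory values are constructed placeholders. The script runs in dry-run mode by default and prints the commands instead of executing them, so it can be checked on any host; DRY_RUN=0 as root on a Solaris 11 system applies them.

```shell
#!/bin/sh
# Added example (not from the slide deck or from Oracle): provision a private
# virtual network with bandwidth caps and anti-spoofing protection, then hand
# the VNIC to an exclusive-IP zone with memory and CPU caps.
# All names, addresses and limits below are constructed placeholders.
# DRY_RUN=1 (default) prints each command instead of running it.

DRY_RUN="${DRY_RUN:-1}"

# Execute a command, or print it verbatim in dry-run mode.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only the bandwidth syntax dladm/flowadm take for maxbw: a positive
# integer with an optional K, M or G suffix (bits per second), e.g. 100M.
valid_maxbw() {
    printf '%s' "$1" | grep -Eq '^[1-9][0-9]*[KMGkmg]?$'
}

# Slide 21: an etherstub is a virtual switch with no physical NIC behind it.
create_vswitch() {
    run dladm create-etherstub "$1"
}

# Slides 18 and 28: a VNIC on a link, with a bandwidth cap (virtual link
# speed) and, when a VLAN id is given, VLAN separation inside the switch.
# Usage: create_capped_vnic LINK VNIC MAXBW [VLAN_ID]
create_capped_vnic() {
    link=$1 vnic=$2 bw=$3 vid=$4
    if ! valid_maxbw "$bw"; then
        printf 'invalid maxbw %s for %s\n' "$bw" "$vnic" >&2
        return 1
    fi
    if [ -n "$vid" ]; then
        run dladm create-vnic -l "$link" -v "$vid" -p maxbw="$bw" "$vnic"
    else
        run dladm create-vnic -l "$link" -p maxbw="$bw" "$vnic"
    fi
}

# Slides 10 and 29: data link protection. mac-nospoof and ip-nospoof stop the
# zone that owns the VNIC from forging its MAC or source address, and
# allowed-ips pins the addresses it may use (Solaris 11 dladm link properties).
protect_vnic() {
    vnic=$1 ip=$2
    run dladm set-linkprop -p protection=mac-nospoof,ip-nospoof "$vnic"
    run dladm set-linkprop -p allowed-ips="$ip" "$vnic"
}

# Slide 19: a flow selected by transport and local port with its own cap,
# so one service cannot consume the whole VNIC.
# Usage: create_capped_flow LINK FLOW PROTO PORT MAXBW
create_capped_flow() {
    link=$1 flow=$2 proto=$3 port=$4 bw=$5
    if ! valid_maxbw "$bw"; then
        printf 'invalid maxbw %s for flow %s\n' "$bw" "$flow" >&2
        return 1
    fi
    run flowadm add-flow -l "$link" \
        -a transport="$proto",local_port="$port" -p maxbw="$bw" "$flow"
}

# Slides 5, 11 and 12: give the VNIC to an exclusive-IP zone and cap the
# zone's RAM (capped-memory:physical) and CPU (capped-cpu, i.e. zone.cpu-cap).
# Usage: configure_zone ZONE VNIC MEMORY NCPUS
configure_zone() {
    zone=$1 vnic=$2 mem=$3 ncpus=$4
    run zonecfg -z "$zone" \
        "set ip-type=exclusive; add net; set physical=$vnic; end; add capped-memory; set physical=$mem; end; add capped-cpu; set ncpus=$ncpus; end"
}

# Constructed end-to-end run: one VLAN 10 segment behind stub0, a web VNIC
# capped at 100M with a 20M cap on its HTTP flow, owned by zone web1.
provision_private_network() {
    create_vswitch stub0 &&
    create_capped_vnic stub0 vnic0 100M 10 &&
    protect_vnic vnic0 192.0.2.10 &&
    create_capped_flow vnic0 web-http tcp 80 20M &&
    configure_zone web1 vnic0 2G 2
}

provision_private_network
```

The dry-run output is the reviewable change set: each line is exactly the command that would run, which makes the runbook easy to diff against what a later `dladm show-linkprop` or `flowadm show-flow` reports on the host. Rejecting malformed bandwidth values before any command runs keeps a typo from leaving a VNIC uncapped halfway through the sequence.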