5 Things to Know about PowerKVM (especially security)
AxelBuecker 270000KUKR Comments (2) Visits (8932)
In today’s virtualized world, many of us look into creating and running their own private cloud environment. We want to choose the best available option when it comes to reducing operational costs, improving management and security, and enhancing reliability.
I know that's a difficult task for any technology, but in April 2014 IBM announced the new POWER8 architecture, which can provide the right solution for our most important options. POWER 8 is designed for the highest critical applications, with a robust hardware infrastructure, and high level processing and memory utilization. It also is four times faster than the previous generation, and best of all, we can implement our cloud model choosing between two hypervisors: PowerVM and PowerKVM.
Yes, POWER8 supports a hypervisor for specific Linux guests based on the KVM hypervisor, which can help increase business flexibility and overall IT productivity. Let's talk about it.
1. Open source server virtualization
PowerKVM is the first open source server virtualization available for IBM Power Systems. Because the source code for this implementation is publicly available, organizations can develop optimized applications and obtain improved performance results with Linux applications on the POWER architecture. In addition, some organizations favor the fact that they are able to inspect the source code to ensure that a certain level of security has been obtained.
PowerKVM guests can reach performance levels that are very close to their non-virtualized counterparts, demonstrating very low KVM hypervisor overhead on POWER8 systems. In some cases, performance of a PowerKVM guest is reduced by as little as 3% compared to non-virtualized performance. For flexible scalability IBM provides several POWER8 models to select from. If you begin deploying your virtualized environment on an entry-level machine, PowerKVM allows you to migrate virtual machines to systems with more performance without business impact or downtime of your virtual machines. And this even works on the same hardware if you want to increase memory or add any CPUs or I/O devices.
Many organizations have deployed 200, 500, or 1,000 Linux physical serves, and PowerKVM can help you virtualize those Linux servers and provide a single management platform for virtualization called IBM PowerVC.
PowerVC is the new IBM advanced virtualization management offering built on OpenStack, which delivers virtualization management for Linux as well as IBM i and IBM AIX environments on IBM Power Systems. You can manage and deploy virtual images, obtain health status of virtualized environment, create templates to simplify the machine deployment process and manage live VM mobility between different PowerKVM hosts.
One of the main objectives of open source is to allow everyone to learn from it and to create better solutions because of it. This way, everyone in the industry can create new applications and new custom designs specifically for Linux servers running on IBM Power Systems and feed those back into the open source community for further improvements. At the end – we can all win and gain the most from these optimized systems.
Most organizations today are very concerned with security, and they should be. The big question is "If we migrate to a virtualized infrastructure, will we have security features available to keep our systems secure?". The answer is a definite "Yes!".
To address security for the PowerKVM hypervisor level I recommend taking a close look at the following seven steps:
To remotely manage your cloud environment in a secure fashion you need to configure proper authentication mechanisms using Simple Authentication and Security Layer (SASL) and Transport Layer Security (TLS). This allows you to manage user IDs and passwords with an internal PowerKVM database and use X.509 certificates.
A PowerKVM host can be a lucrative target for people with malicious intent, no matter if they are within your organization or not. You should use VLAN tagging to create different networks to access the PowerKVM host and its guests, and to separate network traffic.
Configure network filter drivers or firewall rules for each guest network device to prevent MAC and IP spoofing.
Use the PowerKVM sVirt tool to provide guest isolation. With proper configuration a guest process can only access the data (image files) that it has been granted access to.
Ensure that you are storing PowerKVM guest disk images in a protected place. Review your Linux user/group access permissions and SELinux labels.
Encrypt all PowerKVM guest disk images that are not running to ensure that they are safe and cannot be tampered with. Use the cryptsetup tool to encrypt your images using AES-256.
Enable audit mode to track PowerKVM host and guest changes and interactions at all times. You need to be able to provide a history of what actions were implemented on any of your PowerKVM hosts and guests.
If you properly utilize the various capabilities I introduced above, PowerKVM has the potential to be the better option to virtualize Linux servers, and with that, to improve your overall IT business situation.
I invite you to learn more about this on the IBM
For even more technical information make sure you read the IBM
Thiago Costa is a senior IT Specialist working in the Strategic Outsourcing group in IBM Brazil. He holds a B.S. degree in Computer Science from UNAMA and an MBA in Project Mananegent from FGV. He has over 13 years of experience with UNIX and Linux, spending the past 8 years at IBM.
His areas of expertise include IBM Power Systems, Linux, virtualization, and cloud computing. He is a Certified Advanced Technical Expert for Power Systems IBM AIX, a Certified Solution Architect for Cloud Computing Infrastructure, and a Red Hat Certified Engineer.