Enterprise adoption of KVM is growing, and KVM features are continually being updated and expanded. Development in KVM is focused not only on high performance – the must-have for enterprise adoption – but also on support for application developers and systems administrators, storage, usability, high availability, disaster recovery, and security. As an active participant in the KVM development community, IBM continues to dedicate its considerable expertise to open virtualization with KVM. (Learn more about the IBM KVM commitment.) Here is a look at some of the KVM features we expect to see in upcoming enterprise Linux releases – and why they will matter to enterprise users.
Support for Application Developers and Systems Administrators
Among the new features that have emerged upstream in KVM is a tracing framework for the QEMU-KVM subsystem, which is important for developers and administrators who want to trace their workloads. It allows tracing all the way from the guest into the host kernel and back. For developers, it is a way to debug issues; for administrators, it is useful for diagnosing problems in the field. For example, if they are experiencing poor performance or unexpected behavior, they can turn tracing on and send the trace logs to the developers for remediation. Or, if administrators want to understand how an application is working in their data center, they can turn tracing on and evaluate that themselves. It shows how execution proceeds through the different components and where the time goes. If they run a trading application, for instance, they can see how much time is spent processing each packet and how much time is spent in the database.
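As a rough sketch of how this looks in practice – assuming a QEMU binary built with tracing enabled, and trace-point names that exist in your QEMU version – you list the events you want in a file and point QEMU at it:

```shell
# List the QEMU trace points to enable (event names vary by QEMU version;
# these virtio-blk events are illustrative).
cat > /tmp/qemu-trace-events <<'EOF'
virtio_blk_req_complete
virtio_blk_handle_write
EOF

# Launch the guest with those events traced (commented out here because it
# needs a guest image and a tracing-enabled QEMU build):
# qemu-system-x86_64 -enable-kvm -m 2048 -drive file=guest.img \
#     -trace events=/tmp/qemu-trace-events,file=/tmp/qemu-trace.log
```

Host-kernel-side activity can be captured in parallel with ftrace or trace-cmd and correlated with the QEMU log by timestamp.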
Why it matters
This is really good for troubleshooting in the data center, where a complicated situation can involve interactions among networking, storage, hypervisors, and applications.
IBM is working on something called KVM FS, an integrated clustered file system based on the Gluster file system that Red Hat recently acquired. KVM FS exports a block device directly to the guest as a file; the guest treats it as a virtual disk image. Then, when the guest sends a block command (usually a SCSI command) to the file, the host benefits from storage offload: KVM FS passes that block command directly to the hardware. VMware offers a similar capability through its storage offload API, VAAI (vStorage APIs for Array Integration). The second thing KVM FS enables is a shared file system, so when you migrate a guest, its block device is still available on the new host. This is scheduled to be done by the end of this year.
Why it matters
This will be important to everybody except the most high-end customers. On the high end, we already have enterprise storage and clustered storage like GPFS and SONAS, and we have NFS filers that do most of those things, as well as other things not directly associated with virtualization. But those are big, expensive products, hard to install and designed for large data centers.
There are four things about KVM FS that are important. First, it is integrated, so you don’t need to install it separately – and clustered file systems are typically very difficult to install. Second, it is designed to serve up virtual disk images: it knows that the files it manages represent virtual machines and treats them that way. When you back up a file, it knows you are backing up a virtual machine, so it can take a snapshot of the virtual machine and then back up the base image. Third, it allows you to migrate a virtual machine while retaining access to its image file, which is what makes it such a notable feature. And fourth, VMware has a feature called VMFS, an integrated clustered file system that does the same thing – so KVM FS is significant because it gives KVM a direct analog to VMware’s VMFS.
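The snapshot-then-backup sequence described above can be sketched with ordinary QEMU tooling; the image name guest.qcow2 is hypothetical, so the qemu-img calls are shown commented out:

```shell
# Snapshot-then-backup sequence that a VM-aware file system can automate.
# guest.qcow2 is a hypothetical image, so the qemu-img calls are commented:
# qemu-img snapshot -c pre-backup guest.qcow2   # take a point-in-time snapshot
# cp guest.qcow2 /backup/guest.qcow2            # back up the quiesced base image
# qemu-img snapshot -d pre-backup guest.qcow2   # remove the snapshot afterwards
BACKUP_STEPS="snapshot,copy,drop"
echo "backup sequence: $BACKUP_STEPS"
```

The point of a VM-aware file system is that this sequencing happens automatically instead of being scripted by hand for every guest.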
Usability and Device Support
VFIO (Virtual Function I/O) is a new subsystem for passing I/O devices directly through to guests. Right now, we do PCI pass-through, where you take an I/O device and give control of it to a guest – and we do that with some of our benchmarks, because you can get very good performance when the guest interacts directly with the device. However, it is difficult to set up, and not all devices support it. VFIO makes it really simple to pass a device to a guest, and the way it is architected broadens support significantly: if a device is supported in the host kernel, it will almost certainly be supported in the guest.
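To give a feel for the mechanics, here is roughly what handing a device to vfio-pci looks like on the host. The PCI address and vendor:device ID below are placeholders for a real device, so the privileged sysfs writes and the QEMU launch are commented out:

```shell
# Placeholder PCI address and vendor:device ID for the device to assign.
DEV=0000:06:00.0
ID="8086 10fb"

# Detach the device from its host driver and register it with vfio-pci
# (requires root, real hardware, and an IOMMU enabled at boot):
# echo "$DEV" > /sys/bus/pci/devices/$DEV/driver/unbind
# echo "$ID"  > /sys/bus/pci/drivers/vfio-pci/new_id

# The guest is then started with the device assigned, e.g.:
# qemu-system-x86_64 -enable-kvm -device vfio-pci,host=$DEV ...
echo "pass-through candidate: $DEV via vfio-pci"
```

Compared with legacy PCI assignment, the device-specific work lives in the host driver stack rather than in per-device hypervisor code, which is what broadens device coverage.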
Why it matters
If you are a developer doing PCI pass-through today to improve I/O device performance, this is going to simplify your life quite a bit.
High Availability and Disaster Recovery
There is a feature upstream now that does continuous replication for mirroring and disaster recovery in virtual environments. It was submitted by a company called Zerto, which has a product for VMware. Zerto needs to refactor its patches to get them accepted, but I think they will do that. It is really good to see them submitting this for KVM.
Why it matters
Zerto has a good product. This patch set continuously mirrors the storage. It will be very helpful because the Zerto product, combined with live migration, provides a really effective failover scenario.
Another improvement on the way is support for the Trusted Platform Module (TPM), which provides tamper-resistant hardware storage for encryption keys. It enables storing encryption keys in that hardware and then using those keys to validate software images.
The specific feature on the way is called a “static root of trust,” and it is the first step in Trusted Computing. It means that the first thing you do is validate the boot block to make sure it has not been tampered with; then you validate the boot loader, and if the boot loader is good, it validates the kernel it boots. At that point you can validate other software that you load, extending the trust chain. The reason it is static is that the chain has to start at boot, and you cannot re-establish it until you reboot the machine.
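The chain-of-trust idea can be seen in miniature with plain hashing: each stage measures (hashes) the next component before handing control to it. With a real TPM, each measurement would be extended into a platform configuration register that cannot be rewound; the file names here are stand-ins:

```shell
# Stand-ins for two boot stages to be measured.
printf 'bootloader-image' > /tmp/stage1
printf 'kernel-image'     > /tmp/stage2

# Each stage is hashed before control passes to it; with a real TPM these
# measurements would be extended into PCRs rather than merely printed.
M1=$(sha256sum /tmp/stage1 | cut -d' ' -f1)
M2=$(sha256sum /tmp/stage2 | cut -d' ' -f1)
echo "stage1 measurement: $M1"
echo "stage2 measurement: $M2"
```

Validation then amounts to comparing the recorded measurements against known-good values; any tampered stage produces a different hash and breaks the chain.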
Why it matters
IBM has been shipping this Trusted Computing module on its x86 hardware for several years, and the U.S. government is going to require support for Trusted Computing in the computer systems it purchases. We are using it to prevent rootkits – foreign code that maliciously modifies the kernel or some piece of trusted software. However, some developers in the kernel community are skeptical, because a vendor can use this to prevent users from modifying the software on their computer or device, so a vendor could lock down a device or protect digital media. Both of those things are true – a vendor could do both. That argument has been going on for a number of years. But now, with Red Hat’s support, Trusted Computing is going into upstream Linux and is being added to KVM.
IBM Distinguished Engineer & Chief Virtualization Architect, Open Systems Development Software Architect