RHEL KVM
RHEL KVM allows management of guests in a way similar to z/VM®. RHEL KVM also performs very well, but is not as tuned as z/VM. Skills are more broadly available because it is based on the open source Linux Kernel-based Virtual Machine (KVM). Learning to administer KVM is straightforward. Furthermore, with RHEL KVM you can start guests based on IBM Secure Execution. IBM Secure Execution is a hardware security feature to secure memory boundaries. Tooling depends on open source products. There are some more restrictions when you have multiple instances of the hypervisor.
Instead of using a pure RHEL KVM environment, it is recommended to use Red Hat® OpenShift® Virtualization to allow for full VM management for multiple clusters that are deployed as VMs.
Resource sharing
You can share resources easily within the KVM environment on all levels: CPU, memory, storage, and network. You can dedicate resources to guests, but all are visible on the Linux hypervisor layer. The dedication is not as strict as for z/VM, unless a special implementation is made.
Cluster HA/DR
Cluster HA/DR is done on the same level as for LPAR. There are no special facilities to help the administrator implement DR. But with IBM® Storage you can implement similar mechanisms. Like z/VM, KVM includes LGR and allows you to transfer a guest from one hypervisor to another.
IBM Secure Execution
With KVM on IBM Z® and IBM LinuxONE you can start guests in IBM Secure Execution mode. IBM Secure Execution is a security technology that was introduced with IBM z15 and LinuxONE III. IBM Secure Execution protects the boot image, the guest memory, and guest state boundaries for KVM guests. This protects the guest even against the root user of that hypervisor.
For details see Introducing IBM Secure Execution for Linux.
You can run Red Hat OpenShift on IBM Z and IBM LinuxONE with IBM Secure Execution enabled. At installation time, the guest is protected. After installation the cluster is protected by IBM Secure Execution, regardless of whether you have a single-node cluster, three-node cluster, or full cluster. During cluster installation, the root file system is encrypted with a unique key that is kept safe on the encrypted boot loader. The security boundary for a cluster that is installed with IBM Secure Execution is the full cluster against outside users. Within the protected cluster, all operations are the same as for an unprotected cluster. Network connections are the same as well and need to be protected by using, for example, IPsec for encryption of data in flight.
For installation details see Installing RHCOS using IBM Secure Execution (Red Hat documentation).
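One way to confirm on each node that it really runs as a Secure Execution guest, as an added example that is not part of the IBM or Red Hat documentation. It reads the ultravisor attributes that the s390x Linux kernel exposes under /sys/firmware/uv; the function names and the optional root-prefix argument are assumptions of this example.

```shell
#!/bin/sh
# Classify a Linux on IBM Z system by its IBM Secure Execution role.
# Kernel-provided attributes under /sys/firmware/uv:
#   prot_virt_guest = 1 -> running as a Secure Execution (protected) guest
#   prot_virt_host  = 1 -> KVM host enabled to run Secure Execution guests
# $1 is an optional root prefix (hypothetical convenience of this example),
# so that a constructed test tree can be checked instead of the live /sys.
se_role() {
    uv_dir="${1:-}/sys/firmware/uv"

    # Directory absent: not s390x, an older kernel, or no ultravisor facility.
    if [ ! -d "$uv_dir" ]; then
        echo "unsupported"
        return 0
    fi

    guest=0
    host=0
    if [ -r "$uv_dir/prot_virt_guest" ]; then
        guest=$(cat "$uv_dir/prot_virt_guest")
    fi
    if [ -r "$uv_dir/prot_virt_host" ]; then
        host=$(cat "$uv_dir/prot_virt_host")
    fi

    if [ "$guest" = "1" ]; then
        echo "secure-guest"
    elif [ "$host" = "1" ]; then
        echo "se-host"
    else
        # Ultravisor interface present, but this system is neither role.
        echo "unprotected"
    fi
}

# Exit status 0 only for a protected guest, for use in a node compliance check.
require_secure_guest() {
    [ "$(se_role "${1:-}")" = "secure-guest" ]
}

# Report the role of the running system (or of the prefix given as $1).
se_role "${1:-}"
```

A cluster node that reports anything other than secure-guest was not started in IBM Secure Execution mode and falls outside the security boundary described above.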