Feeds

Leave nothing behind when migrating virtual machines

Ensuring a smooth move

Application security programs and practises

We migrate virtual machines (VMs) for all sorts of reasons: to load balance our physical hosts, say, or to offload a server so it can be taken offline for maintenance, or because the original host has failed. But in every case we want no interruption to the VM's operation, or at least as little interruption as possible.

That means its network resources need to move with it so that when it lands on a target physical server it can immediately start processing data and moving it across the network.

Much of that is taken care of by the hypervisor and the migration tools, according to Jon Cairns, director of systems engineering for northern Europe at VMware.

“You do need the ESX hosts to be on the same subnet to ensure connections are maintained,” he says.

Double vision

He adds that to move a VM, you also need networked storage that both hosts can see, as it is only the image in memory, not the data, that moves. And it needs a fast interconnect – ideally a second network.

“VMotion starts with a pre-copy in the background. The VM is still accessible as normal but the software is doing a dynamic page copy. Then eventually it suspends the VM for a split-second, does a final copy and restarts it on the new host,” he says.

“VMotion manages the virtual MAC address, and when the memory copy is complete and the VM comes up, it pings the router to ensure the new host is recognised. Everything configured within the VM should go with it.”

Paul Martin, systems engineering manager EMEA for VM replication specialist Quest Software, says the same-subnet requirement can be a problem.

Play your cards

For example, if the reason for moving a VM is fail-over, it may not be an option to run both hosts on the same site or subnet. In this case one option is dual virtual network interface cards (NICs) within the VM, either using Powershell to automate NIC failover, or editing the VM by hand.

“Other customers use NAT [network address translation] to get round the problem of different subnets,” he says.

However, there are also network layer factors that are external to the VM. For example, the source and target hosts may also need to be on the same virtual LAN (VLAN), which can limit the reach of your migration capabilities.

A solution for some is bridged VLANs, says Martin. But he adds: “That doesn't work for everyone, as not every environment can cope with it.”

And as Ken Duda, vice-president of software engineering at switch developer Arista Networks, notes: “You don't want to carry every VLAN everywhere. So the 802.1Q trunk needs to be able to dynamically modify a VLAN in response to say a VM migration. But how do you do that?”

By hook or by crook

Arista's solution was provide the hooks in its Eos operating system so its software partners can use their management tools to tie VLANs to key places.

“The VMware tracer talks to the network management and automatically provides the VLAN connection rack to rack,” Duda says.

Other vendors use port profiles to achieve something similar. Port profiles allow you to configure an interface to a particular role on the network, for example by applying access control lists, attaching VLANs, setting up broadcast limits, and so on.

They can be used to push out the same configuration to multiple interfaces, and because they can be applied to physical or virtual interfaces they are also a useful way to set up ports on softswitches for VMs.

The challenge with VMs is that, since they are no longer tied to a physical interface, they are also not tied to a switch port. But when you move a VM, the softswitch in the new server must have the same policies, VLANs and security settings as the old one, otherwise the migration will fail. Port profiles let you edit the new switch to match the old one.

“You throw it into the cloud which then manages where it runs”

Yet however you manage your switch reconfiguration, it adds complexity and administration time and requires the server and network admins to co-ordinate their work. Network vendors and software developers are looking for ways to move port profiles automatically, so that they follow the VMs that need them.

Johan Ragmo, data business development manager for northern Europe at Alcatel-Lucent Enterprise, says this is one of the many jobs for the management layer within a data centre or private cloud that take care of VM migration, load balancing and so on.

“You need to build a virtual network profile, taking account of quality of service and so on, that's managed in software with the virtualisation manager,” he says.

Follow the leader

Cairns agrees. “The long-term concept is that each VM will carry with it a set of policies, such as security level, availability and so on, and you throw it into the cloud which then manages where it runs. Underneath that, a foundation layer ensures adherence,” he says.

Brocade's Simon Pamplin says this is why Brocade developed automatic migration of port profiles (AMPP). It is part of Brocade's Virtual Cluster Switching technology, which enables a migrating VM’s network profile to follow it automatically.

“If you want to move a virtual image, setting up its port profile is a headache,” Pamplin says. “AMPP presets the destination port with the correct settings.”

The message is that, for the moment at least, a VM migration should be seamless – within certain boundaries. The area within those boundaries is constantly growing, but as a server admin it is always wise to know where the VM boundaries currently lie. ®

Eight steps to building an HP BladeSystem

More from The Register

next story
Sysadmin Day 2014: Quick, there's still time to get the beers in
He walked over the broken glass, killed the thugs... and er... reconnected the cables*
Apple fanbois SCREAM as update BRICKS their Macbook Airs
Ragegasm spills over as firmware upgrade kills machines
SHOCK and AWS: The fall of Amazon's deflationary cloud
Just as Jeff Bezos did to books and CDs, Amazon's rivals are now doing to it
Amazon Reveals One Weird Trick: A Loss On Almost $20bn In Sales
Investors really hate it: Share price plunge as growth SLOWS in key AWS division
EU's top data cops to meet Google, Microsoft et al over 'right to be forgotten'
Plan to hammer out 'coherent' guidelines. Good luck chaps!
US judge: YES, cops or feds so can slurp an ENTIRE Gmail account
Crooks don't have folders labelled 'drug records', opines NY beak
Auntie remains MYSTIFIED by that weekend BBC iPlayer and website outage
Still doing 'forensics' on the caching layer – Beeb digi wonk
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
prev story

Whitepapers

Top three mobile application threats
Prevent sensitive data leakage over insecure channels or stolen mobile devices.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.