Virtuozzo 7 combines well-known Systems Container™ technology, KVM-based virtual machines and software-defined storage in a single solution covered by production support. In Virtuozzo 7 we have replaced our proprietary hypervisor with KVM. Nowadays KVM has become fast and reliable enough to suit our customers’ needs. For this reason we decided not to continue developing a proprietary hypervisor and to switch to KVM. Still, KVM lacks many required features, so we introduced over 200 improvements when adding KVM support to our brand new Virtuozzo 7 platform. As for containers, we switched Virtuozzo to the new 3.10+ Linux kernel, started using cgroups and namespaces instead of kernel modules, and replaced container IDs with UUIDs, as requested by our customers.
We have added a lot of technical improvements to Virtuozzo 7, and I will describe many of them in this post, with the goal of allowing our customers to understand what new or improved services they will be able to offer on top of the new Virtuozzo to earn more money or attract new customers.
Production-ready KVM for service providers
Many of our customers use Virtuozzo Containers™ to build what is called a Virtual Private Server (VPS)—a service that has been popular for over a decade. At the same time, Virtuozzo is the only solution that allows you to combine containers and virtual machines in the same environment. Container users can leverage dozens of Linux distributions in a container, and most Linux applications work fine and even faster in containers in comparison with VMs. However, an application that needs to use a custom kernel module, depends on a kernel feature that isn’t in the host kernel, or is simply designed for a different OS (like Windows) won’t work in a Linux container. In these cases, one can use virtual machines and avoid any OS or application compatibility issues.
Virtual machines allow you to offer some new services in addition to a traditional Linux VPS. A service provider can offer Windows hosting in addition to Linux hosting on the same platform. Our performance measurement results show that Windows runs faster on Virtuozzo in comparison with traditional KVM. The guest tools with a unified interface and the integrated auto-ballooning that we implemented in Virtuozzo 7 allow you to build a unified, cost-effective platform for Linux and Windows hosting.
Figure 1. Performance comparison of Windows VMs running on CentOS KVM and Virtuozzo
If you want to use KVM to host enterprise-class applications, or would like to reduce the effort of restoring instances after a host failure, you need high availability for your KVM. Virtuozzo 7 together with Virtuozzo Storage supports high availability for containers and virtual machines out of the box.
New kernel adds more freedom and stability
The new kernel in Virtuozzo 7 adds support for new hardware, getting maximum efficiency from modern, more powerful servers to reduce the hardware footprint and improve energy efficiency in your datacenter. The new kernel also gives us an opportunity to introduce new technologies like CRIU and ReadyKernel in Virtuozzo 7. CRIU is a software tool for the Linux operating system that allows you to freeze a running container and checkpoint it to a hard drive as a collection of files. You can then use the files to restore and run the application from the point at which it was frozen. CRIU together with the P.Haul project builds a foundation for container live migration based on new and community-endorsed technologies – a great improvement over the previous live migration implementation in Virtuozzo 6. The distinctive feature of the CRIU project is that it is mainly implemented in user space and not in the kernel. A user-space implementation significantly reduces the number of changes and patches we need in the kernel to develop and maintain container live migration, and thus reduces the number of updates for which reboots may be required.
ReadyKernel—rebootless updates for Virtuozzo and Linux guests
We know you don’t like the idea of rebooting all your servers simply to install a critical security patch or a kernel update on your Linux hosts or guests. History shows that Red Hat releases kernel updates approximately 9 times a year. Add to that the fact that virtualization software also has critical updates several times a year. While it’s impossible to predict release dates and prepare for them, most of these updates fix publicly known vulnerabilities and should be installed promptly.
The Virtuozzo 6 feature for installing kernel updates without a reboot is called the Rebootless Kernel Update (RKU). RKU suspends running containers and virtual machines and boots a new kernel, later resuming the suspended VMs and containers. This mechanism allowed us to boot almost any kernel, no matter how many changes it brought. However, it is not without its own issues – although VMs and containers didn’t reboot, the downtime during suspension was fairly significant – tens of seconds or more on larger servers. Virtuozzo 7 is based on the new 3.10+ kernel, so we implemented support for kpatch technology to replace RKU and improve our rebootless update capability. It enables Virtuozzo customers to apply critical security patches to the kernel immediately, without having to suspend instances, wait for users to log off, or wait for scheduled reboot windows. It gives more control over uptime without sacrificing security or stability. But kpatch itself is just a tool and requires someone to build and test patches for every kernel version. Kpatch also cannot guarantee that a patch is safe to apply. Therefore, a qualified engineer should build and analyze in depth every patch before applying it.
Virtuozzo 7 includes a complementary subscription to the ReadyKernel service that delivers the latest security patches and kernel updates as fast as possible and installs them automatically (or manually if you prefer) without a system reboot. ReadyKernel is available for Virtuozzo 7 and Virtuozzo Linux and will be offered for other Linux distributions in the future, so it provides a great deal of flexibility.
ReadyKernel in Virtuozzo 7 can install security patches and kernel updates without instance suspension or host reboot – with zero downtime and no additional administrative effort. ReadyKernel is also available for Virtuozzo Linux – a RHEL-compatible Linux distribution focused on security in the public cloud, designed to eliminate scheduled downtime, and also offered at a very competitive price. Now you can attract additional customers who want a predictable SLA and want to minimize security and maintenance risks for their applications.
Advanced Memory Management
Virtuozzo 7 introduces a new memory management system that helps containers, virtual machines and Virtuozzo Storage deliver better performance and density while minimizing the impact of resource overselling. We call it VCMMD. One of the technologies that we specifically built for Virtuozzo 7 as part of VCMMD is the new Advanced Memory Management (AMM) technology. AMM controls memory management mechanisms such as memory ballooning and kernel same-page merging (KSM) as a way to improve workload density. The “secret sauce” of AMM is an auto-ballooning algorithm that incorporates different working set size (WSS) prediction techniques. They allow a more efficient over-commitment of memory resources with the least impact on customers’ workloads. AMM supports Windows and Linux guests.
VCMMD also includes other resource management features like Online Memory Management (OMM) and memory guarantees for containers. OMM allows you to increase or decrease virtual machine memory without a reboot. This enables your customers to change VM configurations online without service interruption.
It also provides a means for you to offer a new Pay-As-You-Grow (PAYG) billing model to them and give them the ability to scale their VM vertically according to the current workload. They can also change the billing plan without a reboot.
Now you can guarantee a minimal amount of available RAM not only for virtual machines, but for containers as well. This feature allows you to limit the overcommitment ratio in your environment. For example, if you would like to set the overcommitment ratio to 2:1, you just need to set the guarantee to 50% for all containers and VMs. Effective overcommitment allows you to lower your datacenter costs, resulting in more competitive pricing – a win-win situation. Your customers usually won’t consume all the resources they bought, while our predictive algorithm provides resources to the customer as soon as they are needed.
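The 2:1 rule above is a special case of a simple capacity check: the host can only admit instances whose guaranteed memory, summed, fits in what the host actually has. The following added example (not Virtuozzo's VCMMD code; host size, instance sizes and guarantee percentages are constructed) generalizes it to a fleet with mixed guarantees and shows why the effective overcommitment ratio is configured RAM divided by guaranteed RAM, which only equals 1/guarantee when every instance has the same guarantee.

```python
"""Guarantee-based admission check for an oversold host.

Added illustration of the guarantee/overcommit arithmetic; it is not
Virtuozzo's own memory manager. All sizes below are constructed.
"""
from dataclasses import dataclass

MIB = 1024 * 1024


@dataclass(frozen=True)
class Instance:
    name: str
    ram_bytes: int      # RAM the customer bought (container or VM)
    guarantee: float    # fraction of ram_bytes always available, 0.0..1.0

    def guaranteed_bytes(self) -> int:
        if not 0.0 <= self.guarantee <= 1.0:
            raise ValueError(f"{self.name}: guarantee must be in [0, 1]")
        return int(self.ram_bytes * self.guarantee)


def total_guaranteed(instances) -> int:
    """Memory the host has promised and must be able to back at any moment."""
    return sum(i.guaranteed_bytes() for i in instances)


def overcommit_ratio(instances) -> float:
    """Configured RAM divided by guaranteed RAM, e.g. 2.0 for a 2:1 ratio."""
    guaranteed = total_guaranteed(instances)
    if guaranteed == 0:
        return float("inf")
    return sum(i.ram_bytes for i in instances) / guaranteed


def can_admit(host_usable_bytes: int, instances, candidate: Instance) -> bool:
    """True if the candidate's guarantee still fits beside the existing ones.

    This is the check that stops a host from being oversold past what every
    instance on it was promised, regardless of how much RAM is configured.
    """
    needed = total_guaranteed(instances) + candidate.guaranteed_bytes()
    return needed <= host_usable_bytes


# Constructed sample: a 64 GiB host with 4 GiB kept back for the host itself.
HOST_USABLE = 60 * 1024 * MIB
FLEET = [
    Instance("ct-web-1", 8 * 1024 * MIB, 0.5),
    Instance("ct-web-2", 8 * 1024 * MIB, 0.5),
    Instance("vm-win-1", 16 * 1024 * MIB, 0.5),
]

if __name__ == "__main__":
    print(f"guaranteed: {total_guaranteed(FLEET) // MIB} MiB")
    print(f"overcommit ratio: {overcommit_ratio(FLEET):.1f}:1")
    big = Instance("vm-db-1", 64 * 1024 * MIB, 0.5)
    print("admit vm-db-1:", can_admit(HOST_USABLE, FLEET, big))
```

With every instance at a 50% guarantee the fleet above sits at exactly 2:1; adding one instance with a 100% guarantee pulls the ratio below 2 even though nothing else changed, which is why the guarantee, not the configured size, is what an admission check should sum.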
More flexible, fast and reliable backup…and even restore
We completely reworked our backup engine in Virtuozzo 7. We leveraged the availability of the new block-level backup API and CBT (changed block tracking) mechanism in QEMU/KVM and create backups using a standard snapshot procedure, storing container and virtual machine backups in the standard QCOW2 format. Virtuozzo 7 no longer needs to read the full backup file to create incremental backups, making incremental backups much faster than in Virtuozzo 6.
Storing backups in the standard QCOW2 format and representing restore points as snapshots also makes it possible to remove any backup as part of the backup rotation procedure, making backup deletion on par with removing a snapshot. This effectively enables an “always incremental” backup, where the user only has to do a full backup the first time, greatly reducing backup window requirements.
It also gives you the ability to perform an emergency restore from a backup even when the backup utility fails – because the backup is simply a QCOW2 file, and you can convert it to any image format you want with the standard qemu-img utility.
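Because an emergency restore bypasses the backup utility, the operator has to confirm what the QCOW2 file is before handing it to qemu-img: whether it stands alone or depends on a backing file (an incremental in a chain), how many internal snapshots (restore points) it holds, whether it is encrypted, and whether its dirty or corrupt flags are set. The following added example (not Virtuozzo's backup tool) reads those fields from the documented QCOW2 header layout with the standard library; the sample image bytes are constructed headers, not real backups.

```python
"""Inspect a QCOW2 backup file's header before an emergency restore.

Added example, not Virtuozzo code. Field offsets follow the QCOW2
specification shipped with QEMU (docs/interop/qcow2.txt). The sample
images built by build_sample() are constructed metadata-only headers.
"""
import struct

QCOW2_MAGIC = 0x514649FB                          # b"QFI\xfb"
HEADER_V2_FMT = ">IIQIIQIIQQIIQ"                  # first 72 bytes, big-endian
HEADER_V2_LEN = struct.calcsize(HEADER_V2_FMT)    # 72
V3_EXTRA_FMT = ">QQQII"   # incompatible/compatible/autoclear features, refcount_order, header_length
V3_MIN_LEN = 104

# incompatible_features bits defined by the spec
INCOMPAT_DIRTY = 1 << 0       # refcounts may be stale; image was not cleanly closed
INCOMPAT_CORRUPT = 1 << 1     # QEMU detected corruption and marked the image


def parse_qcow2_header(data: bytes) -> dict:
    """Return the fields an operator cares about; raise on non-QCOW2 input."""
    if len(data) < HEADER_V2_LEN:
        raise ValueError("file shorter than a QCOW2 header")
    (magic, version, bf_off, bf_size, cluster_bits, size, crypt,
     _l1_size, _l1_off, _rt_off, _rt_clusters, nb_snapshots, _snap_off) = \
        struct.unpack(HEADER_V2_FMT, data[:HEADER_V2_LEN])
    if magic != QCOW2_MAGIC:
        raise ValueError(f"not a QCOW2 image (magic 0x{magic:08x})")
    if version not in (2, 3):
        raise ValueError(f"unsupported QCOW2 version {version}")

    backing_file = None
    if bf_off and bf_size:
        backing_file = data[bf_off:bf_off + bf_size].decode("utf-8", "replace")

    incompatible = 0
    if version == 3 and len(data) >= V3_MIN_LEN:
        incompatible, _compat, _autoclear, _rc_order, _hdr_len = \
            struct.unpack(V3_EXTRA_FMT, data[HEADER_V2_LEN:V3_MIN_LEN])

    return {
        "version": version,
        "virtual_size": size,               # guest-visible disk size in bytes
        "cluster_size": 1 << cluster_bits,
        "encrypted": crypt != 0,            # 1 = legacy AES, 2 = LUKS
        "backing_file": backing_file,       # set on incrementals in a chain
        "snapshots": nb_snapshots,          # internal snapshots = restore points
        "dirty": bool(incompatible & INCOMPAT_DIRTY),
        "corrupt": bool(incompatible & INCOMPAT_CORRUPT),
    }


def restore_blockers(info: dict) -> list:
    """Reasons this file cannot simply be converted with qemu-img on its own."""
    problems = []
    if info["corrupt"]:
        problems.append("corrupt bit set: run qemu-img check before converting")
    if info["dirty"]:
        problems.append("dirty bit set: refcounts were not flushed")
    if info["backing_file"]:
        problems.append(f"depends on backing file {info['backing_file']!r}: whole chain needed")
    if info["encrypted"]:
        problems.append("image is encrypted: key material is required")
    return problems


def build_sample(backing: bytes = b"", nb_snapshots: int = 0, incompatible: int = 0) -> bytes:
    """Constructed minimal v3 header (10 GiB virtual disk, 64 KiB clusters, no data)."""
    bf_off = V3_MIN_LEN if backing else 0
    head = struct.pack(HEADER_V2_FMT, QCOW2_MAGIC, 3, bf_off, len(backing), 16,
                       10 * 1024 ** 3, 0, 1, 0, 0, 0, nb_snapshots, 0)
    head += struct.pack(V3_EXTRA_FMT, incompatible, 0, 0, 4, V3_MIN_LEN)
    return head + backing


if __name__ == "__main__":
    samples = [("full", build_sample(nb_snapshots=3)),
               ("incremental", build_sample(b"full.qcow2"))]
    for label, img in samples:
        info = parse_qcow2_header(img)
        print(label, info, restore_blockers(info) or "ready for qemu-img convert")
```

On a real file, read the first few kilobytes (enough to include the backing file name) and pass them to parse_qcow2_header; an empty list from restore_blockers means the file can be converted directly, while a backing-file entry tells you the chain of earlier backups must be in place first.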
OpenStack support and new management options
Starting with Virtuozzo 7 we support managing Virtuozzo containers and virtual machines through libvirt. Such support enables Virtuozzo to work with the large ecosystem of libvirt-based management tools, including OpenStack and Virtual Machine Manager. Virtuozzo customers and OpenStack users now have the ability to leverage the full power of OpenStack to manage private or public clouds based on Virtuozzo containers and virtual machines through the OpenStack API or the Horizon dashboard. Virtuozzo Storage is also supported in OpenStack to provide SDS storage for ephemeral disks, Glance images and Cinder volumes. But if all you need is a simple and easy-to-use tool to manage the Virtuozzo environment, you can opt for the Virtual Machine Manager tool.
You’ll find some very useful information about OpenStack and VMM integration here: https://openvz.org/Setup_OpenStack_with_Virtuozzo_7
What else is coming?
Encryption of user data cannot protect from all data leakage scenarios, but it will definitely prevent many of them, and complicate and increase the cost of an attack. Virtuozzo 7 allows you or your customer to encrypt the root disk or any additional disk of a container or virtual machine. We support the KMIP and PKCS#11 key management protocols to provide access to key management systems. Encryption does not interfere with instance migration, snapshot management or backup operations, so a customer can use their instance as usual and simply enable encryption via a checkbox in their provisioning system and feel safe. Container disk encryption will be available in Virtuozzo 7 Update 1, while virtual machine disk encryption will be available later this year.
Application Catalog powered by Bitnami
These days one of the most popular customer demands is a service that allows them to quickly deploy pre-configured and ready-to-use applications. Many providers already have an application catalog in their portfolio. However, building and maintaining dozens of such applications can be a major expense and challenge for a service provider, and having outdated applications with security vulnerabilities may pose a serious risk.
To answer this need, we partnered with Bitnami to offer a new subscription service called Virtuozzo Application Catalog. Available as an additional subscription for Virtuozzo, the catalog provides the latest versions of dozens of applications and development stacks, tested, optimized and ready to be deployed. Among them are WordPress, Redmine, SugarCRM, Alfresco, Drupal, MediaWiki, GitLab etc. Every application is pre-compiled and pre-configured with all the necessary dependencies and works out-of-the-box as a container or virtual machine. You no longer need to waste enormous amounts of time fixing and updating your own application catalog.
You can integrate the image catalog into your own provisioning system, provide a seamless one-click experience deploying applications, and thus promote additional consumption of IaaS-based hosting products. Our Application Catalog is already available for Virtuozzo 6 users and you are welcome to try it or start to use it in production. The Application Catalog will be available for Virtuozzo 7 starting with Update 1.
Upgrading to Virtuozzo 7
We created a comprehensive list of upgrade paths to help you choose the best upgrade scenario for your infrastructure and lead you through the upgrade process. The first release of Virtuozzo 7 supports an upgrade with instance migration with a spare server. You need to install Virtuozzo 7 on a spare server and then move your containers and virtual machines there. Detailed information on this scenario is available in the Virtuozzo 7 Upgrade Guide.
Virtuozzo 7 Update 1 will also support an in-place upgrade for nodes with containers only and upgrades with a mixed mode (Virtuozzo 6 and Virtuozzo 7) Storage cluster. A mixed mode of the Virtuozzo Storage cluster allows you to perform server-by-server migration while still maintaining cluster integrity, thus greatly reducing network traffic and upgrade time.