Computerworld

Virtual machine management (VMM)

Your guide to managing VM sprawl, performance, capacity, storage, security, skills

Australia may be one of the most mature markets when it comes to the adoption of server virtualization, but many organisations’ approach to managing virtual server machines, or VMs, could be described as ‘immature’, Tim Lohman finds.


Australia has been quick to adopt server virtualization for its ability to cut infrastructure costs and make organisations more agile but, as often happens, the development of management techniques to handle this disruptive technology has struggled to keep up.

Managing virtual servers in the same way as their physical counterparts can lead to VM sprawl, security holes, capacity and performance blow-outs, the wrong mix of skills and potential collapse by the side of the road to on-demand infrastructure and the private Cloud.

The good news is that, like the physical world, the virtual world is indeed manageable, so long as you are aware of the challenges and the emerging best practices.

VM Sprawl

Far and away the most widely reported and common issue in managing server VMs is VM sprawl — the uncontrolled proliferation of virtual machines.

The great benefit of server virtualization is the incredible ease with which organisations can build and deploy virtual servers. However, it is this very ability that, if unmanaged, can lead to tens or even hundreds of servers being created right under IT’s nose. On top of the impact on physical server and storage performance and capacity, there are the related issues of whether these rogue VMs are compliant with security policies and software licensing.

The solution, Intelligent Business Research Services (IBRS) advisor, Kevin McIsaac, says, is actually very straightforward. Creating a virtual machine shouldn’t be a technical job; it should just be seen to be a part of the change management process.

McIsaac says the process should begin with the submission of a formal request for a given VM to be created, then that request should go through an approval cycle. Only then should the VM be created.

“You also want to record who owns that virtual machine, who the primary consumer of the service is, and what the purpose of the machine is — is it dev/test or is it something mission critical like for running email? You should also record things like ‘infrastructure criticality’ — is the VM mission-critical or just nice to have? Then you should put on an expiration period; how long should that machine be around for.

“Through having this record of your virtual machines you then have an expiration date so you can then call up the owner and ask if they are done with it. All of this is lifecycle management, but the other way to look at it is as being part of change management. It should all be grounded in change management even though it is partly lifecycle management.”
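The record McIsaac describes can be reconciled mechanically against what is actually running. The following is an added example, not part of the original article: the field names, VM names and dates are constructed, and the `RUNNING` list stands in for an inventory export from whatever management tool is in use.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class VMRecord:
    """Change-management record with the fields named in the article."""
    name: str
    owner: str
    consumer: str       # primary consumer of the service
    purpose: str        # e.g. "dev/test" or "email"
    criticality: str    # "mission-critical" or "nice-to-have"
    expires: date


def audit(records, running, today):
    """Reconcile approved records against the VMs actually running.

    Returns three sorted lists:
      unregistered - running with no approved record (sprawl)
      expired      - (name, owner) still running past expiry; call the owner
      stale        - approved record whose VM no longer exists
    """
    approved = {r.name for r in records}
    running = set(running)
    unregistered = sorted(running - approved)
    expired = sorted(
        (r.name, r.owner) for r in records
        if r.name in running and r.expires < today
    )
    stale = sorted(approved - running)
    return unregistered, expired, stale


# Constructed sample data (hypothetical names and dates).
RECORDS = [
    VMRecord("mail01", "ops", "all staff", "email", "mission-critical", date(2030, 1, 1)),
    VMRecord("dev-build7", "dev team", "dev team", "dev/test", "nice-to-have", date(2024, 3, 31)),
    VMRecord("poc-crm", "sales IT", "sales", "dev/test", "nice-to-have", date(2024, 6, 30)),
]
RUNNING = ["mail01", "dev-build7", "test-tmp-42"]

if __name__ == "__main__":
    unregistered, expired, stale = audit(RECORDS, RUNNING, date(2024, 5, 1))
    print("No approved record:", unregistered)
    print("Past expiry (name, owner):", expired)
    print("Record without a VM:", stale)
```

VMs in the first list are the ones whose security-policy and licensing status is unknown, since they never passed through the approval cycle.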

Milestone Group director global business operations, Simon Whitie, says there are now tools available, such as those available via the VMware ESX platform, to enable IT departments to differentiate user access to VMs.

“We can essentially delegate the viewing and management of say, an individual development VM, to the development team,” he says. “We have root control over all VMs but can create subset views depending on the access or the administration rights we are happy to delegate.

“In other words, we don’t have one access control level that allows for server sprawl, other than essentially me approving it and one of the IT services team actually creating the instance and making it available. Once it is available we can delegate the guest OS rights for those guys to do whatever they like.”

Tools can be part of the solution but it is important to have the right mix in managing your virtual infrastructure, Gartner analyst, Errol Rasit, stresses. Otherwise they could become part of the problem.

“Virtualization vendors have a whole suite of paid-for tools available to end-user organisations to really manage the whole life cycle of virtual machines,” he says. “However there is a stage where you can over-automate and lose control through having too many alerts or maybe not enough, so you really need the right mix.”

Another approach to managing VM sprawl is to set up a charge-back mechanism, where IT makes the business pay for its use of VMs and the physical resources which underpin them. In this way, the IT department can show the business the real cost of VMs, Roaring 40s IT manager, Steane Walsh, says.

“One of the challenges with virtualization is you put in all this capacity and people assume that it is almost free,” he says. “Unless you go and allocate that cost back into new projects, you end up chewing up all your virtualization resources. You’ll have to go to management and ask for another million bucks to effectively go and put another VM cluster in.”

Walsh says Roaring 40s set up its internal chargeback system based on three areas: Servers or virtual boxes, storage based on gigabyte blocks, and an operational cost. “It is just much easier at the start of a project to say that they have to allocate it as part of their costs and explain to them why rather than trying to recover the costs later in the project,” he says.

Walsh says this approach also helps with complying with software licensing requirements — something that can get out of hand quickly if the business is allowed to create its own virtual machines at will.

“I think people can forget that even though it is virtual, it is still a server and you have a Microsoft or Red Hat licence [to pay for], plus the maintenance costs on top of that,” he says. “I’m in an outsourced agreement with Logica, so I really feel it in the hip pocket. For every server someone has to look after, the outsourcer is going to charge us man hours for taking on the risk and responsibility of managing that.”


Security

Gartner’s Rasit argues that, generally, security is quite high in the virtual world as there is nothing that inherently makes VMs less secure than their physical counterparts. However, issues can arise when moving VMs between physical servers.

“Within a firewall VMs are as secure as moving a physical server from one location to another,” he says. “But when you are moving from one data centre or from one country to another then all the LAN and WAN management around security has to be in place.

“If you are looking at Cloud bursting — moving your virtual machine out to a Cloud provider — then there are additional security considerations as it's not just lines of code but your data too which is being moved to a third party.”

CA’s A/NZ director, solution sales, Peter Sharples, says security is an issue when it comes to access — making sure a person is authenticated before letting them change and add VMs in the virtual environment. The other area to consider is the potential risk of a ‘horizontal attack’.

“We’re yet to see it in Australia, but it is where someone hacks the hypervisor management solution and therefore, gains access to all the VMs in that horizontal environment,” he says.

IBRS’ McIsaac says that when it comes to managing antivirus, the way to go is to remove your security product from running in the operating system and instead put it into a separate VM which then inspects all other VMs running on a physical server.

“That… solves problems with contention as now you have a single instance of your antivirus, instead of one for each virtual machine,” he says. “However, many people do segregation of workloads via the network: A demilitarised zone versus an internal zone.

“But, if you throw everything on one box, where did your network go? Well, it’s inside your Intel box. So where did your firewalls and demilitarised zone go? People haven’t come to grips with that.”

Performance, capacity, storage

CA’s Sharples says while server virtualization has made the provisioning of infrastructure much quicker, what it hasn’t done is speed up the manual processes — order requisition, asset management and configuration management — associated with infrastructure provision. As a result, the performance and overall benefits of virtualization can suffer or stall.

“Understanding that and automating those simple, repetitive tasks like change management and request management as much as is practical is important,” he says. “But, the key to success is to understand your processes. It is pointless automating a bad process as you will just get a bad outcome more quickly.”

On top of processes, IT managers also need to understand the physical capacity of their data centre and how it relates to the provisioning of virtual machines. In other words, capacity management.

“Is over-provisioning hurting performance or is under-provisioning wasting assets because they are under-utilised?” he says. “You also need to understand how that relates back to the performance of your critical business systems. Do you have the confidence your virtual platform will support end-business performance?”

IBRS’ McIsaac argues that the major issue is less a performance one and more about the way cutting down physical hardware can hurt your risk mitigation strategies.

“Capacity management is much more of an issue today, as if you have a problem it’s not just going to impact one box, one application and one set of users; it will potentially impact everybody, as they could be all on the same piece of infrastructure,” he says. “When you do have a problem, it tends to be far, far greater.”

That being said, having a large number of VMs on a single piece of physical hardware can place a high load on your storage when it comes to backing up your data.

“You will need to recognise that if you move your physical instances to virtual machines, you will at some stage need to revisit your backup as you do have the issue of resource contention,” McIsaac says. “Many people don’t review their backups that often; their view is: How can I make this as simple to deal with as possible rather than thinking about the fact they may have to recover them at some stage.”

Gartner’s Rasit says a lot of organisations often find that when they move to a virtual infrastructure, they have to build a SAN architecture to gain a more rapid response from their storage via a ‘boot-from-SAN’ functionality.

“NAS is good for low-level, low-frequency storage but with the virtual world, you need faster access,” he says. “Close management of storage is important, as if you don't look after it your storage utilisation [rates] usually go down.”

Skills

Lastly, moving to a virtual environment can have a significant impact on the organisational structure of an IT department, IDC senior analyst, Trevor Clarke, says.

Consequently, ensuring you have the right skills internally, or adequate support from an integration partner, to roll out a virtual environment is critical. It’s a position the National Museum of Australia’s manager, information technology & services, Chris Gill, couldn’t agree with more.

“We’ve had fantastic assistance from what we call an IT infrastructure architect, who helped us progress to where we are today,” he says. “You need someone who is totally across how the resources are allocated in a particular environment, knows what that capacity is for expansion as needed, and also an awareness of capacity requirements over coming years so that the environment has the capacity to meet needs over the coming three years.

“If you do bring in a partner, it should particularly be a partner of VMware’s or someone who has that expertise and has strong support from VMware or EMC. I wouldn’t just rely on one individual but an organisation with additional resources to assist as needed.”