| 1 |
On Wednesday, January 20, 2016 01:46:29 AM lee wrote: |
| 2 |
> "J. Roeleveld" <joost@××××××××.org> writes: |
| 3 |
> > On Tuesday, January 19, 2016 01:46:45 AM lee wrote: |
| 4 |
> >> "J. Roeleveld" <joost@××××××××.org> writes: |
| 5 |
> >> > On Monday, January 18, 2016 02:02:27 AM lee wrote: |
| 6 |
> >> >> "J. Roeleveld" <joost@××××××××.org> writes: |
| 7 |
|
| 8 |
> >> > |
| 9 |
> >> > Yes |
| 10 |
> >> > |
| 11 |
> >> >> That would be a huge waste of resources, |
| 12 |
> >> > |
| 13 |
> >> > Diskspace and CPU can easily be overcommitted. |
| 14 |
> >> |
| 15 |
> >> Overcommitting disk space sounds like a very bad idea. Overcommitting |
| 16 |
> >> memory is not possible with xen. |
| 17 |
> > |
| 18 |
> > Overcommitting diskspace isn't such a bad idea, considering most installs |
| 19 |
> > never utilize all the available diskspace. |
| 20 |
> |
| 21 |
> When they do not use it anyway, there is no reason to give it to them in |
| 22 |
> the first place. And when they do use it, how do the VMs handle the |
| 23 |
> problem that they have plenty disk space available, from their point of |
| 24 |
> view, while the host which they don't know about doesn't allow them to |
| 25 |
> use it? |
| 26 |
|
| 27 |
1 word: Monitoring. |
| 28 |
When you overcommit any resource, you need to put monitoring in place. |
| 29 |
Then you also need to ensure you have the ability to increase that resource |
| 30 |
when required. |
| 31 |
|
| 32 |
> Besides, overcommitting disk space means to intentionally create a setup |
| 33 |
> which involves that the host can run out of disk space easily. That is |
| 34 |
> not something I would want to create for a host which is required to |
| 35 |
> function reliably. |
| 36 |
|
| 37 |
The host should not crash when a VM does or when the storage assigned to VMs |
| 38 |
fills up. |
| 39 |
If it does, go back to the drawing board and fix your design. |
| 40 |
|
| 41 |
> And how much do you need to worry about the security of the VMs when you |
| 42 |
> build in a way for the users to bring the whole machine, or at least |
| 43 |
> random VMs, down by using the disk space which has been assigned to |
| 44 |
> them? The users are somewhat likely to do that even unintentionally, |
| 45 |
> the more the more you overcommit. |
| 46 |
|
| 47 |
See comment about monitoring. |
| 48 |
If all your users tend to fill up all available diskspace, you obviously can |
| 49 |
not overcommit on diskspace. |
| 50 |
|
| 51 |
> > Overcommitting memory is, i think, on the roadmap for Xen. (Disclaimer: At |
| 52 |
> > least, I seem to remember reading that somewhere) |
| 53 |
> |
| 54 |
> That would be a nice feature. |
| 55 |
|
| 56 |
For VDIs, I might consider using it. |
| 57 |
But considering most OSs tend to fill up all available memory with caches, I |
| 58 |
expect performance issues. |
| 59 |
|
| 60 |
> >> >> plus having to take care of a lot of VMs, |
| 61 |
> >> > |
| 62 |
> >> > Automated. |
| 63 |
> >> |
| 64 |
> >> Like how? |
| 65 |
> > |
| 66 |
> > How do you manage a large amount of physical machines? |
| 67 |
> > Just change physical to VMs and do it the same. |
| 68 |
> > With VMs you have more options for automation. |
| 69 |
> |
| 70 |
> Individually, in lack of a better way. Per user when it comes to |
| 71 |
> setting up their MUAs and the like, in lack of any better way. It |
| 72 |
> doesn't make a difference if it's a VM or not, provided that you have |
| 73 |
> remote access to the machine. |
| 74 |
|
| 75 |
This is where management tools come into play. (Same methods apply to physical |
| 76 |
and virtual) |
| 77 |
|
| 78 |
When talking MS Windows, domains with their policies are very useful. Couple |
| 79 |
that with WSUS for the patching and software distribution tools for the |
| 80 |
additional software installs, and you have a very nice setup. |
| 81 |
|
| 82 |
For Linux, I would recommend tools like Ansible or Puppet to control the |
| 83 |
software on the machines. |
| 84 |
|
| 85 |
For any OS, I would prevent my users from installing random software. And what |
| 86 |
is installed, would be mostly pre-configured out-of-the-box. |
| 87 |
|
| 88 |
> When you one VM for many users, you install the MUA only once, and when |
| 89 |
> you need to do updates, you do them only once. When you have many VMs, |
| 90 |
> like one for each user, you have to install and update many times, once |
| 91 |
> on each VM. |
| 92 |
|
| 93 |
Management tools. |
| 94 |
|
| 95 |
> > Depends on the requirements. It's cheaper then a few hundred seperate |
| 96 |
> > windows licenses. |
| 97 |
> |
| 98 |
> It's still more expensive than one, or than a handful, isn't it? |
| 99 |
|
| 100 |
The same cost applies to running physical boxes instead of VMs. |
| 101 |
|
| 102 |
> > Last time I had to fully reinstall a windows machine it took me a day to |
| 103 |
> > do |
| 104 |
> > all the updates. Microsoft even has server software that will keep them |
| 105 |
> > locally and push them to the clients. |
| 106 |
> |
| 107 |
> That would be useful to have. Where could I download that? |
| 108 |
> |
| 109 |
> Last time I installed a VM, it took a week until the updates where |
| 110 |
> finally installed, and you have to check on it every now and then to |
| 111 |
> find out if it's even doing anything at all. The time before, it wasn't |
| 112 |
> a VM but a very slow machine, and that also took a week. You can have |
| 113 |
> the fastest machine on the world and Windoze always manages to bring it |
| 114 |
> down to a slowness we wouldn't have accepted even 20 years ago. |
| 115 |
|
| 116 |
Google for "WSUS". |
| 117 |
It's been around for a very long time now (since 2005). |
| 118 |
|
| 119 |
> >> The hardware has already been replaced, and the problem persists. Other |
| 120 |
> >> machines of identical hardware that don't run xen don't show any issues. |
| 121 |
> > |
| 122 |
> > I still say the hardware is buggy. With replacing, I meant replace it with |
| 123 |
> > different hardware, not a different version of the same buggy stuff. |
| 124 |
> |
| 125 |
> The hardware is known to be 100% reliable by own experience for over a |
| 126 |
> year, for all the machines. Only when xen is running, the problem shows |
| 127 |
> up. |
| 128 |
> |
| 129 |
> Replacing the machine with another, identical one, allows to rule out |
| 130 |
> that the particular machine which was replaced has an issue and was very |
| 131 |
> easy to do, so that was a very reasonable second step after trying |
| 132 |
> different network cards. Three different network cards, from three |
| 133 |
> different manufactures, lead to the same error message. |
| 134 |
> |
| 135 |
> Googling the error message shows that quite a few ppl, with entirely |
| 136 |
> different hardware, usually not running xen, have had the same message |
| 137 |
> with very similar symptoms. |
| 138 |
> |
| 139 |
> This currently leaves these possibilities: |
| 140 |
> |
| 141 |
> |
| 142 |
> 1.) Xen doesn't work with this hardware. |
| 143 |
|
| 144 |
Xen doesn't touch the network interfaces, it's the host that handles that. |
| 145 |
|
| 146 |
> 2.) The problem might somehow be caused by an SSD. |
| 147 |
|
| 148 |
Network issues caused by SSD? |
| 149 |
Sounds like buggy hardware, replace. |
| 150 |
|
| 151 |
> 3.) The error message is actually true and something yet unknown is |
| 152 |
> going on on the network. |
| 153 |
> |
| 154 |
> 4.) The problem may have been fixed a while ago in the kernel and has |
| 155 |
> not been fixed in the xen kernel. |
| 156 |
|
| 157 |
Xen kernel? |
| 158 |
I use hardened-sources or gentoo-sources for the host. |
| 159 |
Which Xen kernel are you talking about? |
| 160 |
|
| 161 |
> 5.) The gplpv drivers the VMs use cause the problem. |
| 162 |
|
| 163 |
Contact the developer to get a debug-version. |
| 164 |
|
| 165 |
> 6.) It's an issue with power management since the problem occurs when |
| 166 |
> the machine and the VMs are not used/busy, at night. Disabling the |
| 167 |
> power management for the network card has not made a difference, |
| 168 |
> though. |
| 169 |
|
| 170 |
Powermanagement of the switches? |
| 171 |
|
| 172 |
> 3.) is currently being worked on. It needs to be figured out and, if |
| 173 |
> there's something weird going on, to be solved in any case. 6.) seems |
| 174 |
> unlikely, 1.) and 2.) can be decided when the the hardware is replaced |
| 175 |
> with something entirely different, which is the most painful and most |
| 176 |
> time-consuming option. That would leave 4.) and 5.), and 3.) if 3.) |
| 177 |
> cannot be resolved. |
| 178 |
> |
| 179 |
> It's easy to say that "the hardware is buggy". I'm not convinced that |
| 180 |
> it is. In any case, you can always run into a situation in which xen |
| 181 |
> doesn't work as well as you might wish or have experienced so far. |
| 182 |
|
| 183 |
Hardware should do what it's designed to do. |
| 184 |
If it can't handle the function it is build for, it's buggy. |
| 185 |
|
| 186 |
|
| 187 |
> >> It's time consuming when you have to reinstall the VMs to migrate them |
| 188 |
> >> to kvm. And when you don't have the installers of all the software |
| 189 |
> >> that's on some of the VMs and can't get them, you either have to run |
| 190 |
> >> them without virtio drivers or you can't migrate them. |
| 191 |
> > |
| 192 |
> > There are Howtos on the internet describing how to migrate VMs from 1 |
| 193 |
> > technology to another. Shouldn't be too hard. |
| 194 |
> |
| 195 |
> I looked for them. Did you find one that tells you how to install |
| 196 |
> the virtio drivers on an existing Windoze 7 VM and that actually works? |
| 197 |
> It's already very difficult to get rid of gplpv drivers. |
| 198 |
|
| 199 |
The following usually works: |
| 200 |
Boot up in safe mode, delete the drivers, reboot, install virtio, reboot. |
| 201 |
|
| 202 |
> > And keeping the installers at hand is, in my opinion, a requirement of |
| 203 |
> > sane |
| 204 |
> > system management. |
| 205 |
> > I have installers for all the versions of software I deal with. |
| 206 |
> |
| 207 |
> Indeed --- but some predecessor decided not to keep an installer which |
| 208 |
> would be required and is now unavailable. So the only options are to |
| 209 |
> leave the VM running under xen or to run it under KVM without virtio |
| 210 |
> drivers. The latter is bad idea because the application the installer |
| 211 |
> would be needed for already has severe performance problems built in, |
| 212 |
> and making it worse isn't a good idea. |
| 213 |
|
| 214 |
Request installers from the original source? |
| 215 |
Or consider it legacy and migrate away soonish. |
| 216 |
What is your recovery plan if the server it's on dies a horrible death? |
| 217 |
|
| 218 |
> >> > The biggest reason why I don't use KVM is the lack of full snapshot |
| 219 |
> >> > functionality. Snapshotting disks is nice, but you end up with an |
| 220 |
> >> > unclean- |
| 221 |
> >> > shutdown situation and anything that's not yet committed to disk is |
| 222 |
> >> > gone. |
| 223 |
> >> |
| 224 |
> >> I'm not sure what you mean. When you take a snapshot while the VM is not |
| 225 |
> >> shut down, what difference does it make whether you use xen or kvm? |
| 226 |
> > |
| 227 |
> > A "snapshot" for KVM is ONLY the disks. |
| 228 |
> > With Xen, VMWare and Virtualbox, I can also make a snapshot/copy of what's |
| 229 |
> > in memory. It's that which makes the difference. |
| 230 |
> |
| 231 |
> Is that possible without freezing the VM while you make a snapshot of |
| 232 |
> the memory? |
| 233 |
|
| 234 |
No |
| 235 |
|
| 236 |
> If not, how is it so much better than shutting the VM down? |
| 237 |
|
| 238 |
It's faster in most cases. |
| 239 |
Exception being, the VM having such a large amount of memory assigned that the |
| 240 |
disk-I/O to store the memory takes longer than a reboot. |
| 241 |
|
| 242 |
Or, in my usual use-case for needing snapshots, is in the middle of a lengthy |
| 243 |
manual process, I want to take a snapshot of the current situation and a |
| 244 |
reboot at that point in time will actually cause issues. |
| 245 |
The software being used is usually in memory and a disk-only snapshot (eg. |
| 246 |
system crashed simulation when restoring) will mean I can start over. |
| 247 |
|
| 248 |
> >> >> Then there's the question how well vnc or spice connections work over |
| 249 |
> >> >> a |
| 250 |
> >> >> VPN that goes over the internet. |
| 251 |
> >> > |
| 252 |
> >> > VNC works quite well, as long as you use a minimal desktop. (like |
| 253 |
> >> > blackbox). Don't expect KDE or Gnome to be usable. |
| 254 |
> >> > I haven't tried Spice yet, but I've read that it performs better. |
| 255 |
> >> |
| 256 |
> >> It's not like you had a choice when you have Windoze VMs. |
| 257 |
> > |
| 258 |
> > Windows has RDP, which is a lot better than VNC. Especially when dealing |
| 259 |
> > with low-bandwidth connections. |
| 260 |
> |
| 261 |
> Wasn't RPD deprecated earlier in this discussion because it seemed to be |
| 262 |
> not sufficiently secure? |
| 263 |
|
| 264 |
Login to the RDP session can be linked to 2FA or smart-cards which need to be |
| 265 |
plugged into the laptop. |
| 266 |
Don't ask me how, but I have seen it work. |
| 267 |
|
| 268 |
Couple that with a VPN (Which I consider an absolute must when allowing |
| 269 |
employees to work from elsewhere via the internet). |
| 270 |
|
| 271 |
It can be made more secure than a simple VNC or NX connection. |
| 272 |
|
| 273 |
> >> > That depends on where you are. |
| 274 |
> >> |
| 275 |
> >> In this country, you have to be really lucky to find a place where you |
| 276 |
> >> can get a decent internet connection. |
| 277 |
> > |
| 278 |
> > Then in your country, working from home might not be the best option. |
| 279 |
> |
| 280 |
> That probably goes for most countries. |
| 281 |
|
| 282 |
Probably, I tend to only deal with countries in Europe and the US. This does |
| 283 |
make me less clued up of the reality in other regions. |
| 284 |
|
| 285 |
> >> > The company could host the servers in a decent datacentre, which should |
| 286 |
> >> > take care of the bandwidth issues. |
| 287 |
> >> |
| 288 |
> >> And give all their data out of hands? And how much does that cost? |
| 289 |
> > |
| 290 |
> > I'm talking about putting your own hardware there, not letting the |
| 291 |
> > datacentre company access to the servers. |
| 292 |
> |
| 293 |
> How could they reside in a datacenter without the ppl there having |
| 294 |
> physical access to them? |
| 295 |
|
| 296 |
Locked cages which you provide and control access to? |
| 297 |
If you're worried about people sniffing encrypted network traffic, I would say, |
| 298 |
good luck building your own secure WAN. |
| 299 |
|
| 300 |
> >> > For the employees, if they want to work from home, it's up to them to |
| 301 |
> >> > ensure they have a reliable connection. |
| 302 |
> >> |
| 303 |
> >> It is as much problem of the company when they want the employees to |
| 304 |
> >> work at home. And the employees don't have a choice, they can only get |
| 305 |
> >> a connection they can get. |
| 306 |
> > |
| 307 |
> > If the company insists people work from home, they need to ensure the |
| 308 |
> > employees have the option for a usable connection. Most companies I deal |
| 309 |
> > with leave working from home as an option to the employees. |
| 310 |
> |
| 311 |
> Sometimes it's not an option, and there isn't anything a company could |
| 312 |
> do to improve what internet connection an employee can get, unless |
| 313 |
> they'd spend huge amounts of money to put cables or fiber glass into the |
| 314 |
> ground, provided that they'd get the permissions for that. |
| 315 |
|
| 316 |
Then the company doesn't have the right to force it onto their employees. |
| 317 |
|
| 318 |
> Sooner or later, it might become very difficult to find anyone who's |
| 319 |
> still willing to spend all the time and money it takes to commute, or |
| 320 |
> someone who can still afford it at all, and it might become difficult to |
| 321 |
> find an employer willing to spend the money it takes to provide the |
| 322 |
> employees with offices. |
| 323 |
|
| 324 |
True, but if you end up paying for the privilege to work, why work at all? |
| 325 |
If I would end up with a negative balance because my costs are more then my |
| 326 |
income, I would quit on the spot and actually be better off. |
| 327 |
|
| 328 |
> When you consider the enormous amount of resources that are wasted for |
| 329 |
> commuting in an economy and that some economies might start to gain an |
| 330 |
> advantage over others by letting ppl work from their homes and by thus |
| 331 |
> becoming able to make more competitive offers to their customers, you |
| 332 |
> might come to think that it won't take very long before almost everyone |
| 333 |
> must work at their home. So this isn't a problem of a company, or some |
| 334 |
> companies, it's a problem for all companies and all employees, as it is |
| 335 |
> a problem for all economies and all countries. |
| 336 |
|
| 337 |
Countries where the infrastructure already exists will have this as an |
| 338 |
advantage. Currently, these are also the countries with the higher wages. |
| 339 |
If low-salary countries want to be able to compete on that level, the leaders |
| 340 |
of those countries should invest in the infrastructure, instead of their own |
| 341 |
fleet of expensive cars, private planes, castles,.... |
| 342 |
|
| 343 |
> >> >> It might work in theory. How would it be feasible in practise? |
| 344 |
> >> > |
| 345 |
> >> > Plenty of companies do it this way. If you don't want to pay for |
| 346 |
> >> > software |
| 347 |
> >> > like XenDesktop, you need to do all the work setting it up yourself. |
| 348 |
> >> |
| 349 |
> >> VNC is somewhat slow over a 1Gbit LAN. Did they find some way to |
| 350 |
> >> overcome this problem? |
| 351 |
> > |
| 352 |
> > Depends on the settings. |
| 353 |
> |
| 354 |
> Well, yes, I guess you can send something like 640x480 with some minimum |
| 355 |
> content that changes as little as possible with less trouble over an |
| 356 |
> internet connection than something one can actually work with. |
| 357 |
|
| 358 |
Try, lower quality, like less colours. |
| 359 |
When configured for LAN-settings, a 640x480 VNC session will perform worse then |
| 360 |
a 1280x1024 VNC session configured for 58k. |
| 361 |
Difference is, the larger screen looks horrible, but I can still work on it. |
| 362 |
|
| 363 |
> >> This sounds like it is for people with unlimited resources. |
| 364 |
> >> |
| 365 |
> >> BTW, access a VM through VNC, and you don't even have any way to make |
| 366 |
> >> the mouse pointer in the VNC window actually follow the mouse pointer |
| 367 |
> >> you're using, which makes it rather annoying to do anything in the VM |
| 368 |
> >> you're looking at. If you found a solution for that, I'd be curious as |
| 369 |
> >> to how you solved this problem. |
| 370 |
> > |
| 371 |
> > There is, it's even documented. |
| 372 |
> > I'm assuming you are talking about the VNC-console Xen provides? |
| 373 |
> > |
| 374 |
> > Configure the mouse to be a tablet in the VM config and the issue |
| 375 |
> > disappears. |
| 376 |
> Thanks, I can try that. I haven't seen this documented anywhere yet. |
| 377 |
|
| 378 |
Google for "xen vnc mouse out of sync" |
| 379 |
|
| 380 |
First hit: |
| 381 |
http://www.virtuatopia.com/index.php/Xen_mouse_pointer_appears_in_the_wrong_position_in_VNC_console |
| 382 |
|
| 383 |
Second hit: |
| 384 |
http://xen.1045712.n5.nabble.com/vnc-mouse-out-of-sync-td2588371.html |
| 385 |
(See 1st reply) |
| 386 |
|
| 387 |
-- |
| 388 |
Joost |
Archives