On Wednesday, January 20, 2016 01:46:29 AM lee wrote:
> "J. Roeleveld" <joost@××××××××.org> writes:
> > On Tuesday, January 19, 2016 01:46:45 AM lee wrote:
> >> "J. Roeleveld" <joost@××××××××.org> writes:
> >> > On Monday, January 18, 2016 02:02:27 AM lee wrote:
> >> >> "J. Roeleveld" <joost@××××××××.org> writes:

> >> >
> >> > Yes
> >> >
> >> >> That would be a huge waste of resources,
> >> >
> >> > Disk space and CPU can easily be overcommitted.
> >>
> >> Overcommitting disk space sounds like a very bad idea. Overcommitting
> >> memory is not possible with xen.
> >
> > Overcommitting disk space isn't such a bad idea, considering most installs
> > never utilize all the available disk space.
>
> When they do not use it anyway, there is no reason to give it to them in
> the first place. And when they do use it, how do the VMs handle the
> problem that they have plenty of disk space available, from their point of
> view, while the host which they don't know about doesn't allow them to
> use it?

One word: monitoring.
When you overcommit any resource, you need to put monitoring in place.
Then you also need to ensure you have the ability to increase that resource
when required.

> Besides, overcommitting disk space means to intentionally create a setup
> which involves that the host can run out of disk space easily. That is
> not something I would want to create for a host which is required to
> function reliably.

The host should not crash when a VM does or when the storage assigned to VMs
fills up.
If it does, go back to the drawing board and fix your design.

> And how much do you need to worry about the security of the VMs when you
> build in a way for the users to bring the whole machine, or at least
> random VMs, down by using the disk space which has been assigned to
> them? The users are somewhat likely to do that even unintentionally,
> the more so the more you overcommit.

See comment about monitoring.
If all your users tend to fill up all available disk space, you obviously can
not overcommit on disk space.

> > Overcommitting memory is, I think, on the roadmap for Xen. (Disclaimer: At
> > least, I seem to remember reading that somewhere)
>
> That would be a nice feature.

For VDIs, I might consider using it.
But considering most OSs tend to fill up all available memory with caches, I
expect performance issues.

> >> >> plus having to take care of a lot of VMs,
> >> >
> >> > Automated.
> >>
> >> Like how?
> >
> > How do you manage a large amount of physical machines?
> > Just change physical to VMs and do it the same.
> > With VMs you have more options for automation.
>
> Individually, in lack of a better way. Per user when it comes to
> setting up their MUAs and the like, in lack of any better way. It
> doesn't make a difference if it's a VM or not, provided that you have
> remote access to the machine.

This is where management tools come into play. (Same methods apply to physical
and virtual.)

When talking MS Windows, domains with their policies are very useful. Couple
that with WSUS for the patching and software distribution tools for the
additional software installs, and you have a very nice setup.

For Linux, I would recommend tools like Ansible or Puppet to control the
software on the machines.

For any OS, I would prevent my users from installing random software. And what
is installed would be mostly pre-configured out-of-the-box.

> When you have one VM for many users, you install the MUA only once, and when
> you need to do updates, you do them only once. When you have many VMs,
> like one for each user, you have to install and update many times, once
> on each VM.

Management tools.

> > Depends on the requirements. It's cheaper than a few hundred separate
> > windows licenses.
>
> It's still more expensive than one, or than a handful, isn't it?

The same cost applies to running physical boxes instead of VMs.

> > Last time I had to fully reinstall a windows machine it took me a day to
> > do all the updates. Microsoft even has server software that will keep them
> > locally and push them to the clients.
>
> That would be useful to have. Where could I download that?
>
> Last time I installed a VM, it took a week until the updates were
> finally installed, and you have to check on it every now and then to
> find out if it's even doing anything at all. The time before, it wasn't
> a VM but a very slow machine, and that also took a week. You can have
> the fastest machine in the world and Windoze always manages to bring it
> down to a slowness we wouldn't have accepted even 20 years ago.

Google for "WSUS".
It's been around for a very long time now (since 2005).

> >> The hardware has already been replaced, and the problem persists. Other
> >> machines of identical hardware that don't run xen don't show any issues.
> >
> > I still say the hardware is buggy. With replacing, I meant replace it with
> > different hardware, not a different version of the same buggy stuff.
>
> The hardware is known to be 100% reliable by own experience for over a
> year, for all the machines. Only when xen is running, the problem shows
> up.
>
> Replacing the machine with another, identical one, allows ruling out
> that the particular machine which was replaced has an issue and was very
> easy to do, so that was a very reasonable second step after trying
> different network cards. Three different network cards, from three
> different manufacturers, led to the same error message.
>
> Googling the error message shows that quite a few ppl, with entirely
> different hardware, usually not running xen, have had the same message
> with very similar symptoms.
>
> This currently leaves these possibilities:
>
>
> 1.) Xen doesn't work with this hardware.

Xen doesn't touch the network interfaces, it's the host that handles that.

> 2.) The problem might somehow be caused by an SSD.

Network issues caused by SSD?
Sounds like buggy hardware, replace.

> 3.) The error message is actually true and something yet unknown is
> going on on the network.
>
> 4.) The problem may have been fixed a while ago in the kernel and has
> not been fixed in the xen kernel.

Xen kernel?
I use hardened-sources or gentoo-sources for the host.
Which Xen kernel are you talking about?

> 5.) The gplpv drivers the VMs use cause the problem.

Contact the developer to get a debug version.

> 6.) It's an issue with power management since the problem occurs when
> the machine and the VMs are not used/busy, at night. Disabling the
> power management for the network card has not made a difference,
> though.

Power management of the switches?

> 3.) is currently being worked on. It needs to be figured out and, if
> there's something weird going on, to be solved in any case. 6.) seems
> unlikely, 1.) and 2.) can be decided when the hardware is replaced
> with something entirely different, which is the most painful and most
> time-consuming option. That would leave 4.) and 5.), and 3.) if 3.)
> cannot be resolved.
>
> It's easy to say that "the hardware is buggy". I'm not convinced that
> it is. In any case, you can always run into a situation in which xen
> doesn't work as well as you might wish or have experienced so far.

Hardware should do what it's designed to do.
If it can't handle the function it is built for, it's buggy.

> >> It's time consuming when you have to reinstall the VMs to migrate them
> >> to kvm. And when you don't have the installers of all the software
> >> that's on some of the VMs and can't get them, you either have to run
> >> them without virtio drivers or you can't migrate them.
> >
> > There are Howtos on the internet describing how to migrate VMs from one
> > technology to another. Shouldn't be too hard.
>
> I looked for them. Did you find one that tells you how to install
> the virtio drivers on an existing Windoze 7 VM and that actually works?
> It's already very difficult to get rid of gplpv drivers.

The following usually works:
Boot up in safe mode, delete the drivers, reboot, install virtio, reboot.

> > And keeping the installers at hand is, in my opinion, a requirement of
> > sane system management.
> > I have installers for all the versions of software I deal with.
>
> Indeed --- but some predecessor decided not to keep an installer which
> would be required and is now unavailable. So the only options are to
> leave the VM running under xen or to run it under KVM without virtio
> drivers. The latter is a bad idea because the application the installer
> would be needed for already has severe performance problems built in,
> and making it worse isn't a good idea.

Request installers from the original source?
Or consider it legacy and migrate away soonish.
What is your recovery plan if the server it's on dies a horrible death?

> >> > The biggest reason why I don't use KVM is the lack of full snapshot
> >> > functionality. Snapshotting disks is nice, but you end up with an
> >> > unclean-shutdown situation and anything that's not yet committed to
> >> > disk is gone.
> >>
> >> I'm not sure what you mean. When you take a snapshot while the VM is not
> >> shut down, what difference does it make whether you use xen or kvm?
> >
> > A "snapshot" for KVM is ONLY the disks.
> > With Xen, VMWare and Virtualbox, I can also make a snapshot/copy of what's
> > in memory. It's that which makes the difference.
>
> Is that possible without freezing the VM while you make a snapshot of
> the memory?

No.

> If not, how is it so much better than shutting the VM down?

It's faster in most cases.
The exception being the VM having such a large amount of memory assigned that
the disk I/O to store the memory takes longer than a reboot.

Or, in my usual use case for needing snapshots, I am in the middle of a lengthy
manual process, I want to take a snapshot of the current situation, and a
reboot at that point in time will actually cause issues.
The software being used is usually in memory, and a disk-only snapshot (e.g. a
simulated system crash when restoring) will mean I can start over.

> >> >> Then there's the question how well vnc or spice connections work over
> >> >> a VPN that goes over the internet.
> >> >
> >> > VNC works quite well, as long as you use a minimal desktop (like
> >> > blackbox). Don't expect KDE or Gnome to be usable.
> >> > I haven't tried Spice yet, but I've read that it performs better.
> >>
> >> It's not like you had a choice when you have Windoze VMs.
> >
> > Windows has RDP, which is a lot better than VNC. Especially when dealing
> > with low-bandwidth connections.
>
> Wasn't RDP deprecated earlier in this discussion because it seemed to be
> not sufficiently secure?

Login to the RDP session can be linked to 2FA or smart cards which need to be
plugged into the laptop.
Don't ask me how, but I have seen it work.

Couple that with a VPN (which I consider an absolute must when allowing
employees to work from elsewhere via the internet).

It can be made more secure than a simple VNC or NX connection.

> >> > That depends on where you are.
> >>
> >> In this country, you have to be really lucky to find a place where you
> >> can get a decent internet connection.
> >
> > Then in your country, working from home might not be the best option.
>
> That probably goes for most countries.

Probably, I tend to only deal with countries in Europe and the US. This does
make me less clued up about the reality in other regions.

> >> > The company could host the servers in a decent datacentre, which should
> >> > take care of the bandwidth issues.
> >>
> >> And give all their data out of hands? And how much does that cost?
> >
> > I'm talking about putting your own hardware there, not giving the
> > datacentre company access to the servers.
>
> How could they reside in a datacenter without the ppl there having
> physical access to them?

Locked cages which you provide and control access to?
If you're worried about people sniffing encrypted network traffic, I would say,
good luck building your own secure WAN.

> >> > For the employees, if they want to work from home, it's up to them to
> >> > ensure they have a reliable connection.
> >>
> >> It is as much a problem of the company when they want the employees to
> >> work at home. And the employees don't have a choice, they can only get
> >> the connection they can get.
> >
> > If the company insists people work from home, they need to ensure the
> > employees have the option for a usable connection. Most companies I deal
> > with leave working from home as an option to the employees.
>
> Sometimes it's not an option, and there isn't anything a company could
> do to improve what internet connection an employee can get, unless
> they'd spend huge amounts of money to put cables or fiber glass into the
> ground, provided that they'd get the permissions for that.

Then the company doesn't have the right to force it onto their employees.

> Sooner or later, it might become very difficult to find anyone who's
> still willing to spend all the time and money it takes to commute, or
> someone who can still afford it at all, and it might become difficult to
> find an employer willing to spend the money it takes to provide the
> employees with offices.

True, but if you end up paying for the privilege to work, why work at all?
If I would end up with a negative balance because my costs are more than my
income, I would quit on the spot and actually be better off.

> When you consider the enormous amount of resources that are wasted for
> commuting in an economy and that some economies might start to gain an
> advantage over others by letting ppl work from their homes and by thus
> becoming able to make more competitive offers to their customers, you
> might come to think that it won't take very long before almost everyone
> must work at their home. So this isn't a problem of a company, or some
> companies, it's a problem for all companies and all employees, as it is
> a problem for all economies and all countries.

Countries where the infrastructure already exists will have this as an
advantage. Currently, these are also the countries with the higher wages.
If low-salary countries want to be able to compete on that level, the leaders
of those countries should invest in the infrastructure, instead of their own
fleet of expensive cars, private planes, castles, ...

> >> >> It might work in theory. How would it be feasible in practice?
> >> >
> >> > Plenty of companies do it this way. If you don't want to pay for
> >> > software like XenDesktop, you need to do all the work setting it up
> >> > yourself.
> >>
> >> VNC is somewhat slow over a 1Gbit LAN. Did they find some way to
> >> overcome this problem?
> >
> > Depends on the settings.
>
> Well, yes, I guess you can send something like 640x480 with some minimum
> content that changes as little as possible with less trouble over an
> internet connection than something one can actually work with.

Try lower quality, like fewer colours.
When configured for LAN settings, a 640x480 VNC session will perform worse than
a 1280x1024 VNC session configured for 58k.
The difference is, the larger screen looks horrible, but I can still work on it.

> >> This sounds like it is for people with unlimited resources.
> >>
> >> BTW, access a VM through VNC, and you don't even have any way to make
> >> the mouse pointer in the VNC window actually follow the mouse pointer
> >> you're using, which makes it rather annoying to do anything in the VM
> >> you're looking at. If you found a solution for that, I'd be curious as
> >> to how you solved this problem.
> >
> > There is, it's even documented.
> > I'm assuming you are talking about the VNC console Xen provides?
> >
> > Configure the mouse to be a tablet in the VM config and the issue
> > disappears.
>
> Thanks, I can try that. I haven't seen this documented anywhere yet.

Google for "xen vnc mouse out of sync"

First hit:
http://www.virtuatopia.com/index.php/Xen_mouse_pointer_appears_in_the_wrong_position_in_VNC_console

Second hit:
http://xen.1045712.n5.nabble.com/vnc-mouse-out-of-sync-td2588371.html
(See 1st reply)

--
Joost
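Joost's answer to the over-commit objection is "monitoring". The following is an added example and not code from the thread or from either poster: a POSIX shell check for LVM thin pools, which is one common way disk space ends up over-committed on a Xen or KVM host. It assumes the guests' disks are thin volumes and parses the output of `lvs` (the rows below are constructed sample data, and the pool and volume names are made up). For each pool it reports how far the sizes handed to the guests exceed what the pool can actually hold, and alerts when the pool's real fill level crosses a threshold, which is the point where lee's scenario of guests that "have plenty of disk space" from their own point of view turns into a host-side outage.

```shell
#!/bin/sh
# Added example (not from the thread): report over-committed LVM thin pools and
# alert before one fills up. Assumes VM disks are thin volumes. Real input is:
#   lvs --noheadings --separator '|' --units g --nosuffix \
#       -o lv_name,pool_lv,lv_size,data_percent | check_thin_pools
# A thin pool row has an empty pool_lv and data_percent is the pool's fill level;
# a thin volume row names its pool in pool_lv and lv_size is what the guest sees.

FILL_WARN=${FILL_WARN:-80}   # alert once a pool's real data usage is at/over this %

# Reads lvs rows on stdin, prints one line per pool, exits 1 if any pool alerts.
check_thin_pools() {
    awk -F'|' -v warn="$FILL_WARN" '
    {
        for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)   # lvs pads fields
        name = $1; pool = $2; size = $3 + 0; pct = $4 + 0
        if (pool == "") {            # the pool itself
            pool_size[name] = size; pool_pct[name] = pct
        } else {                     # a volume carved from a pool
            committed[pool] += size
        }
    }
    END {
        status = 0
        for (p in pool_size) {
            ratio = (pool_size[p] > 0) ? committed[p] / pool_size[p] : 0
            state = (pool_pct[p] >= warn) ? "ALERT" : "ok"
            if (state == "ALERT") status = 1
            printf "%s pool=%s size=%.0fG committed=%.0fG overcommit=%.2fx used=%.1f%%\n",
                   state, p, pool_size[p], committed[p], ratio, pool_pct[p]
        }
        exit status
    }'
}

# Constructed sample standing in for lvs output: tp_vms is 1.4x over-committed but
# only 62% full; tp_lab is 1.6x over-committed and 91% full, i.e. the guests on it
# believe they have far more room than the host can still give them.
sample_lvs_output() {
    cat <<'EOF'
  tp_vms      |        | 500.00 | 62.40
  win7-alice  | tp_vms | 200.00 | 71.10
  win7-bob    | tp_vms | 200.00 | 48.30
  mail-gw     | tp_vms | 300.00 | 24.60
  tp_lab      |        | 100.00 | 91.20
  lab-01      | tp_lab |  80.00 | 66.00
  lab-02      | tp_lab |  80.00 | 48.00
EOF
}

# Demo run; on a real host replace sample_lvs_output with the lvs command above.
sample_lvs_output | check_thin_pools || echo "at least one thin pool needs attention"
```

The over-commit ratio on its own is not the alarm: a pool handed out at 1.4x that sits at 62% is exactly the "most installs never utilize all the available disk space" case, and only the real fill level decides whether the host is about to run out. Run it from cron with FILL_WARN set below the point at which you can still grow the pool, since the non-zero exit is what a monitoring system should page on.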
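The fix Joost points lee to for the VNC console, "configure the mouse to be a tablet in the VM config", as an added example rather than the thread's own text or the pages it links: a POSIX shell function that switches an HVM domain's xl config to the absolute-position tablet pointer so the cursor in the Xen VNC console tracks the local one. It assumes the xl.cfg string form `usbdevice = "tablet"` together with `usb = 1`, replaces any earlier `usbdevice` setting (for instance the relative `mouse`, which is what causes the drift), and can be run repeatedly without duplicating lines; the domain config it edits is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): make a Xen HVM domain use a tablet
# pointer so the VNC console cursor tracks the local one. Writes the xl.cfg
# string form; the list form usbdevice=[ "tablet" ] is not handled here.

# Rewrite CFG so that it contains exactly one usb = 1 and one usbdevice = "tablet"
# line, dropping any earlier usb/usbdevice setting (e.g. usbdevice = "mouse").
enable_tablet_pointer() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such config: $cfg" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # grep -v exits 1 when it drops every line; that is not an error here
    grep -v -E '^[[:space:]]*(usb|usbdevice)[[:space:]]*=' "$cfg" > "$tmp" || true
    printf '%s\n' 'usb = 1' 'usbdevice = "tablet"' >> "$tmp"
    cat "$tmp" > "$cfg" && rm -f "$tmp"
}

# True when CFG already requests the tablet pointer.
has_tablet_pointer() {
    grep -q -E '^[[:space:]]*usbdevice[[:space:]]*=[[:space:]]*"tablet"' "$1"
}

# Constructed sample config (not a real domain): starts with the relative mouse,
# which is the setting that makes the VNC pointer wander off.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
name = "win7-demo"
builder = "hvm"
memory = 2048
vnc = 1
usb = 1
usbdevice = "mouse"
EOF

has_tablet_pointer "$demo_cfg" || enable_tablet_pointer "$demo_cfg"
grep -E '^(usb|usbdevice)' "$demo_cfg"    # shows: usb = 1 / usbdevice = "tablet"
```

The change only takes effect on the next domain start, so apply it while the guest is down and check the result with `has_tablet_pointer` before booting it again.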