Published: 23 Jun 2009
Let's face it: Many virtualization administrators fail to pay adequate attention to security, resource requirements and virtual machine monitoring tasks that their virtualization environments require. But giving these factors short shrift can invite security breaches, virtual machine (VM) performance problems and system downtime. Monitoring your virtualization environment is the cornerstone of maintaining your infrastructure's health.
In the first two parts of this series, we discussed how to plan a virtualization project, then how to build and configure a virtual environment. In this, part three of a four-article series on virtualization deployment projects, we outline how to secure, populate and monitor your virtual environment.
Securing your virtual environment
When implementing a virtual environment, admins often fail to take the time to properly secure the environment, which is a big mistake. Most bare-metal hypervisors are reasonably secure out of the box, but there is always room for improvement. In addition, it's fairly simple to make a hypervisor less secure by changing default settings or misconfiguration. Security is amplified in a virtual environment, where a single physical server runs many virtual servers, and inadequate security on a physical server can directly affect the security of all virtual servers running on that host.
Traditional security practices don't always apply to virtual environments, and there are special considerations of which you should be aware. Therefore, you must take the time to understand security in virtual environments and apply recommended security settings to all the components that make up your virtualization environment, including hosts, VMs, networks and management servers.
Protecting host servers cannot be emphasized enough. Think of a host server as a castle with virtual machines protected inside that castle. If an attacker compromises your castle's defenses, he gains free access to everything inside as well. You should do everything you can to make sure your castle's defenses are adequate, and do not forget to put water in the moat and raise the drawbridge. To do so, many third-party vendors offer security products specifically to monitor and secure VMs, hosts and virtual networks.
Many security administrators are wary of virtual hosts because of the increased security risks and also some misperceptions about what makes VMs insecure. Take the time to explain to your security team how security works in a virtual environment. Also, outline the extra steps you have taken to further protect hosts and virtual machines. Once you educate them about virtual security, they should be more comfortable and willing to work with you.
Populating your virtual environment
Virtual machines are easy to create - in fact, too easy. But in fact, VMs can cause substantial problems once they propagate. One of the biggest problems in virtual environments is VM sprawl, or the uncontrolled growth of virtual machines in a virtual environment. Star Trek fans may recall how the cuddly aliens in the popular episode "The Trouble with Tribbles" reproduced so quickly that they threatened to overwhelm the host ship's food supplies. VM sprawl is similar, in that virtual machines often get created without regard for the resources that they consume and, thus, these VMs can overwhelm the host server's resources.
To address sprawl, you can implement one of the many products that support chargeback and creating reports on resource usage for virtual environments. In addition, limiting the number of people who can create virtual machines and establishing a formal process for requesting new virtual machines can prevent sprawl and unmonitored virtual machines. You should consider requiring justification for requests for any new virtual machines and institute an approval process to force users to think twice about whether they need to create a new VM. Finally, creating resource pools can help limit the amount of resources available on your host servers for new virtual machines.
It's important to control sprawl early on. Otherwise, before you know it, you may use all your host resources and create bottlenecks that reduce the performance of virtual machines. IT pros need to be made aware that virtual machines are not free and that they bring an associated cost, regardless of how they are configured. Having tight controls on your virtual environment is the key to limiting the unnecessary growth of virtual machines on host servers.
Monitoring your virtual environment
Monitoring a virtualization environment is important to ensure that it stays healthy and functions properly. Often, problems may not be obvious, and a good monitoring system alerts you to problems so they can be resolved. In virtual environments, even small problems can have major effects because so many virtual machines run on a single host, and all these VMs contend for that host's resources. So it's important not to ignore monitoring; without it, your virtual environment may be trying to tell you something that you can't hear because you're not listening.
There are several things that you should monitor, such as performance, server hardware and virtualization software-specific alarms and events. Host hardware failures can be disruptive in virtual environments despite technologies such as high availability (HA) and fault tolerance designed to minimize system downtime. Knowing when a fan, drive or memory module has failed so you can take action can minimize disruption to your environment.
In virtualization environments, monitoring the performance of hosts and virtual machines is essential because many VMs compete for host resources, and a single bottleneck can greatly undermine the performance of VMs. Resource bottlenecks are not always obvious, and monitoring the performance of hosts can help identify lurking bottlenecks that need correction. When monitoring performance of virtual machines, you should rely on tools that are designed for virtual environments because many operating system tools such as Windows Performance Monitor are not aware of the underlying virtualization layer and can provide inaccurate results on certain counters and measurements.
The root causes of performance issues are often not obvious and can have a ripple effect on many virtual machines and host servers. So you should configure monitoring in your environment and understand the metrics and data that are reported to proactively eliminate bottlenecks and problems. Also consider the many third-party monitoring and reporting tools available. These tools are more robust and powerful than the tools that are built into virtualization products and greatly enhance monitoring abilities.
|Eric Siebert, is a 25-year IT veteran who specializes in Windows and VMware system administration. He is a guru-status moderator on the VMware community VMTN forums and maintains VMware-land.com, a VI3 information site. He is also the author of the upcoming book VI3 Implementation and Administration , which is due out in June 2009 from Pearson Publishing. Siebert is also a regular on VMware's weekly VMTN Roundtable podcast.|