Overview of the Citrix XenServer 7.1 Hypervisor Innovations
In the previous article, I briefly described the main innovations of XenServer 7.1. Today we will dwell on the improvements of the seventh version of XenServer and additions to 7.1. Interested please under the cat.
So, let's go through the main innovations of the seventh generation of Citrix XenServer:
I. First of all, it is worth noting the improvements made to optimize the installation of specialized virtualization tools that previously needed to be installed independently. Now they can be installed via the built-in Windows Update Downloader from the repository of this OS. The main problem with installing XenTools arises in a situation where the number of virtual machines is in the hundreds. Usually it looked like this: mount the disk image with XenTools, run the executable file for installation, Windows restarts and completes the installation of virtualization tools. But in a situation where a large number of VMs are running on one XenServer or we have several hypervisors, installation becomes a big problem for the final customer (and especially the network administrator). In XenServer 7, another option is implemented: Windows installed on the hypervisor determines where it is installed, downloads the necessary utilities in order to manage the operating system of the virtual machine with Windows Update. As a result, the administrator does not need to manually install updates for each machine. However, it is worth considering that this option is valid only for the Enterprise edition of XenServer.
Ii. Integration of the hypervisor with Citrix Insight Services is now available, which makes it possible to obtain an analysis of the existing infrastructure and errors, even if the customer does not have an official contract for Citrix technical support. Insight Services is open to all users, including free editions, and if the customer has a need to check the virtual infrastructure for errors, he can already diagnose himself at the initial stage. Using the account for cis.citrix.com , the administrator connects to the service via XenServer, selects the desired action in the appropriate menu, and the server sends logs to Citrix for analysis. After the logs are parsed, the client will receive an e-mail link to access the detailed report on the state of the infrastructure, which, from the point of view of Citrix, it is recommended to fix or install additionally. As an example, last year, one of the customers tested that three different firmware versions were installed on 3 servers, one of which contained a critical error that manifests itself in working with any virtual infrastructure, which the manufacturer’s website honestly warned equipment. It also turned out that all three versions of the assembly were installed on all three XenServer servers, and the set of updates was also different. In fact, using Citrix Insight Services has been able to eliminate most of the problems with the virtual infrastructure.
')
You can configure the system to periodically collect action logs. For example, once every two weeks (the administrator can specify what he thinks is acceptable to send for analysis and what is not) in the automated mode, these logs will be sent for analysis, after which the administrator will receive recommendations for eliminating certain errors and general system configuration. If the administrator does not want to “let it go” in automatic mode, he unchecks the corresponding menu. At the same time, there is still a possibility from the XenCenter menu, without downloading logs automatically, by going through the menu to select the necessary action logs or other information that you need to send for analysis and upload data to Citrix Insight Services. If the customer has a paid edition with a support, then it is enough to indicate the case number and the corresponding logs will be uploaded to this case (so that the support does not have to ask for a remote connection to the infrastructure, and the administrator will resolve issues with providing remote access).
Iii. In the seventh version of XenServer, the composition and size of partitions were significantly changed. In previous versions of the hypervisor, all the action logs were on the dom0-section, which could lead to problems with a large amount of information collected by the logs. Now they have a separate section, which reduces the risk of the system "freeze" when, in an abnormal situation, magazines start to clog the dom0 section. The size of the primary and backup sections has also been increased. In order to deploy the infrastructure of the hypervisor XenServer 7 now requires at least 42 GB of free hard disk space on the server. But we must understand that this is not the size of the distribution kit, but the size of the disk capacity under the partitions with which the system is controlled. Now the layout looks like this: 1 GB per swap, 4 GB for storing logs, 18 GB for the main one and 18 GB for the backup partitions, 0.5 GB for UEFI, if it is loaded using it. On those machines where UEFI is installed, loading through it is supported, but this feature only appears for those installations that are installed from scratch. That is, if there is an old server with installed XenServer 6.5, and the server has UEFI, then in order to enable the ability to boot from UEFI, you need to completely reinstall the XenServer hypervisor, and not perform the upgrade procedure.
Iv. One of the main sources of cost for desktop virtualization is data storage. From here we will explain growth of popularity of hyperconvergent systems when requirements to a data storage system decrease. In the seventh version of XenServer, the list of supported storage access protocols was expanded. In addition to regular fiber channels, network cards with fiber channel over ethernet from Broadcom, Intel and HP are now supported. ISCSI boot is also supported on Cisco UCS servers, which allows diskless servers to be used and freely connected to a disk shelf.
V. Citrix was the first company that first implemented GPU forwarding to a virtual machine, and then virtualization of NVIDIA GRID graphics cards. The XenServer 7 version supports up to 128 virtual graphics cards per server and provides support for virtual graphics cards (vGPU) for Linux guest operating systems. It also became possible to use virtual graphics processors without installing a graphics card. This is realized when using servers with Intel Broadwell and Skylake processors with the C226 chipset. In this case, the integrated Intel Iris Pro graphics can be cut into seven virtual GPUs. Plus, the solution is that for many application products the speed of the graphics card is not very important, the main thing is that the card was in principle visible to the system. Currently, only XenServer has this feature, but it works only for single-processor servers. The benefits are office and other Windows applications, applications for viewing CAD-models. It should be noted that the division into virtual graphics cards is possible both within the virtual desktop and in terminal mode.
Vi. If we talk about security VDI, then today there are several options for protection. The usual approach - in the virtual OS there is a full-fledged agent that works in non-privileged mode and tracks changes in the system. The agent notices something and tries to deal with it. However, if there are several dozens or even hundreds of virtual machines on the server, the situation is when the system serves only itself. With a light agent, the situation is simpler - the system works with an external virtual machine with which the agent exchanges a hash. Although the load is significantly reduced, but not all the same. XenServer 7.1 implements the agentless version of protection against zero-day vulnerabilities. Bitdefender, along with Intel and Citrix, developed and integrated with the hypervisor a separate virtual machine that scans the memory of guest virtual machines. The Security Appliance runs on the hypervisor and is engaged in analyzing the memory of virtual machines independently. Within the framework of the virtual OS itself no agents work. When a malicious activity appears, it is blocked at the hypervisor level.
Bitdefender Hypervisor Introspection (HVI)
VII. XenServer 7 supports containers not only for Linux, but also for Windows Server 2016. For some developers, such a scheme is highly demanded, because it allows for flexibility in developing and upgrading applications, as well as speeding up the development cycle. As part of XenCenter, there is a single container management interface; the administrator can see all types of containers and can provide their work cycles. If we talk about the Docker console (supported for Debian 8, Ubuntu 14.04, CoreOS & RHEL / CentOS / OEL 7.x), then it can also be accessed from XenCenter. The same applies to Windows Server 2016 containers.
Viii. Changes were made in the operation of the Datapath and Control-Plane processes in the management domain (dom0), since previously the increased load on data transmission over the network or work with disk operations caused XenServer management services to stop responding. With the release of XenServer 7, these processes are divided into a separate group (Cgroups), which allows them not to depend on the load that is created by the network and disk subsystem. This has significantly reduced the time to load virtual machines and increase the reliability and stability of the hypervisor.
Cgroups allows Control-Plane processes to work when needed.
Ix. In version 7.1, the Live-patching mechanism is applied, offering batch update application. Previously, in order to install any new patch on the hypervisor, a system reboot was required. Live-patching, developed by Citrix and Oracle (for Linux - Red Hat), allows you to determine when the patch is loaded, if it requires changes related to the reboot, and if it is not required, the update is applied without interrupting the hypervisor. First, the patch (in the form of RPM) is installed in RAM and only if possible is transferred to the disk. The system informs the administrator that you need to reboot, or you can wait until the completion of the work or a scheduled reboot. In this case, in-memory system changes will be accepted. If a mandatory reboot is required, the administrator will receive a warning about this. The fix packs for XenServer have changed the format - now they are released in the standard iso-file format. They do not need to be separately loaded into the dom0, just a new virtual disk connection appears, an iso-file is mounted and the corresponding component is updated.
X. The PVS traffic caching function (provisioning server) increases the desktop download speed by 30% and guarantees a reduction in network traffic by up to 98%. If a virtual machine is now loaded from PVS, then for each virtual machine data is transferred, even if all of them are loaded from one image. When turning on PVS traffic caching, after loading one virtual machine, this data will be cached on the hypervisor and now when the next virtual machines are loaded, they will access dom0 without loading the network and the PVS server. As a result, if we run more than one machine from one image, we get a tangible gain by reducing the load on the network subsystem. To use this functionality, you need a PVS server version from 7.12 and Open virtual swich, as well as XenServer 7.1.
PVS operations cache on XenServer
Here are the most ambitious and significant changes to the system changes made in the seventh version of Citrix XenServer. In addition, there are a number of less significant innovations:
Since last year, Citrix began to produce LTSR versions of products (Long Term Service Release). The customer who chooses the LTSR version can be sure that, if necessary, this version will be supported for 10 years. XenServer 7.1 is the first LTSR version of the product. Her support will end in 2022, and her life cycle will end in 2027 (EOL).
Ask your questions in the comments and I’ll be happy to answer them.
So, let's go through the main innovations of the seventh generation of Citrix XenServer:
I. First of all, it is worth noting the improvements made to optimize the installation of specialized virtualization tools that previously needed to be installed independently. Now they can be installed via the built-in Windows Update Downloader from the repository of this OS. The main problem with installing XenTools arises in a situation where the number of virtual machines is in the hundreds. Usually it looked like this: mount the disk image with XenTools, run the executable file for installation, Windows restarts and completes the installation of virtualization tools. But in a situation where a large number of VMs are running on one XenServer or we have several hypervisors, installation becomes a big problem for the final customer (and especially the network administrator). In XenServer 7, another option is implemented: Windows installed on the hypervisor determines where it is installed, downloads the necessary utilities in order to manage the operating system of the virtual machine with Windows Update. As a result, the administrator does not need to manually install updates for each machine. However, it is worth considering that this option is valid only for the Enterprise edition of XenServer.
Ii. Integration of the hypervisor with Citrix Insight Services is now available, which makes it possible to obtain an analysis of the existing infrastructure and errors, even if the customer does not have an official contract for Citrix technical support. Insight Services is open to all users, including free editions, and if the customer has a need to check the virtual infrastructure for errors, he can already diagnose himself at the initial stage. Using the account for cis.citrix.com , the administrator connects to the service via XenServer, selects the desired action in the appropriate menu, and the server sends logs to Citrix for analysis. After the logs are parsed, the client will receive an e-mail link to access the detailed report on the state of the infrastructure, which, from the point of view of Citrix, it is recommended to fix or install additionally. As an example, last year, one of the customers tested that three different firmware versions were installed on 3 servers, one of which contained a critical error that manifests itself in working with any virtual infrastructure, which the manufacturer’s website honestly warned equipment. It also turned out that all three versions of the assembly were installed on all three XenServer servers, and the set of updates was also different. In fact, using Citrix Insight Services has been able to eliminate most of the problems with the virtual infrastructure.
')
You can configure the system to periodically collect action logs. For example, once every two weeks (the administrator can specify what he thinks is acceptable to send for analysis and what is not) in the automated mode, these logs will be sent for analysis, after which the administrator will receive recommendations for eliminating certain errors and general system configuration. If the administrator does not want to “let it go” in automatic mode, he unchecks the corresponding menu. At the same time, there is still a possibility from the XenCenter menu, without downloading logs automatically, by going through the menu to select the necessary action logs or other information that you need to send for analysis and upload data to Citrix Insight Services. If the customer has a paid edition with a support, then it is enough to indicate the case number and the corresponding logs will be uploaded to this case (so that the support does not have to ask for a remote connection to the infrastructure, and the administrator will resolve issues with providing remote access).
Iii. In the seventh version of XenServer, the composition and size of partitions were significantly changed. In previous versions of the hypervisor, all the action logs were on the dom0-section, which could lead to problems with a large amount of information collected by the logs. Now they have a separate section, which reduces the risk of the system "freeze" when, in an abnormal situation, magazines start to clog the dom0 section. The size of the primary and backup sections has also been increased. In order to deploy the infrastructure of the hypervisor XenServer 7 now requires at least 42 GB of free hard disk space on the server. But we must understand that this is not the size of the distribution kit, but the size of the disk capacity under the partitions with which the system is controlled. Now the layout looks like this: 1 GB per swap, 4 GB for storing logs, 18 GB for the main one and 18 GB for the backup partitions, 0.5 GB for UEFI, if it is loaded using it. On those machines where UEFI is installed, loading through it is supported, but this feature only appears for those installations that are installed from scratch. That is, if there is an old server with installed XenServer 6.5, and the server has UEFI, then in order to enable the ability to boot from UEFI, you need to completely reinstall the XenServer hypervisor, and not perform the upgrade procedure.
Iv. One of the main sources of cost for desktop virtualization is data storage. From here we will explain growth of popularity of hyperconvergent systems when requirements to a data storage system decrease. In the seventh version of XenServer, the list of supported storage access protocols was expanded. In addition to regular fiber channels, network cards with fiber channel over ethernet from Broadcom, Intel and HP are now supported. ISCSI boot is also supported on Cisco UCS servers, which allows diskless servers to be used and freely connected to a disk shelf.
V. Citrix was the first company that first implemented GPU forwarding to a virtual machine, and then virtualization of NVIDIA GRID graphics cards. The XenServer 7 version supports up to 128 virtual graphics cards per server and provides support for virtual graphics cards (vGPU) for Linux guest operating systems. It also became possible to use virtual graphics processors without installing a graphics card. This is realized when using servers with Intel Broadwell and Skylake processors with the C226 chipset. In this case, the integrated Intel Iris Pro graphics can be cut into seven virtual GPUs. Plus, the solution is that for many application products the speed of the graphics card is not very important, the main thing is that the card was in principle visible to the system. Currently, only XenServer has this feature, but it works only for single-processor servers. The benefits are office and other Windows applications, applications for viewing CAD-models. It should be noted that the division into virtual graphics cards is possible both within the virtual desktop and in terminal mode.
Vi. If we talk about security VDI, then today there are several options for protection. The usual approach - in the virtual OS there is a full-fledged agent that works in non-privileged mode and tracks changes in the system. The agent notices something and tries to deal with it. However, if there are several dozens or even hundreds of virtual machines on the server, the situation is when the system serves only itself. With a light agent, the situation is simpler - the system works with an external virtual machine with which the agent exchanges a hash. Although the load is significantly reduced, but not all the same. XenServer 7.1 implements the agentless version of protection against zero-day vulnerabilities. Bitdefender, along with Intel and Citrix, developed and integrated with the hypervisor a separate virtual machine that scans the memory of guest virtual machines. The Security Appliance runs on the hypervisor and is engaged in analyzing the memory of virtual machines independently. Within the framework of the virtual OS itself no agents work. When a malicious activity appears, it is blocked at the hypervisor level.
Bitdefender Hypervisor Introspection (HVI)
VII. XenServer 7 supports containers not only for Linux, but also for Windows Server 2016. For some developers, such a scheme is highly demanded, because it allows for flexibility in developing and upgrading applications, as well as speeding up the development cycle. As part of XenCenter, there is a single container management interface; the administrator can see all types of containers and can provide their work cycles. If we talk about the Docker console (supported for Debian 8, Ubuntu 14.04, CoreOS & RHEL / CentOS / OEL 7.x), then it can also be accessed from XenCenter. The same applies to Windows Server 2016 containers.
Viii. Changes were made in the operation of the Datapath and Control-Plane processes in the management domain (dom0), since previously the increased load on data transmission over the network or work with disk operations caused XenServer management services to stop responding. With the release of XenServer 7, these processes are divided into a separate group (Cgroups), which allows them not to depend on the load that is created by the network and disk subsystem. This has significantly reduced the time to load virtual machines and increase the reliability and stability of the hypervisor.
Cgroups allows Control-Plane processes to work when needed.
Ix. In version 7.1, the Live-patching mechanism is applied, offering batch update application. Previously, in order to install any new patch on the hypervisor, a system reboot was required. Live-patching, developed by Citrix and Oracle (for Linux - Red Hat), allows you to determine when the patch is loaded, if it requires changes related to the reboot, and if it is not required, the update is applied without interrupting the hypervisor. First, the patch (in the form of RPM) is installed in RAM and only if possible is transferred to the disk. The system informs the administrator that you need to reboot, or you can wait until the completion of the work or a scheduled reboot. In this case, in-memory system changes will be accepted. If a mandatory reboot is required, the administrator will receive a warning about this. The fix packs for XenServer have changed the format - now they are released in the standard iso-file format. They do not need to be separately loaded into the dom0, just a new virtual disk connection appears, an iso-file is mounted and the corresponding component is updated.
X. The PVS traffic caching function (provisioning server) increases the desktop download speed by 30% and guarantees a reduction in network traffic by up to 98%. If a virtual machine is now loaded from PVS, then for each virtual machine data is transferred, even if all of them are loaded from one image. When turning on PVS traffic caching, after loading one virtual machine, this data will be cached on the hypervisor and now when the next virtual machines are loaded, they will access dom0 without loading the network and the PVS server. As a result, if we run more than one machine from one image, we get a tangible gain by reducing the load on the network subsystem. To use this functionality, you need a PVS server version from 7.12 and Open virtual swich, as well as XenServer 7.1.
PVS operations cache on XenServer
Here are the most ambitious and significant changes to the system changes made in the seventh version of Citrix XenServer. In addition, there are a number of less significant innovations:
- Although in previous versions of XenServer, the ability to migrate between stores was implemented, but the difficulty was that only a running virtual machine could be migrated. If the machine was turned off, the migration was impossible. Now this situation is fixed and the VM can be moved in any state.
- A PuTTY client has been added to connect to virtual machines from the console. The PuTTY executable is included in the XenCenter installation utility. The button on the “Console” tab launches the PuTTY client, which will connect to the VM or dom0 automatically.
- All the latest CPUs are supported, the Xen hypervisor is updated to version 4.7, dom0 is built on 64-bit CentOS 7.2.
- The section related to the integration of the Astive Directory has been revised. If the hypervisor was previously used in infrastructure with very large groups that we wanted to manage through XenCenter, then the system was slowed down due to checking a large number of security tokens. Now another provider is used to work with Active Directory and, as a result, scalability is guaranteed for infrastructures with millions of users and tens of thousands of groups, with integration with XenCenter.
- In addition to Microsoft Hyper-V, VMware ESXi and Nutanix Acropolis, you can now use Citrix XenServer in Nutriix hyper-convergent solutions. Currently, Acropolis does not have the ability to work with virtual graphics, cannot work with Bitdefender Hypervisor Introspection, there is no possibility to work with PVS traffic caching, so if you need any of the above functions, it is recommended to use XenServer. However, some XenServer functions cannot be used when integrating into Nutanix, since they are implemented by the hyperconvergent system functionality.
Since last year, Citrix began to produce LTSR versions of products (Long Term Service Release). The customer who chooses the LTSR version can be sure that, if necessary, this version will be supported for 10 years. XenServer 7.1 is the first LTSR version of the product. Her support will end in 2022, and her life cycle will end in 2027 (EOL).
Ask your questions in the comments and I’ll be happy to answer them.
Source: https://habr.com/ru/post/326420/
All Articles