Can You Install Hyper-V in a VM?

The answer is sort of.  Strictly speaking it is possible.  You can indeed enable the Hyper-V role in a Server Core installation of Windows Server 2008 and Windows Server 2008 R2.  I’ve done it on both OS’s on both VMware Workstation 6.5 and on Hyper-V.  Logically this means you can deploy Hyper-V Server 2008 and Hyper-V Server 2008 R2 in a VM.

You can even create VM’s on the hosts.  However, the hardware requirements are not passed through to the VM’s and therefore the hypervisor never starts up.  That means you cannot start up those VM’s.

Why would you care?  You certainly cannot do it in a production scenario.  But you might find it handy when doing some demos, lab work or testing of clustering or VMM.

EDIT:

I have been told (but I have not tried this so I cannot say it will work) that you can get Hyper-V to install and run in an ESXi 3.X virtual machine.  The performance is said to be awful, but might be useful for a lab with limited hardware.

Dell Plans To Terminate All Production In Europe

Silicon Republic has just reported this.  As Dell winds down the Limerick (southwest Ireland) plant and transfers the remaining work to Lodz in Poland, they are also looking to transfer ownership of Lodz to Foxconn.  This is subject to EU approval; I’m fairly sure (but not entirely) that Dell got funding to set up in Poland.

Core Configurator 2.0 Is Released

The tool that makes Windows Server Core Installation more palatable to people has been upgraded to support Windows Server 2008 R2 Core Installation.  This tool allows you to do common tasks via a limited GUI instead of searching the Net for the command line alternatives.

The tasks you can do with it include:

  • Product Licencing
  • Networking Features
  • DCPromo Tool
  • ISCSI Settings
  • Server Roles and Features
  • User and Group Permissions
  • Share Creation and Deletion
  • Dynamic Firewall settings
  • Display | Screensaver Settings
  • Add & Remove Drivers
  • Proxy settings
  • Windows Updates (Including WSUS)
  • Multipath I/O
  • Hyper-V including virtual machine thumbnails
  • Join Domain and Computer rename
  • Add/remove programs
  • Services
  • WinRM
  • Complete logging of all commands executed

You can download it now.  It’s interesting to see that it is written in PowerShell and is totally open source, i.e. you can amend it.

Sizing Virtualisation CPU Requirements

I’ve been analysing our CPU utilisation figures and I’m impressed by how well Hyper-V is running and upset at how much hardware we’ve used.

We’re a hosting company.  We have no idea what our physical requirements will be for our private cloud.  A customer might come in wanting a low end virtual web server.  Or they might come in and want some highly available a working floating point number crunching VM.  I don’t have a crystal ball or a Ouija board so how am I to know?

I looked at the figures this week and what I’m seeing is that we are barely touching the CPU resources in our hosts.  We started off guessing what our future requirements would be.  We put in dual quad core CPU’s and hoped for the best.  What I’m seeing today is full hosts (RAM-wise) that barely touch their available CPU resources.  I have a recently purchased and filled single CPU host that averages around 25% CPU utilisation.

Our unpredictability makes us different to most who are implementing virtualisation for the first time.  Most people already have existing physical servers that they plan to migrate to their new virtualisation platform.  They can run some monitoring (either done by a consultant for the specific task) or use something like Operations Manager with the additional VMM reports.  In this scenario if a server uses 50% of its existing single quad core CPU then it’s going to use 25% or thereabouts of the resources on a dual quad core CPU host (assuming similar generation of CPU).

What about low end requirements?  How many of those sorts of VM’s can you get on Hyper-V?  Windows Server 2008 R2 Hyper-V is very scalable.  You can have up to 64 logical processors (physical CPU cores) in a host (Enterprise and Datacenter editions).  Each logical processor can support up to a maximum of 8 virtual processors (that’s the CPU assigned to a VM).  A standalone host can have up to 384 virtual processors.  A clustered node can have up to 64 running virtual processors.  Make sure your storage and RAM can handle the associated loads on their resources first.

Now I have some empirical data that I can make semi-informed decisions on (no crystal ball, remember!).  Our next purchases will feature the Nehalem processors which increase the load capacity over our current hosts.  We will increase the RAM capacity per host, thus increasing the amount of VM’s per host.  I think I’ll be going single CPU.  That will reduce power, purchase and SPLA licensing costs.  Between VMM and OpsMgr, I’ll know if that needs to increase.

Cannot Delete Cluster Object From Operations Manager 2007

I recently decommissioned a Windows Server 2008 Hyper-V cluster.  It was monitored by OpsMgr 2007 R2.  When we shutdown the last cluster node I tried to remove both its agent object and the agentless managed cluster object from OpsMgr administration.  I couldn’t.  The cluster just refused to disappear.  The server agent would delete because there was a remaining dependency – the cluster object which relied on it as a proxy.

It had a red state (ruining my otherwise all green status view) and, more annoyingly, many of the migrated resources (VM’s) still seemed to be linked to the old cluster despite being moved to the new cluster.

I searched and found lots of similar queries.  The official line from MS is that there is no supported way to do this deletion.  There is a hack but the instructions didn’t work for me – I couldn’t find the key piece of info – plus it is unsupported.

So I uninstalled the agent manually.  No joy.  I waited.  No joy.  I rebuilt the server and added it to our Windows Server 2008 R2 Hyper-V cluster.  No joy.  I installed the OpsMgr agent and enabled the proxy setting.

That was yesterday.  This morning I logged in and the old cluster object is gone.  Vamoose!  I guess OpsMgr figured out that the server was now in a new cluster and everything was good.

Microsoft Responds to Black Screen of Death Claims

It was widely reported that a UK company was claiming that one of last week’s security updates by Microsoft was causing a “black screen of death” where Explorer would show nothing when you logged in.  Microsoft responded overnight:

“While these reports weren’t brought to us directly, from our research into them, it appears they’re saying that our security updates are making permission changes in the registry to the value for the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell key.

We’ve conducted a comprehensive review of the November Security Updates, the Windows Malicious Software Removal Tool, and the non-security updates we released through Windows Update in November. That investigation has shown that none of these updates make any changes to the permissions in the registry. Thus, we don’t believe the updates are related to the “black screen” behavior described in these reports.

We’ve also checked with our worldwide Customer Service and Support organization, and they’ve told us they’re not seeing “black screen” behavior as a broad customer issue. Because these reports were not brought to us directly, it’s impossible to know conclusively what might be causing a “black screen” in those limited instances where customers have seen it”.

There you have it.  Prevx didn’t do the responsible thing, i.e. contact Microsoft directly, and instead decided to generate some publicity for themselves.  Their claims have been refuted so this leads me to wonder: are these developers more of the same who don’t comply with documented standards and just write rubbish code and to hell with their customers?  I don’t know them, never dealt with them and certainly never heard of them before yesterday.  You decide 🙂

Stocking Filler Gift Alternatives

OK – this is not a techie blog post.  But please do keep reading.

Most of us celebrate some sort of festival at this time of year where gifts are exchanged.  And sometimes we give rubbish gifts just because we have to give something.  It ends up being binned, re-gifted, etc.  Why not this year, you give something that will make a real difference in someone’s life?

There are organisations out there that offer a service.  I hate to call them charities because these are the sort of organisations that help people to help themselves.  Whether it be disadvantaged people in your own locality, those innocently caught up in war torn regions, people in poor countries suffering drought for 3 years running or the families of those plagued by HIV AIDS in undeveloped countries.

The service they offer is that they will sell you a gift that they will provide to those in need.  Whether it’s a meal and a bed on a cold night, a HIV medical service, a fruit and vegetable garden, a stove, a pot, a chicken.  It’s all intended to help people to help themselves instead of the handout of a bag of grain.

For as little as a few Euros or Dollars you can purchase a gift.  In return you are given a gift card to give to the person who would have alternatively been given that throw away “stocking filler”.  They’ll have been given something real.

Two organisations I’ve used in the past are Concern Gifts and Oxfam Unwrapped.  Both are organisations that believe in teaching a man how to fish rather than giving him the fish.  They operate in the “third world” helping those who need it most.  In Ireland you can help the poor in your area by checking out the Saint Vincent de Paul Society.

If you want to consider something different again then consider adopting a rescued animal of a threatened species.  I have a thing for Cheetahs and the Cheetah Conservation Society in Namibia does a lot to help, rescue and rehab animals down there.  They also work with native farmers to teach them about the animals and to use alternative effective but expensive methods to protect their flocks of goats.  There are similar efforts for all of the threatened species around the world: Orang-utan, Gorilla, you name it, there’s an organisation you can help.

The threats to the rain forests around the world are significant.  They are the lungs of the planet but are being torn asunder to grow ethanol crops thanks to the misguided efforts of the Greens.  Even if you don’t believe in global warming there is no doubt that there is a diverse world of ecological wonders in those forests.  Even small pockets have unique and amazing species of plant, animal and bird.  Do a quick search and you’ll find something to make a difference.

Or maybe you have time and skills to give?  There are millions of options: help build a house for someone hit by disaster near home or in a poor country, help rebuild/recycle a PC to be sent to a school in Africa, help distribute meals to those who can’t help themselves.

The point is – don’t waste money on something that has no value.  Do something else instead.  Be that good Samaritan and help someone you don’t know and might never meet.

Can You P2V Linux?

Eek!  What a scary thought.  I was asked tonight if this was possible.  Not with VMM and not with VMware’s tools AFAIK.  I had no idea.  I did some searching.  Apparently PlateSpin can do it with PowerConvert.  There’s a messy solution for cloning Linux machines.  This process will probably get easier when the Linux distros are available with the Hyper-V integration components installed.  But most P2V operations will likely be on older distros so things won’t be easy. 

I’m not touching this one with a barge pole 🙂

How Hyper-V SCSI is Really IDE And It Doesn’t Matter

Ben Armstrong has done a good job at explaining how it doesn’t matter if you use IDE or SCSI disks in your VM.

It turns out that under the hood there’s no real difference between them.  And as you probably already know, the real decision is if you are using SAS or SATA disks underneath the virtualisation layer.

Hyper-V and VLAN’s

How do you run multiple virtual machines on different subnets?  Forget for just a moment that these are virtual machines.  How would you do it if they were physical machines?  The network administrators would set up a Virtual Local Area Network or VLAN.  A VLAN is a broadcast domain, i.e. it is a single subnet and broadcasts cannot be transmitted beyond its boundaries without some sort of forwarder to convert the broadcast into a unicast.  Network administrators use VLAN’s for a bunch of reasons:

  • Control broadcasts because they can become noisy.
  • They need to be creative with IP address ranges.
  • They want to separate network devices using firewalls.

That last one is why we have multiple VLAN’s at work.  Each VLAN is firewalled from every other VLAN.  We open up what ports we need to between VLAN’s and to/from the Internet. 

Each VLAN has an ID.  That is used by administrators for configuring firewall rules, switches and servers.

How do you tell a physical server that it is on a VLAN?

There’s two ways I can think of:

  • The network administrators would assign the switch ports that will connect the server to a specific VLAN
  • The network administrators can create a “trunk” on a switch port.  That’s when all VLAN’s are available on that port.  Then on the server you need to use the network card driver or management software to specify which VLAN to bind the NIC to.  Some software (HP NCU) allows you to create multiple virtual network cards to bind the server to multiple VLAN’s using one physical NIC.

How about a virtual machine; how do you bind the virtual NIC of a virtual machine to a specific VLAN?  It’s a similar process.  I must warn anyone reading this that I’ve worked with a Cisco CCIE while working on Hyper-V and previously with another senior Cisco guy while working on VMware ESX and neither of them could really get their heads around this stuff.  Is it too complicated for them?  Hardly.  I think the problem was that it was too simple!  Seriously!

Let’s have a look at the simplest virtual networking scenario:

[Image]

The host server has a single physical NIC to connect virtual machines.  A virtual switch is created in Hyper-V to pass the physical network that is attached to that NIC to any VM that is bound to that virtual switch.

You can see above that the switch only operates with VLAN 101.  Every server on the network operates on VLAN 101.  The physical servers are on it, the parent partition of the host is on it, etc.  The physical switch port is connected to the virtual machine NIC in the host using a physical network cable.  In Hyper-V, the host administrator creates a virtual switch.

Network admins: Here’s where you pull what hair you have left out.  This is not a switch like you think of a switch.  There is no console, no MIB, no SNMP, no ports, no spanning tree loops, nada!  It is a software connection and network pass through mechanism that exists only in the memory of the host.  It interacts in no way with the physical network.  You don’t need to architect around them.

The virtual switch is a linking mechanism.  It connects the physical network card to the virtual network card in the virtual machine.  It’s as simple as that.  In this case both of the VM’s are connected to the single virtual switch (configured as an External type).  That means they too are connected to VLAN 101.

How do we get multiple Hyper-V virtual machines to connect to multiple VLAN’s?  There’s a few ways we can attack this problem.

Multiple Physical NIC’s

In this scenario the physical host server is configured with multiple NIC’s. 

*Rant Alert* Right, there’s a certain small number of journalists/consultants who are saying “you should always try to have 1 NIC for every VM on the host”.  Duh!  Let’s get real.  Most machines don’t use their GB connections in a well designed and configured network.  That nightly tape backup over the network design is a dinosaur.  Look at differential, block level continuous incremental backups instead, e.g. Microsoft System Center Data Protection Manager or Iron Mountain Live Vault.  Next, who has money to throw at installing multiple quad NIC’s with physical switch ports all over the place.  The idea here is to consolidate!  Finally, if you are dealing with blade servers you only have so many mezzanine card slots and enclosure/chassis device slots.  If a blade can have 144GB of RAM, giving maybe 40+ VM’s, that’s an awful lot of NIC’s you’re going to need :)  Sure there are scenarios where a VM might need a dedicated NIC but they are extremely rare. *Rant Over*

[Image]

In this situation the network administrator has set up two ports on the switches, one for each VLAN to connect to the Hyper-V host.  VLAN 101 has a physical port on the switch that is cabled to NIC 1 on the host.  VLAN 102 has a physical port on the switch that is cabled to NIC 2 on the host.  The parent partition has its own NIC, not shown.  Virtual Switch 1 is created and connected to NIC 1 and Virtual Switch 2 is created and connected to NIC 2.  Every VM that needs to talk on VLAN 101 will be connected to Virtual Switch 1 by the host administrator.  Every VM that needs to talk on VLAN 102 should be connected to Virtual Switch 2 by the host administrator.

Virtual Switch Binding

You can only bind one External type virtual switch to a NIC.  So in the above example we could not have matched up two virtual switches to the first NIC and changed the physical switch port to be a network trunk.  We can do something similar but different.

[Image]

When we create an external virtual switch we can tell it to only communicate on a specific VLAN.  You can see in the above screenshot that I’ve built a new virtual switch and instructed it to use the VLAN ID (or tag) of 102.  That means that every VM virtual NIC that connects to this virtual switch will expect to be on VLAN 102 with no exceptions.

Taking our previous example, here’s how this would look:

[Image]

The network administrator has done things slightly differently this time.  Instead of configuring the two physical switch ports to be bound to specific VLAN’s they’re simply configured as trunks.  That means many VLAN’s are available on that port.  The device communicating on the trunk must specify what VLAN it is on to communicate successfully.  Worried about security?  As long as you trust the host administrator to get things right you are OK.  Users of the virtual machines cannot change their VLAN affiliation.

You can see that virtual switch 1 is now bound to VLAN 101.  Every VM that connects to virtual switch 1 will be only able to communicate on VLAN 101 via the trunk on NIC 1.  It’s similar on NIC 2.  It’s set up with a virtual switch on VLAN 102 and all bound VM’s can only communicate on that VLAN.

We’ve changed where the VLAN responsibility lies but we haven’t solved the hardware costs and consolidation issue.

VLAN ID on the VM

Here’s the solution you are most likely to employ.  For the sake of simplicity let’s forget about NIC teaming for a moment.

[Image]

Instead of setting the VLAN on the virtual switch we can do it in the properties of the VM.  To be more precise we can do it in the properties of the virtual network adapter of the VM.  You can see that I’ve done this above by configuring the network adapter to only communicate on VLAN (ID or tag) 102.

This is how it looks in our example:

[Image]

Again, the network administrator has set up a trunk on the physical switch port.  A single external virtual switch is configured and no VLAN ID is specified.  The two VM’s are set up and connected to the virtual switch.  It is here that the VLAN specification is done.  VM 1 has its network adapter configured to talk on VLAN 101.  VM 2 is configured to operate on VLAN 102.  And it works, just like that!
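How the per-adapter VLAN ID behaves on a trunk, as an added example (not from the original post and not Hyper-V's own code): a toy Python model of an external virtual switch that adds an 802.1Q tag to frames leaving a VM and delivers trunk frames only to virtual NICs with the matching ID.  The `VirtualSwitch` class, MAC addresses and frames are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that marks an 802.1Q tag
BROADCAST = b"\xff" * 6

def tag_frame(frame: bytes, vlan_id: int) -> bytes:
    """Insert an 802.1Q tag after the destination and source MACs."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    # TCI = priority (3 bits, 0 here) | DEI (1 bit, 0) | VLAN ID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan_id) + frame[12:]

def untag_frame(frame: bytes):
    """Return (vlan_id, frame without tag); vlan_id is None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF, frame[:12] + frame[16:]

class VirtualSwitch:
    """Toy external virtual switch on a trunk; the VLAN ID is set per vNIC."""

    def __init__(self):
        self.vnics = {}                  # vNIC name -> (MAC, VLAN ID)

    def connect(self, name: str, mac: bytes, vlan_id: int) -> None:
        self.vnics[name] = (mac, vlan_id)

    def send_from_vm(self, name: str, frame: bytes) -> bytes:
        """The guest sends untagged; the switch tags it for the trunk."""
        return tag_frame(frame, self.vnics[name][1])

    def receive_from_trunk(self, frame: bytes) -> dict:
        """Deliver a trunk frame, untagged, to vNICs on the matching VLAN."""
        vlan_id, inner = untag_frame(frame)
        if vlan_id is None:
            return {}                    # every vNIC in this model has a VLAN ID
        dst = inner[:6]
        return {name: inner for name, (mac, vid) in self.vnics.items()
                if vid == vlan_id and dst in (mac, BROADCAST)}

# Constructed sample data: MAC addresses and an ARP-sized broadcast payload.
VM1_MAC = bytes.fromhex("00155d000101")
VM2_MAC = bytes.fromhex("00155d000102")
SERVER_MAC = bytes.fromhex("001122334455")

def demo():
    sw = VirtualSwitch()
    sw.connect("VM 1", VM1_MAC, 101)
    sw.connect("VM 2", VM2_MAC, 102)
    # VM 1 broadcasts: on the trunk the frame carries tag 101.
    wire = sw.send_from_vm("VM 1", BROADCAST + VM1_MAC + b"\x08\x06" + bytes(28))
    # A physical server on VLAN 102 broadcasts: only VM 2 receives it.
    from_server = tag_frame(BROADCAST + SERVER_MAC + b"\x08\x06" + bytes(28), 102)
    return untag_frame(wire)[0], sorted(sw.receive_from_trunk(from_server))

if __name__ == "__main__":
    print(demo())
```

The guest never sees or sets the tag in this model; the VLAN membership is entirely a property of the adapter configuration held by the host.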

Waiver: I’m seeing a problem where VMM created NIC’s do not bind to a VLAN.  Instead I have to create the virtual network adapter in the Hyper-V console.

Here’s one to watch out for if you use the self servicing console.  If you cannot trust delegated administrators/users to get VLAN ID configuration right or don’t trust them security-wise then do not allow them to alter VM configurations.  If you do then they can alter the VLAN ID and put their VM into a VLAN that it might not belong to.

Firewall Rules

Unless network administrators allow it, virtual machines on VLAN 101 cannot see virtual machines on VLAN 102.  A break out is theoretically impossible due to the architecture of Hyper-V leveraging the No eXecute Bit (AKA DEP or Data Execution Prevention).

Summary

You can see that you can set up a Hyper-V host to run VM’s on different VLAN’s.  You’ve got different ways to do it.  You can even see that you can use your VLAN’s to firewall VM’s from each other.  Hopefully I’ve explained this in a way that you can understand.