Wednesday, September 21, 2011

VMWARE Memory Management and More

Today I was watching the presentation that Jonathan Klick gave at VMworld 2011, “Correctly Sizing Memory in Virtual Environments”.

While it brings some good information, metrics and insights about what you should be watching when right-sizing your environment, it just mentions a lot of terms that you should be familiar with, like EPT, Large Pages, TPS, etc.

So I decided it was time to shake off the dust and give you some more information about them.

First things first, when monitoring the memory metrics of your guests, understand what each one means: this will help you a lot.

Second, you need to understand what Transparent Page Sharing (TPS) is.
Let’s forget all the bits and bytes behind how a virtual memory page translates into physical host memory. The important piece to know is that ESX used to use small pages, 4 KB in size, so it was easy for ESX to identify common pages: instead of loading two or more pages with the same data into memory, it loads them into physical memory once and shares them with the other guests. In basic terms, that’s TPS. Easy?

Now, with the advent of new processors like Nehalem, some new virtualization functions have been introduced into the processor; one of them is EPT (Extended Page Tables). When ESX identifies that capability on its processor, it starts using large pages, 2 MB in size, instead of small pages.

What do large pages have to do with TPS? Well, because it’s unlikely that there will be two or more identical 2 MB pages, there’s no gain in wasting resources to identify them.
As a consequence, you will see a lot more host memory consumed and less memory being shared among guests.
So, is there any performance improvement from using Large Pages?
Definitely. Check the VMware performance evaluation.

But what about TPS, has it been disabled?
No. It is still there, but it is used more when there are memory constraints.
When your host is under memory pressure, ESX breaks these large pages into small pages; that’s when TPS is back in the game, finding identical pages more easily and sharing them between guests, which increases the available memory on the host.
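A simplified model of the effect described above, added here as an example (it is not VMware's code or the author's). Two constructed guest memory images share most of their 4 KB pages; content hashing stands in for the hypervisor's page comparison, and the guest layout is an assumption chosen for illustration.

```python
import hashlib

SMALL = 4 * 1024          # 4 KB small page
LARGE = 2 * 1024 * 1024   # 2 MB large page


def build_guest(guest_id, size=4 * LARGE):
    """Constructed guest memory: three of every four small pages hold content
    common to all guests (same OS and libraries), the fourth is guest-specific."""
    mem = bytearray()
    for n in range(size // SMALL):
        owner = guest_id if n % 4 == 3 else "common"
        seed = hashlib.sha256(f"{owner}:{n}".encode()).digest()
        mem += seed * (SMALL // len(seed))   # fill one small page
    return bytes(mem)


def backing_pages(guests, page_size):
    """Return (guest pages, host pages needed) when identical pages are stored once."""
    unique = set()
    total = 0
    for mem in guests:
        for off in range(0, len(mem), page_size):
            unique.add(hashlib.sha256(mem[off:off + page_size]).digest())
            total += 1
    return total, len(unique)


if __name__ == "__main__":
    guests = [build_guest("A"), build_guest("B")]
    for label, size in (("4 KB", SMALL), ("2 MB", LARGE)):
        total, needed = backing_pages(guests, size)
        saved_kb = (total - needed) * size // 1024
        print(f"{label} pages: {total} guest pages, {needed} host pages, {saved_kb} KB shared")
```

At 4 KB granularity the common pages collapse into one copy; at 2 MB granularity a single guest-specific 4 KB region inside each large page is enough to make every large page distinct, so nothing is shared until the large pages are broken up again.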

To make a long story short:
Keep Large Pages and EPT on. Let ESX take care of the memory management.

As you might know, there’s no size that fits all.
What I mean by that is: I’m giving you some information about what’s out there; now it’s up to you to understand your environment and your applications, monitor them and tweak them to get the best your software can offer.

Good luck.

More reading:
Large Pages from Yellow Bricks

Monitoring TPS from Yellow Bricks

Large Pages a problem of perception


EPT affects TPS from VMWARE

Wednesday, September 14, 2011

Custom ESX firewall rules

As you know, ESX has a built-in firewall. That means no communication is allowed unless you specify it. Luckily, a few basic ports are open by default.

Check here for a list of the ports required for the majority of VMware functions.

You can open/close ports through the vSphere Client or with the esxcfg-firewall command.
But let’s agree that doing it through the vSphere Client is a lot easier: you don’t have to know the syntax of the command, log on to your host through SSH or even run remote commands.
You just go to Security Profile and check the desired rule.

There’s a problem with that approach: Security Profile shows only a couple of rules and ports to be checked.

What if you have an application that needs to communicate through a port which is not there?
Wouldn’t it be nice if you could create your own firewall rule?

It’s possible!!!
VMware KB1021779 gives you the directions to accomplish that by changing the /etc/vmware/firewall/services.xml file.

I would be very careful about changing this file: it’s a system file which controls a lot of services, and it’s probable that some future patch will replace it, wiping out your customization.

So, my advice is to create an XML file in /etc/vmware/firewall/ and put your rule details inside it.
There are a bunch of files in /etc/vmware/firewall/; just take a look at them to understand the syntax. It should be very easy to build your own.

Here’s an example of a rule I created called ExtraPort, which opens TCP 3434 inbound and outbound:

Once you create your file, restart the mgmt-vmware service.

Next time you go through Security Profile you will see your firewall rule in there.

You are now ready to give your junior system admin the task to open and close ports without worrying too much ; )
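An added example (not the author's ExtraPort file and not VMware's code): a small Python check that reads a custom rule file and lists the ports it opens, so that additions made by other admins can be reviewed against an approved list. The XML layout of the constructed sample is an assumption modelled on the ESX 4.x service files; compare it with the files on your own host.

```python
import xml.etree.ElementTree as ET

# Constructed sample rule file. The element layout is an assumption modelled on
# the ESX 4.x service files; compare it with the files in /etc/vmware/firewall/.
SAMPLE_RULE_FILE = """\
<ConfigRoot>
  <service>
    <id>ExtraPort</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <port type='dst'>3434</port>
      <flags>-m state --state NEW</flags>
    </rule>
    <rule id='0001'>
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <port type='dst'>3434</port>
      <flags>-m state --state NEW</flags>
    </rule>
  </service>
</ConfigRoot>
"""


def list_openings(xml_text):
    """Return sorted (service, direction, protocol, port) tuples from a rule file."""
    openings = set()
    for service in ET.fromstring(xml_text).iter("service"):
        name = (service.findtext("id") or "").strip()
        for rule in service.iter("rule"):
            direction = (rule.findtext("direction") or "").strip().lower()
            protocol = (rule.findtext("protocol") or "").strip().lower()
            port = (rule.findtext("port") or "").strip()
            if direction not in ("inbound", "outbound") or not port.isdigit():
                raise ValueError(f"{name}: rule {rule.get('id')} is malformed")
            openings.add((name, direction, protocol, int(port)))
    return sorted(openings)


def unapproved(openings, approved):
    """Openings whose (direction, protocol, port) is not on the approved list."""
    return [o for o in openings if o[1:] not in approved]


if __name__ == "__main__":
    approved = {("inbound", "tcp", 3434)}  # hypothetical change-approved list
    for opening in unapproved(list_openings(SAMPLE_RULE_FILE), approved):
        print("not approved:", opening)
```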

Who am I

I’m an IT specialist with over 15 years of experience, working from IT infrastructure to management products, with troubleshooting and project management skills from medium to large environments. Nowadays I'm working for VMware as a Consulting Architect, helping customers to embrace the Cloud Era and make them successful on their journey. Despite the fact I'm a VMware employee, these postings reflect my own opinion and do not represent VMware's position, strategies or opinions. Reach me at @dumeirell
