Archives for December 2017

Dec 13

Enabling AHV Turbo on AOS 5.5

Nutanix KB 4987

From AOS 5.5, AHV Turbo replaces the QEMU SCSI data path in the AHV architecture for improved storage performance.

For maximum performance, ensure the following on your Linux guest VMs:

Enable the SCSI MQ feature by using the kernel command line:
scsi_mod.use_blk_mq=y (I put this in /etc/udev/rules.d/)

Kernels older than 3.17 do not support SCSI MQ.
Kernels 4.14 or later have SCSI MQ enabled by default.
For Windows VMs, AHV VirtIO drivers will support SCSI MQ in an upcoming release.

AHV Turbo improves the storage data path performance even without the guest SCSI MQ support.

Solution

Perform the following to enable AHV Turbo on AOS 5.5.

Upgrade to AOS 5.5.
Upgrade to the AHV version bundled with AOS 5.5.
Ensure your VMs have SCSI MQ enabled for maximum performance.
Power cycle your VMs to enable AHV Turbo.

Note that you do not have to perform this procedure if you are upgrading from AOS 5.5 to a later release. AHV Turbo will be enabled by default on your VMs in that case.
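As an added example (not part of the Nutanix KB or this post), the following POSIX shell script applies the kernel-version rules above to a Linux guest: it classifies a kernel version as too old for SCSI MQ, needing the scsi_mod.use_blk_mq=y parameter, or having it on by default, and reads the live module parameter from sysfs. The sysfs path /sys/module/scsi_mod/parameters/use_blk_mq and the version thresholds are the assumptions; the version strings in the comments are constructed samples.

```shell
#!/bin/sh
# Added example, not from the Nutanix KB: check a Linux guest against the
# SCSI MQ rules in the post (kernel < 3.17 unsupported, 4.14+ default on,
# anything in between needs scsi_mod.use_blk_mq=y on the kernel command line).

# scsi_mq_advice VERSION
#   Prints: unsupported | needs-param | default-on
#   Accepts "uname -r" style strings, e.g. "3.10.0-693.el7.x86_64" (constructed).
scsi_mq_advice() {
    ver=$1
    # Drop the distro suffix after the first '-' (e.g. "-693.el7.x86_64").
    ver=${ver%%-*}
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    # A bare "4" has no minor component; treat it as 4.0.
    [ "$minor" = "$ver" ] && minor=0
    minor=${minor:-0}
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 17 ]; }; then
        echo unsupported
    elif [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 14 ]; }; then
        echo default-on
    else
        echo needs-param
    fi
}

# scsi_mq_runtime
#   Prints the live value of scsi_mod.use_blk_mq (Y or N) when the kernel
#   exposes it, or "unknown" when the sysfs parameter is absent (kernels that
#   predate the option, or that no longer expose it).
scsi_mq_runtime() {
    p=/sys/module/scsi_mod/parameters/use_blk_mq   # assumed sysfs path
    if [ -r "$p" ]; then
        cat "$p"
    else
        echo unknown
    fi
}

# Stand-alone use: report on the kernel this script is running under.
k=$(uname -r)
echo "kernel $k: $(scsi_mq_advice "$k"); use_blk_mq=$(scsi_mq_runtime)"
```

Run it inside the guest VM after the power cycle; a "needs-param" verdict together with use_blk_mq=N means the parameter has not taken effect, while "unknown" on a kernel newer than the ones the post discusses simply means the parameter is no longer exposed.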

Dec 12

Running IT: Docker and Cilium for Enterprise Network Security for Micro-Services

Well, I think 40 min is about as long as I can last watching an IT-related video while running; after that I need music! This time I watched another video from DockerCon, Cilium – Kernel Native Security & DDOS Mitigation for Microservices with BPF.

Skip to 7:23: The quick overview of the presentation is that managing iptables to lock down micro-services isn’t going to scale and will be almost impossible to manage. Cilium is open source software for providing and transparently securing network connectivity and load balancing between application workloads such as application containers or processes. Cilium operates at Layer 3/4 to provide traditional networking and security services, as well as at Layer 7 to protect and secure the use of modern application protocols such as HTTP, gRPC and Kafka. BPF is used by a lot of the big web-scale properties like Facebook and Netflix to secure their environments and for troubleshooting. Like anything with a lot of options, there are a lot of ways to shoot yourself in the foot, so Cilium provides the wrapper to get it easily deployed and configured.

The presentation uses the example of locking down a Kafka cluster at Layer 7 instead of leaving the whole API wide open, which is what happens if you are only using iptables. Kafka is used for building real-time pipelines and streaming apps. Kafka is horizontally scalable and fault-tolerant, so it’s a good choice to run in Docker. Kafka is used by 1/3 of Fortune 500 companies.

Cilium Architecture

Cilium Integrates with:

Docker
Kubernetes
Mesos

Cilium runs as an agent on every host.
Cilium can provide policy from the host to a Docker micro-service, and even between two containers on the same host.

The demo didn’t pan out, but the 2nd half of the presentation talks about Cilium using BPF with XDP. XDP is a further step in this evolution: it runs a specific flavor of BPF programs from the network driver with direct access to the packet’s DMA buffer. This is, by definition, the earliest possible point in the software stack where programs can be attached, allowing for a programmable, high-performance packet processor in the Linux kernel networking data path.

Since XDP runs earlier, at the NIC, versus iptables with ipset, CPU is saved, rules load faster, and latency under load is a lot better with XDP.

Dec 05

Handling Network Partition with Near-Sync

Near-Sync is GA!!!

Part 1: Near-Sync Primer on Nutanix
Part 2: Recovery Points and Schedules with Near-Sync

Perform the following procedure if a network partition (network isolation) occurs between the primary and remote sites.

The following scenarios may occur after a network partition.

1. The network between the primary site (site A) and the remote site (site B) is restored and both sites are working.
The primary site automatically tries to transition back into NearSync between site A and site B. No manual intervention is required.

2. Site B is not working or has been destroyed (for whatever reason), and you create a new site (site C) and want to establish a sub-hourly schedule from A to C.
Configure the sub-hourly schedule from A to C.
The configuration from A to C should succeed. No other manual intervention is required.

3. Site A is not working or has been destroyed (for whatever reason), and you create a new site (site C) and want to configure a sub-hourly schedule from B to C.
Activate the protection domain on site B and set up the schedule between site B and site C.

Dec 01

Supported Anti-Virus Offload for Nutanix Native File Services (AFS)

As the list grows with releases I will try to keep this updated.

As of AFS 2.2.1, the supported ICAP-based AV vendors are:

McAfee Virus Scan Enterprise for Storage 1.2.0

Symantec Protection Engine 7.9.0

Kaspersky Security 10

Sophos Antivirus

Nutanix recommends adding the following user-profile file extensions to the exclusion list when using AFS antivirus scanning:
.dat
.ini
.pol

Symantec Pre-Req

Each Symantec ICAP server needs the hot fix (SPE_7.9.0_HF03.zip) installed from http://www.symantec.com/docs/TECH216348.

Kaspersky Pre-Req

When running the Database Update task with a network folder as the update source, you might encounter an error after entering credentials.

Solution

To resolve this, download and install critical fix 13017 provided by Kaspersky.

Download Link:

https://support.kaspersky.com/13017