VMware ESX Guest Disk IO

Published April 6th, 2009 by Paul De Audney

Knowing the state of your disk IO latency in VMware ESX can help you pre-empt performance & capacity issues before the occur. There are a few guidelines you should keep in mind. These notes are directed towards people using directly attached storage.

  • Write latency should be 0, because you have that fancy battery backed controller caching writes, right?
  • Read latency should be under 8ms.
  • Use the smallest stripe size possible for your RAID array setting. This helps keep random IO performance acceptable at the cost of some sequential performance.
  • Do not virtualise very heavy random IO workloads on shared arrays, other guest VMs wont like you for it.
  • Unless you have a very compelling reason not too, use RAID 10.

Some other notes, specific to Linux guests are:

  • Mount file systems with noatime and nodiratime, this will help reduce random IO.
  • Allocate enough memory to have some buffers.
  • Do anything possible to stop your VM swapping heavily (see point above).

As with any system, having great monitoring and performance trending allows for you to have an excellent overview of your infrastructure. Even if you don’t have external systems for performance trending, the VMware Infrastructure client with a few tweaks will display the data you want to see.

  1. Login to the VI Client.
  2. Click on an object in the left navigation tree.
  3. Click on the performance tab at the top of the main display pane.
  4. Click the “Change Chart Options” button
  5. Select the Disk chart option from the left expanding menu.
  6. Now change the counters, pick the Latency counters and Number counters, un-ticking the KBps  counters.
  7. Save the chart settings as disk-latency.

Now you can view in real time what is happening with your disk IO on the VMware ESX server. If you are more familiar with using a command line and Linux, you can SSH in to the ESX COS and use the command esxtop to view disk performance information.

  1. Launch esxtop (as root)
  2. Press “v”
  3. Press “s” and then “1″

Now you can see the per VM disk usage counters, with a 1 second sample period.

These rules of thumb are also applicable to Xen and Hyper-V.

Tags: , , , , , ,
Posted in FTW

 Leave a comment

0
Comments

Firewalling VMware ESX for console access

Published February 23rd, 2009 by Barney Desmond

One of Anchor’s more recent product offerings is VMware-based virtual private servers. As one of my colleagues has already detailed, we take extra measures to secure the VMware host server to reduce the possibility of a compromise.

Our VPS offering uses VMware ESX, which runs on bare metal and doesn’t have a host operating system. This isn’t the full story – according to documentation it boots a Redhat Enterprise Linux 3 system, then loads the vmkernel which is where the real work is done. One of the nice things about this approach is that there’s a userspace environment in which to run support software, like good monitoring components.

We ran into an odd problem recently with an ESX host server on a dedicated network segment, namely that we couldn’t view the console for VM guests. Nothing would happen for about 30 seconds, then the VMware Infrastructure Client (VIC) would report a connection failure.

Most people using VMware now have probably used the vanilla VMware Server once or twice. It’s pretty easy to understand, and because it runs on top of your usual OS, firewalling it as simple as opening holes for legitimate clients to connect to TCP port 902. That’s not the case with VMware ESX, and without reading the manuals it’s not immediately obvious what the problem is.

As it turns out, the VIC is attempting to connect to TCP port 903 on the host server. If one assumed that the VMware hypervisor is just a modified linux system (which is what it looks like, but isn’t quite) you should be able to see a listening port in the output of netstat -tnlp, but you can’t.

[root@miyuki root]# netstat -tnlp
Proto Local Address       Foreign Address     State       PID/Program name
tcp   0.0.0.0:5666        0.0.0.0:*           LISTEN      2684/nrpe
tcp   127.0.0.1:32771     0.0.0.0:*           LISTEN      1807/cimserver
tcp   0.0.0.0:5988        0.0.0.0:*           LISTEN      1807/cimserver
tcp   0.0.0.0:5989        0.0.0.0:*           LISTEN      1807/cimserver
tcp   127.0.0.1:8005      0.0.0.0:*           LISTEN      1652/webAccess
tcp   0.0.0.0:902         0.0.0.0:*           LISTEN      1598/xinetd
tcp   0.0.0.0:199         0.0.0.0:*           LISTEN      1489/snmpd
tcp   0.0.0.0:8009        0.0.0.0:*           LISTEN      1652/webAccess
tcp   0.0.0.0:80          0.0.0.0:*           LISTEN      1765/vmware-hostd
tcp   0.0.0.0:8080        0.0.0.0:*           LISTEN      1652/webAccess
tcp   0.0.0.0:22          0.0.0.0:*           LISTEN      1498/sshd
tcp   127.0.0.1:8889      0.0.0.0:*           LISTEN      1839/openwsmand
tcp   0.0.0.0:2265        0.0.0.0:*           LISTEN      1732/osirisd
tcp   0.0.0.0:443         0.0.0.0:*           LISTEN      1765/vmware-hostd

As a little more reading revealed, the VIC makes an extra connection to port 903 for console data. This marks a significant change from the earlier model of passing everything through the same connection, and the reason for such a change is unclear.

We’ll assume there’s some performance benefit to be had there. What we find more interesting/important is that port 903 is entirely “under the radar”, as it’s implemented in vmkernel. The other traffic on the box is subject to our standard iptables rules as far as we can tell, including port 902, which is used for a lot of other management-client to host-server interaction.

tcpdump is also oblivious to port 903, so we’re guessing VMware passes traffic through the netfilter stack when it’s deemed to be convenient or necessary. If we had a spare ESX host sitting around doing nothing, I’d be interested to see if the packet counters shown in the output of ifconfig are also affected.

Tags: , , , , , , , , , , ,
Posted in WTF

 Leave a comment

0
Comments

VPS – Virtual Private Servers now available

Published January 21st, 2009 by Davy Jones

After dabbling with a variety of different virtualisation technologies over the last 2 years we’ve launched a Virtual Private Server (or VPS) offering based on VMware ESX server.

We’ve chosen ESX server for a number of reasons not to mention the ability to perform a sufficient level of monitoring on the host system and have the virtual machines behave in just about every respect the same as a traditional dedicated server would.

A VPS can offer a more affordable step between shared web hosting and dedicated servers but it also creates a more flexible hosting environment. Additional resources can be added to a server with as little effort as a reboot, and they can be added rapidly (hours vs days) in the event that increased performance is needed at short notice.

Learn more about the Anchor VPS service on our website.

Tags: , , , ,
Posted in Newsletter

 Leave a comment

0
Comments