July 2019 Webcast

Virtualization options for on IBM Z & LinuxONE

Richard Young, Executive IT Specialist, Linux, IBM Systems Lab Services

Wilhelm Mild, IBM Executive IT Architect for Mobile, IBM Z and Linux, IBM R&D Lab, Germany

Agenda

➢ Benefits of virtualization
• Available virtualization options
• Considerations for virtualization decisions
• Virtualization options for LinuxONE & Z
  • Firmware hypervisors
  • Software hypervisors
  • Software containers
• Firmware hypervisor decision guide
• Virtualization decision guide
• Summary

© Copyright IBM Corporation 2018

Why do we virtualize? What are the benefits of virtualization?

▪ Simplification – use of standardized images, virtualized hardware, and automated configuration of virtual infrastructure
▪ Migration – one of the first uses of virtualization; enables coexistence, phased upgrades and migrations. It can also simplify hardware upgrades by making changes transparent to the guest.
▪ Efficiency – reduced hardware footprints, better utilization of available hardware resources, and reduced time to delivery. Reuse of deprovisioned or relinquished resources.
▪ Resilience – run new versions and old versions in parallel, avoiding service downtime
▪ Cost savings – having fewer machines translates to lower costs in hardware, networking, floor space, electricity, administration (perceived)
▪ To accommodate growth – virtualization allows the IT department to be more responsive to business growth, hopefully avoiding interruption


What hypervisors and virtualization are available on Linux on IBM Z & LinuxONE

❑ IBM PR/SM (traditional) or via DPM (Dynamic Partition Manager) – firmware based virtualization to securely partition hardware resources. DPM provides a graphical interface and REST interfaces with simplified management, automation, and dynamic capability.
❑ IBM z/VM – IBM developed, software based mainframe virtualization that can be traced back to the beginning of virtualization in computing.
❑ Linux KVM – open source, software based virtualization. Supports multiple hardware architectures. Kernel-based virtual machines started in the mid 2000's.
❑ Containers – system containers and application containers. Via Linux cgroups and namespaces, they provide an isolated and managed environment for applications to run. Containers share a single host kernel, so the kernel is the isolation boundary.
❑ LXD containers – LXD is a system container manager. Unprivileged containers with a CLI and API. Also has OpenStack integration.
❑ Docker based containers – simplified containers with a toolset for container image build, an API & CLI, and a registry. Clustering added with Swarm.
❑ IBM Secure Service Container (SSC) – fully encrypted workload in a partition. Traditional system administrator access removed. Limited and encrypted network access. Primarily deployed with IBM Cloud Private (ICP): SSC for ICP, a Kubernetes based deployment/orchestration solution.


Considerations for virtualization decisions

❑ Software supported in combination with it
❑ Open vs proprietary
❑ Hardware support – i.e. NVMe, CTC, ISM
❑ Outage avoidance – live relocation
❑ Current in-house standards – distros
❑ Feature/function and requirements
❑ Available skill set in house to manage
➢ Live relocation requirements x, y, z
❑ Ability to hire talent with needed skills
❑ Dynamic by design – no outages to change
❑ Learning curve / duration to become fluent/expert – simplicity vs complexity
❑ Performance / scalability
❑ Ecosystem – documentation, training, 3rd party solutions and support
❑ Level of isolation / security
❑ Certifications & multitenancy requirements
❑ Cost – direct / indirect for additional features
❑ Monitoring, security, automation, auditing, time to train
❑ Automation capability – REST APIs or 3rd party tooling – i.e. Kickstart deployment, OpenStack, or Ansible

2019 IBM Systems Technical University

IBM Z and LinuxONE Virtualization: Built-in, Shared Everything Architecture

IBM® Z & LinuxONE™ Systems: hardware assisted virtualization
• Cores are designed to run near 100% utilization nearly 100% of the time
• Provisioning of virtual servers in seconds
• High granularity of resource sharing (<1%)

Layer 1: LPAR – PR/SM or IBM DPM* – up to 85 logical partitions
Layers 2+3: KVM and z/VM – 1000s of virtual machines
• Upgrade of physical resources without taking the system down
• Scalability of up to 1000's of virtual servers
• More with less: more virtual servers per core, sharing of physical resources
• Extensive life-cycle management
• HW-supported isolation, highly secure (PR/SM LPARs are EAL5+ certified, z/VM is EAL4+ certified)

Architectural Options
1. Firmware hypervisor management
   ❑ Traditional PR/SM
   ❑ IBM Dynamic Partition Manager
2. Optionally, one or more software hypervisors
   ❑ IBM z/VM
   ❑ KVM
3. Optionally, one or more container technologies
   ❑ Docker
   ❑ IBM SSC for ICP
   ❑ OKD

IBM LinuxONE Virtualization

Simplified view of virtualization options on IBM LinuxONE

Figure: real cores P1 to P14 (P1 to P12 are physical cores, also known as Integrated Facility for Linux (IFL) processors) are shared by PR/SM or PR/SM + IBM DPM* into traditional logical CPUs for LPAR1 to LPAR8. Some LPARs run IBM z/VM with many SLES, RHEL and Ubuntu guests on virtual CPUs; others run KVM on SLES, Ubuntu or RHEL with their own guests; one runs Linux directly on the LPAR.

All Linux images are capable of hosting containers.

There are typically dozens, even hundreds of Linux servers in a KVM or z/VM LPAR.

* Only one shared pool of cores per system

What is IBM Dynamic Partition Manager?

• Built on existing PR/SM technology capabilities
• Simplified, consumable, enhanced partition life-cycle and integrated dynamic I/O management capabilities
• Provides the technology foundation that enables APIs for IaaS and secure, private KVM clouds

Figure: Linux partitions on top of PR/SM, managed through IBM DPM from the HMC ("powerful and easy").

Technical Specifications for DPM

Supported hardware
– IBM z14, z13, z13s, IBM LinuxONE Emperor I & II or Rockhopper
– HW for DPM: Feature Code #0016 – two dedicated OSA-Express6S 1000BASE-T Ethernet #0426 or OSA-Express5S 1000BASE-T Ethernet #0417

Supported operating environments
– Linux/KVM – FCP and FICON
– z/VM 6.4 and newer – FCP and FICON
– IBM Secure Service Container appliances – FCP and FICON

Supported I/O adapters
– FICON Express including 16S+ (type FCP & FICON)
– FCP Express32S
– OSA-Express5S, 6S, and 7S
– Crypto Express5S and Crypto Express6S
– zEDC Express
– RoCE Express and RoCE Express2

Installation support
• Support for auto-configuration of devices to simplify Linux installation, where installers exploit the function
• Secure FTP through the HMC for boot and install of the operating system via FTP
• Optionally specify VLANs to use on configured OSA adapters

No support yet for
• GDPS®
• FICON CTC (required for z/VM SSI LGR)
• FICON attached tape
• ISM (SMC-D)
• Internal NVMe SSDs


z/VM Virtualization - Overview

➢ Virtualizes CPU, Memory, I/O devices, disks, Networks, Switches with possible overcommitment

➢ Highly effective and granular sharing and resource shifting definition for Linux guests

➢ Cluster for up to four z/VM images or physical systems as members of a Single System Image (SSI) cluster

➢ Live Linux Guest Relocation (LGR) between the nodes of a SSI cluster

➢ Contains LDAP and RACF Security capabilities

Combine LPARs with z/VM CPU Pooling

▪ LPAR with 5 Linux CPUs / IFLs
▪ Create 2 pools – one with 4 CPUs / cores and one with 1 CPU / core
▪ Place the four WAS guests in the 4-core pool and the two DB2 guests in the 1-core pool
• Requires 4-core WAS entitlement
• Requires 1-core DB2 entitlement

Figure: PVU entitlement chart. Four WAS guests with 2 virtual cores each and two DB2 guests with 1 virtual core each; without pooling each product is entitled against the whole 5-core LPAR, with CPU pooling the WAS pool is capped at a capacity of 4 cores and the DB2 pool at 1 core.

▪ Avoids increase in requirements (and costs)
▪ Reduces z/VM system management and maintenance workload
▪ Consolidates resources (memory, paging, network) for greater efficiency

Note: All PVU entitlement examples are on a per-core basis.

z/VM CPU Pooling

▪ CPU pooling
• Create a pool of CPU resources available for a group of Linux guests in a z/VM environment
• Allows capping of CPU utilization for a set of guests to better balance resource utilization

▪ IBM License Metric Tool (ILMT)
• Is a no-charge tool used to determine PVU licensing requirements
• New Linux interface exploited by ILMT to assess software license conformance
• Ability to track CPU pools available in ILMT
• Additionally, improvements were made so that it is not a drag on CPU resources

Using ILMT you are only charged for the CPU pool capacity (sub-capacity pricing) in use by Passport Advantage PVU-based software.

z/VM virtualization scalability

▪ Proven support for up to 32 logical cores / 64 in SMT mode in the host and 64 virtual cores in a guest
▪ 80 logical cores targeted for 2H 2019 per the continuous delivery webpage
▪ Supports up to 2TB of central storage; 4TB of central storage is TBD (watch continuous delivery news)
▪ Support for up to 1 TB of memory
▪ 65,535 (64K) I/O devices (subchannels) for the host, 24K devices per virtual machine
▪ Concurrent I/O to an ECKD disk device = 1 (up to 8 with HyperPAV)
▪ Largest device: ECKD CMS minidisk up to 22.5GB, EAV ~45GB. Non-CMS ECKD: 45GB / ~180GB EAV (CP supports only the first 64K cylinders)
▪ Dynamically add processors, memory, I/O adapters, devices and network cards … no disruption

▪ Continuous Delivery News: http://www.vm.ibm.com/newfunction/

z/VM Cluster functionality: Single System Image Clustering and Live Guest Relocation

▪ Previously an optional priced feature – now included in the z/VM 7.1 base
▪ Connect up to four z/VM systems as members of a Single System Image cluster
▪ Cluster members can run on the same or different physical systems
▪ Simplifies management of a multi-z/VM environment
− Single user directory
− Cluster management from any member
− Cross-system communications for "single system image" management
− Built-in cross-member capabilities
− Resource coordination and protection of network and disks
▪ Apply maintenance to all members in the cluster from one location
▪ Issue commands from one member to operate on another

Figure: four members (z/VM 1 to z/VM 4) connected by cross-system communications, with shared disks, private disks, and cross-system external network connectivity for guest systems.

Effective Virtualization with Linux and z/VM

Linux shared memory exploitation for many virtual machines via z/VM Discontiguous Saved Segments (DCSS)

▪ DCSS support is Data-in-Memory technology
• Share a single, real memory location among multiple virtual machines
• Can reduce real memory utilization
▪ Use cases:
• As a fast swap device
• For sharing only data
• For sharing code (e.g. program executables/libraries)
▪ The large DCSS allows the installation of a full middleware stack in the DCSS (e.g. WebSphere, DB2, etc.)
▪ The DCSS becomes a consistent unit of one software level

Figure: several Linux guests map DCSS "A", "B" and "C" (each holding a program) into their virtual memory, while each DCSS occupies a single copy in real memory.

http://public.dhe.ibm.com/software/dw/linux390/perf/ZSW03186USEN.PDF

IBM Wave for z/VM – graphical interface

IBM Wave for z/VM provides the graphical interface that simplifies and helps to automate the management of z/VM and Linux virtual servers for Linux on Z and IBM LinuxONE systems.

▪ Monitors and manages virtual servers and resources from a single graphical interface ▪ Simplifies and Automates tasks ▪ Provisions virtual resources (Linux Guests, Network, Storage) ▪ Supports advanced z/VM capabilities such as Single System Image and Live Guest Relocation ▪ Allows delegation of administrative capabilities to the appropriate teams

A simple, intuitive graphical tool providing management, provisioning, and automation for a z/VM environment, supporting Linux virtual servers.

Operations Manager for z/VM

Increase productivity
➢ Authorized users view and interact with monitored virtual machines without logging onto them
➢ Multiple users view/interact with a virtual machine simultaneously

Improve system availability
➢ Monitor virtual machines and processes
➢ Take automated actions based on console messages
➢ Reduce problems due to operator error

Automation
➢ Routine activities done more effectively with minimal operations staff
➢ Schedule tasks to occur on a regular basis

Integration
➢ Fulfill take-action requests from performance monitoring products (e.g. OMEGAMON XE on z/VM and Linux)
➢ Send alerts to email, central event management systems (e.g. Netcool/OMNIbus), etc.

Figure: Operations Manager for z/VM sits between the service virtual machines being monitored and the operators: console monitoring, idle monitor, page and spool usage monitoring, responding to system events (user state changes), scheduled tasks, take action, view & interact with consoles, view spool files.

KVM virtualization

What is KVM? (Kernel-based Virtual Machine)
– KVM is an open source hypervisor that is an extension of Linux via optional packages
– The "KVM" module is added to the Linux kernel and implements the virtualization architecture
– KVM typically receives hypervisor management via libvirt, which abstracts over different "hypervisors": KVM, ...
– QEMU provides emulation and works with KVM's capabilities
– Guests run as one or more threads/processes in the KVM host

Figure: on an IBM Z host, the Linux host kernel with the KVM module runs QEMU processes, each hosting a Linux guest OS and its applications; libvirt sits above KVM/QEMU and is driven by the virsh CLI, Virtualization Manager (aka virt-manager), OpenStack and other exploiters.

Features & Benefits of KVM for IBM Z and LinuxONE

Feature of KVM for Z – Benefit
▪ KVM hypervisor – Supports running multiple disparate Linux instances on a single system
▪ Processor sharing – Supports sharing of CPU resources by virtual servers
▪ I/O sharing – Enables sharing of physical I/O resources among virtual servers to enable better utilization
▪ Memory and CPU overcommit – Supports over-commitment of memory and swapping of inactive memory
▪ Live virtual server migration – Enables workload migration
▪ Dynamic addition and deletion of virtual devices – Helps eliminate downtime to modify device configurations for virtual servers
▪ Thin provisioned virtual servers – Supports copy-on-write virtual disks, which saves on storage by not needing full disks until used
▪ Installation/configuration tools – Supplies tools to install and configure KVM
▪ Transactional Execution (TX) exploitation – Supports improved performance of multi-threaded applications when running on supported servers
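Because libvirt is the management layer KVM guests are defined through, the guest's domain XML is where most isolation decisions end up. The following script is an added example (not code from this deck or from the libvirt project): it lints a domain definition for four settings that weaken the boundary between guest, host and neighbouring guests, and shows the weak definition next to its hardened form. The guest name, disk identifier and bridge name are made up; the check for a missing `listen` attribute assumes libvirt's qemu.conf default of binding VNC/SPICE to 127.0.0.1.

```python
"""Lint a libvirt domain definition for settings that weaken guest isolation.

Constructed example for this page; not code from the original deck or from the
libvirt project. Device paths, names and bridge names below are made up.
"""
import xml.etree.ElementTree as ET

# Namespace libvirt uses for raw QEMU command-line passthrough (<qemu:commandline>).
QEMU_NS = "http://libvirt.org/schemas/domain/qemu/1.0"
LOOPBACK = ("127.0.0.1", "::1", "localhost")

# Weak definition: VNC console bound to every address with no password, no sVirt
# label, a raw host disk marked shareable, and a QEMU monitor exposed on TCP.
WEAK_DOMAIN = """<domain type='kvm' xmlns:qemu='http://libvirt.org/schemas/domain/qemu/1.0'>
  <name>linux1</name>
  <memory unit='GiB'>4</memory>
  <vcpu>2</vcpu>
  <os><type arch='s390x' machine='s390-ccw-virtio'>hvm</type></os>
  <devices>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw'/>
      <source dev='/dev/disk/by-id/scsi-36005076000000000000000000000c0de'/>
      <target dev='vda' bus='virtio'/>
      <shareable/>
    </disk>
    <interface type='bridge'><source bridge='br0'/><model type='virtio'/></interface>
    <graphics type='vnc' port='-1' autoport='yes' listen='0.0.0.0'/>
  </devices>
  <qemu:commandline>
    <qemu:arg value='-monitor'/>
    <qemu:arg value='tcp:0.0.0.0:4444,server,nowait'/>
  </qemu:commandline>
</domain>"""

# Hardened form of the same guest: console on loopback (reach it over ssh),
# sVirt confinement on, disk exclusive to this guest, no raw QEMU arguments.
HARDENED_DOMAIN = """<domain type='kvm'>
  <name>linux1</name>
  <memory unit='GiB'>4</memory>
  <vcpu>2</vcpu>
  <os><type arch='s390x' machine='s390-ccw-virtio'>hvm</type></os>
  <devices>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw'/>
      <source dev='/dev/disk/by-id/scsi-36005076000000000000000000000c0de'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <interface type='bridge'><source bridge='br0'/><model type='virtio'/></interface>
    <graphics type='vnc' port='-1' autoport='yes' listen='127.0.0.1'/>
  </devices>
  <seclabel type='dynamic' model='selinux' relabel='yes'/>
</domain>"""


def lint_domain(xml_text):
    """Return a list of (code, message) findings for one domain XML document."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. A graphical console reachable from the network without a password gives
    #    anyone on that segment the guest's keyboard and screen.
    for g in root.iter("graphics"):
        listen = g.get("listen")
        if listen is None:
            sub = g.find("listen")
            listen = sub.get("address") if sub is not None else None
        if listen is None:
            listen = "127.0.0.1"  # assumed qemu.conf default (vnc_listen/spice_listen)
        if g.get("type") in ("vnc", "spice") and listen not in LOOPBACK and not g.get("passwd"):
            findings.append(("GRAPHICS_EXPOSED",
                             f"{g.get('type')} console listens on {listen} without a password"))

    # 2. Without a <seclabel> (or with type='none') the qemu process is not
    #    confined by sVirt (SELinux/AppArmor): a QEMU escape lands as an
    #    unconfined qemu user that can open every other guest's disk image.
    labels = root.findall("seclabel")
    if not labels or any(lbl.get("type") == "none" for lbl in labels):
        findings.append(("NO_SECLABEL", "qemu process is not confined by an sVirt security label"))

    # 3. <shareable/> tells libvirt the device is shared between domains (caching
    #    off, shared instead of exclusive lock); without a cluster filesystem
    #    coordinating access, two guests writing the same device corrupt it.
    for disk in root.iter("disk"):
        if disk.find("shareable") is not None:
            src = disk.find("source")
            where = (src.get("dev") or src.get("file")) if src is not None else "?"
            findings.append(("SHAREABLE_DISK", f"disk {where} is marked <shareable/>"))

    # 4. <qemu:commandline> injects arbitrary QEMU arguments that bypass libvirt's
    #    device model and its sVirt/cgroup setup (here: an unauthenticated QEMU
    #    monitor on 0.0.0.0:4444, which can read and write guest memory).
    if root.find(f"{{{QEMU_NS}}}commandline") is not None:
        findings.append(("QEMU_CMDLINE", "raw QEMU command-line passthrough is enabled"))

    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_DOMAIN), ("hardened", HARDENED_DOMAIN)):
        print(name, lint_domain(doc) or "clean")
```

Run it against `virsh dumpxml <guest>` output to check a live definition; the hardened document produces no findings, the weak one produces all four.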

KVM Live Migration and Clustering

Live migration
– Same as on other KVM hardware platforms
– Does not require FICON CTCs
– Requires only some sort of network connectivity (TCP or RDMA)
  • OSA 1Gb, 10Gb, 25Gb
  • RoCE Express 10Gb, 25Gb
– No cluster pre-definition required, other than that the guest needs to target the same or a newer machine model with access to the same compute resources
– Precopy and postcopy live migration options
– Can monitor status and convert the type of copy
– The migration stream carries the guest's memory contents, so run it over a dedicated or TLS-protected network rather than a shared management LAN

Inherits Linux clustering capabilities
– Clustered filesystems
  • GPFS/Spectrum Scale
  • GFS2
  • NFS v4
  • GlusterFS
– Open source – Linux HA
  • Pacemaker
  • Corosync
– Commercially – IBM System Automation

KVM virtualization scalability

Linux host support
• CPUs/cores: 256 (170 on z14)
• Memory: up to 16 TB
• I/O devices: 64K per subchannel set
• Virtual NICs: 8192
• Fast internal network I/O (Open vSwitch)
• Dynamic add/remove of CPU, memory, and I/O devices
• Channel subsystems and subchannel sets
• HiperSockets, RoCE Express, and ISM SMC-D
• ECKD, SCSI, internal NVMe storage
• Large pages

KVM guest support
• Guest domains: up to 4096 with supporting memory and CPU
• Up to 248 virtual CPs
• Virtual block devices: up to 1024
• Virtual IDE: up to 4
• Virtual NICs: up to 32
• Memory overcommitment
• Virtual DVDs
• Text and graphical consoles
• RoCE Express virtual functions
• Crypto Express
• Large pages
• Concurrent live guest migrations: 64

Linux shared memory technology

▪ Kernel same page merging (KSM)
• KSM is a memory-saving de-duplication feature that merges anonymous (private) pages (not pagecache ones). Although it started as a virtual machine feature, KSM is suitable for more than virtual machine use, as it can be useful to any application which generates many instances of the same data.
• Simple: no preplanning, complex setup or ongoing maintenance. The system just combines identical pages within regions an application (QEMU, for its guests) has marked mergeable with madvise(MADV_MERGEABLE).
• Requires some amount of CPU to scan and manage pages
• Utilizes copy on write should the pages of memory diverge
• Caveat: the copy-on-write break is measurably slower than an ordinary write, which makes deduplication across tenants a known timing side channel for learning whether another guest holds a given page; scope KSM to guests of one trust level.
▪ In-memory filesystems and the Plan 9 filesystem
• ramfs / tmpfs
• 9p (Plan 9) filesystem sharing between host and guest systems, R/O or R/W
▪ Container memory sharing examples:
• Typically share the host kernel
• External volumes (R/O access to a host filesystem)
• --ipc="": set the IPC mode for the container. 'container:<name>' reuses another container's IPC namespace; 'host' uses the host's IPC namespace inside the container, which lets the container see and attach to every shared memory segment on the host, so treat it as a privilege rather than a performance option.
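The `--ipc` bullet is one of a family of `docker run` options that quietly hand a container a host namespace, a host capability or a host path. The script below is an added example (not code from this deck or from the Docker project) that audits a `docker run` command line for those options; the registry names and paths in the sample commands are constructed. It only understands the flag spellings listed in it, so an option it does not know is skipped rather than reported.

```python
"""Audit `docker run` options that collapse container isolation boundaries.

Constructed example for this page; not code from the original deck or from the
Docker project. The command lines in SAMPLES are made up.
"""
import shlex

# Options whose value 'host' joins the container to that host namespace.
HOST_NS_FLAGS = {
    "--ipc": "IPC namespace (host shared memory segments and semaphores become visible)",
    "--pid": "PID namespace (host processes visible and signallable)",
    "--net": "network namespace (host interfaces, loopback-only services, raw sockets)",
    "--network": "network namespace (host interfaces, loopback-only services, raw sockets)",
    "--uts": "UTS namespace (can change the host's hostname)",
    "--userns": "user namespace (uid remapping disabled for this container)",
}
# Options that take a value either as '--flag value' or '--flag=value'.
VALUE_FLAGS = set(HOST_NS_FLAGS) | {"--cap-add", "--security-opt", "-v", "--volume", "--mount", "--device"}
# Capabilities that are close to full root on the host kernel.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}


def _bind_mount(spec, style):
    """Return (source, read_only) for a host bind mount, or None for a named volume."""
    if style == "mount":                                   # --mount key=value,...
        kv = dict(part.partition("=")[::2] for part in spec.split(","))
        if kv.get("type", "volume") != "bind":
            return None
        return kv.get("source") or kv.get("src", ""), ("readonly" in kv or "ro" in kv)
    parts = spec.split(":")                                # -v src:dst[:options]
    if len(parts) < 2 or not parts[0].startswith("/"):
        return None                                        # named volume, not a host path
    return parts[0], (len(parts) > 2 and "ro" in parts[2].split(","))


def audit_run_command(cmdline):
    """Return a list of (code, message) findings for one `docker run` command line."""
    argv = shlex.split(cmdline)
    findings = []
    i = 0
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("-"):           # 'docker', 'run', image, command: skip
            i += 1
            continue
        key, has_eq, val = tok.partition("=")
        if key in VALUE_FLAGS and not has_eq:
            i += 1
            val = argv[i] if i < len(argv) else ""
        if key in HOST_NS_FLAGS and val == "host":
            findings.append(("HOST_NS", f"{key}=host shares the host {HOST_NS_FLAGS[key]}"))
        elif key == "--privileged":
            findings.append(("PRIVILEGED", "all capabilities, no seccomp/AppArmor, every host device"))
        elif key == "--cap-add":
            cap = val.upper()
            cap = cap[4:] if cap.startswith("CAP_") else cap
            if cap in DANGEROUS_CAPS:
                findings.append(("CAP_ADD", f"CAP_{cap} is effectively host root"))
        elif key == "--security-opt" and val in ("seccomp=unconfined", "apparmor=unconfined", "label=disable"):
            findings.append(("LSM_DISABLED", f"{val} removes a kernel-level confinement layer"))
        elif key in ("-v", "--volume", "--mount"):
            mount = _bind_mount(val, "mount" if key == "--mount" else "volume")
            if mount is not None:
                src, read_only = mount
                if src in DOCKER_SOCKETS:
                    findings.append(("DOCKER_SOCKET", "docker socket mounted: container can start a privileged container"))
                elif not read_only:
                    findings.append(("HOST_MOUNT_RW", f"host path {src} mounted read-write"))
        elif key == "--device":
            findings.append(("HOST_DEVICE", f"host device {val.split(':')[0]} passed through"))
        i += 1
    return findings


# Constructed samples: the first two quietly remove the isolation the namespace
# diagram relies on; the third keeps it.
SAMPLES = {
    "shares_host": "docker run -d --ipc=host --pid host --cap-add SYS_ADMIN "
                   "-v /var/run/docker.sock:/var/run/docker.sock registry.example/monitor:1.0",
    "unconfined": "docker run -it --privileged --security-opt seccomp=unconfined "
                  "-v /etc:/host-etc registry.example/debug:latest sh",
    "isolated": "docker run -d --read-only --cap-drop ALL --security-opt no-new-privileges "
                "-v /srv/app/config:/config:ro --ipc=private registry.example/app:2.3",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, audit_run_command(cmd) or "no findings")
```

The same checks apply to a compose file or a Kubernetes pod spec (`hostIPC`, `hostPID`, `hostNetwork`, `privileged`, `hostPath` volumes); only the spelling of the knobs changes.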

Monitoring and Automation with KVM

Automation
• OpenStack
• Chef
• Ansible
• Puppet
• Nagios
• Linux HA (Pacemaker, Corosync)
• IBM System Automation

Monitoring
• IBM Tivoli Monitoring (Linux resources)
• Nagios
• ELK
• Grafana
• Zabbix
• OpenNMS
• Cacti

KVM

Guest management
• Lifecycle: stop, start, create, destroy
• Suspend/resume
• Snapshotting
• Cloning
• Guest resource dynamic add/remove
• Console (text & graphical)
• Live resize of CPU & memory
• Live migration
• Resource monitoring

Host management
• Network resources
• Storage resources

Summary of KVM and z/VM for IBM LinuxONE

LPAR virtualization can be done via the newer IBM DPM or traditional PR/SM.

IBM z/VM
• World class quality, security, reliability – powerful and versatile
• Scalability creates cost savings opportunities
• Exploitation of advanced Linux technologies, such as shared memory (Linux kernel, executables, communications)
• Granular control over resource pool
• Provides virtualization for all Z operating systems
• Can integrate with external tools via exposed z/VM REST APIs

KVM
• Standardizes configuration and operation of server virtualization
• Leverage existing Linux skills/tools
• Flexibility and agility leveraging the Linux open-source community
• Shared memory (KSM)
• Granular resource controls based in cgroups
• Provides an open-source virtualization choice
• Utilizes standard libvirt API
• Full OpenStack deployment possible

Figure: an IBM LinuxONE system with Linux on z guests under z/VM in one LPAR and under KVM in another, above the Support Element and the shared processors, memory and I/O.

What requirements might lead you to pick one over another?

o Current staff skillset?
  • z/VM or Linux and/or KVM skills
  • Performance Toolkit or SAR
  • RACF vs LDAP, /etc/passwd, SELinux
  • Linux audit vs RACF SMF
  • DIRMAINT vs virt-manager & virsh
  • VMSES vs rpm, apt, zypper, yum, dnf
  • 3270 vs VNC GUI or ssh emulator
o Middleware or application support statements?
o Perceived complexity by client?
o Multifactor authentication security (middleware)
o Need for full OpenStack support / integration with open standards
o FICON interfaces required for z/VM SSI clustering
o z/VM live relocation only on ECKD based disk storage
o Need to encrypt hypervisor filesystems?
o ECKD and the use of multiple channel subsystems or channel subsets
o Approach to high availability or disaster recovery
o DR via IBM GDPS or another method
o HyperSwap via GDPS or without (i.e. V7000)?

Choice in Hypervisors

Target environments for KVM: (new) Linux environments that …
• Are committed to open technologies, open-source oriented
• Are Linux-centric, and are familiar with KVM or containers
• Have Linux admin skills with KVM
• Need to integrate into a distributed Linux/KVM environment, using standard interfaces (i.e. full OpenStack deployment)

Target environments for z/VM: Linux installs that …
• Already use z/VM for Linux workloads
• Are skilled in z/VM and prefer a mature model
• Are invested in tooling for the z/VM environment
• Require technical capabilities in z/VM (e.g. GDPS managed HyperSwap ...)
• Require a software certification (e.g. Oracle DB)
• Virtualization of non-Linux operating systems

Both can coexist on the same server in different partitions should you require capabilities/features of both.


Containers in Linux – for application isolation

▪ linuxcontainers.org is the umbrella project behind Linux Containers (LXC), Linux Container management (LXD), Linux Container FileSystem (LXCFS) and the Linux cgroup manager (CGManager).
• The goal is to offer a Linux distro and vendor neutral environment for the development of Linux container technologies.
• The main focus is system containers, which offer an environment as close as possible to the one you'd get from a VM but without the overhead that comes with running a separate kernel and simulating all the hardware. This is achieved through a combination of kernel security features such as namespaces, mandatory access control and control groups (cgroups).

▪ Container goals and characteristics:
➢ Isolated application environments within a Linux OS instance
➢ Each container has its own, different address space but the same kernel
➢ Serve a single task
➢ Self-contained set of files for applications
➢ Startup time and efficiency comparable to native execution

Linux control groups and namespaces are used for isolation

⚫ To simplify:
− "cgroups" will control resources in your container: CPU, memory, disk I/O throughput
− "namespaces" will isolate: process IDs, hostnames, user IDs, network access, interprocess communication, filesystems

Figure: inside one Linux guest, Container 1 and Container 2 each hold their apps within their own kernel namespaces and cgroups, on top of the single shared kernel.

The basic functions of Docker for container development

Build – the Dockerfile describes the steps to build a container image automatically from source. The developer creates the app, builds the container image and pushes it to the registry server.
Ship – the new image is pushed to the image repository.
Run – the operator deploys: the Docker engine gets image N from the repository and runs container N on the host OS.

Figure: Build (Dockerfile, Docker engine, image) -> Ship (image repository) -> Run (Docker engine on the host OS running Container A .. Container N).
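The namespace and cgroup model described above is visible from inside the kernel's own bookkeeping: `/proc/<pid>/ns/*` links name the namespaces a process lives in, and the cgroup v2 files under `/sys/fs/cgroup` hold its limits. The script below is an added example (not code from this deck or from any container project) that reports which namespaces a container process still shares with PID 1, which is the quickest way to notice a `--pid=host` or `--net=host` that slipped into production, and parses its CPU, memory and I/O limits. The `FAKE_*` tables are constructed stand-ins for `/proc` and `/sys/fs/cgroup` so it runs offline; calling `isolation_report(pid)` with no other arguments inspects the live system.

```python
"""Report which kernel namespaces a process shares with PID 1 and the cgroup v2
limits applied to it.

Constructed example for this page; not code from the original deck or from any
container project. FAKE_LINKS and FAKE_FILES stand in for /proc and
/sys/fs/cgroup so the script runs offline.
"""
import os

NAMESPACES = ("pid", "net", "ipc", "uts", "mnt", "user", "cgroup")
CGROUP_ROOT = "/sys/fs/cgroup"


def _read_file(path):
    with open(path) as fh:
        return fh.read()


def ns_ids(pid, readlink=os.readlink):
    """Map namespace type -> inode from /proc/<pid>/ns/* ('pid:[4026531836]' -> 4026531836)."""
    ids = {}
    for ns in NAMESPACES:
        try:
            target = readlink(f"/proc/{pid}/ns/{ns}")
        except OSError:
            continue                      # namespace type not available, or process gone
        ids[ns] = int(target.split("[", 1)[1].rstrip("]"))
    return ids


def shared_namespaces(pid, other=1, readlink=os.readlink):
    """Namespace types in which `pid` lives together with `other` (PID 1 = the host)."""
    a, b = ns_ids(pid, readlink), ns_ids(other, readlink)
    return sorted(ns for ns in a if ns in b and a[ns] == b[ns])


def parse_cpu_max(text):
    """cpu.max is '<quota> <period>' in microseconds; quota 'max' means unlimited."""
    quota, period = text.split()
    return None if quota == "max" else int(quota) / int(period)


def parse_memory_max(text):
    return None if text.strip() == "max" else int(text)


def parse_io_max(text):
    """io.max: one line per device, 'MAJ:MIN rbps=.. wbps=.. riops=.. wiops=..'; keep set limits."""
    limits = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        dev, *pairs = line.split()
        vals = {k: int(v) for k, v in (p.split("=", 1) for p in pairs) if v != "max"}
        if vals:
            limits[dev] = vals
    return limits


def cgroup_path(pid, read_file=_read_file):
    """On the cgroup v2 unified hierarchy /proc/<pid>/cgroup has a single '0::<path>' line."""
    for line in read_file(f"/proc/{pid}/cgroup").splitlines():
        if line.startswith("0::"):
            return line[3:].strip()
    raise ValueError("cgroup v2 unified hierarchy not found")


def isolation_report(pid, readlink=os.readlink, read_file=_read_file):
    base = CGROUP_ROOT + cgroup_path(pid, read_file)
    return {
        "shared_with_host": shared_namespaces(pid, 1, readlink),
        "cpu_cores": parse_cpu_max(read_file(base + "/cpu.max")),
        "memory_bytes": parse_memory_max(read_file(base + "/memory.max")),
        "io": parse_io_max(read_file(base + "/io.max")),
    }


# Constructed /proc and cgroup contents: PID 4242 was started with --ipc=host and
# --net=host, and without user-namespace remapping (the Docker default), so its
# root is uid 0 on the host as well.
FAKE_LINKS = {
    "/proc/1/ns/pid": "pid:[4026531836]", "/proc/1/ns/net": "net:[4026531992]",
    "/proc/1/ns/ipc": "ipc:[4026531839]", "/proc/1/ns/uts": "uts:[4026531838]",
    "/proc/1/ns/mnt": "mnt:[4026531840]", "/proc/1/ns/user": "user:[4026531837]",
    "/proc/1/ns/cgroup": "cgroup:[4026531835]",
    "/proc/4242/ns/pid": "pid:[4026532401]", "/proc/4242/ns/net": "net:[4026531992]",
    "/proc/4242/ns/ipc": "ipc:[4026531839]", "/proc/4242/ns/uts": "uts:[4026532402]",
    "/proc/4242/ns/mnt": "mnt:[4026532400]", "/proc/4242/ns/user": "user:[4026531837]",
    "/proc/4242/ns/cgroup": "cgroup:[4026532403]",
}
FAKE_FILES = {
    "/proc/4242/cgroup": "0::/docker/0f3a9c\n",
    "/sys/fs/cgroup/docker/0f3a9c/cpu.max": "50000 100000\n",
    "/sys/fs/cgroup/docker/0f3a9c/memory.max": "536870912\n",
    "/sys/fs/cgroup/docker/0f3a9c/io.max": "8:0 rbps=max wbps=10485760 riops=max wiops=max\n",
}


def demo_report():
    return isolation_report(4242, readlink=FAKE_LINKS.__getitem__, read_file=FAKE_FILES.__getitem__)


if __name__ == "__main__":
    print(demo_report())
```

For the constructed process the report lists `ipc`, `net` and `user` as shared with the host, a CPU cap of half a core, a 512 MiB memory limit and a 10 MiB/s write limit on device 8:0. A `user` entry is expected on a default Docker host and is worth noting in the output precisely because it is so easy to overlook.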

Approaches for Application Deployment: Virtualization vs. Containers

Virtualization – infrastructure oriented
➢ Customers have virtualized their servers to gain efficiencies
➢ Focus is on virtual server resource management
➢ Few applications per guest VM / hypervisor instance
➢ Provides application isolation – an application failure does not adversely affect other applications residing in other guest VMs
➢ Provides persistence across server restarts
Figure: OpenStack running in a guest VM; App 1 .. App n each in its own guest VM with its own OS kernel, on the hypervisor over virtual network, compute and storage infrastructure.

Docker containers – service oriented
➢ Application-centric – infrastructure resources are assumed to be already in place
➢ Focus is on application isolation / management
➢ All containers for a given application reside in a single guest VM / single operating system instance
➢ Has specific DevOps implications
➢ Provides a very dynamic application deployment model
Figure: App 1 .. App n each in Container 1 .. Container n, on a container engine (i.e. Docker) running in a guest VM with one OS kernel, on the hypervisor / LPAR over virtual network, compute and storage infrastructure.

Because every container in that guest shares one kernel, a kernel compromise from any container reaches all of them; the VM or LPAR boundary, not the container, is the hard isolation line.

IBM Secure Service Container (SSC)
• SSC is a special LPAR and provides a simplified mechanism for fast deployment and management of a packaged solution
• Provides tamper protection during installation and runtime
• Ensures confidentiality of data and code, in flight and at rest
• Management provided via remote APIs (RESTful) and web interfaces only

Docker enablement
• Enables containers to be delivered via distribution channels

Figure: the IBM Secure Service Container stacks a base operating system, management backend, application interfaces and the appliance, exposed only through the management UI and REST API.

Deploy your container workload in a highly secure environment.

runC vs runQ

runq is a hypervisor-based Docker runtime based on runc to run regular Docker images in a lightweight KVM/QEMU virtual machine.

Key differences to other hypervisor-based runtimes:
• minimalistic design, small code base
• no modification to existing Docker tools (dockerd, containerd, runc, ...)
• coexistence of runq containers and regular runc containers
• no extra state outside of Docker (no libvirt, no changes to /var/run/...)
• no custom guest kernel or custom host kernel needed

Figure: a runc container runs its application directly on the host kernel; a runq container runs the application on a guest kernel inside a QEMU VM on the host kernel.

For more information: https://github.com/gotoz/runq

Secure Service Container for IBM Cloud Private V1.1.0

Architecture for integration with ICP. ICP is a Kubernetes based multi-cloud management toolset.

Figure: an SSC LPAR on PR/SM hosts the Secure Service Container for ICP with a Docker engine using the runq runtime. ICP Worker 1, ICP Worker 2 and the ICP Proxy Node each run as an isolated VM (own kernel, qemu) reached over IPsec; the ICP Master runs on an x86 machine with a public IP, and the Ansible-driven installer talks to the SSC over REST.

OKD – OpenShift Community Distribution (aka OpenShift Origin)

▪ Upstream community version of the Red Hat OpenShift container platform (aka OpenShift Enterprise)
▪ Kubernetes based platform as a service
▪ Support from https://www.sinenomine.net/products/linux/OpenShift
▪ Ansible driven install is simple

Summary: IBM Z & LinuxONE Systems Virtualization Options

Traditional PR/SM
Description: Divide one physical LinuxONE system into up to 85 logical partitions (LPARs) running isolated and secured in parallel. Share resources across LPARs or dedicate them to a particular LPAR.
Advantages: • Comes with the system • Powerful / efficient • Supports z/OS, z/VSE, z/TPF, z/VM, Linux
Considerations: • Configuration for a non-Z administrator

Dynamic Partition Manager (IBM DPM)
Description: Easy-to-use version of PR/SM, designed to make it easy for distributed systems administrators to set up and manage the system.
Advantages: • Comes with the system • Powerful / efficient • Easy to use • Supports z/VM, Linux, KVM, SSC
Considerations: • Does not support z/OS, z/VSE, z/TPF • No CTC support, required by z/VM Single System Image

z/VM
Description: IBM proprietary solution for server virtualization, supported on IBM LinuxONE systems. z/VM will continue to be enhanced to support Linux workloads.
Advantages: • Very mature, efficient and resilient • CPU pooling across LPARs • Only hypervisor Oracle supports on Z & LinuxONE • Optional IBM Wave makes it easier to manage
Considerations: • Requires unique skills • Steep learning curve for distributed administrators • Costs more than "free" KVM

KVM
Description: KVM provides an open-source choice for IBM LinuxONE systems virtualization for Linux workloads. Best for when the staff is not familiar with z/VM and are Linux-centric admins.
Advantages: • Included with the Linux distros • Open source • Supports multiple chip architectures • Easy for Linux admins • Includes OpenStack support
Considerations: • Each distro has its own version of KVM – some inconsistencies • Not supported by Oracle on any platform

Containers (Docker, Kubernetes, SSC)
Description: The most popular open-source software container technology; virtualizes the operating system instead of the hardware.
Advantages: • Doesn't need a hypervisor for isolating apps • More efficient for applications and microservices • Highly portable – ubiquitous across platforms, clouds, non-cloud • Included with Linux distros (except SSC)
Considerations: • Varied levels of isolation • Existing applications may need rework • Images need to support Z


Firmware hypervisor decision guide

• Due to the simplified, dynamic, and agile nature of DPM, one would plan to use it by default unless there is an overriding requirement that prevents utilizing it.
• Situations that would require you to use traditional PR/SM management:

Requirements driving traditional PR/SM
– z/OS, VSE, or TPF operating systems: these would not run on a LinuxONE
– GDPS virtual appliance: HA/DR can be managed in other ways
– z/VM SSI: requires FICON CTC today; KVM does not have this requirement
– Internal NVMe SSD: cannot configure internal NVMe with DPM
– FICON attached tape: SCSI tape possible; would not expect FICON tape in a LinuxONE-only environment
– Internal Shared Memory (ISM) and SMC-D: only RoCE Express cards and HiperSockets can be configured in DPM today


Software virtualization decision guide

Columns: Linux on LPAR | Linux under KVM | Linux under z/VM | Linux containers
(The dots were colour-coded on the original slide; only the annotations survive here.)

• Greater than 40/85 instances: ● | ● | ● | ●
• Oracle DB certification: ● (<86) / ● | ● / ● | ● | ● / ●
• Db2 LUW: ● (<86) / ● | ● | ● | ●
• MongoDB, PostgreSQL, MariaDB, etc.: ● (<86) / ● | ● | ● | ●
• No IBM Z skills, require simplified / easy: ● | ● | ● / ● | ●
• Cloud-native microservices, ICP / OKD / Kubernetes: ● | ● (value add?) / ● | ● (value add?) / ● | ●
• Java, Node.js, J2EE: ● (<86) / ● | ● | ● | ●
• Non-Docker apps (monolithic apps): ● (<86) / ● | ● | ● | ●

Virtualization options summary

❑ The virtualization decision is a per-LPAR decision on IBM Z and IBM LinuxONE!
  • Up to 40 LPARs on Rockhopper II, up to 85 on Emperor II
❑ There are 4 virtualization options for LinuxONE & Linux on Z
  • Linux on “bare metal” (Linux on LPAR, no software hypervisor)
  • Linux under KVM
  • Linux under z/VM
  • Linux Containers – in a Linux on LPAR, under z/VM, or under KVM
❑ All options have advantages and all have considerations beyond what we covered here. We’re happy to help you in your virtualization decision.
❑ Software containers can be used in Linux on LPAR, Linux on z/VM, or Linux on KVM
❑ Oracle is certified under z/VM but not under KVM or VMware
❑ SLES, Red Hat & Ubuntu all include a KVM hypervisor
❑ All 3 distributions include container engines today (e.g. Docker)
❑ Send us your observations!

Questions?

Wilhelm Mild
IBM Deutschland Research & Development GmbH
IBM Executive IT Architect
Schönaicher Strasse 220
71032 Böblingen, Germany
Office: +49 (0)7031-16-3796

Notices and disclaimers

— © 2019 International Business Machines Corporation. No part of this document may be reproduced or transmitted in any form without written permission from IBM.
— U.S. Government Users Restricted Rights — use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM.
— Information in these presentations (including information relating to products that have not yet been announced by IBM) has been reviewed for accuracy as of the date of initial publication and could include unintentional technical or typographical errors. IBM shall have no responsibility to update this information. This document is distributed “as is” without any warranty, either express or implied. In no event, shall IBM be liable for any damage arising from the use of this information, including but not limited to, loss of data, business interruption, loss of profit or loss of opportunity. IBM products and services are warranted per the terms and conditions of the agreements under which they are provided.
— Performance data contained herein was generally obtained in a controlled, isolated environments. Customer examples are presented as illustrations of how those customers have used IBM products and the results they may have achieved. Actual performance, cost, savings or other results in other operating environments may vary.
— References in this document to IBM products, programs, or services does not imply that IBM intends to make such products, programs or services available in all countries in which IBM operates or does business.
— Workshops, sessions and associated materials may have been prepared by independent session speakers, and do not necessarily reflect the views of IBM. All materials and discussions are provided for informational purposes only, and are neither intended to, nor shall constitute legal or other guidance or advice to any individual participant or their specific situation.
— IBM products are manufactured from new parts or new and used parts. In some cases, a product may not be new and may have been previously installed. Regardless, our warranty terms apply.
— Any statements regarding IBM's future direction, intent or product plans are subject to change or withdrawal without notice.
— It is the customer’s responsibility to insure its own compliance with legal requirements and to obtain advice of competent legal counsel as to the identification and interpretation of any relevant laws and regulatory requirements that may affect the customer’s business and any actions the customer may need to take to comply with such laws. IBM does not provide legal advice or represent or warrant that its services or products will ensure that the customer follows any law.

2019 IBM Systems Technical University

Notices and disclaimers continued

— Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products about this publication and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products. IBM does not warrant the quality of any third-party products, or the ability of any such third-party products to interoperate with IBM’s products. IBM expressly disclaims all warranties, expressed or implied, including but not limited to, the implied warranties of merchantability and fitness for a purpose.
— The provision of the information contained herein is not intended to, and does not, grant any right or license under any IBM patents, copyrights, trademarks or other intellectual property right.
— IBM, the IBM logo, ibm.com and [names of other referenced IBM products and services used in the presentation] are trademarks of International Business Machines Corporation, registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at: www.ibm.com/legal/copytrade.shtml
