Linux has been popular in the enterprise data center for many years. LAMP stacks, web servers, proxy servers, firewalls and load balancers are just a few of the basic use cases for the operating system. In the past decade, improved usability and documentation have driven a significant increase in the use of many Linux distributions. During that growth we brought virtualization into the data center, and running Linux in a virtual machine comes with a few caveats worth paying attention to.
Logical Volume Management
Many recent Linux distributions include the Logical Volume Manager (LVM). Because it sits between the disks and the partitions, it lets administrators perform a number of management tasks. Some of its features, such as striping or spanning a volume across several disks, are less common in the virtual world, where the data usually lives on the same SAN or datastore anyway. Beyond those, LVM offers other interesting capabilities. With LVM enabled, administrators can grow partitions and file systems on the fly while the file system stays online and accessible. Where strict compliance requirements apply, LVM also lets us take volume-based snapshots for backup and restore without relying on the functions vSphere provides.
My advice: if the workload has strict availability requirements and you rely on online resizing, partition the virtual machine with LVM. If you do not need that much uptime, or do not intend to install Linux across separate partitions, the complexity of LVM will far outweigh its benefits, and it is better to leave it disabled.
The default Linux installation usually prompts the user to place all files on a single partition. In some cases that is the right choice, but when you are tuning a virtual machine for security and performance, a separate partition for each of /tmp, /var, /home and /usr makes more sense, especially if you want each partition to carry different mount options. In /etc/fstab you can specify the mount options for each partition on its own line, as follows:
UUID=0aef28b9-3d11-4ab4-a0d4-d53d7b4d3aa4 /tmp ext4 defaults,noexec 1 2
For a web server, one of the most common Linux virtual machine use cases, we will quickly find that some of the "default" mount options end up undermining the security and performance plan.
noatime / atime / relatime: These mount options determine how access timestamps are recorded for files on the partition. In older Linux releases the default is "atime", which means that on every read the operating system writes a timestamp into the file's metadata: every read call costs a write. For a web server that constantly serves files, you can imagine the cost of this. By specifying "noatime" on the partition holding the web server data, access times are no longer updated and server overhead drops. Newer releases default to "relatime", which is quite effective: it only updates the access time when it is older than the modification time.
noexec / exec: Disables or enables executing binaries on a given partition. For a web server, mounting /tmp with "noexec" is significant; in fact, many hardening guides recommend this option to improve security.
Care must be taken when changing the access time option. Some applications, such as mail-related functions, require the full "atime" behaviour. For a web server, as long as the security guidelines allow it, you can mount the web server data with "noatime". Use noexec judiciously as well: many automated setup and installation packages extract to /tmp and launch from there. It is easy to toggle, though, so at minimum I add noexec to /tmp.
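The following audit script is an added example, not code from the original article: it parses an fstab and reports whether /tmp carries noexec and whether the web data partition carries noatime. The sample fstab, its placeholder UUIDs and the /var/www mount point are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: audit an fstab for the
# per-partition mount options discussed above. The sample fstab and its
# UUIDs are constructed placeholders.
SAMPLE_FSTAB='# <file system>      <mount point> <type> <options>              <dump> <pass>
UUID=PLACEHOLDER-ROOT /             ext4   defaults               1 1
UUID=PLACEHOLDER-TMP  /tmp          ext4   defaults,noexec,nosuid 1 2
UUID=PLACEHOLDER-WWW  /var/www      ext4   defaults               1 2
UUID=PLACEHOLDER-HOME /home         ext4   defaults,relatime      1 2'

# fstab_has_option <fstab text> <mount point> <option>
# Returns 0 if the mount point's option list contains <option>, 1 if the
# mount point is listed without it, and 2 if the mount point is absent.
fstab_has_option() {
    # Drop comments, then pick the options field (4th) of the matching line.
    opts=$(printf '%s\n' "$1" | sed 's/#.*//' |
           awk -v mp="$2" '$2 == mp { print $4 }')
    [ -n "$opts" ] || return 2
    # Wrap in commas so "noatime" cannot match inside "relatime".
    case ",$opts," in
        *",$3,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_fstab <fstab text>
# Checks the hardening rules from the article (noexec on /tmp, noatime on
# the web data partition) and returns the number of rules not satisfied.
audit_fstab() {
    missing=0
    for rule in /tmp:noexec /var/www:noatime; do
        mp=${rule%%:*}; opt=${rule#*:}
        if fstab_has_option "$1" "$mp" "$opt"; then
            printf 'ok       %s is mounted with %s\n' "$mp" "$opt"
        else
            printf 'MISSING  %s is not mounted with %s\n' "$mp" "$opt"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# On a real host: audit_fstab "$(cat /etc/fstab)"
audit_fstab "$SAMPLE_FSTAB" || echo "$? rule(s) not satisfied"
```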
VMXNET3 and PVSCSI
For a long time we have recommended the VMXNET3 network adapter and the paravirtualized SCSI adapter for virtual machines. On Windows-based virtual machines we simply select these devices and the drivers are installed automatically with VMware Tools. On Linux the same hardware poses some challenges. First, newer Linux distributions usually ship their own VMXNET3 driver, and even when VMware Tools is installed, the distribution's driver is used by default.
Older Linux distributions may contain an outdated version of the VMXNET3 driver that does not provide the full feature set included in the VMware Tools version. VMware KB2020567 describes how to enable some of the VMXNET driver features. If you want to install the VMXNET3 driver bundled with VMware Tools, specify the following option when installing VMware Tools:
./vmware-install.pl --clobber-kernel-modules=vmxnet3
If you want some extra throughput at a low CPU cost, the paravirtualized SCSI adapter is a good option. Be sure to check the list of supported operating systems before making this choice, to ensure that your kernel or distribution supports the paravirtualized SCSI adapter.
If possible, I recommend that administrators use VMXNET3 and PVSCSI. If you are running an older kernel, install the VMXNET3 version from VMware Tools; on a newer kernel, use the native Linux driver in the distribution.
The Linux operating system continually moves memory pages from physical memory to the local swap partition; this is by design. In fact, VMware's memory management does the same thing. But Linux memory management behaves a little differently: it moves pages to swap even while physical memory is still available. To reduce swapping activity in a Linux virtual machine we can adjust the "swappiness" value. A higher value means more pages are moved out; a lower value means memory is left in place. To adjust it, add "vm.swappiness = ##" to /etc/sysctl.conf, replacing "##" with the value you want, and restart.
I like to lower the default value of 60. Having both the operating system and vSphere manage swapping of your memory does not make sense. It depends on the application, but I usually set this value to 15-20.
I/O scheduler
ESXi does a great deal in terms of memory management, and when it comes to I/O scheduling and writes to disk it presents the same picture. The Linux operating system, however, duplicates some of this functionality internally. Since the 2.6 kernel, most distributions have used the Completely Fair Queuing (CFQ) I/O scheduler by default. The other available schedulers are NOOP, Anticipatory and Deadline. VMware explains how to change the value and why; scheduling I/O twice simply does not make sense. In short, the Linux kernel's default I/O scheduler can be switched by appending a parameter to the kernel entry in grub.
There is no need for the operating system to re-order I/O that the hypervisor already schedules. I recommend the NOOP I/O scheduler, because it does not try to optimize disk I/O itself and leaves that to vSphere's discretion.
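The helpers below are an added example, not code from the original article; they cover both the swappiness setting and the I/O scheduler switch discussed above: parsing vm.swappiness out of a sysctl.conf (with or without spaces around "="), reading the active scheduler from the sysfs format, and adding or replacing a parameter on a grub kernel line. The sysctl.conf sample and grub line are constructed, and the "elevator=" boot parameter is assumed here as the kernel's option for selecting the scheduler; the article does not name it.

```shell
#!/bin/sh
# Added example, not from the original article: helpers for checking the
# guest-side swap and I/O scheduler settings discussed above.

# Constructed sample /etc/sysctl.conf. sysctl accepts "key = value" with
# or without spaces around "=", so the parser must tolerate both.
SAMPLE_SYSCTL='# tuning for a vSphere guest
net.ipv4.ip_forward = 0
vm.swappiness=15'

# sysctl_conf_value <conf text> <key>: prints the last value set for <key>.
sysctl_conf_value() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk -F= -v key="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2)
          if ($1 == key) v = $2 }
        END { if (v != "") print v }'
}

# swappiness_ok <conf text> <max>: 0 if vm.swappiness is set and <= <max>.
swappiness_ok() {
    v=$(sysctl_conf_value "$1" vm.swappiness)
    [ -n "$v" ] && [ "$v" -le "$2" ]
}

# active_scheduler <contents of /sys/block/<dev>/queue/scheduler>
# The kernel lists every available scheduler and brackets the active one,
# e.g. "noop anticipatory [deadline] cfq"; this prints the bracketed name.
active_scheduler() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([^]]*\)\].*/\1/p'
}

# set_kernel_param <grub kernel line> <name> <value>
# Appends name=value to the kernel line, or replaces an existing name=...
# so the line never carries two conflicting settings. "elevator=" is the
# kernel's boot option for the I/O scheduler (assumed; not named in the
# article). The line always starts with "kernel", so a parameter is never
# the first token and can be matched with a leading space.
set_kernel_param() {
    case " $1 " in
        *" $2="*) printf '%s\n' "$1" | sed "s| $2=[^ ]*| $2=$3|" ;;
        *)        printf '%s\n' "$1 $2=$3" ;;
    esac
}

# Example: a constructed grub.conf kernel line switched to NOOP.
set_kernel_param 'kernel /vmlinuz-2.6.32 ro root=UUID=PLACEHOLDER quiet' elevator noop
```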
Remove unused hardware and disable unnecessary services
In the past year, how many times have you used the virtual floppy drive or the internal PC speaker in a virtual machine? If you do not intend to use these devices, blacklist their modules. The command to remove the floppy driver is as follows:
echo "blacklist floppy" | tee /etc/modprobe.d/blacklist-floppy.conf
Unused hardware is not the only thing to prune. If you are not using them, you can also disable some of the virtual consoles. This is done in /etc/inittab, as follows:
1:2345:respawn:/sbin/getty 38400 tty1
2:23:respawn:/sbin/getty 38400 tty2
#3:23:respawn:/sbin/getty 38400 tty3
#4:23:respawn:/sbin/getty 38400 tty4
#5:23:respawn:/sbin/getty 38400 tty5
#6:23:respawn:/sbin/getty 38400 tty6
I suggest you remove the floppy disk. Remember that you must also remove it from the virtual machine's hardware configuration and disable it in the virtual machine's BIOS. Other modules you can blacklist include the disk array configuration monitor (mptctl), pcspkr, snd_pcm, snd_page_alloc, snd_timer, snd, snd_soundcore, coretemp, parport and parport_pc.
Before you blacklist these modules, make sure they are not in use. Likewise, I always leave a couple of virtual consoles enabled in case they are needed, but six is a bit more than necessary.
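As an added example (not code from the original article), the script below turns the module list above into a modprobe blacklist file, but only for modules that are unloaded or loaded with no users, which is the "make sure they are not in use" check in practice. The lsmod output is a constructed sample with made-up sizes.

```shell
#!/bin/sh
# Added example, not from the original article: build a modprobe blacklist
# for the modules listed above, skipping any module that still has users.

# Constructed sample `lsmod` output (sizes are made up). snd_pcm, snd_timer
# and snd have users, pcspkr and floppy are loaded but idle, and parport
# is not loaded at all.
SAMPLE_LSMOD='Module                  Size  Used by
snd_pcm                89489  1 snd_intel8x0
snd_timer              29989  1 snd_pcm
snd                    70213  4 snd_pcm,snd_timer,snd_intel8x0
pcspkr                  2094  0
floppy                 69417  0
vmxnet3                45678  0'

# module_users <lsmod text> <module>: prints the reference count from the
# "Used by" column, or "unloaded" if the module is not loaded at all.
module_users() {
    printf '%s\n' "$1" | awk -v m="$2" '$1 == m { print $3; found = 1 }
                                         END { if (!found) print "unloaded" }'
}

# blacklist_plan <lsmod text> <module>...
# Prints "blacklist <module>" lines suitable for /etc/modprobe.d/ for every
# module that is unloaded or idle, reports modules with live users on
# stderr, and returns the number skipped (0 means the whole list is safe).
blacklist_plan() {
    lsmod_text=$1; shift; skipped=0
    for m in "$@"; do
        users=$(module_users "$lsmod_text" "$m")
        case $users in
            unloaded|0) printf 'blacklist %s\n' "$m" ;;
            *) printf 'skip %s: %s user(s)\n' "$m" "$users" >&2
               skipped=$((skipped + 1)) ;;
        esac
    done
    return $skipped
}

# On a real host: blacklist_plan "$(lsmod)" floppy pcspkr parport parport_pc \
#   | sudo tee /etc/modprobe.d/blacklist-vm.conf
blacklist_plan "$SAMPLE_LSMOD" floppy pcspkr parport snd_pcm ||
    echo "$? module(s) still in use, not blacklisted" >&2
```

The blacklist only stops the module from loading at boot; as the article says, the floppy device still has to be removed from the virtual machine's hardware configuration and disabled in its BIOS.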
These are some notes on running Linux virtual machines. Given the potential performance gains, everyone should evaluate them case by case. With a few minor adjustments you may see a noticeable performance improvement, or in some cases a degradation. As always, test in a lab environment before making the change. Technology is constantly changing, so testing in advance is how you get the best results. If you have any other tips or suggestions, please share them in the comments.