Chapter 18. Virtualization
KVM virtualization on IBM Z
KVM virtualization is now supported on IBM Z. However, this feature is only available in the newly introduced user space based on kernel version 4.14, provided by the kernel-alt packages.
Also note that due to hardware differences, certain features and functionalities of KVM virtualization differ from what is supported on AMD64 and Intel 64 systems.
For details on installing and using KVM virtualization on IBM Z, see the Virtualization Deployment and Administration Guide. (BZ#1400070, BZ#1379517, BZ#1479525, BZ#1479526, BZ#1471761)
KVM virtualization supported on IBM POWER9
With this update, KVM virtualization is supported on IBM POWER9 systems. However, this feature is only available in the newly introduced user space based on kernel version 4.14, provided by the kernel-alt packages.
Also note that due to hardware differences, certain features and functionalities of KVM virtualization on IBM POWER9 differ from what is supported on AMD64 and Intel 64 systems.
For details on installing and using KVM virtualization on POWER9 systems, see the Virtualization Deployment and Administration Guide. (BZ#1465503, BZ#1478482, BZ#1478478)
KVM virtualization supported on IBM POWER8
With this update, KVM virtualization is supported on IBM POWER8 systems.
Note that due to hardware differences, certain features and functionalities of KVM virtualization on IBM POWER8 differ from what is supported on AMD64 and Intel 64 systems.
For details on installing and using KVM virtualization on POWER8 systems, see the Virtualization Deployment and Administration Guide. (BZ#1531672)
NVIDIA GPU devices can now be used by multiple guests simultaneously
The NVIDIA vGPU feature is now supported on Red Hat Enterprise Linux 7. This enables dividing a vGPU-compatible NVIDIA GPU into multiple virtual devices referred to as mediated devices. By assigning mediated devices to guest virtual machines, these guests are able to share the performance of a single physical GPU.
To configure this feature, manually create a mediated device for the libvirt service to be able to use it as a vGPU. For details, see the Virtualization Deployment and Administration Guide. (BZ#1292451)
KASLR for KVM guests
Red Hat Enterprise Linux 7.5 introduces the Kernel Address Space Layout Randomization (KASLR) feature for KVM guest virtual machines. KASLR randomizes the physical and virtual address at which the kernel image is decompressed, and thus prevents guest security exploits that depend on knowing the location of kernel objects.
KASLR is activated by default, but can be deactivated on a specific guest by adding the nokaslr string to the guest's kernel command line.
Note that kernel crash dumps of guests with KASLR activated cannot be analyzed using the crash utility. To fix this, add the <vmcoreinfo/> element to the <features> section of the XML configuration files of your guests. However, KVM guests with <vmcoreinfo/> cannot be migrated to a host system that does not support this element. This includes hosts that use Red Hat Enterprise Linux 7.4 and earlier. (BZ#1411490, BZ#1395248)
Parallel decompression of OVA files supported
With this release, the pigz and pxz decompression utilities are supported by the virt-v2v utility. These utilities speed up extraction of OVA files compressed with the gzip and xz utilities on multi-processor machines. In addition, the command-line interfaces for pigz and pxz are fully compatible with the command-line interfaces for gzip and xz.
If pigz and pxz are installed, they are used by default. If pigz and pxz are not installed, there is no change to the extraction behavior. (BZ#1448739)
SMAP now supported on Cannonlake guests
With this update, the Supervisor Mode Access Prevention (SMAP) feature is supported on guests that use the 7th Generation Intel Processors codenamed Cannonlake. SMAP prevents malicious programs from forcing the kernel to use data from a user-space program, and thus increases the security of the guests.
To verify that your host CPU can provide SMAP for your guest, use the virsh capabilities command and look for the <feature name='smap'/> string. (BZ#1465223)
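As an added example (not Red Hat's or libvirt's code), the helpers below apply the two libvirt XML checks from the KASLR and SMAP notes above: they look for <feature name='smap'/> in the host section of `virsh capabilities` output, and add <vmcoreinfo/> to a guest's <features> section idempotently. The sample XML is constructed here; in practice feed the functions the output of `virsh capabilities` and `virsh dumpxml <guest>`.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt of `virsh capabilities` output (host <cpu> section only).
CAPABILITIES_XML = """<capabilities>
  <host>
    <cpu>
      <arch>x86_64</arch>
      <model>Skylake-Client</model>
      <feature name='smap'/>
      <feature name='smep'/>
    </cpu>
  </host>
</capabilities>"""

# Constructed minimal guest definition (as `virsh dumpxml` prints it)
# before <vmcoreinfo/> has been added.
DOMAIN_XML = """<domain type='kvm'>
  <name>guest1</name>
  <features>
    <acpi/>
  </features>
</domain>"""

def host_cpu_features(capabilities_xml):
    """Set of CPU feature names the host advertises under /capabilities/host/cpu."""
    root = ET.fromstring(capabilities_xml)
    return {f.get("name") for f in root.iterfind("./host/cpu/feature")}

def host_supports_smap(capabilities_xml):
    """True when the host can provide SMAP to guests (<feature name='smap'/> present)."""
    return "smap" in host_cpu_features(capabilities_xml)

def has_vmcoreinfo(domain_xml):
    """True when the guest definition already carries <features><vmcoreinfo/>."""
    return ET.fromstring(domain_xml).find("./features/vmcoreinfo") is not None

def ensure_vmcoreinfo(domain_xml):
    """Return the guest XML with <vmcoreinfo/> under <features>; idempotent.
    A guest defined this way cannot be migrated to a host that lacks support
    for the element (RHEL 7.4 and earlier), so apply it deliberately."""
    root = ET.fromstring(domain_xml)
    features = root.find("features")
    if features is None:
        features = ET.SubElement(root, "features")
    if features.find("vmcoreinfo") is None:
        ET.SubElement(features, "vmcoreinfo")
    return ET.tostring(root, encoding="unicode")
```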
libvirt rebased to 3.9.0
The libvirt packages have been upgraded to version 3.9.0, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
- Sparse files are now preserved after moving them to or from another host.
- Response limits for remote procedure calls (RPCs) have been increased.
- Virtualized IBM POWER9 CPUs are now supported.
- Attaching devices to running guest virtual machines, also known as device hot plug, now supports more device types, such as input devices.
- The libvirt library has been secured against the CVE-2017-1000256 and CVE-2017-5715 security issues.
- VFIO-mediated devices now function more reliably. (BZ#1472263)
virt-manager rebased to 1.4.3
The virt-manager packages have been upgraded to version 1.4.3, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
- The virt-manager interface now displays the correct CPU models when creating a guest virtual machine that does not use the AMD64 and Intel 64 architectures.
- The default device selection has been optimized for guests using the IBM POWER, IBM Z, or the 64-bit ARM architectures.
- If an installed network card on the host system is compatible with single root I/O virtualization (SR-IOV), it is now possible to create a virtual network that lists a pool of available virtual functions of the selected SR-IOV-capable card.
- The selection of OS types and versions for a newly created guest has been expanded. (BZ#1472271)
virt-what rebased to version 1.18
The virt-what packages have been updated to upstream version 1.18, which provides a number of bug fixes and enhancements over the previous version. Notably, the virt-what utility can now detect the following guest virtual machine types:
- Guests running on a 64-bit ARM host and booted using the Advanced Configuration and Power Interface (ACPI).
- Guests running on the oVirt or Red Hat Virtualization hypervisor.
- Guests running on an IBM POWER7 host that uses logical partitioning (LPAR).
- Guests running on the FreeBSD bhyve hypervisor.
- Guests running on an IBM Z host that uses the KVM hypervisor.
- Guests emulated using the QEMU Tiny Code Generator (TCG).
- Guests running on the OpenBSD virtual machine monitor (VMM) service.
- Guests running on the Amazon Web Services (AWS) platform.
- Guests running on the Oracle VM Server for SPARC platform.
In addition, the following bugs have been fixed:
- The virt-what utility no longer fails on platforms that do not use the System Management BIOS (SMBIOS).
- virt-what now works correctly even if the $PATH variable is not set. (BZ#1476878)
tboot rebased to version 1.96
The tboot packages have been upgraded to upstream version 1.96, which fixes several bugs and adds various enhancements. Notable changes include:
- The OpenSSL library versions 1.1.0 and later are now supported for RSA key manipulation and ECDSA signature verification.
- Support has been added for event logs of Trusted Computing Group (TCG) trusted platform modules (TPMs).
- The x2APIC series of Advanced Programmable Interrupt Controller (APICs) is now supported.
- Additional checks have been added to prevent kernel images from being overwritten unintentionally.
- The tboot utility can no longer overwrite modules while moving them.
- A bug has been fixed that caused sealing and unsealing Amazon Simple Storage Service (S3) secrets to fail.
- Several null pointer dereference bugs have been fixed. (BZ#1457529)
virt-v2v can convert VMware guests with snapshots
The virt-v2v utility has been enhanced to convert VMware guest virtual machines that have snapshots. Note that after the conversion, the status of such a guest is set to the top-most snapshot and the other snapshots are removed. (BZ#1172425)
virt-rescue enhanced
This release of the virt-rescue utility includes the following enhancements:
- Ctrl+character sequences now act on commands run in virt-rescue and not on virt-rescue itself.
- The -i option allows users to mount all disks after inspecting the guest. (BZ#1438710)
virt-v2v now converts Linux guests encrypted with LUKS
With this update, the virt-v2v utility can convert Linux guests installed with full-disk LUKS encryption, that is, when all the partitions other than the /boot partition are encrypted.
Notes:
- The virt-v2v utility does not support conversion of Linux guests on partitions with other types of encryption schemes.
- The virt-p2v utility does not support conversion of Linux machines installed with full-disk LUKS encryption. (BZ#1451665)
CAT support added to libvirt on specific CPU models
The libvirt service now supports Cache Allocation Technology (CAT) on specific CPU models. This enables guest virtual machines to have part of their host's CPU cache allocated for their vCPU threads.
For details on configuring this feature, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/virtualization_tuning_and_optimization_guide/index.html#sect_VTOG-vCPU_cache_reservation. (BZ#1289368)
PTP device added to improve time synchronization of KVM guests
The PTP device has been added for KVM guest virtual machines. It enhances the kvmclock service by preventing clock divergence between the host and the guest due to NTP adjustment. As a result, the PTP device ensures more reliable time synchronization between the KVM host and its guests.
For details on setting up the PTP device, see the Virtualization Deployment and Administration Guide. (BZ#1379822)