Chapter 18. Virtualization

KVM virtualization on IBM z Systems

KVM virtualization is now supported on IBM z Systems. However, this feature is only available in the newly introduced user space based on kernel version 4.14, provided by the kernel-alt packages.
Also note that due to hardware differences, certain features and functionalities of KVM virtualization differ from what is supported on AMD64 and Intel 64 systems.
For details on installing and using KVM virtualization on IBM z Systems, see the Virtualization Deployment and Administration Guide. (BZ#1400070, BZ#1379517, BZ#1479525, BZ#1479526, BZ#1471761)

KVM virtualization supported on IBM POWER9

With this update, KVM virtualization is supported on IBM POWER9 systems. However, this feature is only available in the newly introduced user space based on kernel version 4.14, provided by the kernel-alt packages.
Also note that due to hardware differences, certain features and functionalities of KVM virtualization on IBM POWER9 differ from what is supported on AMD64 and Intel 64 systems.
For details on installing and using KVM virtualization on POWER9 systems, see the Virtualization Deployment and Administration Guide. (BZ#1465503, BZ#1478482, BZ#1478478)

KVM virtualization supported on IBM POWER8

With this update, KVM virtualization is supported on IBM POWER8 systems.
Note that due to hardware differences, certain features and functionalities of KVM virtualization on IBM POWER8 differ from what is supported on AMD64 and Intel 64 systems.
For details on installing and using KVM virtualization on POWER8 systems, see the Virtualization Deployment and Administration Guide. (BZ#1531672)

NVIDIA GPU devices can now be used by multiple guests simultaneously

The NVIDIA vGPU feature is now supported on Red Hat Enterprise Linux 7. This enables dividing a vGPU-compatible NVIDIA GPU into multiple virtual devices referred to as mediated devices. By assigning mediated devices to guest virtual machines, these guests are able to share the performance of a single physical GPU.
To configure this feature, manually create a mediated device for the libvirt service to be able to use it as a vGPU. For details, see the Virtualization Deployment and Administration Guide. (BZ#1292451)

KASLR for KVM guests

Red Hat Enterprise Linux 7.5 introduces the Kernel Address Space Layout Randomization (KASLR) feature for KVM guest virtual machines. KASLR randomizes the physical and virtual address at which the kernel image is decompressed, and thus prevents guest security exploits that rely on the location of kernel objects.
KASLR is activated by default, but can be deactivated on a specific guest by adding the nokaslr string to the guest's kernel command line.
Note that kernel crash dumps of guests with KASLR activated cannot be analyzed using the crash utility. To fix this, add the <vmcoreinfo/> element to the <features> section of the XML configuration files of your guests. However, KVM guests with <vmcoreinfo/> cannot be migrated to a host system that does not support this element. This includes hosts that use Red Hat Enterprise Linux 7.4 and earlier. (BZ#1411490, BZ#1395248)
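
The following added example (not part of the original release notes and not Red Hat code) audits guest definitions, such as the output of virsh dumpxml, for the three conditions described above: nokaslr on the kernel command line, a missing <vmcoreinfo/> element, and the migration restriction that <vmcoreinfo/> brings. It assumes that the kernel command line is visible to libvirt only for direct-kernel-boot guests that carry an <os><cmdline> element; the guest names and XML are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed sample guest definitions (not taken from a real host).
SAMPLE_DOMAINS = [
    # Direct kernel boot with KASLR switched off on the command line.
    """<domain type='kvm'><name>legacy-app</name>
         <os><type arch='x86_64'>hvm</type>
           <kernel>/var/lib/libvirt/boot/vmlinuz</kernel>
           <cmdline>console=ttyS0 root=/dev/vda1 nokaslr</cmdline></os>
         <features><acpi/><apic/></features></domain>""",
    # Boot-loader guest with <vmcoreinfo/> so that crash can read its dumps.
    """<domain type='kvm'><name>db01</name>
         <os><type arch='x86_64'>hvm</type><boot dev='hd'/></os>
         <features><acpi/><vmcoreinfo/></features></domain>""",
    # Boot-loader guest without <vmcoreinfo/>.
    """<domain type='kvm'><name>web01</name>
         <os><type arch='x86_64'>hvm</type><boot dev='hd'/></os>
         <features><acpi/></features></domain>""",
]

def audit_domain(xml_text):
    """Report the KASLR-related settings of one guest definition."""
    root = ET.fromstring(xml_text)
    cmdline = root.findtext("os/cmdline")
    if cmdline is None:
        # Assumption: the guest boots through its own boot loader, so its
        # kernel command line cannot be read from the domain XML.
        kaslr = "unknown"
    elif "nokaslr" in cmdline.split():
        kaslr = "disabled"
    else:
        kaslr = "default-on"
    has_vmcoreinfo = root.find("features/vmcoreinfo") is not None
    findings = []
    if kaslr == "disabled":
        findings.append("nokaslr on kernel command line: KASLR is off")
    elif not has_vmcoreinfo:
        findings.append("no <vmcoreinfo/>: crash cannot analyze dumps")
    if has_vmcoreinfo:
        findings.append("<vmcoreinfo/> set: no migration to hosts without "
                        "support for it (RHEL 7.4 and earlier)")
    return {"name": root.findtext("name"), "kaslr": kaslr,
            "vmcoreinfo": has_vmcoreinfo, "findings": findings}

if __name__ == "__main__":
    for xml_text in SAMPLE_DOMAINS:
        report = audit_domain(xml_text)
        print(report["name"], report["kaslr"], report["findings"])
```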

Parallel decompression of OVA files supported

With this release, the pigz and pxz decompression utilities are supported by the virt-v2v utility.
These utilities speed up extraction of OVA files compressed with the gzip and xz utilities on multi-processor machines. In addition, the command-line interfaces for pigz and pxz are fully compatible with the command-line interfaces for gzip and xz.
If pigz and pxz are installed, they are used by default. If pigz and pxz are not installed, there is no change to the extraction behavior. (BZ#1448739)

SMAP now supported on Cannonlake guests

With this update, the Supervisor Mode Access Prevention (SMAP) feature is supported on guests that use the 7th Generation Intel Processors codenamed Cannonlake. This prevents malicious programs from forcing the kernel to use data from a user-space program, and thus increases the security of the guests.
To verify that your host CPU can provide SMAP for your guest, use the virsh capabilities command and look for the <feature name='smap'/> string. (BZ#1465223)

libvirt rebased to 3.9.0

The libvirt packages have been upgraded to version 3.9.0, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
  • Sparse files are now preserved after moving them to or from another host.
  • Response limits for remote procedure calls (RPCs) have been increased.
  • Virtualized IBM POWER9 CPUs are now supported.
  • Attaching devices to running guest virtual machines, also known as device hot plug, now supports more device types, such as input devices.
  • The libvirt library has been secured against the CVE-2017-1000256 and CVE-2017-5715 security issues.
  • VFIO-mediated devices now function more reliably. (BZ#1472263)

virt-manager rebased to 1.4.3

The virt-manager packages have been upgraded to version 1.4.3, which provides a number of bug fixes and enhancements over the previous version. Notable changes include:
  • The virt-manager interface now displays the correct CPU models when creating a guest virtual machine that does not use the AMD64 and Intel 64 architectures.
  • The default device selection has been optimized for guests using the IBM POWER, IBM z Systems, or the 64-bit ARM architectures.
  • If an installed network card on the host system is compatible with single root I/O virtualization (SR-IOV), it is now possible to create a virtual network that lists a pool of available virtual functions of the selected SR-IOV-capable card.
  • The selection of OS types and versions for a newly created guest has been expanded. (BZ#1472271)

virt-what rebased to version 1.18

The virt-what packages have been updated to upstream version 1.18, which provides a number of bug fixes and enhancements over the previous version. Notably, the virt-what utility can now detect the following guest virtual machine types:
  • Guests running on a 64-bit ARM host and booted using the Advanced Configuration and Power Interface (ACPI).
  • Guests running on the oVirt or Red Hat Virtualization hypervisor.
  • Guests running on an IBM POWER7 host that uses logical partitioning (LPAR).
  • Guests running on the FreeBSD bhyve hypervisor.
  • Guests running on an IBM z Systems host that uses the KVM hypervisor.
  • Guests emulated using the QEMU Tiny Code Generator (TCG).
  • Guests running on the OpenBSD virtual machine monitor (VMM) service.
  • Guests running on the Amazon Web Services (AWS) platform.
  • Guests running on the Oracle VM Server for SPARC platform.
In addition, the following bugs have been fixed:
  • The virt-what utility no longer fails on platforms that do not use the System Management BIOS (SMBIOS).
  • virt-what now works correctly even if the $PATH variable is not set. (BZ#1476878)

tboot rebased to version 1.96

The tboot packages have been upgraded to upstream version 1.96, which fixes several bugs and adds various enhancements. Notable changes include:
  • The OpenSSL library versions 1.1.0 and later are now supported for RSA key manipulation and ECDSA signature verification.
  • Support has been added for event logs of Trusted Computing Group (TCG) trusted platform modules (TPMs).
  • The x2APIC series of Advanced Programmable Interrupt Controllers (APICs) is now supported.
  • Additional checks have been added to prevent kernel images from being overwritten unintentionally.
  • The tboot utility can no longer overwrite modules while moving them.
  • A bug has been fixed that caused sealing and unsealing Amazon Simple Storage Service (S3) secrets to fail.
  • Several null pointer dereference bugs have been fixed. (BZ#1457529)

virt-v2v can convert VMware guests with snapshots

The virt-v2v utility has been enhanced to convert VMware guest virtual machines that have snapshots. Note that after the conversion, the status of such a guest is set to the top-most snapshot and the other snapshots are removed. (BZ#1172425)

virt-rescue enhanced

This release of the virt-rescue utility includes the following enhancements:
  • Ctrl+character sequences now act on commands run in virt-rescue and not on virt-rescue itself.
  • The -i option allows users to mount all disks after inspecting the guest. (BZ#1438710)

virt-v2v now converts Linux guests encrypted with LUKS

With this update, the virt-v2v utility can convert Linux guests installed with full-disk LUKS encryption, that is when all the partitions other than the /boot partition are encrypted.
Notes:
  • The virt-v2v utility does not support conversion of Linux guests on partitions with other types of encryption schemes.
  • The virt-p2v utility does not support conversion of Linux machines installed with full-disk LUKS encryption. (BZ#1451665)

CAT support added to libvirt on specific CPU models

The libvirt service now supports Cache Allocation Technology (CAT) on specific CPU models. This enables guest virtual machines to have part of their host's CPU cache allocated for their vCPU threads.

PTP device added to improve time synchronization of KVM guests

The PTP device has been added for KVM guest virtual machines. It enhances the kvmclocks service by preventing clock divergence between the host and the guest due to NTP adjustment. As a result, the PTP device ensures more reliable time synchronization between the KVM host and its guests.
For details on setting up the PTP device, see the Virtualization Deployment and Administration Guide. (BZ#1379822)