Xen users - Feb 2011 - What makes live migration so slow?

Hello,

I have now shfited to Centos 5.5, and I am testing live migration between 2
physical hosts with XEN 3.1.2. XEN 3.1.2 (virtualization) is included in
centOS 5.5 during the installation phase, so everything is handled by
default. A third host with Ubuntu OS serves as the network file system. The
three hosts are connected by one D-link gigabit switch (DGS-2205).

The downtime of live migration is still very long. If we measure the
downtime by Ping command,  one migration event of a guest VM (domU) gives a
loss of 30-50 packets. (should be over half a minute).

Could anyone know the potential problem? Thank you in advance!


The xend-config.sxp is attached as follows, and the firewall has been
disabled on port 8000, 8002 (both tcp & udp).

# -*- sh -*-

#
# Xend configuration file.
#

# This example configuration is appropriate for an installation that
# utilizes a bridged network configuration. Access to xend via http
# is disabled.

# Commented out entries show the default for that entry, unless otherwise
# specified.

#(logfile /var/log/xen/xend.log)
#(loglevel DEBUG)

#(xend-http-server no)
(xend-http-server yes)
(xend-unix-server yes)
#(xend-tcp-xmlrpc-server no)
#(xend-unix-xmlrpc-server yes)
(xend-relocation-server yes)
# The relocation server should be kept desactivated unless using a trusted
# network, the domain virtual memory will be exchanged in raw form without
# encryption of the communication. See also xend-relocation-hosts-allow
option

(xend-unix-path /var/lib/xend/xend-socket)

# Port xend should use for the HTTP interface, if xend-http-server is set.
(xend-port            8000)

# Port xend should use for the relocation interface, if
xend-relocation-server
# is set.
(xend-relocation-port 8002)

# Address xend should listen on for HTTP connections, if xend-http-server is
# set.
# Specifying ''localhost'' prevents remote connections.
# Specifying the empty string '''' (the default) allows all
connections.
(xend-address '''')
#(xend-address localhost)

# Address xend should listen on for relocation-socket connections, if
# xend-relocation-server is set.
# Meaning and default as for xend-address above.
(xend-relocation-address '''')

# The hosts allowed to talk to the relocation port.  If this is empty (the
# default), then all connections are allowed (assuming that the connection
# arrives on a port and interface on which we are listening; see
# xend-relocation-port and xend-relocation-address above).  Otherwise, this
# should be a space-separated sequence of regular expressions.  Any host
with
# a fully-qualified domain name or an IP address that matches one of these
# regular expressions will be accepted.
#
# For example:
#  (xend-relocation-hosts-allow ''^localhost$
^.*\.example\.org$'')
#
(xend-relocation-hosts-allow '''')
#(xend-relocation-hosts-allow ''^localhost$
^localhost\\.localdomain$'')

# The limit (in kilobytes) on the size of the console buffer
#(console-limit 1024)

##
# To bridge network traffic, like this:
#
# dom0: fake eth0 -> vif0.0 -+
#                            |
#                          bridge -> real eth0 -> the network
#                            |
# domU: fake eth0 -> vifN.0 -+
#
# use
#
# (network-script network-bridge)
#
# Your default ethernet device is used as the outgoing interface, by
default.
# To use a different one (e.g. eth1) use
#
# (network-script ''network-bridge netdev=eth1'')
#
# The bridge is named xenbr0, by default.  To rename the bridge, use
#
# (network-script ''network-bridge bridge=<name>'')
#
# It is possible to use the network-bridge script in more complicated
# scenarios, such as having two outgoing interfaces, with two bridges, and
# two fake interfaces per guest domain.  To do things like this, write
# yourself a wrapper script, and call network-bridge from it, as
appropriate.
#
(network-script network-bridge)

# The script used to control virtual interfaces.  This can be overridden on
a
# per-vif basis when creating a domain or a configuring a new vif.  The
# vif-bridge script is designed for use with the network-bridge script, or
# similar configurations.
#
# If you have overridden the bridge name using
# (network-script ''network-bridge bridge=<name>'') then
you may wish to do
the
# same here.  The bridge name can also be set when creating a domain or
# configuring a new vif, but a value specified here would act as a default.
#
# If you are using only one bridge, the vif-bridge script will discover
that,
# so there is no need to specify it explicitly.
#
(vif-script vif-bridge)


## Use the following if network traffic is routed, as an alternative to the
# settings for bridged networking given above.
#(network-script network-route)
#(vif-script     vif-route)


## Use the following if network traffic is routed with NAT, as an
alternative
# to the settings for bridged networking given above.
#(network-script network-nat)
#(vif-script     vif-nat)


# Dom0 will balloon out when needed to free memory for domU.
# dom0-min-mem is the lowest memory level (in MB) dom0 will get down to.
# If dom0-min-mem=0, dom0 will never balloon out.
(dom0-min-mem 256)

# In SMP system, dom0 will use dom0-cpus # of CPUS
# If dom0-cpus = 0, dom0 will take all cpus available
(dom0-cpus 0)

# Whether to enable core-dumps when domains crash.
#(enable-dump no)

# The tool used for initiating virtual TPM migration
#(external-migration-tool '''')

# The interface for VNC servers to listen on. Defaults
# to 127.0.0.1  To restore old ''listen everywhere'' behaviour
# set this to 0.0.0.0
#(vnc-listen ''127.0.0.1'')

# The default password for VNC console on HVM domain.
# Empty string is no authentication.
(vncpasswd '''')

# The default keymap to use for the VM''s virtual keyboard
# when not specified in VM''s configuration
(keymap ''en-us'')

# The VNC server can be told to negotiate a TLS session
# to encryption all traffic, and provide x509 cert to
# clients enalbing them to verify server identity. The
# GTK-VNC widget, virt-viewer, virt-manager and VeNCrypt
# all support the VNC extension for TLS used in QEMU. The
# TightVNC/RealVNC/UltraVNC clients do not.
#
# To enable this create x509 certificates / keys in the
# directory /etc/xen/vnc
#
#  ca-cert.pem       - The CA certificate
#  server-cert.pem   - The Server certificate signed by the CA
#  server-key.pem    - The server private key
#
# and then uncomment this next line
# (vnc-tls 1)
#
# The certificate dir can be pointed elsewhere..
#
# (vnc-x509-cert-dir /etc/xen/vnc)
#
# The server can be told to request & validate an x509
# certificate from the client. Only clients with a cert
# signed by the trusted CA will be able to connect. This
# is more secure the password auth alone. Passwd auth can
# used at the same time if desired. To enable client cert
# checking uncomment this:
#
# (vnc-x509-verify 1)

# Allow probing of disk image file format.  This is insecure!  It lets
# a malicious domU read any file in dom0.  Applies only to fully
# virtual domUs.  Required for using formats other than raw.
#(enable-image-format-probing no)

# Number of seconds xend will wait for device creation
#(device-create-timeout 100)

# Strict checking when doing PCI passthrough; enabled by default
#(pci-dev-assign-strict-check yes)


-- 
Cheers,

Wenda Ni, Ph.D.
Dept. of Computer Science and Engineering
State University of New York (SUNY) at Buffalo


_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

Wenda Ni wrote:
>I have now shfited to Centos 5.5, and I am testing live migration 
>between 2 physical hosts with XEN 3.1.2. XEN 3.1.2 (virtualization) 
>is included in centOS 5.5 during the installation phase, so 
>everything is handled by default. A third host with Ubuntu OS serves 
>as the network file system. The three hosts are connected by one 
>D-link gigabit switch (DGS-2205).
>
>The downtime of live migration is still very long. If we measure the 
>downtime by Ping command,  one migration event of a guest VM (domU) 
>gives a loss of 30-50 packets. (should be over half a minute).
>
>Could anyone know the potential problem? Thank you in advance!
I would suggest you try with something like arping and see if you get 
any different results. I can think of one thing that would make the 
VM "disappear" from the network for a while during/after migration 
apart from the downtime while the migration actually happens :

Every switch (bridge) on the network will have learned the port to 
which the node is attached and cached it in it''s MAC <-> Port
table.
When you move a machine, these switches will continue to forward 
unicast packets via the port it has in it''s tables UNTIL it has 
reason to update the table entry. Thus packets may get sent to the 
wrong place for a while - and so the migrated machine just doesn''t 
get any traffic.

Most switches will update the table as soon as it sees a packet from 
the device arrive on a different port. Depending on what''s going on, 
that may take a second, or minutes.
Arping uses ARP request packets to probe a device rather than unicast 
ICP-Ping packets. These being broadcast will be flooded to the entire 
network and so will reach the device even though it''s now on a 
different port. When it replies, the intermediate switches will 
update their MAC table accordingly.

Also, I''ve found some switches can be slow to update. We''ve
some HP
1800-24G switches at work, and they seem to have a 5 minute timeout 
before they''ll update the MAC table. I guess it''s probably 
configurable via CLI - but I haven''t looked.
-- 
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users