VIOS for IBM i Blog
Monitoring vNIC on Power
As I discussed in my previous post Introduction to SR-IOV and vNIC for IBM i, vNIC is a powerful feature built on top of SR-IOV and VIOS that virtualizes Ethernet connections to your IBM i, AIX, or Linux partitions with high performance and automatic failover to alternative ports (backing devices).
One problem with creating a vNIC with multiple backing devices in a failover configuration is that you might not notice when it automatically switches to a backup device because a higher-priority device has failed. If you don’t notice, you could end up running with reduced redundancy because the problem that caused the switch never gets resolved.
The solution for that problem is monitoring. To that end, I’m publishing a Python script I
wrote to monitor your vNIC configuration for several conditions that could
indicate a problem.
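Under the covers, the checks boil down to asking each HMC about vNIC state over SSH and flagging anything unexpected. Here is a minimal sketch in Python of that kind of query (this is not the published script itself, and the lshwres vNIC listing shown here is an assumption on my part -- adjust it for your HMC level and environment):
import subprocess

def hmc(ssh_target, command):
    # Run one HMC CLI command over ssh (key-based access, no password) and return its output lines
    result = subprocess.run(["ssh", ssh_target] + command, capture_output=True, text=True)
    return result.stdout.splitlines()

target = "monitor@1.2.3.4"   # the restricted HMC monitor account described later in this post
for system in hmc(target, ["lssyscfg", "-r", "sys", "-F", "name"]):
    # Listing vNICs with lshwres --rsubtype vnic is my assumption; check the command reference for your HMC
    for line in hmc(target, ["lshwres", "-m", system, "-r", "virtualio", "--rsubtype", "vnic"]):
        print(system, line)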
Best practices
When creating a vNIC configuration, there are a few practices that will help ensure you get the best possible redundancy to protect yourself from failures in various parts of your infrastructure.
- Use multiple backing devices. Each vNIC should have at least one backing device to fail over to in case the primary device encounters a problem. It is common to see configurations with 3 or 4 total backing devices. As of this writing, up to 16 are supported.
- Spread backing devices across points of failure. Separate them across different VIOS partitions, different adapters, and different network switches.
- Spread active devices across all VIOS and physical adapters to statically load balance the work. Don’t put all your active devices on one VIOS and all your backup devices on the other, or you’ll be looking at a big processor/memory spike when you take the primary VIOS down. Likewise, it makes little sense to squeeze all your traffic through some of your adapters/ports and leave others idle. Using all of your ports also makes it possible to detect switching and routing problems that would otherwise go undetected until those ports are your only option after the primary ports fail.
- Assign each backing device a unique failover priority so the backup sequence is deterministic. For vNIC, the lowest priority number is the highest priority, and it defaults to 50. Typically, I would assign 50 to the desired active device, 60 to the first backup, 70 to the second backup, and so on (see the sketch after this list). You can use any numbers you wish, but keep them unique for a given vNIC, and leave some space in the numbering to change it around if you need to.
- Use the HMC GUI to activate backup ports if you need to move traffic proactively. Select a specific LPAR from the HMC screen, then select Virtual NICs from the left-hand menu to display/edit the vNICs for a partition. To switch to a different backing device, select the desired device and select Action->Make the backing device active. You will notice that when you do this, the “Auto Priority Failover” setting will change to “Disabled”. That will prevent the vNIC from switching based on priority unless the active port fails.
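To make that priority ordering concrete, here is a tiny illustrative Python snippet (the device names are made up) showing how the priority numbers translate into a failover order:
# Illustrative only: for vNIC, the lowest priority number wins
backing_devices = {"VIOS1 port 0": 50, "VIOS2 port 0": 60, "VIOS1 port 1": 70, "VIOS2 port 1": 80}
for name, priority in sorted(backing_devices.items(), key=lambda item: item[1]):
    print(priority, name)
# "VIOS1 port 0" is the desired active device; the others take over in the order printed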
Installing the Monitor code
The vnic-check.py script is written in Python. It will run on any platform that has Python 3.6 or above, including IBM i. As this is an IBM i-centric blog, I include the instructions to install, configure, and run it on IBM i using the PASE environment, but it will run pretty much anywhere.
Prerequisites
You must have the PASE environment (5770-SS1 Option 33) and OpenSSH (5733-SC1 Base and Option 1) installed.
Installing Open Source packages and python3
See https://www.ibm.com/support/pages/getting-started-open-source-package-management-ibm-i-acs
for details of this process.
Start the SSH server on the IBM i partition with the STRTCPSVR *SSHD command if it is not already started.
Using IBM Access Client Solutions (ACS), select a system for the LPAR where you wish to install the monitoring tool. From the menu, select Tools->Open Source Package Management.
On the “Connect to SSH” window that is displayed, enter a user ID and password with sufficient authority to install the open source packages (see the link above for details).
If your IBM i partition does not have the ability to connect to the Internet, use the radio button under “Proxy Mode” to select “SSH Tunneling”. This will allow the packages to be downloaded via your workstation.
If you get a message box that the Open Source Environment is
not installed, click “Yes” to install it.
When the open-source environment install is complete, it
will display a window with the list of installed packages. If python3 is in that list, you are
done. If not, switch to the “available
packages” tab, click “python3” and click Install. If no available packages display, you may
need to close the open source management window and reopen it.
Verify python3 is installed by opening a QShell session (QSH command) and running “/QOpensys/pkgs/bin/python3 -V”. It should show a Python version number of 3.6 or higher. Press F3 to exit back to your command line.
Create an HMC Monitoring account
This script runs query commands on the HMC using a private
key with no passphrase. Since it is a
very bad security idea to have that kind of access to your HMC hscroot account,
you’ll want to create an account that can only run monitoring commands. Seriously, DO NOT create private keys as
described here using hscroot or any other HMC account that can make
changes. If you’re not going to use a
restricted account, don’t use this script.
Connect to the HMC using an SSH client like PuTTY as user hscroot (or another user with the authority to create user accounts).
Run the command:
mkhmcusr -i "name=monitor,taskrole=hmcviewer,description=For restricted monitoring scripts,pwage=99999,resourcerole=ALL:,authentication_type=local,remote_webui_access=0,remote_ssh_access=1,min_pwage=0,session_timeout=0,verify_timeout=15,idle_timeout=120,inactivity_expiration=0"
It will prompt for a password. Assign it something secure. This will create an account named “monitor”
that can only be used by the SSH interface.
It will not be able to use the Web GUI, and it will be restricted in the
commands it can run.
Repeat this account creation on each HMC that will be monitored.
Create a key to access the monitor account
You will be running the monitoring script from one of your IBM i partitions, under a specific user ID that will have an SSH key authorized to access the HMC using the monitor account you just created.
Pick the user ID that will run the command. I’m not going to go into detail on creating this account, since if you’re an IBM i administrator, you already know how to create accounts and create job schedule entries that use a specific account. Of course, you can use an existing account for this as well.
The account you choose will need to have a home directory
where you can create an ssh private key that you will authorize to connect to
the HMC monitor account.
Start QShell (QSH) from the account you will use and run the
following:
# on all of the following commands, replace 1.2.3.4 with the IP address of the HMC you want to monitor. Repeat for each HMC if you are monitoring more than one.
mkdir -p $HOME    # make sure there is a home directory
cd $HOME          # change to the home directory
ssh-keygen
# press Enter three times to accept the default file /home/MONITOR/.ssh/id_rsa and use an empty passphrase
ssh monitor@1.2.3.4 mkauthkeys -a \"`cat ~/.ssh/id_rsa.pub`\"
# answer ‘yes’ to the authenticity prompt
# enter the HMC monitor account password when prompted for Password:
# finally, test the SSH key access with:
ssh monitor@1.2.3.4 lssyscfg -r sys -F name
# you should get a list of the system names managed by that HMC without any password prompting
Use F3 to leave the QShell prompt.
Now you’ll need to download the vnic-check.py script and edit the top of the file to set your parameters.
You can find the open source script vnic-check.py in the public repository at https://github.com/IBM/blog-vios4i
Download it directly from: https://github.com/IBM/blog-vios4i/raw/main/src/vnic-check.py
- smtphost: Set this to the name (or address) of an SMTP relay in your organization that can send mail. On IBM i, if the current partition is running a mail server locally, you can use 127.0.0.1 here. Set it to None if you just want a printed result to the screen (or a spooled file in batch). Using None is useful for making sure the command is working properly before setting up email.
- sender: If using email, this needs to be a valid email address that can send mail in your organization.
- toaddrs: A list of email addresses that should get messages when the check finds any conditions that need fixing. You can use a comma-separated list of addresses between the brackets, with each address enclosed in quotes.
- hmcs: A list of the SSH addresses of the monitor account on your HMCs, in the format monitor@ipaddress. You can also use a DNS name instead of the IP address if DNS is properly configured for your PASE environment (verify by using the host command in a PASE shell). The entire list should be surrounded by [] characters, and each HMC address should be surrounded by single quote characters and separated by commas. It is okay to have only one HMC in the list. You will need to do the same key setup described above on each HMC if you use more than one.
- minopercount: The lowest number of operational backing devices that is acceptable in your environment. Any vNIC with fewer operational devices than this will be reported as a problem.
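Pulling that together, the edited settings at the top of vnic-check.py will look something like this (the values are examples only -- keep the variable names exactly as they appear in the downloaded file):
smtphost = None                                  # or "mailrelay.example.com", or "127.0.0.1" for a local mail server
sender = "vnic-monitor@example.com"              # a valid sending address in your organization
toaddrs = ["admin1@example.com", "admin2@example.com"]
hmcs = ["monitor@1.2.3.4", "monitor@1.2.3.5"]    # one entry per HMC, using the monitor account
minopercount = 2                                 # report any vNIC with fewer operational backing devices than this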
When you have set your parameters, transfer the script to
the home directory of the user that will be running the command.
Finally, make sure it works by opening QShell (QSH command)
and running the script:
/QOpensys/pkgs/bin/python3 vnic-check.py
If all goes well, you’ll get no email or output (indicating all of the vNICs found are free of problems), or a list of the problems found. If you get no output and want to make sure it is finding your vNICs, change the minopercount variable to a high number (999) and rerun; every vNIC will then be reported as having fewer operational backing devices than the desired count.
When you have verified all is well, reset the variables as
needed and schedule a job to run:
QSH CMD('/QOpensys/pkgs/bin/python3 vnic-check.py')
as the selected user on the desired schedule.
Need help?
If you need help implementing best practices for your vNICs,
the IBM i Technology Services team (formerly known as Lab Services) is
available to help with implementation planning, execution, and knowledge
transfer. See https://www.ibm.com/it-infrastructure/services/lab-services
for contact information or speak to your IBM Sales Representative or Business
Partner. If you are planning a new
hardware purchase, you can include implementation services by the Technology
Services team in your purchase.
Disclaimer
I am an employee of IBM on the IBM i Technology Services
team (formerly known as Lab Services). The
opinions in this post are my own and don't necessarily represent IBM's
positions, strategies, or opinions.
References
Getting started with Open Source Package Management in IBM i
ACS
https://www.ibm.com/support/pages/getting-started-open-source-package-management-ibm-i-acs
IBM i ACS Open Source Package Management Auth Fail Error
https://www.ibm.com/support/pages/node/1167988
Please Stop Changing Partition Profiles
The Enhanced HMC interface is here to stay. If you are still changing partition profiles on
your Power HMC, you really need to start using the new functionality instead,
or you risk getting out of sync and losing changes. It is painful to create a bunch of new
virtual fiber channel adapters, and then have them magically disappear with
your next reboot. It’s even worse when
you reboot a VIOS and choose an out of date partition profile and suddenly some
of your client disks go away. Ask me how
I know.
I normally try to write articles focused on IBM i, but in
this case, there really isn’t any difference between IBM i, AIX, and Linux. All partitions (especially VIOS) should
follow the same rules.
First a bit of history
IBM made the Enhanced HMC interface available as an option
with version 8.1.0.1. If you were an administrator like me, you
just looked at it once or twice, figured it didn’t make any sense compared to
what you were used to, and just selected “Classic” from the menu when you
logged in.
Version V8R8.7.0 officially eliminated the Classic interface,
but some enterprising users found and published a backdoor approach to access
the classic interface even at that level (see Bart’s Blog - Enable classic HMC GUI on release V9R1, referenced below). That unofficial approach was then shut down for good in May of 2020.
Why? Because IBM is
focusing development on a single, easy-to-use interface that leverages DLPAR
operations for all the new features like vNIC (see my previous blog post if
that’s new to you).
Making the Move
First and foremost, make sure that your partition profiles
are in sync with the running configuration.
There is an excellent blog post in
the IBM Community that explains this in much more detail.
If you are using VIOS, DON’T FORGET THE VIOS! There is far more risk of lost configuration
on VIOS than any other partition, because when you are using the Enhanced GUI,
you are often making dynamic changes to VIOS you may not even be aware of.
The gist of it is that you should be running with the “Save
configuration changes to profile” setting at “Enabled”. If it is not currently set to enabled, you
need to get it set that way.
If the setting is currently “disabled”, start by saving your
current configuration to the default partition profile. Select the partition view for the desired
partition from the GUI, select Partition Actions->Profiles->Save Current
Configuration and select the default profile name. Most users only have one profile per
partition. If you are one of the few
that has more than one, pick a name for the profile that you will use from now
on. The default name used for newly created partitions is “default_profile”, so that is a pretty good choice for a name. Save the configuration with the desired name. If you created a new name, go into “Manage Profiles” one last time and set your newly saved profile as the default. Now is also a good time to delete all the profiles you will no longer be using.
Now you can change the “Save configuration changes to profile” setting to
“Enabled”.
Doing it the Enhanced way
Once you have this setting enabled, just stay away from
“Manage Profiles” and make all of your changes using the Enhanced GUI dynamic menu
operations available from the left-hand menu of the partition view.
When you need to activate a partition that you previously shut down, make sure you use the “Current Configuration” option rather than picking a partition profile.
The biggest difference between changing partition profiles
and restarting with a different profile is that in the Enhanced GUI, it will
make the changes dynamically on a running partition. It will also make the corresponding changes
on the VIOS, if necessary. The days of
keeping track of virtual port numbers can be gone, if you let them.
You’ll find that when you Google the procedure to do anything on the HMC, you will often find articles and screenshots that point you to modify the profile. If at any point one of these articles suggests using the Manage Profiles option or tells you to select a specific profile when activating a partition, keep looking for a newer procedure. You can often get good basic information from these articles, but the specific procedures are likely to get you into trouble.
Enhanced HMC changes are typically dynamic on a running
partition. This requires communication
between the HMC and the running partition, which you will typically see
referred to as an RMC connection. One
difference for the IBM i world is that IBM i uses a LIC connection rather than
the RMC connections that are used by AIX and Linux. This all means that you won’t see an RMC
active flag on an IBM i partition. I
mention this for two reasons. First,
much of the documentation you will run into will mention the need for an active
RMC connection for various procedures. That
is not true for IBM i. Second, the O/S on an IBM i does need to be operating to make some dynamic changes. The error message you’ll get while attempting such changes on an activated IBM i partition will refer to RMC, but it really means the partition is not booted to a DLPAR-capable state.
You may notice that there are things you cannot change using
the Enhanced interface while the partition is active. Some examples are max processor, max memory,
max virtual adapters, and processor compatibility mode. All these options require a shutdown and
restart. You will be permitted to make
the changes while the partition is shutdown.
Why is it so slow? (Spoiler - it's not)
You might not believe me here, but it isn’t slow. It just feels that way because it is doing
everything dynamically right now when you are used to delaying all that
processing to partition activation.
Making changes to profiles is blazing fast because they are not actually changing any real resources, but you will pay the price during activation of that profile. By contrast, when you make a change to a running partition with a dynamic HMC change, all the processing that happens in the hypervisor and O/S to add that resource happens immediately -- while you wait. That’s right, “while you wait” means, well... you will be waiting.
I’ve actually done some benchmarks on new system setups to
compare dynamic operations with HMC commands (chhwres - equivalent to the
Enhanced HMC GUI) to HMC profile change
commands (chsyscfg commands) that get applied via the “chsyscfg -o apply”
command. The chhwres commands, on either a running or inactive partition, tend to be slow to complete, while the equivalent profile changes are very fast until they are applied via the apply command or profile activation. In the
end, it comes down to when you are going to wait. You can wait now, or you can wait later, but
you are always going to wait for the actual resource creation in the
hypervisor.
To be completely honest, I’m a command line guy. Sure, I’ll use the HMC GUI to create small
test partitions and add a few virtual network or virtual fiber channel
connections when I must. I’m much more
likely to create a command script to do it all for anything more than a couple
resources. I don’t have the patience to
create hundreds of virtual fiber channel connections on a giant Power E1080 one by one in a GUI. That said, most IBM i admins don’t create a lot of resources except during hardware refreshes and migrations, so using the GUI is the right way to learn – it’s also safer.
I’ll post some more details of the command line way of
creating and configuring partitions and partition resources in the future for
those that are interested in that approach.
Need Help?
If you need help fixing a profile problem, or with a hardware
refresh or migration and don’t want to go it alone, the IBM i Technology
Services team (formerly known as Lab Services) is available to help with
implementation planning, execution, and knowledge transfer. See https://www.ibm.com/it-infrastructure/services/lab-services
for contact information or speak to your IBM Sales Representative or Business
Partner. If you are planning a new
hardware purchase, you can include implementation services by the Technology
Services team in your purchase.
Disclaimer
I am an employee of IBM on the IBM i Technology Services
team (formerly known as Lab Services). The
opinions in this post are my own and don't necessarily represent IBM's
positions, strategies, or opinions.
References
Synchronize Current Configuration and configuration change
on inactive partition in HMC Enhanced UI
Bart’s Blog - Enable classic HMC GUI on release
V9R1
https://theibmi.org/2019/09/11/enable-classic-hmc-gui-on-release-v9r1/
IBM Support - Saving Configuration Changes To Profile
https://www.ibm.com/support/pages/saving-configuration-changes-profile
How to create Shared Ethernet Adapter without touching VIOS
https://theibmi.org/2016/03/26/how-to-create-sea-with-no-touch-vio/
HMC – Enhanced+ interface tricks
https://theibmi.org/2020/11/15/hmc-enhanced-interface-tricks/
PowerVM VIOS for IBM i
In this post, I will discuss the pros and cons of creating a
completely virtualized IBM i environment with redundant VIOS (Virtual I/O Server). You can just look at the name of this website
to understand where I stand on that issue.
Many IBM i administrators try to avoid VIOS for several reasons. To be completely honest, a LONG time ago I
was even one of them. That was a mistake. I want to make the case for why you should
consider VIOS for I/O virtualization on your next system.
In the present day, there are many options for virtualizing
the workload on an IBM Power server. The
options range from absolutely no virtualization (a non-partitioned system) to having all Input/Output and processors completely virtualized and mobile. According to the 2022 Fortra (formerly
HelpSystems) survey, 22% of you have a single partition, and 25% have two
partitions. If that’s you, you probably
don’t need VIOS... yet.
It is also common to find particularly critical partitions
with dedicated processors and dedicated I/O resources on the same Power servers
as fully virtualized partitions that are sharing resources.
I’m a big fan of virtualizing everything, but I understand
that is not always optimal. Fortunately,
PowerVM has the flexibility to provide the right choice for you on a partition-by-partition basis.
Why should you virtualize I/O?
Ask yourself a question:
If you have more than one partition, why don’t you buy a separate Power
system for each partition?
Your business probably requires multiple partitions for a
reason: workload splitting, different applications, development/testing
environments, etc. You also have good
reasons to consolidate your separate workloads onto a smaller number of more
powerful systems. Usually, those reasons
relate to things like cost, allowance for growth, limited floor space, power,
or cooling requirements.
The same reasons apply to why you should virtualize your I/O
resources. Ethernet infrastructure
(especially 10G) is a limited resource.
Switches, cabling and SFPs all add to expenses and complexity.
Sharing fiber channel ports for storage also reduces the
number of ports needed on SAN switches, as well as reducing cable needs. This saves money and time.
If you use external (SAN) storage, you can even use Live
Partition Mobility (LPM) to move running partitions between physical
servers. This is a very common practice
in the AIX world, but fairly rare for IBM i.
More to come on that.
External Storage also allows you to leverage technologies
such as FlashCopy to create backups with almost zero downtime or create test or
reporting copies practically instantly.
It will also greatly simplify server migrations and enable storage-based
replication for High Availability and Disaster Recovery solutions. I’ll write a future article that delves
deeper into the benefits of external storage, as it is a technology that
deserves a deep dive.
When you have a fully virtualized PowerVM infrastructure in
place, creating a new partition becomes a very simple thing. There is no longer any need to assign any
physical resources. Just create new
virtual resources with the HMC GUI and your partition (IBM i, AIX, or Linux) is
ready to go. Okay, you might need to do
some zoning and maybe assign some storage before you can use it, but the
partition will be ready to go.
Redundancy is critical
Proper virtualization leverages redundancy to improve
reliability. Ideally, all your
virtualized resources should have a backup.
Virtual Ethernet connections should be based on vNIC with
multiple backing adapters for automatic failover, or Shared Ethernet Adapters
backed by multiple physical adapters in multiple VIOS. Each adapter should connect to the network
via separate network switches. Eliminate
all single points of failure and you will eliminate many potential problems
before they happen.
Storage should have multiple paths via multiple fiber
channel cards owned by multiple VIOS partitions connected through multiple SAN
switches (fabrics) to multiple storage ports.
Again, eliminate those single points of failure.
A properly implemented virtual infrastructure is more
reliable than individual physical adapters directly mapped to partitions.
Don’t fear the VIOS
If I had any musical talent, I’d make a version of the
classic “Don’t Fear the Reaper” song as “Don’t Fear the VIOS”. I don’t, so I’ll just stick with text. Trust me.
It’s better this way.
Many IBM i administrators want to avoid VIOS because it is
based on AIX, which is an unfamiliar technology. As I mentioned before, I was one of those
until I spent a few years at a company which used VIOS extensively.
Let me be very clear about this. AIX guys are NOT smarter than IBM i
guys. They just understand a different
command syntax. They might be smarter
than Windows guys, but who isn’t, right?
AIX users should NOT be the only ones that benefit from VIOS
in their environments. VIOS is intended
to be implemented as an appliance, similar to the HMC, but exclusively in
software. There is a connection to the
HMC that is the primary means of configuration.
There is also a command line environment that is a subset of simplified AIX commands plus some commands that are specific to VIOS. It is well documented with both online help
and manuals, but you will rarely need to use it.
The fact is, once you have done the basic install of VIOS, all
your ongoing monitoring and configuration can be completed from the modern Enhanced
HMC GUI interface. If you want to add a partition, map a new fiber channel port, configure a new vNIC, etc., you do it all with clicks on a web interface. The only time
you MUST use the command line on the VIOS is for a few commands during an install,
and to install software updates.
Software updates are usually a painless process that involves an install
to an alternate boot disk and a simple reboot to activate. The alternate disk install also means the
upgrades are completely reversible in case of problems. Remember that you want to have redundant
connections to multiple VIOS, so that reboot will not be disruptive to your
environment.
I should mention that just because you usually don’t have to
use the command line interface doesn’t mean you won’t want to use the command
line interface. There is a massive
amount of information to be had from those simple commands. Watch for a future post where I publish and explain
some of my favorite information gathering VIOS commands.
The benefits of VIOS outweigh the costs, especially if you
are using external storage.
Licensing topics
Fun fact: you are probably already licensed for VIOS. PowerVM is required for partitioning, and all editions include VIOS. If you have PowerVM licenses for your server, you are already entitled to install VIOS. You can get it from IBM Entitled System
Support by going to “My Entitled Software”, “By Product” and select
5765-VE3.
Another important consideration for those of you with extra processors not licensed for IBM i: VIOS is not IBM i, so you do not need IBM i licenses for the processors running VIOS.
That means the processor overhead related to handling the I/O
virtualization does not have a premium beyond the cost to activate the
processor. You can make sure you are in
compliance by using HMC processor pools to limit the IBM i partitions to the
number of licensed processors, and putting your VIOS (and Linux) in an uncapped
pool.
Another virtualization topic specific to IBM i is the way
the O/S and most applications are licensed.
I mentioned earlier that Live Partition Mobility, moving a running partition
to a different server, is a common practice for AIX shops. It is pretty rare for IBM i. I think one of the key reasons that has been
true historically is that AIX O/S and applications are not generally licensed
to a processor while IBM i O/S and applications are pretty much always licensed
to a processor serial number. That means
moving an active IBM i partition to another Power server can result in license
problems. Fortunately, IBM recently
announced Virtual Serial Numbers that can be attached to a partition and
migrate with it. If Live Partition
Mobility appeals to you, look into getting a Virtual Serial Number.
I should mention that since LPM moves memory over a network
to the other server, LPM on IBM i may require a much more robust network
environment than the equivalent AIX resources.
IBM i uses single level storage, so it uses large amounts of very active
memory. There are certainly memory size
and activity limits that could preclude the use of LPM for very large
environments. As always, your
environment matters, and your results may vary.
iVirtualization (AKA i hosting i)
There is another option for virtualizing I/O and disk
resources for a client partition by using the iVirtualization functionality
built into IBM i since V6.1. This
functionality allows you to virtualize ethernet adapters owned by the parent
partition and to create virtual disk objects that are shared to another client
partition as virtual SCSI disks.
The *NWS* commands that support this are all native IBM i commands that will look familiar to IBM i administrators. Don’t kid yourself, though. They are no less complex than the corresponding VIOS commands to someone who has never used them.
In some limited situations, iVirtualization might be a
viable option. For example, a small system with internal NVMe on a single backplane that cannot be split between multiple VIOS for redundancy.
Another case where iVirtualization might be preferred is for
a small Linux test partition hosted from an existing IBM i partition with
internal disk and no VIOS infrastructure.
I would not use it with external storage in any case as it
would lose all of the benefit of multipathing.
Now here are the primary reasons I would recommend VIOS over
iVirtualization:
- License costs. Hosting on IBM i means paying for an IBM i license for work that could be free.
- Performance. The numbers I have seen have consistently shown that client partitions do not perform as well as an equivalent VIOS configuration. This is especially problematic with an IBM i client, as performance is related to the number of disks, which results in more objects and more overhead.
- Completely manual configuration. The HMC GUI configuration that is available with VIOS does not work with iVirtualization, so it must be configured entirely with commands.
- No redundancy. When the host is down, the clients are down. To be fair, you could use multiple host partitions and mirror disks in the client, but you can do that with VIOS also.
- No LPM. Live Partition Mobility is not supported for clients of iVirtualization.
- No development. If you look at the table of changes in the IBM i Virtualization Summary referenced below, you will see that there has been only one change to iVirtualization since 2015, compared to constant development and improvements for VIOS.
What if you need help implementing VIOS with IBM i?
Whether you have a large environment or small, implementing
new technologies can be challenging. If
you need help beyond the available documentation, the IBM i Technology Services
team (formerly known as Lab Services) is available to help with implementation
planning, execution, and knowledge transfer.
See https://www.ibm.com/it-infrastructure/services/lab-services
for contact information or speak to your IBM Sales Representative or Business
Partner. If you are planning a new
hardware purchase, you can include implementation services by the Technology
Services team in your purchase.
Disclaimer
I am an employee of IBM on the IBM i Technology Services
team (formerly known as Lab Services). The
opinions in this post are mine and don't necessarily represent IBM's positions,
strategies, or opinions.
References:
2022 IBM i Marketplace Survey Results - Fortra
https://www.fortra.com/resources/guides/ibm-i-marketplace-survey-results
IBM i Virtualization Summary
https://www.ibm.com/support/pages/node/1135420
Introduction to SR-IOV and vNIC for IBM i
This is the first in a series of articles on frequently
overlooked Power systems features that highlight the value for IBM i customers,
starting with sharing Ethernet adapters with SR-IOV, and the added benefits
that can be achieved with vNIC technology on top of SR-IOV.
Whether you have an existing system that is already capable
of these features, or you are considering migrating to new hardware, you can
only benefit from knowing what your options are.
What Is SR-IOV?
SR-IOV (Single Root Input/Output Virtualization) is a hardware
specification that allows multiple operating systems to simultaneously use a
single I/O adapter in a virtualized environment. It is not unique to the Power Hypervisor
(PHYP). You can find SR-IOV being used
heavily in x86-based virtualization, such as VMware or Hyper-V – a fact that
just serves to complicate searches for information related to IBM i.
More to the point for the IBM i administrator, it allows a
single SR-IOV capable adapter to be shared by multiple LPARs. You can split a single adapter with two
ports, dedicating each port to a separate LPAR, or you can go more granular and
share different percentages of the bandwidth of a single physical port between
multiple partitions. When sharing a
single physical port, you get to specify the minimum percentage of outgoing
bandwidth each partition gets, allowing each partition to use available
bandwidth to burst higher when necessary.
It is also possible to limit the maximum outgoing bandwidth a given
partition will use, although this is only possible via the HMC CLI, not the HMC
GUI.
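As a quick illustration of how the outgoing split works, here is a small Python sketch (the partition names and percentages are examples; the constraint that the minimum capacities on a physical port cannot total more than 100% is the thing to plan around):
# Example: planned minimum outgoing capacity per partition sharing one physical port
minimums = {"PROD": 40, "HA": 20, "DEV": 10, "TEST": 10}
print("total minimum %:", sum(minimums.values()))            # must stay at or below 100
print("headroom for bursting %:", 100 - sum(minimums.values()))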
What is vNIC?
vNIC is a Power virtualization technology built into PowerVM
that leverages the combination of VIOS (Virtual I/O Server) virtualization with
SR-IOV adapters to get the performance and flexibility of SR-IOV with the
additional flexibility and redundancy of a fully virtualized solution. I expect to expand on VIOS in much more detail in a future article. For now, I’ll
just say that vNIC provides an automated active/passive failover ability and supports the use
of Live Partition Mobility. If you
already use VIOS, you should strongly consider SR-IOV adapters with vNIC rather
than Shared Ethernet Adapters (SEA) unless you need the active/active load sharing configuration that is only available with SEA. If
you don’t use VIOS, watch for a future article on why you should.
Why SR-IOV?
- Better use of limited resources. 10G ethernet adapters have become common in enterprise configurations. Most of these adapters have multiple ports. Without SR-IOV, each adapter is usually dedicated to a single partition, often leaving the extra ports unused while additional adapters are dedicated to other partitions, leaving even more ports unused. How many of these ports are utilized to their full capacity? Not as many as you might think (seriously, collect some performance stats and see for yourself). More adapters used at a fraction of their capacity means more cabling and more network switch ports, all used at a fraction of their capacity. That gets costly, for both the server and network budgets, especially when working with 10G ports.
- More flexibility. Once you have connected ports to network switches, you can add partitions that use those ports without any additional cabling or network configuration. This is especially true if you configure those ports as trunks and use VLAN tagging in the IBM i TCP/IP configuration to access different networks and IP address ranges.
- Better performance than other shared configurations. Compared to traditional server-based networking configurations (VIOS Shared Ethernet Adapters or IBM i NWS Virtual Ethernet), SR-IOV connections perform much better. Virtual ethernet connections have processor overhead and many tuning parameters that limit performance. SR-IOV establishes a hypervisor-managed path to the hardware that is second only to a dedicated adapter. In the real world, SR-IOV will perform effectively the same as a dedicated adapter, and better than any server-virtualized adapter.
Who should use SR-IOV?
- Large enterprises should consider SR-IOV and vNIC technology to achieve high-bandwidth connectivity to enterprise-scale 10G (and up) infrastructure. Automatic failover (vNIC) to redundant connections ensures connectivity that leverages the highly redundant network infrastructures that exist in high-end enterprises.
- Small businesses should consider SR-IOV and vNIC technology to get the maximum capacity out of the investment in network connectivity. Fewer adapters, less cabling, and a smaller number of network ports are easier on the budget, while still providing the ability to adapt to changing business needs. SR-IOV adapters provide the ability to share adapters between partitions without any server-based virtualization, resulting in a simple-to-maintain shared configuration when other virtualization functions are not required.
What else do I need to know?
- For all of the following, see the SR-IOV FAQ for details. It can be found at: https://community.ibm.com/community/user/power/viewdocument/sr-iov-vnic-and-hnv-information
- You must have an SR-IOV supported adapter, so make sure your IBM Sales Representative or Business Partner knows you want SR-IOV when ordering a new system.
- SR-IOV adapters must be placed in specific slots. On Power 9 and Power 10 hardware, this includes most of the slots in the system.
- There are limits on the number of SR-IOV enabled adapters per system. As of November 2022, the maximum number of SR-IOV shared adapters is the lower of 32 or the number of SR-IOV slots in the system. This is not really limiting for most customers.
- There are limits on how many shared (logical) ports can be assigned to a physical port, depending on the specific adapter (ranging from 4 to 60)
- There are limits on how many shared (logical) ports can be assigned per adapter (ranging from 48 to 120)
- SR-IOV adapters in shared mode require Hypervisor memory (see FAQ)
- Pay particular attention to limitations for 1G ports on supported adapters, especially 1G SFP+ in 10G+ adapters as these may not be supported for SR-IOV.
- HMC is required for SR-IOV support.
- VIOS is required for vNIC. VIOS is NOT required for SR-IOV.
- Sharing a Link Aggregation (e.g. LACP) of multiple ports is not allowed. This is not as bad as it sounds, since link aggregation is effectively used as a redundancy measure in a VIOS SEA configuration rather than as a performance measure; SEA simply does not have the capacity to use more than a single link’s bandwidth. In practically all cases where Link Aggregation is used with VIOS, vNIC with failover is a better solution. In the rare case that it is necessary, Link Aggregation can be managed at the IBM i O/S level with the CRTLINETH RSRCNAME(*AGG) command if the SR-IOV physical ports are 100% dedicated to a single partition. See https://www.ibm.com/support/pages/configuring-ethernet-link-aggregation
- Changing the minimum capacity of a SR-IOV logical port is disruptive, so plan accordingly. Remember that the value is a minimum, and all logical ports can burst higher. This means that barring any specific continuous outgoing bandwidth requirements, you are better off estimating low.
- Bandwidth splitting on SR-IOV adapters is based on outgoing bandwidth only. There is no way to split incoming bandwidth, so consideration should be given to anticipated incoming bandwidth when deciding on how many partitions can share a port.
- SR-IOV cards are not owned by any partition, so adapter firmware updates are typically included in system firmware updates. If necessary, there is a separate procedure you can use to install adapter firmware updates on their own.
How to configure an SR-IOV port on IBM i
Rather than including a bunch of HMC screenshots that
duplicate existing resources, I’ll direct you to the excellent reference
material in the “Selected References” below, especially the Redpaper. These references will show you how to put an
SR-IOV adapter in shared or hypervisor mode and how to configure a logical port
for a partition. There is no difference
between doing this for AIX and IBM i.
The specific web interface may change a bit with each HMC release, but
the concepts remain the same.
Once the resource is created, the easiest way to determine
the resource name is to select the partition from the HMC and get the CMNxx
resource name from the “Hardware Virtualized I/O” page for SR-IOV, or the
“vNIC” page for a vNIC. It will also
show up along with all of the other resources in WRKHDWRSC *CMN, or
STRSST. Once the resource name is
located, configure it exactly as you would any other Ethernet resource by
creating a Line description, IP address, etc.
You can dynamically add and remove SR-IOV and vNIC resources
to/from a running partition. Make sure that if you remove one, there are no configurations still using that resource.
What if you need help implementing SR-IOV or vNIC on an IBM i?
Whether you have a large environment or small, implementing
new technologies can be challenging. If
you need help beyond the available documentation, the IBM i Technology Services
team (formerly known as Lab Services) is available to help with implementation
planning, execution, and knowledge transfer.
See https://www.ibm.com/it-infrastructure/services/lab-services
for contact information or speak to your IBM Sales Representative or Business
Partner. If you are planning a new
hardware purchase, you can include implementation services by the Technology
Services team in your purchase.
Disclaimer
I am an employee of IBM on the IBM i Technology Services
team (formerly known as Lab Services). The
opinions in this post are my own and don't necessarily represent IBM's
positions, strategies, or opinions.
Selected References
I often find that researching topics related to Power
Systems provides a wealth of information relating to AIX and VIOS, and
substantially less that relates directly to IBM i. Having spent a few years administering AIX
systems, I am familiar with the many excellent AIX blogs that are
available. Many of these references are
very AIX focused, but don’t let that dissuade you from reading them -- they are
also excellent resources for IBM i administrators.
IBM Power Systems SR-IOV Technical Overview and Introduction
Redpaper https://www.redbooks.ibm.com/abstracts/redp5065.html
IBM Support: Configuring Ethernet Link Aggregation
https://www.ibm.com/support/pages/configuring-ethernet-link-aggregation
IBM Community: SR-IOV FAQ
https://community.ibm.com/community/user/power/viewdocument/sr-iov-vnic-and-hnv-information
AIX for System Administrators – SR-IOV & vNIC summary
pages
http://aix4admins.blogspot.com/2016/01/sr-iov-vnic.html
http://aix4admins.blogspot.com/2017/03/vnic_20.html
YouTube – Replay of the May 28th Power Systems Virtual User Group webinar covering Single Root I/O Virtualization (SR-IOV), presented by expert Chuck Graham
TL;DR
SR-IOV lets you share ethernet adapter cards across multiple IBM i partitions without using VIOS. vNIC adds the ability to include automatic active/passive failover if you also use VIOS.