LinuxONE: disturbing continuous operations, extreme performance and pervasive security paradigms

LinuxONE: disturbing continuous operations, extreme performance and pervasive security paradigms– Published 03 February 2020 – ID PM00020 – 15 min read

Introduction

Digital Transformation requires firms to effectively and efficiently combine platforms, processes, governance, and talent to gather deep and timely insights from data and actuate these insights to optimize operations, accelerate innovation, and transform their customers engagement.

The new digital economy and the dependence on cloud services has increased risks for most companies, complicating the attainment of business agility and cost reduction. Firms need to move away from their traditional company-centric product view to that of an omnichannel customer experience focused on delivering customer value quickly and seamlessly.

Moreover, companies need to be able to move mission critical workloads to a more cloud-like model to take advantage of agile and DevOps processes. The challenge lies in safeguarding those mission critical workloads to enable the qualities of service (security, availability, resiliency) required to ensure businesses operate at peak performance and in compliance with SLAs , the national law and regulations, and vendors licences rules.

My personal assessment when having discussion with my customers is that they are still confused about the right infrastructure paradigm to adopt: converged infrastructure, hyper converged infrastructure, system expert, traditionnel infrastructure,…this is true for their existing core systems and for their cloud ready and natives applications.

Also the technological landscape is constantly changing and improving as each day passes – change is the only constant making the pace of change too fast: traditional J2EE applications become legacy systems, application performance management without IA become inefficient, contrainerization become the new way of software delivery,…

By the end of the day , most of customers are still purchasing HCI with different flavors, System Expert , hypervisors, security appliances,…, all based on commodity hardware.

This adoption fit the customers needs in a very short term but often leads to huge challenges : software compliance, data protection and privacy issues, datacenter requirements, continuous operations and always on constraints, extending security boundaries, limited portability between infrastructures, raised integration , locked-in and sunk costs, hybrid cloud readiness,…

In this article i tried to address some of those challenges by presenting a new approach for designing continuous operations, extreme performance and pervasive security systems based on IBM LinuxONE.

IBM LinuxONE positioning : the Linux Monster= The best of Linux + The best of Enterprise Computing

The IBM LinuxONE offers a highly secure, flexible, scalable, and reliable enterprise platform for hybrid cloud, data serving, and other mission-critical Linux workloads.

LinuxONE servers offer the same inherit capabilities for IBM Z servers for organizations who want to run Linux in a scale-up architecture.It’s an enterprise server that is designed for large and complexe data serving and transactional applications.

The LinuxONE server has as its foundation the Integrated Facility for Linux (IFL) processor. IFLs are specialized central processors that are designed to run Linux, z/VM, and KVM only.

With up to 190 configurable cores and 40 TB of real memory, the LinuxONE open opportunities such as in-memory data marts, large buffer pools for data access, in-memory analytics while providing the necessary room to tune applications for optimal throughput , performance and scaling advantages over the capacity to do the work of thousands of x86 servers in a single footprint.

LinuxMonster

Security, Data protection and privacy on LinuxONE

The security capabilities of LinuxONE are unprecedented. The LinuxONE platform provides the hardware infrastructure, in a balanced system design, with the encryption capabilities that make it possible to create a fortified perimeter around critical business data. Security is built into the LinuxONE hardware, enabling fast hardware encryption of all data, whether it is in use, in flight, or at rest.

IBM LinuxONE provides customers with protection of data, encryption keys, software deployment, multi-tenant Cloud environment, by providing the following features:

  • Protect all of application and database data according to enterprise security policy using encryption that’s transparent to applications and doesn’t impact SLAs.
  • Protect data from security breaches, whether it’s in memory, stored on the disk, on its way to the disk, being sent across your private network or public networks to other computers. 
  • Provide the highest level of security (FIPS 140-2 Level 4, EAL 5+ certification) in alignment with regulatory initiatives.
  • Maintain the trust of the customers by keeping their personal information secure.
  • Lower data management costs, both CAPEX and OPEX, by simplifying the infrastructure, networking and security.

LinuxONE provides a unique security features :

  • The IBM Secure Service Container (SSC) is a solution that hosts container-based applications for hybrid and private cloud workloads that uses LinuxONE’s EAL5+ certification for vertical isolation of workloads and achieves horizontal isolation that separates the running application from the underlying host environment.
  • Extend DCAP (Data Centric Audit and Protection) by providing smart, secure data movement application transparent protection for data leaving LinuxONE.
  • IBM Data Privacy Passports, provides transparent, end-to-end, data-level protection and privacy.
  • IBM Secure Boot for Linux : a complete chain of trust from trusted power-on to a started boot loader.

IBM LinuxONE : Reliability and Availability

Docker on LinuxONE

VM sprawl phenomenon and scale out strategy
All discussions i had with my customers when reviewing their virtualization solutions lead us to make the light on the VM sprawl phenomenon :the uncontrolled proliferation of virtual machines without adequate IT control can cause enormous challenges in designing an efficient and cost-effective infrastructure.

It becomes more expensive and requires more efforts from support staff to track which servers should be updated, and the way to handle security standards.It is easier to spin up a VM to test a new application release, upgrade, or deploy a new software package. However, it can produce VM sprawl.

The only way to mitigate exhausted capacity is to adopt the scale-out strategy,implement chargeback, metering solutions and use VM LifeCycle management tools. This strategy leads also to server sprawl, which uses more environmental factors, such as data center floor space, power and cooling resources and adds more complexity  and cost to monitor ressources properly and help business understand the true cost of VMs.

Docker on LinuxONE

Docker provides plenty of advantages :no need to run a full copy of an operating system, versioning of images, agility to deploy new applications while transitioning from monolithic applications to distributed microservices, isolation, better resource utilization, application portability,…

IBM LinuxONE provide two unique features for Docker:

  • Overcomes VM/server scale-out strategy by providing the ability to physically install 190 processors and up to 40 TB of addressable memory in a single-server footprint.
  • Provides Secure Service Containers: a new, specialized type of partition that provides for the highly secure, fast deployment, and management of approved, pre-packaged applications, such as blockchain in an appliance model of deployment (isolation based on EAL5+ level of protection)

This Secure Service Container doesn’t include direct operating system access by way of SSH or otherwise. Only remote APIs (RESTful) are permitted access to the appliance, which restricts administrator access to workload and particularly data.

In addition, memory access is disabled, and disk access is encrypted by default and cannot be disabled. Debugging data in the form of system dumps is also encrypted, which implies that support groups can view only the application instructions within the dump, not any data that’s included within the dump.

The architecture also provides strong isolation between Secure Service Container instances. This isolation relies on the EAL5+ level of protection and does require dedicated hardware. An application thats running in one Secure Service Container cannot access an application that’s running in another Secure Service Container apart from through remote APIs.

Java workloads on LinuxONE

“stop the world” phenomenon

The Java runtime supports a built-in memory manager that tracks an application’s usage of the Java heap. Garbage Collection (GC) is a process that is triggered when the heap becomes exhausted. During the GC process, the application is stalled in “stop-the-world” phases, to allow GC to identify and reclaim memory from Java objects that are no longer referenced. Untuned, such “stop-the-world” GC phases can have a detrimental impact to your application’s throughput and response time.Because of resulting lengthy garbage collection pauses, Java applications quickly reach scalability barriers.

Java on LinuxONE

IBM LinuxONE provide plenty of features for Java and BPM applications:

  • Improved Pause-Less Garbage Collection for response time sensitive applications
  • Delivers industry-leading Java performance because of the use of Java Pause-Less Garbage Collection, which enables applications to run up to 2.5 x faster than on x86 alternatives. Also, along with its improved cryptographic acceleration exploitation, the LinuxONE allows for a much greater vertical scalability of Java workloads when compared to its x86 counterpart.

  • Industry-leading secure Java performance via TLS (2-3x faster than x86)
  • Provides up to 2 x better throughput per core processing business rules than x86
  • Provides up to 100 x better average  compression throughput than x86

Databases workloads on LinuxONE

Fact 1: All of the top 10 DBMSs that run on Linux can run on LinuxONE

Fact 2: Open source databases are the actual leaders for time series DBMS, wide columns store, document store, key value stores, search engine and graph DBMS and the future leaders for relational and object oriented DBMS in the short term.

Fact 3: LinuxONE provides the highest level of protection for DbaaS in the industry

IBM LinuxONE Secure Service Container (SSC) provides workload isolation, restricted administrator access and tamper protection against internal threats.

  • No system admin access
    • Once the appliance image is built, OS access (ssh) is not possible
    • Only remote API access available
  • Signed docker images
    • Docker-base stack inherits security without any code changes
    • Trusted and attested images prevent access to data

Fact 4: Faster data means better analytics

  • IBM HiperSockets technology eliminates the network latency for collocated VMs
  • Up to 3x more analytics performed with Spark
  • More than 50% faster response time by co-locating Node.js with the data
  • No ETL needed — critical enterprise data never have to leave the LinuxONE

Fact 5: Extreme performance

  • Start with as few as 1 core and grow to the equivalent of over 2,000 x86 cores in a single LinuxONE system
  • Scale-up a single unsharded 17 TB instance of MongoDB
  • Process up to billions transactions per day with Node.js and MongoDB on a single LinuxONE system<

Fact 6:The enterprise-grade Linux on LinuxONE solution is designed to add value to Oracle Database solutions

  • Provides high levels of security with the industry highest EAL5+ and virtualization ratings, and high quality of service
  • Optimizes performance by deploying powerful database hardware engines
  • Achieves greater flexibility through the LinuxONE workload management capability by allowing the Oracle Database environment to dynamically adjust to user demand
  • Reduces TCO by using the specialized LinuxONE cores that run the Oracle Database and management of the environment (average 10:1 consolidation ratio)

Redhat OpenShift and IBM CloudPak on LinuxONE

IBM CloudPak is a faster, more secure way to move your core business applications to any cloud through enterprise-ready containerized software solutions:

  • Unified UX and consumption based  pay for what you use and use the capabilities you want
  • IBM certified: Certified, up-to-date software that secures the entire stack, from hardware to applications
  • Run anywhere: Portable, running on-premises, on public clouds, or in a pre-integrated system

The foundation for IBM approach is an open hybrid cloud fabric to securely develop and manage applications, workloads and data across any cloud environments and vendor.  Because it’s based on RedHat’s open container and Kubernetes technology, RH OpenShift, you gain portability, choice and access to any cloud infrastructure, on or off prem all with a consistent set of common services (access and identity, monitoring, etc.)

Benefits of CloudPak over  Containers Alone (client creating containers or receiving software as standalone container(s)):

  • Runs anywhere
  • Vulnerability scanned
  • Red Hat container certification
  • Complete solution w/ container platform
  • Flexible & modular: Pay for what you use
  • IBM certified/orchestrated for production(Built for Kubernetes by experts; certified against 250+ criteria)
  • Multicloud validation
  • Integrated deployment experience
  • Full stack support by IBM (Base OS, software, and container platform)
  • License metering integration
  • Scalable and resilient
  • Encrypted secrets / limited privileges
  • Management and operations
  • Lifecycle Management

LinuxONE unique feature for IBM CloudPak and OpenShift: built on the security and reliability of the IBM LinuxONE platform, IBM Cloud Hyper Protect Virtual Servers protect business IP with data-at-rest and runtime encryption. It provide the capabilities to extend and consume on-premises resources in the cloud for faster development, testing and backup, without sacrificing security.

Untold story : the real Total Cost of Ownership analysis

In the article featured image, i put a snapshot from traditional customer datacenter and applications landscape:

  • An HCI plateforme hosting SAP ERP and a private cloud based
  • An Oracle Exadata 1/8 rack for mission critical databases
  • A frame of servers with the underlying storage hosting multiples VMs (applications servers, mediation servers, http, ldapd,…)
  • A standalone servers hosting open-source solutions for big data and analytics
  • A mobile and chatbot applications hosted on the Cloud
  • External HSM appliances

The real TCO analysis should take into consideration the following cost :

Middleware , hypervisors licences and operating system subscriptions :

  • Oracle Database Enterprise Edition + support for 96 cores
  • Oracle Database RAC + support for 96 cores
  • Oracle Options + support for 96 cores
  • Websphere Application Server Network deployment for 1280 PVU
  • Websphere MQ + support for 240 PVU
  • Websphere ESB + support for 240 PVU
  • Vmware VSphere Entreprise Plus with Operation Management for 12 CPU
  • Red hat Subscription Virtual Datacenter for 12 CPU
  • SUSE Linux Enterprise Server for SAP Applications for 2 CPU
  • Ubuntu Virtual Server Advanced for 200 virtual machines
  • SAP R/3 + support
  • Software LoadBalancers

Hardware :

  • HCI purchase and maintenance
  • Rack servers and storage purchase and maintenance
  • Oracle Exadata purchase and maintenance
  • HSM purchase and maintenance

Application Management:

  • Installation and configuration costs associated with software development and deployment projects
  • External system interface integration, support and testing costs
  • Performance tuning and monitoring of application server environment
  • Troubleshooting time for applications and development environments

Infrastructure Management:

  • Deployment, monitoring and routine maintenance of application software
  • Application of fix packs and patches to the OS, Database and Application Server
  • Upgrade of servers to newer versions
  • Backup and restoration of the OS, Database and Application Server

Risk of downtime:

  • Automated recovery from failures
  • Failover time
  • Consistency checks on configuration to prevent illegal settings
  • Security tools for separation of administrative roles
  • Auditing of administrative actions
  • Replication
  • Disaster recovery plan
  • Continuous operations

Next steps:

  • Ask for a customized presentation and TCO from PowerM and/or IBM team
  • Try LinuxONE on IBM LinuxONE Community Cloud
  • Ask for a POC for Java and Oracle consolidation from PowerM and/or team

References

  • Linux III Announcement letter IBM United States Hardware Announcement 119-012 September 12, 2019
  • Redbook Getting Started with Docker Enterprise Edition on IBM Z  SG24-8429-00 March 2019
  • Pause-less Garbage Collection with Java 8.0.5.0 and z14 IBM z Systems Developer Community December 7, 2017
  • Redpaper Scale up for Linux on LinuxONE  REDP-5540-00 July 2019
  • DB Engines January 2020
  • ITIC 2019 Global Server Hardware Server OS Reliability Report
  • Redbook Securing Your Cloud IBM Security for LinuxONE SG24-8447-00 July 2019

Disclaimer

This content was provided for informational purposes only. The opinions and insights discussed are mine and do not necessarily represent those of Power Maroc S.A.R.L. 

Nothing contained in this article is intended to, nor shall have the effect of, creating any warranties or representations from Power Maroc S.A.R.L or its Partners (particularly IBM, DELL Technologies, Vmware, Redhat and Oracle), or altering the terms and conditions of any agreement you have with Power Maroc S.A.R.L.