What’s new in Hyper-V in Windows Server 2016?
Nested virtualisation to shielded virtual machines: Lots to chew on here
Microsoft is busy reshaping Windows server for the cloud era, and the Hyper-V hypervisor is changing accordingly.
The first release of Hyper-V was with Windows Server 2008. It was a solid and reliable product from the beginning, but with limited features compared to its competition, especially VMware.
The technology is strategic for Microsoft though, and each new edition of Windows Server has brought significant improvements, including, amongst others:
- Live Migration
- Hot add and remove of virtual SCSI storage
- Dynamic memory
- Hyper-V Replica for easily configured resilience
- A PowerShell module for command-line and scripted administration
- Shared virtual hard drives to enable clustered virtual machines (VMs)
Server 2012 R2 introduced Generation 2 VMs, which remove legacy hardware emulation such as BIOS, PCI bus and IDE controllers to improve performance and enable features like UEFI (Unified Extensible Firmware Interface) Secure Boot.
The scalability of Hyper-V VMs has also improved, so that since Server 2012 R2 you can now configure up to 64 virtual processors, 1 TB of RAM, 64 TB virtual hard drives, and up to 256 virtual SCSI disks.
In Windows Server 2016 Microsoft is adding more features, and the changes are significant. Many of the changes are already available in Windows 10, for development and testing. The goal of Windows Server architect Jeffrey Snover is to make Windows a “cloud OS”, which includes the notion of on-demand compute resources, VMs that spin up or down as needed.
Improvements in Hyper-V are an immediate benefit to Microsoft’s Azure cloud platform and its users, as well as to those deploying Azure Stack, which offers a subset of Azure features for deployment on premises.
Two complementary Server 2016 features are also worth noting. The first is Nano Server, a stripped-down edition of Windows Server optimized for hosting Hyper-V, running in a VM, or running a single application. There is no desktop or even a local log-on, since it is designed to be automated with PowerShell.
The benefits include faster restarts, lower attack surface, and the ability to run more VMs on the same physical hardware. Fewer features also mean fewer patches, and fewer forced reboots. In Server 2016, Microsoft recommends Nano Server as the default host for Hyper-V.
The second feature is containers. Using containers, both the application and its resources and dependencies are packaged, so that deployment is automated. Containers go hand in hand with microservices, the concept of decomposing applications into small units each of which runs separately.
Microsoft’s new operating system supports both Windows Server Containers, which use shared OS files and memory, and Hyper-V containers, which have their own OS kernel files and memory. The idea is that Hyper-V containers have greater isolation and security, at the expense of efficiency.
Top of the what’s new list is nested virtualisation, the ability to run VMs in VMs. This is a catch-up with competing hypervisors that already have this feature, but an essential one, since it allows Hyper-V to be used even when your server infrastructure is virtualised on the Azure cloud or elsewhere.
Hyper-V depends on CPU extensions, Intel VT-x or AMD-V, and nested virtualisation includes these extensions in the virtual CPU presented to the guest OS, enabling guests to run their own hardware-based hypervisor. The feature could also help developers working in a VM, since device emulators which use these extensions may work.
Nested Virtualisation works in the latest preview of Windows Server 2016 (currently Technical Preview 4) and in recent builds of Windows 10. You have to run PowerShell scripts to enable the feature in both the host and a VM. There are currently some limitations. Dynamic memory, live migration and checkpoints do not work on VMs which have the feature enabled, though they do work in the innermost guest VMs.
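As an added example (not from the article or from Microsoft's own scripts), this is the host-side preparation for nested virtualisation on a Server 2016 / Windows 10 host, honouring the limitation above that dynamic memory cannot be used on the outer VM. The VM name and vCPU count are placeholders.

```powershell
# Added example: prepare a Hyper-V VM so it can run its own hypervisor.
# Run from an elevated PowerShell session on the physical host.
$VMName = 'NestedHost01'   # placeholder VM name

$vm = Get-VM -Name $VMName -ErrorAction Stop

# Exposing the virtualisation extensions is a processor setting and can
# only be changed while the VM is off.
if ($vm.State -ne 'Off') {
    Stop-VM -Name $VMName -Force
    Write-Host "Stopped $VMName to change processor settings."
}

# Dynamic memory is not supported on a VM with the feature enabled
# (the article lists it alongside live migration and checkpoints),
# so move the VM to static memory first.
if ($vm.DynamicMemoryEnabled) {
    Set-VMMemory -VMName $VMName -DynamicMemoryEnabled $false
    Write-Host "Disabled dynamic memory on $VMName."
}

# Present Intel VT-x / AMD-V to the guest; the vCPU count is an example value.
Set-VMProcessor -VMName $VMName -Count 2 -ExposeVirtualizationExtensions $true

# Verify the change before starting the guest.
$cpu = Get-VMProcessor -VMName $VMName
if (-not $cpu.ExposeVirtualizationExtensions) {
    throw "Virtualisation extensions are still hidden from $VMName."
}

Start-VM -Name $VMName
Write-Host "$VMName is running with nested virtualisation enabled; the Hyper-V role can now be installed inside the guest."
```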
One of the disadvantages of cloud computing is that physical access to your infrastructure is in the hands of a third party, with obvious security implications. The idea of Shielded VMs is to mitigate that by having VMs that cannot be accessed by host administrators.
Shielded VMs use Microsoft’s Bitlocker encryption, Secure Boot and virtual TPM (Trusted Platform Module), and require a new feature called the Host Guardian Service. Once configured, a Shielded VM will only run on designated hosts. The VM is encrypted, as is network traffic for features like Live Migration.
Running a Shielded VM has annoyances. You cannot access the VM from the Hyper-V manager, and you cannot mount its virtual disk drive from outside the VM. There is also, according to Microsoft, up to a 10 per cent performance impact because of the encryption.
Microsoft’s Resilient File System (ReFS) was introduced in Windows Server 2012, but its visibility has been limited since installations still use NTFS by default. However, according to Microsoft Program Manager Ben Armstrong, ReFS is recommended for Hyper-V hosts in Server 2016.
It is much faster for certain operations used by Hyper-V, including creating a fixed-size VHDX (Virtual Hard Drive) and performing a file merge, used by Hyper-V checkpoints and Hyper-V Replica. In Armstrong’s demonstration at a TechDay in Sweden, a merge performed in NTFS took 29 seconds, versus two seconds for ReFS.
Checkpoints let you take a snapshot of a VM, with the ability to reset the VM back to that snapshot later. They are ideal for safe experimentation, or for troubleshooting, but Microsoft has never recommended them for production use, because of reliability issues. Microsoft has now introduced Production Checkpoints, which are supported. The difference is that Production Checkpoints use backup technology inside the guest rather than saving the state. Production Checkpoints do not save application state. Both types of checkpoint remain available.
New VM binary configuration file format
Microsoft fell in love with XML some years back, and used it everywhere it could, including for VM configuration files. While its plain-text readability sounds like a good idea, performance has turned out to be poor, because of the bloat of XML libraries invoked to parse the files. A new binary format with a .VMCX extension is used in Server 2016.
Compatibility between Hyper-V versions
In this release of Hyper-V, you can run VMs created with the previous release in compatibility mode, so you have the flexibility of moving both ways between old and new hosts. A VM is not upgraded until you specifically choose “Upgrade Configuration Version” or run the appropriate PowerShell command. This makes gradual migration between releases much easier.
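An added example (not the article's or Microsoft's own code) of finding VMs still running in compatibility mode on a Server 2016 host and upgrading only the ones you choose. It assumes the host's PowerShell Hyper-V module reports supported configuration versions via Get-VMHostSupportedVersion.

```powershell
# Added example: list VMs below the host's native configuration version
# and upgrade them one at a time, with confirmation.
# Run elevated on the Server 2016 host.

# The host reports the configuration versions it can run; the default
# entry is the native Server 2016 version.
$native = (Get-VMHostSupportedVersion | Where-Object IsDefault).Version

# Get-VM exposes Version as a string such as '5.0'; cast for comparison.
$legacy = Get-VM | Where-Object { [version]$_.Version -lt $native }

if (-not $legacy) {
    Write-Host "All VMs already use configuration version $native."
    return
}

$legacy | Select-Object Name, State, Version | Format-Table -AutoSize

foreach ($vm in $legacy) {
    # The upgrade is one-way: once at the 2016 version the VM can no
    # longer be moved back to the older host. It must be off first.
    if ($vm.State -ne 'Off') {
        Write-Warning "$($vm.Name) is $($vm.State); shut it down before upgrading."
        continue
    }
    # -Confirm prompts per VM so a mixed-version cluster is not upgraded by accident.
    Update-VMVersion -VM $vm -Confirm
}
```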
Online configuration improvements
Hyper-V in Server 2016 supports more configuration changes while a VM is running than before. You can now add and remove network adapters, add and remove memory when dynamic memory is not configured, and add or remove drives from VMs that are replicated.
Rolling Hyper-V cluster upgrade
If you run Hyper-V on a failover cluster, you can upgrade to Server 2016 without downtime thanks to a feature called Rolling Hyper-V Cluster upgrade. You begin by adding a node running Server 2016, then gradually upgrade each node, moving VMs between nodes to avoid downtime. Finally, when all nodes are upgraded, you can upgrade the functionality of the cluster to the 2016 level.
Hyper-V VMs typically access storage on a SAN (Storage Area Network). If there is an intermittent network failure, and storage stops responding, then VMs on previous versions of Hyper-V crash. In Server 2016, VMs are paused instead, and will unpause when storage returns.
Guest Cluster improvements
A Guest Cluster is a failover cluster composed of two or more VMs. Microsoft intends that Guest Clusters will eventually have the same functionality as a standalone VM. A new feature in Server 2016 is the ability to resize a shared VHDX while online.
New backup infrastructure
One of the advantages of virtualisation is you can back up a VM from the host. In current versions of Hyper-V, this uses VSS (Volume Shadow Copy Service) to ensure data consistency. Server 2016 introduces a new “native change block API” that does not require VSS, or snapshots of SAN storage. Since backup failures are often caused by VSS failures, this should improve reliability.
In Server 2016, a feature called PowerShell Direct lets Hyper-V administrators open a PowerShell session inside a VM from the host operating system, without requiring a network or any remote management configuration. It is the same kind of direct connection that enables you to interact with the desktop or copy files to and from a VM, using only the Hyper-V administration tools. PowerShell Direct does require Windows 10 or Windows Server 2016 in the guest VM. You also need user credentials for the VM, and the feature will not work with Shielded VMs.
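As an added example (not from the article), this uses PowerShell Direct from the host to gather a few facts from inside a guest with no network path to it, checking first for the two conditions the text names: the guest must be running, and a Shielded VM is off limits. The VM name is a placeholder, the credential is prompted for, and the shielding check assumes Get-VMSecurity from the Server 2016 Hyper-V module.

```powershell
# Added example: host-side PowerShell Direct, with the preconditions checked.
$VMName = 'AppServer01'                                      # placeholder
$cred   = Get-Credential -Message "Account inside $VMName"   # guest credentials are required

$vm = Get-VM -Name $VMName -ErrorAction Stop
if ($vm.State -ne 'Running') {
    throw "$VMName is $($vm.State); PowerShell Direct needs a running guest."
}

# Shielded VMs block host-side access by design, so stop before trying.
if ((Get-VMSecurity -VMName $VMName).Shielded) {
    throw "$VMName is shielded; the host cannot open a session inside it."
}

# Whatever the script block returns is serialised back to the host.
# -VMName routes the session over the VM bus, not the network.
$report = Invoke-Command -VMName $VMName -Credential $cred -ScriptBlock {
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OSVersion     = [System.Environment]::OSVersion.Version.ToString()
        Uptime        = (Get-Date) - (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
        PendingReboot = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    }
}

$report | Format-List

# For an interactive shell in the guest instead of a one-off command:
#   Enter-PSSession -VMName $VMName -Credential $cred
```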
Hyper-V is an integral part of Windows Server and critical to Microsoft’s strategy, so the company’s efforts to improve it are welcome. It is an excellent hypervisor, though issues remain when it comes to management and deployment tools. The standalone Hyper-V administrator works well, especially the latest version which allows you to connect as another user, but this is designed for small-scale use.
If you are managing large numbers of hosts and VMs, or deploying a private cloud with self-service provisioning, Microsoft’s solution is the intricacies of System Center, or the emerging Azure Stack, which is now in preview.
Of the two, Azure Stack looks more like the long-term direction since it uses the same portal and APIs (though with cut-down features) as Microsoft’s public cloud.
“Cloud isn’t a place, it’s a model … to move forward in the cloud-first world, you need to be able to get that model running in your own datacenter,” says Snover. Azure Stack is a long way from being ready, though, and the journey from System Center is unlikely to be easy.