
FusionSphere 6.0
Presales Technical FAQs (Cloud Data Center)

This document is intended for Huawei technical engineers and internal product personnel only.
For promotion data and policies, refer to the latest promotion data and sales guide.
This document is not a commitment to customers.

HUAWEI TECHNOLOGIES CO., LTD.


Copyright Huawei Technologies Co., Ltd. 2016. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer.
All or part of the products, services and features described in this document may not be within the purchase scope or
the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this
document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or
implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation
of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this
document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://enterprise.huawei.com
Email: support@huawei.com

Issue 01 (2016-04-26) Huawei Proprietary and Confidential i


Copyright Huawei Technologies Co., Ltd
About This Document

Intended Audience
This document applies to the FusionCloud Data Center Virtualization solution that uses the
OpenStack+FusionCompute (VRM) architecture. It is intended for Huawei technical
engineers and internal product personnel only.
Do not send this document to any persons other than Huawei internal personnel.
For promotion data and policies, refer to the latest promotion data and sales guide.
This document is not a commitment to customers.

Symbol Conventions
The symbols that may be found in this document are defined as follows:

Symbol                                      Remarks
DANGER                                      Alerts you to a high risk hazard that could, if not avoided, result in serious injury or death.
WARNING                                     Alerts you to a medium or low risk hazard that could, if not avoided, result in moderate or minor injury.
CAUTION                                     Alerts you to a potentially hazardous situation that could, if not avoided, result in equipment damage, data loss, performance deterioration, or unanticipated results.
Tip symbol                                  Provides a tip that may help you solve a problem or save time.
Note symbol                                 Provides additional information to emphasize or supplement important points of the main text.
"(From the Desktop Cloud FAQs)" in titles   Indicates that this FAQ is from the desktop cloud FAQs.

Change History

Date         Issue     Description     Author
2016-04-26   V1.0.5                    Ni Tao (145819)

Contents

About This Document .................................................................................................................... i


1 OpenStack Key Questions .... 5
1.1 Why Deploy FusionSphere OpenStack Controller Nodes on Physical Servers? .... 5
1.2 Can FusionSphere OpenStack Controller Nodes Be Deployed on the Huawei Virtualization Environment? .... 5
1.3 Is the Virtualization Antivirus Feature Supported in the Cloud DC Scenario? .... 5
1.4 Can the FusionSphere OpenStack System Be Smoothly Upgraded from FusionSphere 5.1 to FusionSphere 6.0? .... 6
1.5 Can Legacy VRM Resource Pools of FusionSphere 5.1 Be Smoothly Added to the FusionSphere OpenStack System? .... 6
1.6 What Are the Network Capabilities of a Managed VRM Resource Pool? .... 6
1.7 What Are the VM-related Operations That Can Be Performed in the Huawei FusionSphere Cloud DC Scenario? .... 6
1.8 Does FusionSphere 6.0 Support Heterogeneous KVM? .... 6
1.9 How Are Storage Resources Connected to the FusionSphere OpenStack System? What Are the Main Concerns? .... 7
1.10 Does the Ironic Service in FusionSphere 6.0 Support Physical Server Management Across AZs? .... 8
1.11 Are Services Interrupted When Existing VMware Virtual Resource Pools on the Live Network Are Added to the FusionSphere OpenStack System? .... 8
1.12 Do the Bare Metal Servers Support Automatic Deployment of Applications (Oracle Databases, Hadoop)? .... 8
1.13 Is One Set or Two Sets of ManageOne ServiceCenter Used to Manage the Active and Standby Sites in the DR Scenario? .... 9
1.14 Must ManageOne Be Used in the Converged Resource Pool Solution? .... 9
1.15 What Are the Precautions When Configuring the FusionSphere OpenStack Controller Nodes? .... 9
1.16 What Are the Constraints for the Bare Metal Servers? .... 9
1.17 What Are the Constraints for the Backup and DR Solution? .... 10
1.18 What Are the Constraints for the Projects Involving the Existing Resource Pool Management? .... 10
1.19 Is VMware vSAN Supported in the Managed VMware Resource Pools in the Converged Resource Pool Solution? .... 11
1.20 What Are the Precautions When Using the VIMS Storage Virtualization? .... 11
1.21 What Are the Integration Strategies for the F5 Load Balancer to Support the vLB Service? .... 11
1.22 What Are Host Aggregates in FusionSphere OpenStack? Does FusionSphere OpenStack Have Clusters? .... 11
1.23 Is NUMA Supported in the Cloud DC Scenario? .... 11
1.24 At Which Layer Does the VM HA Work? .... 12
1.25 Is CPU Overcommitment Supported in the Cloud DC Scenario? .... 12
1.26 How Are Storage Resources Connected to the FusionSphere OpenStack System in Cloud DC Scenarios? .... 12
1.27 What Functions Does a Cinder QoS Policy Provide? What Is the Difference Between Front-end and Backend Controlling? .... 12

1.28 Is eBackup Used in FusionSphere 6.0? How Does eBackup Work? .... 12
1.29 What Is the Difference Between CPS and CBS Installation? .... 12
1.30 Are All Nodes in the FusionSphere OpenStack System Automatically or Manually Installed? .... 13
1.31 How Long Does It Take to Add Compute Nodes to the FusionSphere OpenStack System? .... 13
1.32 Must the Heterogeneous Virtualization Platform Be Deployed in an Independent AZ in the FusionSphere OpenStack System? .... 13
1.33 What Native OpenStack Version Does Huawei Employ and What Is the Follow-up Plan? .... 13
1.34 What Are the Enhanced Features of Huawei FusionSphere OpenStack Beyond the Open-source OpenStack? .... 13
1.35 Does FusionSphere Support the Commercial Use of Elastic IP Addresses (EIPs) in the Cloud DC Scenario? .... 15
1.36 Does FusionSphere OpenStack Support Physical Server Provisioning? .... 15
1.37 Does FusionSphere OpenStack Support Hardware Monitoring, and What Is the Monitoring Capability? .... 15
1.38 Why Are Both MongoDB and GaussDB Required in FusionSphere OpenStack? .... 15
1.39 How Can Huawei FusionSphere OpenStack Connect to VMware vSphere? For Example, How Is the Network Connected, Through VSS or VDS? Or Does Huawei Provide a Specific Method? .... 15
1.40 Why Is MongoDB Rather Than Other Databases Used in OpenStack? .... 15
1.41 Does FusionSphere OpenStack Support a Configurator? Does It Need to Be Manually Configured? .... 16
2.1 What OS Is Installed at the Underlying Layer of Servers? .... 17
2.2 What's New in FusionCompute Compared with Xen? .... 17
2.3 What Is the Space Size Needed for Deploying the Virtualization Software? .... 18
2.4 What Is the Clock Rate of a vCPU? .... 18
2.5 Can vCPUs Be Automatically Assigned to VMs? .... 18
2.6 Can Memory Be Automatically Assigned to VMs? .... 18
2.7 Will All VMs Become Unavailable Due to a Memory Sharing Fault? .... 19
2.8 Can CPU and Memory Capacities Be Expanded Online? .... 20
2.9 Does FusionSphere 6.0 Support Fine-grained QoS Migration Control Based on Network Traffic, CPU Usage, Memory Usage, and I/O Throughput? .... 20
2.10 Does FusionSphere 6.0 Support Fault Tolerance (FT)? .... 20
2.11 Does FusionSphere 6.0 Support Linked Cloning? .... 21
2.12 Does FusionSphere 6.0 Support Incremental Snapshots? .... 21
2.13 Does FusionSphere 6.0 Virtualization Support Local Storage? .... 21
2.14 Can the Size of a System Disk Be Specified When Using Images or Templates to Create a VM? .... 21
2.15 Do the Windows-based VMs Share the Same SIDs? .... 21
2.16 How Does a VM Implement HA? .... 21
2.17 Does Virtualization Support USB Encryption Devices? .... 22
2.18 Does the Black Box Record VM Logs and Behaviors? .... 22
2.19 How Does the Information Recorded by the Black Box Become Available When a Fault Occurs in the System? .... 22
2.20 How Does Virtualization Support Service Clusters? .... 23
2.21 How Is Virtual Load Balancing Implemented? .... 23
2.22 Can Multiple Associated VMs Be Automatically Distributed on Different Physical Servers? .... 23
2.23 Are Service VMs Distributed on Physical Servers Regularly or Randomly? .... 23
2.24 How Is the CPU Performance Optimized by the Huawei Virtualization Software? .... 24
2.25 How Is the Memory Performance Optimized by the Huawei Virtualization Software? .... 24

2.26 How Is the I/O Performance Optimized by the Huawei Virtualization Software? .... 24
2.27 What Features Does the Huawei Virtualization Security Solution Offer? .... 25
2.28 What Is the Huawei Infrastructure Security Solution? .... 25
2.29 How Are Services Isolated on VMs? .... 25
2.30 How Can I Prevent Mutual Attacks Among VMs in the Same Security Group or in Different Security Groups? .... 26
2.31 Are the API Interfaces of a VM Encrypted? .... 26
2.32 Is the Data of a VM Cleared After the VM Is Deleted? .... 27
2.33 How Can I Guarantee User Data Security? .... 27
2.34 How Can I Achieve Storage Data Isolation? .... 27
2.35 How Does the Cloud Technology Centralize Different Domains? .... 27
2.36 How Do the Security Isolation Requirements of Different Domain IT Systems Affect the Networking of Cloud Computing Environments? How Can I Guarantee Security While Maintaining Cloud Computing Flexibility? .... 28
2.37 What Is Plane-based Network Communication? .... 28
2.38 What Are the Security Hardening Measures for the VM Operating System? And How Do They Defend Against Viruses? .... 28

1 OpenStack Key Questions

1.1 Why Deploy FusionSphere OpenStack Controller Nodes on Physical Servers?
The main reasons are as follows:
For low-cost, small-scale projects, controller nodes can be deployed on VMs. However, to meet system management requirements and achieve high I/O performance in large-scale projects, deploy controller nodes on physical servers.
The FusionSphere Cloud Data Center (Cloud DC) scenario is provided for key customers and industries as well as commercial projects of a certain scale. Because such projects scale continuously, they start with a small capacity but grow into large-scale cloud platforms in the long term, and they generally require sustainable expandability. To avoid the performance bottleneck that capacity expansion may cause, you are therefore advised to deploy controller nodes on physical servers.

1.2 Can FusionSphere OpenStack Controller Nodes Be Deployed on the Huawei Virtualization Environment?
In FusionSphere 6.0, controller nodes can be deployed on VMs created on the VMware hypervisor. Virtual deployment of controller nodes on the Huawei hypervisor is planned for later versions.

1.3 Is the Virtualization Antivirus Feature Supported in the Cloud DC Scenario?
The Cloud DC scenario supports the virtualization antivirus feature. At present, the Trend antivirus software has been tested and is supported. The Rising antivirus solution is still under test and is not yet supported in the Cloud DC scenario.

1.4 Can the FusionSphere OpenStack System be Smoothly
Upgraded from FusionSphere 5.1 to FusionSphere 6.0?
The FusionSphere OpenStack system can be smoothly upgraded from FusionSphere 5.1 to
FusionSphere 6.0.

1.5 Can Legacy VRM Resource Pools of FusionSphere 5.1 Be Smoothly Added to the FusionSphere OpenStack System?
Services may be interrupted when legacy VRM resource pools of FusionSphere 5.1 are added to the FusionSphere OpenStack system of FusionSphere 6.0, because the network data must be migrated. The interruption duration depends on the scale of the resource pools. This operation will be optimized in later versions to reduce the interruption.

1.6 What Are the Network Capabilities of a Managed VRM Resource Pool?
The network of the VRM resource pools before and after being managed is based on VLAN.
The VXLAN network is not supported in managed VRM resource pools.

1.7 What Are the VM-related Operations That Can Be Performed in the Huawei FusionSphere Cloud DC Scenario?
Managed resource pools cannot provide network services, including vRouter, virtual load balancer (vLB), virtual firewall (vFW), and virtual private network (VPN), because the L3 to L7 network services are based on VXLAN networks.

1.8 Does FusionSphere 6.0 Support Heterogeneous KVM?


FusionSphere 6.0 does not support heterogeneous KVM provided by other vendors, and managing heterogeneous KVM is not planned for future versions either.
As a cloud platform provider, Huawei has to guarantee the commercial capabilities of the cloud platforms it delivers. If heterogeneous KVMs that have not passed compatibility tests are used in Huawei FusionSphere OpenStack systems, technical risks may arise. Once an issue occurs, it is difficult to demarcate the fault, and Huawei cannot provide technical support. Therefore, heterogeneous KVMs are not supported in FusionSphere 6.0. The technical risks are detailed below.

The Libvirt driver connects to Libvirt at the virtualization layer so that FusionSphere OpenStack can manage and schedule resources at that layer. The key points of this connection are as follows:
- The Libvirt matched with the KVM shipped in different Linux OSs may be optimized, hardened, and extended, and the Libvirt version in use may also differ.
- The Libvirt drivers used in the OpenStack systems of various vendors also differ, because each vendor optimizes, hardens, and extends its own driver.
- Connecting heterogeneous KVM means that Huawei's Libvirt driver is connected to the Libvirt of the customer's hypervisor. Because compatibility tests have not been performed, issues may occur and certain functions may become unavailable. Once an issue occurs, it is difficult to determine whether it is caused by Huawei's Libvirt driver or by the third-party Libvirt, so disagreements may also arise during maintenance.
In conclusion, Huawei FusionSphere OpenStack does not support heterogeneous KVM. If the customer insists, the customer needs to provide the heterogeneous Libvirt driver.

1.9 How Are Storage Resources Connected to the FusionSphere OpenStack System? What Are the Main Concerns?
Currently, storage resources are connected to the FusionSphere OpenStack system using the
hypervisor. The reasons are as follows:
The OpenStack+VRM architecture retains the openness and compatibility of OpenStack. The
Cinder service is used to manage and schedule storage resources. The northbound standard
APIs are used to schedule resources.
The southbound storage interfaces are compatible with mainstream storage devices. With a
long period of commercial use, Huawei's hypervisor is compatible with mainstream storage
devices. Therefore, the Huawei hypervisor is used to connect storage resources to the
FusionSphere OpenStack system, implementing better system compatibility and stability.

In addition, advanced storage virtualization features, such as virtual file systems, thin-provisioned volumes, and volume expansion, are also supported in the FusionSphere OpenStack system.
Therefore, connecting storage resources to the FusionSphere OpenStack system through the hypervisor is reliable and cost-effective.

1.10 Does the Ironic Service in FusionSphere 6.0 Support Physical Server Management Across AZs?
Not supported. FusionSphere employs the native Ironic service, which is deployed in the same AZ as KVM. (In the open source community, each AZ is configured with one OpenStack system.) VRM and VMware virtualization resources can be deployed in multiple AZs.

1.11 Are Services Interrupted When Existing VMware Virtual Resource Pools on the Live Network Are Added to the FusionSphere OpenStack System?
Services are not interrupted when existing VMware virtual resource pools on the live network
are added to the FusionSphere OpenStack system. After the network information of the
VMware virtual resource pools is rebuilt in the FusionSphere OpenStack system (including
the database cutover and Neutron information update), the Neutron service will take over the
VM network data. For details, see the FusionSphere 6.0 Management Technical White Paper.

1.12 Do the Bare Metal Servers Support Automatic Deployment of Applications (Oracle Databases, Hadoop)?
FusionSphere 6.0 provides only the hardware resources for such applications; the deployment mode varies depending on the applications' capabilities.
The ManageOne+FusionSphere architecture provides the following application deployment modes:
- Applications are included in the image file, deployed together with the image file, and stored in the host OS after deployment.
- Applications are deployed through the Heat interfaces provided by ServiceCenter. FusionSphere 6.0 provides the native Heat service for service orchestration and requires users to be familiar with Heat programming basics.
- Applications are automatically deployed after physical resources are provisioned and key information, such as IP addresses, is obtained.
All the preceding modes must be tested case by case in actual projects. The FusionSphere 6.0 baseline capabilities do not include the automatic deployment of applications on physical servers.

1.13 Is One Set or Two Sets of ManageOne ServiceCenter Used to
Manage the Active and Standby Sites in the DR Scenario?
You can use either one set or two sets of ManageOne ServiceCenter to manage the active and standby sites. If two sets of ManageOne ServiceCenter are configured, the DR scheme for the controller nodes is provided by ManageOne ServiceCenter itself.

1.14 Must ManageOne Be Used in the Converged Resource Pool Solution?
In principle, ManageOne ServiceCenter must be installed, because in the OpenStack+VRM architecture ManageOne ServiceCenter, rather than FusionSphere OpenStack OM, is used to provision services.
If the customer insists on connecting the FusionSphere OpenStack system to a third-party cloud service platform and using that platform to provision services, ManageOne ServiceCenter is not required.

1.15 What Are the Precautions When Configuring the FusionSphere OpenStack Controller Nodes?
The FusionSphere OpenStack controller nodes must be deployed on at least three physical servers, and these servers must meet certain requirements.
Because the MongoDB database deployed on the FusionSphere OpenStack controller nodes stores monitoring information and requires high IOPS, solid state disks (SSDs) must be configured on the controller nodes.
For details, see the FusionSphere 6.0 Configuration Manual. Before the configuration manual is released, contact the cloud computing solution architect (SA) for the detailed configuration.

1.16 What Are the Constraints for the Bare Metal Servers?
FusionSphere OpenStack supports the following OSs on bare metal servers:
- SUSE Linux Enterprise Server 11 SP2
- SUSE Linux Enterprise Server 11 SP3
- SUSE Linux Enterprise Server 11 SP4
- Red Hat Enterprise Linux 6.3
- Red Hat Enterprise Linux 6.5
If other OSs are required in certain projects, the R&D engineers must carry out compatibility tests.
FusionSphere OpenStack supports only Huawei servers, including:
- Huawei RH2285 V2 servers

- Huawei RH2288H V3 servers
- Huawei RH5885 V3 servers
If other servers are required in certain projects, the R&D engineers must carry out compatibility tests.
When shared storage resources are connected to bare metal servers, only FC SAN storage is supported.

1.17 What Are the Constraints for the Backup and DR Solution?
- FusionSphere 6.0 supports administrator-based site DR, not tenant-based self-service DR.
- For DR, FusionSphere 6.0 supports only OceanStor V3 advanced SAN storage of VRM, and does not support active-active disaster recovery.
- FusionSphere 6.0 supports the backup of volumes, not of VMs.
- In backup scenarios, only FusionStorage and OceanStor V3 advanced SAN storage can be connected to the system at the production site, and OceanStor V3 NAS storage can be connected to the system at the backup site.

1.18 What Are the Constraints for the Projects Involving the
Existing Resource Pool Management?
- Only the VLAN network can be used to manage existing VMware or VRM resource pools.
- Peripheral features, such as USB, GPU, and SR-IOV, are not supported for managed VMware or VRM resource pools.
- Advanced features, such as VPN, vFW, and vRouter, are not supported for managed VMware or VRM resource pools.
- Because FusionSphere OpenStack does not provide the corresponding service models and interfaces, features such as VM snapshot, vAPP, and logical resource pool management are not supported for managed VMware or VRM resource pools.
- FusionSphere 6.0 supports the management of VMware resource pools only when vSphere 5.1 Enterprise Plus, vSphere 5.5 Enterprise Plus, or vSphere 6.0 Enterprise Plus is used.
- FusionSphere 6.0 supports only VDS networking for managing VMware resource pools.
- For small-scale VMware resource pools, you can guide the customer to migrate the service VMs running on the VMware virtualization system to the FusionSphere OpenStack system.
FusionSphere 6.0 supports the management of existing VMware and VRM resource pools. However, the technical details of resource pool management are complex and subject to many constraints. Have the cloud computing SA and engineers evaluate the actual project before responding to the customer.

1.19 Is VMware vSAN Supported in the Managed VMware Resource Pools in the Converged Resource Pool Solution?
In the converged resource pool solution, FusionSphere 6.0 does not support the vSAN storage used in VMware resource pools. When vSAN storage is connected to the VMware virtualization environment, the northbound interfaces of vCenter change, and VMware does not open these changes, so FusionSphere OpenStack cannot invoke the interfaces. In this case, guide the customer to use Huawei FusionStorage or standard SAN storage.

1.20 What Are the Precautions When Using the VIMS Storage
Virtualization?

If the Virtual Image Management System (VIMS) storage virtualization is used, configure two
additional GE ports on the compute nodes for management of the virtual storage file system.
For details, see the requirements for compute nodes provided in the FusionSphere 6.0
Configuration Manual.

1.21 What Are the Integration Strategies for the F5 Load Balancer
to Support the vLB Service?
The F5 load balancer is required to provide the vLB service. However, as an external
component, F5 load balancer is not included in the FusionSphere 6.0 baseline capabilities, and
the integration of the F5 load balancer is determined based on projects.

1.22 What Are Host Aggregates in FusionSphere OpenStack? Does FusionSphere OpenStack Have Clusters?
FusionSphere OpenStack has host aggregates. In the FusionSphere OpenStack system, a host aggregate is a group of compute nodes tagged with specific attributes or features. When you create a VM, the tag in the extra_specs extension parameter of the VM flavor must match the tag of the host aggregate; the VM can then be created on a host in that host aggregate.
This process is used when upper-layer applications use the SLA service. For example, if you create a VM with a high-performance SLA specification, the VM will be created on a host tagged with the high-performance service level agreement (SLA).
The FusionSphere OpenStack system does not have clusters.
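The flavor-to-aggregate matching described above, as an added illustration that is not FusionSphere code: it reproduces the matching rule of the upstream Nova AggregateInstanceExtraSpecsFilter (keys scoped aggregate_instance_extra_specs: in the flavor's extra_specs, compared with aggregate metadata using Nova's operator syntax) over constructed aggregates, hosts and flavors, and shows that a host belonging to no aggregate tagged with a required key is rejected rather than silently accepted.

```python
"""Host-aggregate scheduling as described in FAQ 1.22, as an added
illustration (not FusionSphere code). It mimics the matching rule of the
upstream Nova AggregateInstanceExtraSpecsFilter: every flavor extra_specs
entry scoped 'aggregate_instance_extra_specs:<key>' must be satisfied by
the metadata of an aggregate that contains the candidate host. Operator
strings follow Nova's extra_specs_ops syntax. Aggregates, hosts and flavors
below are constructed sample data."""
from collections import defaultdict

SCOPE = "aggregate_instance_extra_specs:"


def match_spec(value, req):
    """Compare one aggregate metadata value with one flavor requirement.
    Plain strings must be equal; '<or> a <or> b' accepts any alternative;
    '<in> x' is a substring test; '=', '>=', '<=', '==', '!=' compare as
    numbers ('=' means 'at least', as in Nova); 's==' / 's!=' compare as
    strings."""
    words = req.split()
    if not words:
        return value == req
    op, args = words[0], words[1:]
    if op == "<or>":
        return value in args[0::2]  # skip the repeated '<or>' keywords
    if op == "<in>":
        return bool(args) and args[0] in value
    numeric = {"=": lambda v, r: v >= r, ">=": lambda v, r: v >= r,
               "<=": lambda v, r: v <= r, "==": lambda v, r: v == r,
               "!=": lambda v, r: v != r}
    if op in numeric:
        try:
            return bool(args) and numeric[op](float(value), float(args[0]))
        except ValueError:
            return False  # non-numeric metadata never satisfies a numeric op
    if op == "s==":
        return bool(args) and value == args[0]
    if op == "s!=":
        return bool(args) and value != args[0]
    return value == req  # unknown operator: treat the whole string literally


def host_metadata(host, aggregates):
    """Merge the metadata of every aggregate containing `host`. A key may
    carry several values when the host belongs to more than one aggregate."""
    meta = defaultdict(set)
    for agg in aggregates:
        if host in agg["hosts"]:
            for key, value in agg["metadata"].items():
                meta[key].add(value)
    return meta


def host_passes(host, flavor_extra_specs, aggregates):
    """True if `host` satisfies every aggregate-scoped requirement of the
    flavor. A host in no aggregate tagged with a required key is rejected;
    keys in other scopes (e.g. 'hw:') belong to other filters and are
    ignored here."""
    meta = host_metadata(host, aggregates)
    for key, req in flavor_extra_specs.items():
        if key.startswith(SCOPE):
            key = key[len(SCOPE):]
        elif ":" in key:
            continue
        values = meta.get(key)
        if not values:
            return False
        if not any(match_spec(v, req) for v in values):
            return False
    return True


def eligible_hosts(flavor_extra_specs, hosts, aggregates):
    """Hosts on which a VM of this flavor may be created."""
    return [h for h in hosts if host_passes(h, flavor_extra_specs, aggregates)]


# Constructed sample data (not taken from the FAQ document).
AGGREGATES = [
    {"name": "sla-high", "hosts": {"node01", "node02"},
     "metadata": {"sla": "high", "disk": "ssd-raid10"}},
    {"name": "sla-standard", "hosts": {"node03", "node04"},
     "metadata": {"sla": "standard"}},
    {"name": "gpu", "hosts": {"node02"}, "metadata": {"gpu": "true"}},
]
HOSTS = ["node01", "node02", "node03", "node04", "node05"]  # node05 untagged
FLAVOR_HIGH_SLA = {SCOPE + "sla": "high"}
FLAVOR_HIGH_SLA_GPU = {SCOPE + "sla": "high", SCOPE + "gpu": "true"}
FLAVOR_ANY_SLA = {SCOPE + "sla": "<or> high <or> standard",
                  "hw:cpu_policy": "dedicated"}

if __name__ == "__main__":
    for name, flavor in (("high-sla", FLAVOR_HIGH_SLA),
                         ("high-sla+gpu", FLAVOR_HIGH_SLA_GPU),
                         ("any-sla", FLAVOR_ANY_SLA)):
        print(name, eligible_hosts(flavor, HOSTS, AGGREGATES))
```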

1.23 Is NUMA Supported in the Cloud DC Scenario?


In cloud DC scenarios, FusionSphere supports host non-uniform memory access (NUMA).

1.24 At Which Layer Does the VM HA Work?
The VM HA function works at the VRM layer.

1.25 Is CPU Overcommitment Supported in the Cloud DC Scenario?
In cloud DC scenarios, FusionSphere supports CPU overcommitment.

1.26 How Are Storage Resources Connected to the FusionSphere OpenStack System in Cloud DC Scenarios?
In cloud DC scenarios, storage resources are first added to FusionCompute, and the VRM resource pools are then connected to the Cinder module through the driver. Therefore, storage resources, whether traditional SAN storage or FusionStorage, are not directly added to the Cinder module.

1.27 What Functions Does a Cinder QoS Policy Provide? What Is the Difference Between Front-end and Backend Controlling?
Using a Cinder QoS policy, you can control the upper limits of the IOPS and of the read, write, and total throughput of storage I/Os. In the front-end mode, I/Os are controlled by the hypervisor; in the backend mode, storage I/Os are controlled on the storage devices through the Cinder driver.
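The front-end/backend distinction above, as an added illustration that is not FusionSphere or Cinder code: it validates a QoS spec, splits its limits by the consumer field into the set the hypervisor enforces and the set the Cinder driver pushes to the storage device, and renders the hypervisor-side set as the libvirt iotune element that upstream Nova emits for the attached disk on KVM compute nodes. The front-end limit key names are the upstream ones; the policies and the back-end key names are constructed placeholders.

```python
"""Cinder QoS policy handling as described in FAQ 1.27, as an added
illustration (not FusionSphere or Cinder code). The 'consumer' field of a
QoS spec decides where its upper limits are enforced: front-end limits go
to the hypervisor with the volume attachment, back-end limits are pushed
to the storage array by the volume driver, 'both' does both. The limit key
names below are the ones the upstream front-end path understands; the
sample policies and the back-end key names are constructed placeholders."""
from xml.etree import ElementTree as ET

FRONT_END_KEYS = ("total_iops_sec", "read_iops_sec", "write_iops_sec",
                  "total_bytes_sec", "read_bytes_sec", "write_bytes_sec")
CONSUMERS = ("front-end", "back-end", "both")


def _limits(spec):
    """Everything in the spec except its name and consumer is a limit."""
    return {k: v for k, v in spec.items() if k not in ("name", "consumer")}


def validate_qos_spec(spec):
    """Return a list of problems; an empty list means the spec is usable."""
    errors = []
    consumer = spec.get("consumer", "back-end")
    if consumer not in CONSUMERS:
        errors.append("consumer must be one of %s, got %r" % (CONSUMERS, consumer))
    limits = {}
    for key, value in _limits(spec).items():
        try:
            number = int(value)
        except (TypeError, ValueError):
            errors.append("%s: limit must be an integer, got %r" % (key, value))
            continue
        if number < 0:
            errors.append("%s: an upper limit cannot be negative" % key)
        if consumer in ("front-end", "both") and key not in FRONT_END_KEYS:
            errors.append("%s: not a key the hypervisor can enforce" % key)
        limits[key] = number
    # libvirt refuses a total_* limit combined with a read_*/write_* limit of
    # the same kind, so catch it here instead of at volume attach time.
    if consumer in ("front-end", "both"):
        for kind in ("iops", "bytes"):
            if "total_%s_sec" % kind in limits and any(
                    "%s_%s_sec" % (d, kind) in limits for d in ("read", "write")):
                errors.append("total_%s_sec cannot be combined with "
                              "read/write_%s_sec" % (kind, kind))
    return errors


def split_enforcement(spec):
    """Return (front_end_limits, back_end_limits): the limits the hypervisor
    applies and the limits the Cinder driver pushes to the storage device."""
    consumer = spec.get("consumer", "back-end")
    limits = {k: int(v) for k, v in _limits(spec).items()}
    front = dict(limits) if consumer in ("front-end", "both") else {}
    back = dict(limits) if consumer in ("back-end", "both") else {}
    return front, back


def iotune_xml(front_limits):
    """Render front-end limits as the libvirt <iotune> disk element that the
    upstream Nova libvirt driver emits on KVM compute nodes; '' when there is
    nothing for the hypervisor to enforce."""
    if not front_limits:
        return ""
    iotune = ET.Element("iotune")
    for key in FRONT_END_KEYS:
        if key in front_limits:
            ET.SubElement(iotune, key).text = str(front_limits[key])
    return ET.tostring(iotune, encoding="unicode")


# Constructed sample policies (not taken from the FAQ document).
FRONT_END_POLICY = {"name": "gold-frontend", "consumer": "front-end",
                    "total_iops_sec": "2000", "total_bytes_sec": "104857600"}
# Back-end key names are interpreted by the storage driver; placeholders here.
BACK_END_POLICY = {"name": "gold-backend", "consumer": "back-end",
                   "max_iops": "2000", "max_bandwidth_mb": "100"}
BAD_POLICY = {"name": "bad", "consumer": "frontend",
              "total_iops_sec": "1000", "read_iops_sec": "-5"}

if __name__ == "__main__":
    for policy in (FRONT_END_POLICY, BACK_END_POLICY, BAD_POLICY):
        problems = validate_qos_spec(policy)
        print(policy["name"], problems or "OK")
        if not problems:
            front, back = split_enforcement(policy)
            print("  hypervisor:", front, "| storage:", back)
            print("  iotune:", iotune_xml(front) or "(none)")
```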

1.28 Is eBackup Used in FusionSphere 6.0? How Does eBackup Work?
Instead of the swift and tsm backup drivers, FusionSphere 6.0 uses the eBackup driver to
connect to eBackup, which backs up data to NAS storage. Data is backed up to the storage
media (V3 NAS) through the eBackup driver and the eBackup backup software.

1.29 What Is the Difference Between CPS and CBS Installation?
CBS is used to install OSs on physical servers, whereas CPS is used to install the service
software on physical servers.

1.30 Are All Nodes in the FusionSphere OpenStack System
Automatically or Manually Installed?
All the FusionSphere OpenStack nodes can be automatically installed using preboot execution
environment (PXE).

1.31 How Long Does It Take to Add Compute Nodes to the FusionSphere OpenStack System?
The FusionSphere OpenStack system takes about 15 minutes to add new compute nodes.

1.32 Must a Heterogeneous Virtualization Platform Be Deployed in an Independent AZ in the
FusionSphere OpenStack System?
When heterogeneous virtualization platforms are connected to the FusionSphere system, each
virtualization platform forms an independent availability zone (AZ).

1.33 Which Native OpenStack Version Does Huawei Use, and What Is the Follow-up Plan?
Huawei FusionSphere 6.0 is developed based on the OpenStack Juno release, and FusionSphere
OpenStack 6.1 is planned to be developed based on the OpenStack Liberty release. Huawei
FusionSphere supports smooth upgrade between releases.

1.34 What Are the Enhanced Features of Huawei FusionSphere OpenStack Beyond Open-source
OpenStack?
HA framework
The HA framework resolves the single point of failure that arises when an OpenStack
management process runs as a single instance. In addition, the HA framework supports
deploying OpenStack services on multiple instances in load-sharing mode, so OpenStack
functions are not affected if a single physical server is faulty.
Auto Deployment
All physical servers in a data center can be automatically installed and added to the cloud
resource pool for central management. The auto deployment service automatically installs the
required cloud platform software packages, such as the hypervisor and OpenStack software
packages, on physical servers in PXE mode according to the configuration plan. In this way,
the entire cloud platform can be rapidly installed and expanded.

Smooth upgrade
Huawei provides an upgrade tool that uses a user interface (UI) to achieve smooth system
upgrade. During the upgrade of a node, VMs on the node are migrated to other nodes to
ensure that VM services are not interrupted.
Log & Monitor
FusionSphere provides system operation logging and performance monitoring functions,
tracing all operations and therefore improving user operation security. FusionSphere
OpenStack monitors physical server and VM performance data in order to allow users to
easily discover system performance bottlenecks.
API proxy
FusionSphere uses the API proxy to isolate OpenStack internal management networks from
external networks. This function prevents OpenStack service interfaces from being directly
accessed from the external network and improves OpenStack network security.
Health check and information collection
FusionSphere provides one-click health check and information collection based on WebUI.
The check period and items can be customized. In addition, one-click fault diagnoses and
remote fault locating are supported. This significantly optimizes FusionSphere OpenStack
O&M capabilities, improves the system O&M efficiency, and reduces customers' O&M costs.
Management data reliability enhancement
Using a unique dual-partition technology, the local storage of a server is divided into two
partitions between which data is synchronized in real time. If the active partition is
faulty, the standby partition takes over its services. In addition, the system backs up all
OpenStack management data and transmits it to a third-party storage system through
FTP/S3/HTTPS to enhance data security. If required, the system can be restored from these
backups.

Figure: Unique dual-partition technology (active and standby partitions on the local storage
of physical servers; the standby partition takes over services when the data is damaged)
and automatic data backup (real-time backup and daily backup between the active and standby
management nodes)

1.35 Does FusionSphere Support the Commercial Use of
Elastic IP Address (EIP) in Cloud DC Scenario?
FusionSphere supports the commercial use of elastic IP address (EIP) in Cloud DC
scenario.

1.36 Does FusionSphere OpenStack Support Physical Server Provisioning?
FusionSphere OpenStack provisions physical servers using the OpenStack Ironic module.

1.37 Does FusionSphere OpenStack Support Hardware Monitoring, and How Strong Is the
Monitoring Capability?
FusionSphere OpenStack 6.0 provides only basic hardware monitoring. For professional
hardware monitoring, use eSight.

1.38 Why Are Both MongoDB and GaussDB Required in FusionSphere OpenStack?
MongoDB stores Ceilometer monitoring data, and GaussDB stores the information of the other
OpenStack components concerning compute, storage, network, and VMs.

1.39 How Can Huawei FusionSphere OpenStack Connect to VMware vSphere? For Example, How Is
the Network Connected, Through VSS or VDS? Or Does Huawei Provide a Specific Method?
The network connection is provided by VMware VDS.

1.40 Why Is MongoDB Used in OpenStack Rather Than Other Databases?
MongoDB is able to store the huge amount of data produced by the Ceilometer monitoring
service and offers high IOPS. Therefore, the OpenStack community chose it, and Huawei
FusionSphere OpenStack inherits this choice.

1.41 Does FusionSphere OpenStack Support a Configurator? Does It Need to Be Manually
Configured?
FusionSphere OpenStack does not support a configurator. Configure it manually following
the FusionSphere 6.0 Configuration Manual if needed. Contact the cloud computing SA for
the final review and evaluation.

2 Related Issues of Virtualization

2.1 What OS Is Installed at the Underlying Layer of Servers?
The virtualization software FusionCompute is installed on the underlying layer of servers.
FusionCompute is a tailored, customized, and enhanced operating system developed by
Huawei based on SUSE Linux.

2.2 What's New in FusionCompute Compared with Xen?
FusionCompute is based on Xen 4.0 and enhances it in reliability, performance, usability,
and user experience.

Table 1-1 Improvements FusionCompute made based on Xen

Competitiveness             Key Point
High performance            iNIC queue pass-through
                            Para-virtualization (PV) front-end and back-end enhancements
                            VT-d/SR-IOV
Low cost                    Memory sharing
                            Memory swapping
                            Linked cloning
                            Thin deployment mode
Excellent user experience   Dom 0 automatic scalability
                            CPU QoS
                            Storage QoS
                            Network QoS
                            Keyboard and mouse acceleration
HA                          VM fault tolerance
                            VM snapshot
                            VM probe
                            Black box

2.3 What Is the Space Size Needed for Deploying the Virtualization Software?
The size of the files used for installing FusionSphere CNA compute nodes is about 324 MB,
and about 1 GB of disk space is occupied after the installation. The size of the files for
installing VRM controller nodes is 596 MB, and about 2 GB of disk space is occupied after
the installation.
The suggested hard disk partition is greater than 50 GB.

2.4 What Is the Clock Rate of a vCPU?
The processing capability of each vCPU depends on the number of vCPUs that a physical CPU
provides and on the CPU clock rate.
For example, if the CPU clock rate is 2.4 GHz and each CPU provides 32 vCPUs, the
processing capability of each vCPU is 0.075 GHz. However, if a physical CPU is dedicated
to a single vCPU, the maximum processing capability of the vCPU equals that of the CPU,
which is 2.4 GHz.

2.5 Can vCPUs Be Automatically Assigned to VMs?
VMs on the same physical server share the CPU processing capability. In FusionCompute, the
minimum and the maximum CPU processing capability are configured for each VM. Within
this range, the processing capability is automatically assigned to each VM based on service
requirements.

2.6 Can Memory Be Automatically Assigned to VMs?
Question:
Can VM memory that is not in use be assigned to other VMs if the maximum memory and
reserved memory have been set for a VM? What should we do if the VM requires more
memory after its memory has been assigned to other VMs and cannot be reclaimed?

Answer:
VMs on the same physical server share the memory resources. Memory overcommitment,
memory over-allocation, and on-demand automatic scheduling between the reserved and
maximum VM memory are implemented through memory ballooning, zero page sharing, and
memory swapping.
VM memory can be adjusted within the configured memory range. For example, if the
maximum memory configured for a VM is 2 GB, the system automatically assigns the
required memory to the VM within 2 GB.
If memory over-allocation were enabled for a VM with a maximum memory of 2 GB, the
system would automatically assign 2.5 GB of memory to the VM when the VM requires more
memory. So far, this function is not supported. Instead, configure more memory for the
VM. For example, configure 4 GB for a VM that may consume a maximum of 3.8 GB of memory.
The memory is still assigned to the VM based on what it actually requires, which
maximally leverages the memory resources.
Memory ballooning enables the hypervisor to release the idle memory of a VM to a VM
whose memory usage is high. The value displayed in the guest OS remains the same; the
increase in memory usage is caused by memory ballooning and is not related to the
guest OS.
Memory hot swap up to the maximum VM memory has special requirements on the guest OS:
the OS running on the VM must support memory reclaiming.
Windows XP and Windows Server 2003 do not support the memory hot swap function.
OSs including Windows Server 2008, Red Hat Enterprise Linux 5.5, and SUSE Linux
Enterprise Server 11 SP1 support the memory hot swap function.
In extreme circumstances, the reserved memory is used, together with zero page sharing
and memory swapping, to guarantee memory resources. To solve the problem fundamentally,
record the service load over a long period before migration and make sure that enough
memory is planned for the servers and VMs after migration.

2.7 Will All VMs Become Unavailable Due to a Memory Sharing Fault?
The virtualization memory sharing feature is memory management at the operating system
(OS) level. If VMs on a physical server run the same OS, they can share memory, which is
read-only. In this case, memory issues rarely occur.
There are two situations for hardware memory faults on a server:
Recoverable fault: FusionCompute Domain 0 isolates the faulty memory module and copies
the original memory to newly allocated memory. The system continues to function properly.
Unrecoverable fault: If the memory module is faulty, the system runs abnormally. A blue
screen of death (BSOD) may occur on a Windows-based VM, and a VM exception occurs on a
Linux-based VM; VM HA is then triggered automatically.

2.8 Can CPU and Memory Capacities Be Expanded Online?
FusionSphere 6.0 supports static CPU and memory capacity expansion.
The hot-add memory and hot-plug vCPU features of VMware are not as practical as they are
claimed to be.
Restart the VM if online CPU and memory capacity expansion is not enabled.
The OS running on the VM must support online CPU and memory capacity expansion.
Generally, no OS supports online CPU and memory capacity reduction, and few OSs support
online CPU and memory capacity expansion. For details, see 2.5 "Can vCPUs Be
Automatically Assigned to VMs?"
The applications on the VM must support online CPU and memory capacity expansion. Not
all applications running on a VM are able to use newly added vCPUs and memory.
Online CPU and memory capacity expansion conflicts with the fault tolerance function.
(The fault tolerance function does not support multiple vCPUs.)

2.9 Does FusionSphere 6.0 Support Fine-grained QoS Migration Control Based on Network
Traffic, CPU Usage, Memory Usage, and I/O Throughput?
When the CPU usage of a computing blade is high, the system can automatically migrate some
VMs running on the blade to other blades whose CPU usage is low. When the CPU usage of
multiple computing blades is low, the system can also consolidate the VMs running on these
blades onto a few blades and power off the idle blades. The system can automatically
migrate VMs at a user-specified time. The system can set a speed limit of 1000 Mbit/s or
100 Mbit/s for vNICs. The system cannot automatically migrate VMs based on network traffic
or storage I/O throughput.

2.10 Does FusionSphere 6.0 Support Fault Tolerance (FT)?
The official version does not support this function.
The competitive test version does not support this function.
The FT function of VMware requires double the resources, and scenarios that require zero
service interruption seldom exist. In addition, Huawei virtualization supports HA, so
services are interrupted only for the short time taken for the VMs to restart, which meets
basic requirements.
The FT function requires that the active and standby copies run at the same time,
resulting in high costs.
The FT function can only be implemented on VMs configured with a single vCPU. In most
cases, virtual servers are configured with multiple vCPUs, so customers cannot benefit
from the FT function.
The CPUs of the active and standby VM hosts must be of the same model, making deployment
more difficult.
Mainstream virtualization vendors provide the HA function to achieve high availability of
virtual servers.

2.11 Does FusionSphere 6.0 Support Linked Cloning?
FusionSphere 6.0 supports linked cloning. You are advised to use this function in desktop
cloud scenarios and not in server consolidation scenarios.
Linked cloning is a technology that maps a VM disk to the combination of a base volume and
a delta volume, which reduces VM creation time and disk space occupation.

2.12 Does FusionSphere 6.0 Support Incremental Snapshots?
FusionSphere 6.0 supports incremental snapshots.

2.13 Does FusionSphere 6.0 Virtualization Support Local Storage?
FusionSphere 6.0 virtualization supports local storage.

2.14 Can the Size of a System Disk Be Specified When Using Images or Templates to Create a
VM?
If you use an image or template to create a VM, the system disk size must be the same as that
of the original VM from which the image was created.

2.15 Do Windows-based VMs Share the Same SIDs?
The security identifier (SID) remains the same if you use the Huawei VM management
interfaces. Manually change the SID if you want to join a domain.

2.16 How Does a VM Implement HA?
To implement VM high availability (HA), the virtualization environment must use shared
storage. Disk locking, the key technology of HA, is used to prevent split-brain. When the
cloud platform detects a compute node or VM failure, FusionSphere automatically starts the
failed VM on a functional compute node.
HA trigger conditions:
A server becomes faulty.
A VM fault occurs, including blue screen of death (BSOD), Linux panic, BUG_ON, and Oops.
HA is not triggered when processes on a compute node become faulty, the service NIC fails,
or I/O is suspended.

Fault detecting duration: If a cluster has 20 VMs, the VM fault detecting process requires 8
seconds, and the VRM spends 5 seconds detecting the CNA fault and will time out if the
detecting process takes more than 15 seconds. If the number of VMs in the cluster increases,
the fault detecting process requires more time, about 30 seconds.
The fault rectification duration is as long as the time taken for the VMs to restart.

2.17 Does Virtualization Support USB Encryption Devices?
Some applications can only be identified by VMs after a USB encryption device has been
connected to the server. VMware provides the USB over IP solution, which supports VM
migration.
FusionCompute supports USB devices for VMs if the USB devices have been connected to the
hardware server in either of the following modes:
USB device emulation
USB device passthrough
Special USB encryption devices first require USB passthrough to be configured with
commands at the base layer, and then identification by the OS or applications.
The USB encryption device is only responsible for identifying USB devices. It requires
dedicated drivers to work on a VM.
If the VM is migrated, the connected USB device becomes unavailable.

2.18 Does the Black Box Record VM Logs and User Behaviors?
No.
VM logs, user behaviors, and operations are recorded by the upper-layer cloud management
system.
A black box collects and stores the system running information of a physical machine
equipped with FusionCompute (including Domain 0 and Xen) before the physical machine
exits abnormally. The information is mainly OS-level information:
Kernel log
Screen output before the abnormal exit
Diagnosis information from the diagnosis tool (kernel module)

2.19 How Does the Information Recorded by the Black Box Become Available When a Fault
Occurs in the System?
The black box is installed in the kernel of the FusionCompute Dom0 as a kernel module.
When the black box host restarts unexpectedly, exception messages are reported based on
the exception type and network availability, with the following requirements:
FusionCompute has been installed on the host.
NICs support the netpoll function.

The IPMI interface is available for communication between boards and BMC.
The syslog, network, IPMI, and boot.kdump services have been enabled.
The black box provides the following storage modes and selects one of them based on the
exception type and network availability:
Network output: Exception messages are exported to the root directory of the FTP server.
If the OS is corrupted, the Mini OS (on the BMC board) delivered with the black box host
uploads the exception messages. To read fault messages, log in to the FTP server and
obtain the log files.
Local storage: The default storage path is a directory on the black box host.
System logs: These are also stored in a directory on the black box host.

2.20 How Does Virtualization Support Service Clusters?
A service cluster is composed of several servers that provide the same applications, such
as Exchange, Active Directory, and SQL Server.
A user can attach a shared disk simultaneously to a maximum of four VMs (generally two) to
form a cluster. The cluster software controls service access to the disks.
The VM snapshot function is unavailable in service clusters.
Virtualization is not recommended for shared-disk-based service clusters.

2.21 How Is Virtual Load Balancing Implemented?
The cloud platform does not support virtual load balancing currently.
You can configure load balancers to meet customers' requirements for load balancing. There
are hardware and software load balancers, and hardware load balancers are preferred. The
cloud platform supports only F5 devices currently, which can be used based on service traffic
and reliability requirements. Choose a load balancer with enough capacity, because the
capacity expansion is complex and inconvenient.

2.22 Can Multiple Associated VMs Be Automatically Distributed on Different Physical
Servers?
You can configure location affinity and anti-affinity functions to distribute multiple
associated VMs onto different physical servers.

2.23 Are Service VMs Distributed on Physical Servers Regularly or Randomly?
Live migration is a highlight of virtualization. If VMs are fixed on physical servers,
virtualization loses this highlight.

When you create a VM, the system selects an appropriate server with sufficient idle resources
in the cluster to accommodate the VM. A service VM can be manually migrated to a planned
physical server, and be fixed there afterwards. VMs can be migrated to other physical servers
automatically when:
trigger conditions of resource scheduling policies are met.
their original servers are faulty.
VM HA is triggered due to VM faults.

2.24 How Is the CPU Performance Optimized by the Huawei Virtualization Software?
The Huawei virtualization software supports hardware-assisted virtualization. The Intel VT-x
and AMD-V technologies implement CPU virtualization without changing the kernel of the
guest OS or processing the instructions of the guest OS using binary translation. This
significantly improves CPU performance.

2.25 How Is the Memory Performance Optimized by the Huawei Virtualization Software?
The Huawei virtualization software supports memory overcommitment techniques, including
intelligent memory overcommitment policies, memory ballooning, memory swapping, and
memory sharing, which reduces memory procurement costs and prolongs the memory service
time of physical servers.
The Huawei virtualization software supports the Intel extended page table (EPT) technology,
which simplifies the mapping of memory addresses between the guest OS and the physical
server. This reduces the overheads in memory virtualization.
The Huawei virtualization software supports huge memory pages so that the guest OS and
applications can access the memory more quickly.

2.26 How Is the I/O Performance Optimized by the Huawei Virtualization Software?
The Huawei virtualization software supports the virtual machine device queues (VMDq)
technology, which enables data sorting to be performed by physical network interface cards
(NICs) instead of the virtualization software, and forwards the data to the destination
VMs through a receive queue. In this case, VMs can still be live migrated.
The Huawei virtualization software supports the single-root I/O virtualization (SR-IOV)
technology, which enables routing to be implemented by physical NICs instead of virtual
switches.
The Huawei virtualization software supports the front-end and back-end device simulation
technology, which raises I/O performance by over 40% compared with a system that uses the
traditional QEMU device simulation technology.

2.27 What Features Does the Huawei Virtualization Security
Solution Offer?
VM isolation: includes CPU scheduling isolation, internal network isolation, and
memory isolation and hard disk isolation of different VMs.
Protection against malicious VMs.
Security groups.
Tailoring and reinforcement of the cloud platform OS.
Virtualization antivirus.

2.28 What Is the Huawei Infrastructure Security Solution?
OS security hardening: includes security hardening of compute nodes, storage nodes,
management nodes, and application components.
Database security hardening: install OS data files and database data files on different
NTFS partitions; install database programs and files on non-system volumes; adhere to the
minimum installation principle; restrict the protocols that database clients can use to
connect to database servers (for example, only TCP/IP is allowed) and ensure the protocols'
security; restrict the ports that database clients can use to connect to database servers,
and disable the default port; set strong passwords for users and change them periodically;
adhere to the minimum authorization principle, and assign permissions by user group.
Antivirus: use a third-party antivirus solution. Deploy antivirus servers (for example, the
OfficeScan 8.0 server) in cloud computing systems to manage the antivirus software, and
install the OfficeScan 8.0 client to protect the antivirus servers.
Security patches.

2.29 How Are Services Isolated on VMs?
VM services are isolated in the following ways:
VM isolation
The hypervisor isolates the VMs running on a physical server to prevent data theft and
attacks, and thereby ensures an independent running environment for each VM. Users can
only access the resources belonging to their own VMs, such as hardware and software
resources and data, which ensures VM isolation security.
Isolation between physical and virtual resources
The hypervisor centrally manages physical resources to ensure that each VM obtains
independent physical resources; it also contains VM faults so that the crash of one VM
does not affect the hypervisor or other VMs.
vCPU scheduling isolation
The Huawei cloud computing platform uses x86 architecture servers to protect instruction
execution. The x86 architecture offers four privilege levels, ranging from Ring 0, which
is the most privileged, to Ring 3, which is the least privileged. Ring 0 is used for the
OS kernel, Ring 1 and Ring 2 for OS services, and Ring 3 for applications. Each privilege
level restricts the instructions that can be run. The hypervisor schedules the vCPU
context switch. The VM OS runs in Ring 1 to prevent the guest OS

from executing all privileged instructions. The applications run in Ring 3. In this way,
the OS and applications are isolated.
Virtual memory isolation
The VM uses memory virtualization technology to virtualize the physical memory and
isolate the virtual memory. This technology introduces a new address space, called the
physical address, for guests on top of the existing mapping between the virtual address
and the machine address. The VM OS translates a virtual address into a physical address.
Then, the hypervisor translates the physical address into a machine address and sends
the machine address to the physical server.
A virtual address (VA) is provided by the guest OS for its applications.
A physical address (PA) is abstracted by the hypervisor for a VM.
A machine address (MA), the real address of the machine, is the address signal on the
address bus.
Internal network isolation
The hypervisor provides the virtual firewall-router (VFR) function. Each VM has one or
more virtual interfaces (VIFs) logically associated with the VFR. Data packets sent from
a VM first reach Domain 0. Domain 0 filters the data packets, checks their integrity,
adds or deletes rules, attaches certificates after authentication, and sends the data
packets to the destination VM. The destination VM then checks the certificates to
determine whether to accept the data packets.
Disk I/O isolation
The hypervisor intercepts and processes all I/O operations of a VM to ensure that the VM
only accesses the hard disks allocated to it.
Network isolation
Network isolation is achieved through firewall configuration and VLAN allocation.

2.30 How Can I Prevent Mutual Attacks Among VMs in the Same Security Group or in Different
Security Groups?
The security group feature allows users to control the interconnection and isolation between
VMs to enhance VM security. The default security group rules are as follows:
VMs in the same security group can communicate with each other by default.
VMs in different security groups are isolated from each other by default.
Only requests allowed by a security group can access VMs in the security group.
Requests not allowed by a security group cannot access VMs in the security group.
Users can configure security group rules as follows:
Specify the security groups which can access a specific security group.
Specify peer network devices that can access a specific VM.
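The default rules and the two user-configurable rule types listed above, as an added example that is not code from the FAQ or from FusionSphere: a minimal evaluator that allows traffic within a group by default, isolates different groups unless the destination's group lists the source's group, and admits peer network devices only from explicitly allowed address ranges. Group names, VM names and addresses are constructed, and each VM is placed in exactly one group to keep the model small.

```python
"""Minimal security-group rule evaluator (added example, not FusionSphere code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SecurityGroup:
    name: str
    members: Set[str]                                      # VMs in this group
    allowed_groups: Set[str] = field(default_factory=set)  # groups allowed to reach members
    allowed_cidrs: List[str] = field(default_factory=list) # peer devices allowed to reach members


def group_of(vm: str, groups: Dict[str, SecurityGroup]) -> Optional[SecurityGroup]:
    """Return the single group a VM belongs to, or None for an unknown VM."""
    for group in groups.values():
        if vm in group.members:
            return group
    return None


def vm_to_vm_allowed(src_vm: str, dst_vm: str, groups: Dict[str, SecurityGroup]) -> bool:
    """Default rules: same group allows; different groups are isolated unless the
    destination's group explicitly lists the source's group."""
    src_group = group_of(src_vm, groups)
    dst_group = group_of(dst_vm, groups)
    if src_group is None or dst_group is None:
        return False                       # unknown VM: fail closed
    if src_group is dst_group:
        return True
    return src_group.name in dst_group.allowed_groups


def device_to_vm_allowed(src_ip: str, dst_vm: str, groups: Dict[str, SecurityGroup]) -> bool:
    """A peer network device (outside all groups) reaches a VM only if its address
    falls inside a CIDR the destination's group allows."""
    dst_group = group_of(dst_vm, groups)
    if dst_group is None:
        return False
    addr = ip_address(src_ip)
    return any(addr in ip_network(cidr) for cidr in dst_group.allowed_cidrs)


def reachability(groups: Dict[str, SecurityGroup]) -> Dict[Tuple[str, str], bool]:
    """Defender's view: which group can reach which, derived from the same rules.
    Useful for spotting an unintended path such as a database group that is
    reachable from a front-end group it was never meant to trust."""
    names = sorted(groups)
    return {(src, dst): src == dst or src in groups[dst].allowed_groups
            for src in names for dst in names}


# Constructed sample: a load balancer tier, a web tier and a database tier.
GROUPS = {g.name: g for g in [
    SecurityGroup("lb", {"lb1"}),
    SecurityGroup("web", {"web1", "web2"}, allowed_groups={"lb"},
                  allowed_cidrs=["10.0.0.0/24"]),        # e.g. an admin jump network
    SecurityGroup("db", {"db1"}, allowed_groups={"web"}),
]}


if __name__ == "__main__":
    for src, dst in [("web1", "web2"), ("web1", "db1"), ("db1", "web1"), ("lb1", "db1")]:
        print(f"{src} -> {dst}: {'allow' if vm_to_vm_allowed(src, dst, GROUPS) else 'deny'}")
    for ip, dst in [("10.0.0.7", "web1"), ("192.168.1.5", "web1"), ("10.0.0.7", "db1")]:
        print(f"{ip} -> {dst}: {'allow' if device_to_vm_allowed(ip, dst, GROUPS) else 'deny'}")
    for (src, dst), ok in sorted(reachability(GROUPS).items()):
        print(f"group {src} -> group {dst}: {'allow' if ok else 'deny'}")
```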

2.31 Are API Interfaces of a VM Encrypted?
Yes, the API interface of a VM is encrypted using Secure Sockets Layer (SSL).

2.32 Is the Data of a VM Cleared After the VM Is Deleted?
The first 10 MB of data on a VM volume is cleared, and the rest is retained. Clear all the
data forcibly if necessary.

2.33 How Can I Guarantee User Data Security?
Username and password
All passwords are encrypted and of high complexity.
Data transmission uses certificates for authentication.
Transmission security
Data transmission may be interrupted, and data may be replicated, modified, forged,
intercepted, and monitored during transmission. Therefore, it is necessary to ensure the
integrity, confidentiality, and validity of data during network transmission:
Administrators access management systems using Hypertext Transfer Protocol Secure (HTTPS),
and data transmission channels are encrypted using Secure Sockets Layer (SSL).
Users access VMs using HTTPS, and data transfer channels are encrypted using SSL.
HTTPS provides encrypted data transmission and identity authentication. It encrypts data
using SSL, which provides the following functions:
Authenticates users and servers and ensures that data is sent to the correct clients and
servers.
Encrypts data to prevent it from being intercepted during transfer.
Ensures data integrity during transmission.

2.34 How Can I Achieve Storage Data Isolation?
Isolate the data of different users using user access rights control and network isolation.

2.35 How Does the Cloud Technology Centralize Different Domains?
Huawei provides strict logical isolation, even physical isolation, for different management
platforms in the cloud system, such as management, service, and storage platforms. Huawei
provides a VM security group solution for isolation of different domain systems in service
planes; it also provides self-service security management measures for domains'
administrators, who can meet isolation and communication requirements of different domain
systems by customizing security policies.

2.36 How Do the Security Isolation Requirements of Different Domain IT Systems Affect the
Networking of Cloud Computing Environments? How Can I Guarantee Security While Maintaining
Cloud Computing Flexibility?
Cloud management and storage systems are required to be deployed in the same data center
network because these systems are used by the administrator of the data center network
rather than by end users. For different domain systems in the service plane that require
different VPN networks, Huawei provides the virtual private cloud (VPC) solution, which
allows a VPN network to extend into the data center. A new VPN network is set up consisting
of some VMs in the cloud system and the original VPN network of the enterprise. In this
way, the original VPN network is deployed in the cloud computing data center. This VPN
network maintains the user's network architecture and is completely isolated from other
networks in the cloud computing data center to ensure security. Enterprises can securely
create VPCs in cloud computing environments as required and form VPN networks with
existing networks.

2.37 What Is Plane-based Network Communication?

The cloud computing system is divided into the management plane, storage plane, and service
plane. To ensure the data reliability of each network plane, the Huawei cloud computing
solution isolates the planes from one another using virtual local area networks (VLANs), so that
the other two planes continue working even if one plane malfunctions. For example, when a
fault occurs on the management plane, the service plane still works properly and keeps
providing services to cloud end users. In addition, the system supports VLAN-based priority
settings: by assigning the highest priority to internal management and control packets, the
administrator and other users can manage and control the system at any time.
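The mechanics behind plane isolation and VLAN-based priority, as an added example that is not Huawei code: the script below parses the 802.1Q tag of an Ethernet frame, maps the 12-bit VLAN ID to a plane, refuses to forward a frame onto a port of another plane, and orders frames by the 3-bit 802.1p priority code point (PCP) so that management traffic is served first. The VLAN IDs, the plane mapping and the frames are constructed for the demonstration and are not FusionSphere defaults.

```python
"""Plane-based isolation with 802.1Q VLAN tags.

Added example, not Huawei code. Parses the VLAN tag of an Ethernet frame,
maps the VLAN ID to a plane, refuses to forward a frame across plane
boundaries and orders frames by the 802.1p priority code point (PCP).
VLAN IDs, the plane mapping and all frames are constructed for the demo.
"""
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_8021Q = 0x8100   # ethertype announcing an 802.1Q tag
ETH_P_IPV4 = 0x0800

# Constructed plane assignment (an assumption, not a FusionSphere default).
PLANE_OF_VLAN: Dict[int, str] = {10: "management", 20: "storage", 100: "service", 101: "service"}


def parse_frame(frame: bytes) -> dict:
    """Return MACs, VLAN ID, PCP, inner ethertype and payload of a frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": None, "pcp": None}
    offset = 14
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13        # 3-bit priority code point
        info["vlan"] = tci & 0x0FFF    # 12-bit VLAN identifier
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def plane_of(info: dict) -> str:
    if info["vlan"] is None:
        return "untagged"
    return PLANE_OF_VLAN.get(info["vlan"], "unknown")


def forward_decision(frame: bytes, egress_plane: str) -> Tuple[str, str]:
    """Allow a frame onto a port only if its VLAN belongs to that port's plane."""
    info = parse_frame(frame)
    plane = plane_of(info)
    if plane in ("untagged", "unknown"):
        return "drop", f"VLAN {info['vlan']} is not assigned to any plane"
    if plane != egress_plane:
        return "drop", f"{plane}-plane frame must not reach a {egress_plane} port"
    return "forward", f"{plane} plane, PCP {info['pcp']}"


def schedule(frames: List[bytes]) -> List[bytes]:
    """Serve frames by descending PCP (stable: equal priorities keep arrival order)."""
    def prio(f: bytes) -> int:
        pcp = parse_frame(f)["pcp"]
        return pcp if pcp is not None else 0
    return sorted(frames, key=prio, reverse=True)


def build_frame(dst: bytes, src: bytes, vlan: Optional[int], pcp: int, payload: bytes) -> bytes:
    """Build a constructed IPv4-over-Ethernet frame, tagged when vlan is given."""
    if vlan is None:
        return struct.pack("!6s6sH", dst, src, ETH_P_IPV4) + payload
    tci = (pcp << 13) | (vlan & 0x0FFF)
    return struct.pack("!6s6sHHH", dst, src, ETH_P_8021Q, tci, ETH_P_IPV4) + payload


if __name__ == "__main__":
    a, b = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    mgmt = build_frame(b, a, 10, 7, b"heartbeat")
    svc = build_frame(b, a, 100, 0, b"tenant data")
    for f in schedule([svc, mgmt]):
        print(forward_decision(f, "management"))
```

Two details matter for isolation: an untagged or unassigned VLAN is dropped rather than defaulted onto a plane, and the decision is made per egress port, which is where a misconfigured trunk would otherwise leak management frames into the service plane.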

2.38 What Are the Security Hardening Measures for the VM Operating System? And How Do They Defend Against Viruses?

System vulnerabilities, insecure accounts and passwords, improper configurations and
operations, and insecure services make the system an easy target for viruses, hackers, worms,
and Trojan horses, all of which bring security risks to the system. To reduce these risks, the
infrastructure security settings must be configured. According to a survey conducted by the
Center for Internet Security (CIS), 80% to 90% of known vulnerabilities can be eliminated by
basic infrastructure security configuration. In addition, OS hardening is more effective than
antivirus software or patches.
Huawei formulates a series of development and security regulations for OSs, databases, and
web applications. It also develops tools for system security customization and checking that
meet the industry's best-practice benchmark requirements.
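To show what a benchmark-style configuration check does in practice, here is an added example that is not one of Huawei's hardening tools: it audits an sshd configuration against a handful of common hardening recommendations. The sample configuration is constructed and deliberately weak; the parser follows sshd's own rules that the first occurrence of a keyword wins and that a commented-out line is not a setting at all, which is exactly the kind of detail a manual review tends to miss.

```python
"""Benchmark-style hardening check of an sshd configuration.

Added example, not one of Huawei's hardening tools. The sample configuration
is constructed; the checks follow common hardening recommendations. Parsing
mirrors sshd: the first occurrence of a keyword wins, comments are ignored.
"""
from typing import Callable, Dict, List, Tuple

# Constructed sample, deliberately left with several weak settings.
SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
MaxAuthTries 6
X11Forwarding yes
ClientAliveInterval 300
PermitRootLogin no
"""

# (keyword, predicate on the value, description of the expected state)
CHECKS: List[Tuple[str, Callable[[str], bool], str]] = [
    ("permitrootlogin", lambda v: v in ("no", "prohibit-password"), "no direct root login"),
    ("passwordauthentication", lambda v: v == "no", "key-based authentication only"),
    ("permitemptypasswords", lambda v: v == "no", "empty passwords refused"),
    ("maxauthtries", lambda v: v.isdigit() and int(v) <= 4, "at most 4 auth attempts"),
    ("x11forwarding", lambda v: v == "no", "X11 forwarding disabled"),
    ("clientaliveinterval", lambda v: v.isdigit() and 0 < int(v) <= 300, "idle timeout set"),
]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map lowercase keyword -> value, keeping only the first occurrence."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)        # later duplicates are ignored by sshd
    return settings


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (keyword, 'PASS' | 'FAIL', detail) for every check."""
    settings = parse_sshd_config(text)
    results = []
    for key, ok, description in CHECKS:
        if key not in settings:
            # Missing keywords fall back to compiled-in defaults; the baseline
            # requires them to be set explicitly so the state is known.
            results.append((key, "FAIL", f"not set explicitly ({description})"))
        elif ok(settings[key]):
            results.append((key, "PASS", f"{key} {settings[key]}"))
        else:
            results.append((key, "FAIL", f"{key} {settings[key]}; expected {description}"))
    return results


def summary(results: List[Tuple[str, str, str]]) -> Tuple[int, int]:
    """Return (passed, failed) counts."""
    failed = sum(1 for _, status, _ in results if status == "FAIL")
    return len(results) - failed, failed


if __name__ == "__main__":
    res = audit(SAMPLE_SSHD_CONFIG)
    for key, status, detail in res:
        print(f"{status:4} {detail}")
    print("passed=%d failed=%d" % summary(res))
```

Note that the trailing `PermitRootLogin no` in the sample does not rescue the configuration: sshd honours the first `PermitRootLogin yes`, so the check reports a failure, as a real audit tool must. The script does not evaluate `Match` blocks, so a configuration that relies on them needs a fuller parser.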

