VMware disables inter VM Transparent Page Sharing (TPS) for security reasons
This morning I discovered a tweet from Derek Seaman in my timeline, that caught my attention.
Doing a #VCDX design? Take note of TPS being disabled in all future ESXi releases. http://t.co/qRXlABIJSs
— DΞRΞK SΞAMAN (@vDerekS) October 17, 2014
TPS stands for Transparent Page Sharing and it’s one of VMware memory management technologies. VMware ESX(i) uses four different technologies to manage host and guest memory resources (check VMware KB2017642 for more information). The preference increases from TPS to swapping.
- Transparent page sharing (TPS)
- Ballooning
- Memory Compression
- Swapping
TPS is a technology by which redundant copies of memory pages are eliminated. You can understand TPS like some kind of memory deduplication. The hypervisor scans the memory periodically for memory pages that could be possibly shared. For each candidate memory page a hash is calculated and it’s saved in a hash table. If a second candidate page has the same hash, a full bit-by-bit comparison for both pages is triggered. If both memory pages are identical, only one page is saved and the other memory page is reclaimed. TPS is enabled by default and shows good results, especially if you were running a lot VMs with the same OS, like in VDI or terminal server environments.
With the advent of hardware-assisted memory virtualization systems, like Intel EPT or AMD RVI, VMware changed the behaviour of TPS and how guest memory is backed to physical memory. Guest memory was now backed with larger memory pages (2MB instead of 4KB ) for better performance. But 4 KB pages were still used if there were no 2 MB continuous memory, e.g. in case of memory overcommitment or memory fragmentation. Using 2 MB memory pages has advantages, for sure, but in perspective of TPS it has two disadvantage:
- small chance to find two identical memory pages
- the expense of a bit-by-bit comparison is at 2 MB pages incredibly much higher than with 4 KB pages
The punchline is, that with hardware-assisted memory virtualization systems, TPS is only actively used if the host is under memory pressure. But it is still there and working.
Safety over performance
Yesterday VMware published KB2080735 (Security considerations and disallowing inter-Virtual Machine Transparent Page Sharing). The purpose of this KB:
This article acknowledges the recent academic research that leverages Transparent Page Sharing (TPS) to gain unauthorized access to data under certain highly controlled conditions and documents VMware’s precautionary measure of no longer enabling TPS in upcoming ESXi releases. At this time, VMware believes that the published information disclosure due to TPS between virtual machines is impractical in a real world deployment.
Because of this, TPS will be disabled by default with the release of:
- ESXi 5.5 Update release (Q1/ 2015)
- ESXi 5.1 Update release (Q4/ 2014)
- ESXi 5.0 Update release (Q1/ 2015)
- The next major version of ESXi (ESXi 6.0)
Prior these updates VMware will release patches that introduce additional TPS management capabilities and that WILL NOT change the existing settings for inter VM TPS (check KB2091682). As stated in KB2080735, the planned ESXi patch releases are:
- ESXi 5.5 Patch 3
- ESXi 5.1
- ESXi 5.0
The patches for ESXi 5.0 and 5.1 are planned for Q4/ 2014. For ESXi 5.5 a patch the patch is already available (ESXi550-201410401-BG).
My 2 cents
Several years ago, the deactivation of TPS would have been fatal. Today, and in consideration of “safety over performance”, I think it was the right decision. If your design heavily relies on TPS, then you maybe have a bad design. ;)
Also a good read:
| Frank Denneman | Future direction of disabling TPS by default and its impact on capacity planning |
|---|---|
| Magnus Andersson | Changes in ESXi Transparent Page Sharing (TPS) behaviour |
| Kenneth van Surksum | VMware decides to disable TPS in future ESXi releases by default |
| Marcel van den Berg | VMware wil disable Transparant Page Sharing by default in future ESXi releases |
| Andrea Mauro | Bye bye Transparent Page Sharing |
| Chris Wahl | Transparent Page Sharing Vulnerable, Yet Largely Irrelevant |
More will follow, ping me on Twitter if you found a good one!