Safe Multi-tenancy and Logical Partitioning
by Hu Yoshida on Jun 1, 2008
Safe multi-tenancy is a term that few people seem to understand. I was observing a focus session recently, and when that term was used, no one in the four sessions that I observed seemed to know what it meant.
Multi-tenancy means that multiple users can share the same resources. A hotel provides beds for many users or tenants. Safe multi-tenancy would be a hotel where each tenant had their own room with a lock on the door, versus a youth hostel where tenants share a common room and safety is dependent on the good behavior of the tenants.
In the same way, safe multi-tenancy is required for storage users who share the same storage resources, like a SAN. Unlike DAS (Direct Attach Storage), where a user’s storage is directly attached to the user’s host server and is separated from other servers by an air gap, SANs create a network where any server can get to any storage that is connected to the same SAN. Safe multi-tenancy is provided by SAN zoning in the switch and LUN masking in the storage systems. This type of protection is limited and makes LUN address assignments difficult, since one user may get access to LUN 0, 1, 3, and the next user would get LUN 4, 5, but not LUN 0, which is needed as a boot address.
Hitachi solved that problem by assigning each user its own virtual port address with its own address space (Host Storage Domain), so that each user could assign LUNs from LUN 0 on up, even if they shared the same physical storage port. Hitachi storage systems can assign up to 1024 virtual ports to each physical port. The address space associated with each port is separate unless it is specifically assigned to be shared by multiple virtual ports for alternate path redundancy.
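The LUN numbering difference between masking on a shared port and per-user virtual ports, as a simplified Python model added here (not Hitachi code and not part of the original post); the class names, WWNs and volume names are constructed for illustration.

```python
# Simplified model, added for illustration. Class names, WWNs and volume
# names are constructed; this is not a vendor API.
class MaskedPort:
    """One port, one shared LUN address space, filtered per host by LUN masking."""
    def __init__(self):
        self.luns = {}   # LUN number -> volume (shared by every host on the port)
        self.mask = {}   # host WWN -> set of LUN numbers it may see

    def assign(self, wwn, volume):
        lun = len(self.luns)               # next free LUN on the shared port
        self.luns[lun] = volume
        self.mask.setdefault(wwn, set()).add(lun)
        return lun

    def visible(self, wwn):
        return {n: self.luns[n] for n in sorted(self.mask.get(wwn, ()))}

class VirtualPorts:
    """One physical port carrying virtual ports, each with its own LUN space."""
    def __init__(self):
        self.domains = {}   # domain name -> {LUN number: volume}
        self.owner = {}     # host WWN -> the single domain it belongs to

    def add_domain(self, name, wwns):
        for wwn in wwns:
            if wwn in self.owner:          # a host must resolve to one domain only
                raise ValueError(f"{wwn} is already in {self.owner[wwn]}")
        self.domains[name] = {}
        self.owner.update({wwn: name for wwn in wwns})

    def assign(self, name, volume, shared=False):
        others = [d for d, m in self.domains.items() if d != name and volume in m.values()]
        if others and not shared:          # sharing must be explicit
            raise PermissionError(f"{volume} is already mapped in {others}")
        lun = len(self.domains[name])      # numbering restarts at 0 per domain
        self.domains[name][lun] = volume
        return lun

    def visible(self, wwn):
        return dict(self.domains.get(self.owner.get(wwn), {}))

def demo():
    masked, virt = MaskedPort(), VirtualPorts()
    virt.add_domain("tenant-a", ["wwn-a"])
    virt.add_domain("tenant-b", ["wwn-b"])
    for wwn, vol in [("wwn-a", "vol-1"), ("wwn-a", "vol-2"), ("wwn-b", "vol-3")]:
        masked.assign(wwn, vol)
        virt.assign(virt.owner[wwn], vol)
    return masked.visible("wwn-b"), virt.visible("wwn-b")
```

With masking, the second tenant's only volume lands on LUN 2 of the shared port; with per-domain address spaces it lands on LUN 0, and mapping another tenant's volume fails unless `shared=True` is passed, mirroring the explicit sharing for alternate paths.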
Safe multi-tenancy becomes even more important when virtualization is layered on top of the SAN. While switch zoning still works, LUN masking is difficult, since that is done in the storage controller and not in the SAN-based virtualization appliance. Hitachi avoids this problem by implementing storage virtualization in the storage controller, where Host Storage Domains provide the protection for safe multi-tenancy.
While safe multi-tenancy can protect users from accessing each other’s data, it is not enough. There is still the danger that one user may dominate the use of shared resources and impact the performance of other users. For instance, one user may kick off a database reorganization which will suck up the shared cache, rippling through rows and tables, just as another user is trying to service a high-performance transaction.
In order for users to get the right Quality of Service (QoS) when they need it, there must be a way to logically partition the use of common resources like cache and to change that partition dynamically based on policies that are triggered by time or events. Since Hitachi does storage virtualization in a storage controller, it has control of the storage cache and of other storage resources like storage spindles, and so can provide partitioning of these resources. Other storage virtualization systems that sit outside of the storage control unit are not able to provide partitioning of storage resources.
Logical partitioning goes hand in hand with safe multi-tenancy and is important when many users are sharing the same physical storage resources. This is true for a SAN, but is especially true when this sharing is done through a virtual abstraction. If you are considering storage virtualization, ask the vendor how they provide safe multi-tenancy and logical partitioning before you commit.