Quarantine

Definition

Signature

quarantine(s : set<server>)

• s : an non-empty set of servers for a meaningful constraint. Servers not in the Online state are ignored.

The quarantine constraint disallows any VM running on servers other than those in s to be relocated into a server in s. In addition, every VM running on a server in s cannot be relocated to another server. This constraint only restricts the placement of running VMs with regards to a previous placement. As a result, it is not possible to state for the satisfaction of one quarantine constraint before a reconfiguration occurred.

Classification

• Primary users: datacenter administrator
• Manipulated elements: VM placement
• Concerns: VM-to-server placement, Partitioning, Maintenance

Usage

A quarantine constraint may be use by the datacenter administrator for isolation purpose. When a server appears to be compromised, a first step to avoid to propagate the situation is to isolate it from the datacenter (put it into quarantine). Using one quarantine constraint, the datacenter administrator is ensured that no running VMs may enter or leave the quarantine zone.

This constraint may also be used to prepare the servers for a software maintenance operation when it is not possible to relocate the VMs it runs. To prepare a software maintenance, the datacenter administrator must be sure the server does not host any running VMs to prevent a misconfiguration from altering them. As their relocation is not possible in this setting, the only solution to tend to have a server ready for the maintenance is to wait for its VMs termination while disallowing other VMs to be running on the server. The datacenter administrator may then use a quarantine constraint for that purpose.

Example

Figure 4 depicts a sample reconfiguration between a source and a destination configuration. In this example, the following quarantine constraints were considered:

• quarantine({N2}). This constraint is satisfied as VM3 was not relocated while no VMs were moved or launched to N2.

• quarantine({N1,N4}). This constraint is satisfied as VM2 is terminated

• quarantine({N3}). This constraint is not satisfied as VM5 was launched on N3 which is in the quarantine zone.

N1: VM1 VM2

N2: VM3

N3: VM4

(N4):

?: VM5

N1: VM1

N2: VM3

N3: VM4 VM5

(N4):

?:

Figure 4: A reconfiguration motivated by quarantine constraints.

See also

Related Constraints

• ban: When it is possible to relocate the VMs, a ban constraint may be use to prepare servers for a software maintenance operation. In this setting, the server will be ready for the maintenance sooner as the VMs will be immediately relocated while the datacenter administrator has to wait for their termination when a quarantine constraint is used.

• fence + root. This composition of constraints emulates a lonely constraint. One fence constraint will disallow the VMs outside the quarantine zone to enter it while one root constraint will prevent the relocation of the VMs running into the quarantine zone.

• lonely. A partitioning constraint to isolate VMs rather than servers.

Reformulation(s)

• Using fence+root: quarantine(s) ↔ root(↑s), fence(↑s, s)