There has been a lot of traffic on the DLs on this issue today, so I thought a discussion topic on the subject of Oracle licensing on VMware would be appropriate again.
My good friend Dave Welch from House of Brick and I have a friendly disagreement over this one: Dave maintains that the DRS / HA cluster host affinity rules combined with VMware VMotion logging is adequate to provide an audit trail of what server a VM has run on, and this should suffice for Oracle licensing purposes. Not that I disagree that this would be highly desirable. As an attorney, however, I am a bit more conservative: So far Oracle has maintained (at least from what my customers are telling me) that all ESX servers in any DRS / HA cluster must be fully licensed if there is a single Oracle VM on that cluster regardless of where that VM has run.
Thus, Sam and I have established our position which is reflected in our VMworld 2011 presentation: The customer is fully protected if he / she maintains an isolated, dedicated DRS / HA cluster on which only Oracle VMs are allowed to run. This also eliminates any potential for performance issues from non-Oracle VMs interfering with Oracle VMs, as Sam has pointed out today. While this configuration undoubtedly increases costs in terms of hardware and VMware-related software, those costs are minute (I really like the Chad-ism "mice nuts") compared to the potential increased costs for Oracle license and maintenance fees.
Hence my discussion: Who out there believes that DRS / HA cluster host affinity is good enough for Oracle licensing? Are there any customers who have broached this issue with Oracle? What has been the result? Inquiring minds really, really want to know.
I agree with Dave. DRS host affinity is a clear, auditable method of partitioning your ESX cluster. VMware has officially come out in support of this. Read their statement here: Understanding Oracle Certification, Support and Licensing for VMware Environments
In terms of auditing the real question boils down to, "Does Oracle recognize the extensive APIs and vmware.log file(s) as provided by VMware vSphere?” It’s been my experience (somewhat dated) that Oracle bases licensing audits, in the most part, on the database audit tables. I did a quick Google search trying to answer the question “Does Oracle recognizes VMware API & logs” as a validated means of auditing?” Unfortunately, I didn’t find any useful information one way or the other!
So let me ask the million dollar question: Is there a public statement by Oracle recognizing any third party APIs or logs as a means for auditing?
On another note I don’t see the advantages of using DRS, host affinity, in are large cluster as compared with a narrow Oracle centric cluster with the exception of some minor uptick in management. A narrow Oracle centric cluster has these benefits:
What do you think?
True, for large organizations, it makes perfect sense to have dedicated clusters. For Organizations that have less than 20 databases, it eases the burden of having many ESX clusters.
I'm not sure that Oracle will recognize DRS host affinity as a valid means of partitioning Oracle. This Oracle document, which provides Oracle's guidance on partitioning, would seem to clearly state that DRS Host Affinity, VMware CPU Pinning, or anything else is not a valid a means to partition the server for the purposes of Oracle licensing. Like Sam says, during an audit, they'll use Oracle audit logs to determine where Oracle is running.
You misunderstand the question. I am not suggesting that DRS host affinity would work as a form of host partitioning. That has to do with what CPUs have to be licensed on a given server, which is different from my question.
Rather, I am suggesting that entire servers be licensed, but that VMware auditing logs be used to determine on what servers Oracle software has run. Please let me know if this distinction is clear.
Jeff, I understand - but I think I'm agreeing with you: DRS/Host Affinity would likely not be recognized by Oracle as a valid means of partitioning your HA cluster to limit licensing. I've heard Dave at HOB contend the same thing you've heard, which is essentially: "DRS/Host Affinity SHOULD be fine" and as a purely theoretical and ethical point, I would agree: it really should be fine. The VMware logs should be recognized as a valid means of determining where Oracle ran and for how long. However, I'm not sure that's something I would hang my hat on if I were a CIO - what with such big $$'s at stake.
For my understanding, how are the Oracle auditing tools capable of finding out on which physical server or CPU the database has been running? Consider Cisco UCS or probably any other blade system where the physical servers are stateless (i.e. no CPU id, no fixed MAC address etc).
If I run Oracle on a UCS blade, then shut it down (including the OS), then via UCS tooling make the same OS run on a different (but equally configured) blade, then I guess Oracle has no means of finding out about the move.
Equally, in a VMware landscape, if you have, say, 4 ESX servers and you use host affinity to run Oracle only on host 1 and 2, but you have performance issues on host 1 for a few days and decide to change the affinity settings to allow the same Oracle DB vm's to run on host 3 for a while, then after a few days you change the settings back... then how is the Oracle tooling capable of detecting the physical underlying hardware change?
I bet the only way to find out is using the VMware audit files and, if they are plain ASCII files they can be tampered with. So probably they are no good as licencing audit trail !?
My methodology would use the VMware logs, not the Oracle logs. ESX maintains logs However, you make an interesting point. I don't think the Oracle logs would contain this. When an instance starts up, the only thing that is contained in the logs is the fully qualified domain name, which would not change in any event. Do you know of a way that Oracle logs could be made to work in this manner? That might be an interesting challenge.
You hit upon Oracle's point: They have no method to audit host affinity, cpu affinity or similar therefor they don't support or have no statement on the technologies (Licensing Lmbo). I've been around some Oracle audits, while consulting for Oracle, (more than a few years ago), and its been my experience that audits and auditors are very agreesive. Narrow Oracle centric clusters are a strategy wraps more control around the Oracle infrastructure and doesn’t limit the customer in their use of Oracle with VMware. Win, Win.
To everyone else on this thread: please jump in, legal experience or not, as this discussion is all about share different viewpoints.