
The life, death and resurrection of transparent page sharing

TPS was a useful memory management feature until VMware turned it off over security concerns. Fortunately, you can restore its full functionality with a few simple steps.

Transparent page sharing is a VMware feature designed to provide administrators with a more efficient means of managing memory on a host.

Transparent page sharing (TPS) looks across all the VMs on the host and identifies identical pages of memory. For example, if you are running a dozen copies of Windows Server 2012 on a host, there will likely be many duplicate memory pages with identical information, such as duplicate code. This duplication is wasteful, and to fix this issue, TPS uses the hypervisor to locate duplicate blocks of memory across the VM host, keeping only one. The remaining duplicate blocks are replaced with a pointer to the first block, and then released and reused by other VMs.

When the VM needs to find that block, the pointer directs it to the genuine block, which contains a copy of the real data. The underlying OS never finds out what happened, thanks to VMware Tools covering for the hypervisor. Imagine doing this with a large virtual desktop infrastructure (VDI) estate -- the savings can be quite significant. To make TPS work with VMs, you need VMware Tools.

TPS' funerary march

This method of managing memory worked well, that is, until VMware decided to effectively turn off TPS in vSphere 5.5 update 2, making it little more than window dressing. The crippling of the transparent page sharing feature was the result of a group of academics obtaining the encryption key for other VMs on the host in highly specific and contrived circumstances. In the real world, this wouldn't be an issue.


VMware is understandably a bit cagey about the exact what and where regarding this situation, but the company's response was to effectively kill the golden goose that is TPS out of the box. This was born out of the desire to ship "secure as default."

Transparent page sharing still exists, but it has new functionality built into it -- namely, a salting function to restrict TPS usage to certain VMs that share the same salt value. By limiting TPS to groups of virtual servers that share the same salt, VMware drastically restricted the functionality of the TPS feature.

Restoring transparent page sharing

Fortunately, TPS can be re-enabled. The process is a bit of a chore, as you need to reconfigure each host within the advanced settings, but well worth the effort.

First, open the VM host in the vSphere Client and select the Configuration tab, as shown in Figure 1.

Figure 1. Selecting the Configuration tab in VMware ESXi 6.0.0.

Next, change the salting value by selecting the Menu option from the advanced menu. Choose the "Mem.ShareForceSalting" entry and set it to "0," as shown in Figure 2. New hosts will be set to "2" by default; a value of "2" means salting is enabled.

Figure 2. Changing salting values.

Once you've changed the salting values, save your changes and reboot. Once the reboot is complete, double-check the settings you've saved.

To make the process of restoring TPS to its full functionality easier, I have created a very simple script that reports the host name and the Mem.ShareForceSalting value for every host in the vCenter. To use it, you must first log into vCenter, replacing vc_fqdn with the IP address or DNS name of the vCenter.

Note that Get-AdvancedSetting should be on one line; otherwise, you will get errors.

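# Log in to vCenter; replace vc_fqdn with its IP address or DNS name.
Connect-VIServer vc_fqdn

# Collect every host managed by this vCenter.
$hostlist = Get-VMHost

# Report each host and its current Mem.ShareForceSalting value.
foreach ($hostserver in $hostlist) {
  Get-AdvancedSetting -Entity $hostserver -Name Mem.ShareForceSalting | Select-Object Entity, Value
}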

Figure 3. A script that reports host name

You could update each host by modifying the script shown in Figure 3, but it's much easier and safer to use Set-AdvancedSetting with updated arguments, rather than Get-AdvancedSetting.
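The Set-AdvancedSetting approach mentioned above could look like the following. This is an added example, not the author's script: the function name Set-ShareForceSalting is hypothetical, vc_fqdn is the same placeholder used in the report script, and it assumes the VMware PowerCLI module is installed.

```powershell
# Added example: requires the VMware PowerCLI module and access to vCenter.
# Set-ShareForceSalting is a hypothetical helper name, not a PowerCLI cmdlet.
function Set-ShareForceSalting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 0 = salting off, 2 = default on new hosts (salting enabled)
        [Parameter(Mandatory = $true)]
        [ValidateSet(0, 2)]
        [int]$Value
    )

    foreach ($hostserver in Get-VMHost) {
        $setting = Get-AdvancedSetting -Entity $hostserver -Name 'Mem.ShareForceSalting'
        $before  = $setting.Value

        # Only touch hosts whose current value differs, so reruns change nothing.
        if ($before -ne $Value -and
            $PSCmdlet.ShouldProcess($hostserver.Name, "Set Mem.ShareForceSalting $before -> $Value")) {
            $setting = Set-AdvancedSetting -AdvancedSetting $setting -Value $Value -Confirm:$false
        }

        # One record per host: the value found and the value now in place.
        [pscustomobject]@{
            Host     = $hostserver.Name
            Previous = $before
            Current  = $setting.Value
            Changed  = ($before -ne $setting.Value)
        }
    }
}

Connect-VIServer vc_fqdn                 # replace vc_fqdn as in the report script
Set-ShareForceSalting -Value 0 -WhatIf   # dry run: shows which hosts would change
Set-ShareForceSalting -Value 0           # apply; use -Value 2 to return to the default
```

The Previous and Current columns give a per-host record of what was changed, which is useful to keep if the setting later needs to be returned to the default of 2.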

VMware disabled transparent page sharing to ensure a very obscure, niche security risk would not be exposed. However, this security risk doesn't affect the vast majority of users; the benefits of re-enabling TPS outweigh the risks, especially in VDI environments where VM density is much higher.

This was last published in October 2016


2 comments


In what circumstances might using TPS be a security risk?
I thought I'd read somewhere that current OS's encrypt memory which essentially nullifies the benefit of using inter-VM TPS on a host.  True?  Not true?