blog.scottlowe.org

The weblog of an IT pro specializing in virtualization, storage, and servers

Archive for February, 2008

I Love It, But It’s Not Available

February 28th, 2008 by slowe

A friend of mine at Network Appliance was one of the presenters last year at VMworld 2007 for the now-famous presentation that showed a solution from Network Appliance where 100 VMs are created in just a couple of minutes. It’s great technology that is extremely useful in exactly those kinds of situations. I love it.

The video is so popular that it’s even been posted to YouTube. (By the way, did you know I’m on YouTube? My kids think that’s the greatest thing in the world, but I’m not so convinced.)

And, according to Manlio, it appears that they are showing off this kind of thing again at VMworld Europe 2008.

But it’s technology that’s not available yet.

Yep, that’s right. It’s not available yet. It’s based on new functionality, related to their existing FlexClone functionality (which I’ve blogged about before), that is due to be released very soon. Combine this new functionality with NFS on a NetApp storage system and you’ll be able to do exactly what NetApp is demonstrating. But not today…not until these new features are made available to the public.

That bothers me. I suppose it shouldn’t; I mean, you’ve got all sorts of vendors talking about their products and what their products can do when those products aren’t yet available. Microsoft Hyper-V is one example—it’s not available yet, won’t be until later this year, and yet Microsoft is showing it off. VMware is doing the same thing with the Continuous HA stuff they demo’ed at VMworld 2007. Likewise, VMware’s done the same thing this year with offline VDI and scalable virtual image technology.

So, if you’re thinking about a huge VDI deployment and planning on putting that on NetApp storage, that’s fine because there are plenty of other reasons to use Network Appliance—deduplication, anyone? But don’t plan on being able to take advantage of some of this highly touted functionality until it is publicly released.

UPDATE: Another colleague of mine at NetApp wrote me to clarify that the file-level cloning functionality demonstrated in the video is not, technically speaking, related to FlexClone functionality since FlexClone operates on a per-volume basis. I might argue that they both appear to exploit the same underlying functionality in WAFL, but I don’t know that for certain and at that point we’re splitting hairs anyway.

Category: Virtualization, Storage | 3 Comments »

Moving Past the Hype

February 27th, 2008 by slowe

It’s only natural, I suppose.  When wireless networking started to become popular, it was decried as insecure and everyone was warned against using it.  When mobile computing started to take off, it was proclaimed a terrible security risk, and organizations were warned against it.  And now it’s happening with server virtualization.  Of course, since VMware is the lead player in this realm, they are the ones with the target on their back.

The latest volley comes from a “one-two” punch over the past couple of weeks. First, there was a vulnerability discovered in some of the VMware hosted client products (VMware Workstation and VMware Player); specifically, when using the Shared Folders feature. This feature allows host-to-guest interaction. The press went crazy with this one:

Fortunately, some level of clarity has started to prevail about this flaw:

The other “flaw” that’s gotten a fair amount of attention—and hype—is the exploit that can affect VMs during a live migration. Of course, this assumes that necessary steps weren’t taken to protect and isolate the live migration network, as recommended by VMware. I won’t spend a great deal of time on this, since Chris Hoff already said pretty much everything that needs to be said.

So what’s the takeaway from all this? Basically, exactly what Chris Hoff said: Don’t be surprised that your installation is insecure when you haven’t taken the time to implement the correct security controls. If you configure guest-to-host connectivity, then of course you open a channel for some sort of exploit. Best practices would recommend not to configure guest-to-host connectivity. Likewise, if you run the VMotion (or XenMotion) network shared with other traffic, you run the risk of VM state being exposed.

Let’s move past the hype. Just take the time to do your due diligence, pay attention to the security risks of the choices you’re making, and don’t blame the vendor when you don’t follow the vendor’s security recommendations and get an insecure result.

Category: Security, Virtualization | 2 Comments »

Nailing Our Colours to the Mast

February 27th, 2008 by slowe

How many readers out there have ever found themselves at a dinner with some professional colleagues? Probably quite a few of you. I had dinner with some SEs from various other resellers and some vendor representatives tonight. It’s a fairly common occurrence, right?

Well, in how many of those situations did you feel you had to mask or withhold your beliefs or your opinions? This could be on any level; perhaps you couldn’t speak your mind about a particular product because you were having dinner with the vendor that makes that product. (No, this doesn’t have anything to do with any recent events.) More to my interest, for those readers who are also Christians, how many of you felt like you couldn’t fully express your Christian values or beliefs at one of these functions?

Now, this may not have been due to any person in particular, or because anyone said anything out loud. But in today’s society, where people are encouraged to be “politically correct” so as not to offend someone, it’s become increasingly rare to see people willing to show their beliefs, their values, their faith in public. It’s increasingly rare to see people willing to “nail their colours to the mast.”

That saying dates from English maritime history (more information here), basically meaning to openly display one’s beliefs. It can also mean a refusal to surrender or submit. My interest lies primarily with the first meaning, although both meanings can be helpful.

I think it’s time that we put political correctness aside and started taking a stand for our beliefs. And I say that not just from a Christian perspective, but from a professional perspective as well because these two perspectives are connected. They are linked. How? Being honest about who we are and what we believe—again, in a way that is courteous and professional—builds integrity. Integrity creates respect. Your colleagues won’t respect you if you aren’t honest, and if you aren’t being honest about who you are or what you believe then you aren’t being honest at all, IMHO.

Some might say that “transparency” is a good word to use here—we should be transparent and allow our character to be seen by others. Continuing the maritime flag theme, your true colors will come out sooner or later anyway.

If we don’t like a particular product because we don’t agree with the way it works, let’s just say so. We should be honest, because honesty is a Christian trait. Of course, we can do so in a way that is not offensive or rude, but we can and should be honest.

When we’re out at dinner with vendors or colleagues, we shouldn’t be afraid to say a prayer over our meal before eating. Again, we’re allowing the truth of who we are to be seen, and that honesty will generate respect. I believe people will respect you for not being afraid to be who you are.

Personally, I would rather see someone take a stand for something, even if it’s something I don’t agree with, than be wishy-washy and variable. Wouldn’t you? Maybe it’s time we nail our colours to the mast.

Category: Personal | 18 Comments »

VDI Announcements at VMworld Europe 2008

February 26th, 2008 by slowe

Back in 2006, I speculated that one day VMware would allow hosted virtual desktops to be “checked out” and used offline. Lo and behold, one of the announcements that has come out of VMworld Europe 2008 is just that very thing (quoting from VMware’s web site):

Offline Virtual Desktop Infrastructure previews how a single virtual desktop infrastructure platform may be able to support all enterprise PCs in the future. Let end users “check out” personalized virtual desktops running on VMware virtual desktop infrastructure to a notebook computer for use offline and then “check back in” to the same desktop running in their virtual desktop infrastructure environment.

Also coming out of VMworld Europe 2008 is the announcement of linked clones technology on the VI platform:

Scalable Virtual Image technology delivers lower operational costs through simple and scalable desktop image management and reduces storage requirements up to 90 percent for virtual desktop infrastructure environments. Quickly deploy, update, and publish desktop images to thousands of virtual machines.

This is powerful stuff. The offline VDI stuff really enables an entirely new way of thinking about VDI; it’s no longer about just hosting desktops at the datacenter. Now it’s about providing a “golden image” that users can run on the local machine when they’re not in the office and on the server farm when they are in the office.

Likewise, the scalable virtual image stuff addresses what is, in my mind, the #1 problem with VDI deployments: storage requirements. Vendors like Network Appliance have attempted to address this through their technologies like FlexClone (as described here); competitors such as Citrix have attempted to address this problem through technologies like Citrix Provisioning Server (formerly Ardence).

With these announcements, it’s now much clearer that VMware sees the desktop virtualization market as a very strategic market, and they are taking the steps to control that market.

Category: Virtualization, Storage | 1 Comment »

Vendor Responsiveness

February 25th, 2008 by slowe

In early January, I wrote an article about how unimpressed I was with VMware’s Remote CLI, the tool released along with ESX Server 3i and—at the time—the only way to perform a Storage VMotion operation. Since that time, of course, a Storage VMotion plugin for the VI Client has been released.

About a month later, I joined with Bob Plankers of LoneSysAdmin in expressing some disappointment about VMware Infrastructure 3.5. I also vented some frustration about issues trying to import the Remote CLI appliance into VirtualCenter from an OVF file, and problems with jumbo frames and iSCSI/NFS.

Of course, this isn’t the first time I’ve expressed concerns about VMware’s products, despite claims that I am a VMware fanboy. (I do admit to being a Mac fanboy. I’m currently receiving professional help.)

The point of this story—and yes, there is a point—is what happened after those posts. Within just a few days, VMware contacted me. No, not to hound me for speaking out against them, but to thank me for “keeping them honest” (their words) and to offer assistance in working with me to resolve these issues. Since that time, I’ve spoken with several Product Managers and Sr. Product Managers within VMware, all of whom seem genuine in their desire to make sure that the issues I experienced aren’t the results of bugs in the product or, if they are bugs, to identify them and fix them.

I have to say that’s pretty impressive. It’s highly doubtful that VMware can or does respond to every customer in the same fashion, although I wish they did, but it does occur to me that at least they’re trying. I suppose I could be cynical and say that they’re only behaving this way because they don’t want to look bad, but who am I to question their motivations? I’ve said before there’s nothing wrong with a company that’s out to make money—it does make the economy run, after all—but what really matters is the means by which the company seeks that goal.

Category: Networking, Virtualization, Storage | 7 Comments »

VI Plugins Expose a Problem

February 25th, 2008 by slowe

In his work developing VI plugins, Andrew Kutz discovered a potential security flaw. Quoting from the e-mail he sent me:

It troubles me that the VI client will allow any plugin to be loaded regardless of whether or not it may contain dangerous code. During the development of the Console plugin I had to register a message filter on the primary message loop to capture input for the SSH “terminal.” I was not sure if the VI client would allow me to do this, as the ability to do so has nasty implications. Well, it does, and it does.

Enter my KeySniffer plugin. KeySniffer is an example of how VI 2.5 client plugins can be abused. This plugin sniffs all key strokes that occur within the VI 2.5 client and outputs them to C:\viclientkeystrokes.txt. KeySniffer works by registering a message filter on the VI client’s message loop and recording all input to the aforementioned file.

Andrew’s advice? Be sure that you ABSOLUTELY trust the source of any plugins that you may load inside the VI Client. Otherwise, you could be exposing your information in a dangerous and unexpected way.

Andrew has also provided an executable that can check for this problem as well.

Thanks for pointing this out, Andrew.
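One way to act on that advice is to triage plugin DLLs before the VI Client ever loads them. The sketch below is an added example, not Andrew's checker and not VMware code: it hashes every DLL in a plugin folder against an allowlist you maintain and flags references to the WinForms message-filter API. The plugin folder path, the allowlist, and the assumption that plugins are .NET assemblies using `Application.AddMessageFilter`/`IMessageFilter` are mine, and the sample files are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

# Names a .NET assembly must reference to hook the WinForms message loop.
# Assumption: the plugin uses the standard WinForms message-filter API.
FILTER_MARKERS = (b"AddMessageFilter", b"IMessageFilter", b"PreFilterMessage")


def audit_plugins(plugin_dir, approved_sha256):
    """Return one finding per DLL: hash, allowlist status, filter markers seen."""
    findings = []
    for dll in sorted(Path(plugin_dir).rglob("*.dll")):
        data = dll.read_bytes()
        digest = hashlib.sha256(data).hexdigest()
        # Metadata names are stored as UTF-8 in the assembly's #Strings heap,
        # so a byte search finds them without loading or running the plugin.
        markers = [m.decode() for m in FILTER_MARKERS if m in data]
        findings.append({
            "file": dll.name,
            "sha256": digest,
            "approved": digest in approved_sha256,
            "filter_markers": markers,
        })
    return findings


def needs_review(findings):
    """Unapproved plugins only; those with message-loop hooks rank first."""
    flagged = [f for f in findings if not f["approved"]]
    return sorted(flagged, key=lambda f: (-len(f["filter_markers"]), f["file"]))


def demo():
    # Constructed sample data: fake byte blobs standing in for plugin DLLs.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Reviewed.dll").write_bytes(b"MZ\x00Reviewed\x00AddMessageFilter\x00")
        (root / "Unknown.dll").write_bytes(
            b"MZ\x00IMessageFilter\x00PreFilterMessage\x00AddMessageFilter\x00")
        (root / "Plain.dll").write_bytes(b"MZ\x00NoHooksHere\x00")
        approved = {hashlib.sha256((root / "Reviewed.dll").read_bytes()).hexdigest()}
        return [(f["file"], f["filter_markers"])
                for f in needs_review(audit_plugins(root, approved))]


if __name__ == "__main__":
    for name, markers in demo():
        print(f"REVIEW {name}: message-filter references = {markers or 'none'}")
```

A marker hit is a reason to review the plugin's source, not proof of abuse: the Console plugin registers a message filter for legitimate reasons too.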

Category: Security, Virtualization | No Comments »

New VI Plugin

February 24th, 2008 by slowe

Andrew Kutz is on a roll. He’s released yet another plugin for the VMware Infrastructure Client; this latest plugin adds a “Console” tab when an ESX Server is selected that allows the user to open an SSH session to the selected server directly from the VMware Infrastructure client. No more need to launch PuTTY and log in!

Category: Virtualization | No Comments »

Final Article in VDI Series

February 21st, 2008 by slowe

My final article in the virtual desktop infrastructure (VDI) series at SearchVMware.com has been published!

From the article, “Networks, host OSes strained by VMware VDI deployments”:

Deploying Virtual Desktop Infrastructure (VDI) on VMware Infrastructure 3 (VI3) can have a considerable impact on your network design and hosted operating system (OS) instances.

The article goes on to discuss specific ways in which the network and the guest operating systems have to be architected in a VDI deployment. I hope you find the information useful!

Category: Networking, Virtualization | 2 Comments »

A Quick Follow Up on Catbird

February 20th, 2008 by slowe

In Virtualization Short Take #2, I mentioned the announcement by Catbird of their HypervisorShield, and joined with Christofer Hoff in asking what it was, exactly, that Catbird was seeking to protect with this product.

Since that time, Christofer had the opportunity to speak with Michael Berman, CTO for Catbird, and get some additional information and clarification on what Catbird’s new product is and isn’t doing. This clarification is available here.

Category: Security, Networking, Virtualization | 1 Comment »

A Few Thoughts on Xen

February 20th, 2008 by slowe

I’ll start this blog posting with the disclaimer that I am not a Xen expert (at least, not yet). That being said, I had some questions, thoughts, rants, etc., that I wanted to get out of my system after a lengthy meeting with some Citrix XenServer folks today.

For any readers out there that are intimately familiar with the Xen hypervisor and, specifically, Citrix XenServer, feel free to provide factual, relevant technical information in the comments. Salespeople and marketing drones, spare us all the advertising and public relations drivel.

First, the XenServer folks had a lot to say about how their 64-bit hypervisor was better than VMware’s hypervisor because VMware’s product was “only” a 32-bit hypervisor. My main response to that statement is this: what key benefit do you derive from being a 64-bit hypervisor? Access to more system RAM? No, VMware Infrastructure 3.5 supports 256GB of RAM, while XenServer 4.0.1 supports 128GB of RAM. Do you gain the ability to run 64-bit guests? Well, VMware’s products can run 64-bit guests as long as the Intel VT/AMD-V extensions are present. (Before you say that Xen doesn’t need the extensions to run 64-bit guests, better stop and think about the requirements to run unmodified guests of any bitness under Xen.) The ability to provide more RAM to guests? No, VMware beats Xen on that one, too—64GB versus 32GB. Hmmm…I’m stumped. So what does having a 64-bit hypervisor get you, then?

My second question centers around how the Xen hypervisor is so small and slim and petite versus VMware’s bloated 2GB hybrid OS-hypervisor (their description, not mine). Of course, it’s easy to make that distinction when you exclude the Linux-based Xen dom0 but include the Linux-based ESX Server Service Console. If you want to compare hypervisor to hypervisor, fine; compare Xen itself with VMkernel. But don’t compare the Xen hypervisor with the whole ESX Server product; you’re not making an accurate comparison.

Third, let’s talk about paravirtualization. The Citrix XenServer folks loved to talk about paravirtualization and how Xen uses it but VMware doesn’t. What they seemed to omit, however, is the context in which we discuss paravirtualization. Does Xen use paravirtualization? Certainly—with guests that support paravirtualization, which does not include Windows. And they use paravirtualized drivers, to help optimize performance of the guest OS. Does VMware use paravirtualization? Yes, with guests that support paravirtualization, and that does not include Windows. Oh, and they do have paravirtualized drivers to help with guest OS performance. Where’s the difference? Feel free to tell me I’m missing something here.

Forgive me if it seems like I’m bashing Xen; that is most definitely not my intention. In fact, I’d love to get to know Xen much better than I do now. Products such as XenServer and Virtual Iron—both based on the open source Xen hypervisor—have the potential to make a huge splash in the market, and I for one want to be prepared to support these solutions when the time is right. I will tell you this, though: the wrong way to get to guys like me is with misinformation and marketing. Talk honestly and openly about your product’s strengths and weaknesses, and let your product stand, or fall, on its own merits.

Category: Virtualization | 25 Comments »