blog.scottlowe.org

Here’s Virtualization Short Take #12, a collection of links I’ve gathered over the last week or so and my thoughts on them. Enjoy!

• For those that missed it in the Release Notes, VMware added support for Storage VMotion and 10Gb Ethernet with iSCSI SANs, as outlined in this VI Team blog entry. I went back and reviewed the Release Notes and didn’t see this listed anywhere, so this is news to me. Of course, I already knew that Storage VMotion worked just fine with iSCSI, but this added formal support for iSCSI.
• Virtualfuture.info published some good recommendations for running Citrix in a VI3 environment. If you run Citrix Presentation Server…er, XenApp…in a VI3 environment, these tuning tips may prove quite handy.
• VMware’s Virtual Reality blog posted an entry on some of the architectural advantages of VMware Infrastructure in comparison to the two leading competitors, Xen (any Xen-based solution) and Hyper-V. Many of the things listed as advantages by VMware are severe points of contention with the other vendors, such as the direct vs. indirect I/O model. Ultimately, time will tell which model was the best; I honestly don’t know enough about the deep dark internals to really state which is better. One thing I am glad to see pointed out is the true comparison of hypervisor sizes; Microsoft can say all they want that Hyper-V is only 600K in size and therefore is the “thinnest” hypervisor, but the truth of the matter is that Hyper-V can’t run without Windows Server 2008 in the parent partition. As a result, it doesn’t really matter how “thin” Hyper-V is, does it?
• Via Mike Laverick, I learned that Microsoft may have brought up the whole 64-bit hypervisor vs. 32-bit hypervisor argument yet again. Mike used a snippet from this Microsoft Virtualization Team Blog entry; in reading it myself, I don’t get quite the same 64-bit vs. 32-bit that Mike picked up. That’s good, because I didn’t want to have to go there again. Personally, the tone I picked up from the whole article was one of educating people far too accustomed to Virtual Server/VirtualPC and trying to educate them on how Hyper-V is different.
• Virtualization analyst Chris Wolf recently posted an entry in which he questioned if Apple would capitalize on the opportunity that virtualization is creating. It’s an interesting scenario, one that is similar to a scenario that I discussed a couple of years ago in a piece titled “Application Agnosticism.” In that article, I suggested that seamless host-guest interactions with virtualization software (now implemented by VMware as Unity and by Parallels as Coherence) would usher in a new wave of computing. I suggested that Mac OS X was ahead of the curve because of its ability to run native OS X applications, UNIX applications, X11 applications, Windows applications via WINE (or the commercial variant CrossOver Office), and applications from any other operating system via virtualization. Sounds like I may have been a bit ahead of my time!
• Chad continues discussing VMware HA with another post on some additional configuration options for HA. Also check out the comments with links to even more information on HA’s advanced configuration options.
• This VMware KB article has some good information on getting LUN identification information. The breakdown of the command-line output from esxcfg-mpath is particularly helpful (and for that reason I’ve added it to my del.icio.us bookmarks).
• Rich of VM /ETC shares with us a “Doh!” moment he had when he saw this simple method for identifying VMs with snapshots. Sometimes it’s the simplest solutions that evade us the longest. Here’s what I want to know: Aaron, what exactly does “/HEADDESK” mean, anyway?
• This article at SearchNetworking.com brings to light some of the challenges networking professionals face with server virtualization. I do agree with one point made in the article regarding the mapping of applications—what the end users really care about—to the networking infrastructure. VMware’s support for CDP in recent versions of VMware Infrastructure is a step in the right direction, but there is still more work to do for sure. I’m not so sure about the rest of the points in the article, but I may be an exception to the norm; I was a CCNA for a while (on track for CCNP) and have done my fair share of Cisco configurations, so I’m no stranger to the networking world. The use of VLANs to ease configuration in a server virtualization environment seems just second nature to me. Also, I did note that the author indicated that “server administrators sometimes inappropriately configure the switches to create a loop” (referring to vSwitches in ESX). How exactly does that happen? I’ve never seen a way to link two vSwitches together without using a VM.

As always, readers’ thoughts are welcome in the comments!

No, this posting isn’t about me; I switched to the Mac years ago. Instead, this posting is about a story that I’d seen quite a while ago, but just hadn’t gotten around to discussing here on the blog.

Quite some time ago, Computerworld ran some articles about an enterprise company that was switching entirely to Macs. The articles are here:

Mac Attack! An enterprise PC shop switches to Apple
Mac switch revisited: An enterprise PC shop’s move to Apple isn’t as easy as expected

It’s an interesting pair of articles that help to highlight the attention that Apple and Mac OS X are getting these days. In this particular case, I found this statement particularly compelling:

Frantz says AWC had calculated “significant savings” associated with migrating to Apple software during the proof-of-concept testing last summer. “We knew we would have sufficient ROI for the change based on some broad generalizations, and the savings were enough to green-light the project,” he says.

Everyone likes to talk about how expensive Macs are, and yet here is a company that has found “significant savings” upon switching to Apple hardware running Mac OS X. Interesting.

To be fair, the company in the article—AWC—isn’t going completely Mac; they are keeping SQL Server on Windows and a few other applications as well. That’s fine; I’ve long advocated to use the best tool for the job. If SQL Server is the best tool for the job for them, then they should use it. I’m just glad to see that companies are increasingly recognizing that Windows on the desktop isn’t always the best tool for the job anymore.

Apple has just given me one more reason to possibly switch to an iPhone…

iPhone opens to Exchange e-mail

I’m currently using a Samsung BlackJack II, a Windows Mobile 6-based device with 3G connectivity. The e-mail functionality is great, but not having an easy way to keep my Address Book contacts in sync with my phone is a major hassle. It looks like using an iPhone would help address that.

Now all we need is 3G (UMTS/HSDPA) functionality and a price drop…OK, at least the first is an actual possibility.

In part 2 of my informal discussion about getting things done with my Mac, I mentioned that I needed a way to invoke an AppleScript from within NetNewsWire. I was already using Mail Act-On and an AppleScript to easily move information from Mail.app into OmniFocus, and had a similar AppleScript for NNW but no easy way to invoke it.

It wasn’t until late last night that I realized I already had a solution for the problem I’d been describing. I’d been searching for some way to quickly and easily invoke an AppleScript from within NetNewsWire—why not just use a Quicksilver Trigger?

I already use Quicksilver for tons of other things: accessing my Camino bookmarks (would love to be able to get to my Camino history…hint, hint); launching applications; getting information on a contact in the Address Book; even launching other scripts for various tasks. Why not leverage Quicksilver for this as well?

Just a few minutes later—the process only took a few minutes in the Quicksilver Preferences pane to configure the trigger—and I was quickly and easily moving information from NetNewsWire to OmniFocus.

Thank goodness for Quicksilver!

So I upgraded my laptop this past weekend to Mac OS X version 10.5, aka “Leopard”.  I’ve been reasonably pleased with the upgrade so far.

I keep most of my applications up to date, so I didn’t have too many applications that weren’t already Leopard compatible.  That’s an advantage of being a slightly later adopter as opposed to being one of those guys waiting in line when the new OS was released.  In addition, I gain the benefit of the Mac OS X 10.5.1 update, which addressed a number of issues with the initial Leopard release.

So far I’ve only run into a couple of issues, both of them very minor:

• Mail.app 3.1 complains about the self-signed SSL certificate that my hosting provider uses with IMAP-TLS and SMTP-TLS.  This occurred with Tiger as well, but some instructions I’d seen before the upgrade indicated that I might be able to bypass those warnings by setting the certificate to “Always Trust”.  This doesn’t seem to work.  Admittedly, a very minor issue.
• My blogging application, ecto, was supposedly not Leopard compatible with the version I was using (version 2.4.2, Intel build).  (I left the older version installed side-by-side with the newer version and the old version seems to run fine, though.)  So I switched to a beta build of ecto3, which is a complete rewrite of the blogging application, and I’ve run into a few little issues there.  Those are directly related to the ecto3 upgrade, though, and not necessarily to the Leopard upgrade itself.

One of the first “tweaks” I reached for was the tweak to return the menu bar to a more opaque status.  There are a number of sites out there providing instructions; here’s the Terminal command I used:

sudo defaults write /System/Library/LaunchDaemons/
com.apple.WindowServer ‘EnvironmentVariables’ -dict ‘CI_NO_BACKGROUND_IMAGE’ 0.62

The command worked like a champ, and my menu bar was restored to some sense of normalcy.  I initially also switched the Dock to a 2-D smoked glass look, but then switched back to the default 3-D appearance.  I figured I’d give the new Dock appearance a chance before just banishing it to the ether.

I haven’t been back to the office or at a customer’s site since the upgrade, obviously, so I don’t have any feedback yet on interoperability with Windows-based networks, Kerberos support, etc.  I do need to look up the information on Leopard’s built-in support for SSH keys, since I relied upon SSHKeyChain before the Leopard upgrade.  If anyone has any pointers on that one, please let me know.

One huge missing piece so far are the Leopard-compatible versions of MailTags and Mail Act-On.  I have the beta versions of both, but I’m a bit hesitant to use them—I don’t want to take any chances with my mail, if you know what I mean.  Anyone out there using the beta versions of these on Leopard and have some feedback for me?  Are they safe yet, or should I wait just a bit longer yet?

Spaces is pretty cool; it’s nice to have virtual desktops back with Mac OS X again.  I’d used a pretty fair number of virtual desktop applications on my Mac, eventually settling on VirtueDesktops (then just called Virtue) and then discontinuing my use of virtual desktops after my Tiger upgrade.  VirtueDesktops went through various stages of support and non-support during the Tiger upgrade and the migration to the Intel platform, eventually ending development due to the expected introduction of Spaces.  While Spaces doesn’t have all the features that VirtueDesktops had, it is at least fully supported.  In addition, the former developer of VirtueDesktops is working on something called Hyperspaces, which will—as the name suggests—extend Spaces to include features that VirtueDesktops used to have.  In any case, Spaces seems to work fine so far.

I’ll post more information as I continue to get accustomed to Leopard; in the meantime, I’d love to hear any feedback from other Leopard users on your experiences.  Feel free to put your feedback in the comments below!

Apparently, a bug similar to one fixed by Apple in March 2006 has appeared in Leopard.  More information is available from the heise Security and Dark Reading web sites.

The flaw allows attackers to create e-mail attachments that appear to be harmless—say, like a JPEG image—but are actually executables that run malicious code.  In Mac OS X 10.4, users were warned that the attachment is actually an executable file.  It’s doubtful that this new bug is the same bug as was fixed in earlier versions of the OS, although the end result is the same.

I have not seen any information as to a workaround for this flaw, other than to avoid opening e-mail attachments.  It is my understanding that this flaw was made public right around the same time as the release of the latest security updates for Panther and Tiger and the first major update for Leopard, 10.5.1, so I don’t think that a patch for this flaw has yet been made available.

I hope that the emergence of a flaw similar to one corrected in earlier versions of the OS does not indicate a more severe security problem within Leopard or even within Apple.  As it currently stands, I have concerns that Apple is not taking security seriously enough and is “resting on the laurels” that Mac OS X is already secure enough because of its UNIX underpinnings.  It would be a shame for a great OS such as Mac OS X to be tarnished because Apple wasn’t willing to put forth the effort to make it as secure as it needs to be in today’s environments.  Don’t get me wrong; I love the Mac, and I love Mac OS X.  This kind of mistake, however, would get someone like Microsoft tarred and feathered.  Why aren’t we holding Apple to the same standards?  Is Apple really doing enough for Mac security?

I won’t bore you with all the details again, since no doubt by now you’ve probably already seen the news—or perhaps I should say hype—about how the End-User License Agreement (EULA) for Leopard Server (Mac OS X Server 10.5) has changed to apparently allow for virtualization of Mac OS X Server.

Quoting the EULA from the originating article:

This License allows you to install and use one copy of the Mac OS X Server software (the “Mac OS X Server Software”) on a single Apple-labeled computer. You may also install and use other copies of Mac OS X Server Software on the same Apple-labeled computer, provided that you acquire an individual and valid license from Apple for each of these other copies of Mac OS X Server Software.

Now, this isn’t quite what I had discussed in my last post about Apple and virtualization, but it is a step in the right direction.  Unfortunately, the current EULA limits these virtual instances to be a) version 10.5 only; and b) Mac OS X Server only.  Alas, no virtual instances of “regular” Mac OS X for geeks such as myself, and no earlier instances of Mac OS X either.

Of course, the other big question surrounds who will win the race to produce the first application to provide virtualized Mac OS X Server instances…will it be VMware or Parallels?  To be honest, I’m inclined to say Parallels, but maybe Ben, Regis, and others at VMware can prove me wrong.

Here are a few other links with related information:

http://www.tuaw.com/2007/10/31/will-leopard-allow-virtualization-of-os-x-server/

http://www.macnn.com/articles/07/10/31/os.x.server.on.vm/

http://apple.slashdot.org/article.pl?sid=07/10/31/1629236

For a company that wants their virtualization technology to be ubiquitous, it would seem to make sense that VMware needs it to run on every major host operating system.  Right now, VMware has Windows and Linux covered.  But what about OS X?  There is a tremendous amount of attention being paid to OS X right now, from many different sides, and Apple seems to be pushing OS X in a number of different directions (such as using OS X as the basis for the iPhone, and rumors of future OS X-based iPods circulating).  In my mind, it seems to make a lot of sense that both Apple and VMware could benefit from a closer relationship.

Think about it:  Extending VMware ACE to include Mac OS X would now mean that VMware could have secure VMs running on pretty much any significant x86-based operating system from any significant manufacturer.  The endpoint becomes irrelevant.  Have a contractor that runs OS X?  Not a problem, we can extend a secured, policy-controlled VM to his/her Mac laptop without any issues.  Pocket ACE in action with all three major x86 host operating systems covered means that you can truly take your computing environment anywhere.  It’s a powerful thought.

Similarly, bringing VMware Player to Mac OS X gives Mac users out there exposure to the same wide range of virtual appliances that Windows and Linux users can currently access.

Not to be left out, I’m sure there are Xserve users out there that would love to have VMware’s mature hosted virtualization technology running on their Mac OS X Server-based systems in the form of an OS X version of VMware Server.  Anyone care to run OS X Server, Windows Server, and Linux all on a single piece of hardware in your datacenter?

“Wait a minute, Scott,” you say. “Apple won’t let us virtualize Mac OS X.”

Who said anything about virtual OS X?  You’re right, of course; Apple has yet to budge on that front.  However, that thought does lead me to my next thought:  what will Apple do if VMware (or Parallels) doesn’t provide the virtualization technology for their platform?

Apple has a history of integrating open source projects into Mac OS X; consider the FreeBSD-based underpinnings, the Apache web server, the Postfix mail server, and so forth.  What’s to stop Apple from integrating the Xen hypervisor?

Sun is integrating Xen as xVM; Microsoft’s Windows Hypervisor (which is now available for public preview, by the way—I plan to have a look at it very soon) bears many architectural similarities to Xen, and of course Citrix will be using Xen in some significant way now that it’s purchased XenSource for $500M.  Why not Apple?  Why not integrate Xen into the Apple code base?  Apple can integrate Xen into their code base, release the open source bits as part of Darwin, and create their own virtualization solution.  Apple controls the hardware base, after all, so it wouldn’t be all that terribly difficult to write Xen-optimized drivers for alternate operating systems running under Mac OS X.  I would imagine it would also be much easier to control the virtualization of Mac OS X if it were occurring on a version of OS X with Xen integrated.

So am I just crazy?  Tell me what you think.

I was on the road most of the day today, so I must have missed this news earlier.  Apparently, Sun Microsystems and Network Appliance have had a little spat over ZFS and WAFL, and now NetApp is suing Sun for patent infringement.

Dave Hitz explained the situation in a blog entry:

This morning, NetApp filed an IP (intellectual property) lawsuit against Sun. It has two parts. The first is a “declaratory judgment”, asking the court to decide whether we infringe a set of patents that Sun claims we do. The second says that Sun infringes several of our patents with its ZFS technology.

Dave Hitz goes on to attempt to differentiate NetApp’s actions from the IP lawsuit(s) of SCO infamy.  Personally, I wouldn’t place NetApp and SCO in the same situation, although I am strongly opposed to the current system of software patents.  Patent reform is desperately needed, before things get worse than they already are.

In any case, this turn of events is unfortunate.  I’m not technical enough to be able to provide any sort of opinion with regards to whether or not ZFS actually does infringe upon NetApp’s WAFL patents (or the other way around), but I do hope that Sun and NetApp can settle things amicably and move forward with more innovation, rather than getting stuck in an argument over who owns what.  That’s the last thing either company needs right now.  In addition, ZFS’ status needs to be settled quickly, before more companies decide to try to adopt a supposedly open sourced file system and incorporate it into their own products (as Apple reportedly did with ZFS and Leopard).

For more information on the lawsuit, see this eWeek article or this report from The Register.  I’d also be interested in hearing anyone else’s feedback on the situation.  What’s your take?

I’ll start out by saying that I am neither a security expert nor a statistician.  With that disclaimer in hand, I wanted to briefly share my thoughts on the “days of risk” assessment that has recently been used to compare the security of Windows, Linux (Red Hat and SuSE), Mac OS X, and Sun Solaris.  Before continuing, I encourage you to have a look at the actual report itself, along with a few related articles:

• Days-of-risk in 2006 : Linux, Mac OS X, Solaris and Windows
• Days of Risk in 2006 : Client OS Products
• Recount: Windows Still Safest, Tops Mac OS X, Linux and Sun Solaris - But are statistics a true measure of security?
• Windows v Linux - Days of risk in 2006

In summary, the Days-of-Risk (DoR) assessment showed that Microsoft patched vulnerabilities in Windows more quickly than Red Hat, Novell, Apple, or Sun patched vulnerabilities in their products.  This is true even when only High Severity issues are taken into consideration, although the gap between Microsoft and the other vendors narrowed in that analysis (with the exception of Sun).

OK, that’s all well and good, but we all know statistics can be made to show just about anything.  I’m not saying that Mr. Jones deliberately limited his data to present a favorable outcome for Microsoft; Microsoft has done a very admirable job of improving their security responsiveness, and in that regard the other vendors would do well to improve their own responsiveness to the disclosure of security vulnerabilities.  No, my thoughts are more centered on the question: Is this data the right data to accurately and objectively represent the security profile of an operating system?

I would contend that, in addition to DoR, information on the following areas would also need to be included in order to more accurately depict an operating system’s security profile:

• Number and severity of exploits published or otherwise made available for vulnerabilities
• Number of viruses, trojans, rootkits, or other malware readily available or in active circulation

Now, before you say something like “Well, of course Windows is going to have more viruses and more exploits because it has a larger installed base!”, let me also say that these values should be correlated and weighted according to the installed base of the operating system as well.  This allows the values to account for the fact that Windows is in use by a much larger base of users than Linux, Solaris, or Mac OS X.

Again, I’m not a statistician, but surely there’s a way to correlate this data (including DoR) and start presenting some sort of objective guide, based on measurable facts, regarding the security of an operating system.  Then the vendors (Microsoft, Apple, Novell, Sun, Red Hat, and others) can stand on equal ground and be able to make some sort of reasonable comparison regarding the security of each product.  Isn’t that what we really need anyway?