blog.scottlowe.org

The weblog of an IT pro specializing in virtualization, storage, and servers

Archive for Articles Tagged Security

Virtualization Short Take #14

July 23rd, 2008 by slowe

Welcome to another installment of Virtualization Short Takes!

  • For you Quicksilver lovers out there that also run VMware Fusion, here’s a handy trick to allow you to launch Windows apps to run under Fusion via Quicksilver.
  • Duncan of Yellow Bricks points out this VMware Communities Forums thread discussing how to determine which host has a lock on a LUN. This thread also makes brief mention of the new VMFS version, version 3.31, that was released with ESX 3.5, which does a better job of handling SCSI reservations than previous versions. Good find, Duncan!
  • Speaking of the new VMFS version, a summary of the information shared in the VMware Communities Forums threads can be found here.
  • While we are on a bit of a storage kick, VMware has launched a new VMware Storage blog, and one of the early posts deals with VMFS. The post primarily attacks the notion of VMFS as a “proprietary” file system (which it is) by describing the advantages that VMFS provides. I’m hoping that the new storage blog will get more technical than marketing in the future, but the information is useful nevertheless.
  • This link falls more into the “ironic” category than anything else. Do you suppose he got into trouble with Citrix for blogging about how to use a competitor’s product to test ICA performance?
  • John Howard gives us an in-depth look at Hyper-V’s handling of virtual NICs in this article. This is particularly important for users who are interested in cloning VMs hosted on Hyper-V; I would assume that SCVMM 2008 will handle this correctly.
  • This news emerged several weeks ago via VMblog.com. It’s good to see Leostream getting some recognition; their broker is actually quite good in many respects.
  • Sven over at Virtualfuture.info recently blogged about XenServer’s HA functionality and how Marathon’s EverRun products play into that functionality. I actually had a conference call with the folks from Marathon several months ago about EverRun, but never got around to blogging about it. I do like the fact that you can control HA functionality on a per-VM basis, whereas VMware HA is applied to all VMs. (Well, I suppose you could disable HA for the VMs that you don’t want restarted, but it’s not quite the same.) I do agree with both Sven and PeterB’s comments regarding “Continuous Availability”; the sooner that VMware gets this functionality out the door, the more of a leg up they’ll have on the competition.
  • As has been reported elsewhere as well, Reflex Security has released the Reflex Virtual Security Center (VSC). The full press release is here. Based on what I’ve read thus far, it appears that the idea behind the VSC is to combine the information from multiple instances of their Virtual Security Appliance (VSA) so that users get the “full view” of what’s occurring across the virtual infrastructure. In this regard, it is remarkably similar to Altor Networks’ Virtual Network Security Analyzer (VNSA), which is also designed to provide visibility across the entire virtual infrastructure.

As always, feel free to share other interesting links and news in the comments below. Thank you!

Category: Security, Macintosh, Virtualization, Storage | No Comments »

Virtualization Short Take #13

July 17th, 2008 by slowe

Here’s the latest installment of Virtualization Short Takes, my occasionally-weekly view on various virtualization news, reviews, and other happenings. Hopefully I can share something interesting with you!

  • Via VMblog.com, I saw that Transitive Corporation is supporting the use of QuickTransit within Hyper-V virtual machines. This is interesting because it extends the ability of Hyper-V to help customers consolidate applications. QuickTransit, in case you aren’t aware, allows applications written for Solaris/SPARC environments to run in Linux/x86 environments. It was also the technology behind Apple’s Rosetta, which allowed Mac users to run PowerPC apps on Intel Macs. Does anyone know if QuickTransit is supported within VMware VMs, or is this specific to Hyper-V?
  • This one was quite interesting to me. Question #2 is particularly applicable: why is a reboot required, anyway? (Yes, yes, I know—there is a workaround that does not require a reboot. It’s the principle of the matter.)
  • Via various sources on the Internet, I learned about the release of ESX Manager. This looks like quite an interesting tool, although I have not yet had the opportunity to install or try it yet. Anyone out there tried this and have some feedback for us?
  • Every now and then, something comes up about Citrix XenServer and Xen and it makes me wonder about the relationship between Citrix and the open source Xen community. The latest thing is what appears to be an offhand comment by Simon Crosby of Citrix where he says, “Because we own the hypervisor, we can do much more integration and development around it” (read it in context here). What does that mean? What does “ownership” of the Xen hypervisor mean? And if the Xen hypervisor is licensed under an open source license (GNU GPL v2, according to this page), how can Citrix make proprietary extensions to the hypervisor without being forced to release those extensions back to the community? I guess I just don’t understand the relationship there and how it works. This is where the murky waters of a commercial entity “owning” an open source project come into play, in my mind.
  • I ran across this very useful tip for creating a vSwitch with a specific number of ports. It looks like Dwight Hubbard, the maintainer of the site, also has some other interesting posts. Might be worth adding his feed to your RSS reader.
  • Nick Triantos discusses NetApp’s Site Recovery Adapter (SRA) and its role with VMware Site Recovery Manager (SRM). Anyone have any links to similar discussions of the SRAs for other storage vendors?
  • John Howard provides a great breakdown of how Hyper-V generates dynamic MAC addresses and how Hyper-V attempts to protect against MAC collisions in some circumstances.
  • The VI3 Security Hardening Guide has been updated, which is good because some people felt it just didn’t go far enough.
  • VMware re-iterated their stance on being storage protocol agnostic, and in the article included a very useful table that summarizes the various products and technologies and which are supported with which storage protocols. While the rest of the post is helpful, that summary of supported features is probably the most helpful.
  • Interested in trying out Hyper-V, but don’t have shared storage? Take a look at this blog post. I think you’ll find it helpful.

I’m always on the lookout for other interesting or useful virtualization news, tips, and tricks, so feel free to share with me and other readers in the comments.

Category: Security, Virtualization, Storage | 5 Comments »

MGT374: Offline Virtual Machine Servicing Tool

June 11th, 2008 by slowe

This session couldn’t be published live because I had no wireless signal and no cellular signal in the breakout room. However, I did want to capture the information and publish it at the next available opportunity for the benefit of the readers.

This session was hosted by Luis Camara Manoel, Satish Mathew, and Jay Sauls (he was also one of the presenters in the session prior to this one). The focus of the session, quite obviously, is the Offline Virtual Machine Servicing Tool, which is designed to help in the maintenance and patching of offline VMs. Offline VMs are typically cited as one of the major security concerns with virtualization projects, in that they will likely not be as up-to-date with patches and malware protection as online VMs; thus, when they finally do come online they could present a security risk to the organization.

The session starts off with an overview of the various Solutions Accelerators that are available from Microsoft, and then Jay Sauls takes over and begins to talk about the MAP toolkit again. Of course, I’ve just finished an extensive session on the MAP toolkit, so this is completely redundant and absolutely useless for me. I tuned him out until the session changed focus again to the Offline VM Servicing Tool.

When the session switches focus back to the Servicing Tool, the question is asked: Why are offline VMs such a problem? Many attendees in the session indicate that they have sizable numbers of offline VMs sitting in a library. The typical problem, as I mentioned earlier, is that the offline VMs miss patches, miss compliance scans, and miss other updates.

The solution to this problem is the Offline Virtual Machine Servicing Tool. This tool is designed to automate the application of OS patches as well as application patches. This is accomplished by integrating with existing System Center products like System Center Virtual Machine Manager (SCVMM) and System Center Configuration Manager (SCCM) or Windows Server Update Services (WSUS). I appreciate the fact that Configuration Manager is not required; otherwise, this tool would be far less useful.

Note that “true offline” patching will be available in the next version of Configuration Manager, but it will only service VMs running Windows Vista and Windows Server 2008.

The Offline VM Servicing Tool takes four steps in its operation:

  1. Identify
  2. Assess
  3. Patch
  4. Report

The overall process of how the Offline VM Servicing Tool works looks something like this:

  1. The tool reads the SCVMM library and gets a list of VMs
  2. A VM group is created
  3. The user must select a group of maintenance hosts; the offline VMs will be moved to these hosts to be patched
  4. It will schedule a job on these maintenance hosts
  5. The VMs will be moved from the library to the maintenance hosts and started
  6. The VMs will be patched using Configuration Manager or WSUS (see below)
  7. Upon confirmation of the patching of the VMs, they will be shut down and moved back to the SCVMM library

The tool works by utilizing PowerShell to automate a series of tasks like starting the VM, moving the VM, applying patches, etc. The UI screens for the tool were developed to match the SCVMM UI screens. Windows Server 2003, Windows XP, and Windows Vista are currently supported; Windows Server 2008 is not yet supported.

The requirements for using the tool:

  • All VMs must be under SCVMM control
  • It’s strongly recommended to set up a separate VLAN for the maintenance hosts
  • If using Configuration Manager, all VMs must have the Configuration Manager client
  • If using WSUS, all clients must be configured to use WSUS
  • The server running the Offline VM Servicing Tool must be dual homed to talk to both SCVMM and Configuration Manager/WSUS

At this point Satish, one of the presenters, took over with a demo of the tool. As mentioned earlier, the tool looks and acts a lot like SCVMM.

The presentation consistently referenced SCVMM 2007, the currently shipping version; support for SCVMM 2008 will be included in the next version of the tool. Also slated for inclusion in the next version is support for Windows Server 2008, Hyper-V, Configuration Manager 2007 SP1, and WSUS 3.0 SP1. Unfortunately, this next version isn’t due until 2009, leaving quite a sizable gap in time between the availability of Windows Server 2008 and Hyper-V and the ability of the tool to work with those products. It seems to me that the Offline VM Servicing Tool, while useful right now, will become much less relevant and much less useful once Hyper-V and SCVMM 2008 go RTM.

At this point, Stephen Anderson with Compellent took the stage and began to discuss his company’s products. I’m not really clear why Compellent was given time to advertise their products, unless it was by virtue of the fact that Compellent provided Microsoft with some tools and equipment to assist in the development of the Offline VM Servicing Tool. In any event, I found this to be completely inappropriate and left the session.

Category: Security, Microsoft, Virtualization | No Comments »

No Liveblogging of Lunch Session

June 11th, 2008 by slowe

Those of you that reviewed my Tech-Ed schedule saw a session called “Do These 10 Things Now or Get 0wn3d!”. This was an entertaining session by Steve Riley on security. I’m sorry, but there’s no liveblog for that session. I had to eat lunch, and I haven’t yet figured out how to eat lunch, liveblog, and pay attention to the session at the same time. Tips for doing all three are welcome in the comments.

Category: Security, Microsoft | 5 Comments »

VIR367: Hyper-V Security and Best Practices

June 10th, 2008 by slowe

My first breakout session of Tech-Ed 2008 is a session led by Jeff Woolsey, Senior Program Manager for Hyper-V, and the session is about Hyper-V security and best practices. I’ve met Jeff before at VMworld 2007, although he probably doesn’t remember me. I’ll have more information from Jeff this afternoon, as I have a meeting scheduled with him. I’ll republish what I can from that conversation here this afternoon or this evening. I’ll do my best to liveblog this session, but the wireless signal is really weak in here, and I suspect that as soon as they close the doors to the room the wireless signal will drop off completely. We’ll see.

The Wi-Fi connection has pretty much dropped off the map, and my cellular signal rapidly deteriorated from 3G to GPRS. Ouch. No liveblogging of this session.

Jeff starts out the session with a list of virtualization requirements, which are basic requirements for any virtualization solution: scheduler, memory management, VM state machine, virtualized devices, storage stack, network stack, ring compression (optional), drivers, and a management API. Jeff speaks in a bit more detail about synthetic devices (“ripping fast”), which I understand to be the same as the PV drivers that other solutions use.

We next see a brief overview of Virtual Server’s architecture, and Jeff went into a bit of detail as to why ring compression (which he described as “software gymnastics”) was no longer necessary with Hyper-V and hardware assists from Intel and AMD. In addition, Jeff discussed the I/O problems with Virtual Server in a little more detail.

In the new architecture for Hyper-V, Ring 1 (the “software gymnastics” or ring compression referenced earlier) is gone. This is made possible by hardware assists. Instead of all VMs threading in a single process, each VM with Hyper-V gets its own VM worker process in the parent partition. I/O is improved by the use of synthetic devices. Synthetic devices talk to VMBus, which is a high-speed interconnect between partitions, which then use Virtualization Service Providers (VSPs). The VSPs talk to device drivers in the parent partition and then to the underlying hardware.

With regards to security, Microsoft has tried to model every possible avenue of attack from the VM to the parent partition. With regards to VMBus, it is a point-to-point interconnect connecting a child partition to the parent partition. OK, this prevents inter-VM communication, but how does it secure child-to-parent communication? The VM worker processes that run in the parent partition run in user mode (Ring 3), run in separate processes, and run with stripped-down privileges. This again is done in an attempt to protect the parent partition and the hypervisor from attack.

The “parent partition” is a privileged partition. It’s the only partition that is allowed to see all the physical hardware. Jeff discusses the need for the parent partition. In reviewing the components required for virtualization, dropping the parent partition means that all these components (see above) must be integrated into the hypervisor itself. According to Jeff, this is analogous to plugging your core network into the Internet with no firewall. No “defense in depth.” Instead, using a parent partition allows the hypervisor to be as thin as possible and provides “defense in depth” by running stuff like the management API and the VM state machine (the VM worker processes) in user mode.

What security assumptions were made when designing Hyper-V?

  • All guests are untrusted
  • The parent is trusted by the hypervisor, and the parent is trusted by all the children
  • Code in guests can run in all modes, rings, and segments
  • The hypercall interface will be widely documented and available, and will be available to attackers
  • All hypercalls can be attempted by guests
  • Guests can detect they are running on a hypervisor
  • The design of Hyper-V will be well understood

What were the security goals for Hyper-V?

  • Strong isolation between partitions
  • Guest confidentiality and integrity
  • Separation using unique hypervisor resource pools, separate worker processes, unique child-to-parent communications channels (VMBus)
  • Non-interference to prevent any guest from affecting the contents or computations of other guests or the parent, and there is no guest-to-guest VM interface communications

Coming back to the idea of isolation again, Jeff reinforces the steps taken to ensure VM isolation. Separate virtual devices, separate VMBus per VM to the parent, no memory sharing, no guest-to-guest VM communications except by virtual networks, no guest DMA attacks because physical devices are not available, and neither the guests nor the parent are capable of writing to the hypervisor.

Hyper-V went through the Microsoft Secure Development Lifecycle (SDL), like other products, to get features like Address Space Layout Randomization (ASLR), support for NX/XD, etc. As a side note, NX/XD must be enabled in order for Hyper-V to even work. If NX/XD is disabled, Hyper-V won’t start or run.

Hyper-V’s security model uses Authorization Manager to provide fine-grained authorization and access control. This allows users to define specific roles and functions. For example, VM administrators don’t have to be administrators of the parent partition. This functionality appears to bring delegated access with Hyper-V on par with VirtualCenter with regards to role-based access. Again, it’s not an apples-to-apples comparison, since you also need SCVMM to do some things that VirtualCenter does, but you get the idea. At least with the Hyper-V MMC, we appear to get delegated access on the host without the separate management server; if this is the case, this is an advantage for Microsoft.

Server Core is recommended for use with Hyper-V. Server Core is the CLI-only version of Windows Server 2008; the idea is that by removing stuff like Internet Explorer, the shell, etc., we can reduce the attack surface and reduce the need to patch the host. Enabling Hyper-V with Server Core is a bit complicated. The key thing is “ocsetup Microsoft-Hyper-V”; this is the command line that will install Hyper-V on Server Core. Once Hyper-V is installed and enabled, you can use MMC to manage it remotely. (Note that the MMC doesn’t include any support for P2V, V2V, PowerShell, etc. It’s very basic.)

Jeff next moves into a discussion of his “dream virtualization environment”. He describes a “pie in the sky” and “money is no object” environment. I don’t know that I actually find this particular exercise useful, since most organizations have a limited budget and can’t design the “dream environment.” They have to design the “real environment.” Still, it’s interesting to see Jeff’s suggestions on the ideal virtualization farm.

(Note to VMware: By the way, Jeff indicates that you recommend turning off memory page sharing and idle page reclamation in production environments. I thought you might want to know that.)

Jeff continues his description of the “dream environment” by building out the extra components:

  • System Center Configuration Manager to provide bare metal provisioning for the hosts themselves, patching (host or guest), and compliance
  • System Center Virtual Machine Manager to provide VM provisioning and VM management
  • System Center Operations Manager to provide workload management and monitoring
  • System Center Data Protection Manager to provide VM backups and VSS integration and provide WAN-based replication

My question is this: how many additional servers are required to provide all this extra functionality? And how much does all this extra software cost? And how complicated is it to get all these components running together as intended? This is all good stuff, yes, but you can’t compare a fully fleshed out System Center infrastructure and Hyper-V with a traditional VI3 implementation. (More on that later.)

Jeff provides some tips and tricks for Hyper-V:

  • Minimize the risk to the parent partition. This means run Server Core, and don’t run anything in the parent that doesn’t absolutely have to be there.
  • When moving VMs from Virtual Server to Hyper-V, uninstall the VM Additions first.
  • Use at least two physical adapters in the host. One must be dedicated to host management. When using iSCSI, use dedicated NICs for iSCSI.
  • Connect the host to “back-end” management networks, but connect the guests to “front-end” production networks.

With regards to clustering, the setup of clusters in Windows Server 2008 has been greatly simplified. This helps provide high availability for virtual machines via the use of Failover Clustering with Hyper-V. I won’t go into any more detail on that as it’s been discussed extensively elsewhere in the Quick Migration vs. Live Migration threads.

The Hyper-V Integration Components are the equivalent of the PV drivers that XenServer and VMware also use; the idea is to provide vastly superior performance over emulated hardware devices.

Hyper-V is or will be localized in all server languages.

If you are going to run antivirus (AV) software on the parent partition, be sure to exclude the .VHD files. Be sure to run AV within the guest VMs; this will help ensure that unpatched offline VMs won’t inadvertently spread malware. On one slide, Jeff indicates that BitLocker is not yet fully supported with Hyper-V; Microsoft is still performing testing; on the next slide, he says that you can run BitLocker together with Hyper-V. I’m not sure which stance is correct. Can anyone clarify?

Next, Jeff moved into a discussion of various items. Mitigating bottlenecks is pretty straightforward and simple; same rules apply here as with other technologies. VHD Expansion/Compaction, especially compaction, is not recommended on a production system. Use ISOs wherever possible. Use the SCVMM library (think VirtualCenter templates) to simplify VM provisioning. Jeff recommends creating 2-way VMs so that the MP HAL is used; the MP HAL will work with single CPU VMs as well as multi-CPU VMs, but not vice versa.

At this point, Jeff concluded the session with a brief demo of Windows Server 2008 and Hyper-V.

Category: Security, Microsoft, Virtualization | No Comments »

The Dark Side of Virtualization

April 16th, 2008 by slowe

In The Four Horsemen of the Virtualization Security Apocalypse, Chris Hoff shines a great big spotlight on the dark side of virtualization security (or virtsec, as it’s increasingly being known). To quote from Hoff’s article:

Short of the notions I’ve discussed previously regarding instantiating the vSwitches into hardware and loading physical servers with accelerators and offloaders for security functions, there aren’t a lot of people talking about this impending set of challenges or the solutions in the short or long term.

This should be cause for alarm.

These issues are nasty. Combined with the organizational issues of who actually owns and manages “security” in the virtualized context, this stuff makes me want to curl up in a fetal position.

I agree with what Hoff has to say and I’m glad he’s taking the time to boil down the issues so that non-security-minded IT pros can really understand the problems. However, Hoff, I have to take you to task for one thing in your article: the kitten thing was just too much. Poor little kitten…

I particularly agree with Hoff’s #1 point (“Virtualized Security Screws the Capacity Planning Pooch”). The idea behind VMsafe and all these virtsec appliances is a great idea and all, but what about the overhead? At what point does having all this “extra” security so greatly bog down our virtualization engine that it’s no longer worth it to virtualize? And how do we actually, realistically begin to address this issue? Do we move the security functions into the hypervisor itself? And while this might address the performance concerns—although I don’t think so—isn’t this just instantiating Hoff’s vUTM?

One of the interesting things that I hope to be able to do soon is try to measure the overhead of some of the virtsec appliances that are currently available on the market. Not to publish any results or hit any vendors over the head with the information, but just to have a better idea for myself and my customers about how this stuff actually behaves in the real world. If anyone has already done that sort of thing and is willing to share their information with me, I’d be mighty appreciative.

I am curious about something—how many organizations are using a single physical host with VMs across different security zones? See, this is something that I would never recommend, and to me it seems like physically segregating your security zones into different virtualization environments solves a fair number of the concerns about the “dynamic data centers” created by VMotion, VMware DRS, and VMware HA. Or am I overlooking a critical aspect?

Category: Security, Virtualization | 7 Comments »

Virtualization Short Take #5

April 4th, 2008 by slowe

Here are some thoughts on a variety of links that passed by me over the last couple of weeks. (Yes, I’ve been a bit lax in getting another Short Take published. Sorry.)

  • Colleague Colin McNamara has written a good article about some of the challenges in integrating VMware into a Cisco network. He highlights something I’ve been saying for a while: a VMware implementation is more than just server virtualization; it affects servers, storage, networking, and security, and a good implementation requires addressing all of these areas as well as addressing things like staff organization and change management.
  • Christofer Hoff started a good conversation about the performance implications of virtual security initiatives. It’s something many people are probably overlooking. After all, have you stopped to consider the additional processing power that running security products either inside the VMs, or at the hypervisor level, or both, will take from your CPU pool? I have a feeling that those high server consolidation ratios may not be so applicable when you factor in the security overhead.
  • Per Duncan and Thomas, ESX Server 3.5 Update 1 will provide support for Microsoft Cluster Server (MSCS). Duncan also broke the news about the incorrect links for the update ESX ISOs.
  • Massimo has initiated a discussion, picked up by the VMTN Blog, about the current state of high availability. I’m not a clustering expert, although I’ve set up my share of Microsoft clusters for SQL Server and Exchange Server. In my simplistic view, MSCS and VMware HA don’t really solve the same problem; MSCS is stateful (or mostly so), and VMware HA is stateless. Would you rather have a reasonably stateful failover for your Exchange Server, or would you rather have it rebooted? Stateful failover is not something that can be easily achieved in the virtual world right now, unless you bring MSCS into the virtual world; that, in turn, creates its own set of challenges. Continuous Availability, as demonstrated at VMworld 2007, will bring stateful failover to the virtual infrastructure.
  • In the comments for the VMTN post about clustering vs. HA, reader “Matt” questions the use of NFS for VMware. In his linked article, he asks for a good white paper on why NFS instead of Fibre Channel. Well, I can’t provide a good white paper, but I can provide a couple useful articles, like this one or this one, to get started.
  • David Marshall at VMblog has published parts one, two, and three of a three-part series on best practices for securing virtual networks. I haven’t had the opportunity to finish reading all three articles yet, but it looks like it’s avoided becoming an advertisement for Reflex Security.

Well, that wraps it up this time. Thanks for reading!

Category: Security, Microsoft, Virtualization | 3 Comments »

LDAP Signing in AD Integration Situations

March 17th, 2008 by slowe

Reader Jeffrey Spear contacted me a while back with some problems he was experiencing in trying to integrate some Linux systems into Active Directory. Basically, Kerberos was working but LDAP wasn’t. He was able to use “kinit <AD username>” to generate a Kerberos ticket, but “getent passwd <AD username>” was not working. No error messages, nothing; it just didn’t work.

We traded e-mails back and forth for a while, and eventually he found the solution himself:

We work with a locked down version of OSs and in this case a domain policy on the Windows server was preventing the RHEL machines from accessing account info.  The policy was “Domain controller: LDAP server signing requirements” which was set to “Require signature.”  When I changed this setting to “None” it worked great.

This is good information and important to keep in mind; I’ll be sure to incorporate this into the next revision of the Linux-AD integration instructions. (No, I don’t have a timeframe on when that will be!)

In the meantime, if anyone has a workaround for this problem that will allow LDAP to work with signatures enabled or required, I’d love to hear it. Speak up in the comments below!
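As an added illustration (not from the original post or from Jeffrey’s message), here are two nss_ldap /etc/ldap.conf fragments: the first is the plain simple bind that a domain controller set to “Require signature” rejects, the second binds with SASL/GSSAPI using the Kerberos ticket that kinit already obtains and asks for an integrity layer, so the session is signed and the policy can stay on. The DC hostname, base DN, proxy account, keytab and cache paths are assumed placeholders.

```conf
# Added example, not from the post. Placeholders: dc1.example.com,
# dc=example,dc=com, cn=ldapproxy, /var/run/ldap.krb5cc, the CA file path.

# ---- 1. Weak: simple bind in the clear --------------------------------
# With "Domain controller: LDAP server signing requirements" set to
# "Require signature" the DC refuses this bind ("Strong(er) authentication
# required") and nss_ldap quietly returns nothing, so
# "getent passwd <AD username>" comes back empty with no error.
uri          ldap://dc1.example.com                 # placeholder DC
base         dc=example,dc=com                      # placeholder search base
ldap_version 3
binddn       cn=ldapproxy,cn=Users,dc=example,dc=com   # placeholder proxy account
bindpw       ChangeMe                               # stored on disk, sent unsigned

# ---- 2. Corrected: SASL/GSSAPI bind that satisfies the signing policy --
# Reuses the Kerberos ticket that "kinit" already proved is working.
uri          ldap://dc1.example.com
base         dc=example,dc=com
ldap_version 3
use_sasl     on
sasl_mech    GSSAPI
# minssf=1 negotiates a GSSAPI integrity layer, which is exactly what the DC
# means by "signing"; minssf=56 adds confidentiality (encryption) as well.
sasl_secprops minssf=1
# nss_ldap runs inside every process that calls getent, so the credential
# cache must be readable there. For system-wide lookups keep a host ticket in
# a fixed cache, refreshed from the host keytab by cron, for example:
#   kinit -k -t /etc/krb5.keytab -c /var/run/ldap.krb5cc host/rhel1.example.com
# Restrict that cache to the accounts that need lookups; a world-readable
# host ticket lets any local user act as the host.
krb5_ccname  FILE:/var/run/ldap.krb5cc

# Alternative the same policy also accepts ("unless TLS/SSL is being used"):
# keep the simple bind but wrap it in TLS.
#   ssl            start_tls
#   tls_cacertfile /etc/openldap/cacerts/ad-root-ca.pem   # placeholder path

# Schema mappings (nss_map_objectclass / nss_map_attribute lines) from the
# Linux-AD integration instructions are unchanged and omitted here.

# Quick check from a shell with a user ticket (OpenLDAP client tools):
#   ldapsearch -Y GSSAPI -O minssf=1 -H ldap://dc1.example.com \
#              -b dc=example,dc=com '(sAMAccountName=someuser)'
```

Changing the DC policy to “None” relaxes the requirement for every LDAP client in the domain, whereas the client-side change above only touches the RHEL machines that were failing.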

Category: Security, Linux, Interoperability | 2 Comments »

Virtualization Short Take #4

March 14th, 2008 by slowe

Once again, here’s my take on a few virtualization-related stories that have passed through my computer in the last few days:

  • OK, this first one isn’t technically related to virtualization, but it was too good to pass up. Is there anyone besides me and The Register who thinks NetApp’s new logo is…um…well, not as good as the previous one?
  • A new blog war is brewing between VMware and Citrix, and this time I had nothing to do with it: VMware apparently launched the first volley in discussing the value of ESX Server’s memory overcommitment and page sharing functionality; Citrix’s Roger Klorese then responded and Simon Crosby chimed in as well. I would completely agree with Roger’s and Simon’s comments, except for this one statement in Eric’s original post:

    We created and powered on 512MB Windows XP VMs running a light workload [emphasis mine] and kept adding them until the server couldn’t take any more.

    Since Eric stated the parameters of the test involved lightly loaded workstations, Roger’s comments about heavy workloads don’t apply. Besides, any engineer worth his/her weight isn’t going to overcommit a production workload like that, and this analysis shows that some overcommitment can produce notable financial results.

  • CIO Magazine recently published a list of 10 virtualization risks hiding in your company. It’s a pretty interesting list, although it’s worthwhile to note that this list was produced by a VP of Marketing for Embotics and therefore is heavily slanted toward the risks that his company’s products can help mitigate.
  • This is interesting and novel, but that’s about it. (UPDATE: The creator of the 37migrations VI plugin, Schley Andrew Kutz, wrote me to state that there is no point in 37migrations; it’s just for fun. So stop trying to find a deeper meaning in it, OK?)
  • There’s apparently a problem with using Sysprep in VirtualCenter 2.5 with Windows Server 2003 SP2. A Microsoft hotfix is available.
  • Speaking of NetApp, they’ve been generating some buzz around their SnapManager for Virtual Infrastructure (SMVI) product, yet another unreleased product. I echo Duncan’s thoughts about the VC plugin!
  • Gabe shares some information he’s gathered about VMsafe, the recently announced security APIs from VMware.
  • Alessandro shares his thoughts about Microsoft’s virtualization strategy following the announcement of Microsoft’s purchase of Kidaro. My question is this: was VMware’s announcement of offline VDI functionality at VMworld Europe 2008 because they had an inkling of Microsoft’s moves, or is Microsoft’s purchase a result of VMware’s announcement?

That’s it for today. Join in the discussion by adding your 2 cents in the comments below!

Category: Security, Microsoft, Virtualization, Storage | 9 Comments »

Walking a Fine Line

March 11th, 2008 by slowe

A recent post by Chris Wolf over at Data Center Strategies has highlighted the dangerous position of any market leader, although this post specifically discusses VMware and their leadership position in the x86 virtualization market.

The post discusses some of the backlash from storage vendors in response to the release of Storage VMotion by VMware. Storage VMotion, as you are probably already aware, offers VMware users the ability to move the storage for running virtual machines from one storage location to another storage location without downtime. It’s a pretty useful function, although the user interface isn’t too great. Apparently, the addition of this functionality to the VMware product offering has alienated some vendors who offered this feature within their own storage arrays. My personal view is that the vendors’ offering is probably faster, more robust, and more feature-rich than Storage VMotion, at least for now, and therefore storage vendors shouldn’t be so “up in arms” over this issue.

But this issue highlights the fine line that a market leader such as VMware has to walk. If they don’t add functionality to their products, then they lose the “innovation leadership” position in their market and run the risk of being overtaken by their competitors. After all, VMware needs to continue to distinguish itself from other virtualization competitors such as Citrix, Microsoft, and Virtual Iron. How else to distinguish themselves other than adding functionality that helps their customers improve their uptime?

On the other hand, as the market leader—VMware, in this case—adds functionality and features to their products, they run the ever-increasing risk that they are going to step on the toes of some of their partners. Consider the Determina acquisition, which has yet to yield publicly disclosed results. What’s going to happen when VMware unveils technology based on the Determina acquisition? They will be accused of isolating the security partners in the virtualization ecosystem. And yet, isn’t it natural that they would want to incorporate those security features within their own products?

It’s a difficult position. If VMware—or the market leader in other markets, like Microsoft with Windows in the OS market—strays too far one way or the other, they are accused of either a) failing to meet the needs of the customer for failing to add critical functionality; or b) being too aggressive in bundling functionality into the base product.

I certainly don’t envy VMware in their current position. With Citrix, Microsoft, and Virtual Iron all nipping at their heels, their stock taking a hit, and partner vendors complaining about the functionality they’re bundling into their products, it seems as if it’s coming from all sides.

Category: Security, Virtualization, Storage | 2 Comments »