VMTN Blog

From Eric Betts at the VMware Security Blog -- something we're very proud of.

Link: VMware: VMware Security Blog: VMware Infrastructure Earns Common Criteria EAL4+ Certification.

On May 20, 2008, VMware VI3 (ESX Server 3.0.2 & VirtualCenter 2.0.2) achieved Common Criteria certification at EAL4+ under the Canadian Common Criteria Evaluation and Certification Scheme (CCS).  EAL4+ is the highest assurance level that is recognized globally by all signatories under the Common Criteria Recognition Agreement (CCRA). ...

VMware is the first and only virtualization vendor for industry standard x86 hardware to successfully complete the rigorous Common Criteria certification process. Although several operating system vendors bundle virtualization technologies as part of their products, to date, none have included virtualization technology as part of their Common Criteria security certifications.

Link: VMware: VI Team Blog: Storage VMotion and 10Gb Ethernet support for iSCSI SAN's.

What is the new news?

In VMware Infrastructure version 3.5 we introduced Storage VMotion, which does a live migration of virtual machine disk files from one storage location to another without any disruption or downtime to virtual machines and applications. Although Storage VMotion is designed to work with any type of storage, it was initially supported only with Fibre Channel SANs. As of Update 1, Storage VMotion is supported with iSCSI SAN’s for moving virtual machine disk files in the following scenarios:

- From iSCSI SANs to other iSCSI SANs

- From iSCSI SANs to FibreChannel SANs

- From FibreChannel SANs to iSCSI SANs
 
In addition, we now support the use of 10Gb Ethernet for iSCSI in a VMware Infrastructure environment.

We had a great call this morning on the sixth episode of the little podcast we like to call "VMware Communities Roundtable." Our focus was on automation and scripting of VMware Virtual Infrastructure. Joining us were Carter Shanklin, product manager for the VI Toolkit (for Windows) that uses PowerShell and a very useful set of commands to make a new tool that should be in every VI admin's toolbox. Also joining us was Andrew Kutz, VI programmer, plugin-maker, and toolkit maker extraordinaire. As always, listen by clicking over to the right or download the mp3 directly. (49:56 duration)

Links:

• www.vmware.com/go/powershell  - the home page for the VI Toolkit (for Windows) (aka PowerShell toolkit) on the VMware site
• blogs.vmware.com/vipowershell  - the blog for said toolkit. I talked about Carter's two blog entries using spreadsheets and PowerShell, but if you're interested in this at all, just go read the all the posts. You'll get the hang of it by the time you've skimmed them.
• communities.vmware.com/community/developer/windows_toolkit - the developer community
• we talked about several PowerShell books.
  • Good intro book: free Windows PowerShell workshop book
  • More advanced stuff: Windows PowerShell v1.0: TFM, 2nd Edition
  • Very advanced: Windows PowerShell in Action
• Fun with PowerShell and VMware from Mike Laverick
• vip-svmotion.sourceforge.net - SVMotion plugin
• vitfordotnet.sourceforge.net - VI toolkit for .NET
• vijava.sourceforge.net - VI Java
• akutz.wordpress.com - Andrew Kutz's blog
• a profile of Andrew at the VMware Developer Center blog
• Andrew's articles at SearchServerVirtualization.com

That's it for this week -- see you next Wednesday.

If you've been wondering what the real differences are between VMware and other architectures and how that difference translates into benefits, read on. (For a slightly deeper dive, check out this 13-page white paper: VMware Infrastructure Architecture Overview.)

Link: VMware: Virtual Reality: A Look at Some VMware Infrastructure Architectural Advantages.

Our customers have been asking us for an explanation of the key differences between the VMware ESX hypervisor architecture and the Windows-based Hyper-V architecture they've been hearing about recently from Microsoft.  We put together this summary explaining the elements of the ESX architecture that we believe set it apart from Hyper-V and Xen and the reasons behind some of our design decisions.  We thought it would be interesting material for the readers of this blog, so take a look and tell us what you think...

Complete Virtual Infrastructure

...

VMware ESXi – The Most Advanced Hypervisor

VMware ESXi 3.5 is the latest generation of the bare-metal x86 hypervisor that VMware pioneered and introduced over seven years ago. The industry’s thinnest hypervisor, ESXi is built on the same technology as VMware ESX, so it is powerful enough to run even the most resource-intensive applications; however, it is only 32 MB in size and runs independently of a general-purpose OS.

The following table shows just how much smaller the VMware EXSi installed footprint is compared to other hypervisors. These are results from installing each product and measuring disk space consumed, less memory swap files.

Comparative Hypervisor Sizes (including management OS)

VMware ESX 3.5	2GB
VMware ESXi	32MB
Microsoft Hyper-V with Windows Server 2008	10GB
Microsoft Hyper-V with Windows Server Core	2.6GB
Citrix XenServer v4	1.8GB

As the numbers show, ESXi has a far smaller footprint than competing hypervisors from vendors that like to label ESX as "monolithic."

The ESXi architecture contrasts sharply with the designs of Microsoft Hyper-V and Xen, which both rely on a general-purpose management OS – Windows Server 2008 for Hyper-V and Linux for Xen – that handles all management and I/O for the virtual machines.

           

The VMware ESX direct driver architecture avoids reliance on a heavyweight Windows or Linux management partition OS.

Read the whole thing, as they say...

VAssert is a new API, debuting in Workstation 6.5, that uses the Record and Replay functionality that we've been talking about for some time now. As you can tell by its name, VAssert is a relative of your standing programming ASSERT debugging tool, but by delaying assert-checking until later when the exact machine instructions are replayed, it can be very fast. That's some virtualization Deep Magic.

VMware engineers Weiming Zeng and Min Xu give us this guest post on demonstrating VAssert within Apache, and include the Apache patches they used so you can give this a try at home.

A Virtual Buffer-overflow Checker for Apache

by Weiming Zeng & Min Xu

1 Overview

The Record and Replay feature in workstation 6.5 introduces a new guest programming API – VAssert (Virtual Assertions). It is intended that software developers can use it to move expensive program error checking, such as buffer-overflow, to the deterministic replay phase. But does VAssert live up to its promise? As an experiment, we applied VAssert to Apache httpd and wrote a simple buffer-overflow checker by modifying the memory manager in Apache Portable Runtime (APR). Comparing with the same buffer-overflow checker implemented using traditional assertions, the virtual assertions incur 78.77% less runtime overhead.

2 The idea

Our idea to detect buffer-overflow is simple. When allocating memory, append a byte of magic number (the guard) to the end of the memory block; during execution, we frequently check whether the guard is changed. If so, a buffer-overflow is detected.

One of the benefits of this detector is that it is simple to implement. There is no need to intercept all (or most) memory accesses, as other detectors require. But this detector can cause a huge program slowdown if the guard bytes are checked frequently. The slowdown might alter a program's behavior so that bugs disappear when the detector is activated. With a “virtual” detector, however, the slowdown happens mostly during replay time. Since the replay is deterministic, the detector can find bugs without altering a program's behavior.

(Because we include lots of screen shots in this video, I recommend hitting the little rectangular "full-screen" icon above and avoid straining your eyes.)

• Ask questions at the VProbes Expert Session
• VProbe Toolkit at Sourceforge
• VProbes Reference Guide (pdf)

I asked VMware engineer Keith Adams to tell me about the new VProbes functionality first available in Workstation 6.5 and we made this little video together. If you're familiar with DTrace, you will get the idea, but now imagine it from outside the VM and independent of the OS (both things we here at VMware specialize in).

Keith talked about VProbes last year in this blog post:

VProbes attempts to provide a set of tools for answering the question, "What the heck is this computer doing?" It's an open-ended question, so vprobes is accordingly open-ended, as well. In its current form, it provides an interactive, safe way of instrumenting a running VM at any level: from user-level processes down to the kernel, and even into VMware's VMM and hypervisor, if need be.

I'm not sure if VProbes is useful out of the box for VI admins yet, but it's a powerful tool if you're interested in instrumenting your virtual machine.

As a simple trick, in this video Keith shows off a top replacement that is almost non-impactful to the VM it's monitoring and works on either Windows or Linux. He also can look at what your OS is doing from the machine instruction of its birth to its final shutdown. Pretty powerful and cool stuff to build on.

If you're interested in talking with Keith or learning more about VProbes, head on over the VProbes Expert Session at the Workstation 6.5 beta site.

From our newest blog. Link: Deploying VI with Cisco | VMware Networking Blog.

Anyway, so what better time is there to announce the publication of an in-depth deployment paper jointly authored by Cisco and VMware. We posted this paper about a week ago on the vmware.com/go/networking site. It's around 90 pages, so no short read; but it delves into many of the considerations, architectures, etc in deploying VI with Cisco switches.

Link: Scaling real-life Web server workloads

Most real life web server workloads suffer from scalability issues such as those observed in our tests. In order to circumvent these issues, lots of businesses choose to deploy web server workloads on a multitude of one-CPU or dual-CPU machines. However, such approach leads to proliferation of servers in a data center environment resulting in higher costs in both power and space usage. Virtualization offers an easier alternative to avoid software scaling issues as well as provide efficiency in power and space usage. This is because, virtualization enables several complex operating environments that are not easily scalable to run concurrently on a single physical machine and exploit the vast compute resources offered by today’s power and space efficient multi-core systems. To quantify the effectiveness of this approach we measured SPECweb2005 performance by deploying multiple Apache/PHP configurations in a virtual environment. ...

Thus, while the performance of each single-VCPU virtual machine is slightly lower than that of a one-CPU native machine (because of virtualization overhead), the cumulative performance of the multiple virtual machines well exceeds the performance of a large SMP native machine (because serialization penalties are reduced).

This upcoming customer webcast series is targeted at folks who administer Windows and are relatively new to VMware so if you are already a VI expert, feel free to tell others about this event! Here is the webcast description:

Windows environments are ripe for virtualization. Lack of simple and effective high availability tools, complex management tools and server sprawl create a huge management burden for Windows administrators. VMware Infrastructure offers Windows administrators a better way to run Windows, delivering improvements in reliability, availability and manageability for Windows applications.

Learn from your peers the rewards and challenges of running Windows applications on VMware Infrastructure. During this informative webcast series, you'll hear directly from customers how they are using VMware Infrastructure to consolidate servers, simplify management tasks and bring high availability and disaster recovery to their mission-critical Windows applications like SQL, Exchange, or Citrix. You will also have the opportunity to ask questions so don't miss this opportunity!

• Webcast 1: Optimize Your Windows Environment with VMware July 10, 9 a.m. PST
  Learn how HelioVolt uses VMware Infrastructure to increase efficiency and availability of their Windows environment.

• Webcast 2: Consolidate Your Windows Workloads with VMware August 12, 9 a.m. PST
  Hear how Johnson Controls virtualized mission-critical Windows applications with VMware, including SQL, Citrix and their Java applications.

• Webcast 3: Increase Availability of Your Windows Environment with VMware September 25, 9 a.m. PST Join us as ViaHealth shares its experience with using VMware Infrastructure to provide high availability and disaster recovery to their Windows applications.

• Webcast 4: Simplify Management of Your Windows Environment with VMware October 9, 9 a.m. PST Find out how T-Systems uses key features of VMware Infrastructure — like VMware DRS and VMware Update Manager — to increase productivity and improve overall business agility within its Windows environment.

Sign up today!

Bernd Harzog over at Doug Brown's place (DABCC.com) has a great deep dive with B-hive's CEO and CTO. Link: Virtualization Management: VMware B-hive Detailed Product Review.

Why the Old Way No Longer Works
Before I get into how the product works, I want to spend a moment on why it is important to do things in the way that B-hive does it. There is a right way and a wrong way to do Applications Performance Management in virtualized environments. The reason for this is that when you stick a piece of software in a VM, the Windows OS (assume Windows for a moment) no longer owns the clock (the hypervisor does). This means that anything that counts time inside of a VM will do so incorrectly. This includes management agents from systems management vendors and APM vendors. This in turn means that you cannot collect resource usage information or response times from within a guest and try to use that information to infer anything about the performance of the application running in the guest. Time based metrics include CPU utilization, Page Faults per Second, Context Switches per Second, Disk I/O Reads/Writes per Second, Network Bytes Send/Received per Second, and most importantly any measure of the time elapsed between Event A (start of a transaction) and Event B (end of transaction). So, neither resource based metrics nor applications response time metrics collected from inside of a guest VM are valid. All of this is described in a VMware Whitepaper on the subject if you do not believe me. Bottom line - products that install agents to measure resource utilization and/or response time in virtualized guests do not work. So once you virtualize, a new way to do APM is needed. ...

Conclusion
By buying B-hive, VMware did not just acquire yet another product that watched resource utilization on servers. B-hive moved the ball forward in terms of how to measure performance the right way (response time), with IT Operations as the target audience. This will be a highly valuable tool to VMware customers with virtualized servers, and will significantly enhance the value of the VMware platform relative to competing platforms from Microsoft and Citrix, neither of whom have anything like this in their portfolios.

Grid Today also talks to VMware CTO Steve Herrod on the importance of this acquisition. Link: Does B-hive Acquisition Make VMware a Cloud Vendor?. [via]

To put it simply, Herrod says that Conductor is able to “think at the level that applications that at,” as opposed to thinking at an infrastructure level. Whereas most of VMware's measurement tools focus on machine metrics like CPU MHz or RAM usage, B-hive’s tool is able to, for example, recognize what it looks like to report a Web page and what it looks like when a Web page is returned to a user, and can then report on the average time to provide a page. And it is just as proficient looking into more complex, multi-tier applications, says Herrod.

This application-level insight is increasingly vital to VMware users, many of whom are implementing “VMware first” initiatives. Large companies in particular, says Herrod, are putting all of their apps in virtual environments, and they are not hesitant about requesting more support in terms of performance tracking when they migrate mission-critical applications to VMware. “From our standpoint,” he says, “we saw a way to do performance better than it’s done on physical systems, so we see it as another driver for people to bring new applications into their systems.”

“We’re 100 percent serious about making VMware the best place to run mission-critical applications,” Staten stated. “And to the extent we make those easier to manage and more available and more secure than when they’re running natively, that’s absolutely our strategy -- and this is one of the pillars in doing that.”