Image Management with VMware Mirage: The Wednesday Morning Cure for Patch Tuesday
You have all had that knot in the pit of your stomach. If you, like me, have ever managed an IT environment, you know what I mean. It happens every Wednesday morning after the 2nd Tuesday of the month. What patches did Microsoft release this time? How will it impact your environment? Will you be spending the next few days and nights testing and deploying patches, keeping your fingers crossed that the patches do not break anything?
What IT administrator would not want to manage only one or two Windows images? Everybody would like that, and let me tell you, it is possible!
Utilizing VMware Mirage, you can reduce the number of Windows images you need to manage, with an end goal of managing one image, or two at most (32-bit and 64-bit). Before you use Mirage, however, you have some work to do! You need clear processes, a well-defined management and update cycle, and people who can properly assess the level of urgency and relevance of those updates or patches. If you have those in place, then you are ready to implement a technology that supports simplified image management.
How Would It Work?
First, let us take a step back and think of what comprises a Windows environment. You have the base operating system, drivers for the machine, applications deployed on the PC, and user data. Mirage has these components organized into logical layers, as you see in Figure 1.
Figure 1: Components of a Mirage Desktop Image
All of these independent layers come together to give the end user a working PC (physical or virtual). You can see that there are a lot of variables, and it is a complex environment any day of the week. What happens when an unplanned update or patch comes around, one that is critical enough to warrant immediate deployment? Well, usually most of the testing goes out the window, and the bare minimum is validated to ensure no major catastrophe happens and that you do not lose your job.
Mirage can help you reach your end goal of managing that single Windows image. It can also reduce user downtime when a crisis happens. The way Mirage works is that it captures the state of a reference machine. You decide what is included in that image, so you can rest assured that it is something that works and that has been tested, and that it will not have any unwanted applications (that is, rogue applications). After you have clearly defined what will be in the image (OS, drivers, and a common set of applications), you can build the centralized virtual desktop (CVD) of the Mirage reference machine.
Now, using Mirage, you are ready to deploy that base layer to your environment. Optionally, on top of the base layer, which includes the core common applications, you can go one step further and build an application layer specific to a department and install applications that are unique to that department. So, for example, on top of one common base layer, you add an application layer that might be relevant for the HR department or the Finance department. Then you push the base layer, plus an app layer and a driver library, to your machines (virtual or physical), as in Figure 2.
Figure 2: Customizing the Windows Image with Mirage
The Cure to the Patch Tuesday Blues
Now that you have a solid construct of your tested and approved corporate Windows image, let us discuss how you can minimize your risk and user downtime when critical unplanned updates or patches arrive.
Using vSphere is recommended for your test virtual machines. This allows you to leverage the vSphere snapshot technology to preserve images before and after an application or patch is applied. You can also leverage other benefits of vSphere virtual machines such as vMotion and easy virtual hardware updates.
Each vSphere test virtual machine has the Mirage Client installed. You can have multiple test virtual machines if needed. For example, you can have one test virtual machine per department, and each virtual machine contains the customized departmental applications. The traditional method that vSphere administrators prefer is to take vSphere snapshots of the virtual machines at a particular point in time. You take such a snapshot just before deploying the updates or patches on those virtual machine desktops.
Using Mirage snapshot technology is recommended for the Mirage-managed endpoints. Mirage comes with a built-in snapshot mechanism that takes the worry out of desktop backups. At regular, defined intervals, Mirage takes an incremental snapshot of each user desktop. In Figure 3, you see that the system is configured to make an incremental backup snapshot once a day and keep the last seven successful snapshots. You also see that the system is configured to keep the last three successful weekly snapshots and the last 11 monthly snapshots. Setting a policy like this for a desktop gives the Mirage administrator a full year of snapshots for each Mirage-managed desktop, with the ability to roll back at a granularity as fine as one day.
Figure 3: Setting Mirage Snapshot Backup Intervals
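To see what the 7 daily / 3 weekly / 11 monthly policy above means for a rollback after a bad patch, the following added example (not VMware code, and not part of the original article) models which restore points remain and how far back you land. The 1-, 7- and 30-day spacing and the cascading selection are assumptions for illustration; Mirage's own selection logic may differ.

```python
# Added example: a simplified model of the retention policy described above.
# Policy counts come from the article; the 1/7/30-day spacing and the
# cascading selection are assumptions, not Mirage's documented algorithm.
POLICY = (("daily", 7, 1), ("weekly", 3, 7), ("monthly", 11, 30))


def retained_ages(policy=POLICY):
    """Return ages in days (0 = today) of the snapshots kept under the policy."""
    ages, age = [], -1
    for _tier, count, step in policy:
        for _ in range(count):
            age += step  # each tier continues where the previous one ended
            ages.append(age)
    return ages


def rollback_target(patch_age_days, ages=None):
    """Pick the newest snapshot taken before a patch installed N days ago.

    Returns (snapshot_age, gap_days), where gap_days is the time between that
    snapshot and the patch install, or None when no retained snapshot predates
    the patch. A same-day snapshot is treated as already patched.
    """
    ages = retained_ages() if ages is None else ages
    clean = [a for a in ages if a > patch_age_days]
    if not clean:
        return None
    newest = min(clean)
    return newest, newest - patch_age_days


if __name__ == "__main__":
    ages = retained_ages()
    print(f"{len(ages)} snapshots kept, oldest is {ages[-1]} days old")
    for noticed_after in (2, 6, 10, 30, 200, 360):
        target = rollback_target(noticed_after, ages)
        if target is None:
            print(f"patch from {noticed_after} days ago: no clean snapshot left")
        else:
            print(f"patch from {noticed_after} days ago: roll back to day "
                  f"-{target[0]}, gap of {target[1]} day(s) before the patch")
```

Under this model, one-day granularity holds only inside the daily window; a regression noticed a month after patching lands on a monthly restore point that can predate the patch by weeks.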
It is important to note that you do not have to back up all the desktops that are deployed within your organization. Some desktops are more important than others, such as desktops of Vice-Presidents or of HR personnel. You can set snapshot frequency and retention policy per collection of Mirage-managed endpoints.
Going back to the Patch Tuesday situation, you now have a method to try out those updates or patches on your protected Mirage endpoints. After you have tested those updates or patches on your test virtual machines and are satisfied that the updates or patches will not cause any issues, you can safely deploy them to the rest of your environment, knowing that if something happens, you can always roll back to the last successful snapshot of any Mirage-managed endpoint. Rolling back to a previous known state is as easy as clicking a button in the Mirage console, as in Figure 4.
Figure 4: Rolling Back to a Previous Snapshot
In conclusion, VMware Mirage works well with Windows XP, Windows 7, and Windows 8 or 8.1. If you are an IT administrator and you have suffered some sleepless nights due to Patch Tuesday, I strongly encourage you to try it out. After you have rolled out Mirage in your environment and lived through a few update cycles, you will ask yourself how you lived without such a solution in the past.