More reactions about the VMsafe program introduced at Wednesday’s VMworld Europe keynote. The reactions are good, especially considering most people haven’t seen the actual technology yet. I think everyone is very conscious that opening up access to the hypervisor layer must be done very, very carefully — but at the same time everyone seems to be hoping that this opens the door to innovative new functionality only possible through virtualization. Who will deliver the "VMotion" of virtual security?

Alessandro Perilli gives a good introduction. Link: virtualization.info: VMware announces VMsafe APIs.

While security products like antivirus will still have to install
inside a dedicated VM, they will be able to monitor what’s happening
inside other virtual machines from a completely new perspective: the
hypervisor level.

This will allow checking which traffic is entering or leaving a VM,
or even which data is being executed inside it (looking at CPU states,
memory pages and OS processes list). All done in a transparent way.

The revolutionary approach has two remarkable benefits: first of all
it saves precious physical resources and management efforts without
duplicating the same security agent inside each guest OS, secondarily
it prevents the security agents from being directly attacked and
possibly disabled.

Christofer Hoff likes what he sees so far.  Link: Rational Survivability: VMware’s VMsafe: The Good, the Bad, the Bubbly….

…it’s a little early to opine on the extensibility of VMsafe, but I
am encouraged by the fact that we will have some more tools in the
arsenal, even if they are, in essence, re-branded versions of many that
we already have.

However, engineering better isolation combined with brokered
visibility and specific authorized/controlled access to the VMM is both
a worthy endeavor that yields all sorts of opportunities, but given my
original ramblings, makes me a bit nervous. …

I am sure we will see more claims surface soon suggesting with
technology such as this will produce virtualized environments that are
"more secure" than their non-virtualized counterparts.  The proof is in
the pudding, as they say.  At this point, what we have is a very
tantalizing recipe.

John Peterson has seen the APIs, and he does like what he’s seen. Link: Security In The Virtual World: VMSafe = A Safer More Secure VMWare Environment.

My educated guess though, is that most security vendors will just be
offering their existing security products that are in many cases
physical firewalls, anti-virus, UTM, etc. The real value will be from
solutions that bring unique value to the virtual environment vs.
network designs that dictate routing traffic out of the Virtual
Environment to a physical security appliance and back in.  The other
question is ; will the software vendors just be installing their
software on the operating systems of Virtual Machines vs. Physical
Machines? …

I’ve had the privileged of reading the API documents as the CTO of
Montego Networks which is also part of the VMSafe program that was just
announced and am very excited about the future possibilities of the
program.

Pete Lindstrom compares VMsafe to the history of kernel access in Windows. Link: Spire Security Viewpoint: VMware vs. Vista – Hooking the Kernel.

This is a timely announcement that should serve its purpose of
allowing some "authorized" access to kernel operations of the
hypervisor.

I say "authorized" because this approach stands in stark contrast to the challenges Microsoft had when it implemented Kernel Patch Protection,
which had an API to allow security products access to kernel
operations, also in an "authorized" manner. (I would enjoy hearing
about specific functional differences between Vista’s KPP API and
VMsafe).

Of course, the big difference is that it was essentially a time-honored custom to hook Microsoft’s kernel
in all sorts of unauthorized ways …

So VMware is doing what is widely seen as "the right thing" out of the gate.

And let’s give Alessandro the last word:

With VMsafe VMware has the unique chance to improve the efficiency and effectiveness of security products like never before. If the company will release the interface soon enough and its partners
will execute properly, VMsafe alone will be a reason valid enough to
adopt VMware Infrastructure.

VMworld Europe party photo: mikkahoo

Two bloggers just posted their detailed session notes from VMworld Europe 2008.

Mike Laverick @ RTFM Education:

• VMworld Europe 2008: Day Three: Breakout Session: VDI and “High” Performance Printing
• VMworld Europe 2008: Day Three:  Breakout Session: Software Licensing Exposed
• VMworld Europe 2008: Day Three:  Breakout Session (SP23) Virtualizing SQL
• VMworld Europe 2008: Day Two: Breakout Session: ThinInstall
• VMworld 2008 Europe: Day Two: Key Note
• VMworld 2008 Europe:  Day One: In the Solutions Exchange
• VMworld 2008 Europe:  Day One: Breakout Session:  Site Recovery Manager
• VMworld Europe 2008: Day One: Breakout Session: Introduction to Stage Manager
• VMworld Europe 2008: Day One: Breakout Session: Lifecycle Manage Technical Deep Dive
• VMworld Europe 2008: Day One: Key Note

Manlio Frizzi @ Virtual Aleph:

• Running SAP ERP on Vmware – a customer example
• VI3 networking – Advanced Configuration and troubleshooting
• Optimizing Storage for VDI
• Technical Track – What’s new in VI 3.5
• Technical Track – Honeypotting with VmWare (Basics)
• Technical Track – VI3 Networking Best Practice
• Technical Track – Vmware Stage Manager
• Technical Track – Vmware Lifecycle Manager
• Technical Track – Vmware Site Recovery Manager

Tarry Singh (normally blogging at Virtualization for Everyone), here representing the newly-refurbished virtualization.com, continues his series of video interviews from VMworld Europe 2008.

Be sure and check out Bogomil at about 9:00 minutes in where he answers the burning question: is the hypervisor becoming commodified? (I’ll give you a hint: he says no.  Bogomil spends a lot of time talking with customers, so he has some very interesting observations on what people find important in their virtual infrastructure and a reliable, proven platform is not something you can just pick up at the corner store.)

From the description: Virtualization.com bloggers Tarry Singh and Nicolas ‘Charbax’
Charbonnier sit down with Bogomil Balansky, VMware’s Senior Director of
Product Marketing at the VMWorld Europe 2008 Summit in Cannes. An open
discussion about VMware’s product line, a review of the role of a
hypervisor and commoditization and the competition VMware faces from
Microsoft and Citrix.

Many many many more video interviews from Tarry, Nicolas, and Robin at virtualization.com’s video blog.

VMware VP Steve Herrod on why our announcements about OEM shipments of ESX Server 3i are important.  Link: VMware Everywhere from Virtually There: Steve Herrod’s Blog.

A hardware-centric
philosophy

VMware has always believed that virtualization should be
integrated into hardware, always there to enable the computing resources’ full
power and capabilities. This hardware-centric philosophy differs from other
virtualization vendors that think of it as just another feature in a
traditional (and large) operating system. For this critical layer of your
datacenter, you should absolutely expect and receive the rock-solid
reliability, security, and performance that you are used to from hardware.
Expectations of modern operating systems are, shall we say, lower.

Size matters

Key to this vision is the new architecture that ESX Server
3i introduces. This architecture provides all the performance and reliability
features of ESX Server in a small, 32MB footprint. This is 1/50^th
the size of a typical Windows or Linux OS deployment! ESX Server 3i is the only hypervisor
that does not depend on a large, general purpose operating system to
function. This small footprint reduces
the amount of code that can have bugs in it, streamlines performance, and
minimizes the interfaces and code “surface area” that are the target of
security attacks. It is this new architecture that makes us confident that ESX
Server 3i will be the most reliable, highest performance, and most secure
virtualization platform around.

I had a hard time excerpting, because it’s all good. Read the whole thing.

Jae Ellers is excited, especially for the ease of deployment to remote sites and branch offices. Link: Mister VM: ESX 3i Embedded Availability Imminent.

VMware ESX 3i Embedded will be available from at least 4 major vendors
"real soon now". At least that’s the word on the street. I’ve
definitely heard similar things from my vendor contacts.

I’m
very excited about this since it will be great to use in some of our
regional sites. It’s tough to get disparate hardware in and have to
juggle configs around to get on that new hardware remotely. This should
really smooth things out.

Updated:

• Mauricio Freitas thinks we’re on a roll.
• More context and some quotes from Bridget Botelho at SearchServerVirtualization: Link: VMware ESX 3i server shipments imminent, HP, Dell say. Bridget quotes Andrew Kutz as not seeing the technical advantage of flash vs disk, but I think that’s a red herring. Two of the real differentiators are 32MB vs a full OS attached to the hypervisor and the ease of deployment because it’s all preconfigured and part of the hardware you just bought.

The VMworld.com crew’s take on Day 2, with a trip through the VMworld labs and ending with a peaceful shot of the beach. If you can’t be in Cannes, stay tuned for more news, reactions, and more.

Photo: fraposelli

You can check out VMworld Europe 2008 Wednesday keynote the same ways you did yesterday.

• Lode Vermeiren’s Twitter feed
• Alessandro Perilli’s liveblog at virtualization.info
• VMworld Europe keynote webcast

Neil Hallworth thought VMsafe was the most interesting. Link: VMWORLD EUROPE 2008: Wednesday Keynote.

Most significant (at least from a financial services perspective) is
the announcement of the VMSafe API. This allows hypervisor level
security protection of the VMs – encompassing the main elements of
isolation, introspection and interposition to provide protection in one
place. APIs to be published so that the security vendors can plug into
and exploit this new functionality. McAfee were up on stage to support
the announcement. It will be interesting to see if this pans out as a
replacement for guest level protection or if it is seen as an
additional layer of defence in depth. Great concept though.

More about VMsafe: press release, website

Adrian Bridgwater gives his rundown of the keynote.

vServices (and OVF) are actually also pretty cool technologies which haven’t been given much attention yet. I’ll see if we can get more information out there after the show.

Dave Marshall of VMblog talks with Brian Ducharme of Virtual Strategy Magazine with a podcast giving you a great overview of day one of VMworld Europe 2008. Dave has been around since first ESX Server beta test, so has a good perspective on the growth of the industry. Here he reports in a quick 8 minutes about the feel of the show (like VMworld US a few years ago), what he’s looking at (the new management and automation products), today’s keynote, and what he’s looking forward to tomorrow (co-founder Mendel Rosenblum’s keynote).

powered by ODEO

Photo: Wilbrand Schothuis

[Updated below.]

Alan Priestly @ Intel reports from VMworld Europe. Link: Thoughts from VMworld EMEA in Cannes.

Maybe it’s the free drinks of the welcome reception but 2 hours after
the breakout sessions have finished the show floor is still buzzing
with deep and serious conversations in every corner.

Yup, that’s what VMworld is like. Here’s a quote from VMworld 2006, but the vibe has stayed the same:

VMWorld
is a total buzz-o-rama, and I mean that in a very positive sense. …  I have to say that
VMWorld is more amped up than any show I’ve been to for a long time –
and almost everybody I met there that I knew said the same thing. … It was
head spinning. I haven’t had a big adrenaline rush like this at a trade
show – EVER.

Alan goes on to say:

Green is the overarching theme of this years EMEA VMworld in Cannes,
from the issues of data centre power all the way to the powerpoint
template used for every presentation thru to the shirts worn by VMware
staff.  … Walking the show floor key major themes are management, data backup
& security, Virtual desktop and of course Green IT with everyone
having their own spin on what this means. At previous VMware events in
EMEA around 50% of the exhibitors have been focused on Virtual desktop,
this year it feels that there is more of a bias towards management and
backup, but this may just be as a result of VMware expanding their
focus beyond their previous technical audience in EMEA. Either way VDI
is still a key element of many of the sessions and the show floor
booths.

Wilbrand Schothuis has a nice gallery of VMworld and Cannes pictures (including the one above), and I’d expect more to show up from Viktor van den Berg and rentgen as well.

[Update: Neil Hallword concurs. Link: VMWORLD EUROPE 2008: Solutions Exchange.

The whole atmosphere is lively and unremittingly positive – as in San
Fran in Sept 2007, all the attendees seem to be interested and
motiviated to get on with delivering on virtualistion opportunities.

]

Reaction to this morning’s VMworld Europe keynote are coming in.

Scott Lowe liked the desktop announcements, especially around offline VDI technology preview. Link: VDI
Announcements at VMworld Europe 2008

This is powerful stuff. The offline VDI stuff really enables an
entirely new way of thinking about VDI; it’s no longer about just
hosting desktops at the datacenter. Now it’s about providing a “golden
image” that users can run on the local machine when they’re not in the
office and on the server farm when they are in the office.

Lode Vermeiren on his "vmworld" Twitter channel during the keynote had this to say about our application virtualization technology (aka Thinstall): "Mark my words: This is fan-tas-tic technology!"

Adrian Bridgwater, blogging at ZDNet.co.uk, took notes on how Diane described the maturation of this virtualization. (We’ve been working on this for 10 years, and we think it shows.) Link: The evolution of virtualisation

1 – SEPARATION: the process of being able to test for all possible system configurations before deployment.

2 – CONSOLIDATION: after separation, the move to server consolidation can happen.

3 – AGGREGATION: this is the point at which a virtual data centre is
built to run services as per the requirements of the system. (British
Telecom was present to give a short presentation on its work building
11 data centres where it has apparently seen a 50% reduction in the
cost of physical servers.)

4 – AUTOMATION: this is the day-to-day operation of a self-managing data centre.

… and finally (and this is where we’re at today).

5 – LIBERATION: this is where data is utilised from the ‘greenest
available resource’ and workloads are moved around (globally) to make
sure this happens on the biggest and best scale possible. In Greene’s
own words this type of technology is an, “Early step towards cloud
computing.”

[Update: we’ll come back to desktops later, but I also wanted to call attention to this from Michel Roth: Link: Scalable Virtual Image – Thincomputing.net.

A relatively small engineering effort from VMware yielded an
announcement at VMworld Europe that could have a severe impact on VDI
implementations: the Scalable Virtual Image.

Why do I say "relatively small engineering effort"? Well, because
it’s based on the existing "linked clone" technology that you probably
already use today in VMware Workstation (6 and onwards).

Why do I say "could have a severe impact on VDI implementations"? Well,
because as of today, one of the drawbacks of implementation VDI still
is the storage requirement. Sure, there are lots of companies out there
that are jumping in to fill this void (streaming, other cloning
technologies) but the fact that these are other companies also implies additional costs.

Anyway, the technology is not available today but this is very interesting stuff to watch