
Monthly Archives: June 2008

VMware Infrastructure Earns Common Criteria EAL4+ Certification | VMware Security Blog

From Eric Betts at the VMware Security Blog — something we’re very proud of.

Link: VMware: VMware Security Blog: VMware Infrastructure Earns Common Criteria EAL4+ Certification.

On May 20, 2008, VMware VI3
(ESX Server 3.0.2 & VirtualCenter 2.0.2) achieved Common Criteria
certification at EAL4+ under the Canadian Common Criteria Evaluation and
Certification Scheme (CCS).  EAL4+ is the
highest assurance level that is recognized globally by all signatories under
the Common Criteria Recognition Agreement (CCRA). …

VMware is the first and only
virtualization vendor for industry standard x86 hardware to successfully
complete the rigorous Common Criteria certification process. Although several operating system vendors
bundle virtualization technologies as part of their products, to
date, none have included virtualization technology as part of their Common
Criteria security certifications.

Storage VMotion and 10Gb Ethernet support for iSCSI SAN’s | VI Team Blog

Link: VMware: VI Team Blog: Storage VMotion and 10Gb Ethernet support for iSCSI SAN’s.

What is the new news?

In VMware Infrastructure version 3.5 we introduced Storage
VMotion, which does a live migration of virtual machine disk files from one
storage location to another without any disruption or downtime to virtual
machines and applications. Although Storage
VMotion is designed to work with any type of storage, it was initially supported
only with Fibre Channel SANs. As of Update 1, Storage VMotion is supported with
iSCSI SANs for moving virtual machine disk files in the following scenarios:

– From iSCSI SANs to other iSCSI SANs

– From iSCSI SANs to FibreChannel SANs

– From FibreChannel SANs to iSCSI SANs

In addition, we now support the use of 10Gb Ethernet for
iSCSI in a VMware Infrastructure environment.

PowerShell and Plugins: Communities Roundtable #6

We had a great call this morning on the sixth episode of the little podcast we like to call "VMware Communities Roundtable." Our focus was on automation and scripting of VMware Virtual Infrastructure. Joining us was Carter Shanklin, product manager for the VI Toolkit (for Windows) that uses PowerShell and a very useful set of commands to make a new tool that should be in every VI admin’s toolbox. Also joining us was Andrew Kutz, VI programmer, plugin-maker, and toolkit maker extraordinaire. As always, listen by clicking over to the right or download the mp3 directly. (49:56 duration)


That’s it for this week — see you next Wednesday.

A Look at Some VMware Infrastructure Architectural Advantages | Virtual Reality

If you’ve been wondering what the real differences are between VMware and other architectures and how that difference translates into benefits, read on. (For a slightly deeper dive, check out this 13-page white paper: VMware Infrastructure Architecture Overview.)

Link: VMware: Virtual Reality: A Look at Some VMware Infrastructure Architectural Advantages.

Our customers have been asking us for an explanation of the key
differences between the VMware ESX hypervisor architecture and the
Windows-based Hyper-V architecture they’ve been hearing about recently
from Microsoft.  We put together this summary explaining the elements
of the ESX architecture that we believe set it apart from Hyper-V and
Xen and the reasons behind some of our design decisions.  We thought it
would be interesting material for the readers of this blog, so take a
look and tell us what you think…

Complete Virtual Infrastructure


VMware ESXi – The Most Advanced Hypervisor

VMware ESXi 3.5
is the latest generation of the bare-metal x86 hypervisor that VMware
pioneered and introduced over seven years ago. The industry’s thinnest
hypervisor, ESXi is built on the same technology as VMware ESX,
so it is powerful enough to run even the most resource-intensive
applications; however, it is only 32 MB in size and runs independently
of a general-purpose OS.

The following table shows just how much smaller the VMware ESXi
installed footprint is compared to other hypervisors. These are results
from installing each product and measuring disk space consumed, less
memory swap files.

Comparative Hypervisor Sizes (including management OS)

| Hypervisor | Disk space consumed |
| --- | --- |
| VMware ESX 3.5 | 2GB |
| VMware ESXi | 32MB |
| Microsoft Hyper-V with Windows Server 2008 | 10GB |
| Microsoft Hyper-V with Windows Server Core | 2.6GB |
| Citrix XenServer v4 | 1.8GB |

As the numbers show, ESXi has a far smaller footprint than competing
hypervisors from vendors that like to label ESX as "monolithic."

The ESXi architecture contrasts sharply with the designs of
Microsoft Hyper-V and Xen, which both rely on a general-purpose
management OS – Windows Server 2008 for Hyper-V and Linux for Xen –
that handles all management and I/O for the virtual machines.


The VMware ESX direct driver architecture avoids reliance on a heavyweight Windows or Linux management partition OS.

Read the whole thing, as they say…

Introducing VAssert

VAssert is a new API, debuting in Workstation 6.5, that uses the Record and Replay functionality that we’ve been talking about for some time now. As you can tell by its name, VAssert is a relative of your standard programming ASSERT debugging tool, but by delaying assert-checking until later when the exact machine instructions are replayed, it can be very fast. That’s some virtualization Deep Magic.

VMware engineers Weiming Zeng and Min Xu give us this guest post on demonstrating VAssert within Apache, and include the Apache patches they used so you can give this a try at home.

A Virtual Buffer-overflow Checker for Apache

by Weiming Zeng & Min Xu

1 Overview

The Record and Replay feature in Workstation 6.5 introduces a new guest programming API – VAssert (Virtual Assertions). It is intended to let software developers move expensive program error checking, such as buffer-overflow detection, to the deterministic replay phase. But does VAssert live up to its promise? As an experiment, we applied VAssert to Apache httpd and wrote a simple buffer-overflow checker by modifying the memory manager in Apache Portable Runtime (APR). Compared with the same buffer-overflow checker implemented using traditional assertions, the virtual assertions incur 78.77% less runtime overhead.

2 The idea

Our idea to detect buffer-overflow is simple. When allocating memory, append a byte of magic number (the guard) to the end of the memory block; during execution, we frequently check whether the guard is changed. If so, a buffer-overflow is detected.


One of the benefits of this detector is that it is simple to implement. There is no need to intercept all (or most) memory accesses, as other detectors require. But this detector can cause a huge program slowdown if the guard bytes are checked frequently. The slowdown might alter a program’s behavior so that bugs disappear when the detector is activated. With a “virtual” detector, however, the slowdown happens mostly during replay time. Since the replay is deterministic, the detector can find bugs without altering a program’s behavior.
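The guard-byte idea described above, sketched in plain C as an added example; it is not the authors' APR patch and does not use the VAssert API. It wraps `malloc` instead of APR's memory manager, runs its checks inline (the "traditional assertion" cost the post measures against), and all names (`guarded_alloc`, `check_all_guards`, `GUARD_MAGIC`) are hypothetical. Blocks are never freed in this sketch.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_MAGIC 0xA5u   /* constructed magic value for the guard byte */

/* Header placed in front of every block so all live blocks can be walked. */
typedef struct guard_hdr {
    struct guard_hdr *next;
    size_t size;            /* bytes the caller asked for */
} guard_hdr;

static guard_hdr *live_blocks;

/* Allocate `size` usable bytes followed by one guard byte. */
void *guarded_alloc(size_t size) {
    if (size > SIZE_MAX - sizeof(guard_hdr) - 1) return NULL;
    guard_hdr *h = malloc(sizeof *h + size + 1);
    if (!h) return NULL;
    h->size = size;
    h->next = live_blocks;
    live_blocks = h;
    ((unsigned char *)(h + 1))[size] = GUARD_MAGIC;
    return h + 1;
}

/* Return 1 if the guard byte behind this block is unchanged. */
int guard_intact(const void *ptr) {
    const guard_hdr *h = (const guard_hdr *)ptr - 1;
    return ((const unsigned char *)ptr)[h->size] == GUARD_MAGIC;
}

/* The expensive part: walk every live block, count clobbered guards. */
size_t check_all_guards(void) {
    size_t bad = 0;
    for (const guard_hdr *h = live_blocks; h; h = h->next)
        if (!guard_intact(h + 1)) bad++;
    return bad;
}

/* Constructed demo: an off-by-one copy whose NUL lands on the guard. */
size_t demo_off_by_one(void) {
    char *ok = guarded_alloc(8), *bad = guarded_alloc(8);
    if (!ok || !bad) return SIZE_MAX;
    memcpy(ok, "1234567", 8);    /* 7 chars + NUL: fits in 8 bytes */
    memcpy(bad, "12345678", 9);  /* 8 chars + NUL: NUL hits the guard */
    return check_all_guards();
}
```

Calling `check_all_guards()` after every allocation or request is what makes the inline version slow; the post's point is that the same walk can be deferred to replay.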


Introducing VProbes: a stethoscope for your VM

(Because we include lots of screen shots in this video, I recommend hitting the little rectangular "full-screen" icon above to avoid straining your eyes.)

I asked VMware engineer Keith Adams to tell me about the new VProbes functionality first available in Workstation 6.5 and we made this little video together. If you’re familiar with DTrace, you will get the idea, but now imagine it from outside the VM and independent of the OS (both things we here at VMware specialize in).

Keith talked about VProbes last year in this blog post:

VProbes attempts to provide a set of tools for answering the question,
"What the heck is this computer doing?" It’s an open-ended question, so
vprobes is accordingly open-ended, as well. In its current form, it
provides an interactive, safe way of instrumenting a running VM at any
level: from user-level processes down to the kernel, and even into
VMware’s VMM and hypervisor, if need be.

I’m not sure if VProbes is useful out of the box for VI admins yet, but it’s a powerful tool if you’re interested in instrumenting your virtual machine.

As a simple trick, in this video Keith shows off a top replacement that is almost non-impactful to the VM it’s monitoring and works on either Windows or Linux. He also can look at what your OS is doing from the machine instruction of its birth to its final shutdown. Pretty powerful and cool stuff to build on.

If you’re interested in talking with Keith or learning more about VProbes, head on over to the VProbes Expert Session at the Workstation 6.5 beta site.

Deploying VI with Cisco | VMware Networking Blog

From our newest blog. Link: Deploying VI with Cisco | VMware Networking Blog.

Anyway, so what better time is there to announce the publication of an in-depth deployment paper jointly authored by Cisco and VMware. We posted this paper about a week ago on the vmware.com/go/networking site. It’s around 90 pages, so no short read; but it delves into many of the considerations, architectures, etc in deploying VI with Cisco switches.

Virtual web servers scale better than native

Link: Scaling real-life Web server workloads

Most real life web server workloads suffer from scalability issues such as those observed in our tests. In order to circumvent these issues, lots of businesses choose to deploy web server workloads on a multitude of one-CPU or dual-CPU machines. However, such an approach leads to proliferation of servers in a data center environment resulting in higher costs in both power and space usage. Virtualization offers an easier alternative to avoid software scaling issues as well as provide efficiency in power and space usage. This is because virtualization enables several complex operating environments that are not easily scalable to run concurrently on a single physical machine and exploit the vast compute resources offered by today’s power and space efficient multi-core systems. To quantify the effectiveness of this approach we measured SPECweb2005 performance by deploying multiple Apache/PHP configurations in a virtual environment. …

Thus, while the performance of each single-VCPU virtual machine is slightly lower than that of a one-CPU native machine (because of virtualization overhead), the cumulative performance of the multiple virtual machines well exceeds the performance of a large SMP native machine (because serialization penalties are reduced).

Customer webcast series: optimize your Windows environment with VMware

This upcoming customer webcast series is targeted at folks who administer Windows and are
relatively new to VMware so if you are already a VI expert, feel free
to tell others about this event! Here is the webcast description:

Windows environments are ripe for virtualization. Lack of simple and
effective high availability tools, complex management tools and server
sprawl create a huge management burden for Windows administrators.
VMware Infrastructure offers Windows administrators a better way to run
Windows, delivering improvements in reliability, availability and
manageability for Windows applications.

Learn from your peers the rewards and challenges of running Windows
applications on VMware Infrastructure. During this informative webcast
series, you’ll hear directly from customers how they are using VMware
Infrastructure to consolidate servers, simplify management tasks and
bring high availability and disaster recovery to their mission-critical
Windows applications like SQL, Exchange, or Citrix. You will also have
the opportunity to ask questions so don’t miss this opportunity!

Sign up today!

Deep dive on B-hive

Bernd Harzog over at Doug Brown’s place (DABCC.com) has a great deep dive with B-hive’s CEO and CTO. Link: Virtualization Management: VMware B-hive Detailed Product Review.

Why the Old Way No Longer Works
I get into how the product works, I want to spend a moment on why it is
important to do things in the way that B-hive does it. There is a right
way and a wrong way to do Applications Performance Management in
virtualized environments. The reason for this is that when you stick a
piece of software in a VM, the Windows OS (assume Windows for a moment)
no longer owns the clock (the hypervisor does). This means that
anything that counts time inside of a VM will do so incorrectly. This
includes management agents from systems management vendors and APM
vendors. This in turn means that you cannot collect resource usage
information or response times from within a guest and try to use that
information to infer anything about the performance of the application
running in the guest. Time based metrics include CPU utilization, Page
Faults per Second, Context Switches per Second, Disk I/O Reads/Writes
per Second, Network Bytes Send/Received per Second, and most
importantly any measure of the time elapsed between Event A (start of a
transaction) and Event B (end of transaction). So, neither resource
based metrics nor applications response time metrics collected from
inside of a guest VM are valid. All of this is described in a VMware Whitepaper
on the subject if you do not believe me. Bottom line – products that
install agents to measure resource utilization and/or response time in
virtualized guests do not work. So once you virtualize, a new way to do
APM is needed. …

By buying B-hive,
VMware did not just acquire yet another product that watched resource
utilization on servers. B-hive moved the ball forward in terms of how
to measure performance the right way (response time), with IT
Operations as the target audience. This will be a highly valuable tool
to VMware customers with virtualized servers, and will significantly
enhance the value of the VMware platform relative to competing
platforms from Microsoft and Citrix, neither of whom have anything like
this in their portfolios.

Grid Today also talks to VMware CTO Steve Herrod on the importance of this acquisition. Link: Does B-hive Acquisition Make VMware a Cloud Vendor?. [via]

To put it simply, Herrod says that Conductor is able to “think at
the level that applications that at,” as opposed to thinking at an
infrastructure level. Whereas most of VMware’s measurement tools focus
on machine metrics like CPU MHz or RAM usage, B-hive’s tool is able to,
for example, recognize what it looks like to report a Web page and what
it looks like when a Web page is returned to a user, and can then
report on the average time to provide a page. And it is just as
proficient looking into more complex, multi-tier applications, says

This application-level insight is increasingly vital to
VMware users, many of whom are implementing “VMware first” initiatives.
Large companies in particular, says Herrod, are putting all of their
apps in virtual environments, and they are not hesitant about
requesting more support in terms of performance tracking when they
migrate mission-critical applications to VMware. “From our standpoint,”
he says, “we saw a way to do performance better than it’s done on
physical systems, so we see it as another driver for people to bring
new applications into their systems.”

“We’re 100 percent serious
about making VMware the best place to run mission-critical
applications,” Staten stated. “And to the extent we make those easier
to manage and more available and more secure than when they’re running
natively, that’s absolutely our strategy — and this is one of the
pillars in doing that.”