Get ready for virtualization to affect you, too

SAN FRANCISCO--If the average person has heard of virtualization at all, the idea probably left little impression beyond something to do with running corporate data centers packed with computing hardware.

But the era in which virtualization directly affects ordinary folks, too, is on its way.

The company in the forefront of the technology, an EMC subsidiary called VMware, drew 12,488 people to its VMworld conference here this week, and one theme of the show was the growing push to move the technology beyond the server realm. Initially that means PCs, but the company demonstrated its technology on mobile phones, too.

What is virtualization? Simply put, it lets a single computer run multiple operating systems at the same time in compartments called virtual machines. Each instance of an operating system runs on a virtualization layer rather than on the actual computer hardware. The company in charge of that foundational layer has tremendous power in the computing industry.

VMware CTO Stephen Herrod

(Credit: Screenshot by Stephen Shankland/CNET)

VMware has competition from Citrix, Red Hat, Microsoft, and others, but for now its head start, corporate alliances, and solid technology give it a lead in the market. Most of VMware's business comes from virtualizing servers, which lets companies replace a host of largely idle machines with one that's running full tilt, but the company is working to expand into many new markets.

Employee-owned IT
Before it met its present success in the server market, VMware got its start on PCs. Virtualization proved useful, for example, for developers who wanted to switch rapidly among different versions of an operating system to test their software or different versions of a browser to test their Web pages. VMware also can help people run Windows, Linux, and Mac OS X on the same machine--but again, that's not a mainstream need.

But as VMware sees it--and I think there's some merit to this belief--virtualization could become more widely used as a way to smooth the differences between people's own computer preferences and their employers' needs.

In the "employee-owned IT" vision, virtualization could let people put a corporate-managed virtual machine on an personal computer. The corporate partition would run only company-approved applications and could connect to the company network; the personal half could run the chaos of other programs that cause corporate IT folks to grind their teeth.

VMware has a technology--formerly called Virtual Desktop Infrastructure and now sporting the more palatable name of VMware View--that also could fit into this idea. With it, the brains of a PC actually run on a central server, with a person's local machine serving as a mechanism to show the display and capture mouse clicks and keystrokes. So an employee's corporate PC could actually be housed at the corporate and piped over the Net to wherever the employee happens to be.

VMware's View demonstration featured graphics acceleration using Microsoft's DirectX 3D graphics and full-motion video--albeit a with some jerkiness. Hardware support in newer Intel and AMD processors also speeds virtualization performance.

VMware View is latest twist on a technology called thin client computing. That approach has found a solid niche in some large businesses but that never has caught on widely. In my opinion, though, the greater challenge comes from an entirely different way of attaining the same centralized goals: cloud computing.

Cloud computing, in which applications run over the Web in Web browsers rather than natively on PCs, provides another way to provide access to corporate resources. It can't do everything, but it's gradually maturing as a way to run software. And it has the advantage of requiring only a modern browser rather than VMware's software.

VMware showed Google's Android system running on a Windows CE mobile phone through VMware virtualization software.

(Credit: Stephen Shankland/CNET)

Virtual phones
At VMworld, Chief Technology Officer Stephen Herrod and Srinivas Krishnamurti, director of emerging markets, also demonstrated virtualization on a mobile phone. Specifically, they showed a mobile phone using Windows CE 6.0 run Google's Android operating system, too.

"Why not virtualize the phone itself?" Herrod asked. "It's really becoming more of a mobile personal computer."

Why bother? VMware has two arguments.

Wyse Pocket Cloud and VMware View means people can get to their PC desktops with an iPhone.

(Credit: Screenshot by Stephen Shankland/CNET)

First is a mobile-phone version of the employee-owned IT vision, where a mobile phone could run corporate programs and access corporate resources in one mode and be used for personal tasks in the other. VMware touts two basic approaches--one in which the second operating system runs at the same time and one in which the phone could switch between the two modes.

The second is programming. Coders face a minefield of complexity when it comes to writing software that can work on many phones. Visa, which demonstrated a mobile application for checking credit card transactions running with VMware's mobile virtualization technology, expressed support for VMware's help in this domain.

The variety of "handset manufacturers, infrastructure, and telco restrictions...makes the mobile space--while exciting--very daunting," said Peter Ciurea, Visa's global head of product development. "Anything that opens the possibility of easy portability we're very excited about."

But here, too, VMware's ideas face complications. Offering a simplified foundation to programmers doesn't mean complexity vanishes--it just means VMware has to shoulder the burden through its software. And virtualization takes computing horsepower.

Of course, hardware steadily improves. Krishnamurti's demonstration used a phone with 256MB of memory, but he said in an interview VMware's technology works with 128MB, too.

VMware also showed Wyse Pocket Cloud software running on an iPhone in conjunction with VMware View to give a view of a Windows PC desktop--though the demonstration showed nothing more than panning around the desktop view.

More expansion
So VMware won't have a simple time conquering clients, though it has a credible shot at it. Fortunately for the company, it's also got many other irons in the fire.

Many of these are closer to VMware's core server virtualization business. The company is gradually expanding from its initial phase of adoption, in which virtualization was used to increase server efficiency, to a more elaborate idea in which the technology leads to a more flexible data center.

For example, virtual machines can be moved off busy servers to idle ones during peak ours of activity, then they can be moved back and the idle ones can be shut down when demand slackens. Increasingly, that sort of optimization is an automated process governed by policies set up in advance.

Srinivas Krishnamurti, VMware's director of emerging markets

(Credit: Stephen Shankland/CNET)

VMware also is trying to stake a claim on another facet of cloud computing, in which companies can shift workload from their own data center's virtualization foundation to one housed at a remote data center operated by a third party. At VMworld, the company announced that AT&T, Savvis, Terremark, and Verizon Business all are offering that cloud service. VMware also said it's trying to standardize its cloud-foundation interfaces through a standards group called the Distributed Management Task Force.

All of this means VMware is competing more than ever with Microsoft. That's not just because Microsoft offers virtualization software, but because Microsoft is accustomed to being one of the primary software foundations of the computing industry.

VMware is usurping Microsoft's position with many of its products. It has relationships with those who make computer hardware for computers, storage, and networking, and it's building ever-stronger relationships with corporate IT administration staff. Windows and management tools for it hardly are being relegated to the sidelines, but VMware's approach can make them more peripheral.

The company has plenty of work to make its full vision a reality. But it's working from a position of some strength.

[Maclover1]

Wow you can officially run OS X on VMware, as a VM? That would be news to me.

[chrisx1]

That not what it said. It said you can run them all on the same machine. It didn't say OS X would be running as a VM.

[Shankland]

With VMware's Fusion package, you can run Windows and Linux on an Intel-based Mac OS X system, but you can't run Mac OS X on a VMware virtual machine. http://bit.ly/14Bpgm

[ferricoxide]

You can only run OSX server edition within a VM. Given the sites, out there, that help with running OSX on generic Intel hardware, there's a decent chance you could run the workstation version as a VM, too, with enough cajoling.

[DesktopIntegration]

On Citrix, you have the ability to view just an "application" view running virtualized and not the entire desktop. This is VERY cool as the user thinks the app is still running locally and doesn't even realize virtualization of that app is occurring. It can even be "launched" with the click of a desktop ICON (or link on Iphone). I like that a lot because there of hundreds of 1000's of apps that could delivered in the "cloud" this way immediately.

My question is, isn't this a better direction? After all, we've had to bend the "browser" for too long now in an attempt to deliver RICH client applications as Web/SAAS/Cloud apps. If we just build rich apps as we always have (which is pretty darn easy) and deliver the app, virtualized to any user, anywhere in the world, you could all the benefits of a Rich app with all the benefits of the cloud, zero deployment, etc etc.,

The only issue is scalability but that's here now, or just around the corner. Running 10,000 VM's or 100,000 vm's is a walk-in-the-park.

Thoughts?

[Stormspace]

Virtualbox has a similar function that allows the user to run the virtualized OS in a seemless mode giving you a second set of menu's on your host OS to launch apps from. The apps run in virtual windows that can be displayed side by side with the host OS's applications. I haven't seen anything that allows the guest OS application to launch this way from an icon on the desktop however.

[ferricoxide]

Fusion/Workstation have "Unity mode". Basically, you run the apps without displaying the full desktop. You can even launch individual apps via icons and associate virtualized apps with specific filetypes.

[Ronlap]

Probably more Macintosh owners than PC owners are using desktop virtualization software on their systems. Like it or not, sometimes we need to live in a PC world, and Parallels, VMWare Fusion, and Apple?s Boot Camp allow us to run Microsoft Windows along side or instead of MacOS on our machines. At this point in time, Apple does not allow MacOS to be virtualized. Microsoft Virtual PC allows Windows XP and Windows Vista to be virtualized on the same or the other OS.

In addition to the ?convenience? of being able to run Windows on our systems we can gain a substantial amount of security. But let me back up for just a moment to describe an idea that?s been gaining popularity amongst workers while causing CIO heartburn.

Like it or not, many employees are using their own hardware for work. It starts with smart phones but soon extends to using their own desktops at home and finally ends up with employees bringing their favorite high-powered laptop into the office so that they don?t have to put up with that five pound two-year-old dinosaur that the IT department issued to them when they joined.

Some companies, most notably Citrix Systems, have embraced employees bringing their own systems to work calling it something like ?Bring Your Own Computer.? The company specifies some minimum capabilities and requirements but lets the employee choose whatever computing device they want. Minimum requirements might include buying a maintenance contract, locking down the USB ports, running antivirus software, and encrypting the hard drive.

Whether employee or company owned, home and work use tend to get mixed. How many of you can say that you never check your personal email or visit ebay at work or on a business trip? Wouldn?t it be better if you could separate home and work 100% without losing convenience?

Home and work can be kept separated through different accounts on the same OS, but a number of issues arise. For example, file permissions can be altered under one account to allow access from another account, and if the system is infected while using one account then all accounts are infected.

Running completely separate virtualized OS instances guarantees total separation. This can be done today on Mac or PC by using one of the hosted hypervisors listed above. As of the date this was written, if you want one OS to be MacOS then the other OS instance needs to be Windows because the MacOS license does not allow it to be virtualized. Another issue is that any virtualized OS needs to run as a guest on the another OS until a workstation class native hypervisor shows up. This means that if the host OS crashes, the guest crashes with it. Citrix and Intel have announced cooperation to develop a native hypervisor which will prevent this problem. I would assume that WMWare is going to do the same, because that's where all of the excitement is.

[Random_Walk]

Just three problems with the concept of users bringing their own computer into the workplace...

* legal liability. The acronyms BSA, RIAA, MPAA, and the like are ugly enough when it comes to enforcing legal compliance on hardware that the IT department owns and bought. Now you want to open 'em up to the can o' worms that come with Joe Sixpack bringing his laptop to work after his 'l33t hacker-wannabe kid got done parking warez on it the night before? Not seeing that one happen.

* security. Yes, virtual machines are quite secure... but the less chance of bleed-through, the better. Home and personal devices are usually far less secure than work ones.

* "...what do you mean I have to buy a laptop just to keep my job!?" I couldn't count the number of companies that would happily abuse the idea and force employees to supply and maintain their own laptops (or worse, they'd stretch their refresh cycles even longer than they are now to push the users into doing it).

[shootfirst]

I think Random_Walk makes the most sense.

It is better to have a separation of work and home devices period. No employee should be letting their kid on a machine that needs to be used for work. I had it happen at my last job and the kid broke the laptop since it had an external DVD drive and he was using it and broke off the USB connection when he was done causing the motherboard to not function correctly.

My current job at a college, grad students are being asked to furnish computers to use since the department doesn't want to give them updated computers. This is a disaster coming because the college doesn't have the technology and teaching them to use virtual machines is a nightmare since the students and faculty can barely manage to keep their data backed up, don't even want to have to explain how another version of their computer would work.

Biggest thing with a personal machine is that people tend to buy machines with little to no warranty which is not a good idea when you need a machine to actually work. When you go laptops and so forth getting spare parts for one when a component dies: motherboard or the screen you are going to spend quite a bit of money and this if you can actually find the part. I always get grief when I demand computers that are bought come with at least a 3 year warranty and people who buy a computer for personal use, the walmart special or so forth aren't going to look at a warranty on their laptop as a must have feature over the 500GB drive so they can load on all the files they never back up.

I like virtual machines, but they need to be made completely transparent to the user and never be an excuse for the company to pass the buck to their employees.

[ferricoxide]

@random_walk:
Welcome modern IT realities. BYOC is already a reality, many places, particularly smaller companies.

* Legal liability: the whole point of a corporate sanctioned VM is that it is _locked_down_. The liability for the corporation is pretty much solely in that container. Outside that container is where the employee's liability kicks in.

* Security: there's really not that much chance of "bleed through". The virtual OSes really aren't sharing things that the guest OSes are going to be able to break out from. The hypervisor sees to this separation. It's kind of like the old IBM mainframes that that ran multiple OSes: essentially, the hypervisor presents "dedicated" resources to the client OS. The guest OS is really only aware of that which is presented by the hypervisor. It's really only if you get control of the hypervisor that the separation disappears. The hypervisors, however, don't really provide the kind of framework to hack the containerized guest OSes.

* MANY employers already "force" their workers to buy their own equipment - either directly or indirectly. They've been doing this for YEARS with both laptops and cell phones.

[Random_Walk]

"The liability for the corporation is pretty much solely in that container."

This has yet to be tested in court, let alone proven.

Re: Security: Nice claims, but while yes, you can lock down that VM nice and tight, it will only last for so long... until the users start complaining that they can no longer use the thing, and suddenly you have a largely unused VDI cluster + a horde CxOs demanding to know why you're continuing to waste money and time on the thing.

"The hypervisor sees to this separation."

Two words: "Blue Pill". The hypervisor is absolutely no guarantee of absolute security.

Also, what I meant by "bleed through" has more to do with the users going out of their collective way to insure it than by the efforts of the s'kiddies... which in turn opens the gates.

"MANY employers already "force" their workers to buy their own equipment - either directly or indirectly."

Indeed - but for now they're forced to sit just on the legal side of labor laws. Want to give 'em an excuse to stride right across it?

Furthermore, there is one other aspect that I neglected to mention... despite the fact that the laptop/computer is employee-owned, I'm willing to wager any sum of money that the moment said laptop breaks, IT will still be stuck with supporting that user. If they do not, the employee loses productivity, and IT gets the blame. If they do, then IT stands a solid chance of getting bogged down by supporting a wild array of non-standard equipment in various states of disrepair and patch level, and gets blamed for excess wastage.

Again, I'd rather pay for decent machinery up front, if for no other reason than the fact that I can point to ROI savings very quickly in help desk maintenance issues alone.

[zyxxy]

For phones, there is already a virtualized run time in the form of 'Brew'. Brew apps run on any Brew enabled phone. It is sort of like Java, but specialized for the mobile phone environment.

As far VMWare-View, how is that different from Microsoft Remote Desktop or VNC? I use those two environments every single day.

[Random_Walk]

VMWare View gives each user their own entire (albeit virtual) computer. When you use RDC or VNC, you're likely sharing the computer with others, or the IT department has to punch not-so-secure holes in their firewall to let you do it. (View has a DMZ "Security" server).

Also, unless you set up a VPN first, your RDC/VNC connection is likely unencrypted. ;)

[tech_crazy]

Exactly!
I was just about to post the same but read through the posts to make sure it wasn't covered already.

[zyxxy]

Microsoft has a server version that allows multiple instances of Windows running on "big iron", each accessible via RDP. And yes, we connect through the VPN, so it is all encrypted.

Given the above, is there any great advantage to VMWare View over Windows Server? If you use View, do you need one 'Windows' license per running instance? I am not trying to be derogatory, I am just unaware of the usage model.

Also, given identical loads, for example 1000 active Windows users, does anybody have a feeling for the server load for one implementation vs the other?

[ywmc]

zyxxy,

That's called server-based VDI (aka terminal server based) and client-based VDI. One put the computing power on server, one let the client hardware do more work.

At this moment, you can say server-based has larger market share, but client-based model is gaining more momentum these days. Citrix probally the only company offers both.

Both has advantages and disadvantages, but it depends on your business need. A salesman may find client-based VDI is better because of its ability to take VM offline, but server-bases TS probably better running on supermarket case registers.

[Random_Walk]

"Microsoft has a server version that allows multiple instances of Windows running on "big iron", each accessible via RDP."

...and when your developer goofs and causes a race condition, crashing the machine... the same big machine which your payroll department is simultaneously using like mad to process end-of-year tax records? Everyone gets screwed until you fix it.

With VDI, the dev crashes his VM, only he gets screwed, and everyone else carries on as usual. Even better, the dev can be fixed in less than a couple of minutes, max (that is, worst-case where you have to clone a whole new VM for 'im). By contrast, your "big iron" often has a boot time that lasts up to 10 minutes or more (see also the Dell R-900 as a very big ferinstance).

To top all that off, with VMotion, I have zero client downtime if the "big iron" develops hardware issues.

[foobaz]

Biggest need for virtualization/compartmentalization on mobile phone space I see at the moment don't really stem from user needs, but device manufacturer and developer needs. At this phase, the functionality is completely hidden to the users, although it can help pushing more features to phones for less cost.

How, you ask. Well, Maemo, the "new" phone OS of Nokia is my darling in this environment. Currently, it's completely open to modification, even if some parts of it are closed source - you can replace them with your own, if you want. Maybe this is not so typical to happen, but it gives the developers lots of hope and trust on the platform that you're not on grace of manufacturer and operator. It brings issues, though: completely open system has to have physically separated cellular network modem (changes to which have to be approved by kinds of FCC), and any DRM on a device that could be imagined to be not "trivially unbreakable" has to be implemented on hardware. Both of these functionalities have been widely implemented on software side on more advanced, mature mobile OSes, such as Symbian. The issue with this is that developer tinkering on these devices ranges from very limited to nonexistent, which causes them despair. And without virtualization, the limitations are exactly the way how necessary functionality for these parts can be achieved.

Things can change, though. There are not many developers that would question the need for FCC-approved, well behaving cellular modem implementation. Fundamentalist DRM struggles aside, neither people are so concerned about devices supporting DRM, as long as that's not the only alternative for doing things. These pieces can be implemented in software, if the software can be verified (for instance through cryptographic trust) to be from trustable source, and hardware mechanisms (hardware assist for virtualization) provide sufficient trust on execution environment.

Now, if you add the virtualization software, you can move these functionalities to closed, trusted operating system image that can be updated and accessed only in limited ways - and you can have whole, completely open platform aside, using these functions if it wants, and having all the rest of the hardware except critical parts like raw cellular interface accessible to it. Why do this, instead of hardware? The cost of manufacturing can be reduced. Making virtualization suitably "hard real time" for cellular radio control is a bit of a challenge, but it's not impossible. In the end, everybody wins - at least if you're one of the people that think that for most part, users should have freedom to choose how they use their devices. (US mobile operators obviously aren't great fans of this stance, but it's really the only way high-end mobile market keeps its developing vigor.)

User-level virtualization can come to phones eventually - but if trusted compartmentalization has still things to do, it certainly takes some more time for whole, general-purpose user-level environments. In this regard, it's still a hardware limitation.

[DesktopIntegration]

The next problem is, for a user, running an app in one VM and another app in another VM means at best, you can only "automate" across them with a manual copy paste. My company has built connectors to allow application->application functionality and automation across multiple apps in different VM's. Building and maintaining optimized user workflows through automation is 1000x more ROI than just copy/paste :)

[therealgeeves]

xen is faster - something about being in the kernel.

[servermaker]

Wrong.

[Random_Walk]

Actually, it is not.

I actually have the love for the FOSS version of Xen, but it has some problems:

1) performance still sucks compared to ESX.
2) Citrix will charge you a friggin' mint to use it if you want a feature set that even comes close to a typical VMWare VI/vSphere install, and it still won't even come close.