
The Virtual Data Center

A Virtual Team Blog about the VDC and How To Get There

Archive for February, 2008

Next Gen Data Center = Virtual Data Center

February 29, 2008 By: Alan Category: data center, management, virtualization 1 Comment →

Dan Kusnetzky, over at his Virtually Speaking blog, has an excellent post this morning on requirements for the next generation data center. For me, I was jumping up and down on my couch Tom Cruise style with excitement because Dan has just described the exact foundations of the Virtual Data Center. The Next Gen DC is the VDC; they're one and the same. I routinely have to boil the VDC message down to the "elevator pitch": a 30-second overview of the VDC that anyone can understand and digest. While the verbiage is obviously different, Dan has the critical components:

  • Forget this piecemeal land grab that’s going on in the DC for virtual real estate right now and let’s start thinking about the VDC as a single, unified system for delivering applications. Everything works together as a Service (not a platform, however…the ADC has more to say about that on her blog). Buy today what’s going to work together tomorrow.
  • All systems are managed as one cohesive unit, again with the singular goal of delivering applications. Dynamic provisioning (both turning up and turning down), providing both proactive and reactive orchestration, will be a necessity.
  • Don't forget the users: the same VDC that can apply application policies must also be able to understand and manage user access policies. These policies govern both security and application behavior; the VDC must know when Alice is accessing Microsoft Exchange from her office desk, her home office, and her mobile device, and deliver Exchange in a manner appropriate to each of those circumstances.
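The third requirement is the one that turns into code in a hurry: something has to take "who, from where, on what" and decide how the application is delivered. The following is an added example, not code from this post or from Dan's list, of a small context-aware delivery policy. The network and device labels, the rule table and the delivery modes are assumptions; the point is the structure: an ordered rule list, first match wins, and anything that does not match (including labels the engine has never seen) is denied.

```python
"""Context-aware delivery policy for a hosted application.

Added example, not part of the original post or of Dan Kusnetzky's
requirements. Rule table, network/device labels and delivery modes are
assumptions chosen to illustrate the third bullet above.
"""
from dataclasses import dataclass
from typing import Optional

KNOWN_NETWORKS = {"corp", "vpn", "internet"}
KNOWN_DEVICES = {"managed", "byod", "mobile"}


@dataclass(frozen=True)
class AccessContext:
    user: str
    network: str   # where the request comes from
    device: str    # what it comes from
    mfa: bool      # whether the session completed a second factor


@dataclass(frozen=True)
class Rule:
    network: Optional[str]  # None matches any network
    device: Optional[str]   # None matches any device
    require_mfa: bool
    mode: str               # delivery mode granted when the rule matches

    def matches(self, ctx: AccessContext) -> bool:
        if self.network is not None and self.network != ctx.network:
            return False
        if self.device is not None and self.device != ctx.device:
            return False
        if self.require_mfa and not ctx.mfa:
            return False
        return True


@dataclass(frozen=True)
class Decision:
    mode: str    # "deny" when no rule applies
    reason: str  # audit trail: which rule fired, or why nothing did


# Ordered, first match wins. Anything not listed here is denied.
EXCHANGE_POLICY = [
    Rule("corp", "managed", False, "full-client"),       # Alice at her desk
    Rule("vpn", "managed", True, "full-client"),         # Alice's home office over VPN
    Rule("internet", "managed", True, "webmail"),        # managed laptop on an untrusted network
    Rule(None, "mobile", True, "sync-no-attachments"),   # her phone, from anywhere
]


def evaluate(ctx: AccessContext, policy=EXCHANGE_POLICY) -> Decision:
    """Fail closed: unknown labels and unmatched contexts are denied."""
    if ctx.network not in KNOWN_NETWORKS:
        return Decision("deny", f"unknown network label {ctx.network!r}")
    if ctx.device not in KNOWN_DEVICES:
        return Decision("deny", f"unknown device label {ctx.device!r}")
    for i, rule in enumerate(policy):
        if rule.matches(ctx):
            return Decision(rule.mode, f"rule {i} matched")
    return Decision("deny", "no rule matched (default deny)")


if __name__ == "__main__":
    # constructed sample requests for the user in the post
    for ctx in (
        AccessContext("alice", "corp", "managed", False),
        AccessContext("alice", "vpn", "managed", False),
        AccessContext("alice", "vpn", "managed", True),
        AccessContext("alice", "internet", "mobile", True),
        AccessContext("alice", "internet", "byod", True),
    ):
        d = evaluate(ctx)
        print(f"{ctx.network:8} {ctx.device:8} mfa={ctx.mfa!s:5} -> {d.mode:20} ({d.reason})")
```

Two design choices matter more than the particular rules. The reason string travels with every decision, so the same engine that enforces the policy also produces the audit record of why Alice got webmail instead of a full client. And the unknown-label checks mean that a new device class or network zone added to the directory does not silently match a permissive rule; it is denied until someone writes a rule for it.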

So in summary, thank you Dan for your NGDC, er VDC, requirement list. Consider me someone who thinks you are on to something, and pardon me while I wipe a single tear of joy and happiness from my keyboard.

VDC as a Service: Data Centers are Too Complicated

February 26, 2008 By: Alan Category: data center, management, virtualization No Comments →

Another vacation reference: you know how it is, it takes a few days to stop thinking about work when you start a vacation and takes a few days to stop thinking about relaxing when you get back to work. A recent article in the American Way magazine had a great column about Post Vacation Depression…but once again, I digress.

When I visit family, I always arrive to find a "technology punch-list" waiting for me. I don't mind; as my wife reminds me, they raised me, the least I can do is fix their laptops. This time it was building a new wireless network for one familial set and installing a Blu-Ray DVD player and optimizing their audio/video setup for another. Excellent! Both jobs were handled within two days and the rest of the week was pool time.

But while I was floating around basking in the warm Florida sun, my mind drifted back to the VDC, and it occurred to me that technology has become way too complicated for people who don't live and breathe it every day. The Wi-Fi family doesn't understand SSIDs or why I chose WPA-PSK over WEP for security; the DVD family doesn't understand the difference between HDMI and RCA or why routing audio through their TV pre-amp before their surround system dropped that sweet Blu-Ray 7.1 PCM stream down to 4.1. And they shouldn't have to. They simply want to surf the net from their porch and have a movie theater at home, respectively. They've earned it; they deserve to enjoy it without spending two weeks deciphering user manuals.

It’s the same thing for the Data Center and CIO. CIOs shouldn’t have to worry about what they’re using for OS virtualization, or how the software switches in their VDI pass VLAN data to their downstream application delivery controller. They just want to have a data center that hosts Exchange and have email available to users from their desks or over their SSL VPN connection from Singapore. Why should the CIO have to decide between 1Gb and 10Gb Ethernet? Who cares, as long as Exchange is available. Why should someone ever have to ask a sales person if a particular HDMI cable is v1.3? Why should they even know that there is a 1.3, much less the difference between 1.3a, 1.3, 1.2, etc?

So once again, it all comes down to "We want a service." Regardless of whether that service is Exchange, recliner surfing, or "3:10 To Yuma" in mind-blowing clarity at home. The VDC should become a service, where application data requests are passed in and application data responses are sent out. The CIO wants to turn up a new Exchange service in Dallas? Done. OS image copies kick off; network configurations and routing data are passed down to the data center provisioning platform; mailboxes are synced; 4 hours later, Dallas is passing packets. Worry about turning up the service, not the cogs that churn the machine. That's where the VDC should be headed. Otherwise, we're destined for a life of Wikipedia'ing sub-woofer crossover frequencies until we're old and gray.

Ok, so this was a rant that really went nowhere, but at least it’s helping get past that Post Vacation Depression.

Virtual OS Containers: What Are They?

February 25, 2008 By: Alan Category: data center, virtualization No Comments →

I've been asked a few times recently what the term "OS container" covers. In this day and age of virtualization terms being tossed around like pancakes (I'm assuming, of course, that you've been to a pancake toss and can visualize the chaos that this activity brings), it's a fair question. Here's how it breaks down:

On one side of the equation you have OS virtualization, where a complete OS install is virtualized to run on top of a software hypervisor. Think VMware Workstation or Server where you’re running Windows 2003 in VMware on a Linux box. The OS thinks it’s installed on real hardware, and the hypervisor takes care of emulating the guest hardware while running as software on the host. Applications running in this virtualized guest also think they’re running on hardware; actually, they don’t really care either way with modern operating systems because they just ask for hardware resources from the drivers and the kernel takes care of the rest.

On the other side we have two technologies: 1) application virtualization, like Citrix XenApp (previously Presentation Server, previously MetaFrame) and Microsoft SoftGrid (previously Softricity), where full applications are hosted on a server and streamed down to the user; and 2) application hypervisors (which also fall into the app virtualization category), which are apps that don't need a base OS to run and carry with them an environment to run locally on a desktop. Examples include the JVM and LiquidVM. These two technologies are similar in that they focus on virtualizing the application environment and not the OS; they differ in their delivery mechanism.

OS containers are a compromise between full OS virtualization and application virtualization/hypervisors. OS containers virtualize the bare minimum the guest needs and share running resources with the host, and by design they are much more portable than virtual OS images and more feature-rich than application hypervisors. Stated more technically, OS containers are OS-level virtualization: each container gets its own isolated view of processes, filesystem and network, but every container runs on the host's kernel rather than on a paravirtualized kernel of its own, which is what keeps the images compact and highly portable. They are also considered (at least right now anyway) to be more secure than virtual OS images because they don't include the excess OS junk that usually gets people in trouble, like open SMB ports, and they can run sandboxed. The caveat is that shared kernel: a kernel vulnerability reachable from inside one container is a vulnerability in every container on that host, so the isolation is only as strong as the host kernel. I'll avoid the discussion of whether it's even possible to run both paravirtualized and sandboxed for now. Maybe I'll leave that for another post. ;)

Cisco’s New 40-core CPU: Gotta Be Virtual

February 25, 2008 By: Alan Category: data center, virtualization No Comments →

Cisco announced today…or maybe hinted is a better term…its intention to release a new 40-core CPU. For what, well, we're still waiting for a few days. $100M does seem like a decent chunk of change to drop on R&D for some type of (what I assume will be a) general purpose computing chip instead of a more network-centric FPGA or ASIC, or using other generally available technology (à la AMD, Intel, etc.). If I had to venture a guess, I would assume that this CPU will be used to create completely isolated and sandboxed virtual environments while giving them control all the way down to the silicon. Something like combining what they do today with hardware virtualization on ACE and what they're doing tomorrow with hardware and software virtualization on Nexus. "Carve your IOS box into 40 routers/switches." And if you think about the work they're doing with software switches and their investment in VMware (who obviously does a tremendous amount of work with software switching and virtual networks), that could prove rather interesting.

I’m looking forward to Cisco’s post-teaser CPU announcement.

Why I Don’t Work on Planes

February 22, 2008 By: Alan Category: security No Comments →

Ahhh…back from a nice 1.5 week vacation in sunny Florida (hence the silence on the blog :) ). I’m relaxed, refreshed, and playing catch-up.

Being a frequent business traveler myself, I realize that planes are mostly occupied with people who are traveling to and from work related events; not filled with people like me flying to find a swimming pool. When I travel for business, however, I have a rule about working on planes. I don’t do it. Now sure there are exceptions, but I try to stick to this rule religiously. There are a number of reasons I’m so adamant about this rule:

  1. There’s no room to work in coach. No room to open the laptop, no room to move my elbows, no room to pull out my accompanying notebook, etc.
  2. Too many distractions, even with things like noise-canceling headphones. When I work, I like to focus. Building a new presentation isn’t like recreational reading to me, where I can drop in and out as people need to get up to use the restroom or the flight attendant brings more coffee. It would be like trying to write a paper while riding a bicycle in downtown traffic.
  3. …and most importantly, no privacy. The same reason I don't do analyst calls in an airport. In a city where there are so many technical travelers, I'm bound to end up next to someone who understands my business, if not someone who does exactly what I do. The last two times I've full-on worked on a plane I sat right next to one person who ended up being a customer (I was working on confidential roadmap data) and then the next time a woman who did my exact job but for a competitor. No kidding. It's just too risky for the business I do, IMO.

So on my relaxing flight back home from Florida, I happened to sit diagonally behind a person, sitting in an aisle seat, writing a Powerpoint presentation on the frequency and severity of helicopter “incidents” for an aviation company. And this wasn’t something I happened to catch while staring over his shoulder; this guy was working on the data for this one slide between Excel and PPT for well over an hour. How could I not look? Unfortunately for him, it was an aviation company I recognized, and you better believe I’m going to think twice about my next helicopter flight.

And that’s why I don’t work on planes.

Citrix Data Center: Citrix 1, Physical DC, 0

February 12, 2008 By: Alan Category: data center, management, virtualization No Comments →

There have been two really interesting pieces of news in the past few days regarding Citrix plans to move further into the Virtual Data Center arena:

CDC Helps Customers Transform Datacenter into Delivery Centers

Citrix integrates delivery tools

While I think there were some initial reservations when Citrix purchased XenSource (at least from those of us that live in the hypervisor world), their re-branding of Presentation Server to XenApp coupled with XenDesktop is an extremely powerful combination, especially since virtual environments* are bridging the gap between the OS and application hypervisors (à la Parallels and VMware's acquisition of Thinstall). Seems like a logical step.

But the coolest part of this info is the announcement of Citrix Workflow Studio. From what I can tell, this is the same Workflow Studio that's (or maybe that was?) built by Full Armor and was demoed at VMworld 2007. Assuming it's the same, this is one of the coolest products I've used in a long time. And truth be told, this one product is probably the straw that broke me out of my security silo. Sure, PowerShell is cool and powerful, but it is a scripting environment. And in the .NET/Visual Studio world we live in, we really need an intelligent PowerShell GUI manager to integrate into existing management solutions.

Just thinking about Workflow Studio (regardless of who owns it) puts a smile on my face, and I'm not typically a product guy nor a very happy guy. So for me to smile about a product, it's got to be life-changing. And in my mind, a product that integrates into existing management systems and provides an intelligent PowerShell manager…oh yeah, that's Data Center life-changing. Just think about the possibilities when MS releases 2008 with Hyper-V, System Center Operations Manager, and GUI-based PowerShell management. Dynamic data center, here I come! We'll have to wait and see if it's the same product and if/how Citrix is able to bring this to market with respect to their complete CDC vision.

*While these types of technologies are typically referred to as "virtual appliances", I believe that term is a complete misnomer, since "appliance" has a very specific definition in the data center world, and pushing down barebones operating systems and a hypervisor ain't the same thing. I prefer to use the phrase "virtual environments", à la OpenVZ, for these types of portable images. Who's with me? :)

Nested Hypervisor (In)Security

February 05, 2008 By: Alan Category: data center, security, virtualization No Comments →

Ben Armstrong posted two disturbing posts over at his Virtual PC Guy’s blog a few days ago (ok, longer than a few days…things have been busy, what can I say? ;). Not that the content is disturbing; quite the opposite, the content is excellent. It’s the implications of his posts that are disturbing. When coupled together, “When you have to run MS Virtual PC as admin” and “Running Virtual PC on top of Hyper-V” perfectly demonstrate the security risks of running an OS on a paravirtualized hypervisor.

So why is this bad? Let's say that I have a hypervisor exploit that attacks Virtual PC running Windows 98 (the author ran 98, so it seems like an easy target for me ;). I trick the author into loading my exploit in his 98 guest and I go about attacking his Virtual PC hypervisor. He has to run Virtual PC as admin because he needs to allow his guests to ping each other (yep, ping requires admin over software switching). So I "own" (I hate that term, but it works here) his Virtual PC with admin privileges to his 2003 kernel. His 2003 kernel is running paravirtualized on Hyper-V, so I can now target attacking Hyper-V without an escalation payload, making life much, much easier for me as an attacker. Once I "own" Hyper-V, I can start poking around and 1) manipulate any other guests running on the same hypervisor, and 2) start looking at ways to propagate my exploit to other Hyper-V installs via the virtual infrastructure.

Awesome! :)

I'm not saying paravirtualization is bad per se, but it does raise additional security-awareness issues. Like many things in technology, paravirtualization is an extremely powerful tool in the data center, if it's implemented correctly.

-Alan
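The chain in the post is really a trust-boundary graph, and the effect of "run Virtual PC as admin" is that one edge in that graph stops costing the attacker anything. The following is an added example, not from Ben Armstrong's posts or from this blog: a constructed model of the scenario in which each domain is a node and each edge carries the number of separate exploits (0 or 1) needed to cross it, with a 0-1 breadth-first search to count the fewest exploits from the Windows 98 guest to the other partitions. The domain names and the edge costs are assumptions that encode the post's reasoning, not measurements of any product.

```python
"""Exploit-count reachability over nested virtualization trust boundaries.

Added example, not from Ben Armstrong's posts or this blog. Nodes are
privilege domains; an edge (A -> B, cost) says that code running in A can
get code running in B at the price of `cost` additional exploits. Domain
names and costs are assumptions modelling the scenario in the post.
"""
from collections import deque


def exploits_needed(edges, start):
    """0-1 BFS: fewest exploits needed to reach each domain from `start`.

    edges maps a domain to a list of (next_domain, cost) pairs, cost being
    1 when crossing needs its own exploit and 0 when control of the source
    domain already grants the target.
    """
    best = {start: 0}
    q = deque([start])
    while q:
        node = q.popleft()
        for nxt, cost in edges.get(node, []):
            new = best[node] + cost
            if new < best.get(nxt, float("inf")):
                best[nxt] = new
                # zero-cost hops go to the front so nodes pop in cost order
                if cost == 0:
                    q.appendleft(nxt)
                else:
                    q.append(nxt)
    return best


def nested_vpc_on_hyperv(vpc_runs_as_admin: bool):
    """Trust graph for Virtual PC running inside a Hyper-V partition (assumed model)."""
    return {
        # guest to host process: the attacker's Virtual PC escape
        "win98-guest": [("virtualpc-process", 1)],
        # process to partition kernel: free if Virtual PC already runs as
        # admin, otherwise a separate local privilege escalation is needed
        "virtualpc-process": [("partition-kernel", 0 if vpc_runs_as_admin else 1)],
        # kernel to hypervisor: still needs a Hyper-V exploit, but kernel
        # code can reach the hypervisor interface directly
        "partition-kernel": [("hyper-v", 1)],
        # with the hypervisor under control, other partitions come for free
        "hyper-v": [("other-partitions", 0)],
    }


def cost_to_other_partitions(vpc_runs_as_admin: bool) -> int:
    """Fewest exploits from the Windows 98 guest to the other partitions."""
    graph = nested_vpc_on_hyperv(vpc_runs_as_admin)
    return exploits_needed(graph, "win98-guest")["other-partitions"]


if __name__ == "__main__":
    for admin in (True, False):
        print(f"Virtual PC as admin={admin}: "
              f"{cost_to_other_partitions(admin)} exploit(s) to reach other partitions")
```

The model is deliberately small, but the search is general: add nodes for the management network or for a second Hyper-V host, give the edges realistic costs, and the same function tells you which configuration change (dropping admin, in this case) puts an exploit back into the attacker's path.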

A new round of hardware.

February 04, 2008 By: Keith Category: administration, data center, management No Comments →

With all the exciting announcements in the last couple of weeks of all the new gear available, you would think there would be entries all over the place. But many of the new data center switch announcements from Juniper and Cisco were met with a sort of "what's the big deal" attitude. I think no one was too excited because customers have way too many options when they look at basic enterprise network infrastructure components. Of course, when we talk about advanced enterprise network infrastructure components that's a different story, and there are some announcements people can get excited about, but I didn't want to discuss those today.

I do, however, have to ask: is there anyone else out there thinking that the new Nexus 7000 operating system name, NX-OS, is an acronym for noxious? According to Merriam-Webster's definition we can include "constituting a harmful influence on mind or behavior…" Ok, I'm bending the definition a little bit because I dislike harmful influences on my mind. But wouldn't you think that Cisco could have stuck with an operating system that thousands of certified engineers already know? Some of the discussion regarding the reasoning for a new OS and its origins can be found at a Cisco blog site. The arguments for creating NX-OS are well reasoned and I suppose the individuals commenting there have argued this many times before. Omar S. in his comments says, "We gave you an internal architecture that you can build upon for the next decade, but wrapped it in familiar, comfortable packaging." Let's hope what he said is true, otherwise we'd all need to learn yet another syntax!