Whitepaper: Providing LUN Security with VMware ESX Server

VMware has released a very interesting paper about Storage Area Network (SAN) security:

VMware ESX Server provides strong security and performance isolation for virtual machine storage. Each virtual machine sees only the virtual disks that have been presented to its virtual SCSI adapters. Virtual machines cannot see the physical Fibre Channel HBAs on the ESX Server host on which they run. Nor, in typical use cases, do they see the LUNs on which their virtual disks reside. Emerging mechanisms for LUN security in a virtual environment from Fibre Channel HBA vendors provide an alternative for accomplishing the same goals.

In a physical Fibre Channel SAN environment, LUN security is typically accomplished through a combination of LUN masking and zoning. Using these approaches in a vendor-recommended way ensures that a given LUN can be accessed only by a single host, as identified by the world wide names (WWN) of its HBAs.

In a virtual environment, this situation changes slightly. It is now possible to have multiple virtual machines on a single physical host. Furthermore, to facilitate the use of advanced technologies such as VMotion, multiple ESX Server hosts may have their LUN masking and zoning set up to allow for broad access, with control being maintained by VMFS, the distributed file system that is included as part of ESX Server.

As this document explains in greater detail:

  • Virtual machines can see and access only specific units of storage that the ESX Server administrator explicitly allows. This is true whether the virtual machine is using virtual disks on a VMFS file system or raw device mappings.
  • The operating system within the virtual machine cannot change its own storage access nor interrogate a unit of storage in a way that allows it to discover any other storage units not defined by the ESX Server administrator.
  • Special mechanisms are built in so concurrent access by multiple ESX Server systems to storage can take place safely. This protection enables advanced functionality such as VMotion.

Download it here.
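The whitepaper's point about zoning and masking is easy to get wrong in practice: a LUN is reachable only when the fabric zone allows the initiator to log in to the array port and the array's masking list names that initiator, and in a VMotion cluster the "single host" rule relaxes to "only the cluster hosts". The script below is an added example, not VMware's code or anything from the whitepaper, that audits a constructed zoning and masking configuration against those rules. Every WWPN, zone name, LUN id, host name and the cluster membership is made up for illustration; on a real fabric you would feed it the output of your switch's zone listing and the array's masking view.

```python
"""Audit of Fibre Channel zoning plus array LUN masking.
Added example; not VMware's or the whitepaper's code.
All WWPNs, zones, LUN ids and hosts below are constructed sample data."""

# Constructed fabric zoning: each zone is the set of ports allowed to talk to each other.
ARRAY_PORT = "50:06:01:60:3b:20:00:01"
ZONES = {
    "esx01_array":  {"10:00:00:00:c9:aa:00:01", ARRAY_PORT},
    "esx02_array":  {"10:00:00:00:c9:aa:00:02", ARRAY_PORT},
    "backup_array": {"10:00:00:00:c9:bb:00:09", ARRAY_PORT},
}

# Constructed array-side LUN masking: LUN id -> initiator WWPNs allowed to see it.
MASKING = {
    0: {"10:00:00:00:c9:aa:00:01", "10:00:00:00:c9:aa:00:02"},                  # shared VMFS datastore
    1: {"10:00:00:00:c9:aa:00:01"},                                              # host-private LUN
    2: {"10:00:00:00:c9:aa:00:01", "10:00:00:00:c9:aa:00:02",
        "10:00:00:00:c9:bb:00:09"},                                              # also masked to backup host
    3: {"10:00:00:00:c9:cc:00:04"},                                              # masked, but initiator not zoned
}

# Which HBA belongs to which host (constructed), and which hosts form the VMotion cluster.
HBA_OWNER = {
    "10:00:00:00:c9:aa:00:01": "esx01",
    "10:00:00:00:c9:aa:00:02": "esx02",
    "10:00:00:00:c9:bb:00:09": "backup01",
    "10:00:00:00:c9:cc:00:04": "lab01",
}
CLUSTER = {"esx01", "esx02"}


def zoned(initiator, target):
    """True when some zone contains both ports, i.e. the fabric lets them log in to each other."""
    return any(initiator in zone and target in zone for zone in ZONES.values())


def reachable_luns(initiator, target=ARRAY_PORT):
    """LUNs an initiator can actually access: zoning AND masking must both permit it."""
    if not zoned(initiator, target):
        return set()
    return {lun for lun, allowed in MASKING.items() if initiator in allowed}


def hosts_per_lun():
    """Map each LUN to the set of hosts that can reach it through any of their HBAs."""
    result = {lun: set() for lun in MASKING}
    for hba, host in HBA_OWNER.items():
        for lun in reachable_luns(hba):
            result[lun].add(host)
    return result


def audit(cluster=CLUSTER):
    """Findings as strings.  A LUN is acceptable when exactly one host reaches it
    (the physical-SAN rule) or when every host reaching it is a member of the
    cluster that shares it under VMFS.  Masking entries for initiators that are
    not zoned are reported too: they do nothing today but become live the moment
    someone adds a zone."""
    findings = []
    for lun, hosts in sorted(hosts_per_lun().items()):
        if len(hosts) > 1 and not hosts <= cluster:
            findings.append(f"LUN {lun}: shared by {sorted(hosts)}; "
                            f"outside the cluster: {sorted(hosts - cluster)}")
    for lun, allowed in sorted(MASKING.items()):
        for hba in sorted(allowed):
            if not zoned(hba, ARRAY_PORT):
                findings.append(f"LUN {lun}: masked to {hba} ({HBA_OWNER.get(hba, 'unknown host')}) "
                                f"which is not zoned to {ARRAY_PORT}")
    return findings


if __name__ == "__main__":
    for line in audit():
        print(line)
```

With the sample data the audit reports LUN 2, which the cluster hosts share legitimately but which the backup host can also reach, and LUN 3, whose masking entry names an initiator the fabric never lets near the array. Note that the guest operating systems inside the virtual machines never appear in this model at all: as the whitepaper says, they see only the virtual disks presented to their virtual SCSI adapters, so the audit is entirely about physical hosts and their HBAs.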

Virtualization to transform IT, says VMware founder

Quoting from ComputerWorld:

As founder and chief scientist at VMware Inc., Mendel Rosenblum has been in the thick of the development of virtualization technologies. He recently spoke with Computerworld’s Robert L. Mitchell and discussed how virtualization is changing the IT landscape.

CW: Ten years from now, how will virtualization have changed the PC and server landscape?

MR: Virtualization will provide all the computation, all of the disks and all of the networks in your organization. You’ll have decisions to make about when I buy more storage bricks or compute bricks based on scheduling of the workload I need to do. It might give me hints that I might need to buy more of this resource or the other, but it’s all totally anonymous to me.

That’s fundamentally different from the way we work today. Right now, people bring up a server and give it some name so they can personalize it. That will be gone in 10 years. You’ll no longer think of a server as being something other than how you think of a disk in a disk array today.

Today, you put the world’s most general-purpose operating system on [a server] so you can multipurpose it for anything you want. In a virtual world, you build virtual machines and just customize what you want to do. That’s a pretty different way of thinking about how computing goes on.

Read the whole article at source.

Thanks to VMTN Blog for the news.

Tool: Unofficial VMware Tools for Sun Solaris 10

Juergen Winkelmann (probably hearing me praying for months…) has released an unofficial VMware Tools set for Workstation 5.5.1 and ESX Server 2.5.1.

The package has the following features:

  • enter and leave console window without CTRL-ALT
  • copy and paste to and from console window
  • connect and disconnect removable devices through the “Devices” tab of vmware-toolbox
  • guest resizing through “Autofit Guest” and “Fit Guest Now” (only for Solaris 10 Update 1 (1/06) running on VMware WS 5.5.1)
  • delivery of heartbeats and configuration information to the host system through vmware-guestd

Missing features are:

  • shared folders (vmhgfs)
  • high speed network adapter (vmxnet)
  • memory management (vmmemctl)

Download them here.

If you are going to try this package, you may also find my guide on How to install Sun Solaris 10 inside VMware Workstation 5.5 useful.

Book: IBM Virtualization Engine Platform Version 2 Technical Presentation Guide

IBM Redbooks has released a book about the IBM Virtualization Engine 2.0:

This IBM Redbook provides foils and technical information presented as speaker notes that describe all the existing virtualization features and products included in the IBM Virtualization Engine Version 2. The IBM Virtualization Engine is the IBM delivery vehicle of the virtualization concepts; it includes innovations in resource virtualization as well as management, performance, modelling and visualization services for the infrastructure components in a heterogeneous environment. A new version of the Virtualization Engine was detailed in November 2005. The Virtualization Engine platform provides the foundation to build an infrastructure that is simpler to manage; it is based on open interfaces and industry standards. It provides a set of blocks for progressively building business oriented solutions, allowing clients to start where they want and to evolve at their own pace. This new version is made of Virtual Resources which are integrated into the IBM systems and Virtual Management and Access components which are a multi-platform offering of system tools for a variety of operating system environments. Some of the components have been available since December 2005; other components will be made available early in 2006.

This redbook is suitable for IT architects and for IT specialists who want to understand how the virtualization components fit into the Service Oriented Architecture, to understand the product offerings in detail or to plan a project that includes the use of these features and products.

Table of Contents

  • Chapter 1 – Introduction to the Virtualization Engine platform
  • Chapter 2 – IBM Director 5.10
  • Chapter 3 – Resource Dependency Service
  • Chapter 4 – The Virtualization Engine console
  • Chapter 5 – Enterprise Workload Manager
  • Chapter 6 – Integrated Virtualization Manager for pSeries and Virtual Partition Manager for iSeries
  • Chapter 7 – Security
  • Chapter 8 – Getting started
  • Chapter 9 – Virtual resources: server specific virtualization functions

Download it here.

Mellanox drives 10Gb/s InfiniBand into datacenters at enterprise gigabit Ethernet prices

Quoting from the Mellanox official announcement:

Mellanox Technologies Ltd, the leader in business and technical computing interconnects, announced the immediate availability of a 10Gb/s InfiniBand® adapter card priced at $125 for OEM volume purchase orders.

A single InfiniBand HCA card in each server and storage node is the only I/O adapter required to interconnect a highly scalable and reliable grid, as opposed to several multi-port Enterprise Gigabit Ethernet NICs and Fibre Channel HBAs. InfiniBand I/O consolidation simplifies cabling, eases system management, eliminates unnecessary fabric infrastructure equipment, reduces power, and delivers optimal total cost of ownership (TCO).

Virtual infrastructure solutions, like those from industry leader VMware, when deployed over InfiniBand will facilitate off-the-shelf data center applications such as CRM, ERP, order processing, financial, payroll, inventory management, and others to run transparently while realizing the inherent benefits of I/O consolidation and performance increase of a high bandwidth, low-latency interconnect. As part of the VMware Community Source program, Mellanox is taking a leadership position in cooperative development of high performance virtual infrastructure solutions based on VMware ESX Server.

“InfiniBand’s ability to partition I/O to multiple end-points, and consolidate I/O across data center applications holds the promise for added flexibility and cost savings within VMware environments,” said Bernie Mills, senior director of developer programs at VMware. “Mellanox has a clear commitment to delivering cost-effective virtual infrastructure solutions and has been actively involved in the VMware Community Source program since its inception. We continue to look forward to working with them in concert with other InfiniBand vendors within the community.”

Virtual machine rootkits: the next big threat?

Here is a very interesting topic for both virtualization.info and SECURITY ZERO, my blog about information security.

Quoting from eWeek:

Lab rats at Microsoft Research and the University of Michigan have teamed up to create prototypes for virtual machine-based rootkits that significantly push the envelope for hiding malware and that can maintain control of a target operating system.

The proof-of-concept rootkit, called SubVirt, exploits known security flaws and drops a VMM (virtual machine monitor) underneath a Windows or Linux installation.

Once the target operating system is hosted in a virtual machine, the rootkit becomes impossible to detect because its state cannot be accessed by security software running in the target system, according to documentation seen by eWEEK.

The prototype, which will be presented at the IEEE Symposium on Security and Privacy later in 2006

The group said the SubVirt project implemented VM-based rootkits on two platforms — Linux/VMware and Windows/VirtualPC — and was able to write malicious services without detection.

The group used the prototype rootkits to develop four malicious services—a phishing Web server, a keystroke logger, a service that scans the target file system for sensitive information and a defense countermeasure to defeat existing VM-detection systems.

The researchers also used the VM-based rootkits to control the way the target reboots. It could also be used to emulate system shutdowns and system sleep states.

Read the whole article at source.

My comments on this article are at SECURITY ZERO.

Webcast: How to cluster Microsoft SQL Server 2005 by using Microsoft Virtual Server

In January Microsoft released a Level 200 webcast that I missed:

This Support WebCast talks about Microsoft SQL Server 2005 and the many new clustering features that it offers. This session discusses these new features. It also provides step-by-step instructions about how to install SQL Server 2005 clustering on Microsoft Windows Server 2003. This WebCast demonstrates all the installation steps using Microsoft Virtual Server configured as a Windows Server 2003 cluster.

Take a look at presentation slides here, download the video here, or watch it in streaming here.

Thanks to Virtualserver.tv for the news.

Intel working on new virtualization implementations

Quoting from ZDNet:

“As we build future implementations, we’re making things perform better within the constraints of the architectural foundation, but without requiring software changes. Then we’re also extending the architecture,” Richard Uhlig, senior principal engineer at Intel, said during an interview at the Intel Developer Forum.

One planned improvement is a feature called extended page tables, an idea similar to an AMD virtualization technology called nested page tables. Both technologies speed up a facet of virtual machines dealing with memory.

In a computer without virtual machines, the operating system expects memory addresses to start at zero and work their way upward. But with many virtual machines sharing a computer’s memory, zero isn’t the starting place, and memory addresses skip from one patch to another, Uhlig said.

Consequently, one important job of a hypervisor is “page table shadowing,” which translates a virtual machine’s memory addresses to the real ones used by the actual computer. The more translation is required, the slower the virtual machine runs, and with programs such as databases that constantly switch among different patches of memory, the performance penalty can be anywhere from 10 percent to 25 percent, Uhlig said.

New versions of VT will get a feature called the page table walker, in which the processor rather than the hypervisor keeps track of that memory issue, he said. The overhead imposed “doesn’t drop to zero,” but will be much faster than the software-based function, Uhlig said.

But more sophisticated changes to networking are farther off because they require changes to the PCI standard that network cards and many other add-on devices use. For example, one idea that Intel plans to support is the splitting of a network card’s capacity among different virtual machines.

Work is under way at the PCI Special Interest Group to add features that will permit such splitting, said Rajesh Sankaran, an Intel senior staff researcher. The new specification is due later this year, and the first products supporting it are expected in 2007, he said.

Read the whole article at source.
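The paragraphs above on page table shadowing and the hardware "page table walker" (extended or nested page tables) describe a trade-off that is clearer in code. The following is an added example, not Intel's, AMD's or VMware's code: a small model with a guest page table, the hypervisor's own guest-physical to host-physical table, and two MMUs. The shadow MMU keeps a composed table the hypervisor must refresh on every guest page-table write (the trap cost), while the nested MMU pays for a two-dimensional walk on every translation instead. The four-level, 4 KiB-page geometry and the per-walk access counts (LEVELS for a shadow walk, LEVELS² + 2·LEVELS for a nested walk) are assumptions of the model, as are the sample page tables. The security property both designs share is also visible: a guest mapping that names a guest-physical frame the hypervisor never assigned faults instead of yielding a host address.

```python
"""Shadow page tables versus a hardware nested page walk, modelling the ZDNet
passage above.  Added example, not Intel's, AMD's or VMware's code: the page
tables, page size, level count and access-cost accounting are constructed."""

LEVELS = 4          # assumed: x86-64 style four-level radix page tables
PAGE_SHIFT = 12     # assumed: 4 KiB pages
PAGE_SIZE = 1 << PAGE_SHIFT


class Fault(Exception):
    """Translation refused: guest page fault or nested-table violation."""


class Guest:
    """Guest OS page table: guest-virtual page number -> guest-physical page number.
    The guest believes its physical memory starts at zero; these numbers are not real frames."""

    def __init__(self, gpt):
        self.gpt = dict(gpt)


class ShadowMMU:
    """Software approach ('page table shadowing'): the hypervisor keeps a composed
    guest-virtual -> host-physical table built from the guest table and its own map."""

    def __init__(self, guest, npt):
        self.guest, self.npt = guest, dict(npt)
        self.accesses = 0      # memory references spent on page walks
        self.traps = 0         # hypervisor interventions on guest page-table writes
        self.shadow = {}
        self._rebuild()

    def _rebuild(self):
        # Guest pages whose frame the hypervisor never assigned get no shadow entry,
        # so no shadow entry can point outside this VM's memory.
        self.shadow = {v: self.npt[g] for v, g in self.guest.gpt.items() if g in self.npt}

    def translate(self, gva):
        vpn, off = divmod(gva, PAGE_SIZE)
        self.accesses += LEVELS            # one ordinary LEVELS-deep walk of the shadow table
        if vpn not in self.shadow:
            raise Fault(f"shadow fault on guest-virtual page {vpn:#x}")
        return self.shadow[vpn] * PAGE_SIZE + off

    def guest_write_pte(self, vpn, gppn):
        # Guest page tables are write-protected: every update traps so the hypervisor
        # can refresh the shadow.  This is the overhead the article attributes to
        # workloads that constantly switch between regions of memory.
        self.traps += 1
        self.guest.gpt[vpn] = gppn
        self._rebuild()


class NestedMMU:
    """Hardware nested/extended page tables: the processor walks both the guest
    table and the hypervisor's table; guest page-table writes need no trap."""

    def __init__(self, guest, npt):
        self.guest, self.npt = guest, dict(npt)
        self.accesses = 0
        self.traps = 0

    def translate(self, gva):
        vpn, off = divmod(gva, PAGE_SIZE)
        # Two-dimensional walk: each of the LEVELS guest levels lives at a guest-physical
        # address needing its own LEVELS-deep nested walk, plus the guest entry reads,
        # plus a final nested walk of the resulting guest-physical address.
        self.accesses += LEVELS * LEVELS + 2 * LEVELS
        gppn = self.guest.gpt.get(vpn)
        if gppn is None:
            raise Fault(f"guest page fault on guest-virtual page {vpn:#x}")
        hppn = self.npt.get(gppn)
        if hppn is None:
            # The guest mapped a frame the hypervisor never gave it: the hardware refuses.
            raise Fault(f"nested-table violation on guest-physical page {gppn:#x}")
        return hppn * PAGE_SIZE + off

    def guest_write_pte(self, vpn, gppn):
        self.guest.gpt[vpn] = gppn     # plain memory write; nothing for the hypervisor to do


def faults(mmu, gva):
    """True when the MMU refuses the translation instead of returning a host address."""
    try:
        mmu.translate(gva)
        return False
    except Fault:
        return True


# Constructed sample tables (page numbers, not addresses); 0x99 is never assigned to this VM.
SAMPLE_GPT = {0x10: 0x5, 0x11: 0x6, 0x12: 0x99}
SAMPLE_NPT = {0x5: 0x200, 0x6: 0x201}


def run_workload(mmu_cls, translations, pte_writes):
    """Cost of a workload on either MMU: (walk memory references, hypervisor traps)."""
    mmu = mmu_cls(Guest(SAMPLE_GPT), SAMPLE_NPT)
    for i in range(pte_writes):
        mmu.guest_write_pte(0x20 + i, 0x6)   # guest remaps pages, as a busy database does
    for _ in range(translations):
        mmu.translate(0x10 * PAGE_SIZE + 0x40)
    return mmu.accesses, mmu.traps


if __name__ == "__main__":
    for cls in (ShadowMMU, NestedMMU):
        print(cls.__name__, "steady state:", run_workload(cls, 1000, 0),
              "with page-table churn:", run_workload(cls, 1000, 1000))
```

Running it shows the two cost profiles the article contrasts: the shadow MMU does 4 references per translation but takes a trap on every guest page-table write, while the nested MMU takes no traps and instead pays 24 references per walk (which is why the article says the overhead "doesn't drop to zero" and why real processors cache intermediate walk results). In both models the translation of guest-virtual page 0x12 faults, because the hypervisor's table, not the guest's, decides which host frames a VM may touch.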