Sunday, August 13, 2006

The Case For Virtualization

Part I

I read yesterday an article, EMC Becomes 'Virtual' Target by our old "frenemy" Bill Snyder of "" about Virtualization that inspired me to keep developing the subject for the blog.

Before getting into Snyder's article, I would like to restate some of the reasons why the topic of Virtualization is gaining relevance among technology investors and technologists. The reader may like to know that I have previously dealt with the subject in "Pacífica versus Vanderpool" and "AMD64 Practical with XP64 + VMWare Server", but I guess that I failed to justify why it is so important. Thus, if you are new to the subject, begin here. Mind you that I am not an expert in the subject, just an enthusiastic user.

What is virtualization?: A modern computer may "multiply" itself as many different computers running concurrently in the same hardware, that is, the same hardware may host different computers, so different, that they may be running different operating systems such as Mac OS X, Windows, and Linux and all. In VMWare's classic terminology, there is one computer running either Windows or Linux in which you install VMWare and convert it into the "host" of as many virtual computers (guests) as you choose. To accomplish this, VMWare is an application that simulates the different computers.

The top two providers of Virtualization technologies are the company VMWare, who offers free of charge an hypervisor (application that hosts the guests), VMWare Server, that may be installed on either Linux or Windows; and the Xen project, Open Source (and free of charge, of course) that runs on top of Linux. To ease and deepen the reach of virtualization, both Intel and AMD have developed extensions to their microprocessor architectures, AMD did "Pacífica", a more complete solution, and Intel "Vanderpool", which is harmed by the non-existence of an integrated memory controller. I don't know so well about Vanderpool, but if you want to take my anecdotical word for it, I fail to perceive performance differences between virtual computers running on top of my AM2 processor and the native "bare hardware" real computer. Microsoft is also getting into the fray preparing a repertoire of technologies relating to Virtualization.

From the perspective of a common day-to-day user, Virtualization is a really helpful technique:

1) Allows to run old operating systems (legacy) with those very old applications that don't work anymore in Windows XP and the like.

2) Allows to incredibly toughen the security of your Windows OS. Most friends I have are utterly unaware of how easy is to contaminate with malware a Windows computer and also are utterly misled on the impression that antivirus software, personal firewall, or even the Microsoft Updates will really help them protect their configuration and privacy. With regards to antiviruses and firewalls, they don't correct at all the problems, sometimes they just obfuscate the system making it harder to detect activated malware, and they stupidly deccelerate the computer for nothing. Regarding Windows Updates, nowadays they are so concerned with piracy that some actually send information about the computer to Microsoft, that is, they are spyware themselves, only that "officially sanctioned" by Microsoft. Question: Who's computer is your computer, Microsoft's or yours?...

A ColanderSeriously, Microsoft Windowzes have more security holes than a colander because there are many reasons, including Microsoft business reasons, for those holes. That is subject for many posts, but follow this lead if you want to know more about the subject.

What can be done, then? A clean windows system is relatively protectable. This can actually be done if you reduce your host computer to the bare minimum needed to host the virtual computers at top speed, eliminating the great mamajority of the hooks that malware exploits to infect your system, and then defer the work to virtual computers. In my host computers I tend to do the following:

  • To only install the Operating System,
  • the bare minimum of services,
  • to break the Internet Explorer on purpose,
  • not run nor install an antivirus, nor any non-open source software, including not installing printer or scanner drivers; with the exception of VMWare,
  • and never run on user accounts of adminitrative privileges but to really do administration.
Then, on VMWare, I create virtual machines to do these kinds of tasks:
  • Web Surfing
  • Video, Audio and Photographs editing and transcoding
  • Software Development
  • Network Administration
  • Printing, Scanning, and installing other device handlers
  • Nasty stuff such as software trials and dangerous experiments such as resizing an NTFS partition in KDE's QTParted.
All in different operating systems, working simultaneously in the same hardware.

Then, if any of these VMs is compromised by an operating system problem, a mistake, a virus, or whatever, the Virtual Machine acts as a sandbox in which the problem keeps contained without damaging the rest of my whole system. With the help of the host and other virtual machines, I can audit very deeply what may be wrong in any particular virtual computer, and learn a lot about misbehaving applications, viruses/worms/spyware in incubation, etc. In the worst case scenario, I simply go back to the latest known safe snapshot of the compromised virtual computer and keep doing business as usual in five minutes.

3) With that palette of VMs available, in any given moment, I fire up, "awake", the configuration for the task I want to do. Since it is possible to have open, "alive", as many virtuals as desired, I don't experience limitations on the tasks that I can do. Moreover, since the virtual machines are ultimately files in a harddrive, I can, through my 1GBps network, fire up a virtual machine in any of my hosts; thus, it really doesn't matter which physical computer I am using, I do the work exactly the way I like in the environment that I customized to my tiniest desire with the same virtual machine but running on a different host. This is "portability", and also reliability: If a catastrophe happens to a host, it is trivial to make its VMs to run in another.

4) It helps to consolidate: A large organization that provides many different services may need to multiply by every service its hardware and maintenance budgets. But since you can put toghether in the same computer partitioned through virtualization all of those services, configured to the exact specification that the application providers recommend, you slash the proliferating expenses of many computers to the expenses of only one powerful server. For AMD investors this issue is key, because Virtualization is by far the best excuse to go up the scale of the server: One dual processor to do the work it takes two single processor servers, one 8-way machine (with 16 or soon 32 cores) to do the work of 8 single processor servers. Intel, since quite frankly doesn't scale at all, and can't possibly be up to the robustness of the Pacífica (AMD-V) virtualization, is totally excluded of this market in fast growth.

5) It helps with efficiency too: Having many emulated different computers each with an operating system may seem redundant and inefficient, but in the end I have seen the opposite: For instance, since security, and other services are provided by the host and other VMs, I tend to install very thin and specific VMs. I install things like a mere Windows 98 Se stripped of everything non-essential to do web browsing, multiple computers who share a virtual read-only harddrive with the same configuration for applications (especially useful for Linux guests).

In the Windows world most applications assume too much about the computer. Some are as abusive as to demand administrative priveledges not only for installation, but for mundane usage. That's why most users introduce security risks in their computers without even knowing. Have you heard of the Sony rootkit scandal discovered by Mark Russinovich (see this article)?, well, that rootkit got installed when the user put one of the music CDs infested by Sony, regardless of whether the user didn't accept the terms of use (of course that the rootkit required the user to be running on admin privileges, but that's a digression on a digression). But some applications do not work if you don't completely disarm the security of the computer. For those applications, the sandboxing that VMs provide is ideal. Also, some applications, perhaps legitimately, prefer to have a very specific computer configuration, there the VMs also are ideal.

I have an example, my VM for video transcoding: I install there any codec that may do the job with total disregard for the security, in the end, I won't have viruses in the resulting XVid videos, but I couldn't do that with a "real" computer with other applications; thus I see a lot of *synergy* that improves efficiency. Don't tell anybody this secret, but I guess that you can install trial software in computers that "go back in time" and never expire the trial, especially if the computer doesn't have a way to connect to the internet... because it is virtual...

Like I was saying in #4, Virtualization demonstrates that the market is as performance-insatiable as it ever was, because it makes it practical, easy, to do "megatasking". My friends laugh when I tell them about the setups I have at home, they say that most of it is overkill. Then, one day they get to my place, and experience firsthand all the comfort and productivity that I get from my setups; then the next step is to ask me to help them do the same at their places. One of the primary reasons for my HW expenses is to get the most of virtualization.

See at the bottom of this article the "links to this post section" that provides the forward link for the Part II.