In-Depth
Living in a Virtual World
Virtualization is here to stay, so make sure you're using the right tool.
Desktop virtualization software has long been a staple for savvy Windows administrators who use it for software testing, pilot projects, training and so on. Virtualization is proving to have much broader appeal throughout the general IT community, though. One increasingly widespread use for virtualization tools is executing desktop applications.
Rather than installing individual applications on your Windows machines, you can install each one onto a dedicated virtual machine. The idea is to segment each major application into a unique workspace. This way you avoid "DLL hell" and "registry rot" by keeping your base Windows system pristine.
Virtualization software is well-suited for getting around such conflicts, avoiding security issues and preserving a safe operating system state on your network. Your Windows XP or Windows 2000 desktop system can "become" several computers. You can also run any of several operating systems: Linux, Windows 95, Windows Vista--nearly any x86-based operating system.
For example, when you run Internet Explorer, you could do so exclusively within a virtual machine (VM). The issues IE has with security or spyware would no longer matter, because they would only affect the VM. Virtualization software lets you quickly and easily "roll back" a VM, so if it's compromised in any way, you could simply click on a button to go back to the VM's original "clean" state.
Go Virtual
Virtualization software runs on top of your computer's host operating
system. For example, VMware, Virtual PC and Altiris SVS all run on the latest
versions of Windows. There is also virtualization software for Linux, Mac and
other host operating systems.
Virtualization software lets you create one or more VMs, which are self-contained
"sandboxes." Each VM has its own virtual hard drive, virtual CD-ROM, virtual
network adapter and all the other hardware a physical computer would have--even
a virtual BIOS. Each VM runs a guest operating system, which can be completely
different from your physical computer's host operating system.
Every VM is allocated resources like memory, since they all share time on your
system's CPU(s). You can start, stop or even pause operations (similar to hibernating
a physical computer) on a VM. This gives you the flexibility to run what you
want, whenever you want.
Some virtualization software provides tight integration with your host computer. For example, your VM might be able to map a "network drive" to a folder on your host computer. This would make it easier to share files between the two, or even let you drag files from your host computer into the VM. These various integration features often require that you install helper software within the VM itself.
VMware Workstation 5.5
VMware is the most mature of the major virtualization packages for Windows
hosts. It includes a varied menu of features, including tight integration between
the guest and host operating systems using "additions" from VMware that you install
on each VM. The advanced integration lets you drag-and-drop between guest and
host, share folders between guest and host, capture smooth mouse pointer movement
when using a VM and so on.
It also gives you much greater flexibility in how you organize your virtual workspace. You can set your VM windows to an arbitrary size. The VM software then resizes the VM's screen resolution to match the window size. That means your VM windows aren't restricted to standard resolution levels like 800 x 600.
Like most virtualization software, Workstation lets you "roll back" the VM
to an earlier state. You do this by taking snapshots of a VM that is currently
running or that has been shut down. A snapshot manager lets you enter descriptive
comments for each snapshot so you can keep better track of them. Then at any
time, you can roll back the current VM to an earlier snapshot state.
Figure 1. VMware Workstation lets you keep track of the status of system state snapshots so you don't inadvertently roll back too far.
You can also use a snapshot of a shut-down VM as the source of a clone, which
can either be complete or linked. A complete clone is simply a new virtual hard
disk that contains everything in the cloned snapshot. A linked clone is also
a copy of the snapshot, but it's based on the snapshot itself, meaning it won't
use as much disk space to create the clone.
You can then use clones as the basis for new VMs. One practical example is to create a VM, then install an OS and the latest service packs. Clone that VM five times to produce five brand-new VMs with the OS and service packs installed. In their starting condition, the five new VMs will only occupy a few kilobytes of disk space each beyond what the original VM is using.
The latest version of Workstation supports x64 guest operating systems and has experimental support for two-way symmetric multiprocessing (SMP) for guests. This means you can assign two virtual processors to an individual guest. It can also convert Microsoft Virtual PC VMs and Symantec LiveState images into Workstation VMs. This is a hugely compelling feature that has major ramifications for backup and disaster recovery. If you use LiveState to perform system backups, any backup can become a "live" virtual machine.
VMware also offers a free Player application--a unique option. The Player lets anyone execute the VMs that you've created with VMware Workstation. However, the Player won't let them create new VMs or modify a VM's configuration.
You can use the Player to create and distribute a VM set up to run a specific application, for example (perhaps an application that requires a legacy OS like Windows 9x). This is another enormously compelling feature that sets Workstation apart and opens a number of new possibilities for using and distributing VMs. The only downside to the Player application is that, like Workstation, it's available for both Windows and Linux.
Why is that a downside? In order to maintain parity between platforms, VMware doesn't build in many Windows-specific features, like centralized management through Group Policy. The ability to centrally control and configure the Player through Group Policy, for example, would make the Workstation/Player combination a killer for many organizations.
Microsoft Virtual PC 2004
Microsoft's Virtual PC is one of the original virtualization tools. It
was first released in 2004, and has since had a single service pack released that
introduced a few functional changes.
Microsoft's documentation for
Virtual PC 2004 is clear and easy to follow. The software includes most of the same features as VMware, but notably lacks a tabbed environment to make it easier to work with multiple VMs. For some reason, Microsoft seems shy about adding tabs (think of Internet Explorer). Instead, each VM simply opens in a new, independent window. This is definitely less functional than VMware's interface.
Microsoft provides "Virtual PC Additions" software to install within each VM. This provides tighter host integration, such as dragging and dropping files, sharing folders with the host and so on.
Any of the virtualization software discussed here can run any x86-based guest operating system. In the past, Microsoft's support policy made this confusing. Microsoft wouldn't provide technical support for non-Microsoft operating systems. (That seems reasonable enough. Would you call Microsoft about a Linux issue?) However, that didn't mean Virtual PC couldn't run Linux. Microsoft's current support policies are more broad-based with regard to guest OS support.
Virtual PC provides undo or rollback features similar to VMware, although it uses different terminology. For example, Virtual PC lets you install Windows inside a VM. You can then create a differencing drive on that VM's virtual hard disk. The differencing drive, which is initially just a few kilobytes in size, seems to contain the exact same data--the Windows OS install--as the virtual hard disk on which it was based.
You can then create a new VM that uses the differencing drive as its virtual hard disk, meaning the new VM starts off looking like a clone of the original VM. Any activity you perform within the new VM, however, won't affect the underlying Windows OS install. This way, it also preserves a safe or original state.
You can create multiple differencing drives from a single virtual hard disk. Practically speaking, this means you can install Windows once in a "base" installation and then generate multiple VMs from that install. The base Windows install will only occupy disk space on your host computer once, even though multiple VMs are using it. VMware provides this functionality as well, but through a clearer interface.
There are very few major functional differences between Virtual PC and its
competition, so performance becomes the major point of comparison. Virtual PC
was often the slowest, particularly with disk-intensive operations like OS or
application installations. In timed trials of an unattended Windows XP Professional
installation, Virtual PC took about 10 minutes longer to load than either VMware
or Altiris (see "It's All About the Apps"). There was a similar lag when installing
Office 2003 Professional. Disk-intensive operations aside, Virtual PC performed
on par.
It's All About the Apps
[Direct comparisons with VMware and Virtual PC would not be accurate. Consequently, we are presenting Altiris SVS here, rated independently.--Ed.]
A relative newcomer to the virtualization space, Altiris
Software Virtualization Solution (SVS) easily takes the cake
when it comes to application virtualization and isolation.
That's its primary purpose.
SVS also has centralized management features to make broad
deployment much more feasible. But unlike Virtual PC or VMware,
SVS isn't a whole-system virtualization product. You can't
use it to run Windows 95 or Linux on your Windows XP box.
The whole concept of application virtualization is excellent.
It will doubtless have further reach in the long term than
full-system virtualization. Rather than building VMs, you
build what Altiris calls Virtual Software Packages (VSPs).
This places the focus more on applications than on entire
operating systems. It pushes virtualization to the application
level.
A VSP captures an application's files, registry settings
and data. The VSP lives in a special area of your hard disk.
Thanks to some file system shenanigans, the application files
look like they're part of your base computer's file system--but
they're not.
Each VSP acts as a set of layers over your base OS. For example, while Firefox's VSP might be in C:\fslrdr\1\PROGRAMFILES\Mozilla Firefox\firefox.exe, you'll actually see it in C:\Program Files\Mozilla Firefox\firefox.exe. It would look as if it were installed on your base OS.
Deactivate the Firefox VSP, however, and it "disappears" from your computer since it is no longer running. Any changes made to Firefox while it's running, like adding bookmarks, are added to its VSP layer, not the base file system. This makes the VSP portable, completely self-contained and easy to secure.
This virtualization technique is obviously a marked change
from what VMware and Microsoft are doing, but it doesn't work
with everything. You can't virtualize device drivers, virus
checkers, Windows patches and some other software within SVS.
Another unique aspect of Altiris SVS is that it's centrally
manageable. Altiris promotes the product as an end-user application--suitable
for improving desktop security and stability--and not a professional-level
tool. VMware also recognizes this use (its Player application
supports the scenario pretty well), but doesn't provide the
centralized management features.
Altiris also provides plug-ins so you can use Microsoft SMS to deploy and manage SVS virtual applications. -- D.J.
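VMware's linked clones, Virtual PC's differencing drives and the SVS layers described in the sidebar all rest on the same mechanism: a read-only base plus copy-on-write layers stacked on top, where writes go to the top layer, a rollback discards a layer, and an inactive layer simply drops out of the merged view. The following Python model is an added example to make that mechanism concrete; it is not code from VMware, Microsoft or Altiris and does not reproduce any of their on-disk formats. Every class, function, path and file content in it is invented for illustration.

```python
"""Copy-on-write layers: a simplified model of what VMware linked clones,
Virtual PC differencing drives and Altiris SVS layers have in common.
Added example, not vendor code or an on-disk format; all names are invented."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Layer:
    """One layer: a base disk, a snapshot/differencing drive, or a VSP."""
    name: str
    parent: Optional["Layer"] = None
    entries: dict = field(default_factory=dict)  # path -> bytes
    active: bool = True  # inactive layers are skipped, like a deactivated VSP

    def chain(self) -> list:
        """All layers from the base up to this one."""
        layers, layer = [], self
        while layer is not None:
            layers.append(layer)
            layer = layer.parent
        return layers[::-1]

    def read(self, path: str) -> Optional[bytes]:
        """The top-most active layer that holds the path wins."""
        for layer in reversed(self.chain()):
            if layer.active and path in layer.entries:
                return layer.entries[path]
        return None

    def write(self, path: str, data: bytes) -> None:
        """Writes land in this layer only; the parent is never modified."""
        self.entries[path] = data

    def fork(self, name: str) -> "Layer":
        """A linked clone or differencing drive: empty until written to."""
        return Layer(name, parent=self)

    def own_size(self) -> int:
        """Bytes this layer alone stores, i.e. its deltas over the parent."""
        return sum(len(v) for v in self.entries.values())

    def listing(self) -> dict:
        """The merged file system a guest (or, for a VSP, the base OS) sees."""
        merged = {}
        for layer in self.chain():  # base first, so upper layers override
            if layer.active:
                merged.update(layer.entries)
        return merged


def rollback(layer: Layer) -> Layer:
    """Rolling back to a snapshot simply discards the layer's deltas."""
    return layer.parent.fork(layer.name)

# Constructed sample paths and contents; nothing is read from a real disk.
KERNEL = r"C:\Windows\system32\kernel32.dll"
GOOD_KERNEL = b"D" * 500
WINWORD = r"C:\Program Files\Office\winword.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
BOOKMARKS = r"C:\Program Files\Mozilla Firefox\bookmarks.html"


def demo_linked_clones() -> dict:
    """Five clones of one base install; only each clone's deltas cost space."""
    base = Layer("winxp-base")
    base.write(r"C:\Windows\system32\ntoskrnl.exe", b"K" * 1000)
    base.write(KERNEL, GOOD_KERNEL)
    clones = [base.fork(f"clone-{i}") for i in range(5)]
    sizes_at_start = [c.own_size() for c in clones]
    clones[0].write(WINWORD, b"W" * 300)      # install Office in clone 0 only
    clones[1].write(KERNEL, b"X" * 500)       # clone 1 gets corrupted...
    restored = rollback(clones[1])            # ...so roll it back to the snapshot
    return {
        "sizes_at_start": sizes_at_start,
        "clone0_size": clones[0].own_size(),
        "base_size": base.own_size(),
        "base_kernel_intact": base.read(KERNEL) == GOOD_KERNEL,
        "clone1_kernel_intact": clones[1].read(KERNEL) == GOOD_KERNEL,
        "restored_kernel_intact": restored.read(KERNEL) == GOOD_KERNEL,
        "clone0_sees_winword": clones[0].read(WINWORD) is not None,
        "clone2_sees_winword": clones[2].read(WINWORD) is not None,
    }


def demo_vsp() -> dict:
    """An application layer over the base OS is visible only while active."""
    base = Layer("base-os")
    base.write(r"C:\Windows\explorer.exe", b"E" * 100)
    firefox = base.fork("firefox-vsp")
    firefox.write(FIREFOX, b"F" * 200)
    firefox.write(BOOKMARKS, b"<bookmark>")   # a user change lands in the layer
    seen_while_active = FIREFOX in firefox.listing()
    firefox.active = False                    # deactivate the VSP
    return {
        "seen_while_active": seen_while_active,
        "seen_while_inactive": FIREFOX in firefox.listing(),
        "base_untouched": base.own_size() == 100,
        "layer_size": firefox.own_size(),
    }
```

Calling demo_linked_clones() shows the property the review relies on: the five clones start at zero bytes of their own, the base is never written to even when a clone is damaged, and rolling back is nothing more than forking a fresh empty layer from the same snapshot. demo_vsp() shows the SVS side of the same idea: the application and the bookmarks the user adds both live in the layer, so deactivating it hides them without touching the base and activating it again brings them back.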
There are no centralized management capabilities for Virtual PC. You can't
use a Group Policy object to configure Virtual PC settings, prevent Virtual
PC from running and so on. This is a notable oversight, and something that Microsoft
will hopefully correct in the future. While Virtual PC's original target audience
may have been the IT professional, the expanding uses of virtualization demand
strong centralized management.
The biggest advantage of Virtual PC is its inclusion in Microsoft's MSDN Universal
subscriptions. This means many organizations already have a limited number of
licenses for the software. That alone could make the choice to use Virtual PC
a no-brainer, since it won't necessarily cost you anything extra. Even if you
do have to buy it, Virtual PC is less expensive than VMware Workstation.
Virtualization on the CPU
These days, all virtualization software
runs entirely under your host operating system. In the near
future, however, we'll start seeing virtualization based on
the CPU.
Intel is calling theirs "Vanderpool." AMD's is called
"Pacifica." You can think of these technologies as the virtualization
version of Intel's "MMX" multimedia extensions. They're processor
enhancements specifically designed to make virtualization
faster.
As with any processor-level enhancement, both the host
operating system and the virtualization software have to be
written to specifically leverage the processors' capabilities.
Intel started shipping Vanderpool-equipped CPUs in late 2005.
The Itanium family will pick up the enhancements in late 2006,
essentially putting Vanderpool in the entire product line.
AMD's technology became broadly available in early 2006, and
will be available across their product line by mid-2006.
One of the main components of these technologies is incorporated
in the computer's I/O bridges. This lets the virtualization software
direct VM I/O access (which has long been a virtualization
bottleneck) to I/O resources more quickly, without relying
entirely on the host operating system to run the show. The
practical upshot is faster-running VMs.
It is a testament to the growing popularity of virtualization
that both Intel and AMD have jumped on board with processor-level
optimizations and capabilities to support the technology.
-- D.J.
The Real Word on Virtualization
There are a number of other less-popular virtualization choices that
use other host operating systems, including Parallels Workstation and open-source
projects like Xen, Bochs and PearPC. Xen and Bochs are both written for Linux
and Unix platforms, and PearPC emulates the legacy Mac PowerPC environment,
rather than an x86 environment (which is why none of those were included in
this roundup). If you're evaluating virtualization software and Windows isn't
the only host platform you need, check out some of these other options.
Although it's more expensive than Virtual PC, VMware Workstation is my pick for full-on, hardware-style virtualization software. It has a superior user interface, snappy performance and VMware has a proven track record for rapid updates (initial support for Windows Vista, for example, is already in the product).
For application-level virtualization, VMware Workstation is a player--thanks
to the Player application--but Altiris SVS has this segment nailed (see "It's
All About the Apps"). The landscape of virtualization solutions continues
to change and evolve as major players like Microsoft, Intel and AMD create new
technologies. Keep your eyes open because it will be an exciting category to
watch.
More Information
Microsoft's Virtual Direction
Although Microsoft hasn't made many significant changes to Virtual PC since
acquiring the software from Connectix, it hasn't been sitting on its hands when
it comes to desktop virtualization.
In mid-2005, Microsoft senior vice president Bob Muglia announced that the
forthcoming "hypervisor" software (the new catch-all name for virtualization
software) would eventually be "built directly into Windows and will allow
companies to virtualize multiple operating systems."
The plan originally called for this to be delivered in 2007, after Longhorn
Server. It's more likely that the delivery date will be 2008 at this point.
The new, built-in hypervisor capabilities will take advantage of Intel and AMD
virtualization optimizations (see "Virtualization on
the CPU").
Building virtualization into Windows has significant impact. The software will
definitely run faster, since it can be built into a very low level of Windows'
kernel for better hardware access. It also means that the virtualization can
be much more transparent.
For example, you could launch an application in a VM simply by checking a checkbox
in Windows Explorer, in much the same way you use RunAs today. Whatever Microsoft
decides to do with its hypervisor software, as the 800-pound gorilla of the
OS market, its decision will significantly change the landscape of desktop virtualization
as we know it.
-- D.J.