Living in a Virtual World

Virtualization is here to stay, so make sure you're using the right tool.

Desktop virtualization software has long been a staple for savvy Windows administrators who use it for software testing, pilot projects, training and so on. Virtualization is proving to have much broader appeal throughout the general IT community, though. One increasingly widespread use for virtualization tools is executing desktop applications.

Rather than installing individual applications on your Windows machines, you can install each one onto a dedicated virtual machine. The idea is to segment each major application into a unique workspace. This way you avoid "DLL hell" and "registry rot" by keeping your base Windows system pristine.

Virtualization software is well-suited for getting around such conflicts, avoiding security issues and preserving a safe operating system state on your network. Your Windows XP or Windows 2000 desktop system can "become" several computers. You can also run any of several operating systems: Linux, Windows 95, Windows Vista--nearly any x86-based operating system.

For example, you could run Internet Explorer exclusively within a virtual machine (VM). Whatever IE picks up in the way of spyware or exploit code is contained in the VM rather than in your base system, and virtualization software lets you quickly and easily "roll back" a VM: if it's compromised in any way, you can simply click a button to return it to its original "clean" state. Two caveats a security-minded administrator should keep in mind: rolling back erases persistence, not what already happened, so anything typed into the compromised VM (passwords, for instance) and anything it could reach over the network in the meantime should be treated as exposed; and the isolation is only as strong as the virtualization software itself, since the VM still shares the host's hardware and network, plus whatever file-sharing or drag-and-drop integration features you enable.

Go Virtual
Virtualization software runs on top of your computer's host operating system. For example, VMware, Virtual PC and Altiris SVS all run on the latest versions of Windows. There is also virtualization software for Linux, Mac and other host operating systems.

Virtualization software lets you create one or more VMs, which are self-contained "sandboxes." Each VM has its own virtual hard drive, virtual CD-ROM, virtual network adapter and all the other hardware a physical computer would have--even a virtual BIOS. Each VM runs a guest operating system, which can be completely different from your physical computer's host operating system.

[Figure: Redmond Roundup Ratings]

Each VM is allocated its own share of host resources such as memory, and all running VMs share time on your system's CPU(s). You can start, stop or even pause a VM (similar to hibernating a physical computer). This gives you the flexibility to run what you want, whenever you want.

Some virtualization software provides tight integration with your host computer. For example, your VM might be able to map a "network drive" to a folder on your host computer. This would make it easier to share files between the two, or even let you drag files from your host computer into the VM. These various integration features often require that you install helper software within the VM itself.

VMware Workstation 5.5
VMware is the most mature of the major virtualization packages for Windows hosts. It includes a varied menu of features, including tight integration between the guest and host operating systems through a helper package (VMware calls it VMware Tools) that you install inside each VM. The advanced integration lets you drag-and-drop between guest and host, share folders between guest and host, capture smooth mouse pointer movement when using a VM and so on.

It also gives you much greater flexibility in how you organize your virtual workspace. You can set your VM windows to an arbitrary size. The VM software then resizes the VM's screen resolution to match the window size. That means your VM windows aren't restricted to standard resolution levels like 800 x 600.

Like most virtualization software, Workstation lets you "roll back" the VM to an earlier state. You do this by taking snapshots of a VM that is currently running or that has been shut down. A snapshot manager lets you enter descriptive comments for each snapshot so you can keep better track of them. Then at any time, you can roll back the current VM to an earlier snapshot state.

Figure 1. VMware Workstation lets you keep track of the status of system state snapshots so you don't inadvertently roll back too far.

You can also use a snapshot of a shut-down VM as the source of a clone, which can either be complete or linked. A complete clone is simply a new virtual hard disk that contains everything in the cloned snapshot. A linked clone shares the parent's virtual disk and records only the blocks it changes in its own delta file, so it takes very little disk space to create, but it depends on the parent snapshot remaining intact and available.

You can then use clones as the basis for new VMs. One practical example is to create a VM, then install an OS and the latest service packs. Clone that VM five times to produce five brand-new VMs with the OS and service packs installed. If you make them linked clones, in their starting condition each of the five new VMs will only occupy a few kilobytes of disk space beyond what the original VM is using.

The latest version of Workstation supports x64 guest operating systems and has experimental support for two-way symmetric multiprocessing (SMP) for guests. This means you can assign two virtual processors to an individual guest. It can also convert Microsoft Virtual PC VMs and Symantec LiveState images into Workstation VMs. This is a hugely compelling feature that has major ramifications for backup and disaster recovery. If you use LiveState to perform system backups, any backup can become a "live" virtual machine.

VMware also offers a free Player application--a unique option. The Player lets anyone execute the VMs that you've created with VMware Workstation. However, the Player won't let them create new VMs or modify a VM's configuration.

You can use the Player to create and distribute a VM set up to run a specific application, for example (perhaps an application that requires a legacy OS like Windows 9x). This is another enormously compelling feature that sets Workstation apart and opens a number of new possibilities for using and distributing VMs. The only downside to the Player application is that, like Workstation, it's available for both Windows and Linux.

Why is that a downside? In order to maintain parity between platforms, VMware doesn't build in many Windows-specific features, like centralized management through Group Policy. The ability to centrally control and configure the Player through Group Policy, for example, would make the Workstation/Player combination a killer for many organizations.

Microsoft Virtual PC 2004
Microsoft's Virtual PC is one of the original virtualization tools. It began life as Connectix Virtual PC; Microsoft acquired the product and shipped its first version, Virtual PC 2004, and has since released a single service pack that introduced a few functional changes.

Microsoft's documentation for Virtual PC 2004 is clear and easy to follow. The software includes most of the same features as VMware, but notably lacks a tabbed environment to make it easier to work with multiple VMs. For some reason, Microsoft seems shy about adding tabs (think of Internet Explorer). Instead, each VM simply opens in a new, independent window. This is definitely less functional than VMware's interface.

Microsoft provides "Virtual PC Additions" software to install within each VM. This provides tighter host integration, such as dragging and dropping files, sharing folders with the host and so on.

Either of the full-system virtualization products discussed here (VMware Workstation and Virtual PC) can run any x86-based guest operating system. In the past, Microsoft's support policy made this confusing. Microsoft wouldn't provide technical support for non-Microsoft operating systems. (That seems reasonable enough. Would you call Microsoft about a Linux issue?) However, that didn't mean Virtual PC couldn't run Linux. Microsoft's current support policies are more broad-based with regard to guest OS support.

Virtual PC provides undo or rollback features similar to VMware, although it uses different terminology. For example, Virtual PC lets you install Windows inside a VM. You can then create a differencing drive on that VM's virtual hard disk. The differencing drive, which is initially just a few kilobytes in size, seems to contain the exact same data--the Windows OS install--as the virtual hard disk on which it was based.

You can then create a new VM that uses the differencing drive as its virtual hard disk, meaning the new VM starts off looking like a clone of the original VM. Any activity you perform within the new VM, however, won't affect the underlying Windows OS install. This way, it also preserves a safe or original state.

You can create multiple differencing drives from a single virtual hard disk. Practically speaking, this means you can install Windows once in a "base" installation and then generate multiple VMs from that install. The base Windows install will only occupy disk space on your host computer once, even though multiple VMs are using it. The flip side is that the base virtual hard disk must never be modified again (for example, by booting the base VM) once differencing drives depend on it: each differencing drive records which parent it belongs to and when that parent was last modified, and Virtual PC refuses to use a differencing drive whose parent has changed underneath it, because the blocks the child never copied may no longer contain what it expects. VMware provides this functionality as well, but through a clearer interface.
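As an added example (editor's code, not Microsoft's tooling or anything from the article), the following Python script builds a minimal dynamic VHD "base" disk and a differencing VHD bound to it in memory, following the published VHD format layout, and then reproduces the check a virtualizer makes before attaching a differencing drive: does the child's recorded parent identity and parent time stamp still match the parent? The sample sizes, paths and disk ids are constructed for the demonstration, and the parent's own footer time stamp stands in for the file modification time that Virtual PC actually compares.

```python
"""Minimal VHD builder/parser showing how a differencing disk is bound to its parent.
Editor's example, not Virtual PC code. Field layout follows the VHD specification;
the sample images, ids and paths are constructed here."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

VHD_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)  # VHD time stamps count seconds from here
FIXED, DYNAMIC, DIFFERENCING = 2, 3, 4                 # "Disk Type" values from the VHD spec
SECTOR, BLOCK_SIZE = 512, 2 * 1024 * 1024
FOOTER_FMT = ">8sIIQI4sIIQQIII16sB"                    # 85 bytes + 427 reserved = 512-byte footer
DYN_FMT = ">8sQQIIII16sII512s192s256s"                 # 1024-byte dynamic/differencing header
SIZE = 8 * BLOCK_SIZE                                  # constructed: a 16 MB virtual disk
BASE_ID = uuid.UUID("11111111-2222-3333-4444-555555555555")   # constructed sample ids
CHILD_ID = uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")


def vhd_checksum(block: bytes, field_offset: int) -> int:
    """One's complement of the byte sum, with the 4-byte checksum field treated as zero."""
    total = sum(block) - sum(block[field_offset:field_offset + 4])
    return (~total) & 0xFFFFFFFF


def vhd_time(when: datetime) -> int:
    return int((when - VHD_EPOCH).total_seconds())


def build_footer(disk_type: int, size: int, disk_id: uuid.UUID, when: datetime) -> bytes:
    data_offset = 0xFFFFFFFFFFFFFFFF if disk_type == FIXED else SECTOR  # where the dynamic header lives
    raw = struct.pack(FOOTER_FMT, b"conectix", 2, 0x10000, data_offset, vhd_time(when),
                      b"vpc ", 0x50000, 0x5769326B,          # creator app/version/host OS ("Wi2k")
                      size, size, 0, disk_type, 0,            # geometry not computed in this example
                      disk_id.bytes, 0) + bytes(427)
    return raw[:64] + struct.pack(">I", vhd_checksum(raw, 64)) + raw[68:]


def build_dynamic_header(size: int, parent, parent_name: str) -> bytes:
    """For a differencing disk the header records the parent's unique id, time stamp and path."""
    if parent is None:
        parent_id, parent_ts, name = bytes(16), 0, b""
    else:
        pf = parse_footer(parent)
        parent_id, parent_ts, name = pf["id"].bytes, pf["time"], parent_name.encode("utf-16-be")
    raw = struct.pack(DYN_FMT, b"cxsparse", 0xFFFFFFFFFFFFFFFF, SECTOR + 1024, 0x10000,
                      size // BLOCK_SIZE, BLOCK_SIZE, 0, parent_id, parent_ts, 0,
                      name, bytes(192), bytes(256))
    return raw[:36] + struct.pack(">I", vhd_checksum(raw, 36)) + raw[40:]


def build_image(disk_type, size, disk_id, when, parent=None, parent_name=""):
    footer = build_footer(disk_type, size, disk_id, when)
    header = build_dynamic_header(size, parent, parent_name)
    bat = b"\xff" * (size // BLOCK_SIZE * 4)      # block allocation table: every block unallocated
    bat += bytes(-len(bat) % SECTOR)
    return footer + header + bat + footer         # footer copy at the front, authoritative one at the end


def parse_footer(image: bytes) -> dict:
    raw = image[-SECTOR:]
    f = struct.unpack(FOOTER_FMT, raw[:85])
    if f[0] != b"conectix":
        raise ValueError("not a VHD footer")
    if f[12] != vhd_checksum(raw, 64):
        raise ValueError("footer checksum mismatch")
    return {"data_offset": f[3], "time": f[4], "size": f[9], "type": f[11],
            "id": uuid.UUID(bytes=f[13])}


def parse_dynamic_header(image: bytes) -> dict:
    off = parse_footer(image)["data_offset"]
    raw = image[off:off + 1024]
    f = struct.unpack(DYN_FMT, raw)
    if f[0] != b"cxsparse":
        raise ValueError("not a dynamic disk header")
    if f[6] != vhd_checksum(raw, 36):
        raise ValueError("dynamic header checksum mismatch")
    return {"parent_id": uuid.UUID(bytes=f[7]), "parent_time": f[8],
            "parent_name": f[10].decode("utf-16-be").rstrip("\0")}


def footer_is_valid(image: bytes) -> bool:
    try:
        parse_footer(image)
        return True
    except ValueError:
        return False


def check_parent_chain(child: bytes, parent: bytes) -> str:
    """The attach-time check: the parent must be the one the child was created against,
    and it must not have been modified since (here: its footer time stamp is unchanged)."""
    if parse_footer(child)["type"] != DIFFERENCING:
        return "not-a-differencing-disk"
    link, pf = parse_dynamic_header(child), parse_footer(parent)
    if link["parent_id"] != pf["id"]:
        return "parent-id-mismatch"
    if link["parent_time"] != pf["time"]:
        return "parent-modified"
    return "ok"


def build_sample_chain():
    """Constructed sample: a dynamic base disk and a differencing child bound to it."""
    t0 = datetime(2006, 3, 1, 9, 0, tzinfo=timezone.utc)
    base = build_image(DYNAMIC, SIZE, BASE_ID, t0)
    child = build_image(DIFFERENCING, SIZE, CHILD_ID, t0, parent=base, parent_name="C:\\VMs\\base-xp.vhd")
    return base, child, t0


def demo():
    base, child, t0 = build_sample_chain()
    # Booting the base VM and letting it write would change its time stamp; the child still
    # records the old one, so the chain is no longer safe to use.
    base_touched = build_image(DYNAMIC, SIZE, BASE_ID, t0 + timedelta(days=1))
    # A base disk re-created from scratch carries a new unique id, so the child no longer matches it.
    base_recreated = build_image(DYNAMIC, SIZE, uuid.UUID(int=99), t0)
    return (check_parent_chain(child, base),
            check_parent_chain(child, base_touched),
            check_parent_chain(child, base_recreated))


if __name__ == "__main__":
    print(demo())  # ('ok', 'parent-modified', 'parent-id-mismatch')
```

The point of the exercise is the chain check: the differencing drive carries no copy of the parent's data, only a pointer (unique id, time stamp, path) to it, which is why the base disk has to be treated as read-only once children exist and why a mismatch should be treated as a corrupted VM rather than something to override.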

There are very few major functional differences between Virtual PC and its competition, so performance becomes the major point of comparison. Virtual PC was often the slowest, particularly with disk-intensive operations like OS or application installations. In timed trials of an unattended Windows XP Professional installation, Virtual PC took about 10 minutes longer to complete than either VMware or Altiris (see "It's All About the Apps"). There was a similar lag when installing Office 2003 Professional. Disk-intensive operations aside, Virtual PC performed on par.

It's All About the Apps

[Direct comparisons with VMware and Virtual PC would not be accurate. Consequently, we are presenting Altiris SVS here, rated independently.--Ed.]

A relative newcomer to the virtualization space, Altiris Software Virtualization Solution (SVS) easily takes the cake when it comes to application virtualization and isolation. That's its primary purpose.

SVS also has centralized management features to make broad deployment much more feasible. But unlike Virtual PC or VMware, SVS isn't a whole-system virtualization product. You can't use it to run Windows 95 or Linux on your Windows XP box.

[Figure: Redmond Roundup Rating]

The whole concept of application virtualization is excellent. It will doubtless have further reach in the long term than full-system virtualization. Rather than building VMs, you build what Altiris calls Virtual Software Packages (VSPs). This places the focus more on applications than on entire operating systems. It pushes virtualization to the application level.

A VSP captures an application's files, registry settings and data. The VSP lives in a special area of your hard disk. Thanks to a file system filter driver that redirects file and registry access on the fly, the application files look like they're part of your base computer's file system--but they're not.

Each VSP acts as a set of layers over your base OS. For example, while Firefox's VSP might be in C:\fslrdr\1\PROGRAMFILES\Mozilla Firefox\firefox.exe, you'll actually see it in C:\Program Files\Mozilla Firefox\firefox.exe. It would look as if it were installed on your base OS.

Deactivate the Firefox VSP, however, and it "disappears" from your computer, since the layer is no longer active. Any changes made to Firefox while it's running, like adding bookmarks, are written to its VSP layer, not the base file system. This makes the VSP portable and completely self-contained, and it can be reset to its original captured state if something inside it goes wrong.

This virtualization technique is obviously a marked change from what VMware and Microsoft are doing, but it doesn't work with everything. You can't virtualize device drivers, virus checkers, Windows patches and some other software within SVS.

Another unique aspect of Altiris SVS is that it's centrally manageable. Altiris promotes the product as an end-user application--suitable for improving desktop security and stability--rather than as a tool for IT professionals' own testing. VMware also recognizes this use (its Player application supports the scenario pretty well), but doesn't provide the centralized management features.

Altiris also provides plug-ins so you can use Microsoft SMS to deploy and manage SVS virtual applications. -- D.J.

There are no centralized management capabilities for Virtual PC. You can't use a Group Policy object to configure Virtual PC settings, prevent Virtual PC from running and so on. This is a notable oversight, and something that Microsoft will hopefully correct in the future. While Virtual PC's original target audience may have been the IT professional, the expanding uses of virtualization demand strong centralized management.

The biggest advantage of Virtual PC is its inclusion in Microsoft's MSDN Universal subscriptions. This means many organizations already have a limited number of licenses for the software. That alone could make the choice to use Virtual PC a no-brainer, since it won't necessarily cost you anything extra. Even if you do have to buy it, Virtual PC is less expensive than VMware Workstation.

Virtualization on the CPU

These days, all the desktop virtualization software reviewed here runs entirely in software on top of your host operating system. In the near future, however, we'll start seeing virtualization assisted by the CPU itself.

Intel is calling theirs "Vanderpool" (shipping as Intel VT-x). AMD's is called "Pacifica" (shipping as AMD-V). You can think of these technologies as the virtualization version of Intel's "MMX" multimedia extensions. They're processor enhancements that let a hypervisor run guest operating systems at their native privilege level and trap only the instructions it must intercept, rather than rewriting or emulating guest code in software, which is where much of today's virtualization overhead comes from.

As with any processor-level enhancement, the virtualization software has to be written to specifically leverage the processors' capabilities, and the feature must be enabled in the system BIOS before the software can use it. Intel started shipping Vanderpool-equipped CPUs in late 2005. The Itanium family will pick up the enhancements in late 2006, essentially putting Vanderpool in the entire product line. AMD's technology became broadly available in early 2006, and will be available across their product line by mid-2006.

A second piece of these technologies is incorporated in the computer's I/O bridges (Intel calls its chipset-level part VT-d; AMD's is an IOMMU). This lets the virtualization software hand a physical device directly to a VM and confine that device's DMA to the VM's own memory, so VM I/O (which has long been a virtualization bottleneck) no longer has to be emulated by the host. The practical upshot is faster-running VMs, and a stronger isolation boundary, since a VM cannot use an assigned device to read or write host memory.

It is a testament to the growing popularity of virtualization that both Intel and AMD have jumped on board with processor-level optimizations and capabilities to support the technology. -- D.J.

The Real Word on Virtualization
There are a number of other less-popular virtualization choices, some of which use other host operating systems, including Parallels Workstation and open-source projects like Xen, Bochs and PearPC. Xen is a hypervisor written for Linux and Unix platforms, Bochs is a portable x86 emulator that interprets every guest instruction (and is correspondingly much slower than the products reviewed here), and PearPC emulates the legacy Mac PowerPC environment rather than an x86 environment (which is why none of those were included in this roundup). If you're evaluating virtualization software and Windows isn't the only host platform you need, check out some of these other options.

Although it's more expensive than Virtual PC, VMware Workstation is my pick for full-on, hardware-style virtualization software. It has a superior user interface, snappy performance and VMware has a proven track record for rapid updates (initial support for Windows Vista, for example, is already in the product).

For application-level virtualization, VMware Workstation is a player--thanks to the Player application--but Altiris SVS has this segment nailed (see "It's All About the Apps"). The landscape of virtualization solutions continues to change and evolve as major players like Microsoft, Intel and AMD create new technologies. Keep your eyes open because it will be an exciting category to watch.

More Information

Microsoft's Virtual Direction
Although Microsoft hasn't made many significant changes to Virtual PC since acquiring the software from Connectix, it hasn't been sitting on its hands when it comes to desktop virtualization.

In mid-2005, Microsoft senior vice president Bob Muglia announced that the forthcoming "hypervisor" software (the new catch-all name for virtualization software) would eventually be "built directly into Windows and will allow companies to virtualize multiple operating systems."

The plan originally called for this to be delivered in 2007, after Longhorn Server. It's more likely that the delivery date will be 2008 at this point. The new, built-in hypervisor capabilities will take advantage of Intel and AMD virtualization optimizations (see "Virtualization on the CPU").

Building virtualization into Windows has significant impact. The software should run faster, since it can sit at a very low level beneath or inside the Windows kernel for better hardware access. It also means that the virtualization can be much more transparent.

For example, you could launch an application in a VM simply by checking a checkbox in Windows Explorer, in much the same way you use RunAs today. Whatever Microsoft decides to do with its hypervisor software, as the 800-pound gorilla of the OS market, its decision will significantly change the landscape of desktop virtualization as we know it.
-- D.J.
