Transparent Page Sharing and Address Space Layout Randomization

I recently had a customer ask, “How is VMware’s Transparent Page Sharing impacted by Windows’ “new” Address Space Layout Randomization?”  Here is my response and some other interesting tidbits about what the other hypervisors are doing (or not doing) to increase consolidation ratios.

Microsoft’s Address Space Layout Randomization (ASLR), introduced with Windows Vista, has little to no impact on VMware’s Transparent Page Sharing (TPS).  ASLR is an exploit mitigation, not a memory-management feature.  Each time the OS loads an executable or DLL it picks a randomized base address for it in the process’s virtual address space (the stack and heap are randomized as well), so malware exploiting a memory-corruption bug can no longer count on code or data sitting at a known, hard-coded address.  What ASLR randomizes is the virtual address at which a page is mapped; the operating system kernel’s page tables then translate those virtual addresses to physical pages, and only the kernel knows where those physical mappings land.  The contents of the pages themselves, the bytes of the DLL code, are the same no matter where the image ends up in the virtual address space.

When a hypervisor like ESX/ESXi sits between the physical memory and the operating system, it takes what the guest OS believes are its physical pages and backs them with pages of true machine RAM through its own mapping tables.  Because the hypervisor controls that RAM, it can still perform TPS on it: it periodically scans pages, hashes their contents, and when two pages hash the same and then prove identical byte for byte, it backs both with a single read-only copy (copy-on-write) rather than keeping duplicates.  Sharing is keyed on page content, not on the virtual address a guest mapped the page at, so a DLL’s code pages match across VMs whether or not ASLR placed the DLL at different virtual addresses in each.  The one place ASLR can trim sharing is relocation: when an image loads somewhere other than its preferred base, the loader patches every absolute address in it, so pages that contain fixups (import tables, pointer tables, and much more of a 32-bit image than a 64-bit one, whose code is mostly RIP-relative) will differ between VMs whose boots picked different bases.  Pure code pages are unaffected, and they are the bulk of what gets shared.  If TPS savings look low on a recent host, check whether the guest memory is being backed by 2 MB large pages first; ESX does not share those until memory pressure forces them to be broken into small pages, and that has nothing to do with ASLR.
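To make the content-versus-address point concrete, here is an added Python model (example code written for this edit, not VMware’s or Microsoft’s) of two guests loading the same DLL at different ASLR bases, followed by a TPS-style scan over their pages.  The image name, page counts, base addresses and the 64-pointer “import table” page are all constructed for the illustration; the hash-then-byte-compare step mirrors how TPS confirms a candidate before sharing it.

```python
from __future__ import annotations

import hashlib
import struct

PAGE_SIZE = 4096          # guest page size
IMAGE_ALIGN = 0x10000     # Windows image bases are 64 KiB aligned


def make_code_page(image_name: str, index: int) -> bytes:
    """Stand-in for one page of position-independent code (constructed content).

    The bytes depend only on the image and the page index, never on the load
    address, which is exactly why ASLR leaves these pages shareable."""
    seed = hashlib.sha256(f"{image_name}:{index}".encode()).digest()
    return (seed * (PAGE_SIZE // len(seed)))[:PAGE_SIZE]


def make_reloc_page(base: int, n_pointers: int = 64) -> bytes:
    """Stand-in for a page of absolute pointers into the image (import table,
    vtables, ...).  The loader fixes these up for the real base, so this page's
    content *does* depend on where ASLR placed the image (constructed layout)."""
    ptrs = struct.pack(f"<{n_pointers}Q", *(base + 0x100 * i for i in range(n_pointers)))
    return ptrs.ljust(PAGE_SIZE, b"\x00")


def load_image(image_name: str, base: int, code_pages: int = 3) -> list[bytes]:
    """Model a DLL mapped at `base`: `code_pages` code pages plus one relocated page."""
    if base % IMAGE_ALIGN:
        raise ValueError("image base must be 64 KiB aligned")
    return [make_code_page(image_name, i) for i in range(code_pages)] + [make_reloc_page(base)]


def share_pages(vms: dict[str, list[bytes]]) -> list[tuple[bytes, list[tuple[str, int]]]]:
    """TPS-style content scan over every guest's pages.

    Stage 1 buckets pages by a hash of their content; stage 2 confirms each
    candidate byte for byte before treating two pages as one (a hash match
    alone is never trusted).  Returns [(content, [(vm, guest_page_no), ...])];
    every group needs only one backing copy in machine memory."""
    buckets: dict[bytes, list[tuple[str, int, bytes]]] = {}
    for vm, pages in vms.items():
        for gpn, content in enumerate(pages):
            key = hashlib.sha256(content).digest()
            buckets.setdefault(key, []).append((vm, gpn, content))

    groups: list[tuple[bytes, list[tuple[str, int]]]] = []
    for candidates in buckets.values():
        verified: list[tuple[bytes, list[tuple[str, int]]]] = []
        for vm, gpn, content in candidates:
            for ref, members in verified:
                if ref == content:                # full byte compare
                    members.append((vm, gpn))
                    break
            else:
                verified.append((content, [(vm, gpn)]))
        groups.extend(verified)
    return groups


def pages_saved(vms: dict[str, list[bytes]]) -> int:
    """Machine pages reclaimed: a group of N identical pages needs one copy, not N."""
    return sum(len(members) - 1 for _, members in share_pages(vms))


if __name__ == "__main__":
    # Two guests boot independently, so ASLR picks different bases (constructed values).
    aslr_on = {"vm-a": load_image("ntdll", 0x7FF8_0000),
               "vm-b": load_image("ntdll", 0x7FF2_0000)}
    # Same image at the same base (ASLR off, or two boots that happened to agree).
    aslr_off = {"vm-a": load_image("ntdll", 0x7FF8_0000),
                "vm-b": load_image("ntdll", 0x7FF8_0000)}
    print("pages saved with different bases:", pages_saved(aslr_on))   # 3 of 4 shared
    print("pages saved with identical bases:", pages_saved(aslr_off))  # 4 of 4 shared
```

With different bases the three code pages still collapse to one copy each and only the relocated pointer page stays private to each guest; with identical bases all four share.  That is the whole TPS/ASLR interaction: randomizing where a page is mapped changes nothing about its bytes, and only pages the loader actually rewrites stop matching.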

Note that, to date, Hyper-V and XenServer do not offer any form of transparent page sharing.  Both have implemented memory ballooning (Dynamic Memory Control in XenServer and Dynamic Memory in Hyper-V), a technique VMware pioneered many years ago (~10 years).  Ballooning uses a driver inside the guest operating system that “borrows” memory from the guest: when the hypervisor asks for memory back, the driver allocates and pins guest pages, which lets the hypervisor reclaim the physical RAM behind them, while the amount of memory Windows reports as installed does not change; the OS and its applications simply have less of it left to use.  Microsoft’s Dynamic Memory is only available with Hyper-V Server 2008 R2 Service Pack 1, which is currently only a release candidate.  It is supported in most server guest OSes from 2003 through 2008 at particular Service Pack levels, but on client OSes only from Vista through Windows 7.  This means VDI implementations that require XP will not benefit from ballooning.

To summarize: no, TPS is not negatively impacted by ASLR, because sharing is decided by page content, not by the virtual address a page happens to be mapped at.  Hyper-V and XenServer do not do any level of page sharing.  Actually, a year ago, Citrix and Microsoft strongly believed customers did not have a need to overcommit memory, but it seems they are changing their stance on this because customers achieve far greater consolidation ratios on VMware vSphere.

My View – Design documents, photos, image editing

Today was a documentation day. Yippee! Oh Visio, how you manage to manipulate the simplest lines into complex, tangled webs, one will never know.

What I do know is that PCoIP provided an excellent user experience when working with graphics in Visio. One of the great features of PCoIP is that it builds the image to full quality over time unlike some other protocols that will generate a fuzzy image when bandwidth is unavailable. Indeed, a nice feature when working with graphics and attempting to read the small print on drawings. Dragging objects, working with text, connecting devices, and editing images were all accomplished from within the virtual desktop with no frustrating waiting while the image is redrawn as in RDP. Keep in mind I am accessing a virtual desktop in Steelhead Data’s cloud in Sacramento, CA from my home office in Portland, OR.

Scott Davis, VMware View CTO, does a great job of describing the PCoIP technology in his blog:

More importantly, by transmitting compressed bitmaps or frames, we can adjust the protocol in real time to account for the available bandwidth and latency of the communications channel. On a WAN connection with typically less bandwidth and higher latency, a less crisp image is produced quickly, typically with 0.2-0.5 bits/pixel producing a grainy, but still recognizable image. Kind of like an analog TV… This rapidly sharpens with increasing clarity and detail visibility with each succeeding frame until the image is perceptually lossless. This is a high quality image at a total of approximately 1-3 bits/pixel. Think of it as now Digital HD to stick with our TV analogy. On a higher performance LAN, the images become sharp instantly and will build to complete lossless at 5-15 bits per pixel. Think of it as Blu-Ray!

After completing some documentation, I shifted over to responding to customer requests in our managed services platform where we host VMware View desktops for businesses. Pros to using a View desktop: My desktop is located in the datacenter with the managed environment so connectivity to the infrastructure is fast and easy. Running tools such as the vSphere client to access the console of VMs from within the View desktop provides a better experience than if I run the same tool over a VPN connection on my local client. In the past I would have made a similar connection into a terminal server or Citrix environment where I could then access these tools. The difference here is that I have my own dedicated desktop where I get to install the tools that are useful to me like the great automation tool from thevesi.org for performing tasks in a vSphere environment. Or maybe I want to use the Webex one-click application. This is not something that I would want to install on a shared terminal server but it’s my desktop and I’ll do as I please! If an application decides to misbehave, I have the option of rolling back to a snapshot or refreshing my desktop to a point where it is running like a well oiled machine. Try doing that on a terminal server or traditional desktop.

This post is part of a project I am undertaking where I will be using a VMware View desktop for - hopefully - all of my work computing.  See more by clicking the "myview" tag.

Secure Multi-Tenancy from VMware, Cisco, and NetApp

NetApp, Cisco, and VMware held a joint webinar to discuss a collaborative solution to provide a secure multi-tenant platform for solution providers.  The goal is to provide the benefits of shared infrastructure, particularly converting IT assets from expenses to strategic business opportunities, while at the same time maintaining the isolation, security, predictability, and quality of service that IT came to expect from their independent silos in traditional environments.

Before I get into a breakdown of what was discussed and how this solution can help offer the best of both worlds, I want to discuss how we got to this point, and it all starts with virtualization and the need or want to consolidate infrastructure.  In the past, resources (compute, storage, network) were spun up when needed for a new application, which led to each application existing in an independent, predictable silo of resources.  The advantage of the silo is that the application owners knew what to expect from the resources.  This unfortunately leads to inefficient utilization of those resources.  Businesses flocked to virtualization solutions because of the cost savings derived from fewer servers, storage arrays, and networking devices in the datacenter – less to manage, less to power and cool, higher utilization.  Then, solution providers in the cloud realized they could take this to the next level and host low-cost, shared infrastructure for their customers.  Virtualization promised to increase utilization while still maintaining this separation, but in reality we’ve come to understand that multi-tenancy needs further separation than just the fact that each customer has independent VMs.  Each customer feels a bit funny about having their VMs running on the same hosts, network, and underlying storage as everyone else’s.  They want their silos.

Enter the Secure Multi-Tenancy architecture from NetApp, Cisco, and VMware.  This solution combines one feature from each vendor – NetApp MultiStore, Cisco VN-Link, and VMware vShield respectively – to allow cloud solution providers to offer the benefits of virtualization together with the advantages of the traditional silos by segmenting the shared resources into discrete, independently manageable resources.  For example, a provider can carve a single NetApp system into separate logical storage systems, MultiStore vFiler units, much as we create logical virtual machines on a single server.  Management access to these vFiler units can even be delegated to the customer to provision as they wish.  From the validated solution guide produced by Cisco:

“Providers can leverage NetApp MultiStore to enable multiple customers to share the same storage resources with minimal compromise in privacy or security, and even delegate administrative control of the virtual storage container directly to the customer.”

At first I began thinking that we are in this nasty circular back-and-forth between sharing virtualized infrastructure and the “siloing” of resources, when indeed there needs to be a balance between the two, and this appears to be a good start by these major players at achieving that balance.  There truly is a need to collaborate to make sure all layers of the stack are represented and operate well together.  Virtualization-aware solutions continue to open our eyes to new use cases and will continue to do so.  I just can’t wait for desktop virtualization to become as mature as server virtualization, at which point we will see some remarkable capabilities.  Just think… shared virtual desktops that grant significant efficiencies to the solution providers and the security, segregation, and reliability demanded by the customers.