Experiences with Replacing Desktops w/ VMs?
E1ven asks: "After years of dealing with broken machines, HAL incompatibility, and other Windows frustrations, I'd like to investigate moving to an entirely VM-based solution. Essentially, when an employee comes in in the morning, have them log in, and automatically download their VM from the server. This gives the benefits of network computing, in that they can sit anywhere, if their machine breaks, we can instantly replace it, etc., and the hope is that the VM will run at near-native speeds. We have gigabit to all of the desktops, so I'm not too worried about network bandwidth, if we keep the images small. Has anyone ever tried this on a large scale? How did it work out for you? What complications did you run into that I probably haven't thought of?"
There are a lot of complications using a VM - there's no 3D, no good audio, etc. Plus if your base computer does not fit into the HAL, you can't expect much out of the VM. I am actually surprised at this - a VM will give you the benefit of portability, but if that was your goal you'd be better off giving a laptop to all your employees.
Microsoft: "You've got questions. We've got dancing paperclips."
thin client be a cheaper and easier solution per seat?
Sounds like you want something like Citrix.
Although, what you could do is automagically have a standard WinXP workstation login on startup. Next, have VMWare in the startup folder so that it begins as soon as the computer logs in. Finally, have VMWare point to a disk image loaded on your server. The employees will then see a full-screen VMWare ready to authenticate on the network and begin their day.
If you really wanted to be fancy, have that image automagically map to a network drive on your SAN/NAS as the D:\ drive. Tell employees to use the D:\ drive to store all work-related documents.
It could work. But you'd be looking at maybe 5 minutes for the morning boot-up. Not to mention all the employees hammering the network for a 2-4 GB image at 7am will really thrash the servers.
If you insist on doing this, go a bit further. Activate that WoL crap and autoboot the workstations at staggered times between 6am and 7am.
I'd rather you do it wrong, than for me to have to do it at all.
Well, you'd still be running Windows (if that's your poison), and so your users would still be subject to (say) all the Outlook or Explorer weaknesses and exploits. The main upsides I'd see are
(a) presumably all VMs have the same device model, so you'd be running the same image everywhere, and
(b) assuming you carefully partition out the users' data to a different volume, you can give them a "fresh" virtual machine (a fresh Windows registry!) every time.
Nice and useful, but still not bomb-proof.
Have you looked into thin clients? You're describing them. Doing it with Linux is simple, faster, easier on servers, etc. Novell put in a solution for us...10K users log in to a few dozen servers every day across the US. SLED 10 workstations (thin clients) have some software on them and some on the server. User files are on the server. When we want to upgrade boxes we upgrade the servers and are done. User somehow breaks the box (not that malware and viruses are big issues at this point, but sometimes things happen with users who maliciously boot from CDs) and we push out a new thin client image to that workstation. No onsites as we use remote X sessions and VNC if needed.
:-)
I have a dream job and could really work from home for most of it except meetings w/my boss when he gives me my bonus.
http://www.vmware.com/products/enterprise_desktop.html
Hmm. Your main issue is going to be switching machines. I see three ways of doing this:
Some virtual machines let you suspend to a file. This is nice if you must run Windows, or some other uncooperative OS. But, that still means suspend to a file, which will take some time. As for the disk, that would be fairly trivial -- your host OS would be Linux over NFS, so your disk image is an NFS file.
Issue to watch for here: local cache. I don't care how fast your gigabit is, that server is going to feel some stress. I tried setting up gigabit just for file sharing, and it was never as fast as it should have been (yes, I was using jumbo frames; yes, it was just a crossover cable; yes, it was Cat 6). And even if that's flawless, there's the server at the other end. You probably want good local caching, probably local disk caching. InterMezzo would have been good, but they've pretty much died. You might try simply throwing tons of RAM at the problem, or you might try cachefs (never got it working, but maybe...) or maybe one of the FUSE things.
Second way: Don't use VMs. VMs will never be as fast as a native OS. But "native OS" can still work roughly the way the VM image does above, if your hardware is identical. With Linux and Suspend2, you can suspend and resume from pretty much anything you can see as a block/swap device. So, all of the above caching issues apply, but just run it as a network OS, have one range of IPs for machines still booting and logging in, and another for fully functional machines. Here, when the user logs in, the bootstrap OS tells itself to resume the OS image from the network.
You could also do this with Windows by copying a local disk image around -- after you hibernate, boot a small Linux which rsyncs the whole disk across the network, including hiberfile.sys. Everything besides the OS itself would be stored over the network already anyway (samba).
I don't know if this will work -- after all, no hardware is truly identical. But it may be worth a shot.
Advantage: Both Linux and Windows XP know to trim the image a bit on suspend, so it won't be a whole memory image, just relevant stuff. Truly native speed.
Disadvantage: If I'm wrong, then you won't be able to properly resume on a different box.
Finally, you could stick to software which supports saving sessions and resuming them. I know Gnome at least, and maybe KDE, had this idea of saving your session when you log out -- and telling all applications to do so -- so that when you log back in after a fresh boot, it's like resuming from a hibernate.
Advantages: Fastest and most space-efficient out of all of them. Least administrative overhead -- in the event of a crash, there isn't nearly as much chance for bad stuff to happen. Easily works cross-platform, native speed on any supported platform. Simplest to implement, in theory.
Disadvantage: Not really implemented. 99% of all software may remember useless things like window size and position, but very few actually store a session. If you mostly roll your own software, this may be acceptable.
And of course, you could always do web apps, but those won't be anywhere near native speed -- yet.
All approaches share one flaw, though -- bad things happen when a box goes down. With a VM image (or a suspend image), if you crash, you'll obviously want to restore from a working image -- but what about the files? If they're on a fileserver, does your working image properly reconnect to the fileserver, or does it assume it's still connected (thus having weird things cached)? The third option (saving sessions) is the safest here, because in the event of a crash, programs behave the same way they would on a single-user desktop. But you still lose your session.
What others are suggesting -- various terminal server options -- is much slower, but it also means that as long as the application server is up, so is your session. If you crash, you can switch to another machine and literally be exactly where you
Don't thank God, thank a doctor!
- Mobility. Your "machine" is just a bucket of bits. Once your "machine" is virtualized, you are no longer tied down to a single piece of hardware. You can sit anywhere and have your complete environment. Having a hardware issue? No problem, just walk up to another machine and start using it where you left off.
- Isolation. Once everything is wrapped up in a virtualized sandbox, many security problems become a lot easier. You can easily isolate and monitor what the guest is doing, and it's darn near impossible for even malicious software to cause serious damage. User screwed up the configuration or got infected by spyware? Just roll back to an earlier VM snapshot. Better yet, have them boot into a pristine image every time. Thus, the solution to just about everything is just a power-cycle.
- Easy management. Running on a virtual machine gives you a standard platform, so you can keep a single golden image instead of the N different images for each piece of hardware. Just keep that image up to date, and periodically push new versions out to users. User having trouble? You can get an exact replica of their whole environment for debugging, without the user having to do anything.
You can get some of these benefits with thin clients and/or Citrix, but those have their own share of problems. Thin clients have lots of problems, the most obvious of which is if the network goes down, you are hosed. Working on a laptop and/or with an intermittent connection is not possible. Besides, nowadays it's pointless. Decent hardware is so cheap, it no longer makes sense to strip down hardware at the client side. In fact, many times desktop PCs turn out to be *cheaper* than thin clients. (God, I love economies of scale...)

Disclaimer: I work at moka5, a startup company out of Stanford that does desktop PC virtualization. We have a beta product called "LivePC Engine" that adds a demand-paging layer to VMware, so you can run your PC environment from anywhere (without having to download the whole thing), share it with other machines, and subscribe to other people's shared LivePCs and automatically get updates as they are posted.
If anything, the internal Sun deployment proved that it was a) possible to run an enterprise almost completely on data center, lab machines and SunRays and b) that global hot desking is pretty damn cool. The ability to get your session from half a world away or even at home with little to no lag is awesome. Don't get me wrong: the technology isn't perfect, but overall, it is pretty darn good.
Folder redirection is not roaming profiles.
It uses the offline files system to smartly synchronize the files, and maintain them when you're off the network. Also, it doesn't sync the whole profile. You can configure what you want to sync.
Further to the Sun Ray comment, you could implement a project similar to one I did last year. Basically use the Sun Ray server software to point to Windows terminal servers on your network. Set up the terminal servers in a cluster for load balancing, and just export your sessions (one will need to be a terminal services licensing server). We've used this for open access machines in a branch of our org and it works a treat. People sit down, move the Sun Ray mouse and are presented with a Windows 2003 server login screen instantly. They log in to our domain (god bless samba) and get full network shares and printers. Sessions are run off the TS servers so if there is a disconnect the data is still on the server. Patching is a breeze, just sort out the big iron in the back and it pushes to all the thin clients. Only issue we've had is that some USB drives don't have drivers in Solaris 10 (which handles the USB devices) and that occasionally causes a crash. Beyond that, it is very stable.
Exactly!
This is brought to you from a SunRay at home, talking to the server in the garage...
Combined with Tarantella, you can have every Windows application you want. The latest revision of the SunRay server also works on Linux (RedHat I think)!
I run my Windows apps in QEMU, but that is because only my wife and I share the SunRay server...(2.4GHz P4, 3GB RAM). From a user's perspective it's just perfect! Power on in the morning, insert your card, log in and last night's session is still there. Just upgraded to the latest Open Solaris build so I had to reboot the machine, but before that my machine had reached 317 days of uptime!
In an office environment your mileage will vary, but I have always appreciated the silence of my office working on a SunRay.
Regarding the GP, downloading VM images just doesn't make sense compared to a SunRay, especially if you already have GB ethernet. Make sure the servers have enough RAM and don't let them play Quake!
(and yes, I work for Sun...)
Your goals may be better accomplished with a different approach.
Now you have most of the benefits you asked for: you can have users switch places at random, you can replace physical computers and set them all up with the same VM... you can even have them all run windows on a linux host if this helps prepare for "the big switch". :)
As for your maintenance of the VMs, you can remotely log in to any of the workstations and replace the old VMs with new ones when you need to update something. Occasionally you can wipe out all files that are kept on workstations to ensure that no kiddie p0rn is found, and to further illustrate that it is essential to keep all work-related files on the server as instructed in 2)
Couldn't agree with you more.
It really matters what the people are doing as to what they get.
If they're doing Customer Service, sure, throw them on a Ray. Technical Support will work too, but I hope you have enough virtual applications or people that know your software pretty well. If done right, TS works fine (just keep a few windows boxes around for weird testing issues)
If they're programmers - you should really be asking them for a wishlist of what they want and then filter it out from there. Personally, I think Rays don't work too well for some programming situations due to tools required and load on the computer. Heck, I know a C++ programmer that works better on a Mac than anything else. If his productivity goes through the roof on a Mac, give the man a Mac.
The edubuntu distribution is basically a plug-n-play instant LTSP environment.
I use it for junk laptops with busted hard drive controllers. I just wish wireless network cards had boot proms, I'm using MMC/SD cards to bootstrap.
Before I part with'em: two pennies weigh ~4.996+/-0.014g, have a zinc core, and the face of Lincoln. You can keep 'em.
About Windows roaming profiles; these things tend to grow huge (I have found a couple of them over 1 GB). They eventually will saturate your network and will have the user bitching about long delays after logons. Maybe if you have 1Gb to the desktop, this will not be an issue, but try streaming a 1 GB profile over wireless.
My other OS is the MCP!
But you have to have a different image for each distinct hardware profile. In a large network, it's a headache you don't want.
;) Do you want to be the guy who gets called in 100 times at 4am on saturday to fix a broken server?
Basically, there are 3 or 4 major solutions, in order from simple to hard:
1. RDP, Citrix, Terminal Services
2. Roaming profiles with redirected desktop/startmenu/etc. (in windows) (take advantage of local machine's power)
3. Image boot, like you were talking about
4. Custom web-based application
Obviously number 4 will preclude using your office products or other software, but if the user really only has a few roles, you could make a custom app that does what they need to do and skip all the other crap. Lock down the machines and use a generic profile for all users. It's hardware independent, etc.
I had the same problem. In a Windows environment, I used regular domain profiles with redirected desktop and start menu, printers, etc. That way each user can move around. The problem is with Outlook, because it stores the messages in the local profile in the personal folder. Without Exchange, you have people lugging around 600-1000MB Outlook folders every time they switch computers. It takes a few minutes to boot... anyway, each Windows box is totally open so they can do whatever they want with it (within reason). Then for the critical stuff, I built a custom web based app with LAMP and it handles the databases, etc. As the app expands, the Windows profiles will be slowly locked down until we only need a web browser to do all the necessary work. At that point (2 years ahead), all the computers will need to be replaced, and they can be replaced with thin clients. It works great with outlying or out-of-state branches because I don't have to worry about their system configuration ever, and they can contract their own PC tech to handle the day to day crap.
With the images, you are going to want to blow your head off if someone has a problem with their sound card or something. You'll find they have a different sound card, have to make a whole new image, then make sure that image chases the computer (MAC address) and not the user. You'll have to have roaming profiles anyway in this case.
Remote desktop/terminal services work great. They are the original. No worries about desktops at all, but you can still run all the software you want. Old school terminals work well for certain tasks also. I used to work at a large unnamed hotel in Las Vegas and they ran everything critical on a big AS/400 and the clients used the 3270 emu software on standard Windows boxes (with Netware 6...ugh). You get colored text and that's it. But that's enough for most purposes. Of course, you have to have some major hardware up top to serve all these clients. It's the best choice if money is no object and security is. Terminal services will necessitate high-end servers, and you need redundancy otherwise one of them going down will take out many clients. With the AS/400, you get legendary 24x7 1 hour response service team (in suits) but it's like $500K a year.
Cool! Amazing Toys.
Yes, yes you are. First of all, it is entirely possible to download music and movies without being infected. Second of all, with the right operating system, you can do all that shit without even any significant risk of being infected. Yet, many are locked into Windows.
Then again, I do run windows (hardware support issues) and I'm not getting owned.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
My employer uses Thinkpads with docking stations as standard issue. For those of us who need more power, we just use Terminal Server (or another remote access program for non-Windows computers.) We use Connected Backup to backup the laptops on a daily basis over the network.
While I personally would prefer a more powerful laptop (as I do serious development), I'd rather use a laptop than a generic workstation. I can telecommute with it anywhere in the world, and I can use it in meetings with a projector. This is more difficult with generic workstations.
No, I will not work for your startup