Slashdot Mirror
Experiences with Replacing Desktops w/ VMs?
E1ven asks: "After years of dealing with broken machines, HAL incompatibility, and other Windows frustrations, I'd like to investigate moving to an entirely VM-based solution. Essentially, when an employee comes in in the morning, have them log-in, and automatically download their VM from the server. This gives the benefits of network computing, in that they can sit anywhere, if their machine breaks, we can instantly replace it, etc, and the hope is that the VM will run at near-native speeds. We have gigabit to all of the desktops, so I'm not too worried about network bandwidth, if we keep the images small. Has anyone ever tried this on a large scale? How did it work out for you? What complications did you run of that I probably haven't thought of?"
There are a lot of complications using a VM - there's no 3D, no good audio etc.. Plus if your base computer does not fit into the HAL, you can't expect much out of the VM. I am actually surprised at this - a VM will give you the benifit of portability, but if that was your goal you'd be better off giving a laptop to all your employees.
Microsoft: "You've got questions. We've got dancing paperclips."
thin client be a cheaper and easier solution per seat?
Sounds like you want something like Citrix.
Although, what you could do is automagically have a standard WinXP workstation login on startup. Next, have VMWare in the startup folder so that it begins as soon as the computer logs in. Finally, have VMWare point to a disk image loaded on your server. The employees will then see a full-screen VMWare ready to authenticate on the network and begin their day.
If you really wanted to be fancy, have that image automagically map to a network drive on your SAN/NAS as the D:\ drive. Tell employees to use the D:\ drive to store all work-related documents.
It could work. But you'd be looking at maybe 5 minutes for the morning boot-up. Not to mention all the employees hammering the network for a 2~4gb image at 7am will really thrash the servers.
If you insist on doing this, go a bit further. Activate that WoL crap and autoboot the workstations at staggered times between 6am and 7am.
I'd rather you do it wrong, than for me to have to do it at all.
Get some Sun Microsystems SunRays. Seriously.. thats exactly how they work. Your session can be saved on server and resumed anywhere else you plug in your smart card. One server and all of the terminals you need.
LTSP.ORG does somthing similar. You run X clients on a common "server" and view it with an X server on almost anything with 64 megs or more of memory.
I work at a client site where I implement large software. I have my own laptop, which due to sadly lacking Oracle WAN performance, I primarily use as a dumb terminal to various Citrix apps, and Windows Remote Desktop at my home office where I can run Visual Studio, db-based apps etc.
This works great, with one major caveat. If the network starts stuttering, performance of remote desktop and citrix both suffer badly. Otherwise, the benefits are great: much reduced amount of sensitive data on laptop, access to a higher performance office machine, less app latency when talking to 'local' databases 2000 miles away.
-- "It's not stalking if you're married!" My Wife.
I'm a vmware/virtualization fan, but I don't think this is the best application. It seems to me that it would be smarter to use terminal services / citrix / a thin client approach
If you were going to use vmware, make a standard image and push it out to the local hard drives. don't update that image unless it is time to push out a new set of windows udpates/etc. if you need to update the image though, that is going to be *hell* on your network/file servers.
I think it makes more sense to run a virtualized server than a desktop.
Also, you might end up paying for 2x the XP licenses since you'd have to pay for the host + guest operating systems.
Evolution: love it or leave it
Where I work, we have a domain so a user can log onto any computer and have their email & favorites all set up. In their profile, it automatically maps their departmental network drives and their personal network drive (where they're supposed to save their documents to). The normal programs are installed on every machine, and it's not hard to temporarily install any special programs they need on the machine they use in the event theirs in unusable. The only issue we have is that for some reason, no matter how much we tell them to save on the network, they apparently refuse to listen and save stuff on their hard drive. And then subsequently blame us if their hard drive dies and they lose data. But that's another story.
What's the matter, James? No glib remark? No pithy comeback?
http://www.vmware.com/products/enterprise_desktop. html.
Just don't what... misconfigure or misapply the technology? If "Citrix" is anything, it's too expensive in some situations and inappropriate for others. Maybe you were just using some Citrix software to do something it's not ideal at doing, or otherwise using it incorrectly... in any case, it's kinda silly to malign an entire software suite with a vague anecdote.
So a lot of expensive desktops emulating, um, pretty much themselves, using funky somewhat pricy software, running substantial images pulled off of expensive servers over an expensive network (bacause GB'net or not, a building full of folks starting up in the morning is gonna hammer you.) Then comes the challenge of managing all of those funky images, reconciling the oddities of an emulated environemnt, etc.
Could you make it work? Sure. But I gotta wonder if it'd be worth it.
Is gonna be any better then a well managed native environment? Or going Citrix clients? Or Linux/MacOS/terminals (chose your poison) boxes instead of MS Windows?
I hear your pain, I just think you're substituting a known set of problems with a more expensive, more complex, more fragile, baroquely elaborate, well, more-of-the-same.
It doesn't sound like much of an improvement really, just new and more complex failure modes, at extra cost.
Though, I guess, if you're looking for a new, challenging, and complex environment this would be it; just take your current one and abstract it another level. I wouldn't want to be the one footing the bill, or trying to rely on any of it, but at least it'd be something different.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
They just used NIS and NFS, and the net effect was pretty much exactly what you describe... Sit down at any machine, log in, and your environment loads exactly the way you left it on the last machine, everything's safely backed up at the server end, and the client machines are pretty much disposable and interchangeable, and so on. Only difference if you're not farting around with virtual machines... ie. you're not quite as "cutting edge" but on the desktops themselves, don't you want a more proven system? So why wouldn't you just do the same thing, and use said proven, if something of a pain to administer, system?
As an alternative to NIS, Netinfo does much the same thing, only it wasn't designed by people quite so sadistic as NIS. You'd still be using NFS though...
cya,
john
Imagine all the people...
First off, I don't think VM'ing your desktops is the answer. Current VM's really dumb down the hardware. You lose 3D, sound, and most of them run a bit slower than native (some quite a bit slower). Couple that with the size of most VM images (my Vista image is about 12GB) and you're really looking at a poor solution.
Here's what you should be thinking about:
- Get some kind of desktop management suite like Altiris. You can push software deployments easily, and it's very easy to lock machines down to the point where users can't fsck them up. I've consulted for companies that do this with hundreds of desktops and it's a very robust, reliable system.
- Go with a thin client setup like Citrix or Terminal Server. Users run nothing on their local hardware. Instead, everything runs on the big server. Downsides are similar to VM's (thin clients are notorious for very lightweight support for anything but the most basic sound and graphics) but you are at least spared the massive network thrashing of hundreds of users logging on and pulling down VM images at 8AM every morning.
- If it's users messing up machines that you're worried about, you might want to consider a solution by Clearcube. They take away everything except the keyboard, mouse, and monitor. The guts of the PC reside in a server rack in what is essentially a PC on a blade. The blades are load balanced and redundant, so swapping them out is a breeze. And users *can't* load software on them because there's no USB ports, no floppy drive...nothing! Unless you allow them to download it from the Internet, *nothing* is going to get on those machines if you don't want it to.
VM's make sense for server consolidation. I don't think they've yet gotten to the point where desktops run on them as a form of protection or reliability. There's too many other solutions that work better and have fewer downsides. The problem here isn't Windows per se, it's the fact that your workstations aren't locked down properly to prevent your users from doing stupid stuff in the first place. Fix that and suddenly you'll find a Windows workstation environment isn't the hassle it once was.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
An "unsupported configuration"...
In Soviet Washington the swamp drains you.
I think I have to disagree. Most of the better gigabit nics out there support PXE boot. Get a small boot loader image going. If these will all be on the same lan segment, at boot time it will grab the latest loader image, boot the small loader (~2MB). The loader can then boot the full OS image.
You can then just capture or encapsulate the computing session to an image file. It's not a full virtualized environment, as you still get the benefits of the cpu horsepower at the workstation, but if corruption occurs ou just roll back the session file. I think.
This is how Windows hibernation functions in a nutshell, just dumps RAM to a file I think. I haven't tried this in practice, but it should work.
Karma: Chameleon (mostly due to the fact that you come and go).
Hmm. Your main issue is going to be switching machines. I see three ways of doing this:
Some virtual machines let you suspend to a file. This is nice if you must run Windows, or some other uncooperative OS. But, that still means suspend to a file, which will take some time. As for the disk, that would be fairly trivial -- your host OS would be Linux over NFS, so your disk image is an NFS file.
Issue to watch for here: Local cache. I don't care how fast your gigabit is, that server is going to feel some stress. I tried setting up gigabit just for file sharing, and it was never as fast as it should have been, yes I was using Jumbo Frames, and it's just a crossover cable, yes it was cat6. And even if that's flawless, there's the server at the other end. You probably want good local caching, probably local disk caching. InterMezzo would have been good, but they've pretty much died. You might try simply throwing tons of RAM at the problem, or you might try cachefs (never got it working, but maybe...) or maybe one of the FUSE things.
Second way: Don't use VMs. VMs will never be as fast as a native OS. But "native OS" can still work roughly the way the VM image does above, if your hardware is identical. With Linux and Suspend2, you can suspend and resume from pretty much anything you can see as a block/swap device. So, all of the above caching issues apply, but just run it as a network OS, have one range of IPs for machines still booting and logging in, and another for fully functional machines. Here, when the user logs in, the bootstrap OS tells itself to resume the OS image from the network.
You could also do this with Windows by copying a local disk image around -- after you hibernate, boot a small Linux which rsyncs the whole disk across the network, including hiberfile.sys. Everything besides the OS itself would be stored over the network already anyway (samba).
I don't know if this will work -- after all, no hardware is truly identical. But it may be worth a shot.
Advantage: Both Linux and Windows XP know to trim the image a bit on suspend, so it won't be a whole memory image, just relevant stuff. Truly native speed.
Disadvantage: If I'm wrong, then you won't be able to properly resume on a different box.
Finally, you could stick to software which supports saving sessions and resuming them. I know Gnome at least, and maybe KDE, had this idea of saving your session when you log out -- and telling all applications to do so -- so that when you log back in after a fresh boot, it's like resuming from a hibernate.
Advantages: Fastest and most space-efficient out of all of them. Least administrative overhead -- in the event of a crash, there isn't nearly as much chance for bad stuff to happen. Easily works cross-platform, native speed on any supported platform. Simplest to implement, in theory.
Disadvantage: Not really implemented. 99% of all software may remember useless things like window size and position, but very few actually store a session. If you mostly roll your own software, this may be acceptible.
And of course, you could always do web apps, but those won't be anywhere near native speed -- yet.
All approaches share one flaw, though -- bad things happen when a box goes down. With a VM image (or a suspend image), if you crash, you'll obviously want to restore from a working image -- but what about the files? If they're on a fileserver, does your working image properly reconnect to the fileserver, or does it assume it's still connected (thus having weird things cached)? The third option (saving sessions) is the safest here, because in the event of a crash, programs behave the same way they would on a single-user desktop. But you still lose your session.
What others are suggesting -- various terminal server options -- is much slower, but it also means that as long as the application server is up, so is your session. If you crash, you can switch to another machine and literally be exactly where you
Don't thank God, thank a doctor!
http://www.vmware.com/products/ace/
"With VMware ACE, security administrators package an IT-managed PC within a secured virtual machine and deploy it to an unmanaged physical PC. Once installed, VMware ACE offers complete control of the hardware configuration and networking capabilities of an unmanaged PC, transforming it into an IT-compliant PC endpoint."
--BlueLines "The cost of living hasn't affected it's popularity." -anonymous
You don't need to "carefully" do anything. Folder Redirection in Windows was created just for the task. It's a feature that was introduced with Windows 2000. Beyond that you can use SMS and custom office installs to have everything configured properly everytime someone logs in. Mandatory profiles ensure that everything stays clean and spyware free. Which weaknesses are you referring to?
Beyond that I'll go and say that this approach is bomb proof and by redirecting files on to the servers which requires surprisingly little overhead you ensure that when users float from machine to machine they have all their application preferences and data. Settings can very from machine to machine with different version of software and whatnot but again, SMS will fix that.
I think we can all agree this is not a good use of virtualization. It would be very resource intensive and a simpler PXE solution already exists. With PXE you don't even have to have all the same hardware, just the proper drivers. SMS will take it from there installing the rest of the third party apps whatever they may be. Can be done from start to finish in under 30 minutes which is about how long it takes to fully restore an image. Of course over a gigabit link the time might be reduced but Windows will take a good 10 - 15 minutes to install over the network so it wouldn't be unreasonable for everything else to take another 15 minutes depending on how much there is. I know in my basic setup with Windows and Office its about 20 minutes give or take depending on processing speed and quality of hardware.
You do have a point...
I'm amazed nobody has brought this up. Someone said you'd need twice the XP licenses. That isn't true if the host OS on each PC is Linux. VMware DOES have a client for Linux. I imagine it would be a lot more secure if Linux was the host, and you can customize all the startup scripts so you wouldn't have any unncessary overhead.
I'm not sure on the loading time differences between XP host and Linux host, but last time I ran VMware on my XP laptop, it was slower than shit. 1gb of ram, Turion 1.8ghz, it ran slow...... SLOW
You can't legally do this with Windows. The (bulk-licensing) EULA states that you are allowed to install Windows on one computer and one virtual machine *that runs on the same computer*. Moving the image from computer to computer is specifically prohibited, IIRC (yes, I've considered doing this before).
Your goals may be better accomplished with a different approach.
Now you have most of the benefits you asked for: you can have users switch places at random, you can replace physical computers and set them all up with the same VM... you can even have them all run windows on a linux host if this helps prepare for "the big switch". :)
As for your maintenance of the VMs, you can remotely log in to any of the workstations and replace the old VMs with new ones when you need to update something. Ocasionally you can wipe out all files that are kept on workstations to ensure that no kiddie p0rn is found, and to further illustrate that it is essential to keep all work-related files on the server as instructed in 2)
Vmware ACE would probably be a good choice, it allows you to lock down the host hardware, disabling various pieces.
VM's can run off of network shares if you set things up right. Fast network, and you won't see a problem. I have run VM's off mirrored ximeta netdisks over 100meg with NTFS as the partition type, and it worked great, although it was only about 4 machines accessing it at one time. For office apps and such, it's a piece of cake.
I encourage people to use vmware for laptops. Create an encrypted disk with the vmware image that they want to run, then if the laptop gets stolen, you have to decrypt the disk before you can get to the really good stuff. Backups are easy, and it makes if necessary, laptop "sharing" something that you can do pretty easily as well. Multiple shifts can PC share easily as well. It's also easier to fix problems test updates and such by just snagging a copy of the image, and monkeying with it.
Citrix and remote desktop have their places as well.
My friend had setup Windows for his girlfriend as guest OS under Linux host. He was using VMWare. His girlfriend was forced to use IE to access her University Intranet. Also she needed M$Office for documents from profs. The notebook was constantly plagued by malware/spyware/etc making it barely usable.
My friend installed Linux (Gentoo one) and VMWare Workstation. Inside the VMWare he installed the OEM Windows off the notebook. State of Windows - fully updated and with M$Office installed - was saved on backup image. In guest Windows, all work was done on SMB/CIFS drive of host Linux.
The only problem was video performance - e.g. macromedia flash animations at times were making the notebook to melt. Also there were some sporadic network problems - mostly attributed to poor Windows network stack implementation. (IOW, the network problems occurring with normal Windows installation under VMWare were occurring more often. E.g. Windows DHCP client was at times failing to get address from host Linux. That IE thing was at times failing to load pages properly or simply hanging. The usual WinXP/IE problems.)
Advantages were clear. Spyware/malware got to notebook? - recover from backup image. Something crashed? - data are most likely are Okay on host Linux hard drive. Also, gradually girlfriend ha been taught how to use Linux and how to get around the University Intranet with Linux and Firefox/Konqueror. Though most documents she used still required M$Office under Windows.
All hope abandon ye who enter here.
Also with such a setup GF could never get help anywhere else. She's locked in, muahahaha.
In every single case I've ever seen of being "constantly plagued by malware/spyware/etc," it was someone who was doing it to themselves. They were constantly stealing music, downloading porn or otherwise being stupid about their online activities. They didn't have automatic updates set, or were ignoring the stupid bubble that says they had updates waiting to be applied. They weren't running decent AV, probably never scanned their machine for spyware and so on.
And yes, I'm blaming the victim. While there *should* be sense in saying that you ought to be able to walk anywhere without fear, if you keep going to drug-riddled areas downtown and getting mugged, then STOP GOING TO THOSE AREAS. Learn to take some responsibility for your own damn habits and learn a bit. You change the oil in your car and give it the occasional tune up... why not the same to your computer?
She's at a university. She can probably find more help there than most places. Heck, myself and at least five other companies support Linux in a town of less than 500,000 (Springfield, Missouri), so I don't think this nearly as true as it used to be.
Besides, think of the geeks. A girl, at university, that will seek you out because you can fix her laptop--that's running Linux--and who might find out that you DON'T have a tentacle pr0n fetish like her current boyfriend. The romantic possibilities are endless! Don't be selfish...
I think Mauve has the most RAM. --PHB (Dilbert Comic)
The edubuntu distribution is basically a plug-n-play instant LTSP environment.
I use it for junk laptops with busted hard drive controllers. I just wish wireless network cards had boot proms, I'm using MMC/SD cards to bootstrap.
Before I part with'em: two pennies weigh ~4.996+/-0.014g, have a zinc core, and the face of Lincoln. You can keep 'em.
Everytime I hear this it amazes me how unrealistic this line of reasoning really is. The essential statement is that, since there was a way to prevent the problem, the onus is on the user to "know what to do" because they are obviously "ignorant". It's like returning a broken hammer to the hardware store only to be told you "shouldn't have hit something so hard". Have you considered that the real problem lies in allowing vendors to completely avoid liability for their mistakes? Perhaps the lack of an economic incentive to make a good product has created the environment where this is possible?
From a practical perspective, telling college students not to download music, to avoid MySpace, and to not download seemingly harmless things like Screensavers and Wallpaper is about as effective as the rhythm method. Sure, they're "sinners" with their pr0n and their music. How dare they? They get what they deserve by using a computer on the internet to download the information they want. That's a sin to be sure. It's strange how that apparently makes them culpable for systematic, intentional, and malicious exploiting of their computers. Of course, the long-term social effects of corporate self interest manipulating law and public opinion to create stigma in their economic interest is beyond the scope of a Slashdot comment.
Back to the technical issues. Understand that a lot of malware immediately turns off ActiveX security. They leave the door wide open behind them. In your perfect world, not only does every user have to be perfectly responsible and knowledgable, but they also can't make even a single mistake--since this basically leaves them wide open (i.e. it doesn't ask, just downloads and installs any application that asks) in many cases.
Similarly, there is no safe site. A vast majority of the web is ad sponsored. A single malicious banner ad can catch millions (the recent MySpace incident for example). Expecting every user and every advertising company (with possibly tens of thousands of ads) to not ever make a single mistake is unrealistic as it is lazy. The web can be secure if people would put the effort into getting secure systems developed and into place instead of blaming security problems on the sinners.
Ironically, one of your "solutions", Antivirus Software (a.k.a. stopgap measure or snake oil depending on your inclination), is probably the reason things are as bad as they are. Rather than closing holes, AV just stomps the critters that run in through them. If users had insisted on fixes and security rather than installing Norton Antivirus (and considering it "fixed", things probably wouldn't be nearly so bad as they are. It would also be nice if the economic disincentive for insecurity would lie with the vendors where it belongs, not with each and every user.
People don't realize it, but this is really an old misconception. Make something illegal, and its sources become disreputable. This then reinforces the belief that it's inherently bad. My issues of concern are software licensing, patents, and copyright reform. I'm sure the same argument could (validly) be made for marijuana, prohibition, and prostitution.
Of course we've got a double-whammy with software security. Not only are the sinners browsing seedy sites, there is also no one responsible for protecting them (since the vendors have all licensed their cares away).
I think Mauve has the most RAM. --PHB (Dilbert Comic)
You know you're addicted when your non-geek wife recognizes Slashdot...
My dear wife thought that Linux was black text in a terminal, and that the mud I used to play, Nuke, was green text in a termial. Got alot of mudding in while "learning" Linux to prepare for the future.
But alas, all good things must come to an end. She finally wised up and figured out I could mud in any color text *grin*.
I traded my "Life" for a "Wife". So far in the grand scheme, I have come out way ahead!
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
As I've seen your pr0n collection firsthand, I assume that you're speaking hypothetically?
Dewey, what part of this looks like authorities should be involved?