Slashdot Mirror
Experiences with Replacing Desktops w/ VMs?
E1ven asks: "After years of dealing with broken machines, HAL incompatibility, and other Windows frustrations, I'd like to investigate moving to an entirely VM-based solution. Essentially, when an employee comes in in the morning, have them log-in, and automatically download their VM from the server. This gives the benefits of network computing, in that they can sit anywhere, if their machine breaks, we can instantly replace it, etc, and the hope is that the VM will run at near-native speeds. We have gigabit to all of the desktops, so I'm not too worried about network bandwidth, if we keep the images small. Has anyone ever tried this on a large scale? How did it work out for you? What complications did you run of that I probably haven't thought of?"
There are a lot of complications using a VM - there's no 3D, no good audio etc.. Plus if your base computer does not fit into the HAL, you can't expect much out of the VM. I am actually surprised at this - a VM will give you the benifit of portability, but if that was your goal you'd be better off giving a laptop to all your employees.
Microsoft: "You've got questions. We've got dancing paperclips."
thin client be a cheaper and easier solution per seat?
Get some Sun Microsystems SunRays. Seriously.. thats exactly how they work. Your session can be saved on server and resumed anywhere else you plug in your smart card. One server and all of the terminals you need.
LTSP.ORG does somthing similar. You run X clients on a common "server" and view it with an X server on almost anything with 64 megs or more of memory.
I'm a vmware/virtualization fan, but I don't think this is the best application. It seems to me that it would be smarter to use terminal services / citrix / a thin client approach
If you were going to use vmware, make a standard image and push it out to the local hard drives. don't update that image unless it is time to push out a new set of windows udpates/etc. if you need to update the image though, that is going to be *hell* on your network/file servers.
I think it makes more sense to run a virtualized server than a desktop.
Also, you might end up paying for 2x the XP licenses since you'd have to pay for the host + guest operating systems.
Evolution: love it or leave it
So a lot of expensive desktops emulating, um, pretty much themselves, using funky somewhat pricy software, running substantial images pulled off of expensive servers over an expensive network (bacause GB'net or not, a building full of folks starting up in the morning is gonna hammer you.) Then comes the challenge of managing all of those funky images, reconciling the oddities of an emulated environemnt, etc.
Could you make it work? Sure. But I gotta wonder if it'd be worth it.
Is gonna be any better then a well managed native environment? Or going Citrix clients? Or Linux/MacOS/terminals (chose your poison) boxes instead of MS Windows?
I hear your pain, I just think you're substituting a known set of problems with a more expensive, more complex, more fragile, baroquely elaborate, well, more-of-the-same.
It doesn't sound like much of an improvement really, just new and more complex failure modes, at extra cost.
Though, I guess, if you're looking for a new, challenging, and complex environment this would be it; just take your current one and abstract it another level. I wouldn't want to be the one footing the bill, or trying to rely on any of it, but at least it'd be something different.
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I wont bother either.
First off, I don't think VM'ing your desktops is the answer. Current VM's really dumb down the hardware. You lose 3D, sound, and most of them run a bit slower than native (some quite a bit slower). Couple that with the size of most VM images (my Vista image is about 12GB) and you're really looking at a poor solution.
Here's what you should be thinking about:
- Get some kind of desktop management suite like Altiris. You can push software deployments easily, and it's very easy to lock machines down to the point where users can't fsck them up. I've consulted for companies that do this with hundreds of desktops and it's a very robust, reliable system.
- Go with a thin client setup like Citrix or Terminal Server. Users run nothing on their local hardware. Instead, everything runs on the big server. Downsides are similar to VM's (thin clients are notorious for very lightweight support for anything but the most basic sound and graphics) but you are at least spared the massive network thrashing of hundreds of users logging on and pulling down VM images at 8AM every morning.
- If it's users messing up machines that you're worried about, you might want to consider a solution by Clearcube. They take away everything except the keyboard, mouse, and monitor. The guts of the PC reside in a server rack in what is essentially a PC on a blade. The blades are load balanced and redundant, so swapping them out is a breeze. And users *can't* load software on them because there's no USB ports, no floppy drive...nothing! Unless you allow them to download it from the Internet, *nothing* is going to get on those machines if you don't want it to.
VM's make sense for server consolidation. I don't think they've yet gotten to the point where desktops run on them as a form of protection or reliability. There's too many other solutions that work better and have fewer downsides. The problem here isn't Windows per se, it's the fact that your workstations aren't locked down properly to prevent your users from doing stupid stuff in the first place. Fix that and suddenly you'll find a Windows workstation environment isn't the hassle it once was.
In the end they will lay their freedom at our feet and say to us, Make us your slaves, but feed us. - Fyodor Dostoyevsky
Citrix (or another similar product) is exactly what he should be looking into. Downloading entire disk images over a network is just a pain in the ass everytime someone boots. However Citrix isn't the solution to all things, yet it beats VMs for most practical applications.
See, that's the big negative point in the entire setup. The bootup time is a pain in the neck, but people can live with that easily. They'll fetch their cups of coffee, have the morning conversation with coworkers and will return about 10 minutes after their machines have booted up. The real issue is the server getting hammered every morning, slowing these boottimes as more machines get added to the network.
I can hear it now: set up a second server, set up a third... etc etc. Yes, set up a bunch of servers that do nothing all day but hand out images, and don't forget about the backup servers (you don't want one of those servers to crash in the morning taking out the entire accounting department). I'm seeing an entire rack of machines at this point doing nothing but handing out images, wired up to really expensive network gear, doing nothing really useful. Don't get me wrong in this last statement, the usefulness of this construction is that you can easily exchange pc's and images not having to worry about hardware, software installed on each users pc, etc. But there's a lot of more cost-effective ways to achieving something that works similar.
Take that budget for those image servers, and backup servers, VM-software licenses, and networkgear, and buy a single server and a good backup mechanism (or a backup server in failover). Spend some time on setting up profiles and think about what software is present on all machines. Take an image of every machine you install differently, and copy that to the server. Buy software like Citrix (or anything else resembling it) to have special applications available at one server (think backups here), and you have a pretty decent solution that doesn't hammer your network/servers every morning and gives you a headache by 10am because some people aren't getting their images.
I've seen the concept of VM images on a server, and I've seen people get bitten by it because they didn't forsee the amount of storage and network traffic involved. Most of these people didn't have a need for such an elaborate solution. Hell, I've seen half a serverfarm run vmware because "it was a good way to virtualize systems, and make things easily interchangable" while those people would've been much more satisfied with a "simpler" failover solution (note those quotes, denoting that failover also requires thought, but usualy ends up being a cheaper solution hardware wise).
On top of it all, using VMs for desktop operating systems uses up a lot of resources. You're running an operating system, that runs software that runs another operating system. Some would say that it's hardly noticeable, but why waste the resources? You'll make todays hardware run like last years, which for most applications is not an issue, but most likely you're going to run last years hardware like hardware from two years ago because you'd have to invest in new desktops for the entire company otherwise.
Let's talk mobility for a moment. Imagine your salesman with his laptop and flashy UMTS (or whatever standard they've cooked up) connection on the road. He's going to want to be able to check his mail on the road, so he'll have to get an image over a connection that can hardly manage streaming video... Nope, you're going to give him his operating system, install his software and pray to god he doesn't send too many large documents over that very expensive UMTS connection. That sort of starts breaking the principle of having images f
I think I have to disagree. Most of the better gigabit nics out there support PXE boot. Get a small boot loader image going. If these will all be on the same lan segment, at boot time it will grab the latest loader image, boot the small loader (~2MB). The loader can then boot the full OS image.
You can then just capture or encapsulate the computing session to an image file. It's not a full virtualized environment, as you still get the benefits of the cpu horsepower at the workstation, but if corruption occurs ou just roll back the session file. I think.
This is how Windows hibernation functions in a nutshell, just dumps RAM to a file I think. I haven't tried this in practice, but it should work.
Karma: Chameleon (mostly due to the fact that you come and go).
Actually, with VMware workstation you can keep base images on the workstation itself and load only user's plugins / redo stuff over the network. That's what we do and we don't see any network hit on 100 Mbps LAN. This gives you ability to run free (as in beer) Linux distro on all your workstations, which enormously helps with PC support issues compared to any Windows version. With a bit of clever scripting, KDE session retrieves all the necessary stuff from MySQL backend and users have their workstation (Windows, Linux, whatever) running full screen in no time. With good PC hardware (which is dirt-cheap these days) noone can tell that what they see and work on is VM.
.edu so we get really nice discounts on VM licenses).
Granted, for large network this solution is probably too expensive (we are
What about staging the images overnight and keeping the backup image on the user's local C drive? If the network's up, use it to update the local cache overnight, as needed. If the network's down, use the cached image. You don't have to refresh the image daily, just when you want to make a change. The beauty is in ease of rollback when someone stuffs up a change on the client.
Do not mock my vision of impractical footwear
You don't need to "carefully" do anything. Folder Redirection in Windows was created just for the task. It's a feature that was introduced with Windows 2000. Beyond that you can use SMS and custom office installs to have everything configured properly everytime someone logs in. Mandatory profiles ensure that everything stays clean and spyware free. Which weaknesses are you referring to?
Beyond that I'll go and say that this approach is bomb proof and by redirecting files on to the servers which requires surprisingly little overhead you ensure that when users float from machine to machine they have all their application preferences and data. Settings can very from machine to machine with different version of software and whatnot but again, SMS will fix that.
I think we can all agree this is not a good use of virtualization. It would be very resource intensive and a simpler PXE solution already exists. With PXE you don't even have to have all the same hardware, just the proper drivers. SMS will take it from there installing the rest of the third party apps whatever they may be. Can be done from start to finish in under 30 minutes which is about how long it takes to fully restore an image. Of course over a gigabit link the time might be reduced but Windows will take a good 10 - 15 minutes to install over the network so it wouldn't be unreasonable for everything else to take another 15 minutes depending on how much there is. I know in my basic setup with Windows and Office its about 20 minutes give or take depending on processing speed and quality of hardware.
My friend had setup Windows for his girlfriend as guest OS under Linux host. He was using VMWare. His girlfriend was forced to use IE to access her University Intranet. Also she needed M$Office for documents from profs. The notebook was constantly plagued by malware/spyware/etc making it barely usable.
My friend installed Linux (Gentoo one) and VMWare Workstation. Inside the VMWare he installed the OEM Windows off the notebook. State of Windows - fully updated and with M$Office installed - was saved on backup image. In guest Windows, all work was done on SMB/CIFS drive of host Linux.
The only problem was video performance - e.g. macromedia flash animations at times were making the notebook to melt. Also there were some sporadic network problems - mostly attributed to poor Windows network stack implementation. (IOW, the network problems occurring with normal Windows installation under VMWare were occurring more often. E.g. Windows DHCP client was at times failing to get address from host Linux. That IE thing was at times failing to load pages properly or simply hanging. The usual WinXP/IE problems.)
Advantages were clear. Spyware/malware got to notebook? - recover from backup image. Something crashed? - data are most likely are Okay on host Linux hard drive. Also, gradually girlfriend ha been taught how to use Linux and how to get around the University Intranet with Linux and Firefox/Konqueror. Though most documents she used still required M$Office under Windows.
All hope abandon ye who enter here.
What you forget with your Citrix solution is that you move the problem from the network to the CPU and memory.
When you have an entire office full of modern PCs (say with 512-1024 MB of RAM and a 2-3 GHz class CPU) you are wasting a large amount of real estate when you run ICA Client on all those and make the people work on one or a few Citrix servers where they all have to compete for a few CPUs and a lot less memory.
Citrix is nice, but it is not the answer to everything. When the users run intensive or inefficient applications, it can be a severe performance problem.
The solution he has in mind does not have that problem, because his applications run locally so they utilize the local resources available on the desktop.
People actually use wakeup on lan on desktops?
Yes, we use WOL to wakeup windows workstations in the weekend (or the night, in emergency cases) and install/update software or hotfixes.
So, the user is not bothered with waittime reboots after application installs.
Also with such a setup GF could never get help anywhere else. She's locked in, muahahaha.
Everytime I hear this it amazes me how unrealistic this line of reasoning really is. The essential statement is that, since there was a way to prevent the problem, the onus is on the user to "know what to do" because they are obviously "ignorant". It's like returning a broken hammer to the hardware store only to be told you "shouldn't have hit something so hard". Have you considered that the real problem lies in allowing vendors to completely avoid liability for their mistakes? Perhaps the lack of an economic incentive to make a good product has created the environment where this is possible?
From a practical perspective, telling college students not to download music, to avoid MySpace, and to not download seemingly harmless things like Screensavers and Wallpaper is about as effective as the rhythm method. Sure, they're "sinners" with their pr0n and their music. How dare they? They get what they deserve by using a computer on the internet to download the information they want. That's a sin to be sure. It's strange how that apparently makes them culpable for systematic, intentional, and malicious exploiting of their computers. Of course, the long-term social effects of corporate self interest manipulating law and public opinion to create stigma in their economic interest is beyond the scope of a Slashdot comment.
Back to the technical issues. Understand that a lot of malware immediately turns off ActiveX security. They leave the door wide open behind them. In your perfect world, not only does every user have to be perfectly responsible and knowledgable, but they also can't make even a single mistake--since this basically leaves them wide open (i.e. it doesn't ask, just downloads and installs any application that asks) in many cases.
Similarly, there is no safe site. A vast majority of the web is ad sponsored. A single malicious banner ad can catch millions (the recent MySpace incident for example). Expecting every user and every advertising company (with possibly tens of thousands of ads) to not ever make a single mistake is unrealistic as it is lazy. The web can be secure if people would put the effort into getting secure systems developed and into place instead of blaming security problems on the sinners.
Ironically, one of your "solutions", Antivirus Software (a.k.a. stopgap measure or snake oil depending on your inclination), is probably the reason things are as bad as they are. Rather than closing holes, AV just stomps the critters that run in through them. If users had insisted on fixes and security rather than installing Norton Antivirus (and considering it "fixed", things probably wouldn't be nearly so bad as they are. It would also be nice if the economic disincentive for insecurity would lie with the vendors where it belongs, not with each and every user.
People don't realize it, but this is really an old misconception. Make something illegal, and its sources become disreputable. This then reinforces the belief that it's inherently bad. My issues of concern are software licensing, patents, and copyright reform. I'm sure the same argument could (validly) be made for marijuana, prohibition, and prostitution.
Of course we've got a double-whammy with software security. Not only are the sinners browsing seedy sites, there is also no one responsible for protecting them (since the vendors have all licensed their cares away).
I think Mauve has the most RAM. --PHB (Dilbert Comic)