Red Hat Releases Windows Virtualization Code

dan_johns writes "Only one month after Microsoft released Linux code to improve the performance of Linux guests on Windows, Red Hat has done the reverse. Red Hat has quietly released a set of drivers to improve the performance of Windows guests hosted on Linux's Kernel-based Virtual Machine (KVM) hypervisor. The netkvm driver is a network driver and viostor is a Storport driver to improve the performance of high-end storage. This release includes paravirtual block drivers for Windows. Linux and Windows — virtually coming together at last."

Gentoo??

I use Gentoo; how does this affect me?

Re:Gentoo??

[palegray.net]

Now you can run Windows in a VM when people come over to avoid the shame of admitting you run Gentoo?

/me goes back to his Mac and Debian servers.

Re:Gentoo??

[Hurricane78]

Protip:

PORTAGE_NICENESS="19"
PORTAGE_IONICE_COMMAND="ionice -c 3 -p \${PID}
FEATURES="${FEATURES} parallel-fetch cchache"
CCACHE_DIR="/var/tmp/ccache"
CCACHE_SIZE="1G"

Re:Gentoo??

[Jurily]

Now you can run Windows in a VM when people come over to avoid the shame of admitting you run Gentoo

What shame? Absolutely nothing can establish your Alpha Geek status faster than saying "Umm, I don't have a graphical desktop right now, it's still compiling", and firing up lynx to check your email.

Re:Gentoo??

[palegray.net]

Don't do it front of an Apple shrine. Better to find a Debian shrine; you'll get more mileage in the afterlife, and you won't be eternally bonded to Steve Jobs.

Re:Gentoo??

[Jurily]

Real geeks decrypt their mail by hand.

Re:Gentoo??

[HeronBlademaster]

I like my protip better: Mount /usr/portage/var (or whatever portage's working directory is) on a 9GB ramdisk, and set MAKEOPTS to -j9.

Re:Gentoo??

[dasmoo]

You call that beautiful? Just because you can make a desktop rotate doesn't mean you should.

Re:Gentoo??

[locoluis]

Are you from South Korea?

Re:Gentoo??

[adam.ec]

mmmmm...... I've just spent the last two hours sorting an XP machine out with a DLL problem. On top of that most of my week has been spent updating our company machines with .net framework and it's updates because two applications that we have bought required it; and each machine would not update via our main server, only individually. In my book that constitutes dependencies and it was hell - three machines failed to update the frameworks and we had to pick out registry entries by hand to convince the machines that .net framework 3.5 wasn't actually successfully installed. I'll be honest, I use Slackware Linux which is always fun with dependencies without a package manager but I've had a lot more problems getting software to run on Windows without downloading patches, frameworks and other 'required' utilities. Also, last week, one of the department managers had a new laptop delivered and needed it for a short notice business trip. I installed Office 2007 as a complete install according to the menus. He took the laptop saying he would configure it later. Office then asked for the DVD three times while he was away to continue installing parts of applications rendering Powerpoint and Outlook useless until he came back to the office. That is the kind of dependency that really is hell.

Re:See!

Isn't it better when we all play nicely?

Gestures are good, but the proof is in the pudding. If Microsoft keeps up actions like this on a consistent basis, then good things will happen.

I just worry that this is more of a "Oh look, judge, the prosecution's arguments are invalid. Look at these two examples where we worked with open source! See?! We're not bad!"

Lack of Caring

[tychoish]

I suppose this is a good thing, and I'm a big fan of the virtualization, but really, why? Windows fails to compel.

Re:Lack of Caring

Way to display your ignorance! We're talking about paravirtualization, not the crappy performance you'll get from workstation or virtualbox. This is on par with esx, hyperv and xen. So, having better paravirtualization support for windows on kvm really leaves virtualbox completely in the dust. And I'm sure this is all done by ms and rh with a view to the server, not the guy who wants to virtualize xp to run cstrike.

How does this affect security?

[mlts]

I've always wondered how paravirtualizing some functions such as I/O or networking affects security.

Say a VM gets compromised, and is able to do what it wants with the block devices, how tough would it be to get out of the VM? If malicious code is able to access the host's block device that runs in kernel mode and start running code directly on the host's OS, game over.

Re:How does this affect security?

[AltGrendel]

That depends on if you are using Xen or Qemmu. There's a design flaw in Xen/SELinux that will allow a hacked guest to write to the physical drive without notifying SELinux. This was "fixed" when the Qemm/SELinux interaction was worked out. There's a blog from one of the Red Hat SELinux guys that gives more detail, but I can't find the link just now.

Re:How does this affect security?

[TheRaven64]

Paravirtualisation just means that you're using a set of simple interfaces to communicate with the hypervisor driver, rather than an emulated physical device. You're still sending commands from the guest to the hypervisor (or, in the case of Xen, to a privileged guest), and it is still completing them on your behalf by talking to the hardware. If anything, PV is more secure, because the code running outside the guest is much simpler than a full emulated device. If there's a bug in the host PV drivers that permits arbitrary code execution then it's possible to escape from the VM. If there's a bug in the host's device emulator, then it's possible to escape from the VM. The second is more likely, because the code is much more complicated. A Xen PV block device interface, for example, is about 200 lines of code.

Re:How does this affect security?

[Anthony+Liguori]

I've always wondered how paravirtualizing some functions such as I/O or networking affects security.

Say a VM gets compromised, and is able to do what it wants with the block devices, how tough would it be to get out of the VM? If malicious code is able to access the host's block device that runs in kernel mode and start running code directly on the host's OS, game over.

Unlike Hyper-V and Xen, in KVM a paravirtual device looks an awful lot like an emulated device. For instance, virtio-net appears to the guest as a normal PCI device. It's quite conceivable that a hardware vendor could implement a physical virtio-net card if they were so inclined. In our backend, we implement virtio-net like any other emulated device.

This means from a security perspective, it's just as secure as an emulated driver. It's implemented in userspace and can be sandboxed as an unprivileged user or through SELinux.

VMware uses a similar model. Hyper-V and Xen prefer to not model hardware at all and use special hypervisor-specific paths. From a security perspective, the fact that these devices are on a different code path means that they have different security characteristics than emulated devices. For instance, in Xen, a paravirtual network device is backed directly in the domain-0 kernel so an exploit in the xenpv network device is much more severe than an exploit in a Xen emulated network device (since the device emulation happens in an unprivileged stub domain).

Re:How does this affect security?

[QuantumG]

when I worked at VMware we used to just call it "cheating". You'd often hear engineers referring to "the drivers we use to cheat", and communicating through the "backdoor port".

Re:How does this affect security?

[julesh]

"communicating through the backdoor port" == "talking out of your ass"?

Re:How does this affect security?

[QuantumG]

8 years and finally someone outside the company gets that joke.

Re:See!

[Ynot_82]

Since when has Linux /not/ played nicely with windows?

It's the other direction that's strewn with landmines

A good thing.

[LoRdTAW]

Cooperation like this is a great gesture. MS releasing code to help Linux run better in their VM's is a good thing and I am glad Red Hat returned the favor. With shops today running a mixed environment this helps them with transitioning or running apps side by side. Great for Linux development/testing on Windows and now better Windows development/testing on Linux systems. Now if only Apple would allow OSX to run in a VM. Developers could have one system running the OS of their choice and do all their cross platform development and testing on one system. Great for small developers who might code on a laptop or prefer to have a single system for development.

Re:A good thing.

[shentino]

MS only released it because they got caught violating the GPL.

Re:A good thing.

[spitzak]

Not really. The authors of the code wanted it released in such a way that it could be incorporated into the kernel source code. This meant it had to be GPL or the kernel maintainers would not add it. It is irrelevant whether or not releasing it some other way would violate the GPL, as the authors never intended to do that.

The real news is that somehow magically Microsoft was not forced to GPL every bit of code that they ever wrote, despite their repeated claims that the GPL is a "virus" that "infects everything it touches". They basically proved that they directly lied about this.

Re:See!

[wamerocity]

Landmines explode in either direction. I think it's more like the metal spikes coming out of the ground when you try to drive out of a parking garage without paying.

How is this new news?

[jamesh]

How is this new news? Xen and VMWare have had PV drivers for Windows for ages...

Re:How is this new news?

[jamesh]

Fortunately a brave soul in the community stepped up and wrote a set of GPL drivers

Yes. Me. :)

Never happen with Apple

[Sycraft-fu]

For better or worse, right or wrong, Apple is convinced they are a hardware company. They make their money on hardware in their mind, they just use their software to help sell their hardware. So they don't want you doing virtualization. They are not at all interested in your running their software on other people's hardware. For that matter, they aren't really interested in you running VMs all on their stuff. They'd much rather you have to buy 5 Xserves than buy 1 and do 5 VMs.

Just life, and it isn't likely to change unless Apple starts losing money (and probably not even then).

Re:Never happen with Apple

[mlts]

The nice thing is that if you need to run VMs on OS X, you can move VMs from VMWare ESXi to VMWare Parallels on the Mac with little effort. Most of the time, it can copy directly. Worst case, you might need to copy the hard disk files and reinstall the VMWare client stuff.

Though it would be nice for Apple to have VM functionality built into the OS, or available easily, thankfully there are programs that allow Macs to be VM hosts. VMWare is a big one, but I have used Sun's VirtualBox as well, and even though it might not have the features that VMWare has, it still is decent.

Quiet release

[dkleinsc]

Tell me, since when does a press release for Techworld + a front-page /. article count as releasing "quietly"?

At parity once again

[stox]

No longer does Microsoft enjoy an advantage hosting mixed VM's. I am sure the boys in Redmond are not amused. Kudos to the folks at RedHat.

Re:At parity once again

[_KiTA_]

I am sure the boys in Redmond are not amused.

Microsoft and Red Hat agreed to support each others' operating systems in their virtual environments, so this action is to be expected.

Yes, they expected it just like they expected people to extend Kerebos Authentication and XML filetypes right back at them. Microsoft embraces and extends OTHERS, they don't GET embraced and extended.

Windows Server able to run Linux VMs easily means more people willing to move from Linux to Windows, cause they can virtualize their Linux apps until they've ported them over -- and since they went to all that trouble to pay for Windows server... Might as well keep it.

It doesn't really "work" for Microsoft the other way around, ya know.

Re:At parity once again

[nxtw]

Yes, they expected it just like they expected people to extend Kerebos Authentication and XML filetypes right back at them. Microsoft embraces and extends OTHERS, they don't GET embraced and extended.

No; Microsoft and Red Hat joined each others' virtualization validation programs. As a result, Red Hat will support Windows server operating systems on Red Hat's virtualization software. This support is a direct result of Red Hat participating in Microsoft's validation program.

The list of vendors participating in Microsoft's program includes other companies, such as VMware, Citrix, Cisco, Oracle, and Sun.

Re:See!

[timeOday]

At least linux tries. But there is a fundamental shortfall at the moment - lack of support for a common filesystem! Windows only does NTFS, and NTFS-3G in linux grinds to a halt and freezes if you write substantial amounts of data. (This is most often noted by people trying to run VMWare images on an NTFS filesystem from a linux host, since suspending and snapshotting the guest take lots of space). That leaves you with fat32, and 2GB files aren't what they used to be.

Asp.net

[viking567]

One step closer to http://slashdot.org/Default.aspx

Re:See!

[fuzzyfuzzyfungus]

A common filesystem(one nicer than fat32, or iso9660, and more generally useful than UDF, at any rate) would be nice; for external storage devices and for certain hobbyist dual-boot scenarios; but I, in my own experience, just don't feel the need as keenly as I used to. I wouldn't be surprised if the reason that one doesn't exist(to any really useful degree) is that others have similar experiences.

With computers so cheap, and getting ever cheaper, and networking going from common to ubiquitous, and little network storage widgets popping up even on home networks, not to mention the increasing amount of stuff that lives on a remote server somewhere, I just don't find myself needed to access one OS's partition from the other very much. If I really do need to grab some file, NTFS-3G's inefficiency just isn't a big deal.

The overwhelming majority of file transfers between OSes(or between the same OS on different machines) that I end up doing these days are via some network protocol, http, sftp, smb, IMAP, etc. that abstracts away the filesystem on the other end, and is spoken just fine by most anything. With virtualization becoming an increasingly common, and for most purposes superior, alternative to dual booting, network transfers even work for two OSes on the same machine.

It would be nice if there were a properly interoperable filesystem in common use(if only so we could shove a stake through exFAT's black heart before it takes off); but it just hasn't been a big deal for a while now, for me.

Re:See!

[maharb]

It might be a legit improvement and a strategic move from Microsoft. Windows doesn't care if they are being run in a VM on a Linux box. They still sell support, licenses and all that other good stuff. In fact, VM's might mean more windows installs, more license keys sold, more support requests, and more money for Microsoft. Why would they want to stop paying customers from doing what they want on their box. Hell, Microsoft is probably thrilled that people are running Linux on a licensed copy of Windows in a VM rather than native and they are probably thrilled that windows is being installed on VM's on a Linux host. Win win for Microsoft and Linux. Soon they will both have 100% market share. lol.

Re:See!

[timeOday]

Come to think of it, I've only had it actually lock up when running VMWare from that ntfs partition. VMWare can be very disk intenstive (snapshots, suspend+resume) and runs largely in kernel mode, maybe it's choking on the delays?

I'd be very curious what you get from the following test - here is my output from running the following command on both ntfs and ext3 filesystems:

time dd if=/dev/zero of=test bs=1024 count=2000000

On NTFS:
2000000+0 records in
2000000+0 records out
2048000000 bytes (2.0 GB) copied, 146.024 s, 14.0 MB/s

real 2m26.053s
user 0m1.168s
sys 0m15.221s

On ext3
2000000+0 records in
2000000+0 records out
2048000000 bytes (2.0 GB) copied, 18.2012 s, 113 MB/s

real 0m18.213s
user 0m0.448s
sys 0m9.605s

As you can see, the ntfs-3g write speed is slower by a factor of 8! Moreover mount.ntfs saturates a core under sustained writing. It's just not good enough for running an i/o intensive application on.

Re:See!

[Korin43]

The NTFS drivers for Linux work pretty well.. And ext2 IFS works except for:

* Inodes that are larger than 128 bytes are not supported.
* Access rights are not maintained. All users can access all the directories and files of an Ext2 volume. If a new file or directory is created, it inherits all the permissions, the GID and the UID from the directory where it has been created. There is one exception to this rule: a file (but not a directory) the driver has created always has cleared "x" permissions, it inherits the "r" and the "w" permissions only. See also section "What limitations arise from not maintaining access rights?".
* The driver does not allow accessing special files at Ext2 volumes, the access will be always denied. (Special files are sockets, soft links, block devices, character devices and pipes.)
* Alternate 8.3-DOS names are not supported (just because there is no place to store them in an Ext2 file system). This can prevent legacy DOS applications, executed by the NTVDM of Windows, from accessing some files or directories.
* Currently the driver does not implement defragging support. So defragmentation applications will neither show fragmentation information nor defragment any Ext2 volume.
* This software does not achieve booting a Windows operating system from an Ext2 volume.
* LVM volumes are not supported, so it is not possible to access them.

exchange/ad on linux (haha)

[itzdandy]

The problem for me with this is that Windows is a poor server OS. The only compelling reason to run Windows servers is active directory and exchange. IIS is not nearly as good as apache or nginx or comanche or lighttpd (specifically, overhead, flexability, security, and performance!)

The costs for many organizations to engineer, deploy, and support windows servers for exchange and sharepoint is equal to or greater that the cost of outsourced/hosted. You can get hosted exchange for under $12/user/month at rackspace which compares well enough to a MCTS for Windows server and exchange as that 55,000 can do well over 350 exchange accounts without a power bill.

A linux server may take some expertise to setup but needs far far less daily upkeep. You can employ many less techs and hire in from the local tech shop for big deployments. I have an email server (ubuntu 6.04) that has been running for over 3 years without any effort on my part. The only downtime it has ever had was when the power failed and it shut down after the UPS was drained. $1200+ about 6 hours config (say $85/h) and no maintenance is something is am sure no windows server can or ever has matched.

back on point here, stop investing time and money is getting windows to run faster virtualized, put those dollars into alternatives to windows software. it has happened before that an OSS alternative (apache) has become so dominant that the big vendors have the alternatives rather than the standard. (bind, apache, sendmail and postfix, courier etc)

Re:See!

[izomiac]

I prefer Ext2FSD myself, but neither is ideal. They require a helper application that doesn't autostart (there's a non-working option for it), and they can be fickle about mounting (e.g. click mount and it doesn't happen, or open the drive and Windows asks to format it). I've had data loss with NTFS-3g (hopefully that bug's been squashed), and exFAT isn't supported in Linux.

IMHO filesystem compatibility is a great example of how Linux devs are bad at leaving boring, but critical applications half done. E.g. they work, but have you have to jump through hoops and even then there are major bugs and little to no polish. Ideally, you could use any Windows or Linux filesystem in the other OS transparently with all features, to the point that the common user doesn't need to know what filesystems their partitions use.

All that said, I use FAT32 or Ext2 for shared partitions for lack of a better alternative.

Re:See!

[amRadioHed]

Sure, samba would be great for a universal file system if USB drives had Ethernet ports.

Re:See!

[martyros]

MS is only playing nicely because it has to, for the time being. Namely:

• World Domination will fail if virtualization is near-ubiquitous and MS isn't involved. MS had to enter the virtualization market.
• Entering the market gives them a chance to do their "embrace, extend, extinguish" tricks to make sure they're dictating the rules (see RTF, IE, OOXML, C#, &c &c) instead of being dictated to.
• However, they aren't as strong in the server market as they'd like. Namely, they know that if Hyper-V won't run Linux servers well, large segments of the market won't use it -- even people who are normally of the "Nobody ever got fired for buying Microsoft" persuasion. That means limited market penetration, which means no market leverage, which means they're being told what to do instead of telling others what to do.
• Therefore, they have to make Linux run well on Hyper-V.

At least for now. If history is a guide, if MS does get established in this market, it will be using all of its old dirty tricks to fight against non-Microsoft servers, just as it's been consistently doing in other areas for the last 25 years.

Microsoft / Red Hat Child

[jchawk]

What do you think the demon baby these two are going to have is going to look like?

Re:See!

[David+Gerard]

This is actually entirely false for servers - server vendors make damn sure Linux works out the box. Dell, Sun or HP would never release an x86 server these days that doesn't run Linux perfectly. All of them will deal with Red Hat in paid support and (in my experience) happily treat CentOS as Red Hat for problem solving purposes.

Random desktop crapware, yeah. But this virtualisation exercise is for the benefit of servers, after all.