Jumping VDI

     
 

Sun VDI 3 - What is it about - Open Storage Access


Centralized storage is a key component in the VDI world, if not the key component. If you think of the virtualization host as the CPU and memory for executing a virtual desktop, the centralized storage is the hard disk. It is a simple metaphor, but it implies really tough requirements:

  • A PC hard disk is cheap:
    Today's PCs come with a TB of space on the hard-disk. And this costs around a hundred euros. If you compare this with a TB in a SAN or a NAS, the price is very different. Fortunately a TB is typically not needed for the average enterprise PC.
  • A PC hard disk serves a single user:
    A PC is usually a single-user environment, meaning a user is running a single OS and a number of applications. Disk I/O is not an issue. If you have a central storage serving hundreds of virtual disks, disk I/O becomes a major concern. Just imagine hundreds of users, each running their own virtual disk with random read and write access. This can easily cause a major crisis for the central storage. Here, factors like I/O, throughput and the locking semantics of filesystems have to be taken into account. These requirements are very different from what's needed for a single PC's hard disk.
  • A PC hard disk can crash:
    The same applies to a virtual hard disk running on a central storage. This can be caused by a hardware failure on the central storage, a guest OS failure (blue screen of death), a network problem and so on. In other words, redundancy is key in the virtual world, and complexity is higher.

So what have we done for Sun VDI 3 to address the storage requirements:

200902091341.jpg

In the illustration above you see two connections to the storage: ZFS and iSCSI. These are the core elements of the concept:

ZFS - The filesystem is leveraged as it provides the essential filesystem capabilities required for Sun VDI 3:

  • Snapshots to keep a safe state of a virtual machine disk. A lot of virtualization solutions today rebuild these capabilities on top, as part of the virtualization layer. ZFS provides this built in, fully transparent to the virtualization layer.
  • Cloning to replicate virtual machine disks. A very typical requirement in the VDI world is that specific user groups should have the same qualified desktop. Cloning is one answer. Cloning with ZFS is an even better answer, as it replicates virtual disks instantly without consuming any disk space - well, just a few kilobytes. Deploying hundreds of desktops becomes a task that can be done in minutes or a few hours rather than a couple of days or weeks. A tremendous advantage.

iSCSI - The protocol for remote block I/O:

  • VirtualBox has a built-in iSCSI implementation that acts as an iSCSI initiator. Actually it does way more. It treats a connected iSCSI target as if it were a hard disk. That means all block I/O is communicated directly between VirtualBox and the central storage. No translation, just raw traffic for the best possible performance.
  • All information about a virtual machine and a virtual disk is stored in the Sun VDI 3 datastore. This implies that the VirtualBox host is fully stateless. Only at the moment when a VM is started is VirtualBox informed about the VM configuration and where the virtual disk resides.
200902091626.jpg

The illustration above details the core concepts. As stated, the VirtualBox host is stateless. The Sun VDI 3 broker has all the knowledge about the location and structure of the storage. For a group of VirtualBox hosts (a VirtualBox Desktop Provider), the administrator configures a number of so-called storage pools (ZFS) or, in the language of the Sun Storage 7000 systems, storage projects. Each pool can host many virtual disks. Each virtual disk is a volume (ZFS) or share (Sun Storage 7000 systems). That's it about the terminology.

It becomes interesting if you look at how we envision creating the virtual disks. We assume that most of the hosted desktops are very similar. Typically they are based on one Golden Image created and maintained by the administrator. In Sun VDI 3 we call those Golden Images templates. The administrator imports a Golden Image into Sun VDI 3, where it becomes a template. The idea is now to replicate the template as often as needed for all users. But instead of creating full copies for each desktop instance, we use the advantages of ZFS. Sun VDI 3 will create a snapshot of the template. From this snapshot each new virtual disk is a clone, consuming initially almost zero physical storage. Only when the user actually accesses this volume are the differences stored into the volume, and the volume grows.

Let's pause here for a second. One implication of this approach is that creating a new clone is done within milliseconds, making the whole deployment much faster. It also allows the administrator to overcommit a storage pool, creating many more disk instances than physically possible.
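To make the overcommit trade-off concrete, here is an added example (not code from Sun VDI or ZFS) that models a pool, one template and its copy-on-write clones, and reports how many desktops can diverge by a given amount before the pool is physically full. The class and function names and the block counts are constructed for illustration, and the few kilobytes of snapshot metadata are ignored.

```python
"""Constructed model of template -> snapshot -> clone space accounting (not Sun VDI or ZFS code)."""

class Pool:
    def __init__(self, physical_blocks):
        self.physical = physical_blocks   # blocks that really exist
        self.used = 0                     # blocks actually allocated
        self.logical = 0                  # blocks promised to virtual disks

    def allocate(self, n):
        if self.used + n > self.physical:
            raise RuntimeError("pool full: clones diverged further than the pool can hold")
        self.used += n

class Template:
    def __init__(self, pool, size):
        pool.allocate(size)               # the golden image is the only full copy
        pool.logical += size
        self.pool, self.size = pool, size

class Clone:
    def __init__(self, template):
        self.template = template
        self.private = set()              # block numbers this desktop has rewritten
        template.pool.logical += template.size   # promised, not allocated

    def write(self, block_no):
        if not 0 <= block_no < self.template.size:
            raise IndexError(block_no)
        if block_no not in self.private:  # first write to a shared block allocates a copy
            self.template.pool.allocate(1)
            self.private.add(block_no)
        # rewriting an already private block costs no extra space

def deploy(pool_blocks, template_blocks, desktops, changed_per_desktop):
    """Clone `desktops` disks, let each rewrite `changed_per_desktop` blocks.

    Returns (desktops that finished writing, overcommit ratio logical/physical)."""
    pool = Pool(pool_blocks)
    tpl = Template(pool, template_blocks)
    clones = [Clone(tpl) for _ in range(desktops)]   # instant: no allocation happens here
    ratio = pool.logical / pool.physical
    for done, clone in enumerate(clones):
        try:
            for block_no in range(changed_per_desktop):
                clone.write(block_no)
        except RuntimeError:
            return done, ratio            # this desktop's write failed: pool exhausted
    return desktops, ratio

if __name__ == "__main__":
    print(deploy(1000, 100, 50, 20))      # constructed sizes, in abstract blocks
```

In this model, deployment always succeeds and the failure only appears later, at write time, which is why an overcommitted pool needs its physical usage monitored rather than its number of disks.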

After the virtual disks are created, the virtual desktops (virtual disk plus VM configuration) can be assigned to a user. Now, when the user starts accessing his virtual desktop, the following happens. First, Sun VDI 3 selects the VirtualBox host which should execute the virtual desktop. Afterwards Sun VDI 3 sends the VM configuration parameters as well as the location of the virtual disk to the VirtualBox host. The location is specified as an iSCSI target being served on an Open Storage server or Open Storage cluster. Thereafter VirtualBox boots the VM directly from the iSCSI target. Updates and write operations are sent to the iSCSI target, which is a sparse image of the original disk. Depending on the bandwidth and the caching capabilities of the storage host, the virtual desktop will boot very fast.

The 7000 series (Amber Road) provides the ideal components for this kind of deployment. On top of ZFS it offers a very smart management interface that makes storage administration very simple. Underneath, it offers capabilities such as clustering and caching that help to build a very reliable, fast and cost-effective solution. Besides Amber Road, Sun VDI 3 lists OS2008.11 as a supported storage platform.

With this approach storage becomes way cheaper and affordable. And besides price it offers advantages in terms of desktop deployment time and capacity planning. This is more than just cool. It's a very different and efficient approach to VDI.

-Dirk


Sun VDI 3 - What is it about - xVM VirtualBox


In my next couple of articles around Sun VDI 3 I want to focus on the back-ends, so VirtualBox including its storage access and finally on the additional features for the VMware backend. Looking first at VirtualBox we see a clean and simple architecture:


200902091204.jpg

The VirtualBox host is completely stateless. All state is captured and stored by the Sun VDI 3 Broker. This includes the access information to the VirtualBox hosts, the storage hosts, the configuration of the virtual desktops, the access information to the virtual disks and so on.

VirtualBox hosts are managed in clusters. A cluster spreads the load for a given number of virtual desktops between the embedded VirtualBox hosts. The Sun VDI 3 Broker or multiple instances thereof take care of the load-balancing, which includes starting the virtual desktops on the most appropriate host as well as creating the next virtual desktop on the storage with the best capacity.

When you start the system the first time, there are no virtual desktops, of course. The administrator prepares a virtual machine with the well-known VirtualBox user interface, for example on his laptop. Thereafter he imports the virtual machine through the administration UI. This virtual machine can then be used as a template to clone various instances thereof. And as we are using ZFS as the storage management interface, cloning will be more or less instantaneous. But more on this aspect in the next article.

VirtualBox supports a ton of different desktops as a guest. We can't do that for VDI as the test matrix would simply be way too big. Initially we focus on Windows (Vista, XP and W2K), a Linux flavor (Ubuntu 8.10) and OpenSolaris 2008.11. More details around the guest support for EA2 in the Release Notes. Note that the list might be extended for the final release.

As mentioned in previous articles, we use the RDP server of VirtualBox by default for remote access to the desktop. This has a couple of benefits, such as the more PC-like experience for the end user, or that you can access even non-Windows guests with an external RDP client. But in some cases you might want to use the Windows RDP server that is built into Windows XP or Vista, for example if you want to use the multimedia enhancements specifically developed for Sun Ray. This is possible; it just requires a different networking mode (bridge instead of NAT) and a setting to use the Windows internal RDP server. Of course you can't use this configuration with W2K, Linux or OpenSolaris.

The same limitation applies to the Windows in-built system preparation tooling (sysprep). This is highly useful when you are cloning desktops in order to create for each instance (clone) a unique identity. For OpenSolaris or Linux there is no such capability. In consequence there will be restrictions in the automation process, as clones might require a manual post configuration step.

That's it for now. In the next article I'll take a closer look at the storage side of things.

-Dirk


Sun VDI 3 - What is it about - Directory Integration


Name a customer who is not using a directory service. There are barely any. In the Sun VDI 2 world there hasn't really been an integration with the directory world. Simple identifiers have been used that happen to match a user ID in a directory. Things changed with Sun VDI 3:


A directory is now a key element of the Sun VDI story. Basically, without a directory binding it is not possible to assign a user to a desktop. And here we focus primarily on Active Directory being dominant in the Windows world. In addition we support Sun's LDAP directory. Other directories might need some manual intervention and are not covered out of the box or we simply don't know at this point.

200902090829.jpg

Main purpose for the binding to the directory is to identify the entities that should get access to a desktop in one way or the other. Entities are users and user groups. Sun VDI 3 has a predefined understanding of what a user and a user group is. This understanding is identical to the one implemented in Secure Global Desktop (SGD). Besides the fixed definition of a user or a user group we have a custom query mechanism for LDAP similar to the one found in SGD.

Next to entities from the directory, we have also included tokens in the list of managed objects. Tokens are the IDs of a smartcard or the ID of a Sun Ray Desktop Unit (DTU). You may ask why this is included in a VDI solution. Sun Ray Server Software provides this feature as well.

The quick answer to that question is that Sun VDI 3 aims to be a self-contained solution that can be used by various clients, where one - a prominent one, of course - is the Sun Ray. In this context, managing the relationship between a smartcard, a user and a desktop is a core functionality that should be in one place and not spread around various places.

Effectively this gives an administrator a number of choices:

  • Assignment of a user to an individual desktop
  • Assignment of a user to a pool
  • Assignment of a user group or custom query to a desktop or pool
  • Assignment of a token to a user - so when you stick in your card, the desktop(s) of a user are presented to the user.
  • Assignment of a token to a desktop or a pool - this allows different smartcards for a desktop, or assigning a DTU to a desktop, which then acts more or less like a real PC.

Another nice thing about having this all in one place is that it should be fairly easy to combine an Identity Management solution with the management of virtual desktops. You can easily imagine that on-boarding of people can imply the assignment of a smartcard to a user and a user to a desktop. The reverse applies to off-boarding. In between, identity management can provide all means of user self-service, like requesting a restart of a stuck VM, asking for an additional VM, etc. This in combination with the management of application access is a very strong value proposition. If you are interested in what an Identity Management integration looks like, please contact Paul Walker from the Sun Identity Management group.
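
The assignment choices and the on-boarding/off-boarding flow above can be modelled as a small lookup, shown here as an added example (not Sun VDI's data model or API). All names, the resolution order and the sample data are constructed assumptions; the point it illustrates is that a token assigned directly to a desktop is independent of any user and has to be reviewed separately at off-boarding.

```python
"""Constructed model of the assignment choices listed above (not Sun VDI's data model or API)."""
from collections import defaultdict

class Assignments:
    def __init__(self):
        self.groups = defaultdict(set)        # user -> groups (stand-in for the directory)
        self.targets = defaultdict(set)       # ("user"|"group"|"token", id) -> desktops/pools
        self.token_owner = {}                 # token id -> user

    def assign(self, kind, ident, target):
        self.targets[(kind, ident)].add(target)

    def for_user(self, user):
        found = set(self.targets.get(("user", user), ()))
        for group in self.groups.get(user, ()):
            found |= self.targets.get(("group", group), set())
        return found

    def for_token(self, token):
        """What is presented when a card is inserted or a DTU connects."""
        found = set(self.targets.get(("token", token), ()))   # token -> desktop or pool
        owner = self.token_owner.get(token)
        if owner is not None:                                 # token -> user -> desktops
            found |= self.for_user(owner)
        return found

    def offboard(self, user):
        """Drop the user's assignments and token ownership.

        Returns the user's former tokens that still open something directly."""
        self.targets.pop(("user", user), None)
        self.groups.pop(user, None)
        tokens = [t for t, u in self.token_owner.items() if u == user]
        for t in tokens:
            del self.token_owner[t]
        return sorted(t for t in tokens if self.targets.get(("token", t)))

def demo():
    a = Assignments()                          # all data below is constructed
    a.groups["alice"] = {"engineering"}
    a.assign("user", "alice", "desktop-alice")
    a.assign("group", "engineering", "pool-eng")
    a.token_owner["card-1"] = "alice"
    a.assign("token", "card-1", "desktop-kiosk")
    before = a.for_token("card-1")
    leftover = a.offboard("alice")
    return before, leftover, a.for_token("card-1")
```

In the constructed data, `card-1` still opens `desktop-kiosk` after `alice` is off-boarded, because that assignment was made to the token and not to the user.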
Well, that's it on the directory integration. At least on the surface ;-) Give it a try with the current public Early Access Program and let me know what you think.

Cheers, Dirk
 
 
 
 
 

 
© MrDGrobler