Virtualization Changes Everything | GSF 2012 | Session 3-3

Virtualization Changes Everything
By Definition, Virtualization is a framework or methodology of dividing the resources of a computer into multiple execution environments, by applying one or more concepts or technologies such as hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation, quality of service, and many others.

Find out how Virtualization has changed over the years, where we are today, what to expect in the future, and why you should care about it.

Published in: Technology

  1. Virtualization Changes Everything! Curtis Brazier, Sr. Program Manager, Federal Cloud, cbrazier@vmware.com. © 2009 VMware Inc. All rights reserved
  2. Agenda
     •  About Me
     •  Virtualization – what is it?
     •  A little History Lesson
     •  Where are we today?
     •  What’s next?
     •  Why should you care?
     •  Closing
  3. About Curtis
     1987 – Control Data Institute
     1988 – 1998 – installed, managed and maintained PC/LAN/WAN
     1998 – 2003 – Novell, Inc.
     2003 – 2006 – RSA and Gemplus
     2006 – Present – VMware
  4. Virtualization – What is it?
  5. By Definition: Virtualization is a framework or methodology of dividing the resources of a computer into multiple execution environments, by applying one or more concepts or technologies such as hardware and software partitioning, time-sharing, partial or complete machine simulation, emulation, quality of service, and many others.
  6. A little History Lesson
  7. 1963 – Term “virtual Machine” was introduced: IBM 7044 (M44)
     •  Experimental
     •  Multiple images of itself
     •  Bring down entire system to patch underlying OS
     Proved that “close enough” to a virtual machine system wasn’t good enough.
  8. 1964 – IBM System/360: IBM Cambridge Scientific Center and MIT
     •  CP-40 ran multiple OS instances
     •  CMS (Cambridge Monitor System)
     •  Multiple “client” interfaces
     •  GA January 1967
  9. 1972 – the introduction of virtual memory: IBM announces virtual memory for System/370. 2012 – Virtual memory can be overcommitted by ~2:1 (transparent page sharing, balloon drivers, linked clones, etc.)
 10. As time goes by… 1970-1990
     •  1974 – 8080 Microprocessor – “First True General Purpose Microprocessor”
     •  1980 – Ethernet project began between Intel, DEC and Xerox
     •  1981-1984 – Ethernet Voice over IP experiments expose weakness in Ethernet interconnection and scale. Concept of vLAN (virtual Local Area Network) and Ethernet Switching came alive.
     •  1988 – Sun Version 1.0 – SoftPC and SoftWindows software emulators of x86 hardware.
 11. 1998 – VMware files US Patent 6,397,242
     •  x86 Virtual Machine Monitor – Intro of privileged and non-privileged execution
     [Slide background: a page of the paper “Overshadow: A Virtualization-Based Approach to Retrofitting Protection in Commodity Operating Systems” (Chen, Garfinkel, Lewis, Subrahmanyam, Waldspurger, Boneh, Dwoskin, Ports); the paper text is not legible in the extraction.]
 12. As time goes by… 1990 - present
     •  1998 – VMware files US Patent 6,397,242
     •  1999 – VMware introduced VMware Virtual Platform for the Intel IA-32 architecture.
     •  2001 – VMware created the first x86 server virtualization product (GSX)
     •  2003 – First release of first open-source x86 hypervisor, Xen
     •  2003 – Microsoft acquires Virtual PC
     •  2006 – VMware launches Type 1 Hypervisor (ESX)
     •  2008 – VMware acquires Trango (ARM Chip virtualization)
     •  2008 – Microsoft unveils Hyper-V
     •  2008 – New End Point Remote display capabilities (Virtual GPU, PCoIP, Citrix HDX, HTML 5, Web 2.0)
     •  2009 – VDI starts to take hold as technology matures
 13. Where are we today?
 14. Where are we today?
     •  Virtual Infrastructure most likely logical extension of physical infrastructure
     •  600+ x86 OSes can be virtualized
     •  A VM can have 8 vCPUs, 1TB RAM and 8 vNICs
     •  Hypervisor is now stateless – in memory/PXE enabled auto-deploy
     •  Centralized command and control of geographically dispersed virtual infrastructure available
     •  DMTF OVF (Open Virtual Format) Standard (VMW, MS, Citrix, Oracle, RSA, others)
        •  1.0 – 2009, 1.1 – 2010, 2.0 in working group
        •  First and only virtualization standard
        •  Now ISO standard
        •  Defines hypervisor agnostic workloads (1 or many VMs)
        •  Meta-data tagging
 15. Putting VM Maturity into Context
     •  20 MILLION VMs running on VMware vSphere – if they were physical machines they would stretch 2x the length of the Great Wall of China
     •  Someone turns on 1 VM EVERY SIX SECONDS – that’s faster than the rate of babies born in the U.S.
     •  5.5 vMOTIONS PER SECOND – at any given time, more VMs are in motion than planes, which take off about once per second globally.
     •  >1,650 ISV PARTNERS; >3,000 APPS CERTIFIED ON VMware
     •  Customers: Healthcare – 10 out of the Top 10; Telecom – 5 out of Top 5; Finance – 10 out of Top 10; Retail – 4 out of Top 5
 16. Support all applications
     vApp: Standard Application Package – an uplifting of a virtualized workload
     •  VM = Virtualized Hardware Box
     •  vApp = Virtualized Software Solution
     vApp Properties
     •  Comprised of one or more VMs (may be multi-tier applications)
     •  Encapsulates resource requirements on the deployment environment
     •  Distributed in industry standard Open Virtualization Format (OVF)
     Built by
     •  ISVs / Virtual Appliance Vendors
     •  IT administrators
     •  SI/VARs
     SLA Definitions (diagram): Availability = 99.99%; Security = High; Performance = 500 msec
     Diagram labels: App / OS (three VMs inside the vApp); VMware Infrastructure → Virtual Datacenter; Federation & Management; Management Choice; Cloud OS Standards; Cloud 1, Cloud 2
 17. VMware vSphere – Virtual Datacenters (vDC)
 18. Intelligent Policy Management – Standardized Service Tiers
     SLA Definitions (requested): Availability = 99.99%; DR RTO = 1 hour; Back up daily; Max Latency = 500 ms; Storage capacity 1 TB; Performance High I/O; Security High
     Service tiers:
                          Gold       Silver     Bronze
       Availability       99.99%     99.9%      99.0%
       DR RTO             1 hour     3 hour     none
       Back up            daily      weekly     none
       Storage capacity   10 TB      10 TB      10 TB
       Performance        High I/O   Med I/O    low I/O
       Security           High       Mid        low
     Virtual Infrastructure: § DR plan § Back up § Anti-virus § Firewall
     Automated placement and provisioning of infra services
 19. Secure and Agile Hybrid Infrastructure – VMware Driven Standards and Management Enable Enterprise Class Clouds
     Diagram labels: Private Cloud; Public & Service Clouds; Externally Provided Cloud Options; Cloud Consumption; Public Clouds; VMware public cloud partners; Portability; Operations and Management; Cross-Cloud Standards (vCloud API, Open Virtualization Format); vCloud Datacenter – Security & performance for enterprises; Security and Compliance; Cross-Cloud Management (vCloud Connector); vCloud Powered – VMware-compatible clouds for any business need; Broad array of Virtualization
 20. What else is New?
     •  QoS guarantees for Compute, virtual Network and virtual Storage
     •  Distributed Power Management – power on only what you need
     •  Predictive Analysis of issues with automated remediation when possible
        •  Compliance templates that auto alert and remediate
        •  Applicable to infrastructure and PaaS applications
     •  Virtualization capable and aware TC and DB services
        •  Not just hot add of CPU/RAM
        •  Integrated monitoring for performance issues from app to infrastructure.
        •  Application performance based expansion/contraction of services
        •  Full control of DB schema, table, clone, etc.
 21. What else is new?
     •  Distributed Virtual Networking
        •  Edge device – DHCP, NAT, Port level FW, Load Balancing, IPSEC VPN, etc.
        •  You choose the edge! It’s virtual! How about every vNIC?
        •  Automated policy enforcement
        •  Default fail closed
     •  VXLAN – extended virtual LAN
        •  vMotion Anywhere enabler
        •  “flattens” your L2 geographically dispersed networks
        •  Reduces network re-config of transient workloads
     •  In Cache Memory Data as-a-Service
        •  “Smart Data” – through persistent queries (more on this later)
 22. What else is new?
     •  High Availability for all – not just high end services
        •  Zero downtime and automated restart of failed service
        •  DR to the cloud if you like as a safety net
     •  Virtual Security evolving quickly (more secure than physical)
        •  DIACAP and STIG hypervisor hardening
        •  Hypervisor based End Point anti virus protection
        •  Security policy follows virtual workloads
        •  Dynamic Trust Zones can be established and enforced
        •  DLP available
     •  Projects AppBlast, Octopus, Horizon Mobile
        •  Agentless Windows/Linux/Web App delivery to HTML5
        •  Dropbox for the enterprise
        •  Secure BYOM – virtualization of the ARM Chip has begun
 23. What’s Next?
 24. Bring Your Own Device Begins with Mobile – Mobile Virtualization Bridges Personal & Enterprise Workspaces
     Personal
     •  Unrestricted access to personal data and applications
     •  Make calls, share pictures
     •  Personal (‘home’) phone cannot be altered by IT
     Enterprise
     •  Virtual “Work” Phone – fully encrypted, runs locally
     •  Fully Managed by IT
     •  Corporate applications and Infrastructure support
     •  Complete Separation and Isolation
 25. February 2012 study on mobility – Mobility on the Rise: Feds anticipate increased use of PC alternatives
     Survey question: “Approximately what percentage of employees at your agency use or will use each of the following devices for work-related tasks?” (chart not legible in extraction)
     That means, in the next two years, the Federal workforce* will need: 44,430 additional laptops; 355,440 additional smartphones; 533,160 additional tablets
     “…stay connected” – IT Manager, Civilian agency
     Take Away: Good Things Come in Small Packages
     *Based on 4,443,000 total Federal employees, http://www.opm.gov/feddata/HistoricalTables/TotalGovernmentSince1962.asp
 26. Mobile Application Investments in Federal
     The rising adoption of mobile devices is driving demand for mobile applications. Although most of the demand centers on custom software development vs. packaged software products, software vendors should consider their ability to deliver capabilities through multiple devices and with varying delivery models.
     Chart (not legible in extraction): “We have not invested in mobile apps to date” – 39%; n = 130 (Respondents could choose more than one answer)
     Source: 2011 BizTech report, “Federal Mobile Applications: Lessons Learned and Best Practices in Supporting the Mobile and Digital Agenda to Enhance Citizen Services”
 27. End User Computing Platform for the Post-PC Era
     Diagram labels: SIMPLIFY – Desktop Service; MANAGE – Universal Services Broker; CONNECT – App Catalog Service; End Users; Users, Desktops, Apps, Data; Policies; Secure Data; Universal Service Access
 28. Big Data – My Apps, My Files, Native Device Experience
 29. Application Modernization Platform goes virtual
     Diagram labels: Modernize Applications; Create Data Fabric; Agile Private Clouds; Data Services; Deploy and Scale with PaaS; Public Clouds; Msg Services; Micro Clouds; Other Services
 30. Back to why you care
 31. Virtualization doesn’t change everything – but it does change IT
     •  People – Staff trained in virtualization and cloud computing
     •  Technology – Service-based architecture
     •  Process – Project management methodology with “cost arbitrage” and SDLC
     (to leverage virtualization and cloud technology)
 32. The Next Breakthrough in Datacenter Economics
     Chart (Legacy = 100): Labor 67; Software 17; Hardware 7; Facilities + Fabric 4; Telecom 5
     Decrease labor cost through self service, policy based automation and post-ITIL management
     Source: TMT Value Migration Database, Gartner IT Key Metrics Data 2009; McKinsey
 33. Roles will change – End-User Experiences Evolve
     Diagram labels: Task Workers, Power Users, Knowledge Workers, Mobile Users; Library Administrators, Service Managers; Cloud: Flexible, efficient, scalable; Infrastructure Administrators, Software Developers, Security & Architects
 34. Lessons Learned in Virtualization at Scale
     •  Transformation – Cloud requires transformation of both architecture and organization
     •  Strategy – Not all clouds are created equal; not all applications behave the same in the cloud
     •  Standardization – Software products and versions must be standardized, integrated and deployed on standard infrastructure blocks
     •  Automation – Cloud leverages automation from both automatic and scripted sources
     •  Multi-Tenancy – Establishing an organizationally driven hierarchy and ensuring logical separation throughout the stack
     •  Management – Integrating the management of multiple resource pools, environments, and clients within change processes
     •  Expertise – Achieving benefits from the cloud requires an evolution of skills and expertise
     •  Security and Control – Maintaining security and compliance when users have access to and control over the environment
 35. Data as-a-Service – A DoD Example
 36. Data as a Service – vFabric Mission Enablement
 37. Putting it all Together: Mission Enablement
     Diagram labels: Existing Analytics; New Mission Apps; SaaS Apps; NAVSOC; SOCOM; DISA; SOF Community; Private DaaS Infrastructure Cloud; Existing Data Sources
 38. Now What?
 39. Learn and Benefit from others – Accelerated Project Strategy
     §  Quick and seamless implementation
        •  Learning during implementation impacts user satisfaction and puts the entire project at risk
        •  Lessons learned in early services shorten subsequent phases
     Chart (not legible in extraction): Customer Approach to Services – Days per phase of Implementation
 40. Just a thought! DoE Hanford Federal Cloud (HFNet)
     §  Initial projections over the next four years indicate about $12 million in total cost saving, DOE officials said.
        •  The savings include:
        •  Reducing CO2 emissions by 3 million pounds.
        •  Reducing power by 2 million kilowatt hours.
        •  30 percent reduction in the total cost of ownership.
        •  48 percent reduction in operating expenses.
     The Energy Department has forged a partnership with Lockheed Martin to increase energy efficiency through data center consolidation and IT enhancements. The partnership is the first use of a federal Energy Savings Performance Contract to reach sustainability goals through improved IT practices, DOE and Lockheed Martin officials said. ESPC contracts let agencies embark on energy-savings projects without upfront capital costs and without special congressional appropriations.
 41. Thank you! Questions?