I was having an interesting discussion the other evening at BeanSec with Jeanna Matthews from Clarkson University. Jeanna is one of the authors of what I think is the best book available on Xen virtualization, Running Xen.
In between rounds of libations, the topic of Hypervisor-neutral, VM portability/interoperability between the virtualization players (see right) came up. If I remember correctly, we were discussing the announcement from Citrix regarding Project Kensho:
Santa Clara, CA » 7/15/2008 » Citrix Systems, Inc. (Nasdaq:CTXS), the global leader in application delivery infrastructure, today announced “Project Kensho,” which will deliver Open Virtual Machine Format (OVF) tools that, for the first time, allow independent software vendors (ISVs) and enterprise IT managers to easily create hypervisor-independent, portable enterprise application workloads. These tools will allow application workloads to be imported and run across Citrix XenServer™, Microsoft Windows Server 2008 Hyper-V™ and VMware™ ESX virtual environments.
On the surface, this sounded like a really interesting and exciting development regarding interoperability between virtualization platforms and the VMs that run on them. Digging deeper, however, it’s not really about virtualization at all; it’s about the delivery of applications and services — almost in spite of the virtualization layer — which is something I hinted about at the end of this post.
I am of the opinion that virtualization is simply a means to an end, a rationalized and cost-driven stepping-stone along the path of designing, provisioning, orchestrating, deploying, and governing a more agile, real time infrastructure to ensure secure, resilient, cost-effective and dynamic delivery of service.
You might call the evolution of virtualization and what it’s becoming cloud computing. You might call it utility computing. You might call it XaaS. What many call it today is confusing, complex, proprietary and a pain in the ass to manage.
Thus, per the press release regarding Project Kensho, the notion of packaging applications/operating environments up as tasty little hypervisor-neutral nuggets in the form of standardized virtual appliances that can run anywhere on any platform is absolutely appealing and in the long term, quite necessary.*
However, in the short term, I am left wondering whether this is a problem being "solved" for ISVs and virtualization platform providers or for customers. Is there a business need today for this sort of solution, and is the technology available to enable it?
Given the fact that my day job and paycheck currently depends upon crafting security strategies, architecture and solutions for real time infrastructure, I’m certainly motivated to discuss this. Mortgage payment notwithstanding, here’s a doozy of a setup:
Given where we are today with the heterogeneous complexity and nightmarish management realities of our virtualized and non-virtualized infrastructure, does this really solve relevant customer problems today or simply provide maneuvering space for virtualization platform providers who see their differentiation via the hypervisor evaporating?
While the OVF framework was initially supported by a menagerie of top-shelf players in the virtualization space, it should come as no surprise that this really represents the first round in a cage match fight to the death for who wins the application/service delivery management battle.
You can see this so clearly in the acquisition strategies of VMware, Citrix and Microsoft.
Check out the remainder of the press release. The first half had a happy threesome of Citrix, Microsoft and VMware taking a long walk on the beach. The second half seems to suggest that someone isn’t coming upstairs for a nightcap:
Added Value for Microsoft Hyper-V
Project Kensho will also enable customers to leverage the interoperability benefits and compatibility between long-time partners Citrix and Microsoft to extend the Microsoft platform. For example, XenServer is enhanced with CIM-based management APIs to allow any DMTF-compliant management tool to manage XenServer, including Microsoft System Center Virtual Machine Manager. And because the tools are based on a standards framework, customers are ensured a rich ecosystem of options for virtualization. In addition, because of the open-standard format and special licensing features in OVF, customers can seamlessly move their current virtualized workloads to either XenServer or Hyper-V, enabling them to distribute virtual workloads to the platform of choice while simultaneously ensuring compliance with the underlying licensing requirements for each virtual appliance.
Project Kensho will support the vision of the Citrix Delivery Center™ product family, helping customers transform static datacenters into dynamic “delivery centers” for the best performance, security, cost savings and business agility. The tools developed through Project Kensho will be easily integrated into Citrix Workflow Studio™ based orchestrations, for example, to provide an automated environment for managing the import and export of applications from any major virtualization platform.
Did you catch the subtlety there? (Can you smell the sarcasm?)
I’ve got some really interesting examples of how this is currently shaking out in very large enterprises. I intend to share them with you, but first I have a question:
What relevance do hypervisor-neutral virtual appliance/machine deployments have in your three year virtualization roadmaps? Are they a must-have or nice-to-have? Do you see deploying multiple hypervisors and needing to run these virtual appliances across any and all platforms regardless of VMM?
Of course it’s a loaded question. Would you expect anything else?
/Hoff
* There are some really interesting trade-offs to be made when deploying virtual appliances. This is the topic of my talk at Blackhat this year titled "The Four Horsemen of the Virtualization Apocalypse"
The answers to your questions/suppositions are quite simple:
"It all depends upon the auditor."
Most of the folks I’ve spoken to recently are essentially counting upon the ignorance of the auditors and the general confusion regarding terminology and technology to glide by at this point.
Server/blade/hypervisor/switch … it’s all fun and games until someone loses a (PC)I… 😉
"As long as I put in place the same host controls I do in a physical environment and not tell the auditor it’s virtualized, it’s all good and what they don’t know, won’t hurt me."
Sad but true.