 VMware

VMware (NYSE: VMW) is the global leader in virtualization solutions from the desktop to the datacenter bringing cloud computing to businesses of all sizes. Customers rely on VMware to reduce capital and operating expenses, ensure business continuity, strengthen security and go green. With 2008 revenues of $1.9 billion, more than 130,000 customers and more than 22,000 partners, VMware is one of the fastest growing public software companies. Headquartered in Palo Alto, California, VMware is majority-owned by EMC Corporation (NYSE: EMC).



vCloud

Q: When can we use the term 'Cloud OS'?

A: “Cloud OS” can be used publicly now to refer to the VMware virtualization platform.  It cannot be used to refer specifically to vSphere 4 until vSphere 4 is announced.

Q: Do we have a list of customers that are looking at cloud adoption? (Gartner etc…) What is the percentage of TAM (Total Available Market) looking at a cloud offering?

A - Our message is that cloud encompasses both what people are doing today with VI3 (the "internal cloud") as well as what people can do leveraging service providers.  By that definition, the TAM is the bulk of the market.  Gartner doesn't speak of a cloud "market" per se, but speaks of cloud as an evolutionary trend in how datacenters are architected, e.g. it's like "client-server computing" in that it's a datacenter architecture rather than a specific market.   Check the analyst relations / market intelligence page for analyst reports on cloud computing.

Application Services: Availability

 

Q: What are the network requirements for FT (minimum requirements) Is it able to work across sites yet? What are the impacts of latency and bandwidth? Do I need an additional network on top of the VMotion network?

A: A 1GB or better NIC connection is recommended for the FT logging, not to be shared with the VMotion network.  The greater the latency, the slower the primary VM will become--the logging is basically a synchronous connection.  Both primary and failover VMs use the same storage, so you're limited by storage latency to at best across a "campus".  You also need to be on the same subnet.  So you can't do FT over distance.

 

Application Services: Security

Q: Are there other vendors that offer something like vShield Zones?

A: No one has yet done anything specific to virtualized environments (which is a reason we're doing it), but there's nothing preventing someone from doing something similar--there are a lot of vendors who have firewall/monitoring/filtering software (some even package them as virtual appliances already) that could be modified to be better optimized for the virtual environment.

 

Q: Is vShield Zones going to be PCI compliant?

A: The proper question is whether vShield Zones helps make your datacenter deployment PCI compliant, as it is the entire environment that is audited, not individual software components.   vShield Zones addresses the firewall and network segmentation requirements of PCI.  As vShield Zones contains a full stateful packet inspection engine in a virtual appliance, it provides the same packet filtering as a physical firewall appliance.  I have not heard any concerns from any security folks that a firewall virtual appliance would not meet the firewalling requirements.  For reference, in the attached PCI Data Security Standard, firewalling requirements are expressed in 1.1.3, 1.2, 1.3, 1.4.

There is a different concern that using a firewall virtual appliance such as vShield Zones mixes two trust zones onto the same physical ESX host, and that such a configuration could cause a breach of trust boundaries not through networking but through guest escape, should a flaw in guest isolation be discovered.  This has nothing to do with the PCI firewalling requirements, and the closest part of PCI that experts cite relevant to this is section 2.2.1, the one primary function per server rule.  There is no agreed interpretation of this with respect to virtualization, but if a PCI auditor does interpret that as physical server, then you can't use virtualization at all for PCI related data.  So vShield Zones does not improve or worsen the arguments around this, as the issue is about virtualization and not trust zones. 

The latter is a much broader PCI topic than vShield Zones.  To keep things simple for vShield Zones, I don't bring it up unless asked, so I only mention the first topic by saying that vShield Zones helps with PCI compliance by addressing the firewall and network segmentation requirements.

Q: Certain specific customers raise concerns on data security (“cross contamination”) when talking about VMsafe. Suddenly there is a single point of contact where the dataflow is analyzed. How can we address that?

A - There is an FAQ being developed right now that goes into more detail about this and can address the concerns.

The entire hypervisor is a single point of contact of all dataflow, so VMsafe solutions are basically treated as an extension of the hypervisor, but rather than letting partners write code in the hypervisor we try to keep a clean partition for stability by having them write most of their code in a virtual appliance.

The main point is that not just any VM can access the API and act as a VMsafe virtual appliance - we do have a number of authentication and access controls in place and on the roadmap.  Basically, VI admins who 'own' a workload VM must explicitly "opt in" their VMs to be protected by one or more VMsafe appliances; by default a VMsafe appliance cannot just start looking at activity from other VMs.  Later we will have signing and authentication of VMsafe appliances to be recognized by ESX automatically through digital certificates.

That leaves the VMsafe appliance itself as needing to be secured - if the partner solution is flawed, it can be a point of vulnerability to hijack the partner solution with malware.  This is really no better or worse than physical security appliances or security agents.  Flaws in personal firewalls and antivirus can and have allowed worms to systematically compromise ALL your physical servers, because they all have the same flaw.  Just because VMsafe consolidates network/CPU/mem/disk traffic does not make this exposure any more systematic.

One could argue that VMsafe based appliances are even less exposed to malicious activities, because they do not sit on the production network like a network appliance, nor are they exposed in-guest like a software agent.  Therefore they have no surface area exposed to malicious worms and threats on the guest network, so it is hard for malware to even access the VMsafe appliance.

 We can look at adding some of these into the FAQ, but they should only be in an internal FAQ; security topics are best not raised unless the customer is asking.

 Also note vShield Zones 1.0 is not yet a VMsafe appliance, so in the K/L timeframe this will be more about third-party VMsafe solutions.

 

Infrastructure Services: vCompute

 

Q: Can VMs be VMotioned between ESX3.5 and 4.0?

A: Yes. And also from 2.5.5 to 4.0 using upgrade VMotion.

Q: Is DPM supported on all x86 servers that can run ESX or is it the most recent Intel/AMD servers?

A: DPM will be supported on specific server models that support one of the supported wake protocols (iLO, IPMI, or wake-on-LAN).

Infrastructure Services: vNetWork

Q:  vShield Zones requires Distributed Switch but that is not part of the Advanced package. How will that work?
A: vShield Zones does not require DVS.  In fact, in version 1.0 Zones will actually require more effort to set up with DVS than with the standard virtual switch.


Q: Does Nexus support require DVS?
A: Yes.

Infrastructure Services: vStorage

 

Q: Isn't thin provisioning the basis behind ESX 3.x?

A: Default provisioning of VMDKs with ESX today (3.x) is to allocate all of the requested space up front.  With vSphere 4 Thin Provisioning you can, from the vSphere Client (VC), choose to have ESX allocate space as needed (thin provision).

Q - Can you please provide me with an accurate list of our ecosystem partners who are working on vSphere vStorage APIs?

A - For the vStorage APIs for SRM the list is the one we all know and love.

- For the vStorage APIs for Data Protection, we have CA (ArcServe), Commvault (Galaxy Simpana), EMC (Avamar, Networker), HP (Data Protector), IBM (Tivoli Storage Manager), Symantec (Backup Exec, Backup Exec System Recovery, NetBackup Enterprise), Vizioncore (vRanger Pro). Note that we can't break NDA to make any statements on when which backup vendor will release which version using the APIs.

- For the vStorage APIs for Multipathing, EMC and Dell are currently working with us although I don't know if Dell has allowed us to share that yet.

 - For the other APIs, there are still some discussions going on between alliances and engineering about what partners and when can be involved since it's a sensitive topic with partners, so there's not a public list yet.  Note that the other APIs are not available yet in vSphere 4.0, they're further out on the roadmap.

Questions on vCenter / Management

 

Q: Will vCenter Server 4.0 be backwards compatible?

A: Yes, from version 2.5.x and forward.

 

Q: If customer requires vCenter Server Heartbeat functionality, would they need to buy that + the vCenter Server license?

A: Yes.

 

Q: How do we position our management integration with the big management providers (e.g. IBM, HP etc…)? Will they not see us as a threat and will eventually want to integrate the virtual world management features into their own product? Where will that leave us?

A - In general, there will continue to be areas where each vendor clearly owns the management and areas where there is overlap.  In general, system management vendors don't expect to manage every aspect of the underlying environment--their value is in having a single console that acts as a high-level console across multiple silos of infrastructure--it would be painfully expensive for the systems management tools to try to write and support code to do everything for every aspect of every part of the environment.  For example, HP still sells Insight Manager even though they also have OpenView, IBM still sells IBM Director even though they have Tivoli, etc.--different tools focus on different layers of the infrastructure.  Our engagement with the systems management vendors has been focused on making it possible for them to understand the virtual environment (via our APIs) without needing to do all of the development and coding work themselves so that they can provide the value-add of providing a single management console across the environment--physical and virtual, x86 and UNIX, etc. that can tie into the virtualization-specific tool from VMware.  So rather than messaging competitively to them the way Microsoft does to some degree (e.g. management of physical + virtual), we have a more partner-friendly message of integration where VMware specializes in VI management and the systems management vendors specialize in unified management of physical and virtual at a higher level.

Q: How is DPM integrated with the big management tools/suites? Will it not cause an alert if servers are dynamically powered down? Is the only way to write specific scripts in these tools (so the manual way) or are we working to get DPM fully integrated with the management tool suites?

A - We are working with the major monitoring software vendors on this. A number of them have already planned new releases of their VMware modules that will include DPM-awareness. Although we have some insight into that roadmap, we’re not typically at liberty to share the dates with customers. Their best bet is to contact their mgmt software vendor directly to find out when the solution is coming.

 

Q: Orchestrator is of interest for a more detailed analysis. Are there plans to do a follow up training on this topic?

A - Check with David Friedlander about additional Orchestrator trainings.

Questions on management products

Q: Is there a list of products that will and will not be compatible with vSphere 4 at GA?

A: A list is being finalized.  A customer-facing version of that list will be provided on the UpgradeCenter portal that will be released at vSphere 4 launch. 

 

Q: For the add-on management products, do you know when the slideware is going to be released to the sales engineering teams?

A: We are planning a separate launch for the new and updated add-on management products in Q3, at which time the content for them will be updated.

Q:  When will the AIM products (SRM, LM, LCM, etc.) be compatible with vSphere?

A:  Our public statement will be that we plan for most of the AIM products to be compatible with vSphere with updates to them that will be delivered in 2H 2009. 

Q: Will Lab Manager work with vSphere Standard?

A: Lab Manager, like almost all of the AIM products, will require an update before it is compatible with vSphere 4.  That update is expected to happen in H2 2009.  Our plan is that Lab Manager and the other AIM products will support vSphere Standard and higher editions once they are updated.

 

Questions on View

 

Q: So a View deployment needs full vCenter Server?

A:  If you purchase VMware View SKUs, you receive a vCenter Server Standard license.  If you build a View environment by purchasing VI licenses, you can choose to use either vCenter Server Foundation or vCenter Server Standard with the same limitations as vCenter Server Foundation has.  Note that View will not be compatible with vSphere 4 until a future update.

Q: Will VMware View be available to work with VMware vSphere vCenter 4?

A: Not immediately at GA.  The next release of View is expected to support vSphere 4.

Miscellaneous

Q: Is there a PDF already prepared to show the upgrade process?

A: Yes, see document: http://communities.vmware.com/viewwebdoc.jspa?documentID=DOC-9257&communityID=2701

 

Q: Is VMware tools updated? Reboot required?

A: Yes, and so is virtual HW. Reboot required. Remember 2.5 to 3.0 upgrade? Can be done with VUM.