
Archive for the ‘Virtualization’ Category

Paravirtualization in a Client Hypervisor Environment

Monday, January 25th, 2010

Client Virtualization In Depth: An ongoing series exploring the technology behind the next generation desktop.

My name is Nils Nieuwejaar. I’ve been a member of the engineering team at Virtual Computer since a little before we opened our doors two years ago. In this forum, I’ll be writing about a variety of technical issues, covering virtualization in general and NxTop in particular.

Our primary focus at Virtual Computer is on solving a host of management problems for our customers. While we make extensive use of virtualization to solve these problems, we don’t usually think of ourselves as a virtualization company in the traditional sense. More to the point, we don’t necessarily expect our customers to have a deep familiarity with virtualization technology.

My goal here is not to make a virtualization expert out of anybody, but simply to give our users enough information to understand how the different components in the full NxTop system work. This knowledge will help them get the best performance out of the system, and help them diagnose any problems that may arise in their environments. I’ll be covering topics that future customers ask the sales team about, that current customers ask the support team about, and that the support team asks the engineering team about.

Fully Virtualized I/O

When discussing NxTop with customers, they frequently have questions about how I/O works in virtualized systems like NxTop. The answer to this simple question turns out to be somewhat complicated.

I’ll start by talking about fully virtualized I/O, which may be the simplest case to understand and the most complex to implement. When a typical Windows application wants to read data from disk, it makes a system call into the operating system, and the operating system in turn makes a call into the device driver controlling that disk.

When running on bare metal (i.e., on a real machine instead of a virtual machine), the disk driver builds up a command structure describing the I/O operation it wants to perform (read/write, sector ID, size, etc.), and then writes a “start I/O” command to a special address in the computer’s memory. The disk hardware is notified when that special address is written to. The disk controller reads the command structure from the computer’s memory, triggers the hardware to carry out the operation it describes, and notifies the OS when the operation is complete. The OS then returns from the system call, and the application proceeds.

Bare-Metal I/O Model

The illustration above shows the different components you will find on a typical bare metal system. There are applications running on top of an operating system, and the operating system interacts directly with physical hardware.

The picture below shows a typical simple virtual platform:

Fully Virtualized I/O Model

Again we have applications running on an operating system, but in this case the operating system is running on top of a hypervisor instead of bare metal. A hypervisor is similar to an operating system, but instead of hosting applications like an operating system, it actually hosts operating systems. The hypervisor manages core resources like CPU and memory, and passes guest I/O requests to a virtual hardware platform. The virtual hardware that receives the I/O requests is nothing more than a piece of software owned and operated by a host operating system. The fundamental trick of virtualization is to make the guest operating system believe that it is interacting with real hardware instead of a piece of software.

(side note: whether the hypervisor and virtual hardware should be shown inside, beside, below, or on top of the host operating system varies from system to system, and gets into the distinction between ‘Type 1’ and ‘Type 2’ hypervisors. More on that in a different post.)

In a fully virtualized system, the disk driver believes that it is controlling a real hard drive. So to read a block of data from disk, it will build up exactly the same control structure described above, and it will write the ‘start I/O’ command to exactly the same memory address. In this system, however, it is the hypervisor, rather than a real disk controller, that notices that the address has been written. The hypervisor notifies the virtual hardware, which then reads the control structure out of memory, decodes it, and carries out the described operation.

In most cases, the guest’s disk is actually just a file in the host operating system’s file system. When the guest OS wants to read block 100 from its disk, the virtualization layer instead reads block 100 from the file. (side note: This is actually a significant oversimplification. In practice, a guest’s disks are stored in one or more files, each of which has a somewhat complex internal structure. More on this in another post.)

After the software layer reads the data from disk, it copies the data into the guest operating system’s memory, and sends it exactly the same ‘work completed’ signal that a real disk controller would. The guest operating system continues on its merry way, unaware that the disk request was satisfied by virtual hardware rather than physical.

This sounds relatively simple, and indeed it is when reading a single disk block. However, the IDE interface includes dozens of commands, errors, and status variables. It includes programmed I/O and DMA, supports hard drives and CDROMs, and so on. The guest operating system takes a high-level file operation from an application, translates it into very detailed, low-level IDE commands, and then the virtual hardware has to decipher those low-level IDE commands and transform them into file operations on its virtual hard disk. Doing all of this work for every disk operation can be time consuming, which results in poor disk performance for applications running in the guest operating system.

Paravirtualized I/O

To help avoid the performance problems that come with operating on emulated hardware, we use a different I/O model for performance-sensitive devices such as disk and network. This model is referred to as paravirtualization as opposed to the full virtualization we’ve already discussed.

In paravirtualized I/O, the device driver running in the guest operating system understands that it is running on virtualized hardware. Instead of attempting to talk to a physical disk, a paravirtualized (PV) disk driver in the guest will communicate directly with a partner device driver running in the host OS. As illustrated below, the PV driver bypasses the virtual hardware model, avoiding all of the expensive encoding and decoding steps.

Paravirtualized I/O Model

Just a couple of notes on terminology: since there is no disk device per se here – just two cooperating drivers, we typically don’t talk about ‘PV devices’. Instead we mostly talk about PV drivers. If you have ever used VMware’s Tools, VirtualBox’s Guest Additions, or Microsoft’s Hyper-V Integration Services in a virtual machine, you have been using some type of PV drivers.

Each driver actually has two parts: a front end and a back end. The frontend driver runs within the guest. It plugs into the guest operating system’s driver stack in essentially the same way a physical driver would, so the rest of the operating system interacts with it just like a physical device. The backend driver runs in the host operating system. It receives I/O requests from the frontend driver, and executes them. These I/O requests arrive from the guest fully formed in a commonly agreed upon format. There is no expensive decoding/translating process as with emulated devices.

In addition to communicating at a higher level, PV drivers generally offer additional opportunities for improved performance. We can change buffer sizes, queue depths, algorithms, or features at any time. Since the I/O model is simpler, it is easier to identify and fix any performance or correctness problems. For a single point of comparison: in NxTop Engine, basic IDE emulation takes 4 times as much code as the backend disk driver, and runs at a fraction of the speed.
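The two request paths described above, as a simplified user-space model in C. This is an added example, not NxTop or Xen code; the addresses, opcode, command layout and ring format are constructed for illustration, and the "disk file" and guest memory are plain arrays.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define SECTOR_SIZE  512u
#define DISK_SECTORS 256u           /* constructed: 128 KiB virtual disk */
#define GUEST_MEM    (64u * 1024u)  /* constructed: 64 KiB of guest RAM */
#define CMD_BLOCK    0x1000u        /* hypothetical command-structure address */
#define REG_START_IO 0x1F7u         /* hypothetical trapped "start I/O" address */
#define OP_READ      0x20u          /* constructed opcode */
#define RING_SLOTS   8u
static uint8_t disk_file[DISK_SECTORS * SECTOR_SIZE]; /* stands in for the host file */
static uint8_t guest_mem[GUEST_MEM];

static void init_disk(void) {                 /* sector n is filled with byte n */
    for (uint32_t s = 0; s < DISK_SECTORS; s++)
        memset(&disk_file[s * SECTOR_SIZE], (int)s, SECTOR_SIZE);
}

/* Host side, shared by both paths. Every value is guest-supplied, so sector,
 * count and destination are range-checked before anything is copied. */
static int host_read(uint32_t sector, uint32_t count, uint32_t dst) {
    if (count == 0 || sector >= DISK_SECTORS || count > DISK_SECTORS - sector)
        return -1;
    uint32_t len = count * SECTOR_SIZE;       /* at most 128 KiB, cannot overflow */
    if (dst > GUEST_MEM || len > GUEST_MEM - dst)
        return -1;
    memcpy(&guest_mem[dst], &disk_file[sector * SECTOR_SIZE], len);
    return 0;
}

/* Fully virtualized path, guest driver: pack the read at fixed byte offsets. */
static void guest_build_command(uint32_t sector, uint8_t count, uint32_t dst) {
    uint8_t *c = &guest_mem[CMD_BLOCK];
    c[0] = OP_READ; c[1] = count;
    memcpy(&c[2], &sector, 4);
    memcpy(&c[6], &dst, 4);
}

/* Hypervisor: called when the guest's write to the trapped address is caught.
 * The virtual hardware then decodes the command structure field by field. */
static int trap_guest_write(uint32_t addr, uint8_t value) {
    const uint8_t *c = &guest_mem[CMD_BLOCK];
    uint32_t sector, dst;
    if (addr != REG_START_IO || value != 1 || c[0] != OP_READ)
        return -1;
    memcpy(&sector, &c[2], 4);
    memcpy(&dst, &c[6], 4);
    return host_read(sector, c[1], dst);
}

/* Paravirtualized path: frontend and backend share one agreed request format. */
struct pv_request  { uint32_t id, sector, count, dst; };
struct pv_response { uint32_t id; int32_t status; };
static struct {
    uint32_t prod, cons;
    struct pv_request  req[RING_SLOTS];
    struct pv_response rsp[RING_SLOTS];
} ring;

/* Frontend (guest): queue a fully formed request; nothing to encode. */
static int frontend_submit(uint32_t id, uint32_t sector, uint32_t count, uint32_t dst) {
    if (ring.prod - ring.cons >= RING_SLOTS)
        return -1;                            /* ring full */
    ring.req[ring.prod % RING_SLOTS] = (struct pv_request){ id, sector, count, dst };
    ring.prod++;
    return 0;
}

/* Backend (host): copy each request out of shared memory once, then execute it. */
static unsigned backend_poll(void) {
    uint32_t prod = ring.prod;                /* snapshot the guest-written index */
    unsigned done = 0;
    for (; ring.cons != prod && done < RING_SLOTS; ring.cons++, done++) {
        struct pv_request r = ring.req[ring.cons % RING_SLOTS];
        ring.rsp[ring.cons % RING_SLOTS] =
            (struct pv_response){ r.id, host_read(r.sector, r.count, r.dst) };
    }
    return done;
}

int main(void) {
    init_disk();
    guest_build_command(100, 1, 0x2000);      /* read block 100, emulated path */
    printf("emulated read: %d\n", trap_guest_write(REG_START_IO, 1));
    frontend_submit(1, 100, 1, 0x4000);       /* read block 100, PV path */
    backend_poll();
    printf("pv read: %d\n", ring.rsp[0].status);
}
```

Both paths end in the same `host_read`, so the range checks on guest-supplied sector, count and buffer address apply whichever driver model the guest uses.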

Since the front end and back end drivers are generally written in conjunction with one another, there is no ambiguity about the expected behavior. When writing software that emulates a particular hardware device, the documentation of the device’s behavior may be unavailable or incomplete. This may cause the implementor of the virtual hardware to be reluctant to support the highest performing and most complicated mechanisms, instead forcing the device driver to fall back to older, simpler, and better documented mechanisms.

The most significant drawback of the PV I/O model is that you need new drivers for each operating system you want to use as a guest. The devices provided by a fully virtualized system tend to be common enough that drivers will be available for nearly every OS. For PV I/O, you will always need to write new drivers. The NxTop platform includes PV drivers for disk, network, mouse, and USB for Windows XP, Vista, and Windows 7, which covers nearly all of our customers’ needs.

The screenshot below shows a picture of the Windows 7 Device Manager, with the NxTop PV drivers installed on the NxTop Engine.

Windows 7 Device Manager with NxTop

You may have noticed that prior to this I never mentioned whether I was describing the NxTop Engine (i.e., the client) or NxTop Center (i.e., the server). In fact, this discussion applies equally well to both components of the NxTop system. On the server, we make use of Microsoft’s Hyper-V Integration Services when the IT admin is managing and publishing a NxTop image. On the client, we make use of our own PV drivers when the end user is running the published image.

Finally, I should mention that there is another interesting type of I/O in a virtual environment: passthrough. We don’t currently make use of this in NxTop engine, but I’ll talk more about it in future posts.


One Big Thing We ‘Got Right’ With Hardware Compatibility

Friday, January 22nd, 2010

In my last post, I got on a bit of a roll about how the various industry players are approaching client hypervisor hardware compatibility (or not as the case may be). Now that I have that out of my system, I thought I would begin to describe some of the things I believe we did right with our approach for NxTop. I’ll start with a big one:

NxTop is compatible with, but does not require, Intel vPro and VT-d.

Several of the other client hypervisor products in the works are being centered on Intel vPro. This makes sense on one level, since vPro is at its core a management and control point that is independent of the operating system. A client hypervisor is a very logical extension of that. The rub is that there are many corporate PCs with years of life remaining in them that are not vPro enabled. There are also many enterprises ordering large volumes of PCs who do not want to pay a premium for vPro-enabled PCs for all classes of users. When you are dealing with hundreds of thousands of PCs, any incremental cost per unit adds up very quickly, so this is a real consideration in today’s budget conscious times.

One of the major stumbling blocks of server-based desktop virtualization is that while it offers significant management and security benefits, it can generally only be deployed for a subset of an organization’s users.  Limiting client hypervisor compatibility to the highest end of the corporate PC market and not providing backwards compatibility with existing business class PCs would impose the same limitations on the adoption of client-side virtualization.  For obvious reasons, we did not want to see that happen.

The primary aspect of vPro that is relevant to client virtualization is Intel Virtualization Technology for Directed I/O (VT-d). VT-d extends the base Intel virtualization extensions for the x86 architecture that exist in most business class machines today (VT-x) to include an input/output memory management unit (IOMMU). The IOMMU makes it possible to securely assign physical hardware components directly to specific virtual machines. This has many practical uses (particularly in overcoming performance challenges in areas such as graphics), but it has a major downside in that it requires hardware-specific drivers in each virtual machine and makes supporting the full array of graphics cards quite challenging. Stay tuned for more on this in a future post.

With NxTop, we have achieved a very high level of performance without reliance on IOMMU. This enables NxTop Engine to run on any platform with VT-x. So when we go into an enterprise where they are currently buying the latest Dell E-series PCs but they have a bunch of older D630s (usually with a mix of Intel and NVIDIA graphics chips), it’s never a problem to get started. We are not talking to the client about a utopian management model in the future when all of their current PCs are in the graveyard. We are saying, “Hey, let’s get started—TODAY.”

With this as a backdrop, I do not in any way want to leave the impression that we don’t see value in both vPro and VT-d/IOMMU functionality.  Continuing innovation from the processor manufacturers will only expand the set of management and performance features we can offer as part of NxTop, and we are embracing this innovation with open arms.  However, we don’t think client virtualization can take off without support for a wide range of PC platforms both new and existing.


Optimizing the Client Hypervisor User Experience

Wednesday, December 16th, 2009

Yesterday, we announced an update pack for the NxTop 1.2 release that set the world on fire at VMworld back in August. NxTop 1.2 was really more than a point release for us, since we added some fairly significant improvements to the product. Notable among them were seamless integration of our NxTop Center management system with Windows Server 2008 w/Hyper-V and one-to-many management capabilities for Windows 7 a good two months before it reached general retail availability.

In the time since the 1.2 release, we have had our heads down and focused on taking the NxTop Engine experience to greater heights. It hasn’t been glamorous stuff. For the most part, it has been benchmark, optimize, and repeat in a number of performance and user experience areas. There are literally folks on our engineering team that have been so deep into Xen and the Windows stack that I am not sure they will ever be the same. :)

The result of these efforts is a great set of year end updates to NxTop that will allow our customers to accelerate their rollout plans as we head into the new year. The coming year is predicted to be a big one for client hypervisor technology, and the fact that NxTop has the maturity and performance to run on real end-user desktops while competing offerings amble towards beta is very gratifying to us.

But don’t worry, we aren’t resting on our laurels. Work is already well underway on our next major release of NxTop, and based on what I have seen so far I think it will really turn some heads.


Have you seen the Virtual Computer smart car at VMworld yet?

Monday, August 31st, 2009

Find the smart car at VMworld for a chance to win it! Stop by our VMworld booth (#1940) for details.


Get Smart About Desktop Virtualization at VMworld 2009

Tuesday, August 25th, 2009

With less than a week to go until VMworld, life has been pretty exciting around the Virtual Computer offices as we put the final polish on our latest NxTop product functionality demos. Today, the excitement level reached a fever pitch, as we announced our new “Get Smart About Desktop Virtualization” program that will formally kick off at VMworld. The “Get Smart” program will highlight how a PC management approach that leverages client-side virtualization provides significant cost-saving benefits versus both server-centric virtual desktop infrastructure (VDI) models and traditional agent-based PC management approaches. The best part is that when the dust settles, one lucky IT professional will walk away with a cool new car that is….well, smart!

The “Get Smart” program will feature a number of activities at VMworld where attendees can learn about NxTop’s unique PC life cycle configuration management capabilities, as well as interact with some of our key partners who help bring it all together.  The more you interact with us and our partners, the more chances you will have to win the car.  Keep reading the blog and come by and see us at Booth #1940 next week to get all of the details, including some “extra credit” opportunities for all of you star pupils out there.

Travel budget blues keeping you away from VMworld this year?  There are still plenty of opportunities to get involved.  In conjunction with the “Get Smart” program, we have launched a new online community site that includes a very nifty total cost of ownership (TCO) calculator.  The tool is highly configurable, so if you don’t like our cost assumptions, simply plug in your own.  Think our overall methodology is flawed?  Stop by the forums and say what’s on your mind.  While you are at it, sign up for one of our upcoming webinars on “The New Economics of PC Management,” which will provide another chance to see NxTop in action, along with an in-depth review of our TCO methodology.  Online forum contributions and webinar attendance will earn VMworld attendees additional chances to win the car and provide those playing along at home with a chance to win.

Stay tuned for more contest details as VMworld gets under way. See you in San Francisco!


Change Is Coming to a PC Near You

Wednesday, July 22nd, 2009

Greetings from Chicago, where I am attending Brian Madden’s seventh annual BriForum event.  The event got off to a great start yesterday.  It is a smaller event as conferences go, but you won’t find a larger concentration of the brightest minds in desktop virtualization anywhere.  BriForum provides a great opportunity to see and touch some of the best virtualization technology available today, but I have been particularly drawn to some of the sessions focused on where this is all headed.  Chetan Venkatesh from Atlantis Computing did a really interesting session yesterday morning called “Envisioning the Desktop of 2015: A Tale of Three Clouds and Liquid Desktop Computing,” and Brian Madden and Martin Ingram of AppSense revisited their past predictions for the evolution of desktop computing in “Looking Towards the New Desktop.”  In both cases, the brand of client-side desktop virtualization we practice at Virtual Computer factored heavily into the presenters’ view of the future.

Walking around BriForum, one really gets the sense that there is a perfect storm of industry events brewing that is really going to cause desktop virtualization to take off in the next 12 months. For example, all signs are that Microsoft “got it right” with Windows 7, and that its release will be a catalyst for many organizations to look for new and innovative ways to deploy and manage their desktops. We think we have one for them. If you happen to be at BriForum and would like to connect to see a live demo of NxTop, feel free to grab me by the shirt, ping me on Twitter (@dlane), or use the form we have available on our web site.

Fortunately for me, my time spent contemplating the future of desktop virtualization with really sharp people will not end with my departure from BriForum on Thursday.  I am excited to be teaming up with Rachel Chalmers of The 451 Group next week on the webinar, “Five Ways Virtualization Is Changing Your PC.”  It will be held next Wednesday (July 29) at  11:30 a.m. ET.  We will explore a number of the ways in which client-side desktop virtualization will transform the PC for both IT admins and end-users, including:

  • The ability to run multiple operating systems on a single device and easily move from a personal to a corporate environment
  • Easy migration from Windows XP to Windows Vista or soon Windows 7
  • Enhanced data protection, backup and security
  • Improved PC management for mobile and remote workers
  • Remote desktop access to your documents, settings and self-installed applications

Visit our registration page to learn more or to register.


Virtualization Titans to Square off at SAP Virtualization Week 2009

Friday, February 6th, 2009

Virtualization Titans ;-)

When the topic of virtualization comes up, there are really only four companies that come to mind: Citrix, Microsoft, VMware, and Virtual Computer.  Right?  ;-)

The folks at SAP recently finalized the agenda for their upcoming SAP Virtualization Week 2009, scheduled for April 20 – 23 in Palo Alto, CA.  One of the highlights of the event will be a panel discussion that will feature our own Alex Vasilevsky along with Simon Crosby of Citrix, Mike Neil of Microsoft, and Steve Herrod of VMware.  I am guessing that it will be a lively and entertaining discussion.

The event agenda and registration details can be found on the SAP web site.  The SAP event timing and location lines up very well with the IDC Virtualization Forum West if you happen to be attending that event.  Travel budget in shreds on the floor?  SAP is also offering an option to view a webcast of the event via Citrix GoToWebinar.


Client Hypervisor and I/O Virtualization

Wednesday, January 14th, 2009

When we were in the early stages of developing NxTop Engine, our bare metal client hypervisor, one of the more challenging exercises we faced was determining how to best address the various input/output (I/O) paradigms on a PC. On one hand, we wanted to fully abstract the hardware from the operating system, so we could have a common virtual hardware platform and eliminate driver management headaches as part of our broader mission to make PCs easier to manage, maintain, and secure. On the other hand, there are a number of I/O touch points with a PC end-user, most notably in areas such as graphics, USB, disk, and networking, where the performance expectations are extremely high.

When it comes to dealing with I/O on a client hypervisor platform, a number of options exist. The first I will mention is full hardware device emulation. Complete emulation of physical devices is the “bread and butter” of virtualization technology. It does come with a performance price when compared to an operating system running on native hardware. This makes emulation a suitable option for less intensive I/O activities for which a slight performance hit is indiscernible to a PC end-user.

Another I/O virtualization technique is paravirtualization (also known as “enlightenment” in Microsoft Hyper-V parlance). With paravirtualization, optimizations (in the form of specialized class drivers) are made within the guest operating system that enable it to more effectively share physical hardware resources with other guest operating systems, achieving near-native I/O performance. This makes it an ideal approach for I/O activities with higher performance requirements, as it provides the end-user with the look and feel of native PC performance without “breaking” the virtual hardware platform abstraction model that makes life so much easier for the IT team to manage desktops. To build a great paravirtualized I/O subsystem is a huge undertaking, but our awesome engineering team made it look easy. :-)

When all else fails in attempting to achieve true virtualization on a client hypervisor, a final I/O approach that can be utilized is a technique called “pass-through.” As the name suggests, pass-through allows a guest operating system, such as Windows, to achieve native I/O performance by bypassing the hypervisor and using the same collection of Windows drivers that IT folks love to hate to access the physical PC hardware. For a virtualization vendor, a pass-through approach is a tempting way to avoid the whole issue of building a high performance paravirtualization I/O subsystem. Perhaps the engineering skill set to do that is just not there, so why not just use some hardware PCI mapping tables and off you go. However, if you think that native Windows drivers, bypassing the hypervisor and talking directly to physical PC hardware, is a “visionary” virtualization technique (as another virtualization company likes to call this approach), then I have a famous bridge to sell to you. We view pass-through as an I/O technique of last resort to use in a client hypervisor, because that model of I/O virtualization makes desktop management more complicated and more expensive. And after all, isn’t desktop virtualization all about simplifying and reducing management costs? If a client hypervisor doesn’t make PC management easier, what’s the point?

As we were designing NxTop, we painstakingly analyzed each I/O requirement of the client PC and selected the most appropriate approach for each. In doing so, we struck what we feel is the most optimal balance between PC manageability and security for the IT team and a better overall user experience for end-users. Early feedback is that we have hit the mark.


Going Virtual With Windows 7

Friday, January 9th, 2009

Even though we have a well-ordered list of more pressing things to do, we couldn’t resist taking a little bit of time yesterday to pull down the newly released Windows 7 beta to give it a whirl on NxTop Engine, our bare metal client hypervisor.

It took a “hammer tap” or two from a couple of the smart guys we have roaming the halls here, but within a couple of hours of download we had it running on a bare metal laptop concurrently with XP and Vista virtual machines.  I will try to shoot some video later and post it.

Exercises like this, while admittedly of little short-term significance, really drive home why bare metal client virtualization will become the predominant method of executing end-user desktops.  I have seen a fair bit of commentary on whether enterprises running XP should move to Vista as a hardware/application compatibility stepping stone or skip Vista and wait for Windows 7.  With a product like NxTop, this becomes purely a business decision rather than a technology decision.  There are two key reasons for this:

Full Hardware Abstraction
By fully abstracting the hardware from the operating system, the process of certifying an operating system becomes orders of magnitude easier.  NxTop Engine houses the various physical hardware drivers in the virtualization layer, presenting a generic set of virtual hardware to the operating system regardless of underlying physical hardware.  The IT team will no longer need to worry about drivers, and Virtual Computer will do all of the work required to make our virtual hardware compatible with new operating systems like Windows 7 as they are released.

Point-and-Click Deployment of Multiple Operating Systems
Today, rolling out a new operating system is a major project for most IT organizations.  Very few IT teams are willing to flip a switch and move all users simultaneously to a new operating system–for good reason.  The potential pitfalls include hardware compatibility issues, incompatibility of key applications with the new operating system, and end-user training just to scratch the surface.  Even if all of the issues can be solved, there is also that minor issue of reimaging every PC in the organization.  Even with PC imaging tools, this would take more time than most IT teams can afford.

With NxTop, the IT team would simply create a new master virtual machine on NxTop Center and publish it to their users to run alongside the existing operating system.  At this stage, users can become acclimated with the new operating system but are still able to access their existing desktop environment.  After a reasonable transition period, the IT team can simply unassign the legacy operating system.  Or, if certain users require ongoing access to their legacy operating system for lagging incompatible applications, the two desktops can run concurrently to provide a longer-term application compatibility solution.

I am looking forward to playing around with Windows 7.  It took service pack 1 and maxing out my RAM to get me there, but I am actually starting to prefer Vista to XP.  I am interested to see if Windows 7 delivers further improvement.


Voting is Open for Virtualization Congress

Monday, January 5th, 2009

Virtualization Congress has posted a list of proposals for presentations that will be a part of Virtualization Congress 2009 in Las Vegas. Head on over to vote for the presentations you’d be most interested in attending, such as Mobile Desktop Virtualization with Cloud-Based Disaster Recovery. ;-)
