
Posts Tagged ‘bare metal’

Client Hypervisor Train Steams Ahead

Friday, January 23rd, 2009

There has continued to be great coverage and response to the Citrix/Intel client hypervisor and “Project Independence” announcements.  We have been keeping pretty busy over the last couple of days talking with press and analysts about our perspective on these industry developments, and it is already very clear that Citrix and Intel’s involvement is going to bring a whole new level of visibility to the ecosystem of companies working hard to make bare metal client hypervisor technology a reality.

Chris Wolf of Burton Group is one of the industry analysts who was way out in front of the client hypervisor’s emergence as a PC management technology, and he provides a very good assessment of the Citrix/Intel announcement on his blog.  In his post, Chris put out the call to other companies like Virtual Computer and VMware to comment.  So far, it looks like I am the only one who has weighed in.  Here is what I had to say:

At Virtual Computer, we are cheering this announcement, because it completely validates our vision of transforming the way PCs are managed through client-side virtualization. We also view Citrix as a very partner-friendly company that we can be successful collaborating with as part of a broader industry ecosystem. Since day one, Virtual Computer has described itself as a PC lifecycle management company—not a hypervisor company. If you go back and read our original press release when we came out of stealth mode, a lot of shared vision with Project Independence shines through.

We have implemented a Xen-based bare metal client hypervisor as transformational technology to help us achieve our vision for PC management. However, we never had any illusions that we would always own the hypervisor. If a standard or de facto standard client hypervisor existed, we would have used it. Given that one didn’t, we looked at available options such as Xen, KVM, etc. before ultimately deciding that Xen was the most mature technology available to serve as the “engine” of NxTop Engine. However, we went into it recognizing that just because a bare metal client hypervisor standard did not exist, this did not mean that there never would be one. At the time, many were predicting that Microsoft would include a bare metal client hypervisor as part of Windows 7. In addition, we also saw it as plausible that companies like Citrix and VMware would augment their server-hosted VDI offerings with a client hypervisor (though I would not have predicted so quickly!).

With that as the backdrop, we built NxTop around Xen, but with clear lines of delineation between our management technology/intellectual property and the hypervisor. We were never planning to monetize the hypervisor, and any improvements we make to Xen will go back to the open source community in a timely manner. If at some point, a better client hypervisor option than Xen emerged, we were well prepared for it. However, to the extent that Xen emerges as the industry standard client hypervisor, as the industry momentum is starting to foretell, it makes Virtual Computer a much more valuable member of the ecosystem given our expertise and head start. I also think that an ecosystem and standards driven approach, bolstered by the Xen open source community, has much better potential to achieve widespread adoption than a proprietary hypervisor approach from which only one company stands to gain.

The client hypervisor train is clearly picking up a head of steam this week, which is making life very exciting for innovative startups in the space like Virtual Computer.  That’s us waving from the front row!


Client Hypervisor and I/O Virtualization

Wednesday, January 14th, 2009

When we were in the early stages of developing NxTop Engine, our bare metal client hypervisor, one of the more challenging exercises we faced was determining how to best address the various input/output (I/O) paradigms on a PC. On one hand, we wanted to fully abstract the hardware from the operating system, so we could have a common virtual hardware platform and eliminate driver management headaches as part of our broader mission to make PCs easier to manage, maintain, and secure. On the other hand, there are a number of I/O touch points with a PC end-user, most notably in areas such as graphics, USB, disk, and networking, where the performance expectations are extremely high.

When it comes to dealing with I/O on a client hypervisor platform, a number of options exist. The first I will mention is full hardware device emulation. Complete emulation of physical devices is the “bread and butter” of virtualization technology. It does come with a performance price when compared to an operating system running on native hardware. This makes emulation a suitable option for less intensive I/O activities for which a slight performance hit is indiscernible to a PC end-user.

Another I/O virtualization technique is paravirtualization (also known as “enlightenment” in Microsoft Hyper-V parlance). With paravirtualization, optimizations (in the form of specialized class drivers) are made within the guest operating system that enable it to more effectively share physical hardware resources with other guest operating systems, achieving near-native I/O performance. This makes it an ideal approach for I/O activities with higher performance requirements, as it provides the end-user with the look and feel of native PC performance without “breaking” the virtual hardware platform abstraction model that makes life so much easier for the IT team to manage desktops. To build a great paravirtualized I/O subsystem is a huge undertaking, but our awesome engineering team made it look easy. :-)

When all else fails in attempting to achieve true virtualization on a client hypervisor, a final I/O approach that can be utilized is a technique called “pass-through.” As the name suggests, pass-through allows a guest operating system, such as Windows, to achieve native I/O performance by bypassing the hypervisor and using the same collection of Windows drivers that IT folks love to hate to access the physical PC hardware. For a virtualization vendor, a pass-through approach is a tempting way to avoid the whole issue of building a high performance paravirtualization I/O subsystem. Perhaps the engineering skill set to do that is just not there, so why not just use some hardware PCI mapping tables and off you go. However, if you think that native Windows drivers bypassing the hypervisor and talking directly to physical PC hardware is a “visionary” virtualization technique (as another virtualization company likes to call this approach), then I have a famous bridge to sell to you. We view pass-through as an I/O technique of last resort to use in a client hypervisor, because that model of I/O virtualization makes desktop management more complicated and more expensive. And after all, isn’t desktop virtualization all about simplifying and reducing management costs? If a client hypervisor doesn’t make PC management easier, what’s the point?

As we were designing NxTop, we painstakingly analyzed each I/O requirement of the client PC and selected the most appropriate approach for each. In doing so, we struck what we feel is the most optimal balance between PC manageability and security for the IT team and a better overall user experience for end-users. Early feedback is that we have hit the mark.


3D Graphics in Virtual Machines Running on a Bare Metal Client Hypervisor [Video]

Tuesday, December 23rd, 2008

Our view from day one has been that by running virtual machines directly on traditional PC hardware rather than remotely on servers, we can deliver the manageability, reliability, and security benefits of desktop virtualization while providing a better end-user experience. Graphics performance is quite literally the most visible aspect of the user experience, so it is a major area of focus for us. We have great 2D graphics working in our beta deployments today, but we won’t be satisfied until we have 3D graphics performance that is not discernible from a native operating system installation. We don’t want to “cheat” (and open up a big security hole) by allowing a graphics driver in Windows to bypass the hypervisor. We want to do it all in virtualization.

Our fearless CTO, Alex Vasilevsky, not only came up with a great architecture for fully virtualized 3D graphics, he actually showed up one day with a working proof of concept.  A couple of us decided to put it to the test and run two separate 3D applications (Quake and Google Earth) in two separate virtual machines. As you can see, they are running simultaneously. With NxTop, you can switch between them in an instant while both operating systems are using 3D graphics. By the way, be careful when switching to Google Earth while playing Quake, as you generally get killed pretty quickly when you’re not paying attention to the game.

Check out the video:


Making PC Management Better

Friday, September 26th, 2008

I recently wrote an article for Virtualization Journal. In the article I give an overview of virtualization but quickly move into the area of desktop virtualization, why companies will be embracing virtual desktops very soon, the differences between types of desktop virtualization (type 1 vs. type 2, which I also discuss here) and, most importantly, how desktop virtualization with a type 1 (bare-metal) hypervisor is going to really change the way PCs are managed.

The model of directly executing multiple virtual environments on the same physical PC in full isolation from each other enables many important PC management functions, including but not limited to:

  • System updates
  • Backup
  • Recovery from errors
  • Root-kit detection
  • Malware and software virus detection
  • Machine lockdown
  • Full support for mobility and disconnected use

These capabilities are provided for all desktop operating environments running on PC architecture, while remaining protected from each other and their security vulnerabilities. This model of desktop virtualization is suitable for devices that are always connected to the network, such as stationary desktop PCs connected via a persistent network connection, and mobile notebooks that can be occasionally disconnected from the corporate networks.

Go to Virtualization Journal for the full article and check out what we are doing with NxTop to make virtual desktops a reality.


Microsoft Weighs in on “Bare Metal” Desktop Virtualization

Wednesday, September 24th, 2008

On the heels of Alex’s “Why Bare is Better” post last week, Yi-Jian Ngo of Microsoft is highlighting how “bare metal” client virtualization technology may be the key to driving mass adoption of desktop virtualization. Yi-Jian is the guy who takes startups like us by the hand and helps them navigate the waters at Microsoft, and it was great to finally meet him in person last week at VMworld. Yi-Jian is discussing what he calls Desktop Virtualization 2.0 on his Core Infrastructure blog. In the post he discusses the two current definitions of desktop virtualization.

The first is what he calls “the model of virtual machines running in the bowels of the datacenter/cloud and projected out to users” – this is traditional desktop virtualization, or VDI. The second is where Virtual Computer’s NxTop is: running virtual desktops on the bare metal of a PC. Three use cases are mentioned:

The use cases for bare metal client virtualization are still emerging, though there are at least three that come to mind. One is the ability to deploy a locked-down workspace for corporate use side-by-side with a second workspace that end-users can modify but is walled off from certain resources, simultaneously maintaining ease of management while allowing some degree of end-user flexibility. Second is the quick deployment of policy-compliant workspaces to clients used by temporary or guest workers. And third is the offloading of certain utilities, particularly desktop security software, onto a separate virtual machine – possibly portending the arrival of desktop virtual appliances.

Absolutely right. We’ve been talking with hundreds of IT administrators responsible for PC management and find these to be among the top use cases for NxTop. It boils down to this: NxTop needs to make overall laptop and desktop management easier, more secure and quick to deploy. For the end-user, it needs to offer everything they’ve come to expect from a desktop experience.


Why “Bare” Is Better

Thursday, September 18th, 2008

There have been a number of really big announcements at VMworld this week – including the launch of our own NxTop! A side effect of all the press releases making the rounds is that there is confusion around what a bare metal hypervisor is and why it is useful, so I thought some clarification would be helpful.

All of the virtualization options on mobile devices up to this point have been “hosted” solutions (sometimes called type-2 hypervisors). That is, the virtual machine runs on top of a standard operating system installation – like Windows or Linux. VMware ACE and others are examples of type-2 hypervisor solutions. Also, according to their keynote demo and press release, the VMware vClient initiative is a ‘hosted solution’ of a Linux operating system and a VMplayer.

NxTop is something different.  It incorporates a ‘Bare Metal’ (type-1) hypervisor. The NxTop engine sits directly on hardware and not on an OS.  Think of ESX vs. Workstation.  This gives you additional management capabilities and security.  For example, if Windows is inoperable (bluescreen, bad patch, etc.) and is not recoverable, NxTop Center still has access to the out-of-band management stack and can revert to a snapshot in a jiffy.  Additionally, the ‘attack surface’ is minimized as you are now talking about under 100k lines of code in a hypervisor vs. millions in a hosted operating system.  Finally, the hypervisor with full control of the hardware is better able to enforce isolation between multiple virtual machines running on the same client.

A hypervisor by itself is not that interesting – but the management and security features it enables are.  Hope this helps clarify the differences between a type 1 hypervisor (bare metal hypervisor) and a type 2 hypervisor (hosted solution).

Why a Bare Metal Hypervisor is Better

Our booth at VMworld has been packed all week long. Thanks again for stopping by!
