Even though we have a well-ordered list of more pressing things to do, we couldn’t resist taking a little bit of time yesterday to pull down the newly released Windows 7 beta to give it a whirl on NxTop Engine, our bare metal client hypervisor.

It took a “hammer tap” or two from a couple of the smart guys we have roaming the halls here, but within a couple of hours of download we had it running on a bare metal laptop concurrently with XP and Vista virtual machines.  I will try to shoot some video later and post it.

Exercises like this, while admittedly of little short-term significance, really drive home why bare metal client virtualization will become the predominant method of executing end-user desktops.  I have seen a fair bit of commentary on whether enterprises running XP should move to Vista as a hardware/application compatibility stepping stone or skip Vista and wait for Windows 7.  With a product like NxTop, this becomes purely a business decision rather than a technology decision.  There are two key reasons for this:

Full Hardware Abstraction
By fully abstracting the hardware from the operating system, the process of certifying an operating system becomes orders of magnitude easier.  NxTop Engine houses the various physical hardware drivers in the virtualization layer, presenting a generic set of virtual hardware to the operating system regardless of underlying physical hardware.  The IT team will no longer need to worry about drivers, and Virtual Computer will do all of the work required to make our virtual hardware compatible with new operating systems like Windows 7 as they are released.

Point-and-Click Deployment of Multiple Operating Systems
Today, rolling out a new operating system is a major project for most IT organizations.  Very few IT teams are willing to flip a switch and move all users simultaneously to a new operating system–for good reason.  The potential pitfalls include hardware compatibility issues, incompatibility of key applications with the new operating system, and end-user training just to scratch the surface.  Even if all of the issues can be solved, there is also that minor issue of reimaging every PC in the organization.  Even with PC imaging tools, this would take more time than most IT teams can afford.

With NxTop, the IT team would simply create a new master virtual machine on NxTop Center and publish it to their users to run alongside the existing operating system.  At this stage, users can become acclimated with the new operating system but are still able to access their existing desktop environment.  After a reasonable transition period, the IT team can simply unassign the legacy operating system.  Or, if certain users require ongoing access to their legacy operating system for lagging incompatible applications, the two desktops can run concurrently to provide a longer-term application compatibility solution.

I am looking forward to playing around with Windows 7.  It took service pack 1 and maxing out my RAM to get me there, but I am actually starting to prefer Vista to XP.  I am interested to see if Windows 7 delivers further improvement.

Our view from day one has been that by running virtual machines directly on traditional PC hardware rather than remotely on servers, we can deliver the manageability, reliability, and security benefits of desktop virtualization while providing a better end-user experience.  Graphics performance is quite literally the most visible aspect of the user experience, so it is a major area of focus for us.  We have great 2D graphics working in our beta deployments today, but we won’t be satisfied until we have 3D graphics performance that is not discernable from a native operating system installation.  We don’t want to “cheat” (and open up a big security hole) by allowing a graphics driver in Windows to bypass the hypervisor.  We want to do it all in virtualization.

Our fearless CTO, Alex Vasilevsky, not only came up with a great architecture for fully virtualized 3D graphics, he actually showed up one day with a working proof of concept.  A couple of us decided to put it to the test and run two separate 3D applications (Quake and Google Earth) in two separate virtual machines. As you can see, they are running simultaneously. With NxTop, you can switch between them in an instant while both operating systems are using 3D graphics. By the way, be careful when switching to Google Earth while playing Quake, as you generally get killed pretty quickly when you’re not paying attention to the game.

Check out the video:

On the heels of Alex’s “Why Bare is Better” post last week, Yi-Jian Ngo of Microsoft is highlighting how “bare metal” client virtualization technology may be the key to driving mass adoption of desktop virtualization. Yi-Jian is the guy who takes startups like us by the hand and helps them navigate the waters at Microsoft, and it was great to finally meet him in person last week at VMworld. Yi Jian is discussing what he calls Desktop Virtualization 2.0 on his Core Infrastructure blog. In the post he discusses the two current definitions of desktop virtualization.

The first is what he calls “the model of virtual machines running in the bowels of the datacenter/cloud and projected out to users” – this is traditional desktop virtualization, or VDI. The second is where Virtual Computer’s NxTop is: running virtual desktops on the bare metal of a PC. Three use cases are mentioned:

The use cases for bare metal client virtualization are still emerging, though there are at least three that come to mind. One is the ability to deploy a locked-down workspace for corporate use side-by-side with a second workspace that end-users can modify but is walled off from certain resources, simultaneously maintaining ease of management while allowing some degree of end-user flexibility. Second is the quick deployment of policy-compliant workspaces to clients used by temporary or guest workers. And third is the offloading of certain utilities, particularly desktop security software, onto a separate virtual machine – possibly portending the arrival of desktop virtual appliances.

Absolutely right. We’ve been talking with hundreds of IT administrators responsible for PC management and find these to be among the top use cases for NxTop. It boils down to this: NxTop needs to make overall laptop and desktop management easier, more secure and quick to deploy. For the end-user, it needs to offer everything they’ve come to expect from a desktop experience.

There have been a number of really big announcements at VMWorld this week – including the launch of our own NxTop!  A side effect of all the press releases making the round is that there is confusion around what a bare metal hypervisor is and why it is useful, so I thought some clarification would be helpful.

All of the virtualization options on mobile devices up to this point have been “hosted” solutions (sometimes called type-2 hypervisors).  That is, it is a virtual machine running on top of a standard operating system installation – like Windows or Linux.  VMWare ACE and others are examples of type-2 hypervisor solutions.   Also, according to their keynote demo and press release, the VMware vClient initiative is a ‘hosted solution’ of  a Linux operating system and a VMplayer.

NxTop is something different.  It incorporates a ‘Bare Metal’ (type-1) hypervisor. The NxTop engine sits directly on hardware and not on an OS.  Think of ESX vs. Workstation.  This gives you additional management capabilities and security.  For example, if Windows is inoperable (bluescreen, bad patch, etc.) and is not recoverable, NxTop Center still has access to the out-of-band management stack and can revert to a snapshot in a jiffy.  Additionally, the ‘attack surface’ is minimized as you are now talking about under 100k lines of code in a hypervisor vs. millions in a hosted operating system.  Finally, the hypervisor with full control of the hardware is better able to enforce isolation between multiple virtual machines running on the same client.

A hypervisor by itself is not that interesting – but the management and security features it enables are.  Hope this helps clarify the differences between a type 1 hypervisor (bare metal hypervisor) and a type 2 hypervisor (hosted solution).

Our booth at VMWorld has been packed all week long, thanks again for stopping by!

From InfoWorld: Five Steps to Safer Virtual Servers

1. Protect your host operating system by using server hardening tools and methodologies.
2. Ensure that your host OS is as secure as the guest operating system.
3. Security policies in the host OS should reflect requirements of individual virtual machines.
4. Manage virtual processes more like you already manage your physical resources.
5. Stay vigilant about securely managing the physical infrastructure.

In short: practice the same common sense you would in the physical world!

Virtual sprawl. That’s the phrase used to describe a virtual machine environment that gets out of control because it is just so easy to create virtual servers using many of today’s tools. The phrase often comes up when someone is discussing the need for virtualization management systems.

The right management system will help keep track of all of your virtual machines but to really keep virtual sprawl contained, you need the discipline of only creating what you need and having the right tools in place before implementing your virtualization solution.

This is harder than it sounds.

It’s easy to create new virtual computers and servers — and, with such low cost to creating them, it’s easy to overlook the need to have a plan in place before implementation. Of course, if the right management systems were a part of the solution (which they should be and, depending what you’re looking at, might be), the problem of virtual sprawl goes away.

Or, at the very least, becomes easy to contain.

By the way, the title of this post isn’t mine — it’s a quote made by Deepak Mohan of Symantec. The full quote is:

“Virtual machines are easy to deploy and propagate like rabbits, and that causes complexity of management from the data perspective.”

I came across it in an article this morning.