OpenStack Summer Reading

Seeing that I’m now getting an out of office hit rate of above 50% (I’m based in EMEA) I thought it might be interesting to share a summer reading list. I’m going (or already went, in most cases) through this material myself during my planned downtime in the second half of August.

I’m very interested in OpenStack and have been fiddling with it for quite some time. I like how it touches a lot of technologies and evolves at breakneck speed (it has become the fastest-growing open source project of all time).

Recently a team from VMware, EMC, Cisco, Cloudscaling, Comcast, Mirantis, Rackspace, Red Hat, and Verizon completed a 5 day book sprint (for more info on book sprints visit booksprints.net) writing the OpenStack Architecture Design Guide.


I think this is a good resource to get started with expanding your OpenStack knowledge if you are planning a design. For getting started with OpenStack without any background I recommend the OpenStack website, as it has some great introductions to the different technologies. The architecture design guide explains some common use cases and what to look out for in each of them. Like with most cloud automation/orchestration frameworks it is not really feasible to give a lot of prescriptive step-by-step advice, since the system is so versatile that you really need to look at your specific use case; the book however attempts, successfully, to provide some. It does not cover installation and operations; for this another great resource is available for free, the OpenStack Operations Guide.

If you are more interested in the security aspect of running OpenStack there is another guide available that was also the result of a book sprint, called the OpenStack Security Guide.

The OpenStack Wiki also provides a great place to get started, but I often find a nicely packaged book is more suited towards learning.

The complete set of current OpenStack documentation can be found here. You can also contribute to OpenStack without needing to provide code by helping out the documentation effort, more information on how this works can be found here.

You can find an immense number of sessions on YouTube around OpenStack as well, but since video has no place in a reading list… (just google it).

VMware also supports OpenStack integration by providing open source drivers (for Nova and Cinder) and plugins (for Quantum/Neutron) to integrate with our products. You can find, and read about, these on the VMware OpenStack community site.


VMware also provides an (unsupported) vSphere OpenStack Virtual Appliance (VOVA) to allow for easy testing, proofs of concept, and educational purposes. It is a single Ubuntu Linux appliance running Nova, Glance, Cinder, Neutron, Keystone, and Horizon. There is also a VMware + OpenStack Hands On Lab available for you to experience the integration first hand.

Enjoy the summer!

Posted in vmware, OpenStack

Zero Trust Network Architecture and Micro-Segmentation

A killer application

As defined by Wikipedia: In marketing terminology, a killer application (commonly shortened to killer app) is any computer program that is so necessary or desirable that it proves the core value of some larger technology, such as computer hardware, gaming console, software, a programming language, software platform, or an operating system. In other words, customers would buy the underlying technology just to run that application.

The Zero Trust Network Architecture

There is a simple philosophy at the core of Zero Trust: Security professionals must stop trusting packets as if they were people. Instead, they must eliminate the idea of a trusted network (usually the internal network) and an untrusted network (external networks). In Zero Trust, all network traffic is untrusted. Thus, security professionals must verify and secure all resources, limit and strictly enforce access control, and inspect and log all network traffic.

The core concepts of Zero Trust are:

  • There is no longer a trusted and an untrusted interface on our security devices.
  • There is no longer a trusted and an untrusted network.
  • There are no longer trusted and untrusted users.

Zero Trust mandates that information security pros treat all network traffic as untrusted. Zero Trust doesn’t say that employees are untrustworthy but that trust is a concept that information security pros should not apply to packets, network traffic, and data. The malicious insider reality demands a new trust model. By changing the trust model, we reduce the temptation for insiders to abuse or misuse the network, and we improve our chances of discovering security breaches before they impact the environment.


These approaches wrap security controls around much smaller groups of resources – often down to a small group of virtualized resources or individual VMs. Micro-segmentation has been understood to be a best practice approach from a security perspective, but difficult to apply in traditional environments.

Micro-segmentation

Traditionally, network segmentation is a function of a switch. From a network perspective micro-segmentation is a design where each device on a network gets its own dedicated segment (collision domain) to the switch. Each network device gets the full bandwidth of the segment and does not have to share the segment with other devices. Micro-segmentation reduces and can even eliminate collisions because each segment is its own collision domain.

From a security perspective traditional segmentation works by implementing (next-generation) firewalls that act as “choke points” on the network. When application traffic is directed towards the firewall it enforces its rule-set and packets are blocked or allowed to pass through. This is a completely workable solution if you are just implementing controls (choke points) at a limited number of places in the network, i.e. between the internal and external network, between business networks and the production network, etc. If you applied this same method to micro-segmentation, however, you would need to invest in large network boxes, and with the advent of VM mobility you would potentially need to constantly update security rules to keep your policies up to date.

VMware NSX and micro-segmentation

In Virtual Machine land we would normally connect VMs to a virtual switch (port-group) and pipe that combined traffic to a network choke point, i.e. a firewall. This breaks the idea of the Zero Trust architecture, as you are already grouping certain VMs together. With NSX, policy can be applied at the individual VM level, independent of placement: every VM is literally first connected to the in-kernel stateful firewall before its traffic goes out on the network. This implies that security can be implemented independently of the way the logical network is architected, i.e. it does not matter if this particular VM is grouped with other VMs in, say, a DMZ segment; traffic will be filtered between VMs, making sure Zero Trust is maintained.
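To make the difference concrete, here is an added example (not NSX code, and not from the original post) that models a perimeter choke point next to a per-vNIC firewall on the same flows; the VM names, segments, tags and rules are constructed:

```python
"""Choke-point firewall vs per-vNIC firewall, illustrating the post's point.

Added example (not NSX code): it models the two enforcement models the post
contrasts. With a perimeter choke point, only traffic that crosses segments
ever reaches the rule-set, so VMs sharing a port-group talk freely. With a
firewall attached to each VM's vNIC, every flow is evaluated and the result
does not change when a VM is moved. VM names, tags and rules are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VM:
    name: str
    segment: str        # logical L2 segment / port-group the VM sits on
    tags: frozenset     # security tags carried by the VM, e.g. {"web"}


@dataclass(frozen=True)
class Rule:
    src_tag: str            # "any" or a tag the source VM must carry
    dst_tag: str            # "any" or a tag the destination VM must carry
    port: Optional[int]     # None matches any destination port
    action: str             # "allow" or "deny"

    def matches(self, src: VM, dst: VM, port: int) -> bool:
        return ((self.src_tag == "any" or self.src_tag in src.tags)
                and (self.dst_tag == "any" or self.dst_tag in dst.tags)
                and (self.port is None or self.port == port))


def evaluate(rules, src, dst, port, default="deny"):
    """First matching rule wins; unmatched traffic falls back to the default."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return default


def choke_point_decision(rules, src, dst, port):
    """Perimeter firewall: traffic inside one segment never reaches it."""
    if src.segment == dst.segment:
        return "allow-uninspected"
    return evaluate(rules, src, dst, port)


def distributed_decision(rules, src, dst, port):
    """Per-vNIC firewall: every flow is evaluated, placement is irrelevant."""
    return evaluate(rules, src, dst, port)


# Constructed policy: anyone may reach web on 443, web may reach db on 3306,
# everything else is denied by default.
POLICY = (
    Rule("any", "web", 443, "allow"),
    Rule("web", "db", 3306, "allow"),
)

WEB1 = VM("web1", "dmz", frozenset({"web"}))
WEB2 = VM("web2", "dmz", frozenset({"web"}))
DB1 = VM("db1", "app", frozenset({"db"}))


def compare(src, dst, port):
    """Return (choke-point decision, distributed decision) for one flow."""
    return (choke_point_decision(POLICY, src, dst, port),
            distributed_decision(POLICY, src, dst, port))


def relocate(vm, new_segment):
    """Simulate moving a VM to another segment; its tags (identity) are kept."""
    return VM(vm.name, new_segment, vm.tags)


if __name__ == "__main__":
    # Unsanctioned file-sharing traffic between two web servers on one port-group.
    print("web1 -> web2:445  ", compare(WEB1, WEB2, 445))
    # Sanctioned database traffic that crosses segments.
    print("web1 -> db1:3306  ", compare(WEB1, DB1, 3306))
    # The same unsanctioned flow after web2 is moved to the app segment.
    print("web1 -> web2':445 ", compare(WEB1, relocate(WEB2, "app"), 445))
```

The first flow shows the gap the post describes: the choke point never sees it, while the per-vNIC firewall denies it, and only the latter gives the same answer before and after the VM moves.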

Posted in Networking, vmware

On job-hopping and naivety

If you’re only interested in my technical posts feel free to skip this one; this is the second in a series of Sunday posts where I try to take a step back and structure my thoughts on work and career.

When you look at my LinkedIn profile, it certainly looks like I like to change jobs on a regular basis, but this is not reality, at least this is not how I perceive it to be.

I always start a new job fully committed; if I can’t get excited about the prospect of working at company XYZ I will not even think about signing on, no matter how good the head-hunter, no matter how big the carrot. I believe herein, at least partly, lies the problem: high expectations and an idolized view of the company are rarely met, and then disillusionment sets in. A company is not some abstract concept; what you perceive on the outside are its products, its spokespeople, its community participation, etc. This forms a complete picture which you then see through your own lens. Looking from the inside out is of course very different than looking from the outside in; every company has its warts and blind spots, they are usually just at different places in the organisation.


So where then does the train start to go off the track?

Like I said, and this can surely also be construed as naivety or failing to see reality on my part, I’m always very much committed to doing my best work when I start someplace new. I did my research on the products and solutions and something got me excited enough to start believing, very much like being committed to a cause.

As Horace Mann’s injunction states:

Until you have done something for humanity you should be ashamed to die. -Horace Mann

Not everyone around you feels the same way, not everyone is motivated by the same things, not everyone feels they need to invest a disproportionate part of their life into their career, and that is totally ok. I just can’t help feeling a little disappointed by it, and then I feel I need to get moving, look for other like-minded people, driven by a bigger sense of purpose, naive as it may sound.

I really like what Dan Pink has said about what motivates us in his TED talk “The puzzle of motivation.”

Autonomy, mastery and purpose are indeed the driving concepts behind my career and I would gamble this is true for most of us; maybe I would add a fourth one, sticking to one’s principles and having a deep sense of justice. When I say “one’s principles” I also mean the principles of the company. Oftentimes it feels like being on the outskirts (I live in Europe) of a multinational corporation somewhat dilutes the message set forth at corporate, like a game of Chinese whispers; if not that, at least it feels like having fewer believers and more cynics around.

The only thing necessary for the triumph of evil is that good men do nothing. – Edmund Burke

This is usually the one that gets me in trouble and ultimately makes me vote with my feet, if this translates to the outside world as giving up too easily and being a job-hopper that’s unfortunate, to me it translates to standing up for your beliefs.

When you stand for nothing, you fall for everything -Alexander Hamilton

In terms of people I think the late Randy Pausch states it beautifully:

Wait long enough and people will surprise and impress. When you’re pissed off at someone and you’re angry at them, you just haven’t given them enough time. Just give them a little more time and they almost always will impress you. -Randy Pausch

I want to believe that…

People who know me socially and on Facebook (see what I did there?) will corroborate that I like to joke around, regularly get on my high horse, and pick on stuff, people, and companies. This is not reality of course, I don’t really think your company is stupid and can do no right; one of my favourites to pick on is Microsoft:

Hyper-V, virtualization brought to you by the same geniuses who invented Internet Explorer

In reality I think Microsoft is a fine company, with lots of great people like Mark Russinovich, Scott Hanselman, Scott Guthrie, and many others that I respect. I rarely subscribe to a Technology Religion just for the sake of religion. This translates to my employers as well: I’m perfectly capable of seeing the bigger picture, I understand the reason things sometimes are the way they are, I get why a certain decision makes sense at a certain point in time even if it goes against core principles and values, but that does not mean I have to agree with it.

Another example that perfectly describes my sentiment of what usually happens when the idea of working somewhere has little in common with reality is a scene from the episode “And It’s Surely to Their Credit” from the acclaimed TV series The West Wing, in which Republican Ainsley Hayes takes a job working in a Democrat-led White House out of respect for the institution and ends up, temporarily at least, feeling let down:

Sam Seaborn: See, I was told you were just going to be working in the Majority Counsel’s office, which I wasn’t wild about to begin with, but it’s my understanding I’d be talking to Brookline and Joyce, seeing as how they work for me.
Ainsley Hayes: I was taking initiative.
Sam Seaborn: Well, wasn’t that spunky of you.
Ainsley Hayes: Sam, do you think there’s any chance that you could be rude to me tomorrow? Tomorrow is Saturday. I will be here. You can call me and be rude by phone or you can stop by and do it in person. ‘Cause I think if I have to endure another disappointment today from this place that I have worshipped, I am gonna lose it. So if you could wait until tomorrow, I would appreciate it.

Looking back I think I can come to the conclusion that I feel more at home in a “start-uppy” environment, this can be a real start-up or a specific division inside a bigger company that is going against the norm and trying to disrupt by trying something new. I like taking the road less travelled, I like pulling threads to see where they lead, I like doing something that goes against corporate dogma. I hate “this is not how it works here”, “we’ve always done it like this”, “just give it a couple of months, you’ll see”.

People who say it cannot be done should not interrupt those who are doing it. – George Bernard Shaw

So next time you throw away a resume because the person applying has had too many jobs in the past, you could very well be denying yourself your most committed and motivated employee, if only you could figure out how to better enable him or her.

Posted in non-technical, Uncategorized

Horizon 6 – RDS Hosted Apps on Mac (user experience)

Now that Horizon 6 has been released to the public at large I’ve had a chance to play around with it, as an end-user, on my MacBook. The first thing you need is the new (version 3) VMware Horizon Client for Mac available for download on our website.


After installation you’ll notice the icon has changed from the previous version. (because we do apps now as well ;-) )


Enter the FQDN or IP address of your connection server, enter your credentials, and log in.


After the connection is established via the Horizon client you’re presented with the resources you’re entitled to; in this case I can connect to an RDS desktop, some Horizon View desktops, and some RDS Hosted Applications.


In this example I’ll open PowerPoint 2013 by double clicking the icon.


After the connection has been established I’m presented with my application, seamlessly integrated into my Mac desktop, remoted via PCoIP.


The application can be used in a windowed mode (see above) or full screen (see below).


Posted in vmware

On working for a vendor and being a trusted advisor

For the last 7 years or so I’ve been working for a number of different vendors in the IT space as a systems engineer. If you’re working for a vendor, systems engineer usually translates to pre-sales (this is not always obvious to customers in Europe, but that’s another story, for another time), which means, as the second part of the title indicates, you have a sales quota, and success is partly measured by how many products and solutions you sell.

Now, I don’t believe the majority of people, in reality, act as the “pre-sales” or “account manager” stereotype (I’ll let you fill in what such a stereotype looks like, it’s not that hard). People are varied and complex, and so is the way they embody their jobs; nothing really is black or white, mostly just lots of grey. But for some, however, the world seems to be only black or white.

Anyway let’s assume if you are in pre-sales that you want to act as a trusted advisor (it’s in most job descriptions for pre-sales engineers right?) for your customers, what does that look like?

When you are working for a vendor you have specific technology, products, or solutions, to sell. You get indoctrinated with a specific world view, if you are not careful you start to drown out other valid opinions and you get hooked on your organization’s dogma. A bit like only watching FOX News if you live in the United States.

On the other hand there is the more noble goal (and the only way I, and lots of my colleagues, would be able to look ourselves in the mirror in the morning) of doing what is in the best interest of the customer: being a trusted advisor. In my view this means defending your organisation with vigour if and when appropriate, but also knowing intimately what your solutions can and cannot do, by recognising when what the customer wants is not actually on your truck to sell. If that is the case you either feel defeated and walk out, or you work with the customer to find the best solution, building the relationship, not building your next commission cheque. Your honest opinion, if you have earned the trusted advisor role at the customer, often carries great weight.

“Every man is entitled to his own opinion, but not his own facts!”

I’ll give just one example from when I was at my previous employer Riverbed Technology. I was called out of the blue by a former customer (not a Riverbed customer yet); he had done some research online and was convinced our products would be the perfect fit for his needs. I could see my sales guy’s face light up when he witnessed the call, and then turn into contempt when I advised that Talari Networks*, not Riverbed, would be the way to go. I knew the customer, I knew the environment, I understood the problem he was trying to fix and I knew we couldn’t do it at the time (the required features have since been integrated into Riverbed’s products). I can still walk in the door at this customer today and have a chat about his projects; he knows I won’t twist his arm to turn things into a fit for my company, and he calls me when he thinks there is even the slightest chance I do have something for him.

So like the excellent TV series “The Newsroom” (it should come as no surprise that if I dislike Fox I like something Aaron Sorkin has written :rolleyes) asks itself when trying to shed the yoke of biased newscasts before it: 1) Is this information we need in the voting booth? 2) Is this the best possible form of the argument? 3) Is the story in historical context?

I think we can do a better job by holding ourselves to higher ideals and dispensing more facts and less fiction. The customer is smart, the road from products to sale is long and fraught with dangers (a quote I hear more and more is that 50 to 75% of the sales process takes place before the vendor is even involved, by going out online to find information, talking to peers, and talking to partners who are more traditionally seen in the trusted advisor role), so we should, and can, do better.

* In all honesty my mind quickly went to Talari Networks, and not for instance to Ipanema Technologies, also because of competitive threats of one versus the other. It is never just black or white.

Posted in non-technical

VMware Horizon View – High Level Storage Caching Options

What are we trying to solve?

Probably the most quoted statement about VDI is that solving the storage problem is hard. Why?

Replacing your users’ physical desktops, which have local disks, with a virtual machine in the datacenter requires you to think about cost (enterprise storage is probably more expensive than the consumer-grade disks in a PC) and performance (if you have 10.000 PCs being migrated to VDI, are you going to have 10.000 HDDs in your datacenter storage box?).

How much IOPS do you really need?

If you look at the IOPS a single HDD in a PC can deliver you should expect something in the 75 to 100 IOPS range for a single 7.200 rpm SATA drive.

But what if there are more IOPS available?

The figure below looks at what Windows would request if it had unlimited IOPS available. As you can see a desktop search reaches up to 900 read IOPS and opening a 5MB PowerPoint file pushes 500 and more read IOPS.

(Figure: xtremio iops)

In order to limit this (expected) behavior we sometimes disable certain services/functionality in a virtual desktop environment; this then becomes a trade-off between user experience and the cost of the back-end infrastructure. Seeing that a typical desktop only has about 100 IOPS available you can of course argue that a user is waiting on the spinning disk in a physical environment anyway, so he doesn’t expect it to be faster (not really the best design principle imho).

The picture above also indicates what causes IOPS spikes (index-searching, opening applications, AV-scanning,…) so we should incorporate these in our VDI design.

Read / Write ratio

A typical pattern (it all depends on use cases of course) we see, after user logon, is around 70 to 80% write IOPS and 20 to 30% read IOPS for a virtual desktop. Because we have multiple virtual machines accessing the same back end storage we also run into the storage IO blender issue which causes the write IOs to be random and typically 4K in block size.
When we are using a storage array we also need to take into account the RAID write-penalty, i.e. you have multiple writes taking place for each block depending on the protection level, the table below gives an overview.

(Figure: RAID write penalty per protection level)

Storage Caching options

Note that the feasibility of any of these techniques depends on the type of VDI environment you are architecting; these are some examples of what is possible, and the list is in no way exhaustive.

VMware itself has some options to alleviate some of the issues related to storage in a VDI environment like CBRC/View Storage Accelerator and VSAN.

Memory based read IOPS caching

VMware View Storage Accelerator

The vSphere host Content Based Read Cache (CBRC) feature is known as View Storage Accelerator in Horizon View. Among other things it addresses the initial IO required during booting of the virtual desktops by caching the most common blocks in memory on the host, completely transparent to the virtual desktop. The maximum amount of memory that can be allocated to CBRC is 2GB per host.

For a Windows 7 guest single vSphere host boot storm the effect of CBRC looks something like the picture below.

(Figure: CBRC effect on a boot storm)
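The read/write ratio, the RAID write penalty and a host memory read cache such as CBRC combine into a simple back-end capacity estimate. The following is an added example, not from the original post or from VMware; the pool size, per-desktop IOPS, boot-storm profile and the 80% cache hit rate are constructed, while the RAID write penalties are the standard ones:

```python
"""Back-end IOPS estimate for a VDI pool, combining the post's inputs.

Added example (not from the post): it carries the post's 70-80% write /
20-30% read ratio and the RAID write penalty through to the back-end IOPS
(and spindles) a desktop pool needs, and shows what a host memory read cache
such as CBRC/View Storage Accelerator does to that number in steady state
versus a read-heavy boot storm. Pool size, per-desktop IOPS and cache hit
rates are constructed for illustration.
"""
import math
from dataclasses import dataclass

# Back-end disk writes generated per front-end write (standard RAID penalties).
RAID_WRITE_PENALTY = {"RAID0": 1, "RAID1": 2, "RAID10": 2, "RAID5": 4, "RAID6": 6}


@dataclass
class VdiPool:
    desktops: int
    iops_per_desktop: float       # front-end IOPS each virtual desktop generates
    write_ratio: float            # fraction of those IOPS that are writes
    raid_level: str
    read_cache_hit: float = 0.0   # fraction of reads served from host memory

    def frontend_iops(self) -> float:
        return self.desktops * self.iops_per_desktop

    def backend_iops(self) -> float:
        """IOPS the storage array actually has to absorb."""
        fe = self.frontend_iops()
        writes = fe * self.write_ratio
        reads = fe - writes
        # A read cache only removes read hits; every write still reaches the
        # array and costs RAID_WRITE_PENALTY disk operations there.
        reads_to_array = reads * (1.0 - self.read_cache_hit)
        writes_to_array = writes * RAID_WRITE_PENALTY[self.raid_level]
        return round(reads_to_array + writes_to_array, 6)

    def spindles(self, iops_per_disk: float = 100.0) -> int:
        """Disks needed if each delivers iops_per_disk (post: 75-100 for 7.200 rpm SATA)."""
        return math.ceil(self.backend_iops() / iops_per_disk)


def cache_saving(pool: VdiPool, hit_rate: float) -> float:
    """Fraction of back-end IOPS removed by a read cache with the given hit rate."""
    without = pool.backend_iops()
    cached = VdiPool(pool.desktops, pool.iops_per_desktop, pool.write_ratio,
                     pool.raid_level, hit_rate)
    return round(1.0 - cached.backend_iops() / without, 4)


# Constructed scenario: 1,000 desktops at 10 steady-state IOPS each, 70% writes.
STEADY = VdiPool(desktops=1000, iops_per_desktop=10, write_ratio=0.7, raid_level="RAID5")
# Same pool during a boot storm: far more IO and mostly reads (constructed 80/20).
BOOT = VdiPool(desktops=1000, iops_per_desktop=50, write_ratio=0.2, raid_level="RAID5")

if __name__ == "__main__":
    print("steady state on RAID5:", STEADY.backend_iops(), "IOPS,", STEADY.spindles(), "spindles")
    print("steady state on RAID10:", VdiPool(1000, 10, 0.7, "RAID10").backend_iops(), "IOPS")
    print("80% read-cache hit saves in steady state:", cache_saving(STEADY, 0.8))
    print("80% read-cache hit saves in a boot storm: ", cache_saving(BOOT, 0.8))
```

With the post's write-heavy steady state the write penalty dominates and a read cache shaves under 8% off the array load, while the same cache removes 40% of a read-heavy boot storm, which is why CBRC is positioned against boot IO rather than as a general fix.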

Memory based read/write IOPS caching

Atlantis ILIO

Atlantis Computing takes the memory caching approach a step further by having the entire virtual desktop run in memory on the host; this way both reads and writes are served by the vSphere host, greatly improving performance of the guest. To get around the limited capacity of memory they use in-line deduplication. Persistent storage is achieved through fast replication to a separate replication host. Atlantis claims an 80% IOPS reduction on the back-end storage while only needing 5% of the original capacity. The solution can be coupled with vSphere CBRC to further increase performance acceleration.

(Figure: Atlantis ILIO persistent VDI architecture)

Liquidware Labs Flex-IO

Flex-IO provides IOPS acceleration for non-persistent desktops, like Atlantis ILIO it leverages the memory of the vSphere host for R/W operations and uses compression to alleviate capacity requirements.

(Figure: Liquidware Labs Flex-IO)

Flex-IO can also be coupled with vSphere CBRC to increase the performance gains.

Infinio

Infinio Accelerator’s distributed storage architecture uses two vCPUs and 8 GB of RAM from each server to provide a distributed, de-duped cache. This can then also be leveraged for VDI workloads. As far as I know Infinio exposes NAS services only at the moment. The product is aimed at easy install and easy removal without reconfiguration or any downtime, it connects to the vMotion network and optimizes NAS traffic (assuming it runs over the same vmkernel port) on the fly.

(Figure: Infinio architecture)

Infinio recently hired the former EUC CTO from VMware, Scott Davis.

Host (server) based flash caching

VMware vFlash Read Cache

At the moment of writing Horizon View does not support VMware Flash Read Cache.

Proximal Data

Proximal Data AutoCache works as a vSphere-attached solution that inspects all I/O from all virtual machines and places hot I/O on a local PCIe flash card or solid-state disk (SSD). By design, AutoCache is a read cache with write-through and write-around semantics. Its algorithm supplies hot reads back to the VMs that request them, without requiring any sysadmin configuration to modify the deployed storage or VM infrastructure. AutoCache creates a universal cache for all VMs that adapts automatically to the changing workloads of the environment, shifting cache resources on the fly to the VMs that most need them. Cold data is then moved to the storage array.

(Figure: Proximal Data AutoCache)

Pernixdata FVP

FVP virtualizes flash and RAM across servers to create a clustered pool of high-speed resources that accelerate reads and writes to shared storage. This should decrease Horizon View latency by up to 80%.

(Figure: PernixData FVP)

FVP can also be coupled with vSphere CBRC to further accelerate performance.

PCIe Flash based host storage

Virident/Fusion-IO/XtremSF/…

In these types of setups the vSphere host is populated with Flash cards that are used to offload I/O from the back-end storage; this is usually limited to non-persistent desktops, requiring replicas of the golden image to be placed on all local flash datastores.

Storage based caching options for VDI

With the advent of All Flash Arrays using in-line deduplication putting persistent desktops on an AFA has become a reality from a cost perspective.

VMware itself has recently GA’ed VSAN as an option for Horizon View giving you a mix of performance (SSD based R/W cache, no actual persistent data is stored on the SSD) and price conscious capacity (HDD) for a virtual desktop environment.

Other storage vendor options include, like on the server side, various caching options to front-end spinning disk, or have a tiered solution that intelligently moves data based on performance requirements.

Conclusion

Depending on your use case and budget you can pick and choose the best option for your specific environment. Remember that different parts of your user population can require a different setup with different capabilities, a sure-fire way to fail any VDI deployment is by treating all your end-users the same.

Posted in vmware

NSX Service Chaining

When NSX was introduced to the public at large during VMworld 2013, there was a logo slide including all the initial NSX partners that had a working demo together with NSX. Now in order to have both solutions work together in a meaningful way we often resort to service insertions or service chaining.

(Figure: NSX partner logos, VMworld 2013)

What is service chaining?

Some different definitions exist, which is somewhat expected in what is a very active (SDN) market right now. I’ll liken it to a traditional network with lots of middle boxes (load-balancer, WAN accelerator, firewall, etc.): you have to cable up these appliances in your network and then manually configure the traffic flow to “route” via these boxes for a specific service, i.e. you want your external website to be load-balanced across multiple front-end servers, so you point your web clients towards the load-balancer, which then spreads the traffic across multiple servers. In the SDN/NFV space this is somewhat similar but more rapid and dynamic (on-demand), i.e. you can create policies that govern when certain services are required, and these (usually VMs) are then put into the data path if and when needed. Since it should be fast to provision a new VM/application, provisioning network services should be equally fast, and we are not limited to the standard network plumbing (L3-4) either, which is quite important. In the world of virtualization, where virtual machines can move around physical hosts and physical network devices, it is imperative that service chaining or service insertion can deal with these events; this is somewhat trickier in a purely physical world.

Some service chaining/service insertion solution examples;

Security with Palo Alto Networks

If and when the added security capabilities of the virtual Palo Alto security appliance are needed traffic from the VM is transparently (you don’t need to do network configuration) inserted in the path of the virtual security appliance. Context is shared between NSX and Palo Alto Panorama (centralized management) to keep track of VM movement and make sure that security policies can still be enforced.

WAN optimisation with Silver Peak

The Silver Peak integration (Agility for VMware Software Defined Data Centers / point-and-click workload optimization) provides traffic redirection for workload optimization, meaning that if WAN optimization is required you can enable redirection for a specific application/VM toward the Silver Peak VX VM which then does the optimization across the WAN.

ADC services with F5 Networks

Trend Micro Deep Security

Many more examples, in various stages of development, exist.
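The policy-driven, mobility-aware insertion described above can be modelled in a few lines. This is an added example, not NSX or partner code: the service names, tags, rules and the canonical data-path order (inspect, then WAN-optimise, then load-balance) are constructed:

```python
"""Policy-driven service insertion, illustrating the post's service chaining.

Added example (not NSX or partner code): instead of cabling middle boxes into
a fixed path, a policy decides per VM which services are inserted into its
data path and in what order, services are added on demand when a VM's
attributes change, and the chain follows the VM when it moves to another
host. Service names, tags and rules are constructed.
"""
from dataclasses import dataclass, field

# Order in which inserted services see a packet (constructed for this example).
SERVICE_ORDER = ("ngfw", "wan-opt", "adc")


@dataclass(frozen=True)
class ChainRule:
    match_tags: frozenset   # every tag must be present on the VM
    services: frozenset     # services the rule asks to insert


@dataclass
class VM:
    name: str
    host: str
    tags: set = field(default_factory=set)


def chain_for(vm: VM, rules) -> tuple:
    """Union of the services requested by matching rules, in data-path order."""
    wanted = set()
    for rule in rules:
        if rule.match_tags <= vm.tags:
            wanted |= rule.services
    return tuple(s for s in SERVICE_ORDER if s in wanted)


class ServiceInsertion:
    """Per-host steering tables: host -> {vm name: service chain}."""

    def __init__(self, rules):
        self.rules = tuple(rules)
        self.steering = {}

    def program(self, vm: VM) -> tuple:
        """(Re)compute the VM's chain and program it on the VM's current host."""
        chain = chain_for(vm, self.rules)
        table = self.steering.setdefault(vm.host, {})
        if chain:
            table[vm.name] = chain      # redirect this VM's traffic via the chain
        else:
            table.pop(vm.name, None)    # nothing to insert: direct path
        return chain

    def tag(self, vm: VM, new_tag: str) -> tuple:
        """On-demand insertion: a changed attribute re-evaluates the chain."""
        vm.tags.add(new_tag)
        return self.program(vm)

    def migrate(self, vm: VM, new_host: str) -> tuple:
        """vMotion: steering leaves the old host and is rebuilt on the new one."""
        self.steering.get(vm.host, {}).pop(vm.name, None)
        vm.host = new_host
        return self.program(vm)

    def chain_on(self, host: str, vm_name: str):
        return self.steering.get(host, {}).get(vm_name)


# Constructed policy: internet-facing VMs get a firewall, web VMs get an ADC,
# VMs serving branch users get WAN optimisation.
RULES = (
    ChainRule(frozenset({"internet-facing"}), frozenset({"ngfw"})),
    ChainRule(frozenset({"web"}), frozenset({"adc"})),
    ChainRule(frozenset({"branch-users"}), frozenset({"wan-opt"})),
)

if __name__ == "__main__":
    si = ServiceInsertion(RULES)
    web = VM("web-01", "esx-a", {"web", "internet-facing"})
    print(si.program(web))                   # firewall and load balancer
    print(si.tag(web, "branch-users"))       # WAN optimiser inserted on demand
    print(si.migrate(web, "esx-b"))          # same chain, now on the new host
    print(si.chain_on("esx-a", "web-01"))    # nothing left behind on the old host
```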


Posted in NSX, SDN, vmware