Weekly Edition
Return to the Press page
| |||||||||||||
|
| |||||||||||||
VMware exec says Windows days are numbered (ComputerWorld)
Stephen J. Vaughan Nichols
discusses Paul Harapin's
predictions for the end of Windows.
"Seriously.
In an ITWire tale, Paul Harapin, VMware's managing director for Australia and New Zealand said Windows is already being replaced by virtual appliances running on Linux. In ten-years, there will be no more Windows.
OK. I know people at Red Hat who would say that that's exactly what will happen. That's right out of the new Red Hat KVM-based virtualization playbook. But, someone from VMware saying this? Wow."
(Log in to post comments)
VMware exec says Windows days are numbered (ComputerWorld) Posted Aug 20, 2008 18:18 UTC (Wed) by rahvin (subscriber, #16953) [Link] I think he's right. Any service that can be replicated on Linux will be. It just makes sense and it's the primary seller of VMWare. In fact VMWares success directly related to the creation of Redhat's strategy, and it's not just Rehat, Novell has a very similar strategy. There's big money in VM right now. Maybe Xen and the OSS distributors can cannibalize or grow the market but the fact is VM a huge money saver for companies. Power has gotten so outrageously expensive along with the cooling to go with it that servers have a tremendous long term expense. If you can shrink 6 servers in 1 your long term savings more than make up for the cost of software and/or support and that has caused the creation of a huge market for software to handle the VM's a market by my estimation (given energy costs) is going to continue to grow and expand. Once you have the VM architecture it's almost a no brainer to replace MS services with small individual Linux VM's to handle the tasks. Need 3 VM's to handle the task of a single windows server? Not a problem once the architecture is in place, the only costs are support.
I just don't get virtual appliances Posted Aug 20, 2008 23:11 UTC (Wed) by dmarti (subscriber, #11625) [Link] If you deliver an application as a "virtual appliance" then any OS security update becomes a security update to your application. Sure, you can strip the OS down, but imagine a customer with a bunch of ISVs' virtual appliances on the day everybody releases a fix for a commonly used library.
I just don't get virtual appliances Posted Aug 21, 2008 5:36 UTC (Thu) by k8to (subscriber, #15413) [Link] Is the cost for this really higher than the cost for updating the library for only "one" operating system per host? I assume one of the following is true. 1 - You use the normal distro update mechanisms 2 - You use a custom update mechanism 3 - You don't have any rhyme or reason for update mechanisms Does haveing various virtualized machines tend to move people from one choice to another? I'd expect there'd be some of 3, and then customer pressure to enable 2, products to do 2, or at least a return to 1, among the vm-application providers. There are certainly likely to be more raw updates, but the computation time to update is not high, and the bandwith cost is solvable with networks. The problem scenario is if each VM explodes, you have more explosions, but I think you're somewhat screwed in a non-VM case as well if you use 1 or 2 to automate exploding your entire server farm. What am I missing?
I just don't get virtual appliances Posted Aug 21, 2008 22:31 UTC (Thu) by rahvin (subscriber, #16953) [Link] I don't think the pain of updates to Linux is anywhere near the pain of updating MS products. Not being in IT, I had always heard that patch Tuesday are the worst updates to apply as you never have any idea of what they will break because of how convoluted the windows code base is. Having hundreds of VM's as opposed to 1/3 as many Windows servers would seem to me at least to be far easier to handle. Especially given how easy patching the major distributions is now as most have auto security update systems you can use.
VMware exec says Windows days are numbered (ComputerWorld) Posted Aug 23, 2008 19:07 UTC (Sat) by giraffedata (subscriber, #1954) [Link] When you replace 6 servers with 1, what are you shrinking? Same number of MIPS, same amount of memory, same amount of disk space.I think you're just shrinking physical administrative work. Most of the advertisement I see for doing this combination stresses the reduction of the most expensive resource -- human. I know combining lets you overlap the reserves that you build into each of the 6 servers, but I think of that as adminstrative cost too, because you build that in to avoid the labor involved in moving physical resources around when the workload changes.
VMware exec says Windows days are numbered (ComputerWorld) Posted Aug 23, 2008 21:12 UTC (Sat) by dlang (✭ supporter ✭, #313) [Link]
actually, you are not shrinking your administrative work, you are increasing it.
before you had six copies of an OS to patch and administer, after combining them you now have seven (the six virtual machines and the host OS)
unfortunately many people view virtual machines the way you do and don't ever update them, eventually this is going to start catching up with people.
there are valid reasons to do virtualization
1. you have programs that won't play well with each other that you want to isolate.
and the requirements of the systems are such that a single box can power them all
then it can save you power, rackspace, and possibly money to buy one box to host the other logical systems as virtual machines.
virtualization doesn't solve many problems by itself (in spite of what the vendors claim). yes, it allows you to do graceful migrations from one system to another (by suspending the virtual machine on one box and starting it on another), but only if all the settings are still valid in the new location (same network settings work, no connections to local resources, etc). but this is _not_ the same as making the application highly available, if the first machine crashes the second machine does not have a fully up-to-date copy of the virtual machine to run
VMware exec says Windows days are numbered (ComputerWorld) Posted Aug 23, 2008 21:45 UTC (Sat) by giraffedata (subscriber, #1954) [Link] actually, you are not shrinking your administrative work, you are increasing it. Possibly, but note that I didn't make a statement about the total administrative work. I said you shrink the physical administrative work. This is apparently especially costly for some installations. Taking racks apart and moving memory and CPUs or recabling is more expensive than typing commands from a remote office. Sometimes those commands can even be issued automatically.
VMware exec says Windows days are numbered (ComputerWorld) Posted Aug 20, 2008 18:52 UTC (Wed) by sg7jimr (guest, #22837) [Link] The irony here is that Windows is the horse VMware bet on. They abandoned Linux users by making their VirtualCenter product (which manages VMware clusters) a Windows application, and migrated their old management client from an architecture that ran on Linux to one that required .Net. Linux administrators wanting to manage VirtualCenter are stuck with a very limited and clunky web interface. If VMware can see the future so clearly, what bonehead made that design decision? Who besides VMware thinks Windows when they hear the term "high availability cluster"? The bias in favor of Windows is also seen in the related Converter and Consolidated Backup utilities.
VMware exec says Windows days are numbered (ComputerWorld) Posted Aug 20, 2008 19:28 UTC (Wed) by wilreichert (subscriber, #17680) [Link] No worries, they've got 10 years to re-write everything in gnome and kde flavored versions.
VMware exec says Windows days are numbered (ComputerWorld) Posted Aug 21, 2008 20:22 UTC (Thu) by massimiliano (subscriber, #3048) [Link] Or, if they developed it using .NET (extremely likely), they'll just port it to Linux very easily...
VMware exec says Windows days are numbered (ComputerWorld) Posted Aug 20, 2008 19:54 UTC (Wed) by leoc (subscriber, #39773) [Link] I think he means on servers, not clients.
VMware exec says Windows days are numbered (ComputerWorld) Posted Aug 20, 2008 20:59 UTC (Wed) by chojrak11 (guest, #52056) [Link] I'd say one more VMWare's fuckup and *their* days will be numbered.
VMware exec says Windows days are numbered (ComputerWorld) Posted Aug 20, 2008 21:20 UTC (Wed) by ccchips (subscriber, #3222) [Link] Right. 6,491,237,442,918,220 ;)
VMware exec says Windows days are numbered (ComputerWorld) Posted Aug 20, 2008 21:51 UTC (Wed) by Cato (subscriber, #7643) [Link] Microsoft is a direct competitor of VMware so it's hardly surprising that VMware promotes Linux as competition for Microsoft. I hope they're right but they could make a start by providing better product support for Linux, as mentioned above.
VMware exec says Windows days are numbered (ComputerWorld) Posted Aug 21, 2008 0:19 UTC (Thu) by dps (subscriber, #5725) [Link] I think the end of windows is unlikely to happen soon. In particular KVM and VMware are actually rather good x86 box simulators (albeit with some hardware assistance, which probably helps quite a lot). This allows you to *continue* to use windows rather than move wholesale to something else. Xen is different. Despite actually managing to make one version of windows work a version of Xen licensing issues made it impossible to use. Xen ports of Linux and FreeBSD, where the licensing was not a problem, are actively used. What might be numbered are the days of higher-end boxen running windows, providing lots of services and not being very insecure as a result. Virtual machines isolate the services making breaches much more limited. I expect to see the same thing happen on linux, solaris, etc but less so because those systems and fundamentally more secure[*]. SELinux, and systems like trusted Solaris, offer capabilities that windows on VMware can only dream about. On the desktop none of this really applies. Isolation at this level is usually annoying and reduces productivity. Only if your desktop might have both secret and top secret windows, and users that cannot be entirely trusted, are you likely to think the extra security is worth the pain of seriously reduced desktop features. [*] You can render this statement false by moves like allowing large groups of people access to a root shell (like my work does). I would be one of the people that does have this access, which I have never had any desire to use myself. Note than I *not* a system administrator---if I was root access would be restricted the few people that could find a very good reason for having it. You might also find some of your "unlimited internet access" only works if you use the provided proxies.
VMware exec says Windows days are numbered (ComputerWorld) Posted Aug 21, 2008 2:13 UTC (Thu) by Sutoka (guest, #43890) [Link] There are a few cases where I think VMs/Containers might be very useful on the desktop, primarily with web browsers. Web Browsers are *still* the main point of entry for most infections (not counting the silly ones where the user explicitly downloads, installs, and grants permission) on the desktop, so being able to restrict it as much as possible would greatly help security. If the Web Browser could be thrown inside a very restricted VM or Container you'd be able to greatly limit the impact of most browser exploits (I'm not gonna even think about the case where the user downloads, grants permission to, and runs 'EVILSCRIPT.SH' as thats a completely unrelated problem). If a small chunk of the browser was split off into a helper app that ran in the host system as the user wanting to browse the web (that'd simply be the process responsible for writing any data other than the cache/history/cookies, popping up the file dialogs and etc), that'd allow the user to keep (most) all the functionality while greatly reducing the attack vectors; you'd have to compromise the web browser, THEN either the helper app (which should be *much* easier to audit as the code should be far smaller), the kernel(+VM if not using a container), or Xorg (from what I hear, this'd be a *major* problem). At the very least it sounds interesting to me in theory, a similar approach could be taken for lots of desktop applications (like online games), and Containers sound like they'd be the best way to implement this although I have little experience with them (like can you put an application into a container with an EMPTY filesystem?).
VMware exec says Windows days are numbered (ComputerWorld) Posted Aug 21, 2008 5:24 UTC (Thu) by Duncan (guest, #6647) [Link] Actually, the concept of a VM browser appliance, it's own little machine, /without/ that helper you mentioned, seems pretty appealing to me. So it gets 0wn3d, so what? Let it run amok in the VM where it can't touch anything else, and where shutting down the browser shuts down the VM, which is reset to a mostly clean state on restarting it. Let the save dialog save in that sandbox, not anywhere out of it, and let the user access the stuff in that sandbox as they would stuff in a chroot from outside it. The user could then cp/mv a file to elsewhere on the the parts of the system they can write to, but the browser and anything (plugins, etc) running in the same VM would have access only to the filesystem and machine in the VM. One could even have a special VM supplied by their bank, that /only/ did banking, and was separate from all the other VMs. Online games and the like could work similarly. Mail? Same thing, it's own VM, limited to writing to its own VM managed filesystem sandbox. That one could have a browser in the VM as well, which would load when you clicked a link, but it too could only write in the common mail/browser sandbox, which would be separate from regular system browser sandbox. The user in the hypervisor could of course copy files and etc between sandboxes or out of the sandboxes into the hypervisor level, but the apps within the VMs couldn't access anything outside their VM. Of course this would play havoc with browser based system updates, since all they'd update would be their little VM, not the hypervisor, which would have to run its own updates, but that shouldn't be a problem. The hypervisor could in fact have its own little update VM (it's a net based update fetching service so it goes in a VM, not directly on the hypervisor), limited to that one special service, with the hypervisor then copying the updates out of it and applying them on the main system. Meanwhile, VMWare's still black-box proprietaryware, and as such, it's out of the question here, as of course are MS OSs in VM or out. KVM or xen, sure; they aren't proprietaryware. Duncan
VMware exec says Windows days are numbered (ComputerWorld) Posted Aug 21, 2008 9:14 UTC (Thu) by NAR (subscriber, #1313) [Link] Well, when I click on a link pointing to a .doc file, Opera opens OpenOffice for me, so the VM should have an OpenOffice too. And a PDF reader. And a media player. Anyway, I'm not sure how this would make anything more secure. I don't know if the browsers have any code that they automatically run on startup (think about Firefox extensions) - for the attacker it's enough to install such code and the host is owned, at least for the purposes of sending spam or trying to break into other hosts.
VMware exec says Windows days are numbered (ComputerWorld) Posted Aug 22, 2008 1:30 UTC (Fri) by Sutoka (guest, #43890) [Link] >Well, when I click on a link pointing to a .doc file, Opera >opens OpenOffice for me, so the VM should have an OpenOffice >too. And a PDF reader. And a media player. This is what I was thinking the helper app would be useful for, it could also mediate for the other applications (although if you wanted to EMBED them inside the browser that would take more work). >Anyway, I'm not sure how this would make anything more secure. >I don't know if the browsers have any code that they automatically >run on startup (think about Firefox extensions) - for the attacker >it's enough to install such code and the host is owned, at least >for the purposes of sending spam or trying to break into other hosts. You could use things like SELinux and firewalls (on the host and/or VM) to limit what the browser in the VM could do. You could have the host+vm drop all out going mail connections based on port, as well as dropping all incoming network connections. You could make the malware author's job a bit harder by having a high-level firewall (layer 7 firewall, was it called?) that'd drop non-http/https connections. None of this is meant to be The One Solution, but just yet another layer of security (security is all about layers, remember? :P). This wouldn't protect you against all issues, but it'd help minimize the impact as well as compartmentalize the damage.
VMware exec says Windows days are numbered (ComputerWorld) Posted Aug 22, 2008 10:00 UTC (Fri) by NAR (subscriber, #1313) [Link] This is what I was thinking the helper app would be useful for, it could also mediate for the other applications (although if you wanted to EMBED them inside the browser that would take more work).I don't really know how this helper application would work, but either it should be able to communicate out from the sandbox VM (e.g. to an already running OpenOffice instance), which is an obvious security threat, or there should be a complete OpenOffice, etc. installation inside the sandbox VM - in that case the synchronization of the preferences, etc. would be inconvinient. You could use things like SELinux and firewalls (on the host and/or VM) to limit what the browser in the VM could do. You don't really need a separate VM for that. You could have the host+vm drop all out going mail connections based on port The problem is that the user might want to send an e-mail from the VM (think about mailto: links). This setting would break this feature. as well as dropping all incoming network connections. On a typical desktop the host firewall drops these kind of connections anyway. just yet another layer of security (security is all about layers, remember? :P) On the other hand yet an other layer is yet an other piece of software that can contain bugs, can be misconfigured and annoys the users (think about the need to move files in and out of the VM). I think that given the integration of browsers into the desktops, we've passed the point when a browser could have been put into a sandbox.
VMware exec says Windows days are numbered (ComputerWorld) Posted Aug 22, 2008 1:49 UTC (Fri) by efexis (guest, #26355) [Link] "Meanwhile, VMWare's still black-box proprietaryware, and as such, it's out of the question here"Far from it, vmware already have an appliances download section on their website, and [at least] one of them is a browser vm; a small linux install which boots to browser you can run in vmware-player or -server (free downloads) on windows or linux.
VMware exec says Windows days are numbered (ComputerWorld) Posted Aug 22, 2008 15:08 UTC (Fri) by jhardin (guest, #3297) [Link] "Far from it"? How does the availability of open-source VM guest images refute the claim that VMWare itself is a proprietary black box? That's like claiming the availability of open-source Windows programs means Windows itself is not proprietary..."Meanwhile, VMWare's still black-box proprietaryware, and as such, it's out of the question here"Far from it, vmware already have an appliances download section on their website, and [at least] one of them is a browser vm; a small linux install which boots to browser you can run in vmware-player or -server (free downloads) on windows or linux. If VMWare is not a proprietary black box, then please post a URL where we can download the buildable sources for it.
VMware exec says Windows days are numbered (ComputerWorld) Posted Oct 14, 2008 2:38 UTC (Tue) by efexis (guest, #26355) [Link] How does the availability of open-source VM guest images refute the claim that VMWare itself is a proprietary black box?It doesn't, it refutes the claims that vmware being proprietary means things are "out of the question" for it, such as "Let it run amok in the VM where it can't touch anything else, and where shutting down the browser shuts down the VM, which is reset to a mostly clean state on restarting it". VMWare may be proprietary, but these things are possible with it.
VMware exec says Windows days are numbered (ComputerWorld) Posted Aug 21, 2008 14:36 UTC (Thu) by shapr (subscriber, #9077) [Link] In my recent switch to doing windows development, I've discovered great benefits to running a 32bit windows system in VMWare on top of a 64-bit Linux host with 8GB of ram. I think VMWare is right. At my job we deploy large chunks of software to production machines, I'd rather deploy to a local VM and then run the new VM in place of the previous production VM. Testing and everything else would be much easier.
|
|
||||||||||||