VM Junkie

September 2, 2009

VMworld session DV2363 – CVP Tech Deep Dive

Filed under: Uncategorized, vmworld — ermac318 @ 10:26 pm

This session was about VMware's Client Virtualization Platform, or CVP, which VMware announced a while back. Here are the highlights of the session.

CVP is a client hypervisor that is part of the greater VMware View offering. It is not going to be offered standalone; it is a View product only. It helps create what the presenters called a "thin" thick client: a managed, locked-down laptop that runs a View-provisioned VM locally.

There are two approaches to building a client hypervisor: Direct Assignment (passthrough) or Advanced Device Emulation.

In Direct Assignment, technologies like Intel VT-d (or equivalent software techniques) are used to pass a physical device (such as a video card) directly through into the VM. This has some advantages, such as lower overhead, and if you're running Windows in your VM then all you need is a set of Windows drivers, which are easy to find. Passthrough is also much easier to program.

It has several downsides, however. It ties your VM to that particular hardware, which reduces portability. It also makes it difficult to interpose on the device: if the video card is owned by the VM, the hypervisor has no way to access it, and the same goes for the network card, which means the hypervisor cannot inspect or filter the guest's traffic. The point being: if all you're doing is passing through your physical devices, why do you need a client hypervisor? Just run native. You can't add value when using passthrough for everything. For some device types (such as USB) where the OS already expects hardware to appear and disappear, passthrough is acceptable.

VMware's strategy is built around Advanced Device Emulation. The guest only needs a driver for the emulated device, because the hypervisor itself contains the driver for the underlying physical hardware. The advantages are that it divorces the VM from the hardware, making portability easy and simplifying hardware upgrades and recovery. Because every device is mediated, the hypervisor can also add functionality by managing the devices, such as enforcing network security policy on guest traffic. The cost is that the hypervisor must ship complete drivers for every piece of physical hardware it supports, which is why the supported hardware list is tied to qualified platforms.

VMware’s CVP has the following features:

  • Improved guest 3D support using a new type of virtual SVGA card. Supports DirectX 9.0L for Aero Glass.
  • Paravirtualized wireless device. This matters because, unlike a wired NIC, a wireless NIC has only one radio, so the hypervisor and the VM can't both be tuned to different networks. Someone has to own the radio, so VMware lets the guest control it (using the management capabilities built into the guest OS) through a special VMware WiFi virtual device. This also means it works with guest-based supplicants like iPass.
  • USB is fully supported and is passthrough, as in Workstation.
  • External display and multi-monitor capable. Allows extended desktop, mirroring and rotation, either through the built-in OS controls (Windows 7) or through a special VMware tab (Windows XP, Vista), analogous to the ATI/nVidia control panel applets that do the same.
  • External storage support for eSATA (!!) and built-in laptop card readers.
  • Power management awareness: respond to guest power state (i.e. allow the VM to suspend or shut down the physical hardware), respect the guest power policy, and deliver physical events like the lid switch or the sleep/power buttons to the guest.
  • Encryption support: the VMX and VMDKs are all encrypted using the onboard Intel vPro TXT and TPM capabilities, with 256-bit AES. When asked whether this would be optional or modifiable, the presenters said that is still to be determined.
  • CVP is based on Linux, and in the pre-beta version they showed it actually had a shell we could break out into. In the final version we were assured this would not be available, which matters, since a reachable shell on the hypervisor would undercut the locked-down design described below.

So what good is all this supposed to do? The idea is that the user checks out a virtual machine (or one is pre-provisioned for them) to their CVP device. That device is managed by View Manager, which talks to a View Agent embedded in the CVP. The agent is used for policy enforcement, heartbeats, configuration changes, endpoint statistics gathering, and managing transfers from the View Server. The VM can run offline and is also smart enough to adapt its virtual hardware (such as number of CPUs and GB of RAM) to the underlying physical hardware. VMware is targeting only a 256MB overhead for CVP. Today the CVP can run only one VM at a time, but it can store more than one.
</gre_replace>

<gr_replace lines="34" cat="clarify" orig="CVP is an embedded">
CVP is an embedded Linux Type 1 hypervisor with a minimal set of packages installed. It's optimized for fast boot time and will be fully qualified on individual hardware platforms (like ESX). It does not contain a general purpose OS, so there is no doing work in the CVP itself. VMware provides updates such as patches, bug fixes, and new hardware enablement. It will be updated monolithically, like ESXi (whole-image updates), and the updates are pushed from the View Manager server. The codebase is really unrelated to ESX; it is based more on Workstation for Linux.

CVP is an embedded Linux Type 1 hypervisor with a minimal set of packages installed. It’s optimized for fast boot time, and will be fully qualified on individual hardware platforms (like ESX). It does not contain a general purpose OS, so no doing work in the CVP. VMware itself provides updates such as patches, bug fixes, and new hardware enablement. It will be updated monolithically like ESXi is (full firmware updates), and this is updated from the View Manager server. The codebase is really unrelated to ESX, it’s more based on Workstation for Linux.

CVP requires Intel vPro and integrates with its Active Management Technology (AMT) for a number of things, such as inventory collection, remote power on/off, and configuration backup onto the AMT private storage. It will be compatible with all AMT-enabled management tools like Altiris, LANDesk, etc.

The CVP itself has no listening ports, so there is no network service on the hypervisor to attack directly; what remains exposed on the network is the outbound channel to View Manager and whatever the guest VM itself listens on. The disks are encrypted, and Intel TXT plus Trusted Boot protects the integrity of the hypervisor in hardware. After installation, the laptop will only boot the approved hypervisor (no booting to a rescue CD). The encryption keys are stored in the TPM and are used to encrypt the drives, so a swapped or modified boot chain should not be able to release them.
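To make the "approved hypervisor only, keys live in the TPM" design concrete, here is an added toy model of measured boot plus key sealing. This is my own illustration, not VMware's CVP code, and it makes no claim about how CVP actually drives TXT or the TPM; a real TPM does the PCR extend and the seal/unseal inside the chip, and TXT adds a CPU-enforced launch measurement. The boot images, the chain names and the ToyTPM class are all constructed for the example. What it shows is the property the session described: the disk key is sealed to the PCR value of the approved boot chain, so a tampered hypervisor image or a rescue CD measures to a different PCR and the key stays sealed.

```python
import hashlib
import hmac
import os

# Toy model of sealing a disk key to the measured boot state. Added as an
# illustration only; this is NOT VMware's CVP code and does not describe how
# CVP uses TXT/TPM. A real TPM performs extend/seal/unseal inside the chip.


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style PCR extend: new = SHA-256(old || measurement).
    There is no 'set' operation, so a later boot stage cannot rewrite what
    an earlier stage measured, and order matters."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(components) -> bytes:
    """Measured boot: each stage hashes the next image into the PCR before
    handing control to it. Returns the final PCR value for the sequence."""
    pcr = bytes(32)  # PCRs start at all zeros after reset
    for _name, image in components:
        pcr = pcr_extend(pcr, hashlib.sha256(image).digest())
    return pcr


class ToyTPM:
    """Minimal stand-in for a TPM's seal/unseal. The storage secret never
    leaves the object, and unseal succeeds only when the current PCR equals
    the PCR the blob was sealed against (the PCR is bound into the key)."""

    def __init__(self):
        self._storage_secret = os.urandom(32)  # simulated storage root key

    def _kek(self, pcr: bytes) -> bytes:
        # Key-encryption key derived from the chip secret AND the PCR value.
        return hmac.new(self._storage_secret, b"seal|" + pcr, hashlib.sha256).digest()

    def seal(self, secret32: bytes, expected_pcr: bytes) -> bytes:
        assert len(secret32) == 32
        kek = self._kek(expected_pcr)
        stream = hmac.new(kek, b"enc", hashlib.sha256).digest()  # 32-byte pad
        ct = bytes(a ^ b for a, b in zip(secret32, stream))
        tag = hmac.new(kek, b"tag|" + ct, hashlib.sha256).digest()
        return ct + tag

    def unseal(self, blob: bytes, current_pcr: bytes):
        ct, tag = blob[:32], blob[32:]
        kek = self._kek(current_pcr)
        expected = hmac.new(kek, b"tag|" + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # PCR mismatch: not the approved boot chain, key stays sealed
        stream = hmac.new(kek, b"enc", hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(ct, stream))


# Constructed sample boot chains (stand-ins for real firmware/hypervisor images).
APPROVED_CHAIN = [("bios", b"bios-1.0"), ("bootloader", b"cvp-boot-1.0"),
                  ("hypervisor", b"cvp-hv-1.0")]
TAMPERED_CHAIN = [("bios", b"bios-1.0"), ("bootloader", b"cvp-boot-1.0"),
                  ("hypervisor", b"cvp-hv-1.0-with-debug-shell")]
RESCUE_CD_CHAIN = [("bios", b"bios-1.0"), ("bootloader", b"isolinux"),
                   ("rescue", b"livecd-kernel")]


def provision(tpm: ToyTPM, disk_key: bytes) -> bytes:
    """Install time: measure the approved chain and seal the VMX/VMDK key to it."""
    return tpm.seal(disk_key, measure_boot(APPROVED_CHAIN))


def boot_and_unseal(tpm: ToyTPM, blob: bytes, chain):
    """Boot time: the chain is measured first; only a matching PCR releases the key."""
    return tpm.unseal(blob, measure_boot(chain))


def run_scenarios() -> dict:
    tpm = ToyTPM()
    disk_key = os.urandom(32)  # the AES-256 key the VMDKs would be encrypted under
    blob = provision(tpm, disk_key)
    return {
        "approved": boot_and_unseal(tpm, blob, APPROVED_CHAIN) == disk_key,
        "tampered_hv": boot_and_unseal(tpm, blob, TAMPERED_CHAIN) is None,
        "rescue_cd": boot_and_unseal(tpm, blob, RESCUE_CD_CHAIN) is None,
    }


if __name__ == "__main__":
    print(run_scenarios())
```

The thing to notice is that the hypervisor never stores the disk key; it only holds a sealed blob that is useless unless the platform booted the exact measured sequence. That is also why the "update monolithically from View Manager" model above matters: every hypervisor update changes the measurement, so the key has to be re-sealed to the new PCR value as part of the update, or the next boot will not be able to open the disks.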

I asked several questions at this session:

  • The demo from last year involved booting from a USB key. Will boot from flash be supported?
    • The initial release installs on the hard disk and runs from there.
  • Will the CVP also work as a remote View client (with PCoIP support)?
    • That is on the roadmap but will not be in version 1, which supports only locally running VMs.
  • At VMworld 2007, technology for streaming a virtual appliance and booting it while data was still in flight was demoed. Will this be in CVP?
    • They have the code, but a user-experience issue kept it out of the first release: how does the user know when it is safe to go offline? When they resolve that issue they will bring the code in.

Overall I am pretty excited about CVP. I understand the HCL may be fairly limited at launch (the hypervisor has to carry drivers for every supported platform), but it really does have tremendous potential for View environments.

3 Comments

  1. […] networking sessions Security Sessions at VMworld 2009 VMworld 09 – Long Distance VMotion (TA3105) VMworld session DV2363 – CVP Tech Deep Dive Author: esiebert7625 Categories: VMworld 2009 Tags: Sessions, VMworld 2009 Comments are […]

    Pingback by Welcome to vSphere-land! » Session Links — September 6, 2009 @ 3:36 pm

  2. […] Justin Emerson – VMworld session DV2363 – CVP Tech Deep Dive […]

    Pingback by VMworld 2009 (San Francisco) – Linkage » Yellow Bricks — September 9, 2009 @ 12:59 am
