Managing the Virtual Image Life Cycle
Managing the Virtual Image Life Cycle
More and more IT organizations are embracing virtual server and desktop infrastructure technologies. A December 2009 report from Forrester Research found that 71 percent of the companies it surveyed are using server virtualization and believe that 62 percent of their x86 server OS instances will be virtualized with the next two years. Virtual desktop implementations lag behind, but are gaining ground. A December 2009 study by Ziff Davis Enterprise's own Baseline found that 30 percent of participating executives expected deployment of VDI to increase at their companies.
For all the benefits that virtualization can deliver, the technology does not erase the need for physical-world management tasks such as prompt patching and, where appropriate, antivirus protection. In fact, some of virtualization's standout virtues-agility and flexibility, for instance-can double as management vices, particularly when it comes to managing these easily minted virtual machines as they move through their life cycles.
Rapid growth of virtual machines (both their images and their instances) can lead to a condition known as "virtual sprawl," in which lapses in basic care and feeding of multiplying, unaccounted-for virtual instances can present major IT and organizational challenges to enterprises.
Dealing effectively with VM lifecycle management boils down in large part to focusing on the management practices that worked in the physical world, beginning with well-planned golden images, adherence to timely patching regimes and careful system inventory. Certainly, these practices work a bit differently in the virtual world, so the key to success is watching out for virtual pitfalls and maximizing the advantages inherent in virtual platforms.
What's behind virtual sprawl?
Most virtualization implementations are focused on solving problems that were challenging when managing a one-to-one relationship between physical machines and software (OS and applications) such as underutilization and difficulties in providing management and security.
Previously, most enterprises suffered from what amounted to "physical server sprawl"-the result of years of building underutilized, heterogeneous, power-hungry and unmanageable server farms in fits and spurts as budget was available. This doesn't even take into account the difficulties involved in managing tens of thousands of physical desktops, pushing OS and application patches, enforcing security policy, and accepting that users typically need enough privileges to screw things up.
At first glance virtualization seems a natural solution to the problems of physical computing. Virtual machine images are more convenient to work with than physical machines because they can be treated, in essence, as data.
But now enterprises are starting to see a different kind of sprawl-virtual machine image sprawl. Virtual machine images are cloned, versioned, archived and, when in use, changed over time. The cost of physical server hardware controlled physical server sprawl somewhat, but virtual machines can be created, manipulated, duplicated and reconfigured without costing anything more than disk space. With the cost barrier removed, IT organizations are free to create countless virtual machine images with myriad configurations. Consider this the entry point for virtual sprawl, which, if not combated quickly and decisively, can ran rampant throughout an IT organization.
How does the sprawl grow? Each physical server is replaced by a virtual server image. Virtual server images are typically stored in a massive SAN (storage area network) environment, reaching hundreds of terabytes and even petabytes in some organizations, and deployed to a smaller number of well-utilized, homogeneous, commodity physical servers. Client machines (meaning an OS, apps, configuration and perhaps data) can be replaced by virtual desktops containing the same. But once deployed, no two virtual clients can truly remain the same for very long. Snapshots, clones, changes that are made and then rolled back, or not-all of this adds up to an explosion in the number of virtual machine images that must be catalogued, maintained, deployed and managed within an organization.
Start with your images
Just as with physical machines, virtual instances must be deployed and configured systematically to ensure security and reliability. Organizations need to determine which machines or images are eligible for a software deployment and then install and validate the software on each server, desktop or image. Installing enterprise software can be a time-consuming task that is best not repeated for 25,000 different images.
Organizations should create master images where software can be installed and validated once, although this is infinitely easier said than done. Every organization ends up with many, many heterogeneous images. The solution is either to deploy and update the same software on many images or to customize a single (or multiple) master image to produce many differently configured images.
In many ways virtual machine images are data and can be managed similarly to other business data such as document and data stores. Treating them as data allows IT organizations to simply back up and archive virtual machine images following corporate data retention policies. But virtual machine images are more than a static chunk of data, and it is critical that they be treated as if they are custom-developed code. They are virtual IT assets; in some ways they are software versions of physical IT assets. They need to be provisioned and checked for licensing, protected from and scanned for malware, and patched with the latest OS and application fixes.
It is for this reason that VDI best practices dictate creating a gold image to serve as a template for user virtual desktops. Storage is allocated to a virtual machine image (or this can be dynamic) and the OS and apps are installed and patched. When deemed to be gold, the virtual machine image should be cloned; work with the clone and archive the original.
Chances are that an enterprise will end up with many clones as virtual machine images are deployed, customized and updated. There will be a lot of similarities between virtual machine images, so they are excellent candidates for data deduplication and virtualized storage datastores. Many times virtual sprawl isn't confined to the data center and can take place across the entire enterprise network, especially in business continuity use cases where virtual machine images are getting deployed, synchronized and backed up across typically slow WAN links. WAN optimization devices, such those made by Cisco, Blue Coat and Riverbed, can help relieve the traffic burden.
Patching virtual machines is a particularly thorny issue. Often, as in the case of anti-malware software, patches and updates may need to take place as frequently as every hour. The greater the variety of virtual machine images that must be updated the more difficult and time-consuming the task. Thinking about how patch management is usually done (through client agents), how can patches be pushed to virtual machines when they aren't powered on?
All of this patching makes maintaining the gold virtual machine image more difficult. Management overhead increases exponentially with more virtual machine images, more virtual machine instances and more patches. These things happen naturally over time, so eventually an organization must sift through and clean up virtual machine images, decommission some, commission new clones from a patched gold virtual machine image and customize the clones. This is where having a current, easily accessible and comprehensive catalog or inventory of virtual machine images becomes critical.
There is also the issue of management of dormant virtual machine images versus active virtual machine instances. Agents that run on instances and report information back to a central server (like most endpoint software) may neglect to manage images while stored on disk. Maintaining entire virtual machine images is extremely time-consuming. Except for the smallest operations, firing up every virtual machine to update it, scanning it, applying patches and then shutting it down would take man-years.
I reviewed Shavlik NetChk Protect 7 and found it to be a very helpful patch management and anti-malware solution for virtual machine images. During testing, I was able to patch and protect virtual machine images (VMX files) with the same ease as managing a physical machine. Also, it almost goes without saying that VMware vSphere should be considered by any organization trying to manage the deployment, patching and redeployment of virtual machine images.
Inventory is essential
Keeping track of deployed systems and determining which software is installed where has implications for licensing, as most enterprise commercial software is licensed on a per-installation or per-user basis. Software needs to be inventoried before it can be maintained and patched. It's also critical to prevent unauthorized software such as peer-to-peer file sharing from being installed and run to ensure that physical compute resources are used for legitimate business purposes.
There are many inventory control products on the market today from companies such as IBM Tivoli, CA, BigFix and Symantec. In essence, these solutions install an agent on each machine (virtual or physical) that periodically scans the file system and memory, determines what software is installed, and reports back to a central reporting server. Traditional physical solutions require the machine to be powered on and the agent to be running, and many times the scanning is resource-intensive.
A better way is to work with virtual machine image files directly on disk. This is where VMware stands above other virtual machine image management and tracking solutions. VMware vSphere, with add-ons such as Host Profiles, VMware vCenter, VMware vCenter Orchestrator and VMware Update Manager, is an excellent solution for configuration management.
Thinking strategically, integration between the virtual machine, the virtual machine image and storage is going to become tighter and tighter. NetApp, EMC and just about all the other companies in the space are focused on alleviating the pain points around storing and managing virtual machine images on disk. For example, NetApp FlexClone creates a gold virtual machine image from which it can deploy thousands of virtual machine clones directly at the datastore.