
EVC, Patios, & Oh My!

Ever walk into a datacenter where they have vSphere clusters defined by the processor types? It happens more than you would think, and it is because of a misconception. Recently I saw one where they couldn’t live vMotion between two vSphere 6 clusters because the processors were different generations.

“Umm, turn on Enhanced vMotion Compatibility (EVC)?”, I asked.

The answer was that they didn’t want to limit the capabilities of the cluster. Their initial plan was the newer hardware cluster would handle all of the heavy workload VMs and keep all of the light VMs on the older hardware. They also believed that EVC would drop everything down to the lowest common denominator and limit the faster procs to the slowest speed.

So I showed them the actual vSphere Documentation.

You can use the Enhanced vMotion Compatibility (EVC) feature to help ensure vMotion compatibility for the hosts in a cluster. EVC ensures that all hosts in a cluster present the same CPU feature set to virtual machines, even if the actual CPUs on the hosts differ. Using EVC prevents migrations with vMotion from failing because of incompatible CPUs.

EVC masks only those processor features that affect vMotion compatibility. Enabling EVC does not prevent a virtual machine from taking advantage of faster processor speeds, increased numbers of CPU cores, or hardware virtualization support that might be available on newer hosts.

EVC cannot prevent virtual machines from accessing hidden CPU features in all circumstances. Applications that do not follow CPU vendor recommended methods of feature detection might behave unexpectedly in an EVC environment. VMware EVC cannot be supported with ill-behaved applications that do not follow the CPU vendor recommendations. For more information about creating well-behaved applications, search the VMware Knowledge Base for the article Detecting and Using New Features in CPUs.

Imagine it this way: you are invited to an orgy and there are a mix of folks, old, young, good looking, and ugly. Some of these folks may be left out when it’s time to pair up. But if they all wear masks you limit the impact of bias based on at least one category. EVC also doesn’t restrict the capabilities and instead allows for everyone to appear to perform the same to the VMs, so it’s like giving the old guys at the party Viagra.
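The KB article’s point about feature detection, as an added example in C that is not from the post or from VMware: the vendor-recommended check (CPUID leaf 1 OSXSAVE/AVX, XGETBV’s XCR0, then the leaf 7 AVX2 bit) written over raw register values so the EVC-masked case can be tried with constructed inputs, next to the family/model shortcut that EVC cannot protect. Function names are my own; it assumes GCC/Clang’s cpuid.h on x86.

```c
#include <stdint.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif

/* Vendor-documented bit positions: CPUID leaf 1 ECX, leaf 7 (subleaf 0) EBX, XCR0. */
#define L1_ECX_OSXSAVE (1u << 27)
#define L1_ECX_AVX     (1u << 28)
#define L7_EBX_AVX2    (1u << 5)
#define XCR0_XMM_YMM   0x6u   /* OS saves/restores XMM (bit 1) and YMM (bit 2) state */

/* Well-behaved detection as a pure function of the raw register values, so the
 * EVC-masked case can be exercised with constructed inputs. */
int avx2_usable(uint32_t leaf1_ecx, uint64_t xcr0, uint32_t leaf7_ebx)
{
    if (!(leaf1_ecx & L1_ECX_OSXSAVE)) return 0;          /* OS has not enabled XSAVE   */
    if (!(leaf1_ecx & L1_ECX_AVX)) return 0;              /* AVX absent or masked       */
    if ((xcr0 & XCR0_XMM_YMM) != XCR0_XMM_YMM) return 0;  /* YMM state not enabled      */
    return (leaf7_ebx & L7_EBX_AVX2) != 0;                /* the bit an EVC mask clears */
}

/* Ill-behaved shortcut: infer the feature from family/model (Haswell = family 6,
 * model 0x3C). EVC masks feature bits, not the family/model the VM sees, so this
 * still says "yes" inside a cluster whose EVC baseline hides AVX2. */
int avx2_guessed_from_model(uint32_t family, uint32_t model)
{
    return family == 6 && model >= 0x3C;   /* deliberately naive heuristic */
}

/* Ask the CPU we are running on (the masked view, inside an EVC cluster); -1 if not x86. */
int avx2_usable_here(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int a, b, c, d, a7, b7 = 0, c7, d7, lo, hi;
    uint64_t xcr0 = 0;
    if (!__get_cpuid(1, &a, &b, &c, &d)) return 0;
    if (c & L1_ECX_OSXSAVE) {                  /* XGETBV faults unless OSXSAVE is set */
        __asm__ volatile("xgetbv" : "=a"(lo), "=d"(hi) : "c"(0));
        xcr0 = ((uint64_t)hi << 32) | lo;
    }
    if (__get_cpuid_max(0, 0) >= 7)
        __cpuid_count(7, 0, a7, b7, c7, d7);   /* leaf 7 EBX carries the AVX2 bit */
    (void)a7; (void)c7; (void)d7;
    return avx2_usable(c, xcr0, b7);
#else
    return -1;
#endif
}
```

Run avx2_usable_here() from a guest in an EVC cluster and from the same binary on the bare host to see the masked and unmasked views differ while avx2_guessed_from_model() answers the same in both.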

Next I set about tackling the concern of mixed workload environments. Have you ever laid down base rock for a patio? It takes a mix of stone sizes, so that when they compact they interlock and form a smooth, solid surface on which you can build your patio. VMware workloads are very similar: it’s not that there aren’t reasons to restrict workloads to specific hosts, but it’s better to have a mix for better utilization. It also ensures that there is a more solid foundation for the entire virtual environment.

VMworld 2015: a couple of thoughts

So many blog posts this week, but I had some thoughts I needed to get out. VMworld 2015 is in the books, and it was fun, but how much was really announced, and what makes sense?

Let’s start at the top: there were a lot of announcements, but none more misunderstood than the first day’s. VMware announced Photon and their container solution. The second seems like a stab at trying to remain relevant with the current IT trends. Most likely that is what it is; as I have discussed before, containers are an application deployment methodology that doesn’t solve a problem but rather re-hashes previous solutions to the same issue of application management. But I think Photon was overlooked for how big a deal it really is.

Photon means that VMware will have a lightweight VM kernel to quickly deploy applications on top of vSphere directly. This is different from containers; this is changing to a unikernel approach. It means that VMware realizes that we no longer need to continue down the path of managing operating systems, runtime environments, and all the layers that come in between. Unikernels may very well be the future of how we deploy apps. But we will table this for another conversation.

What else was announced? Let’s see, EVO: SDDC. I have no words for this yet; it seems interesting, a hyper-converged vRA platform based on EVO. Could be cool, let’s see what becomes of this.

Partnerships with Microsoft on the EUC front make a lot of sense. This will open the doors for AirWatch and AppVolumes to provision applications for users on physical and virtual desktops as well as mobile devices. Pretty slick.

Oh and Cross-cloud migration which I was jokingly calling Criss-Cross Cloud Sauce.

This one got so much hate on Twitter, because it doesn’t support non-VMware cloud environments. Yes, this stinks, but who is to blame? Is it VMware’s fault for not better positioning vSphere as the infrastructure hypervisor of choice for AWS, Azure and the like? Sure, maybe, although as we have learned through mapping, as a thing matures the likelihood of competition through the maturation process to commoditization breeds divergence from the original market leader.

Is it the fault of us all for not demanding a standardized interface and API set for all clouds to be built to? Again we need to look at the maturation process: has cloud adoption gained enough leverage that the consumer base can better dictate the standards of the utility? Eh, most likely not; although we can vote with our dollars, we don’t yet see the vast majority shifting the needs and standards practice of cloud … yet. I think this comes soon though, as more cloud providers continue to shift to meet mandates and security compliance, the market will force the providers to begin to standardize practices. It’s happening in small ways today. Long-term niche markets will continue, but the vast majority of cloud will have the ability to leverage a unikernel approach to deployment. This will come either through the adoption of a Cloud Foundry-like PaaS solution for all app deployments, or through native application kernelization (new word!). But either way, if we utilitize the deployment of applications we must standardize the platform on which we deploy (that’s actually part of the value prop for Cloud Foundry or any PaaS).

Security and DevOps were both big topics at VMworld this year; new version and product releases be damned, these topics were what excited me. Most likely because they are some of my main focuses. What got your engine running?

Lastly, thank you to all who attended my session with Travis Howerton, all 103 of you; I was so surprised at that level of attendance for a Federal session.

Cars, Highways, and Ninjas = Secure Clouds?

Where to draw the line? The term secure multi-tenancy has become the bane of my existence recently. I was having a conversation with a friend at VMworld and realized that the issue is one of where we draw the line of demarcation.

When it is said that VMware vRealize Automation (vRA) provides secure multi-tenancy, it really means that there is a logical separation that demarks one team’s policy from another, but that isn’t the same as, say, VMware vCloud Director (vCD), which draws a logical separation around all resources including network, storage and compute. The analogy of cars and highways became the communication platform of choice. So let’s get into it.

A car as a tenant has all of the components needed to drive it wherever the driver or tenant owner wishes to go. There is an assumption of security in that car, and when properly secured with the doors locked and windows up this car is a secure tenant environment. The highway that the car wishes to drive on is then viewed as the infrastructure, and as long as one car drives down its own highway all things are okie dokie. In this scenario the road has no lanes of separation and the driver can drive at their own pleasure. This is then a private cloud, with the tenant owner owning the road that they drive down as well as the car.

Let’s start with multiple tenants first. If there is more than one car on the same highway and both are equally secured, then great, no problem, as long as both stick to the same rules and don’t run into each other. This is where defining lanes is imperative, not just as a policy standard but also as a logical separation. But what happens if one of the drivers wants to open the sunroof? Should they not be allowed to do that, even if they understand the risks that are associated with it? In my last blog post I talked about risk management. This is a matter of assessing the risk based on knowing the other cars are secure, but what if one of the other cars has a ninja? Now when the ninja decides he wants to jump from car to car and slips into a sunroof, he can ruin the highway for everyone by crashing his car into everyone else. This is where things get crazy: if we think that policy alone will ensure that cars won’t go driving around smashing into each other, then we are most likely correct, but how do we keep out the ninjas? Partly we do this through logical separation, ensuring no hopping across storage, compute or networking components. Again this is a matter of risk assessment, acceptance and mitigation.

It’s important to note that this isn’t the most secure method. You still need to accept that ninjas can jump into sunroofs; you just need to watch for them and have precautions in place. If you are risk averse you could air gap each tenant to their own set of infrastructure, but this essentially loses every aspect of what drives clouds to be more cost effective than traditional data centers.

There are micro-segmentation techniques for internal tenant organizations, and macro-level segmentation for dividing up physical to logical resources for multi-tenant environments. There are Intrusion Detection Solutions (IDS) and Intrusion Protection Solutions (IPS), there are firewalls and host-based security services, but at the end of the day it comes back to risk management.

No is the answer: vRA does not provide secure multi-tenant capability as per my definition. But it does allow for policy-based separation. So if you trust all of the other cars on the road not to crash into you and to follow the rules, then maybe you can accept the risk of driving vRA with other tenants. vCD is logical separation: if you are cool with the other cars on the road knowing the rules, having their own lanes to stay in and there being some guard rails, then maybe vCD is your cup of tea. Yet if you can’t deal with the craziness of this and want separate highways for every driver, then air-gapped physical separation may be your bag.

Whatever solution you choose, do the risk assessment, understand what you are getting yourself into, and know how to mitigate the risks that are there. You will have to accept a certain amount of risk; business justifications are typically the best way to CYA on those decisions. That equation is very simple:

Risk = Threat x Vulnerability x Cost 

Risk assessments are both quantitative and qualitative, so the risks available for mitigation, acceptance, and avoidance get quantified and qualified so they can be measured and rated.

I am not going to get into this process because I don’t feel like writing a CISSP study guide. If you all want to know more, ask questions and read the many sites out there. Who knows, maybe we will start to see security become a major part of cloud designs moving forward and we will all have armored cars on every highway we drive on.