VMware will disable Transparent Page Sharing by default in future ESXi releases

VMware ESXi has an interesting feature called Transparent Page Sharing (TPS). TPS deduplicates host memory. Virtual machine guest operating systems typically share a lot of common code. TPS scans host memory for identical pages, keeps only one copy of each, and maps the guests' pages to that single copy.

The effect is a saving of host memory and a higher virtual machine density, which results in lower costs per virtual machine.

VMware has announced, however, that it will disable TPS by default in future ESXi releases because of security concerns.

VMware has released a knowledgebase article saying:

This article acknowledges the recent academic research that leverages Transparent Page Sharing (TPS) to gain unauthorized access to data under certain highly controlled conditions and documents VMware’s precautionary measure of no longer enabling TPS in upcoming ESXi releases. At this time, VMware believes that the published information disclosure due to TPS between virtual machines is impractical in a real world deployment.
Published academic papers have demonstrated that by forcing a flush and reload of cache memory, it is possible to measure memory timings to try and determine an AES encryption key in use on another virtual machine running on the same physical processor of the host server if Transparent Page Sharing is enabled. This technique works only in a highly controlled system configured in a non-standard way that VMware believes would not be recreated in a production environment.
Even though VMware believes information being disclosed in real world conditions is unrealistic, out of an abundance of caution upcoming ESXi Update releases will no longer enable TPS between Virtual Machines by default.
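To illustrate what the change means in practice, here is a small Python model of TPS page sharing. It is an added example, not VMware's code and not from the original post: identical guest pages are merged onto one host backing page, and the model compares host-wide sharing (the old default) with sharing confined to a single VM (what "no longer enable TPS between Virtual Machines" amounts to). It counts the memory saved and the pages that end up shared across VM boundaries, which is the precondition for the cross-VM cache-timing measurement the knowledge base article refers to. The VM names and page contents are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data: each VM's guest memory as a list of page contents.
# Short strings stand in for 4 KiB pages; real TPS hashes pages and then
# compares them byte for byte before merging.
VMS = {
    "vm-a": ["kernel-text-1", "kernel-text-2", "libc", "app-a-data", "zero"],
    "vm-b": ["kernel-text-1", "kernel-text-2", "libc", "app-b-data", "zero", "zero"],
    "vm-c": ["kernel-text-1", "libc", "libc", "app-c-data"],
}


def share_pages(vms, share_across_vms):
    """Map every (vm, guest page index) to a host backing page id.

    share_across_vms=True : one host copy per identical content, host-wide
                            (the behaviour VMware is turning off by default)
    share_across_vms=False: duplicates are merged only inside the same VM
    """
    backing = {}      # dedup key -> host page id
    mapping = {}      # (vm, index) -> host page id
    for vm, pages in vms.items():
        for idx, content in enumerate(pages):
            key = content if share_across_vms else (vm, content)
            if key not in backing:
                backing[key] = len(backing)
            mapping[(vm, idx)] = backing[key]
    return mapping


def guest_pages(vms):
    """Pages the guests believe they own (what the host needs without TPS)."""
    return sum(len(pages) for pages in vms.values())


def host_pages(mapping):
    """Distinct host pages actually backing the guests."""
    return len(set(mapping.values()))


def cross_vm_shared(mapping):
    """Host page ids referenced by more than one VM: only these pages can be
    observed from a neighbouring VM through a shared-page cache-timing channel."""
    owners = defaultdict(set)
    for (vm, _idx), page_id in mapping.items():
        owners[page_id].add(vm)
    return sorted(pid for pid, vms in owners.items() if len(vms) > 1)


if __name__ == "__main__":
    for across in (True, False):
        m = share_pages(VMS, across)
        print(f"share across VMs={across}: {guest_pages(VMS)} guest pages -> "
              f"{host_pages(m)} host pages, cross-VM shared ids {cross_vm_shared(m)}")
```

With the sample data, host-wide sharing backs 15 guest pages with 7 host pages but leaves 4 pages shared between VMs; per-VM sharing needs 13 host pages and leaves none, which is the density-versus-isolation trade-off behind VMware's decision.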


Andrea Mauro has published a well-written blog post about TPS that explains some other caveats.

This paper explains the security concerns of using TPS in detail. The abstract of the paper reads:


VMworld 2014 Europe announcements

This is a summary of the announcements made at VMworld Europe Barcelona during the keynote on Tuesday October 14.

The recording of the keynote can be seen here.

The announcements made at VMworld 2014 US can be read in this post.

Tuesday October 14 announcements

  • HP and Hitachi will also soon deliver EVO:RAIL systems. The HP product is called HP ConvergedSystem 200-HC.
  • VMware vCloud Air will be available in a Germany-based datacenter.
  • vRealize CodeStream was announced.
  • vRealize Air Compliance was announced: a new SaaS-based tool to quickly report on the configuration compliance of a vSphere infrastructure and take proactive action.
  • Introduction of the vRealize Suite.
  • Announcement of Horizon Flex, which enables running virtualized desktops on offline clients. Kit Colbert of VMware has written a blog post about it.
  • EVO:RAIL comes with the vCloud Air Disaster Recovery service.
  • CloudVolumes is now VMware App Volumes. It will be available this quarter and free of charge with VMware Horizon Enterprise. Sign up for the Early Access Program here.
  • A partnership between VMware and Palo Alto Networks. Announcement of the Palo Alto Networks VM-1000-HV, designed specifically for VMware NSX interoperability. It is expected to be available in vCloud Air in the first half of 2015.

Nutanix announces all flash model and NOS 4.1 with Metro Availability

Nutanix made two new announcements today:

  • a new hardware model: the NX-9240, with flash capacity only and no spinning disks
  • the release of Nutanix OS 4.1 with Metro Availability


The NX-9240 is the first All Flash appliance of Nutanix. It has a raw Flash storage of 20 TB.

The main purpose of the NX-9240 is running Tier 1 applications such as Oracle and SQL Server.

Unlike the other Nutanix models, which can be mixed, the NX-9240 cannot be a member of a cluster that contains non-NX-9240 nodes.

The NX-9240 all-flash hyper-converged system is available today with list prices beginning at $110,000 per node.

The Nutanix press release is here.

Nutanix also announced the release of Nutanix Operating System (NOS) 4.1

New features in 4.1 are:

  • Metro Availability
  • Cloud connect
  • One-click hypervisor upgrade
  • Microsoft System Center integration
  • Data at rest encryption
  • SMI-S support for System Center


Metro Availability enables Nutanix clusters to stretch over two sites. The functionality is very similar to, for example, NetApp MetroCluster or EMC VPLEX.

Metro Availability allows for a seamless failover of virtual machines when a Nutanix cluster or a complete site is unavailable. The solution has a Recovery Point Objective of zero (0). The Recovery Time Objective is very low: in the case of an unplanned failover, the time to recover is essentially the time required to boot the virtual machines.

Metro Availability is very simple to set up, unlike other solutions. It requires a latency of 5 ms and a fiber network, which limits the distance between the two sites to something like 100-150 km.

Mixing models in both sites is supported.

Metro Availability will be part of the Ultimate software edition. Both the primary site and the secondary site will need an Ultimate license.

Details in this Nutanix blog.

Cloud Connect was announced in August. It will create a hybrid cloud infrastructure with many features still to come. In NOS 4.1, Cloud Connect is still limited to storing backup data in the public cloud. Initially Amazon Web Services is supported; Azure and Google Compute are on the roadmap.

Other future use cases are disaster recovery and cloud bursting.

http://www.nutanix.com/blog/2014/08/19/announcing-nutanix-cloud-connect/


One click hypervisor upgrade allows for a simple upgrade of any Nutanix supported hypervisor: ESXi, Hyper-V and KVM.

System Center integration enables Virtual Machine Manager and Operations Manager to detect Nutanix nodes and report on their performance and health.

Data at rest encryption adds support for self-encrypting drives. Initially this feature is supported on the 3000 and 6000 series. It is an often-requested feature in finance, healthcare and government environments.

More information here:

Nutanix 4.1 Features Overview (Beyond Marketing) – Part 1

Nutanix 4.1 Features Overview (Beyond Marketing) – Part 2

Nutanix 4.1 Features Overview (Beyond Marketing) – Part 3

VMware Mirage 5.1 released

On September 16, VMware released VMware Mirage 5.1.

Mirage enables central image management of physical desktops and laptops. It supports VMware View as well. It will be interesting to see what happens to VDI image management now that VMware has acquired CloudVolumes and is working on Project Fargo.

Mirage uses layering: it decouples drivers, applications, devices and user profiles from the operating system.

The advantage from a management perspective is local, offline execution of applications combined with central management.

What’s New in Mirage 5.1?

Mirage 5.1 introduces more than 20 new features, enabling you to extend the management of remote and mobile-user devices. Included are the following new features and improvements:

  • IT managers can control the Mirage clients’ bandwidth consumption from the Mirage Management console. You can limit bandwidth by subnet or by Active Directory site.
  • Mirage now has an API that currently supports centralization and OS migration use cases. You can use the API to integrate Mirage with third-party systems, such as ticketing or help desk applications. Partners and customers can access and integrate with Mirage data and services.
  • You can now install and configure the Mirage Gateway server by using a self-installed Web configuration portal.
  • IT managers can generate a variety of reports from the Mirage Web Manager console. The reports provide analytics for Mirage operations. You can generate reports on demand, or save report parameters as a template and generate the report according to a specified schedule.
  • You can provision a device with a base layer and app layers using a single wizard.
  • Mirage now includes the VMware Customer Experience Improvement Program (CEIP). When you join CEIP, the CEIP tool collects technical data from the Mirage database and log files, and sends the data to VMware on a daily basis. Before the data is sent to VMware, it is made anonymous and is encrypted in your systems or servers.
  • You can now protect all fixed drives by using the Mirage upload policy.

The release notes are here.

More information on Mirage here.

Download here.