Virtual Desktops — Secure Global Desktop stays alive after Oracle Sun merger

On January 27, Sun and Oracle have been merged into one company; Software. Hardware. Complete.

Oracle is continuing the Secure Global Desktop product as part of their virtualization technology group. The product has been placed within the Desktop Virtualization portfolio.

The announcement has made by Edward Screven, Chief Corporate Architect, during his webcast: "Oracle + Sun: Virtualization Strategy".
The sheets of this presentation are down loadable as well.

Good news for everyone working with Sun Secure Global Desktop or should we now refer to the product as Oracle Secure Global Desktop :)

Secure. Global. Desktop. Complete.

Thin Guy — I remember...

As a 29 year old in the fall of 1999,  I was recruited by tech juggernaut and dot com sweetheart Sun Microsystems to come aboard in their Professional Services division focusing on PC NetLink (remember that!!??) and interoperability.  When I officially started in January of 2000 (I had to make sure the Y2K bug didn't bite Bellagio!) "Interoperablity" meant a totally different thing to Sun at the time.  To me, and the team I joined, it meant making Sun hardware work in a Microsoft environment.  Unix and SPARC in a MS Domain?  Impossible?  Nope.  We were wildly successful for PS, a small team raking in millions in billable hours.

Eventually that led me to working with the Sun Ray product and doing the sacrilegious thing of displaying full screen MS Windows on a Sun Ray without ever interacting with Solaris from a user perspective.  That eventually led to a job with Sun Ray Engineering where I've spent (thus far) the best years of my life.  Three of my five daughters were born under the SUNW stock ticker.  10 years, my second job out of college, friends that I consider some of the best I've ever had.

I could dedicate a whole blog entry to the "second half" of my tenure at Sun, where I got involved with Social Media.  I owe a lot to the Blogs.Sun.Com  team, without their vision I wouldn't know half of the people that I know around the world today.  Thin Guy became synonymous with Sun Ray.  (Could you believe I was going to first use "Tall Guy"?).  Talk about social media building a brand.  I'm now introduced as "Thin Guy" rather than my given name of Craig Bender.  There are so many to thank, Linda Skrocki, Rama Roberts, and of course the very early blogging queen Mary Smaragdis (Not to brag, but I was her new favorite blogger once...that was a huge deal).  And the friends I made on those teams...too many to list.  Liz Ditucci, Dave Arguelles, and so many others.  I feel like I know them all personally even though I've only met one of them in real life.

If you're worried about me, don't be.  I'm continuing on at Oracle and more importantly so are the Sun Ray, SGD, VDI, and VirtualBox products.  The blogging policy is a wee bit different at Oracle, so my blog posts will be "on topic" for my job.  I'm contemplating moving the personal topics (recipes, workouts, autism, general humor) to a new non-work related blog, but all the technical posts will continue to live over at Think Thin.

I have so many great memories of Sun.  My colleagues made Sun what it was.  The technology was a side effect of the freedom given to extremely talented people and the eye for hiring exceptional talent.  We may have lacked at execution on bringing the stuff to market, but Sun was an innovator.  Note to hiring companies, if someone has a couple of years at SUNW/JAVA on their resume, that's all you need to know.  They're a keeper.  One last thing about my time at Sun...I used to travel a lot (150K+ airmiles a year).  I saw the world and it was beautiful.  But when my youngest was diagnosed with autism, the travel was becoming harder on our family and had to be reduced and that was OK with Sun.  Their work from home program was not only saving both employees and the company money, the environment, it might also have "saved" a little girl as well.  While I won't say she's recovered, she's a totally different kid because Sun's policies allowed me to be there for her.  For that I am eternally grateful.

With that I bid this "S-Word" blog goodbye.   Catch me on Think Thin and speaking at Oracle events near you.  Thank you so much for your readership.  Let's see if Thin Guy can be synonymous with Oracle VDI.  I know my new boss is finally getting the N|C he always wanted.  GO ORACLE!

ThinkThin — SRS Patch Information

We've put together a page on the SRS wiki that provides all the latest Sun Ray Software patch information.  We don't have any patches yet for the new SRS 5 release, but we have a placeholder when they are released.

http://wikis.sun.com/display/SRS/Home

Oh, and here's a little tutorial about how you can tell what SRS patches are already installed on your Sun Ray servers.

• For Solaris:  showrev -p | grep SUNWut
• For Linux:  rpm -q SUNWutfw
  

Remember, patching your systems will help you avoid time consuming problems in the future, and time is money.

- Paul, SRS documentation lead

stotti.blog() — Boards.ie Forums have been hacked – don’t panic!

Though i’m not Irish it has come to my attention that one of the largest bulletin boards in Ireland, boards.ie, has been hacked today. The attackers gained access to parts of the database ” [..] which includes our members usernames, email addresses and obfuscated passwords [..] ” as stated on the official landing page that replaced the usual forums today.

The team of boards.ie reset all user passwords and advises all their users to change the password on all other sites where they might have used it as well. In my opinion this is a good step but not absolutely necessary. And i tell you why: boards.ie uses an uptodate version of the bulletin board software vBulletin. That uses the MD5 algorithm to “obfuscate” the users’ password. As written earlier the MD5 algorithm is known to be unsecure and should not be used to encrypt user passwords – except it has been salted. Salting means that there is an additional “secret” (technically: an additional set of bits) used to hash the obfuscated string. This increases the so called entropy of the hashsum. And this, in return, makes it very hard to “crack” the hash using traditional methods like brute-forcing or using rainbow tables. That means it’s very hard for hackers of boards.ie to get access to other systems using the gained user data. So relax and don’t panic!

Anyway the team of boards.ie has done good resetting all the user passwords as an additional security mechanism. If you want to know more about cracking MD5 hashsums I’ll suggest you to have a look on my more in-depth articles regarding this topic:

• How to crack MD5 passwords online
• How to crack MD5 passwords with John the Ripper

[UPDATE]
The boards.ie team states on Twitter (@boards_ie) that they will not send out new passwords but require users to set a new password when the site is back up:

We are not sending out new passwords. Once the site is back, you will be invited to change your password yourself.

I guess that’s fine as well.
[/UPDATE]

[UPDATE2]
@john_ruddy has made a good point. In his opinon it might be possible that the hackers will send E-Mails to the users of boards.ie containing false instructions to set a new password or enter other sensitive data. So please be aware of phishing attacks!
[/UPDATE2]

Fat Bloke — Audio in 64-bit Windows guests

In case you haven't noticed, a lot of Fat Bloke's Blogs are reminders to self Here's another one... 

If you have created a 64-bit Windows 7 virtual machine, you may think it is awfully quiet. This is because the 64-bit version of Windows 7 does not ship with drivers for the audio device (AC 97) which VirtualBox presents to the guest OS.

If you want audio you have to go get the drivers and install them yourself. I got mine from Realtek site. 

Once you have installed them, and rebooted, you should get audio just fine.

- FB 

Fat Bloke — Technology of the Year

Question: what do the following have in common?

1. Intel Nehalem Processor 
2. Microsoft Windows 7 
3. Cisco's Unified Computing System (UCS)
4. Amazon Web Services 
5. Apple iPhone OS
6. Sun VirtualBox

Answer: They were all winners of InfoWorld's 2010 Technology of the Year awards.

-FB 

Fat Bloke — Speeding up your Linux Guests

With the clock ticking over to a new decade, now would seem to be a good time for a quick blog on timer interrupts in guests and how you can speed up your guests, while also lightening the load on your host, with the judicious use of a bit of guest configuration.

All operating systems make use of a system clock which ticks at a particular frequency. Common Linux distributions use kernels which drive the clock at 100Hz, 250Hz or 1000Hz. You can find out what your Linux kernel is configured for using this command:

grep CONFIG_HZ /boot/config-<kernel>

where kernel is the version of Linux you're running. The result of this command on my Oracle Enterprise Linux installation looks like this:

[root@localhost grub]# grep CONFIG_HZ /boot/config-2.6.18-164.el5
# CONFIG_HZ_100 is not set
# CONFIG_HZ_250 is not set
CONFIG_HZ_1000=y
CONFIG_HZ=1000

...which tells me that my kernel is configured to use a 1000Hz clock tick.

In a virtualized environment this means that there will be lots of context switches as the host schedules the guest to deal with clock ticks which don't do very much.  And this will become most visible by seeing a relatively high host cpu usage even when the guest is idle. (Note that the exact behaviour also depends on the host system. For example, the same OEL vm runs comfortably on my Mac host, but my Windows host gets very busy running it.)

If you see an idle Linux guest which is configured for a 1000Hz clock using up lots of host cpu cycles, you may want to reduce the clock frequency using the boot time parameter "divider=10". You can do this by adding the parameter manually as the grub boot loader starts, or by editing the grub configuration file as follows:

1. Edit /boot/grub/grub.conf
2. Duplicate the existing Title section, and rename it (this means you can choose at boot time which config to use)
3. Add the "divider=10" parameter as follows:

 kernel /vmlinuz-2.6.18-164.el5 ro root=/dev/VolGroup01/LogVol00 rhgb quiet divider=10

Here is what my complete grub.conf looks like now:

This results in fewer context switches, a lighter host load (as measured by Window Task Manager) and faster guest execution. For example, the speed to boot my OEL vm (on a Windows 7 host) dropped from 115 seconds to 80 seconds which, according to my calculations, is a 30% increase in performance. Not bad for a simple bit of configuration

-FB 

Joerg's Desktop Blog — Hotdesking sessions to and from the Sun Display Access Client

The initial release of the Sun Desktop Access Client (SDAC) does not participate in the smartcard-based hotdesking that is typically used with Sun Ray Desktop Units (DTUs).

Nevertheless hotdesking capabilities are an important feature of the Sun Ray system. So how can SDAC participate?

Answer 1: NSCM

The simplest solution to be able to hotdesk Sun Ray sessions to and from an instance of SDAC is to use NSCM. This has a few restrictions:

• It works only on Solaris. Not much of a restriction, if you are running SRSS on Solaris already, but a significant problem, if you are using Linux.
• KioskMode and NSCM are a poor fit, as every user must authenticate on UNIX in order to get session access. No problem, if your users have a UNIX login account and are logging into a regular UNIX session anyhow. But if you are using Kiosk Mode, then requiring UNIX authentication first is a poor fit. Even if you can set up PAM to make NSCM use a different authentication source (for example ActiveDirectory), there is no single sign-on: the user will have to authenticate again within your Kiosk Session.
• NSCM is an all or nothing decision for non-smartcard sessions. If you enable NSCM, it applies to all non-card sessions. You can't disable it selectively, for example when you use token-specific kiosk policy.
• NSCM is slightly less comfortable than smartcard-based hotdesking. When you hotdesk a NSCM session, you need to enter both your user name and password. With smartcard-based hotdesking, you only need to enter your password to unlock the screen. And you can use AMGH to preselect a username even on initial login.

If you are not affected by these restrictions or can live with them, then NSCM is clearly the method of choice to obtain sessions that can be hotdesked to SDAC.

Answer 2: Token Aliasing

What if NSCM is not an option, because Kiosk Mode is being used, SRSS is running on Linux or your users can't remember their user names?

In that case you can use a lesser known features of SRSS: token aliasing.

Token aliasing comes at the cost of added administrative effort. It requires that only registered tokens are allowed access. This means that every smartcard, every DTU used for non-smartcard access and every SDAC instance (more exactly: profile) must be registered in the Sun Ray data store, before it can be used for Sun Ray sessions. This burden can be offloaded to your users, by enabling self-registration functionality when configuring registered token policy. Or it can be integrated with a corporate database of tokens, by using the ATI feature (see the ut_ati_script_interface(3) man page for more information). But neither of these will create aliased tokens for you - that will require manual intervention by an administrator.

So how does token aliasing help with SDAC hotdesking?

When you configure two (or more) tokens as aliases of each other, all the aliased tokens access the same session. Every smartcard is associated with a unique token, as is every DTU and every SDAC profile. (The tokens for the latter two are called pseudo-tokens.) So if you configure a SDAC pseudo token as an alias of a smartcard token, then a specific SDAC profile can be used to access sessions bound to this smartcard. In other words, you can hotdesk your card session to SDAC (with this profile) and vice versa.

As you probably noticed this means that an SDAC profile can access only one predetermined smartcard session. This is good for security - the session bound to Alice's smartcard can only be accessed using Alice's SDAC profile, but not using Bob's profile. But it also means that you can't use SDAC to quickly access an arbitrary session from any client. Bob's boss can't borrow Bob's laptop to get to his session, as he most likely has no registered profile there.

There is one pitfall with aliasing: if more than one aliased tokens are connected at once, only one of them can get access to the session. In older releases of SRSS, this resulted in session ping-pong: the second token that connects takes over the session from the first. This causes the first DTU to restart, present its token again, and take back the session. Now the second client restarts and everything repeats itself until one of the clients is disconnected.

Fortunately the 'RHA' hotdesk security feature, introduced in SRSS 4.1, fixes this problem: now the user can only take over a session for her token after authenticating to the RHA session lock. When she does this, the first client will restart, but will only display the session lock and wait for the user to come back to that location. If you like ping-pong, you can still get the old misbehavior by disabling RHA.

The pitfall that remains, even with RHA, concerns Kiosk Mode: as there is no authenticated UNIX user, no RHA authentication can take place. The session takeover protection still applies though, so if the user left his card inserted in a DTU, he will be unable to get to his Kiosk session from his aliased SDAC profile. Of course with traditional smartcard hotdesking you also don't get to hotdesk, if you forget your card elsewhere.

And how can token aliasing be set up?

By now you are probably itching to learn how you can configure token aliases.

If you aren't, why are you still reading?

Keep in mind though, that use of token aliasing is only suitable, if 'registered token only' policy can be used in your deployment. And if NSCM works for you, you can save all this administration effort.

The approach I outline here is to start with unaliased registered tokens, delete one of them from the Sun Ray Data Store and reregister it as an alias of the other. I recommend to start with both tokens registered, so that you can leave the task of figuring out the token identifier to the initial registration process, for example to self-registration. Alternatively you can obtain smartcard token identifiers by using a token reader and derive pseudo tokens from the desktop identifier (see the utdesktop(1M) man page or the Desktop Units tab in the Sun Ray administration GUI).

To make a SDAC pseudo-token an alias of another token using the Sun Ray administration GUI:

1. Go to the Tokens tab
2. Find the SDAC pseudo token for the user. An SDAC pseudo token id has the form pseudo.<32 hexadecimal digits>, for example pseudo.d98765f12345f23b697cfd9d072786b7.
3. Click on the token ID to go to the pseudo.d98765f12345f23b697cfd9d072786b7- Token Properties page.
4. Select the pseudo token ID and copy it (to the clipboard).
5. Check that there are no sessions for this token (Advanced section). If there are sessions, terminate them.
6. Go back to the Tokens page.
7. Place a check mark on this pseudo token to select it and click Delete to delete it.
8. Find the smartcard token for the same user, for example Payflex.500abcd000000100.
9. Click on the token ID to go to the Payflex.500abcd000000100 - Token Properties page.
10. Click the New... button on the Alias Tokens table (Advanced section) to open the New Alias Token for Payflex.500abcd000000100 page.
11. Select Enter token identifier manually: and paste the pseudo token into the token id field (from the clipboard).
12. Click OK.

To do the same using the command line (assuming both tokens have the name 'Barfurth'):

First determine the involved tokens, for example:

  # sdactoken=`utuser -ln Barfurth | sed -n 's/^\(pseudo\.[0-9a-f]\{32\}\) .*/\1/p'`
  # echo $sdactoken
  pseudo.d98765f12345f23b697cfd9d072786b7
  # cardtoken=`utuser -ln Barfurth | sed -n 's/^\(Payflex\.[^ ]*\) .*/\1/p'
  # echo $cardtoken
  Payflex.500abcd000000100

After obtaining the tokens, delete the existing unaliased registration and create an alias instead:

  # utuser -d $sdactoken
  # utuser -ai $cardtoken $sdactoken

Fat Bloke — Christmas VirtualBox Movies

The FatBloke loves movies at Christmas. So to add to the festive cheer, he has produced a couple of his own based on some of the new features of VirtualBox 3.1. This special, bumper Christmas double-bill features movies about Teleportation (is this how Santa gets about?) and Snapshots. You can watch in HD and full screen mode, but no 3D yet

Merry Christmas

-FB 

stotti.blog() — The origins of Cross Site Scripting

Cross Site Scripting (XSS) celebrates its 10th birthday this december. Well, it is not exactly definable when the first XSS hack popped up, but at least the term originates in mid-December of 1999. David Ross, security engineer at Microsoft, just shared this short anecdote and wrote which terms were in discussion for the thing we now know as XSS as well:

Unauthorized Site Scripting
Unofficial Site Scripting
URL Parameter Script Insertion
Cross Site Scripting
Synthesized Scripting
Fraudulent Scripting

I think i like “Fraudulent Scripting.” Anyway, i absolutely agree to Davids conclusion to his post:

Let’s hope that ten years from now we’ll be celebrating the death, not the birth, of Cross-Site Scripting!

Exactly, Cross Site Scripting has to vanish. Keep your code clean, validate every input and adopt common security principles!

stotti.blog() — How to generate test files of any length

Every now and then my fellow coworkers and me are faced with clients that mention problems uploading files of a specific size to web content management systems (CMS). While we are trying to solve the problem we need to test the upload ourselves. Now the filesize differs with every inquiry and we have to come up with files that extend this size. What to do in this case? Browsing the web for files of a specific length? Crawling through our media asset management system to fetch a file that fits in? No, there’s a better solution to that: the file generation tools of the operating system!

photo credit: Velo Steve

Microsoft Windows, Linux and Mac OS come with standard tools that allow file generation and manipulation. This article tells you how to use them to generate files of any length.

Generating files of any length on Windows

First open the command line interface by clicking Start > Run… and entering “cmd” (without the quotes) in the dialog form. By pressing Enter the command line interface will pop up and you can insert the following string to create a new file:

C:\>fsutil file createnew <filename> <filesize in bytes>

As you see you have to state the specific filesize in bytes! For a conversion of megabytes or kilobytes to bytes see this or this conversion tool.

For example this string creates a new file named testfile.txt sized 1 Kb located in the root directory of partition C:

C:\>fsutil file createnew C:\testfile.txt 1024

Generating files of any length on Linux

File generation with Linux is as easy as with Windows. The `dd` tool to (amongst others) create new files comes with virtually every distribution. Here is the example command, intended to be run from within a shell.

dd if=/dev/zero of=<filename> bs=<initial blocksize in bytes> count=<iterations of the blocksize>


The easiest way to create a file of specific length using `dd`is by utilizing suffixes like K (for Kilobytes) or M (for Megabytes) like this:

dd if=/dev/zero of=testfile.txt bs=1K count=1

The command above creates a file of 1KB size in the current working directory.

The man page of `dd`lists the suffixes you may utilize:

BLOCKS and BYTES may be followed by the following multiplicative suffixes: xM M, c 1, w 2, b 512, kB 1000, K 1024, MB 1000*1000, M 1024*1024, GB 1000*1000*1000, G 1024*1024*1024, and so on for T, P, E, Z, Y.

As `dd` is available for all Linux/Unix distributions this applies to Unix Systems (e.g. Solaris) as well.

Generating files of any length on Mac OS

OSX provides a shell app that’s more convenient to use than `dd`. It’s called `mkfile`. Start it by firing up a Terminal window located here:

/Applications/Utilities/Terminal.app

Like `dd` the OSX pendant `mkfile` can be used with suffixes as well. Here you can use b for Bytes, k for Kilobytes, m for Megabytes and finally g for Gigabytes. See it in action:

mkfile 1k testfile.txt

As expected this creates a 1KB sized file in the current working directory.

Conclusion

As you can see, it is really easy to create test files of virtually any length on all major plattforms like Microsoft Windows, Linux and Mac OS. Try it out!

Fat Bloke — Solaris 10 10/09 Virtual Appliance

Some time ago we talked about virtual appliances as an easier way of distributing operating systems and even complete software stacks. 

Well, for the first time there is now a Solaris 10 10/09 (aka u8) ovf available.

Just:

• Download the appliance
• Unzip (if not done automatically for you)
• Then in VirtualBox, choose the File...Import Appliance menu item
• Navigate to the ovf file and import

And after clicking Import you will get a sys-unconfig'ed Solaris 10.

On first boot you do the config and hey presto, you have Solaris 10 running in a vm.

For best results, don't forget to then install the VirtualBox Guest Additions by choosing Devices...Install Guest Additions from the VirtualBox menu.

-FB 

Fat Bloke — VirtualBox 3.1.2 released!

VirtualBox 3.1.2 has just been released.

It is a bug fix release and available to download from the Usual Places.

For a fuller list of fixes check out the ChangeLog. 

-FB 

stotti.blog() — Jurgen Appelo on agile project management and software development

Some of you readers may already know that i work as an interface between the competent departments and the development teams. I act as the lead of these teams and communicate the functional requirements of the clients and the internal departments to the technical personnel such as developers, system engineers etc. Vice-versa i communicate the open questions of the technical teams to all other parties and enforce problem solving remedies to keep the development on track. My function is called “Technical Project Manager.” In this role i constantly try to adopt new project management principles and further my knowledge of software development practices.

One common method to stumble about when you’re faced with software project management is the agile management principle. Some of its well known instances are Scrum (which i use) and Extreme Programming (which i don’t). But agile management is not just about a specific implementation, its about the way we work. Jurgen Appelo of NOOP.nl embraced most of the agile paradigms and how they might influence our work into one well done presentation. Here’s the video of his talk at the Agile Eastern Europe Conference in Kiev:

The slides themself are noteworthy too. Fetch them at Slideshare:

Overall an excellent talk on the agile approach and its impact on every day work life. Definatly worth watching!

(via Projektmanagement Blog, in German)

Fat Bloke — VirtualBox 3.1 released (last week)!

(A little late, I know but last week was kinda busy...)

Even though the version number only moved from 3.0 to 3.1, last week's VirtualBox release was a significant one with lots of very cool, but also very useful, new features:

Teleportation

Teleportation is Live Migration++. It is the ability to move currently running virtual machines across different physical machines with no interruption as you do it. And whereas with Live Migration/vMotion the virtualization platforms have to be near identical to work, teleportation is powerful enough to cope with:

• different host operating systems, such as Windows to Linux
• different classes of computer, such as server to laptop; and even
• different CPU architectures, such as Intel to AMD (yes, the manual has a bug here) 

This means greater choice of platforms for customers, and interesting solution opportunities for our partners.

VirtualBox exposes the teleportation primitives via APIs which higher level logic can call to direct the teleportation process. For people looking to exercise these APIs you can use the VBoxManage command line tool, such as:

VBoxManage modifyvm <vm name> --teleporter on --teleporterport 1234 \ 
  --teleporterpassword password --teleporteraddress <dns name/ip address>

VBoxManage controlvm <vm name> teleport --port 1234 \
 --host <dns name/ip address> --password password

stotti.blog() — Update went wrong, blog gone mad

Dear readers of stotti.blog(),

unluckily some updates of this blogs’ software did not succeed well. So all the articles were offline for the last three days. It’s all repaired now. Sorry!

[update]
In the last days i got some mails of readers (thanks!) stating that the website loads too slow. I am aware of this issue. Mostly its because of the theme i am using. It comes bundled with a bunch of a JavaScript scripts that bloat the overall size of the pages and make the page load slowly. I have turned them off today, hoping to change for the better until i have chosen a new template – or even build my own, not just a skin for a pre-made template.
[/update]

White men can't jump — VDI Image Layering

Hi,

There is been quite some hype around "Layering" of desktop images. Where Layering means being able to assemble an VDI image more or less on the fly with different parts overlay each other or where the final image is just patchwork combined from different sources. There are a few articles on Brian Madden around this topic, with the most recent one being a "technical" description.

Technically I really think this is an interesting problem to solve. It needs a lot of engineering brain to be able to assemble an image of various pieces, such as the OS, standard apps, user apps and user data. But this is just one side of the coin. The flip side is, that all solutions are simply not manageable because of the involved complexity. With each new potential combination of OS and apps, independent of how the final layering is done, you create a resulting VDI image, that would need to be qualified before releasing it to the user base. There is a good example from Brian on what happens if a new Windows Service Pack is deployed.

A lot of Windows admins have already a sense of the implied complexity. Just think about your experience with the Windows Group Policies. Group Polices can easily be layered and overlaid. But how long does it take to understand the so 'called' result of operation, so which policy setting applies to the end user at the end of the day when he is logged on a certain desktop. This can really create headaches.

And headaches will be even worse when companies start to make big bets on image layering technology these days. The increased flexibility of being able to define which user gets which app on demand is paid by the price of increased qualification effort and dealing with incompatibilities. From my perspective this is a huge investment risks.

So, what remains. I'm a strong believer in strictly separating the problem of replacing PCs with Thin Clients in order to centralized the image management in the data center. This can be done in a first step while still applying the same image provisioning techniques as in traditional PC environments.

And the second problem can be addressed by various means such as delivering certain apps through terminal services or through application streaming. Of course with the known issues that this is not possible for every app and that there is additional infrastructure and bandwidth needed to serve or provision these apps. And there is also the possibility to focus more on managing templates instead of all individual rolled out virtual desktops. This at least requires a separation of the user data, if the user data is important. Or you do a mix of App virtualization and VDI template management. Again doable with more complexity.

At the end of the day there is no way to manage all apps completely flexible as it would be desirable. And the only way out for enterprises is to get rid of those apps that have such a strong dependency on the OS, that you can't run them in an App-Vitualization manner. Convert them into Web or Java apps. Sounds simple, but I understand that this is nothing near or mid term. But this is more than ever the future. Reduce your dependency on the OS and you gain all the flexibility in how you deliver the apps to your users and how you entitle your users to use them.

Enough opinion for today,

Dirk

White men can't jump — Untold secrects about Sun VDI 3.1: Surving without a directory

Hi,

Imagine the following situation: You have to prepare a demo with Sun VDI. Equipment is available. Software is there. You have the guest desktop at hand. Installation and configuration works just like a charm.

Well, and then you start the admin console and the first thing you see is, "Please configure a user directory". Damn, totally forgot about this one. Okay, get OpenDS ...

But there is also another way. Sun VDI has 2 in-built tokens: AnySmartCard.000 and AnySunRayClient.000.

Just look at their names and you get their meaning immediately. Use these 2 default tokens to assign a desktop pool to any smartcard inserted or to any Sun Ray connected to Sun VDI. Very handy for demos. We used this e.g. at JavaOne. This feature has been integrated into VDI 3.1. Give it a try.

-Dirk

PS. You find theses default tokens by selecting the token section and hit simply the search button in the admin UI.

Fat Bloke — ACPI Shutdown and Windows 7 or Vista

A little something that had me scratching my head for a while and may save others some time....

When you try to close the window of a VirtualBox virtual machine session, a dialog pops up thus:

In the past, the "Send the Shutdown signal" has sent a Powerdown message which caused Windows XP vm's to gracefully shutdown.

But on Windows 7 vm's, the default Power Options when installed on a laptop are undefined:

So to get the previous behaviour you need to change the Power Options as follows:

Hope this saves someone some time.

-FB

White men can't jump — Point and Shoot Sizing: Sun VDI 3.1, Sun VirtualBox 3.0.12, Sun Fire X4170

Although we have just released the 3.1, we are very busy these days. We had planned to do some sizing of the virtualization and storage layer, but there is simply not enough time to do it right now.

However, we have done a 'Point and Shot' sizing for the X4170 running VBox 3.0.12 under Sun VDI 3.1. We have taken an X4170 and wanted to understand how many VMs can be executed with a defined workload. The workload has actually been the same as with previous load tests. You find the definition in the VDI 3.1 deployment guide: http://wikis.sun.com/display/VDI3dot1/Deployment+Guide

The exact setup has been:

• 3 VDI core server managing 1 VBox host (X4170) connected to a 7210 Open Storage.
• X4170: 2 CPU (2.5 GHZ), 32GB RAM

We had 2 test runs:

1. Image Win XP SP2, 512 MB, 12 MB Video RAM: Goal: Start as many VMs as possible and continuously execute Office workload
2. Image Win XP SP2, 256 MB, 12 MB Video RAM: see above

Results for test run 1:

• 48 VMs running, executing load, tests showed that VMs are responsive (connecting with the console to selectedVMs)
• Memory consumption: 96% or 31GB
• CPU consumption: 40-50%

Results for test run 2:

• 95 VMs running, executing load, Tests showed that VMs are responsive (connecting with the console to selected VMs)
• Memory consumption: 97% 31,3 GB
• CPU consumption: 50-80%

Observations:

• The Nehalem CPU in combination with VBox 3.0.12 has much better performance. 12 VMs per physical core seems possible for modest Office work still leaving some CPU headroom.
• The memory overhead of VBox is closer to 20%. In previous tests we have calculated 10%. Plus roughly 1 GB for the OS.

Although this was just a 'Point and Shot' sizing it has a clear message:
The economics are way different with the Nehalem CPU. A 10VM per physical core seems to be a good and conservative starting point, when customer workloads are unknown. An X4170 (2 CPU, 64-72 GB RAM) seems to be an ideal platform to host 80+ desktops of 512MB memory. Going over the 72GB memory limit will require to use 8GB DDRs which are way more expensive.

We will continue sizing once we are less busy. Stay tuned,

-Dirk

ThinkThin — Command Line Reference Doc Updated

Hi everyone, short note here.

I have created a new version of the handy Command Line Reference doc for Sun desktop technologies. This is  a pdf with quick links to the complete man page reference for SRSS 4.2, SRWC 2.0 and VDI 3.1.

I know that the man pages are now up on the Wiki, but sometimes it's easiest to just have this thing as a shortcut for quick reference.

Enjoy, let me know if this pdf doesn't work on your system.

Desktop_Cmd_Ref-11.25.09.pdf

Brad 

White men can't jump — The hidden major update: Sun VDI 3.1

Hi,

We have released Sun VDI 3.1 yesterday. There are already many posts about it, such as this one from Chris about it. The most confusing about this release is the version number, which suggests that Sun VDI 3.1 is just a minor update. Well, it is not.

It has many new things inside that together offer a number of very compelling and unique solution stacks. I've summarized these solution stacks in a presentation that I gave yesterday:

stotti.blog() — Google will inform webmasters about their vulnerable software

As announced earlier Google will soon start to inform webmasters if they’re running out-of-date or vulnerable software. All webmasters registered with the Google Webmaster Tools will soon get notifications in case of using outdated software. Google is trying to achieve this by parsing the HTML code of the website, especially the generator meta tag. Quoting the Google Webmaster Central Blog:

One of the ways we identify sites to notify is by parsing source code of web pages that we crawl. For example, WordPress and other CMS applications include a generator meta tag that specifies the version number. This has proven to be tremendously helpful in our efforts to notify webmasters. So if you’re a software developer, and would like us to help you notify your users about newer versions of your software, a great way to start would be to include a generator meta tag that tells the version number of your software. If you’re a plugin or a widget developer, including a version number in the source you provide to your users is a great way to help too.

If you’re using (open-source) software that is writing a generator meta tag including its name and version into the HTML code, then you’re likely to get notifications by Google if this piece of code is outdated. I think this is a good thing and it won’t cost Google that much computing power as they are already parsing the source code of the site anyway. On the other hand i am not fond of software that is giving away too much information about itself. I am still a fan of security by obfuscation – as long as this is not the only line of defense.

ThinkThin — Please Welcome Sun VDI Software 3.1

Hot on the heels of the Sun Ray Software 5 release, Sun VDI Software 3.1 was just made available (get it here). This is an exciting update for us, here is a quick overview of what's new: 

• Microsoft Hyper-V support
• Previous versions of Sun VDI Software already allowed for heterogeneous virtualization hosts, but we extend this support to include Microsoft Hyper-V in VDI 3.1. This means that you can use Sun built-in, VMware vSphere (or just ESX and vCenter, if that's what you've got), Microsoft Hyper-V, or any combination(!) to host your virtual desktops. This provides amazing flexibility and really reduces concerns around lock-in of any particular vendor. Want to change platforms? Easy, put up the new environment, test it with a group of users, migrate everyone over, and shut off the old one when you're ready (or keep it as a backup).
• Remote Desktop Services support
• We have lots of customers who use both classic server-based computing (SBC) and VDI at the same time. The trouble is that many architecture have you managing the two environments completely separately. But with Sun VDI Software 3.1, Windows Server 2003 and 2008 can be desktop providers. This means you can choose to assign any combination of VDI and SBC desktops to each of your users and manage the assignments from one management interface.
• Sun Desktop Access Client
• Sun VDI Software has leveraged both Sun Secure Global Desktop Software and the Microsoft Remote Desktop Connection client to provide access from Windows PCs. With version 3.1, we add the Sun Desktop Access Client into the mix (no, we haven't dropped SGD or RDC support!). The Sun Desktop Access Client is a purpose-built piece of software that installs on Windows PCs and allows direct access to Sun VDI Software without any further server configuration or setup. It also leverages the exact same protocol as our award winning Sun Ray clients. It's simple, high performance, and allows you to seamlessly shift your virtual desktop session between a Sun Ray client and a PC.
• Enhanced Adobe Flash media support
• For a virtual desktop to be truly useful, it needs to approach the capabilities of a full desktop PC. A traditional stumbling block for any sort of remote access technology is high performance video and animation. With this release, Adobe Flash content is accelerated for both Sun Ray clients and Sun Desktop Access Client enabled PCs.
• USB direction for Windows XP
• If you're using a Sun Ray client and Windows XP as your virtual desktop operating system, you can now plug many USB devices into your Sun Ray client and they show up automatically in your Windows XP session.

There are lots of other smaller updates, too. For the full skinny, please read the  full product documentation and enjoy the new release!

-Chris 

Fat Bloke — Sun VirtualBox 3.0.12 released!

In the spirit of, "Hey we fixed a bunch of bugs, why hold on to them?" VirtualBox 3.0.12 was released today.

You could read about the fixes or just go get the new version. 

-FB