Server sprawl is a compelling reason for organizations to look
into virtualization. Running many virtual machines on the same hardware
can save money and reduce administration overhead. But there's a catch.
Because virtual machines (VMs) are so easy to build, duplicate and
deploy, many organizations end up trading server sprawl for VM sprawl.
Also, it's not unusual for users to learn of virtualization and end up
building and deploying VMs without the knowledge of their IT departments,
resulting in a plethora of unregulated systems. In this article, I'll
describe some of the problems that this can cause and offer suggestions
on how IT departments can rein in and manage virtual machines.
Benefits of VM standardization
With the rise in popularity of virtualization products for both
workstations and servers, users can easily build and deploy their own
VMs. Often, these VMs don't meet standards in the following areas:
- Consistency: End-users rarely have the expertise (or
inclination) to follow best practices, such as enabling only necessary
services and locking down their system configurations. The result is a
wide variety of VMs that are deployed on an ad-hoc basis. Supporting
these configurations can quickly become difficult and time-consuming.
- Security: Practices such as keeping VMs up-to-date and
applying the principle of least privilege will often be neglected by
users who deploy homegrown VMs. Often, the result is VMs that are a
security liability and that might be susceptible to viruses, spyware
and related problems that can affect machines throughout the network.
- Manageability: Many IT departments include standard
backup agents and other utilities on their machines. Users generally
won't install this software unless it's something that they
specifically need.
- Licensing: In almost all cases, operating systems and
applications require additional licenses. Even when end-users are
careful, situations that involve client access licenses can quickly
cause a department to become noncompliant.
- Infrastructure capacity: Resources such as network
addresses, host names and other system settings must be coordinated
with all of the computers in an environment. When servers that were
formerly running only a few low-load applications are upgraded, they
tend to draw more power (and require greater cooling). IT departments
must be able to take all of this information into account, even when
users are creating their own VMs.
Creating a VM library
One method by which organizations can address VM sprawl is to create
a fully supported set of base virtual machine images. These images can
follow the same rigorous standards and practices that are used when
deploying physical machines. Security software, configuration details
and licensing should all be taken into account. Procedures for creating
new virtual machines can be placed on an intranet, and users can be
instructed to request access to virtual hard disks and other resources.
Enforcement is an important issue, and IT policies should
specifically prohibit users from creating their own images without the
approval of IT. This will allow IT departments to keep track of VMs,
along with their purposes and functions. Exceptions might be made, for
example, when software developers or testers need to create their own
configurations for testing.
Designing base VM images
The process of determining what to include in a base VM image can be
a challenge. One goal should be to minimize the number of base images
that are required, in order to keep things simple and manageable.
Another goal is to try to provide all of the most commonly used
applications and features in the base image. Often, these two
requirements are at odds with one another. Figure 1 provides an example
of some typical base images that might be created. Base images will
need to be maintained over time, either through the use of automated
update solutions or through the manual application of patches and
updates.
Figure 1: Sample base VM images and their contents.
Supporting image duplication
With most virtualization platforms, the process of duplicating a
virtual machine image is as simple as copying one or a few files. But
there's more to the overall process. Most operating systems will
require unique host names, network addresses, security identifiers and
other settings. IT departments should make it as easy as possible for
users to manage these settings, because conflicts can cause major havoc
throughout a network environment.
One option is for IT departments to manually configure these
settings before handing over a VM image to a user. Another option is to
use scripting or management software to make the changes. The
details depend on the operating system, but many operating
systems offer tools that can be used to handle the deployment of new
machines. One example is Microsoft's Desktop Deployment Center,
which includes numerous utilities for handling these settings (note
that most utilities should work fine in virtual machines, even if
support for virtualization is not explicitly mentioned).
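The following added example (not from the original article) sketches the kind of audit an IT department could run over a VM inventory to catch the two problems described above: copied images that still share a host name, network address or security identifier, and VMs that were not built from an approved library image. The field names, image IDs and inventory records are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data: base images published in the IT-managed library.
APPROVED_BASE_IMAGES = {"base-win-server", "base-win-desktop"}

# Constructed inventory (hypothetical field names), as might be exported from
# a management console. fin-app-02 is a file copy of fin-app-01.
INVENTORY = [
    {"vm": "fin-app-01", "hostname": "FINAPP01", "ip": "10.0.4.21",
     "sid": "S-1-5-21-1111-2222-3333", "base_image": "base-win-server"},
    {"vm": "fin-app-02", "hostname": "finapp01", "ip": "10.0.4.22",
     "sid": "S-1-5-21-1111-2222-3333", "base_image": "base-win-server"},
    {"vm": "dev-test-07", "hostname": "DEVTEST07", "ip": "10.0.4.22",
     "sid": "S-1-5-21-4444-5555-6666", "base_image": None},
    {"vm": "hr-desk-03", "hostname": "HRDESK03", "ip": "10.0.4.30",
     "sid": "S-1-5-21-7777-8888-9999", "base_image": "base-win-desktop"},
]

# Settings that must differ between machines on the same network.
UNIQUE_FIELDS = ("hostname", "ip", "sid")


def find_identity_conflicts(inventory):
    """Return {(field, value): [vm names]} for each value used by 2+ VMs."""
    seen = defaultdict(list)
    for rec in inventory:
        for field in UNIQUE_FIELDS:
            value = rec.get(field)
            if value:  # a missing value is a gap in the data, not a match
                # Compare case-insensitively: FINAPP01 and finapp01 collide.
                seen[(field, value.strip().lower())].append(rec["vm"])
    return {key: sorted(vms) for key, vms in seen.items() if len(vms) > 1}


def find_unapproved(inventory, approved=APPROVED_BASE_IMAGES):
    """Return names of VMs whose base image is missing or not in the library."""
    return sorted(r["vm"] for r in inventory if r.get("base_image") not in approved)


def audit(inventory):
    """Combine both checks into one report."""
    return {"conflicts": find_identity_conflicts(inventory),
            "unapproved": find_unapproved(inventory)}


if __name__ == "__main__":
    report = audit(INVENTORY)
    for (field, value), vms in sorted(report["conflicts"].items()):
        print(f"CONFLICT {field}={value}: {', '.join(vms)}")
    for vm in report["unapproved"]:
        print(f"UNAPPROVED base image: {vm}")
```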
Building disk hierarchies
Many server virtualization platforms support features that allow for
creating virtual hard disks that are based on other virtual hard disks.
Remembering that the goal is to minimize the number of available images
while still providing as much of the configuration as possible, it's
possible to establish base operating systems and then add on options
that users might require. Figure 2 provides an example for a
Windows-based environment.
Figure 2: An example of a virtual hard disk hierarchy involving parent and child hard disks.
Keep in mind that technical restrictions can make this process less
than perfect. For example, a base virtual hard disk cannot be modified,
so if you need to add on service packs, security updates or new
software versions, you'll need to do that at the child level.
Summary
Overall, by using virtual machine libraries, IT departments can make
the process of creating and deploying virtual machines much easier on
end-users. Simultaneously, they can avoid inconsistent and out-of-date
configurations, just as they would with physical computers. The end
result is a win-win situation for anyone looking to take advantage of
virtualization.