The troubling Heartbleed SSL vulnerability that’s causing a stir this week also affects many VMware products.
The weakness in the OpenSSL library revealed this week affects 66% of Web servers and allows anyone to read the memory of systems secured with the problematic OpenSSL software. The problem had gone undetected for two years and analysts are confirming it’s as bad as advertised, potentially putting millions of passwords and other secure information at risk.
In a KnowledgeBase article, VMware listed its products that have shipped with the vulnerable OpenSSL 1.0.1. They include ESXi 5.5, vCenter Server 5.5 and vCloud Automation Center 5.1.x and 5.2.x. Earlier versions of ESXi and vCenter Server are not affected.
Microsoft supporters are having a field day with the news, quick to point out that Hyper-V and Azure aren’t affected and poking fun at VMware’s prior claims of being more secure. So just how big of a deal is this for shops running VMware?
“It’s both a fantastically world-ending, huge deal that we should consider turning the Internet off for — and not a big deal at all,” said Trevor Pott, IT consultant for eGeek Consulting.
The potential vulnerability is scary, but not necessarily because VMware’s products are affected.
“The thing is, vSphere is rarely open to the outside world,” Pott said. “So, theoretically I could crack your SSL if I was sitting on your network sniffing your traffic. But if I’m behind your firewall sniffing your network traffic, you’ve got bigger problems than this.
“VMware and everybody who was vulnerable to this had the code to fix it in hours. So that means, if there isn’t a patch out for VMware’s products yet, there will be in a matter of days.”
Any Internet-facing device, including the dozens or hundreds found on a corporate network, is potentially at risk, but virtualized workloads may actually be easier to protect, Pott added.
“In a virtual environment, I can easily stand up a firewall in front of systems that I can’t patch, and I can essentially create an SSL proxy where the proxy facing the Internet is, in fact, patched,” he said. “The fact that I’m in a virtual environment means I could stand up a solution to this in minutes.”
Hot on the heels of its AirWatch acquisition and end-user computing group shakeup, VMware has made another big-name move.
The company has hired Chris Wolf, one of the most well-known virtualization analysts in the industry, as its chief technology officer (CTO) for the Americas. Wolf joins VMware after four years at Gartner, where he was a research vice president focused on private cloud computing and virtualization. He previously worked as an analyst for the Burton Group, which Gartner acquired in 2010, and as an independent consultant.
In a blog post announcing his move, Wolf said he wants to continue to advocate for VMware users as he did at Gartner.
“In a world of growing technological complexities and rich automation, the last thing you need is a vendor selling you something,” he wrote. “You need a partner that wants to be there with you and share in your successes.”
Wolf’s hiring is the latest in a series of major changes at VMware, as the server virtualization market leader now tries to move into the cloud and end-user computing (EUC) markets. Let’s take a look at the moves made in just the past three weeks:
- Jan. 6: VMware replaces EUC CTO Scott Davis with Kit Colbert, a rising star within the company, and hires two veteran execs away from rival Citrix.
- Jan. 8: VMware promotes Ben Fathi, senior vice president for research and development, to its primary CTO position. That seat had been vacant since Steve Herrod left the company a year ago.
- Jan. 22: VMware acquires AirWatch, one of the leading enterprise mobility management vendors, for $1.5 billion.
As someone who has never worked for a vendor, Wolf should provide a fresh perspective at VMware. He has not been afraid to criticize the company in the past, especially when it comes to branching out into new areas. Before VMworld 2013, he asked if VMware was more focused on its hardware partners than its customers in its push to build software-defined data centers.
“Ten years ago VMware didn’t care who it offended,” he wrote. “Along the way server hardware vendors had no choice but to partner with them. … In the process of becoming a ‘big company,’ VMware lost its inner voice.”
And during the conference, Wolf told us that VMware didn’t do a good enough job explaining what software-defined data centers are and how customers can build them.
“They started to paint a picture that we have to start defining data centers in software, but I don’t think VMware went far enough,” he said.
What do you think about VMware hiring Chris Wolf? Let us know in the comments.
VMware will offer a commercial version of Project Serengeti, its open source initiative to run Hadoop workloads in virtual infrastructures.
The new Big Data Extensions plug into vSphere and allow administrators to deploy, monitor and manage Hadoop clusters on VMs directly from vCenter. The extensions are also designed to improve the performance of Hadoop, the popular open source big data analytics platform.
“We’re making Hadoop a first-class citizen on vSphere,” said Fausto Ibarra, a senior director of product management at VMware. “It’ll be just like any other workload.”
Hadoop and other big data platforms typically require dedicated hardware, which can be cost-prohibitive for smaller organizations and also raises concerns around reliability. VMware released Project Serengeti last year to address these problems, and the Big Data Extensions further that cause by adding full enterprise support.
In preparation for today’s public beta release of the Big Data Extensions, VMware earlier contributed code to the Hadoop community that optimizes Hadoop’s placement of data when running on virtual infrastructure, Ibarra said. The vendor also worked with the makers of the leading Hadoop distributions to share virtualization best practices.
The Big Data Extensions support the following Hadoop distributions:
- Apache Hadoop 1.2
- Cloudera 3 Update 6
- Cloudera 4.2
- Hortonworks Data Platform 1.3
- Mapr 2.1.3
- Pivotal HD 1.0
The Big Data Extensions will be generally available by the end of the year. VMware also announced that Pivotal HD, its parent company EMC’s Hadoop distribution, has received VMware Ready certification.
VMware will cut 900 jobs as it rationalizes its product portfolio in the course of the coming year, executives said on the company’s earnings call Monday night.
VMware has added 6700 employees in the last three years, and the overall headcount by the end of fiscal 2013 is still expected to be up by 1000 despite the job cuts, officials said. The company ended 2012 with 13,800 employees.
VMware CEO Pat Gelsinger said at the beginning of the call that VMware would realign itself around three “growth priorities”: the software-defined data center, the hybrid cloud, and end user computing. Product expansion is expected in management, networking, security, storage and high availability.
VMware has made a $30 million investment in IT automation software maker Puppet Labs, the better to develop new integration between Puppet and its virtualization and cloud management software.
Puppet can already manage VMware’s vSphere virtual machines, as well as its Application Director. The goal of the new investment is to create direct provisioning hooks between Puppet and VMware’s management products this year, which include vCloud Automation Center, vCenter Operations, and vCenter Configuration Manager, according to Puppet Labs CEO Luke Kanies.
“They’re good at managing the VM as a unit, and we’re good at looking at the VM and making sure it’s going to do what it’s supposed to do,” Kanies said.
Puppet, available in open source and Enterprise editions, allows systems administrators to determine how they want their infrastructure to look and then carries out the necessary steps automatically, allowing for fast, repeatable systems provisioning, configuration and management.
This is VMware’s second investment in Puppet Labs in the last 18 months; in November 2011 it joined Google and Cisco in an $8.5 million round of financing for the company.
Puppet does work with other kinds of hypervisors and cloud management systems, including Citrix’s CloudStack, OpenStack, Red Hat Enterprise Virtualization, and Amazon Machine Images. Recently, the company talked with Microsoft as well, Kanies said, but 90% of Puppet’s customers are VMware users.
That said, Kanies dismissed the idea of Puppet becoming a VMware company.
“The fact that we integrated with OpenStack doesn’t mean we’re becoming a cloud company,” he said.
A new online calculator says VMware’s server virtualization software is more expensive than Microsoft’s. The surprising source behind the calculator is VMware.
The new calculator’s results, highlighted by Microsoft in a gloating blog post, show vSphere 5.1 Enterprise Plus as 19% more expensive than Hyper-V 3.0 with System Center 2012 when running 100 virtual machines (VMs) with an iSCSI SAN. Other configurations, such as running 150 VMs on NAS, also show VMware to be more expensive (by 6% in that particular case).
While embarrassing for VMware, this development is just one tiny part of bickering that has been going on for quite a while. And even these favorable calculator results are not good enough for Microsoft. In last week’s blog post, VMware’s rival insisted the findings are still off, particularly when the full vCloud Suite is taken into account.
Has anything really changed?
This summer’s SearchServerVirtualization.com special report on VMware and Hyper-V pricing and licensing found that the actual overall cost for the two platforms depends heavily on the size of the IT shop and the type of workload being virtualized.
It also found that the story doesn’t end there. For one thing, public-facing cost calculators are based on list prices, which enterprises rarely pay, thanks to Microsoft and VMware’s deep discounts.
Some shops may find the cost savings enticing enough to swap out one hypervisor for another, but VMware also remains the incumbent vendor in most enterprise shops, and the costs of switching have many users saying Microsoft’s savings aren’t worth it.
It’s also important to remember that VMware and Hyper-V don’t match feature for feature, especially with several of Windows Server 2012’s Hyper-V advanced features still waiting on System Center Virtual Machine Manager 2012 Service Pack 1 to be put to the test.
VMware has not responded to multiple requests for comment about its online calculator.
Update: VMware published a blog post yesterday called “Flawed Logic Behind Microsoft’s Virtualization and Private Cloud Cost Comparisons” which says that in the more common configuration of 128 GB memory server hardware, VMware vSphere remains on par with or cheaper than Hyper-V, and concludes that the Microsoft blog post pointing out the calculator’s findings “is yet another attempt to artificially inflate VMware’s prices and distract customers from the shortcomings of their own products.”
VMware has issued yet another patch – the fourth in the last week – to correct problems in vSphere 5.1. This time, it’s for vSphere Replication.
The fix in vSphere Replication 22.214.171.124 is twofold, according to a VMware blog post: correcting installation problems, and allowing the software to actually recover virtual machines at a secondary site when the primary machine is down, disconnected from the network or loses access to storage.
The fix for the recovery feature addresses syncing recent changes to a VM over to the secondary site in the event of a failure. When vSphere Replication 5.1 is used as a standalone product, outside of VMware Site Recovery Manager (SRM) deployments, the sync fails, and so the entire recovery fails, according to a VMware Knowledge Base article.
This fix follows patches issued last Monday that finally allowed compatibility between vSphere 5.1 and VMware View 5.1, as well as compatibility between vCenter Converter Standalone and vSphere 5.1, and then another issued last Thursday which addressed widespread issues with single sign on and custom SSL certificates in vCenter Server.
VMware pros say the number of patches required for this release is unusual.
“5.1 was hugely rushed. Quality was non-existent,” said Derek Seaman, a vExpert working for a major telecom, whose blog has been a source for corrections to SSL certificate documentation.
Some partners say the serial nature of these patch releases has only aggravated users’ frustration.
“I realize that these were important patches and updates, but a few days’ delay and simultaneous release would have been viewed in a better light,” said Tim Antonowicz, senior architect at VMware partner Mosaic Technology in Salem, NH. “A coordinated effort, where the patches were bundled into a single release event covering several products, would make much more sense to customers.”
VMware has released a software update to vCenter Server and a new package of documentation meant to address widespread problems with single sign on and SSL certificates uncovered by users of vSphere 5.1.
However, since the patch was released last Thursday, VMware bloggers who have gone over the release notes with a fine-toothed comb have pointed out some ‘gotchas’ and open questions pertaining to the purported fix.
Earlier this month, VMware shops were up in arms over problems with the vSphere 5.1 Single Sign-On feature, which is now a required part of vCenter Server 5.1 installation. Problems included failed vCenter services on startup and an inability to log in to vCenter Server.
Various failure scenarios and the login issue are resolved issues in vCenter Server 5.1.0a.
But there are also new issues brought up in the release notes that hadn’t been publicly documented before, according to a blog post by Maish Saidel-Keesing, a virtualization architect for an Israeli technology company.
These issues include added overhead to the installation process – VMware recommends using an independent installer at this point rather than a simple installer, for example, and requires manually created database users rather than automatically created ones.
“It is good to see that VMware have fixed some problems with the installation process,” wrote Saidel-Keesing. But he’s still left asking, “Was the release rushed out – so that these issues were not addressed beforehand?”
Michael Webster, a VMware Certified Design Expert and director of IT Solutions 2000 Ltd., a VMware consultancy based in Auckland, New Zealand, noted in a blog post that there’s still a ‘gotcha’ with SSL certificates in a certain scenario:
when vCenter system is an all in one configuration with everything on the same VM and using a local [Microsoft] SQL Server database. Update Manager will not be able to log into or register with vCenter when the SSL certificates have been changed. This prevents you from updating the SSL certs for Update Manager and Update Manager may no longer work. This does not appear to occur when the MS SQL Server database is remote.
For that reason, Webster says he is recommending that clients place vCenter Server and the SQL Server database on separate VMs, even in small environments.
In the meantime, Webster is building his own utility for SSL certificate management, called vCert Manager, which will allow completely automated management of SSL certificates in a vSphere environment.
SAN FRANCISCO — If this whole virtualization thing doesn’t work out, several VMworld 2012 attendees will have photography careers to fall back on. People at VMware’s annual conference this week took and shared hundreds of images on the mobile photo-sharing service Instagram, and quite a few came out pretty good.
We scoured Instagram for photos that either used the #vmworld hashtag or used the service’s location-based check-ins to say they were at VMworld. Here are nine VMworld Instagrams that stood out:
VMworld seems to get bigger every year, and with each leap in growth comes some overcrowding. Some years, it’s been long lines to get into first-come, first-serve sessions, for example. And perennially, according to attendees, Hands on Labs at the show have issues on the first day.
This year was no exception. There were widespread reports on Twitter Sunday that the wait for Hands on Labs could exceed 3 hours.
“Apparently there is a script that kicked off the provisioning of all the lab VMs. However, even though the script returned a positive status, the VMs were not actually started up.
“Then about 3:45PM the hosting site that had the HOL manuals died. 60 minutes into my lab, after waiting 4.5 hours, it totally fell flat and died. So that was 5.5 wasted hours,” reported one attendee.
The holdups at the Hands on Labs were such an issue that attendees reportedly appealed directly to incoming CEO Pat Gelsinger in a Q&A session Sunday to fix the problem.
Meals for attendees were also a point of contention this year. Granted, accommodating 20,000 people, even at a venue like Moscone, must be difficult. But Monday’s breakfast saw many attendees forced to find a place on the floor to eat due to inadequate seating in Moscone West. Attendee lunches in Yerba Buena Gardens were a nice idea, but again, users found themselves pulling up a spot of pavement on which to have their boxed-lunch picnics.
Maybe next year, attendees will get a few more creature comforts for their admission fee.