At VMworld Europe 2009, I got to speak with Joel Stocker about Citrix’s new client hypervisor, codenamed Project Independence. Joel is Senior Technical Product Manager of the Virtualization and Management Division. I got a demo of the client hypervisor and we got into a nice discussion about this new product.
First, one should keep in mind that this article is based on an early alpha version. Citrix is planning on releasing a tech preview this summer and a first release is planned for November 2009. Therefore, don’t read this as a product review, instead; use it as a view on what is coming and as my view on what I think might be missing. I discussed some of my opinions on this with Joel and he told me he is going to look into some of the things we discussed.
An overview of the client hypervisor
The Citrix client hypervisor is a Xen-based hypervisor and will have primary / parent partition that will boot first and will be used to access the hardware. Dual boot between primary OS with hypervisor and primary OS without hypervisor is possible. Right now only Windows XP, Vista and Windows 7 are supported in the primary partition.
After the primary partition is loaded, the other partitions (virtual machines) can be managed through a web interface in the primary partition. This interface integrates with XenDesktop (VDI) and XenApp (Presentation Server), which gives the user great control over what technique to use, depending on the device he or she is or the location. The user will also be given the option to check out a VM to take it on the road.
Once one or more virtual machines have been started, the user can switch between them using CTRL+1, CTRL+2 through CTRL+9. A guest OS running in a virtual machine, will have access to virtual hardware through the primary partition using emulated hardware, just like with XenServer and Hyper-V. At this point there were no Linux drivers available, but they are to be expected in the final release.
The demo I have seen, only offered limited hardware support for graphics, network and disk but Joel assured me that support for USB, Wireless networking, Power Management, etc, is being worked on very heard.
A really great feature is the possibility to “publish” an application from a VM into the primary session. In this way, for example MS-Word can run inside a VM but is shown on the primary session. Citrix is using its ICA technology for this and client drive mapping is also possible in this way.
For a client hypervisor, I think, it is a waste of resources that always the primary partition has to be running. With a server based hypervisor that uses a primary partition, this partition normally holds the essential tooling and takes care of some household tasks for the hypervisor. Only stuff that is really needed will get installed in this primary partition. Memory usage of this primary partition is relatively low compared to the total available memory in the host.
In the client hypervisor concept, there is an essential difference however. Memory in a desktop or laptop is normally the one thing you’re always short of. With Citrix and others promoting the BYOC (Bring your own Computer) concept, the primary partition will often hold the users “private” OS. The OS that he or she will use to install all the stuff he downloaded from unknown sources, the OS that will hold pictures of family, etc. If it is anything like my home pc, Vista will already claim at least 1GB of RAM after startup. This memory is no longer available to secondary partitions that will be started. And just as having a memory claim there will be a (small) cpu claim from all those handy little programs that start on Windows boot and will keep on running when switching to your business VM, as the BYOC-concept wants you to do. I would very much care for a very small OS that is just enough to load the hypervisor and then offer the user a choice of VMs to be started. As busybox is used as hypervisor OS for the Citrix Client hypervisor, why not make this bootable?
The concept of BYOC addresses most security issues by stating that the VMs are completely isolated from each other and from the primary partition. I’m willing to accept that the network stack going through the primary partition is safe enough, but if this primary partition is needed to boot the whole client hypervisor, present the web interface and manage the VMs, isn’t this “dirty home OS” primary partition connected to your business network then? There should be some kind of firewall in between that is managed by the hypervisor that can detect the business network and isolate this primary partition from the business network. At this point Citrix has no solution for this.
One could choose to use a more secure install in the primary partition and move the “dirty home OS” install into a VM, but you will then lose the 3D graphics support. Only the primary partition can fully use the GPU, the other partitions (VMs) will be able to use emulation for the graphics adapter, but it is not sure if at the first release, there will be full 3D support in the VMs. Knowing that it took VMware quite some time to implement 3D support in their VMware Workstation product, I wonder if we can see full 3D support for the VMs in the Citrix client hypervisor real soon.
Another point on security is that the data on the user’s computer, including the Virtual HardDisks (VHD’s) of the corporate VMs is not encrypted. A user losing his or her laptop with a corporate (checked out) VM on it, will probably hold sensitive data saved in the VHD files. And thanks to worldwide standards these VHD files will be very easy to copy and access by other systems. This certainly is a point Citrix should take a look at.
Beta and concept
Now I do know that what I have been looking at is a very early beta or even alpha version, but this version does show the design Citrix is thinking of. By each new beta release, the technique will become more robust and performance will get better. But if they don’t add some changes to the design, the end product will lack some necessary features to make the Citrix Client Hypervisor the success it can be.