Virtualization has taken the one-to-one relationship of the physical server to operating system and turned it into a one-to-many relationship between the physical server and multiple guest operating systems running on the hypervisor. As the management frameworks for running these guest operating systems within the hypervisor mature, creating in essence the “virtualization layer,” we are seeing an increasing amount of choice as out-of-the-box virtual appliances and purpose-built virtual servers catch fire in the market.
What is key here is the shift to a focus on the workload running on the guest OS – not the underlying OS. Despite some vendor prognostications / protests, I predict the shift to a focus on the workload, meaning the applications / services the business cares about, will continue and the OS will become more commoditized. The key to success in this shift is meeting expectations of customers that the appliance or virtual server should just work with their existing legacy systems and processes. If I spin up a virtual appliance, it must support seamless migration from (or integration with) legacy systems.
What is Likewise doing to support this shift? Today Likewise provides platform interoperability for improved authentication and access control in virtualized environments for more than 75% of the hypervisor market (if you combine market-share for VMware and Citrix). Here’s what we do for each:
VMware embeds Likewise Identity Services to allow Microsoft Active Directory users to log in to ESX/ESXi hosts. VMware notes in a recent announcement, “As customers continue on the journey to cloud computing, they need to leverage existing security infrastructure for their virtualized environments,”
Citrix embeds Likewise Identity Services in XenServer, noting in a recent announcement, “It’s critical to provision users, applications and computing resources so that our virtualization technology has the same high levels of security as actual physical hardware.”
Likewise Enterprise then goes a step further, allowing users to manage authentication, access control, group policy, and reporting for demonstrating compliance for audit purposes across the physical and virtual environment, including the hypervisor and guest OS. That end-to-end control allows organizations to address security, one of the main impediments to virtualization adoption.
With our focus on platform interoperability, we’re helping those progressing down the virtualization path focus on the workloads they are running, and doing our part to make the choice of what operating system on which to run a workload ubiquitous.
Interesting article on virtualization and the cloud by Amy Newman at ServerWatch.
Aside from covering the news (Red Hat/IBM and VMware/Likewise announcements) Amy makes some prognostications of how the virtualization market may play out over time:
Interesting. Especially interesting for Likewise, as we work with all four of these companies. We license portions of our technology to both VMware and Citrix; we partner with both Red Hat and Microsoft. We know all of these companies very well.
Increasingly I’ve heard our customers discuss their Likewise deployments in context with their cloud initiatives. Here’s my take on the cloud, enterprise computing, and Likewise:
The one thing I know for sure is that the winner of the virtualization/cloud scrum will embrace cross-platform computing. CIOs want to work with companies that make the various platforms work well together, not ones that make the problem worse.
Many of our customers tell me that Likewise is in a great position for the cloud computing revolution. I agree.
Here’s some more color on our work with integrators. While we work with IBM Global Services, Accenture, and Avanade on many of our largest projects involving Likewise Enterprise, we also have seen robust growth in our work with regional integrators, many of whom have deep expertise in open source as part of their practices.
Here’s a great Likewise write up from TooMuchGreen, a Leeds, UK based integrator focusing on Linux, LAMP, and open source solutions: http://toomuchgreen.eu/2010/01/wise-up-with-likewise/
“Likewise [Open] is a superb, quick and easy utility for both Linux and Mac which allows authentication (single sign on) to a Microsoft Active Directory network…”
One of our other integrators once wrote me an e-mail with the following equation:
Linux + LAMP + Likewise = goodness.
Amen. The reason for this “goodness” is that we have offerings for system integrators that span projects large and small. Likewise Open is the best way to authenticate Linux, Unix, and Mac systems into Active Directory for any size of project. And it is free of licensing costs. For complex projects that require group policy, audit, reporting, and event management we have a simple upgrade to Likewise Enterprise.
Hot on the heels of the recent Windows 7 launch on Oct. 22, the latest version of the wildly popular Ubuntu distribution of Linux has finally arrived exactly a week later. Ubuntu 9.10, also known by its nickname Karmic Koala, builds on the successes of previous versions of Ubuntu that are easy-to-use and freely available. Both Windows 7 and Ubuntu 9.10 are highlighting a few similar areas of improvement, namely the startup time for the OS, quicker access to data and files, and improved ease-of-use overall. Separately, Windows 7 and the recent Mac OS X Snow Leopard were made to be leaner than their bloated predecessors. This has never been an issue for Ubuntu.
It will be interesting to see the various comparisons that will be done for these OSs in the tech publications over the coming months. One thing for certain is that users will benefit from all these new OS-related innovations in 2009 alone. Isn’t competition great for the marketplace?
However, as Barry mentioned in his previous post, the game isn’t as much about the OS anymore, but has shifted more toward virtualized environments in the enterprise. Ubuntu Server edition happens to be a major player in these environments.
As users and businesses consider the deployment and use of Karmic Koala for evaluation purposes or on production systems, it becomes crucial that desktops, servers and virtual systems are properly authenticated, governed by group policies, centrally managed, and covered by event logs and reporting. Likewise makes it a simple process for IT administrators to join Karmic Koala systems to a corporate network managed by Microsoft Active Directory.
Ubuntu 9.10 is supported by Likewise today. You can find Likewise Open in the Karmic Koala repositories, or on our website.
Likewise’s roots with the Linux community go deep — back to the very beginning of the company. If you’re partial to penguins and working in a Windows world, there’s a pretty solid chance that you have heard of Likewise before. You may have even downloaded and tried out our Likewise Open. (If you haven’t—check it out—it’s free!)
Some of our key developers at Likewise and Krishna Ganugapati, our VP of Engineering, will be headed down to LinuxCon next week in Portland. Along with participating in the conference, Likewise will also have a table where you can meet some of the engineers and talk about interoperability between Linux and Windows.
If you’re headed to Portland, stop by the table and say hi!
What and why
Likewise-CIFS is a Linux and Unix-based file server that seamlessly integrates with Windows clients (as well as Mac and Linux clients). CIFS stands for “Common Internet File System”; often this functionality is also referred to as an SMB server because it utilizes the Server Message Block network protocol. We initially developed a CIFS client as part of our Likewise Open and Likewise Enterprise development effort. Other existing approaches had limitations particularly in scalability, platform support, and diagnostics. After we previewed our CIFS client work to several of our large Likewise licensees, they strongly encouraged us to expand the scope of our effort to include a CIFS/SMB server. Hence Likewise-CIFS was born.
Who
Our clear target for Likewise-CIFS is large, high-end technology companies that build solutions on top of Linux or Unix servers but require interoperability with Windows. Likewise-CIFS offers these companies the best fully-interoperable server platform in the industry in terms of scale and performance. In our lab, we currently are able to demonstrate over 10,000 concurrent sessions (meaning 10,000 users connected to a single server). This is an order of magnitude greater than other approaches and one of the primary reasons we’re getting so much interest in Likewise-CIFS. We view our primary consumers of this technology to be other technology providers, but we have also seen interest in Likewise-CIFS from other organizations that have very high-end performance requirements.
Dual License
Likewise-CIFS (currently in early beta) has been and will be released under the GPL v2 license. We also can license it under a commercial license to organizations that require a commercial license. Here’s a link to the code: www.likewiseopen.org or directly at git://git.likewiseopen.org
Progress and Community
Even though our formal Likewise-CIFS release is still several months away (Sept. 2009 target) we have already signed several significant deals with large, household name IT providers. (We’ve not announced these deals publicly yet). In addition to revenue, these deals have provided us a terrific opportunity to exercise our code in some of the most demanding computing environments that exist. And, we’re now getting code contributions from others providing us with a growing community of developers committed to the success of this Likewise initiative.
Focusing on Broad Interoperability Problems
This is one of several moves that you will see from us as we build on the great success of Likewise Open and Likewise Enterprise. Likewise exists to solve problems that exist between Windows systems and non-Windows (Linux, Unix, and Mac) systems. While there is much talk in the industry, at times there is a shortage of the real foundational pieces that are required to make it all work. Likewise-CIFS is one of these important foundational technologies for broad interoperability between mixed platforms.
Likewise execs will be attending the Burton Catalyst Conference in San Diego this week. The Burton Group analysts are extremely knowledgeable in the Active Directory Bridge Category and their insights have been very helpful to us.
Along with the Identity Management and Virtualization tracks of the conference sessions on Wednesday-Friday, two specific sessions are interesting to us:
On Monday, July 27th, Mark Diodati, a senior analyst for Burton Group with emphasis in identity management and authentication, will deliver a session titled Active Directory Bridge Products: Getting More Value from the Windows Infrastructure:
Then, Thursday, July 30th, at 11:15pm, John Matthew will deliver a session titled Case Study: Bridging the Gap between Active Directory and non-Windows Systems and Servers. John is an IT Project Manager for NBC Universal, and will talk about how NBC used Likewise to solve their AD integration problems. Here is the abstract:
Today’s complex IT environments are more diversified than ever, incorporating greater numbers of Windows, Unix, Linux and Mac-based hardware. The need exists for solutions to bridge the gap between Microsoft’s Active Directory, the most common directory and authentication technology in the Enterprise, and non-Windows systems and servers.
When NBC Universal’s IT SWAT team was looking for a way to securely authenticate their Unix and Linux servers with Active Directory, they turned to Likewise Open. This solution gave them a cost-effective way to join these servers with the directory saving them countless hours of administering accounts on separate systems.
If you happen to be attending the conference, make sure to stop by and check out either of these sessions – and if you see us, say hello.
I’m at OSBC (Open Source Business Conference) and sat through an interesting session run by Chris DiBona, Google’s Open Source Program Manager, and Dirk Hohndel, Intel’s Chief Linux and Open Source Technologist (Intel is an investor in Likewise) (his blog: http://www.hohndel.org/communitymatters/). The topic: “Where’s the Risk, Exactly?” Meaning where is the risk to organizations that are using and developing with Open Source Software.
The risk question, as the CEO of a business with an Open Source business and development model, is one that I’m asked with some regularity. Chris and Dirk certainly got the details right; I’d like to add on with actionable information. I worry at times that overloading the uninitiated with the minutia of the ins/outs of OSS licensing can freak out mainstream organizations that are considering moving to OSS. And if you believe the analyst numbers presented in a couple of the keynotes, our economic climate is accelerating Open Source adoption in organizations of all sizes, so this is an important time to help folks figure out how to correctly use and develop with Open Source.
The licensing minutia does matter and if you get it wrong, particularly if you’ve not even tried to get it right, this can lead to pain and misery and even the loss of a job if you’re a technology leader and this badness happens under your watch. That said, it isn’t difficult to get it right and here is some actionable advice to organizations that are considering Open Source Software for the first time:
1. Get a pragmatic, Open Source savvy attorney and listen to them. I can make an excellent referral to ours if you like. If the attorney you’re working with advises you that it is risky to use open source it is probably safe to say that they are not open source savvy.
2. Get a business oriented and Open Source-experienced project manager. There are details that need to be gotten right and someone that has experience in these areas will help things go smoothly for your project.
3. Scan your code. Here is one company that does this:
http://www.blackducksoftware.com/
There are others. I won’t be surprised if you are surprised by the results of your first scan. Dirk has a test that is a good one: do your developers have illicit MP3 files on their computers? What makes you think that this isn’t true of illicit code snippets that they have downloaded? It is just the same, I assure you. This is good hygiene even for commercial software companies; as I said you’ll be surprised at what you find.
4. Train your developers on the basics of how to do Open Source the right way. If you are a small company this can be less formal. If you are a big company your lawyers will appreciate a fancy, formal, and detailed program.
5. Operate in good faith to do the right thing. Contribute back when you are required to and meet other license obligations as appropriate. If you don’t you can get a community of pissed-off developers and then not-necessarily friendly lawyers that may, and rightly so, make your life more complicated than you wish.
6. Work with quality Open Source Software vendors. Like Likewise. [Sorry for the quick plug.] Your life will be simpler in the long run.
Hope this helps!!
Barry
PS: Loved a couple of things from Ron Hovsepian’s (Novell CEO) keynote:
- 67% of prospects/customers rank interoperability between Linux and Windows as one of the top factors in selecting a server OS. Amen.
- Interoperability is one of the key issues for Linux in the data center. Double amen.
I’ve spent the past couple of days looking at IBM Tivoli Identity Manager (ITIM). One of our customers uses this product and wants us to be able to work with it. It’s pretty cool, but somewhat painful to get running. It’s a Web-based application so, naturally, it’s built on top of IBM Websphere. It needs a database where it can store authoritative identity information so, naturally, it needs IBM DB2. There’s the actual code itself, of course. Then there’s the “Directory Integrator” which can interface with other directory systems. Then there are “adapters” – I was using the Active Directory Adapter. It runs as a service, communicating with ITIM over http, ideally, over https (SSL). If you want to do the latter, you’ll need to install a certificate authority so that you can generate certificates for ITIM and the adapter. I used the “Rapid Install” option and it was pretty good, but only after I gave up trying to install on anything other than drive C (in Windows).
With all these components, I was pleasantly surprised that everything pretty much worked as expected. I’ve become accustomed to large systems being inherently flaky. ITIM was solid.
It was also pretty easy to modify ITIM. I took the AD adapter and was, relatively quickly, able to extend it to support the additional attributes that we use in AD. I also modified some forms to support input/modification of these attributes. It only took me a couple of iterations to get right (mostly, due to my own bad typing but also due to some unexpected changes in letter case). We can now use ITIM to provision and maintain accounts in AD that are usable by UNIX, Linux and Mac OS X machines outfitted with our Likewise Enterprise agent.
ITIM and other Identity Management Systems (IdMS) are a good idea for any company with a large number of employees that need computer accounts on many different systems. Although our software allows non-Windows systems to directly authenticate against Active Directory and, thus, eliminates the need to use an IdMS to provision UNIX, Linux and Mac OS X machines, an IdMS can still provide value to organizations that use Likewise software. First, an IdMS provides an established workflow for provisioning new user accounts. This workflow can include approval processes for any granting of extended privileges. Second, an IdMS typically can synchronize accounts on a wide variety of systems. A user might have an AD account, for example, but also an Oracle database account or an SAP account. Although Likewise facilitates consolidation on a single, AD-based, identity many applications still require that users be provisioned in their own user stores. With Oracle, for example, you can tell it that a user will be authenticated, externally, with Kerberos, but you still have to provision the user in Oracle in order to identify the user as such. Finally, IdMS systems can integrate with other HR systems, for example PeopleSoft or similar systems. These features allow an IdMS to be used as the “authoritative” source of account information. When an employee joins or leaves a company, the IdMS can help provision or deprovision the user’s accounts, as necessary.
Although there is some overlap between commercial IdMS systems and our Likewise software (both can be used to accomplish “single username/password” for Windows and non-Windows computers), I think that the combination of products is a powerful combination. By allowing all non-Windows systems to authenticate directly against AD, we eliminate the need to use the IdMS to update large numbers of individual UNIX/Linux/Mac OS X machines. Likewise also adds group policy and single sign-on features that an IdMS does not provide. By using Likewise coupled with an IdMS (instead of manually provisioning users in AD), a company can enforce proper account management processes in AD and can also provision non-AD systems and applications.
In my last post, I mentioned network and application monitoring as one of those best practices that’s unfortunately not practiced as often as it should be. The importance of monitoring systems cannot be overstated. You want to know that your computers are functioning as you expect them to and that the applications running on them are also functional. Note that these two are only slightly related and correlated. True, if a computer has crashed, the applications running on it have also crashed. On the other hand, just because your hardware and operating system are running doesn’t mean that your applications are. This is the essential difference between network and application monitoring. I’ll come back to this point later.
If monitoring is so important, why doesn’t everybody do it? Well, in a sense they do, but the poorest practice is to rely on human monitoring (i.e. waiting for your customers to tell you your computers are down). Why doesn’t everyone implement automated monitoring systems? To consider the answer to this question, let’s review how these systems work.
There are various ways of classifying monitoring systems. One way to classify them that’s relevant to this discussion is based on whether the system is agent-based or agent-less.
In an agent-based system, special monitoring software is present on every computer and network device that is to be monitored. This monitoring agent evaluates the health of the computer/device and signals to the central monitoring software when something is out of kilter. Monitoring agents can sometimes also be queried by the central monitoring console in order to provide operating metrics, for example, performance data or resource availability data. Because it’s the agent that detects anomalies and informs the monitoring console, these systems can also be considered push type systems; the agent pushes the data to the console.
Agent-less systems do not require any special monitoring software on the computers and devices that are being monitored. Instead, the monitoring software uses pull mechanisms to evaluate the health of a monitored entity. These mechanisms might consist of low-level network probes, for example, pinging a device, or higher level probes such as a specific HTTP request or an RPC call.
Agent-less systems are easier to implement, but agent-based systems are inherently more capable of evaluating system health as they have all operating system services at their disposal rather than just the ones accessible through external network means.
As a personal opinion, I also posit that agent-based systems are superior at hardware and OS monitoring whereas agent-less systems are ideal for application level monitoring. The former is typically more concerned about hardware and system services whereas the latter is concerned solely about whether applications are functional or not. How best to evaluate applications? Simulate their use and evaluate the quality of their responses. Say you are monitoring a banking application. What better way to determine whether the application is running properly or not than by simulating a user, bringing up the bank web site, performing a transaction and checking your balances. Remember to use dummy accounts set up for this purpose.
There are some decent agent-less monitoring systems. Nagios, for example, supports numerous network probes that can be used in clever ways. Writing new probes is relatively easy, too. Nagios, by the way, can support both agent-based and agent-less monitoring. SiteScope, formerly from Mercury, now from HP, is also pretty cool.
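To make the synthetic-transaction idea above concrete, here is an added example (my own illustration, not Likewise code and not a plugin shipped with Nagios) of a Nagios-style HTTP probe in Python. It logs in to the monitored web application with a dummy account, checks that the reply actually contains the balance line the application is supposed to render, times the round trip and returns the conventional plugin result (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). The “bank” it talks to is a constructed stub served on loopback so the script runs offline; the account, the /login path and the thresholds are assumptions.

```python
"""Nagios-style synthetic-transaction probe (added example, not Likewise code).

State codes follow the Nagios plugin convention: 0 OK, 1 WARNING,
2 CRITICAL, 3 UNKNOWN.  The "bank" is a constructed stub on loopback.
"""
import threading
import time
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Dummy monitoring account: constructed for the example, never a real customer.
PROBE_USER = "probe-user"
PROBE_PASS = "probe-pass-do-not-reuse"


def probe_balance(base_url, warn_ms=1000, crit_ms=3000, timeout=5.0):
    """Log in with the dummy account, fetch the balance page and grade the reply.

    A 200 status alone is not "healthy": the body must contain the balance
    line the application is supposed to render, and it must arrive in time.
    Returns (state, message) exactly as a plugin would print and exit them.
    """
    form = urllib.parse.urlencode({"user": PROBE_USER, "password": PROBE_PASS}).encode()
    req = urllib.request.Request(base_url + "/login", data=form, method="POST")
    started = time.monotonic()
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:            # 4xx/5xx: server spoke, app refused
        return CRITICAL, f"CRITICAL - HTTP {exc.code} from {base_url}/login"
    except (urllib.error.URLError, OSError) as exc:   # refused, DNS failure, timeout
        return CRITICAL, f"CRITICAL - cannot reach {base_url}: {exc}"
    elapsed_ms = (time.monotonic() - started) * 1000

    if status != 200:                                # other 2xx: cannot judge the page
        return UNKNOWN, f"UNKNOWN - unexpected status {status}"
    if "Balance: " not in body:
        # The host and the web server are up; the application is not.
        return CRITICAL, "CRITICAL - login succeeded but no balance returned"
    if elapsed_ms >= crit_ms:
        return CRITICAL, f"CRITICAL - transaction took {elapsed_ms:.0f}ms"
    if elapsed_ms >= warn_ms:
        return WARNING, f"WARNING - transaction took {elapsed_ms:.0f}ms"
    return OK, f"OK - balance page served in {elapsed_ms:.0f}ms"


class StubBankHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the monitored application."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        creds_ok = fields.get("user") == [PROBE_USER] and fields.get("password") == [PROBE_PASS]
        if self.path != "/login":
            self._reply(404, "not found")
        elif not creds_ok:
            self._reply(401, "login failed")
        elif not getattr(self.server, "app_healthy", True):
            # Process alive, application dead: ping and bare status checks stay green.
            self._reply(200, "Internal application error: account database unavailable")
        else:
            self._reply(200, f"Welcome {PROBE_USER}. Balance: 1,234.56")

    def _reply(self, code, text):
        payload = text.encode()
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *_args):   # keep the stub quiet
        return


def start_stub_server():
    """Serve the stub on a free loopback port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), StubBankHandler)
    server.app_healthy = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


if __name__ == "__main__":
    server, url = start_stub_server()
    print(probe_balance(url))          # (0, 'OK - balance page served in ...ms')
    server.app_healthy = False
    print(probe_balance(url))          # (2, 'CRITICAL - login succeeded but no balance returned')
    server.shutdown()
    server.server_close()
    print(probe_balance(url))          # (2, 'CRITICAL - cannot reach ...')
```

Flipping the stub’s app_healthy flag shows the point made above: the process still answers 200, so a ping or a bare status check stays green, while the probe goes CRITICAL because the response no longer carries a balance. Deployed as a real plugin it would print the message and sys.exit(state); the dummy account should have no privileges beyond viewing its own balance.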
As to agent-based monitoring, the pickins are much slimmer. The simplest agent-based systems are, naturally, based on the Simple Network Management Protocol (SNMP). SNMP allows devices to “publish” a set of data that can be queried and displayed by monitoring consoles. Device manufacturers (SNMP is most heavily used by routers and other network gizmos) design a tree-like structure of data called a management information base (a MIB). At each node in the tree is some datum that describes the operational health of the device. The manufacturer gets a number assigned to the company (an enterprise number, handed out by IANA under the 1.3.6.1.4.1 arc) and each node in the MIB is identified by the company OID and a dotted sequence that describes the node’s position in the tree. SNMP-aware monitoring software, once informed of the device’s MIB, can query the device (using the SNMP protocol) to retrieve values for the various data nodes. SNMP also allows management software to write (SET) values into MIB objects in order to configure devices. Finally, devices, having detected anomalies, can raise SNMP traps that can be “caught” by monitoring software.
The main drawback with SNMP is that it has a very poor security model. SNMPv1 and SNMPv2c authenticate a request with nothing more than a community string that travels in the clear, so anyone who can sniff or guess it (defaults such as “public” and “private” are common) can use it. SNMPv3 (the latest incarnation) adds per-user authentication and encryption to address the security issue, but few devices support the new version. Without that, SNMPv2c allows non-authorized users to view the operational status of a monitored device and, perhaps, gain information that can be used to compromise it. Note too that devices that support configuration via SNMPv2c are vulnerable to being maliciously configured by non-authorized users who obtain the read-write community string.
While SNMP is frequently implemented in network hardware, it is also occasionally implemented in UNIX and UNIX-like computers and very occasionally on Windows machines.
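As an added illustration (mine, not from the original post, and not a real MIB), the following Python models the structure just described: objects under an enterprise arc, instances named by dotted position, and the view-based access control (VACM, RFC 3415) that SNMPv3 uses to bound what a principal may read or write. The enterprise number 99999, the acme* object names and the two principals are constructed; the weak one is the equivalent of a default read-write community, the other an authPriv user confined to a read-only view the way net-snmp’s “rouser NAME priv -V VIEW” does it.

```python
"""OIDs, a toy enterprise MIB and SNMPv3 view-based access (VACM).

Added example, not Likewise code.  Enterprise number 99999 and the acme*
objects are constructed; real enterprise numbers are assigned by IANA.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1).system(1)
MIB2_SYSTEM = (1, 3, 6, 1, 2, 1, 1)
# iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).<enterprise number>
ACME = (1, 3, 6, 1, 4, 1, 99999)

# Object name -> OID.  An instance appends an index (".0" for scalars, ".3" for row 3).
MIB = {
    "sysDescr":   MIB2_SYSTEM + (1,),
    "sysUpTime":  MIB2_SYSTEM + (3,),
    "acmeFanRPM": ACME + (1, 1),
    "acmeTempC":  ACME + (1, 2),
    "acmeReboot": ACME + (2, 1),     # a SET of 1 reboots the device
}
NAMES = {oid: name for name, oid in MIB.items()}


def parse_oid(text: str) -> Tuple[int, ...]:
    """'.1.3.6.1.4.1.99999.1.1.0' -> (1, 3, 6, 1, 4, 1, 99999, 1, 1, 0)."""
    parts = text.strip().strip(".").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed OID: {text!r}")
    return tuple(int(p) for p in parts)


def resolve(oid: Tuple[int, ...]) -> str:
    """Longest registered prefix plus the instance suffix, e.g. 'acmeFanRPM.3'."""
    for n in range(len(oid), 0, -1):
        if oid[:n] in NAMES:
            return NAMES[oid[:n]] + "".join(f".{i}" for i in oid[n:])
    return ".".join(map(str, oid))


@dataclass(frozen=True)
class View:
    """A VACM view: (subtree, included) families.  An OID is in the view when the
    longest matching subtree is 'included'; equal lengths go to the
    lexicographically greater subtree (RFC 3415 rules, family masks omitted)."""
    families: Tuple[Tuple[Tuple[int, ...], bool], ...]

    def contains(self, oid: Tuple[int, ...]) -> bool:
        matches = [(sub, inc) for sub, inc in self.families if oid[:len(sub)] == sub]
        if not matches:
            return False
        return max(matches, key=lambda m: (len(m[0]), m[0]))[1]


LEVELS = {"noAuthNoPriv": 0, "authNoPriv": 1, "authPriv": 2}


@dataclass(frozen=True)
class Principal:
    """A v2c community or v3 user with its access entry: the minimum security
    level and the views it may GET from / SET into."""
    name: str
    version: str                 # "v2c" or "v3"
    min_level: str
    read_view: View
    write_view: Optional[View] = None


def check_access(principal: Principal, request_level: str, oid, op: str):
    """Decide a GET/SET the way VACM does: security level first, then the view."""
    if principal.version == "v2c" and request_level != "noAuthNoPriv":
        raise ValueError("community-based (v1/v2c) messages are always noAuthNoPriv")
    if LEVELS[request_level] < LEVELS[principal.min_level]:
        return False, f"{principal.name}: {request_level} is below required {principal.min_level}"
    view = principal.read_view if op == "get" else principal.write_view
    if view is None or not view.contains(oid):
        return False, f"{principal.name}: {resolve(oid)} is not in the {op} view"
    return True, f"{principal.name}: {op} {resolve(oid)} permitted"


ALL = View((((1,), True),))                         # the whole tree, net-snmp's default 'all'
SYSTEM_ONLY = View(((MIB2_SYSTEM, True),            # system group ...
                    (ACME + (1,), True),            # ... and the acme sensors,
                    (ACME + (1, 2), False)))        # minus acmeTempC (excluded family wins: longer)
# Weak: a guessable read-write community string sent in the clear, whole tree writable.
OPEN_RW = Principal("private", "v2c", "noAuthNoPriv", read_view=ALL, write_view=ALL)
# Better: an SNMPv3 user that must authenticate and encrypt, read-only, scoped view.
MONITOR = Principal("monitor", "v3", "authPriv", read_view=SYSTEM_ONLY)

if __name__ == "__main__":
    reboot = MIB["acmeReboot"] + (0,)
    print(check_access(OPEN_RW, "noAuthNoPriv", reboot, "set"))                 # (True, ...)
    print(check_access(MONITOR, "authPriv", reboot, "set"))                     # (False, ...)
    print(check_access(MONITOR, "authNoPriv", MIB["sysUpTime"] + (0,), "get"))  # (False, ...)
    print(check_access(MONITOR, "authPriv", MIB["acmeFanRPM"] + (3,), "get"))   # (True, ...)
```

The first call is the situation the text warns about: whoever knows (or guesses) the “private” community can SET acmeReboot. The remaining calls show what SNMPv3 plus a view buys you: a request below the configured level is rejected before the view is even consulted, a read-only user has no write view at all, and the excluded family keeps acmeTempC out of an otherwise permitted subtree.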
Naturally, Windows computers are typically monitored using a different technique. Three of them, in fact. Sigh.
First, Windows computers support RPC. An administrator can tell if a Windows computer is healthy by connecting to it with a remote management console and looking at various data. The perfmon program, for example, can display graphs of Windows performance counters that measure available disk space, RAM and hundreds of other data.
Second, Windows computers support the Windows Management Instrumentation (WMI) protocol. WMI is a crude object oriented mechanism that allows Windows monitoring and management software to query system metrics, set system parameters and invoke management functions. WMI, by the way, is based on a DMTF standard known to the rest of the world as CIM or WBEM. Forget about the “standards” part – Microsoft WMI is not interoperable with anyone else’s implementation. The Microsoft System Center Operations Manager (SCOM, formerly MOM) folk had to implement their own WBEM code for Linux/UNIX in order to monitor these systems. The mechanism they implemented is actually the third monitoring technique that’s available on Windows, WS-Management or WS-Man as it’s frequently referred to.
WS-Man, like all of the WS-* protocols, is based on SOAP. A WS-Man aware monitoring program can read performance metrics and write configuration values by performing XML-based SOAP calls to a monitored device.
Although WS-Man seems like A Good Thing, especially since Microsoft is providing it on non-Windows platforms, I think it has several key flaws. First, WS-Man is based on both SOAP and WMI/CIM/WBEM. SOAP requires a considerable bit of glue in order to implement. In Windows, C# and .NET make it pretty easy. On Unix, you can do it in C++ using Axis for example, you can do it in Java using Sun JWSDP, or you can do it in Perl/Python or another SOAP-aware scripting language. Each of these has its flaws. The C++ approach is error prone. The .NET or Java approaches require a huge runtime memory footprint. The Perl/Python approach is typeless, requiring manual development of SOAP WSDL files instead of reflection-based synthesis. Beyond the SOAP issues, WMI/CIM/WBEM is simply butt-ugly (maybe even fugly). The technology had the misfortune of being designed before Java and C# came to fruition. As a result, its extension mechanism is just clunky.
Beyond SNMP, RPC, WMI and WS-Man, there are yet other solutions. Companies that make monitoring software (for example, Microsoft, IBM, HP, BMC, Computer Associates, and others) frequently have their own proprietary monitoring agents that use yet other protocols.
Given all of these unattractive alternatives, it is not surprising that companies don’t diligently monitor all of their systems. The ones who do this best usually end up using a mashup of various mechanisms: SNMP for network hardware, System Center/MOM for their Windows systems, some Nagios for agent-less monitoring, toss in some HP OpenView in one or two divisions and some home grown stuff elsewhere.
What would Alan Turing do? Ack. I suppose WS-Man is better than the alternatives but I just can’t imagine Cisco adding all the necessary software to implement it.