Farewell Diane

A lot of folks have probably heard that Diane Greene was recently replaced as CEO of VMware.  If that's news to you, you can read more here and here. I'm not going to comment on the details of what happened, why, etc., but wanted to take the chance to talk about my interactions with Diane at VMware and to wish her well.

When I first interviewed at VMware back in 2005, I knew a couple of the other founders and early employees from my grad school days but hadn't met Diane.  Although I knew VMware had some great engineers and interesting technology I had some questions about the company - the relationship with EMC, competition from Xen and Microsoft, etc..  Diane took the time to sit down with me and answer my questions in a straightforward "no bull" fashion.  I was impressed with her knowledge of the industry and the strategic view she took of how the company needed to develop technologically in order to continue growing.  I was also impressed about how much she obviously cared about the company, its employees, and its ability to have an impact on the industry.  I wanted to be a part of that.

Since then I've interacted with her from time to time, sometimes in meetings at work, sometimes randomly bumping into each other on campus or out of the office (including early one morning at a Peet's Coffee on the other side of the country).  Even as the company grew (from about 1000 employees to 6000+ in the time I've been here), she remained engaged and knowledgeable about what was going on throughout the company.  And while I may not have agreed with every decision, I've continued to be impressed by her candor, integrity, and business savvy.

Farewell, Diane, and good luck with your next endeavor.

Trip report from SOSP 2007

I spent the last few days at SOSP 2007, the latest instantiation of a biennial conference on operating systems research. This was held in Stevenson, WA, along the Columbia River Gorge about 45 miles east of Portland.

General observations:

• This area is absolutely gorgeous in the fall. Living in California, I tend to forget about the whole trees-changing-colors thing in the fall. We had a couple of days of nice weather at the beginning of the conference and the views of the river and surrounding hills were just spectacular. Of course by the end of the conference we had cold drizzling rain and I remembered why I don't live there.
• For anyone looking for good brewpubs in the area, I highly recommend checking out Walking Man Brewery in Stevenson. The place doesn't look like much, but they had a very nice barleywine and imperial IPA, as well as a good standard IPA and stout. The smoked salmon pizza was also excellent. Double Mountain Brewery in Hood River, OR is also worth a visit.
• The fact that SOSP included 3 papers on OS support for Javascript is a sad reflection of the state of computing. Nothing against the authors of the papers (who were trying to find solutions to real problems), but ~50 years after the introduction of FORTRAN, LISP, and Algol 60, is this the best we can come up with?
• A lot more people care about byzantine fault tolerance (at least in the research community) than I would have thought possible.

Comments on specific talks:

• TxLinux: this looks at how to map the synchronization primitives in Linux (mostly spinlocks) onto transactional memory primitives. Nothing earthshattering, but some decent practical work, including looking at issues like dealing with I/O interrupts in the middle of a transaction, scheduling changes, and priority inversion. One of the problems with moving to new hardware paradigms (such as different consistency models or transactional memory) is figuring out what to do with all of that legacy code, most prominently operating systems, programming language runtimes, and large application platforms like databases.
• Triage: the goal here is to automatically debug problems onsite after a fault is detected (e.g., program crash). The main idea is to use checkpoints to back up to (hopefully) prior to the fault, and replay to introduce different variations to help detect the problem. E.g., if the problem goes away depending on scheduling order it's probably some sort of race condition. The implementation was focused on user level programs using OS checkpoint/replay support but I don't see any reason it wouldn't work for OS kernels (or more complex multi-process applications) with VM based checkpoint/replay.
• iComment: the basic idea here was to apply natural language processing (plus some manually constructed "filters") to infer program assumption based on comments. Aside from the fact that the testbed was the Linux kernel, this didn't really have anything to do with operating systems - the techniques would apply equally well (or equally poorly) to any sufficiently complex application. The assumption of this work is that developers are sufficiently mechanical in the way they write comments (e.g., "assumes lock is held" in the comment that prefaces a function) that a program can infer meaning and automatically test for correctness. But if we're so mechanical, why not use more formal annotations to express intent? The most prominent example of this is ASSERTs, which serve as both verifiable statements of intent and documentation of assumptions. I'd be more interested in research on what other types of annotations would be useful, and perhaps some analysis of why annotations haven't caught on, than in "fuzzy" natural language techniques.
• SecVisor: this project looked at using a small hypervisor (and hardware virtualization support a la SVM or VT) to prevent illicit kernel code execution. The hypervisor used shadow page tables to control the memory permissions, preventing kernel code from being modified or execution of text or user memory while in kernel mode. This relies on being able to detect when the processor switches between user and kernel mode (by tracing the entry/exit points), so that pages can be remapped (e.g., restoring user level execute permissions when exiting the kernel). Of course this assumes a static kernel text - supporting loadable kernel modules gets more complicated (the hypervisor has to get involved in loading the text and doing appropriate validation to make sure the module is OK).

Making code reviews less painful

One constant in large software development projects is code reviews - letting your peers look at what you've done to make sure you haven't missed anything.  It's been called the last defense against brokenness since it represents the last check before your code goes into the common repository and affects the rest of the developers (and sooner or later, your users).  And, at least in my experience, the tools available for code review are barely adequate.  In the 13+ years I've been doing code reviews (both as reviewer and reviewee), I've used a wide variety of tools, from simple text-based ones like diff and patch to more complex web-based tools that generate dynamic HTML pages with pretty colors indicating what's changed.  Although these have gotten better and better at highlighting the changes and allowing you to look at other context in the modified files, they generally don't help at all with the other side of the review process - capturing comments and the discussion around them.  That's usually left in email, often one-on-one between the reviewer and the developer - meaning other reviewers miss the context of previous review comments.  Or everybody sees the comments, even about code they're not interested in.  Also, as a reviewer I really get tired of typing in file names and function names or line numbers before every comment so people know what I'm referring to - I want to focus on the substance of the comments, not how to describe the location of the code I'm talking about.

I've seen a few attempts to address these issues, but the one I've been using lately that seems to have a lot of promise is ReviewBoard.  This was developed by VMware's Christian Hammond and David Trowbridge (with help from others), and a number of groups within VMware are now using it (so I've had a chance to use it "in anger").  It's a browser-based online review system, and can be used to look at file diffs, expand out unmodified sections of the file, etc..  In addition, comments are added within the tool itself, and can easily be associated  with a given source line (clicking on the line brings up a box to enter the comment).   When the reviewer is done with comments, they're "published", and the developer sees them.  They then can respond, the reviewer can respond to the response, etc. - and the conversation is all captured within the tool.  (It's tied to email as well, so you don't need to keep refreshing your browser to see what's changed.)  In addition, one reviewer can see the comments from another reviewer - and add their own comments.  The developer can also refresh the changes after updating to address the review comments.  The end result is to capture the entire review process in a single place - in a way that's transparent to all participants.

ReviewBoard is built on python and django, and has backends that support CVS, Subversion, Perforce, and Mercurial.  It's under an MIT license, so you can look at the code and change it however you want.  If you're a developer who works on a project where you do code reviews, I'd suggest checking it out.

The Value of Virtualization

From Jonathan Schwartz:

[...] if you can double server utilization via Solaris Containers or VMWare, people don't buy fewer computers - they buy more. The value of innovation, at least to our core customers, is growing so fast that if the price declines, the overall return (value/price) goes through the roof - encouraging a feedback loop.

The corollary to this is that if you're not willing to cannibalize your own business (by improving value/price, whether through better performance, better utilization, or lower price) your competitors will do it for you.

And Jonathan, it's VMware :-).

Solaris 10 in a VM

I've noted previously that one of the non-Sun distros of OpenSolaris (Nexenta) is available in a VM.  Now, Sun has now quietly added the Solaris Enterprise System Virtual Machine 1.0 to the Sun Download Center (as a free download).  This is Solaris 10 Update 1, plus the Studio 11 compilers, plus all the Java Enterprise System software - app server, web server, directory server, etc. - all in a VMware virtual machine.  No OS or application install, just download and untar, fire up VMware Player/Server/Workstation (take your pick), and power the VM on. 

The VM seems to work pretty well, though there are a few caveats.  The virtual disk is IDE, so don't try to  use this with ESX or VI3 (which don't support IDE virtual disks).  It's also 20GB, so be sure to have plenty of disk space available on the host.  Also, this is update 1, not update 2, so it doesn't have the latest patches (or ZFS for that matter).  And the VM doesn't have the VMware guest tools installed, though that's easy enough to do if you're running a recent version of Player, Server, or Workstation.  Installing guest tools will improve the console UI experience and networking performance (though be sure to fix up the /etc/hostname.* and /etc/dhcp.* files after installing).  (If anyone from Sun involved in creating this is reading, I have some suggestions for improvements.)

I assume the various included components each have their own license restrictions, so examine the licenses carefully.  Solaris itself has a free right-to-use but you'll need to pay for support.

The README for the VM mentions the availability of a smaller S10U2 VM without the JES and Studio apps, but I haven't been able to find it.  A search on sun.com just hits the VM above as well as a bunch of references to the JVM.

Update (3/19/07): there are now four Solaris VMs available from Sun, including S10U3 and Solaris Express (aka Nevada) build 55.  VMware tools are pre-installed (at least in the two I downloaded), but the VMs are still using IDE disks so they won't work for ESX/VI users.

What was that again?

This morning during his keynote address at VMworld Mendel Rosenblum talked about (and demoed) a new virtual machine monitor capability we've been playing with in VMware R&D, called record/replay.  The basic idea is to be able to record the instruction stream that a virtual machine executes and be able to reproduce it exactly at a later time.  This isn't just the instructions associated with a single application process or thread; it includes all code executed within a VM, including multiple processes, kernel code, and interrupt handlers.  The replay can even run faster than the original execution (if desired), since during replay the host can skip over idle time.

What can you do with this technology?  Well, one obvious use is debugging.  A common problem in the development of operating system kernels and complex applications is non-reproducible bugs - a bug that happens due to a specific combination of asynchronous events and can't be readily replicated.  Often these are due to races due to incorrect locking or other timing related problems.  Even if the developer is lucky enough to get a core file containing a memory image of the system at the time the bug is detected (or shortly thereafter), the detection often occurs far enough after the initial problem that it's difficult to tell what happened.  There's also the problem that the act of creating a core file (particularly of an OS kernel) can distort the contents.  Personally as a kernel developer I've spent many hours staring at object code and remnants of register and kernel memory state and trying to deduce why a problem occurred, wishing I had a time machine that would allow me to back up and see the state of a given register before it was clobbered by unrelated code, or figure out what thread scribbled garbage onto a critical data structure.

With record/replay, you have the ability to exactly replay the execution of instructions in such a way that you can move forward and backward in time, and examine memory and register state at different points.  In addition to aiding in manual debugging, it enables wider use of tools that automatically detect bugs based on the instruction stream and changes to memory state.  Such tools are normally not feasible for use in production or even general QA, since they cause a substantial slowdown which reduces performance and can change timing and drive away bugs.  But with the ability to replay execution, we can do heavy-duty processing and analysis after the bug has already occurred, when performance is less of a concern.  The analysis can even be done on another system, perhaps the developer's machine rather than the machine dedicated to QA or production use.

You can also probably think of other uses for this technology - one that comes to mind is keeping a log of execution for analyzing security attacks.

So how do we do this?  Moreover, how do we do this efficiently?  Obviously, we could record the VM's instruction stream by trapping every instruction and recording the PCs - then on replay, walking through the instruction trace and single-stepping or emulating each instruction.  That would be extremely slow, though; the CPU would spend most of its time trapping into the virtual machine monitor rather than executing the applications running in the virtual machine.  It's similar to what classical instruction emulators do, which often have performance slowdowns of 100x or more.  Clearly this approach wouldn't be viable for real application use.

The answer is to think about what affects the stream of instructions that are executed by an operating system (and the applications running within it).  Most of the time, the CPU simply executes a deterministic series of instructions - the instruction that will be executed next is determined solely by the previous instruction executed along with (in the case of a conditional branch) the current state of processor registers and memory.  If this was the only thing determining execution order, we could replay an instruction stream by simply starting with the same register and memory state (including the current PC), and starting execution.

Execution isn't always deterministic, of course.  The source of non-determinism is I/O, particularly interrupts (including timer interrupts), I/O port accesses, and data copied into memory via DMA.  You can view these as external inputs that influence the execution of a virtual machine (or a physical one, for that matter).  If we can keep track of these external inputs, we can record the information needed to reproduce a VM's execution without having to record a complete instruction trace.

The problem of recording the execution of a VM for exact replay then becomes one of logging these external inputs and the times (relative to the execution of instructions within the VM) when they occur, and (on the replay side) synchronizing the execution with emulation of the inputs.  As an example, think about the effect on a VM of receiving a network packet.  There are two external inputs: the packet is copied into the VM's memory, and an interrupt is raised to notify the VM that there is new data to process.  (I'm glossing over minor details like changes to ring buffer registers here.)  While recording, we need to log the contents of the packet, the time the data is copied into memory, and the time the interrupt was raised (which may be the same).  While replaying, we need ensure that these inputs are made visible to the VM at the exact same point in the VM's execution as when recording.  In between these synchronization points, the VM can execute normally - meaning that user level code can execute at full speed on the processor.  That's the key to being able to record and replay execution efficiently.

All of this is obviously focused on uniprocessor VMs - record/replay for SMP VMs is a more difficult problem.  And I'm glossing over a number of implementation details.  But it gives an idea of what's possible by interposing at the virtual machine level.

Virtually running

One of the nice things about working at VMware is the number of active people here, and the support that the company gives to non-work "wellness" activities.  People regularly get together during the week to play pretty much every sport imaginable, from ultimate frisbee to soccer to capoeira.    A number of us are runners, and in addition to getting together for training runs we have fun competing in the JPMorgan Chase Corporate Challenge in San Francisco every September.  This year, despite cold, fog, and wind, 107 VMware employees participated - a pretty significant percentage of the employees in the area.  Although we didn't win the event, we did place 2nd in the men's team competition and 5th among the women's teams.  Pictured above is 3/4 of the men's team - that's Mike Clayville on the left, me in the middle, and Ole Agesen on the right.  Chris Gullo couldn't make our impromptu award ceremony and is missing from the photo.  Inside the boxes are very nice engraved plates from Tiffany's, awarded to the top 3 teams in each competition.

Thanks to Craig Williams for organizing the VMware participation at the race, and for the picture.

VMware Usenix BoF

Heading to Boston to attend the annual Usenix technical conference.  For those attending, I and some of my VMware colleagues will be hosting a BoF on virtualization Thursday night at 8PM in the Arlington room.  Please join us and bring all of your questions about VMware technology and virtualization.

OpenSolaris, Virtualized

I've been asked a few times by various folks about the availability of OpenSolaris-based virtual machine images that can be played in VMware Player, VMware Server, VMware Workstation, etc..  I'm happy that I now have an answer - the Nexenta folks have made a preinstalled VM image available with their latest release (Alpha 4).  This is a great opportunity for anyone who wants to try out OpenSolaris but doesn't have a spare machine to dedicate to it - you can use an existing Linux or Windows box, download VMware Player or Server and the VM image, and quickly be up and running with a nice slick distro based on the latest bleeding-edge OpenSolaris code.  The VM image is available from the Nexenta site here (scroll down to the bottom) as well as the Genunix mirror here.

More on VMware and Solaris

Nice step-by-step writeup on installing Solaris 10 in a VM. Most of it also applies to Solaris Express.

A couple of things to add to my earlier notes on VMware/Solaris issues. The latest kernel patches for Solaris 10 (118844-19 and 118844-20) cause a panic on boot on some systems, including in a VMware virtual machine. Some limited details are available here. The workaround is to boot under the kernel debugger (kmdb) - type "b kmdb" when you get the "(b)oot or (i)nterpreter" prompt. You can make this persistent with "eeprom boot-file=kmdb" once you're booted (or by messing around with the boot configuration menus, but I don't recommend that for the easily frustrated).

The latest version of Solaris Express (build 27a, the one with ZFS) won't install in a VM if you use the graphical install and the default guest memory size (256MB). It hangs trying to load the X server and window system into memory. Either increase the memory (I suggest at least 512MB), or select the text install by hitting "4" when you get the question about install type. This should be fixed in a later build (to automatically fall back to the text install if there isn't enough room for the graphical install).