
Cloud Workplaces: Odin VDI and IBS



IBS has long been engaged in developing high-availability IT solutions for the corporate sector. At one point we became interested in the container virtualization technology of Parallels Containers for Windows (today the Parallels division that developed it works under the Odin brand). On its basis, together with the Odin team, we created a joint product: Odin VDI, a solution for virtualizing user workstations. In this post we tell the story of how the solution was created, describe its functionality and advantages, and also cover the certification of Odin VDI by FSTEC.


Odin VDI: what is it and for whom?


Readers here probably do not need a detailed explanation of what VDI technology is. Users' workstations are deployed in the data center as virtual machines running a desktop OS (Windows 7/8), and users access them over LAN/WAN from anywhere in the world and from any device, be it a computer, a thin client, or a mobile device. The user's workflow stays practically unchanged: they work with their desktop the same way they always did. At the same time, everything improves dramatically in terms of data access security, workstation availability, and the simplicity and cost of maintenance. In addition, it is the most economical way to deploy new points of presence regardless of the geographical location of employees and their functional requirements.


All of that sounds good, but VDI has always had one problem: the substantial cost of the server infrastructure and Microsoft licenses, which often cancelled out all the advantages above.

The solution is Parallels Containers for Windows (hereinafter PCW). PCW is a technology for creating containers with Windows OS on top of Windows Server 2008/2012. PCW makes it possible to achieve a higher density of users per server than traditional VDI (up to 200-250) while saving on Microsoft licenses.

The following components have also been added to Odin VDI:

Based on the requirements for the product, the Odin team did serious work on improving Odin Virtual Automation, the virtual infrastructure management server.

Why choose container virtualization based on Parallels Containers?


There are many technologies on the market for consolidating users' workplaces and providing remote access to them.

A classic terminal server based on a single OS, to which all users connect, did not suit us functionally: there were difficulties in adapting the existing client applications to terminal mode. Hypervisor virtualization, in turn, required quite a lot of resources, since each virtual machine needs hardware emulation. This entailed additional costs and reduced desktop density. Of course, being able to install a separate OS for each workplace has certain advantages, but they do not cover the overhead.

After going through the options, we arrived at the only one that worked: container virtualization, which beat the hypervisor on user density and allowed us to solve the problem of applications running in terminal mode. In effect, we settled on the golden mean between the terminal server and hypervisor virtualization. You can learn more about this technology and containers for Windows in the Parallels blog on Habr.

The platform is based on the Windows Server 2008/2012 base server operating system, on top of which PCW is installed and the working environments, so-called containers, are run. Containers are isolated at the level of the RAM address space and a private area on disk. They do not need an individual OS installation or hardware emulation, since all of them run the base OS instance.

Each container runs its own processes and has its own registry, network adapters and users, an allocated amount of RAM, and a hard disk. A running but idle container consumes only 200-300 MB of RAM. The system works fully, and users do not notice any difference compared to the classic setup. IT professionals, in turn, note a significant reduction in the overhead of organizing virtual environments. On average, supporting the same number of virtual workplaces with container virtualization requires one and a half times fewer computing and storage resources.

And what about in practice?


We present just one calculation for deploying our platform, using the example of a large company from the extractive sector. The calculations were performed in 2014 at the then-current rate. The corporation in question has a large number of subsidiaries with separate and geographically heterogeneous infrastructure. IT administration is built according to the classical scheme. Operating expenses for 400 users (only a small part of the total number of users, which we used as a reference) are $61K per year, and another $144K is spent on replacing personal computers. Our task was to reduce the cost of the user workstation infrastructure.



We proposed moving 400 users to the VDI infrastructure (the transition to hardware thin clients would occur in stages, 20% per year) and calculated the economic outlook for the next 5 years. The capital cost of the project was $380K. In turn, the use of virtual desktops would save $130K annually on PC purchases and maintenance, that is, the initial investment would pay off in less than three years.

In addition to cost savings, the introduction of VDI facilitates system management and increases administration efficiency through centralization, standardization and unification of resources. This is true for large companies with hundreds and thousands of users. Only the server component needs administration.

The cost of servicing workstations, support and networking is reduced, as is the cost of purchasing equipment: with a powerful server infrastructure, the technology allows cheaper devices to be used for local deployment.

In the overwhelming majority of cases the total cost of ownership of VDI is lower than with the standard architecture, which means the company's total IT costs are significantly reduced. Of course, much depends on the specific IT landscape and the client's conditions. That is, we accept that in some special cases the solution may not bring a tangible economic effect, but we can always calculate the TCO at the preliminary stage. In general, you can get an idea of the price of the solution using a calculator (at the end of the longread about the product).

In addition, Odin VDI raises the level of information security in the organization through built-in information security tools. These include access control, security event logging, integrity control, and backup. The solution integrates easily with various levels of the corporate information security infrastructure: centralized identity and access management systems (IDM), event monitoring and incident investigation systems (SIEM), security monitoring systems, and hardware authentication tools.

A bit about compatibility


We conducted a large number of tests of thin clients and made sure that our VDI works fine on a wide range of equipment and supports a wide variety of operating systems.

Below we publish a list of processor types, GPUs, and operating systems on which VDI has been successfully tested:
OS

Processors

GPU

The amount of RAM in the terminals ranged from 512 MB to 4 GB, and flash memory from 512 MB to 16 GB. Sizes ranged from the exotic, about the size of an ordinary business card, to a standard terminal. All this only confirms that VDI can be used with confidence on ordinary PCs and computers running Windows and Linux. However, it is obvious that the latter option is less cost-effective than using terminals, and we have real confirmation of this.

Why we certified Odin VDI with FSTEC


At the very start of the joint development by IBS and Odin, it was decided that the solution would be certified by FSTEC. That is, we did not take the usual route, in which a solution lacks sufficient information security mechanisms and is supplemented with certified security tools only at the implementation stage. The information security mechanisms were built into the solution from the beginning.

The IBS team insisted on opening the source code to the regulator, and this is one of the most important features of our product. Odin VDI is certified by FSTEC at the fourth level of control of the absence of undeclared capabilities (NDV) and can be used in GIS (state information systems) and ISPDn (personal data information systems) of the highest level of security.

Today there is no other VDI solution on the market that has been certified with its source code opened. This procedure not only made our product unique, but also allowed us to minimize the number of add-on security tools needed when building a secure infrastructure. The logical result is a reduction in the cost of virtual workplaces.

In addition, the solution supports third-party crypto providers, which opens up additional possibilities: GOST encryption and authorization using GOST certificates. The fact that the platform was developed by Russian companies is especially valuable for government agencies that are tasked with finding fully domestic solutions for IT and information security.



In addition, together with Odin, we are constantly working to improve the solution and refine it to the specific requirements of our customers.

Questions and comments are welcome :)

IBS experts, Anton Karasev, Andrey Sungurov and Sergey Rukavishnikov, as well as our colleague from Odin, Vladimir Porohov, took an active part in preparing the post.

Odin VDI development team from IBS.

Source: https://habr.com/ru/post/269799/

