7

We are debating whether to add Client Hyper-V or VMWare Player Pro to new Windows 10 desktops later this year and have our developers run their developer tools in a Windows 7 VM on their local desktop. For security reasons, they will not have admin rights on their local workstation which will only be used to host their VM(s) and for office work not requiring admin rights such as email, web, Microsoft Office etc.).

The developers would have admin rights on the VMs instead. The VMs would be on an isolated network VLAN and AD domain with no Internet access and no direct file transfer or network access between the VM and host. The users will do all their development and testing inside the VMs.

I have not been able to find a true virtual machine "player" that only allows using existing VMs and not creating new ones when installed on a workstation.

Client Hyper-V does not work at all unless the users have either local admin rights on the host machine or are members of the Hyper-V Administrators group which allows them unlimited configuring of VM settings which will make it pretty simple for them to get around restrictions even without admin rights on the host. VMWare Player is not just a player. It also allows creating new VMs even without admin rights.

Is there any alternative vm software that allows use of existing VMs on their local workstation, but not adding or reconfiguring VM hardware?

If that cannot be done, how can we build a highly available virtual server in Hyper-V that would have the performance needed for heavy software development, long queries and builds and debugging etc.. Many of the developers work with 10 or more applications running at the same time and have 16GB RAM on their current systems.

So, I would guess we would need 2 very powerful severs with a huge amount of RAM to run 100 high memory VMs simultaneously and some kind of virtual SAN. It will also need the disk space and I/O to handle 100 busy workstation VMs.

If there were 100 VMs, we could run 50 on each in a 2 member failover cluster. If one goes down, the other would need to be able to handle the load of all 100 without a problem. We could also do planned live migrations to do maintenance such a Windows Update reboots on the hosts. We would then need SCVMM to manage them and assign private cloud access to the users so they can access the VMs and also create/revert checkpoints on their software testing VMs.

Since we have limited money, what would be a cost effective hardware design that could make this work (server specs etc.) and what ballpark price range would we expect to pay using hardware from a manufacturer like Dell or HP etc..?

If the costs are astronomical, we would then go back to the plan of adding VMs locally on workstations and try to find ways to restrict the users from creating unauthorized VMs.

15SX
  • 71
  • 2
  • 12
    Do you absolutely _need_ to stop developers from creating their own VMs or accessing the network? Are you 100% certain? Or was that just a "requirement" imposed from on high with no reason given? – Michael Hampton Jul 19 '15 at 05:12
  • 4
    Running 50 high performance dev desktops on 1 shared server sounds like a complete nightmare with regards to performance. We did some tests with vdi dev, the results were in line with several caveats mentioned in (recommended read): http://www.brianmadden.com/blogs/brianmadden/archive/2013/05/16/announcing-our-new-book-quot-the-new-vdi-reality-quot.aspx – ErikE Jul 19 '15 at 06:14
  • The title of the question is not at all representative of the content of the question. – T.J. Crowder Jul 19 '15 at 09:39
  • @T.J.Crowder You can always edit it. – Michael Hampton Jul 19 '15 at 15:18
  • @MichaelHampton: I gave up three-quarters of the way through the rambling, so I wouldn't be able to give a good title. – T.J. Crowder Jul 19 '15 at 15:19
  • 13
    Internet access and ability to download software is an indispensable part of any developer's toolset. I would refuse to work in your environment, and if these restrictions were imposed on me after signing on, I would find a new job. Good luck accomplishing anything. – Ex Umbris Jul 19 '15 at 15:21
  • I'm not even in the workforce, and this sounds horrible. Please don't inflict this setup upon any human beings. – Undo Jul 19 '15 at 21:57
  • 1
    I have to agree with the end of Zrin's answer, your are try to turn a social/policy problem into a technical one. Treat your developer as adults, they should be focused on work, not creating new VMs. – thing2k Jul 22 '15 at 06:01

1 Answers1

12

How about turning this around:

The workstations are in a secured LAN, Internet access is restricted with a proxy to a number of white-listed sites that developers need - like StackExchange :). Developers have admin rights on the workstations.

For all other needs, they can connect to a VM and have (external) e-mail and possibly full Internet access, but no access to the work related data.

This way, the needed performance of VMs is significantly lower. Perhaps also the number of them is lower. Perhaps you can assign VMs dynamically as they are needed.

Hardware requirements depend heavily on needed performance, but I'd personally go with around 10 cheap nodes with 8 core CPU and 32 GiB RAM and a very fast SSD RAID each - and fairly automated maintenance. This is for the case where the VM is not the main workstation but the auxiliary machine.

IIUC, your concern here is the security and safety of the code and documentation and you would like to have a system where you don't have to trust developers (too much).

I have a very similar task for a client of mine, just it's CAD instead of software development. For a big part, this is a social problem that we're trying to solve with technical means.

How can developers efficiently work without constant and convenient access to programming related sites and the StackExchange family? :)

Zrin
  • 597
  • 1
  • 5
  • 14
  • 3
    +1 for the turning around. – ErikE Jul 19 '15 at 10:11
  • 3
    If all the VMs are doing is browsing and office you could heavily oversubscribe them. No need for 80 CPU cores for 100 VMs each of which probably has 10% of uncorrelated CPU usage on average. – usr Jul 19 '15 at 13:06
  • 1
    @usr true, but when the hardware is so cheap I'd rather worry that the developers would see me as cheapskate than to have half of the cores idling. Anyway, one can start with fewer, and then add more nodes as needed. – Zrin Jul 19 '15 at 15:12
  • I don't know why I am not getting notifications for the responses, but a few things to add. They will have Internet access on their normal, locked down workstation without admin rights. They will have admin rights and limited network access on their development/testing VMs. Full admin rights and full Internet access on the same box do not work. It has a been a malware and unauthorized rogue software nightmare. They have the tools they need to use available on the LAN and there is a process to get new tools if there is a need to change to something new. – 15SX Jul 20 '15 at 01:44
  • We are looking at two options to get the VMs. Either adding VMs locally or adding them to a central server. I'm trying to see if there is any way to do this server based without it being cost prohibitive or much lower performance than locally running VMs. – 15SX Jul 20 '15 at 01:52
  • 1
    Yes, maybe switching it so their physical box is the development box instead of the VM being the development is an option. We would then need to remove Internet and email access from the regular LAN the physical boxes plug into and use the VMs on a segregated VLAN for running things requiring outside access (email, web browsing, IM etc.). I would guess we could get VDI that only has Outlook, IM clients, browsers, web conference clients etc. to run on less expensive server hardware. – 15SX Jul 20 '15 at 02:03
  • 1
    If you are restricting what the devs can install, you need to make sure the process to authorise software is quick, and if software is denied, there needs to be a very good and clear reason. Also regarding to software, have you looked at whitelisting. There tools in Win7 enterprise, and some, if not most, enterprise AV systems. Just a thought. – thing2k Jul 22 '15 at 06:14