Windows Containers: Base Images

The Containers feature on Windows Server 2016 runs applications in containers. A container is an instance of an OS image. Let’s explore what an image is.

For Windows containers we can start with one of two base images:

  1. Windows Server Core
  2. Windows Nano Server

The base images are provided by Microsoft, and kept in the Microsoft repository in the Docker Hub registry.

To get a copy of the current Nano Server base image, we use the command:

docker pull microsoft/nanoserver

This downloads, unzips and saves the image in the Docker folder at C:\ProgramData\docker\windowsfilter.

  • Docker commands are run by the docker client from either the Command Prompt or PowerShell
  • The command processor must run elevated
  • The default location where images are stored can be changed in the Docker configuration
  • By default Docker pulls the latest version of the image. Other versions can be specified explicitly.

An image is a set of files. Here are the image files for Nano Server:

Nano Image Base Layer

The image consists of files and registry hives. Here are the contents of one of the folders for the Nano Server image:

Nano Image Folder

The files look like a standard system drive:

Nano Image Files

The Hives folder is a collection of registry hives:

Nano Image Registry Hives

You can load the registry hives into Regedit in the normal way:

Nano Image Registry Software Hive

We also have a Utility VM folder with two Hyper-V Virtual Hard Disk (vhdx) files:

Nano Image Utility VM

These are used when the container is run in a small Hyper-V virtual machine instead of directly on the host OS (Hyper-V isolation mode).

In my example of the Nano Server base image, there were two folders:

Nano Image Pull

Each folder represents a layer. When an image is modified, the changes are saved in a new layer.

The command:

docker image ls

shows one image:

Nano Image List 1593

The command:

docker image history microsoft/nanoserver

shows two layers. The first layer is the original release of Nano Server, 10.0.14393.0, and the second layer is an update, 10.0.14393.1593. You can see the name, date, action that created it, and size of each layer:

Nano Image History

The command:

docker image inspect microsoft/nanoserver

shows the details of the image. These include:

  • The unique ID of the image
  • The OS version
  • The unique ID of each of the two layers

If we look back at the Microsoft repository on Docker Hub, we can see the tags for different updates:

Update 10.0.14393.1066
Update 10.0.14393.1198
Update 10.0.14393.1358
Update 10.0.14393.1480
Update 10.0.14393.1593
Update 10.0.14393.1715

Update 1715 is newer than the one I pulled recently. If I run the command:

docker pull microsoft/nanoserver

again, I get the latest image. If I run the command with a tag appended, I get that specific image. In this case they are different update levels, but they could be different configurations or any other variation.

Now a third folder is added in C:\ProgramData\docker\windowsfilter:

Nano Image Pull 1715

The command

docker image ls

shows that I have two images:

Nano Image List 1715

The command:

docker image history microsoft/nanoserver

again shows two layers in the latest image. One layer is the new update, and the other layer is the same original layer as in the previous version:

Nano Image History 1715

The image name “microsoft/nanoserver” refers, by default, to the latest version of the image, which consists only of the original layer and the newest update layer. Docker keeps track of images and layers in a local database:
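The point that two tags share the original layer can be checked from the client rather than by browsing the windowsfilter folders. The PowerShell below is an added example, not code from the original post: it reads the output of docker image inspect for two tags, lists the layers they share and the layers unique to each, and prints the repository digest so the image can be pinned instead of depending on the mutable latest tag. It assumes an elevated session with the docker client on the PATH, and uses the 10.0.14393.1715 tag from the list quoted above; the field names (Id, OsVersion, RepoDigests, RootFS.Layers) are the ones docker image inspect emits.

```powershell
# Added example (not from the original post): compare the layers of two tags
# of the same Windows base image and record the digest for pinning.
# Assumes: elevated PowerShell, docker client on the PATH, images already
# pulled or pullable from Docker Hub.

function Get-ImageLayerInfo {
    param([Parameter(Mandatory)][string]$Image)

    # One JSON document per image; --format keeps it on a single line
    $json = docker image inspect $Image --format '{{json .}}'
    if ($LASTEXITCODE -ne 0) { throw "docker image inspect failed for $Image" }
    $info = $json | ConvertFrom-Json

    [pscustomobject]@{
        Image      = $Image
        Id         = $info.Id                 # sha256 of the image config
        OsVersion  = $info.OsVersion          # e.g. 10.0.14393.1593 on Windows images
        RepoDigest = ($info.RepoDigests -join ', ')
        Layers     = @($info.RootFS.Layers)   # content-addressed layer digests, base first
    }
}

function Compare-ImageLayers {
    param(
        [Parameter(Mandatory)][string]$Reference,
        [Parameter(Mandatory)][string]$Candidate
    )
    $a = Get-ImageLayerInfo -Image $Reference
    $b = Get-ImageLayerInfo -Image $Candidate

    [pscustomobject]@{
        Reference        = $a.Image
        Candidate        = $b.Image
        ReferenceVersion = $a.OsVersion
        CandidateVersion = $b.OsVersion
        SharedLayers     = @($a.Layers | Where-Object { $b.Layers -contains $_ })
        OnlyInReference  = @($a.Layers | Where-Object { $b.Layers -notcontains $_ })
        OnlyInCandidate  = @($b.Layers | Where-Object { $a.Layers -notcontains $_ })
    }
}

# The untagged name resolves to :latest; the explicit tag is a fixed update level.
docker pull microsoft/nanoserver:10.0.14393.1715 | Out-Null
$result = Compare-ImageLayers -Reference 'microsoft/nanoserver' `
                              -Candidate 'microsoft/nanoserver:10.0.14393.1715'
$result | Format-List

# Digest reference to use in Dockerfiles and scripts, so a later rebuild
# cannot silently pick up a different "latest".
(Get-ImageLayerInfo -Image 'microsoft/nanoserver:10.0.14393.1715').RepoDigest
```

For the two nanoserver pulls described above, SharedLayers should contain one entry (the 10.0.14393.0 base layer) and each OnlyIn list one entry (the respective update layer). Using the RepoDigest value in a FROM line fixes the exact content a build starts from, which is what you want when the base image is part of a patch audit.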

Docker Local Database

Summary:

  1. Windows containers are instances of an image
  2. An image is a set of files and registry hives
  3. An image comprises one or more layers
  4. All Windows container images start from either Windows Server Core or Nano Server
  5. The layers may comprise updates, roles or features, language, applications, or any other change to the original OS.

Windows Containers: Add Feature

The Windows Server 2016 Containers feature enables Windows Server 2016 to run applications in “containers”. Let’s take a look at what this feature is.

There are plenty of guides on the Internet for how to set up containers on Windows. The purpose here is not so much to provide the instructions, as to see and understand how the new Containers feature is implemented.

Step 1: Build a standard Windows server. It can be a physical or virtual server.

Step 2: Install the Containers feature.

Windows Containers Feature

This creates a new service: the Hyper-V Host Compute Service. Note that several Hyper-V components are already installed by default in the server OS, without adding the Hyper-V role explicitly. The Containers feature extends the default Hyper-V services.

Hyper-V Host Compute Service for Containers

The Hyper-V Host Compute service is the one that will partition access to the Windows kernel by different containers.

Next, install the PowerShell module for Docker. There are two steps to obtain the module:

  1. Add the Microsoft Nuget module
  2. Add the PowerShell Docker module.

Nuget is the Microsoft package manager for open source .NET packages:

  • Install-PackageProvider -Name NuGet -Force

Then the PowerShell module for Docker:

  • Install-Module -Name DockerMsftProvider -Repository PSGallery -Force

Next, we need to add the Docker components. Docker is a third party application that manages containers, on Linux and now on Windows. Microsoft provides the API (in the Hyper-V Host Compute Service) and Docker provides the application that uses the API to run containers. The documentation for Docker comes from Docker, not from Microsoft. The command to install the Docker package is:

  • Install-Package -Name docker -ProviderName DockerMsftProvider

I have broken these out as separate steps for clarity. If you install the PowerShell Docker module you will be prompted first for Nuget. The Docker package (last step above) will also add the Containers feature, if you have not already done it.
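The three steps above, run end to end with a check before each so the script can be re-run safely, followed by a look at what was installed. This is an added example, not the post's own procedure: it assumes an elevated PowerShell session on Windows Server 2016 with Internet access, that the services are named vmcompute (Hyper-V Host Compute Service) and docker, and that dockerd.exe and docker.exe are on the PATH after installation (a new session may be needed for the PATH change to be visible).

```powershell
# Added example (not from the original post): idempotent installation of the
# NuGet provider, the DockerMsftProvider module and the Docker package,
# then verification of the services and binaries it created.
# Assumes: elevated session, Windows Server 2016, Internet access.

$ErrorActionPreference = 'Stop'

# Step 0: the Containers feature (the Docker package adds it if missing,
# but doing it explicitly keeps the reboot requirement visible)
if (-not (Get-WindowsFeature -Name Containers).Installed) {
    Install-WindowsFeature -Name Containers
}

# Step 1: NuGet package provider
if (-not (Get-PackageProvider -Name NuGet -ListAvailable -ErrorAction SilentlyContinue)) {
    Install-PackageProvider -Name NuGet -Force | Out-Null
}

# Step 2: the PowerShell module that provides the Docker package
if (-not (Get-Module -ListAvailable -Name DockerMsftProvider)) {
    Install-Module -Name DockerMsftProvider -Repository PSGallery -Force
}

# Step 3: the Docker package itself (-Force suppresses the confirmation prompt)
if (-not (Get-Package -Name docker -ProviderName DockerMsftProvider -ErrorAction SilentlyContinue)) {
    Install-Package -Name docker -ProviderName DockerMsftProvider -Force
}

# Verification: the two services the post describes
Get-Service -Name vmcompute, docker |
    Select-Object Name, DisplayName, Status, StartType | Format-Table -AutoSize

# Verification: the two executables, their versions and their Authenticode
# signature status (a defender wants to know the daemon binary is signed
# by the expected publisher before running it as a service)
foreach ($exe in 'dockerd.exe', 'docker.exe') {
    $path = (Get-Command $exe).Source
    $sig  = Get-AuthenticodeSignature -FilePath $path
    [pscustomobject]@{
        File      = $path
        Version   = (Get-Item $path).VersionInfo.ProductVersion
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    }
}
```

The feature install may require a reboot before the docker service starts; if Get-Service reports the service as Stopped after a fresh install, reboot and run the verification part again.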

Docker is installed as a service (daemon) and a client to operate the service.

Docker Daemon Service

The Docker installation has these two executables.

Docker Executables

The file dockerd.exe is the Docker service.

Docker Properties

The file docker.exe is the client. Like a lot of open source tools, Docker is managed at the command line. You can run the docker client executable in the Command Prompt.

Docker Client

The Containers feature also creates an internal network where the containers will run by default. This consists of:

  1. A Hyper-V virtual switch
  2. A subnet used for the virtual network (always 172.17.nnn.0/20)
  3. A virtual NIC on the host server that is presented to the virtual switch
  4. Two new rules in the Windows firewall.

By default the Containers feature sets up a NAT switch. A Windows component, WinNAT, maps ports on the host to IP addresses and ports on the container network.

Here is the virtual switch:

Docker Virtual Network

And the NAT component:

Container VMSwitch and NAT

The host NIC on this virtual switch:

Hyper-V Virtual Ethernet Adapter

The Hyper-V Virtual Ethernet Adapter shown in the normal Network and Sharing Centre:

Hyper-V HNS Internal NIC

You can create other types of virtual switches later.

The installation also creates two default firewall rules:

Docker Automatic Firewall Rules

The Inter-Container Communication (ICC) default rule allows anything from the virtual container network:

Docker Automatic Firewall Rules ICC to Docker Network

and RDP:

Docker Automatic Firewall Rules RDP

It is not obvious why the Containers feature creates a firewall rule for RDP. It does not enable RDP on the host. And the containers do not support RDP.
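Because the NAT switch, host vNIC and firewall rules are created silently by the installer, it is worth recording them as a baseline and reviewing the RDP rule in particular. The script below is an added example, not from the original post: it enumerates the NAT object, the host-side Hyper-V adapter and its IPv4 address, and the firewall rules related to containers, Docker and Remote Desktop, with their ports and remote address scope. It assumes an elevated session; the rule names are matched by pattern because the post does not quote their exact display names, so the RDP match will also include the built-in Remote Desktop rules on the host, which is what a review wants to see anyway.

```powershell
# Added example (not from the original post): baseline of what the Containers
# feature and Docker package created on the host network.
# Assumes: elevated session; firewall rule display names matched by pattern.

function Get-ContainerNetworkBaseline {
    # The WinNAT object that maps host ports to the container subnet
    $nat = Get-NetNat |
        Select-Object Name, InternalIPInterfaceAddressPrefix,
                      ExternalIPInterfaceAddressPrefix, Active

    # The host vNIC presented to the virtual switch
    $hostNics = Get-NetAdapter |
        Where-Object { $_.InterfaceDescription -like 'Hyper-V Virtual Ethernet Adapter*' } |
        Select-Object Name, InterfaceDescription, Status, MacAddress

    $hostIps = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -like 'vEthernet*' } |
        Select-Object InterfaceAlias, IPAddress, PrefixLength

    # Firewall rules of interest, joined with their port and address filters
    $rules = Get-NetFirewallRule |
        Where-Object { $_.DisplayName -match 'Container|Docker|ICC|Remote Desktop' } |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                DisplayName = $_.DisplayName
                Enabled     = $_.Enabled
                Direction   = $_.Direction
                Action      = $_.Action
                Profile     = $_.Profile
                Protocol    = $port.Protocol
                LocalPort   = ($port.LocalPort -join ',')
                RemoteAddr  = ($addr.RemoteAddress -join ',')
            }
        }

    [pscustomobject]@{
        Nat           = $nat
        HostAdapters  = $hostNics
        HostAddresses = $hostIps
        FirewallRules = $rules
    }
}

$baseline = Get-ContainerNetworkBaseline
$baseline.Nat           | Format-Table -AutoSize
$baseline.HostAdapters  | Format-Table -AutoSize
$baseline.HostAddresses | Format-Table -AutoSize
$baseline.FirewallRules | Format-Table -AutoSize

# The post notes that an RDP rule is created although neither host nor
# containers use RDP here: list any enabled inbound allow rule on TCP 3389
# so it can be reviewed (and disabled with Disable-NetFirewallRule if unneeded).
$baseline.FirewallRules |
    Where-Object { "$($_.Enabled)" -eq 'True' -and "$($_.Direction)" -eq 'Inbound' -and
                   "$($_.Action)" -eq 'Allow' -and $_.LocalPort -eq '3389' }

# Keep the baseline for a diff after the next Docker or OS update
$baseline | ConvertTo-Json -Depth 4 |
    Set-Content -Path (Join-Path $env:TEMP 'container-network-baseline.json')
```

Running this once after installation and again after each Docker or Windows update, then comparing the two JSON files, shows whether an update has added or widened any rule on the host.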

In summary:

  • The Windows Containers feature is enabled as an extension of the default Hyper-V services.
  • The Hyper-V Host Compute Service allows containers to run processes on the Windows kernel. The Hyper-V Host Network Service creates the internal logical networks for the containers.
  • There is no need to install the Hyper-V role itself, unless you want to run containers in a VM (called Hyper-V Isolation Mode).
  • Docker is a third party application that uses the Windows Containers feature to create and run containers.
  • The Docker package installs the Docker components on top of the Windows Containers feature.
  • The Docker package installation also creates a virtual network for containers. This has a Hyper-V virtual switch with NAT networking, and a Hyper-V virtual NIC on the host attached to the switch.

So far, we have installed the Containers feature and the Docker components. We still can’t do anything until we obtain an image to create containers from.

Azure Domain Join

As well as doing large scale IT infrastructure projects, I also support a few small businesses run by friends. In one of them, for over a decade, they have had a server on site. Now they don’t. Everything is done in Azure.

They started with Microsoft Small Business Server. This provided Active Directory, Exchange, and File and Print. Over several years we moved to hosted e-mail, then Office 365. In this last stage we moved the PCs from the local domain to the Azure domain. Users now sign in with Windows Hello, using a PIN. All the shared data is in a SharePoint Team Site. All the personal data is in OneDrive. The local Special Folders on the PC are redirected to OneDrive. They use Skype, Yammer and Delve to work together, on iPad or PC. They can work at home or in the office. Management of the PCs is done with Intune.

Most of all, the server is switched off. No-one needs to come on site for hardware problems. Anyone can provide support, from anywhere, if they know Office 365 and Azure.

The Azure domain is not quite the same as a local domain. There is no Group Policy. If you wanted, you could add GPOs with Azure Active Directory Premium, but it is not cheap, and of course you need some skills to manage it. It got me thinking about how we could replace GPOs.

In one of my large scale assignments recently, where we rolled out a new global desktop, we actually needed only a few GPOs. We had a big and complex policy to make Internet Explorer compliant with security standards. We had policies for certificates, wireless networking, passwords. But it was not very many. Without GPOs we would need another way to do these configurations. But it would not be enough to justify keeping a global Active Directory infrastructure.

The problem with certifications

Certifications sound like a great idea, and if I were in HR recruiting IT people, I could be forgiven for thinking that they tell me something important about a person’s skills level. But I would be wrong.

The idea of certifications is not wrong. If I were having a boiler installed, I would probably want the technician to be certified to work with gas. This would be an industry certification, perhaps with an independent assessment body. They might also have done some training for the specific type of boilers they install. The IT industry does not do this. It has vendor certifications that are intended to demonstrate a skill level with a specific technology:

  • Cisco Certified Internetwork Expert (CCIE) and Cisco Certified Design Expert (CCDE)
  • Microsoft Certified Solutions Expert (MCSE)
  • VMware Certified Design Expert (VCDX)

The certifications are hard. Anyone who has a CCIE certification has demonstrated the ability to study and has the aptitude to pass a certain type of exam. They may also have been fortunate to have an employer willing to pay the steep fees for courses. The question, however, is whether they demonstrate real expertise in the technology.

The problem is that the course material is created with the idea of enabling an exam, and the exam is created purely as a test of the course material. An example will show what I mean.

This example is taken from the Cisco material for TSHOOT. This is one of the exams for the Cisco Certified Network Professional (CCNP) Routing and Switching certification. It covers the skills for troubleshooting and maintaining Cisco IP Networks. Cisco certifications are some of the best, so this example is not an adverse comment on Cisco. It is just an example of a certification topic.

Troubleshooting an IP network requires a good understanding of TCP/IP, and how packets flow through a network from server to switch to WAN and client, and back to the server. NetFlow is a way of recording information about flows, so that you can diagnose performance problems. There is quite a lot you need to know about flows in order to diagnose problems. The course material tells us that:

"A flow is a unidirectional stream of packets, between a given source and a destination, that have several components in common. The seven fields that need to match for packets to be considered part of the same flow are as follows:

  • Source IP Address
  • Destination IP Address
  • Source Port (protocol dependent)
  • Destination Port (protocol dependent)
  • Protocol (Layer 3 or 4)
  • Type of Service (ToS) Value (differentiated services code point [DSCP])
  • Input interface."

I suppose there are a number of concepts here. One is that the flow is a specific "conversation" between client and server. Now this is a bit surprising. It says "unidirectional". Does that mean that the response to a request is in a different flow? How can I tell if there is a network or server delay if the request and response are in different flows? Another concept is that you can’t jump between interfaces. You might have more than one network connection to a switch, but those would be separate flows. I don’t really need to know that there are precisely seven fields: I can always look that up. And I don’t need to know trick questions about what might be a field but is not. TCP/IP flows is a really interesting topic, and I would like to know a bit more about it.
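The seven-field definition quoted above is easier to reason about once a few packets are actually grouped by it. The PowerShell below is an added example, not part of the course material or the post: it takes a handful of constructed packet records, groups them into flows on the seven key fields, and then pairs each flow with its reverse-direction counterpart. It shows the answer to the unidirectional question directly: the reply to a request is a separate flow, and matching request to reply is something the collector does afterwards by reversing the address and port fields, not something the exporter records.

```powershell
# Added example (not from the post or the Cisco material): group constructed
# packet records into flows on the seven NetFlow key fields, then pair each
# flow with its reverse-direction flow.

# Constructed sample: a client at 10.0.0.5 talking to a web server at
# 10.0.0.80, seen on a router with interfaces Gi0/1 (client side) and
# Gi0/2 (server side). All values are made up for the example.
$packets = @(
    [pscustomobject]@{ Src='10.0.0.5';  Dst='10.0.0.80'; SPort=51000; DPort=443;   Proto='TCP'; Tos=0;  IfIn='Gi0/1'; Bytes=120  },
    [pscustomobject]@{ Src='10.0.0.5';  Dst='10.0.0.80'; SPort=51000; DPort=443;   Proto='TCP'; Tos=0;  IfIn='Gi0/1'; Bytes=800  },
    [pscustomobject]@{ Src='10.0.0.80'; Dst='10.0.0.5';  SPort=443;   DPort=51000; Proto='TCP'; Tos=0;  IfIn='Gi0/2'; Bytes=1500 },
    [pscustomobject]@{ Src='10.0.0.5';  Dst='10.0.0.80'; SPort=51001; DPort=443;   Proto='TCP'; Tos=0;  IfIn='Gi0/1'; Bytes=90   },
    [pscustomobject]@{ Src='10.0.0.5';  Dst='10.0.0.80'; SPort=51000; DPort=443;   Proto='TCP'; Tos=46; IfIn='Gi0/1'; Bytes=100  }
)

# The seven key fields, joined into one string so Group-Object can use it
function Get-FlowKey {
    param($p)
    '{0}|{1}|{2}|{3}|{4}|{5}|{6}' -f $p.Src, $p.Dst, $p.SPort, $p.DPort, $p.Proto, $p.Tos, $p.IfIn
}

function Get-Flows {
    param([object[]]$Packets)
    $Packets | Group-Object -Property { Get-FlowKey $_ } | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Src = $first.Src; Dst = $first.Dst; SPort = $first.SPort; DPort = $first.DPort
            Proto = $first.Proto; Tos = $first.Tos; IfIn = $first.IfIn
            Packets = $_.Count
            Bytes   = ($_.Group | Measure-Object -Property Bytes -Sum).Sum
        }
    }
}

# Pairing is done on the reversed 5-tuple only: the reply normally arrives
# on a different interface, and its ToS marking may differ too.
function Find-ReverseFlow {
    param($Flow, [object[]]$Flows)
    $Flows | Where-Object {
        $_.Src -eq $Flow.Dst -and $_.Dst -eq $Flow.Src -and
        $_.SPort -eq $Flow.DPort -and $_.DPort -eq $Flow.SPort -and
        $_.Proto -eq $Flow.Proto
    }
}

$flows = @(Get-Flows -Packets $packets)
$flows | Format-Table -AutoSize
# Expected grouping for the sample: four flows. The reply (10.0.0.80 -> 10.0.0.5)
# is its own flow; the second client port is a new flow; the packet marked
# ToS 46 is a new flow even though everything else matches.

foreach ($f in $flows) {
    $rev = Find-ReverseFlow -Flow $f -Flows $flows
    '{0}:{1} -> {2}:{3} (ToS {4}, in {5}) has reverse flow: {6}' -f `
        $f.Src, $f.SPort, $f.Dst, $f.DPort, $f.Tos, $f.IfIn, [bool]$rev
}
```

The same grouping is what a collector does with exported records, which is why answering "was the delay in the network or the server" needs timestamps from both directions and a collector that pairs them; the exporter alone only ever describes one direction at a time.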

Now here is the test question:

"Which of the following is not a NetFlow key field

  • Source IP Address
  • Layer 4 Source Port
  • ToS Byte (DSCP)
  • TTL
  • Input Interface."

Did you notice what happened there? I don’t need to know anything about flows. I just need to remember the list of seven fields. And I need to be aware of trick answers. Is Source Port really Layer 4? Is TOS value really a byte? Did I just forget TTL, or could there be a reason why Time to Live is a field that I have forgotten? None of this matters in the real world. In the real world we switch on NetFlow, and configure a collector like SolarWinds. The real work is in interpreting the NetFlow data. And NetFlow is expensive. And it can’t tell you what is happening on the parts of the WAN you do not control. And it does not tell you what response time the user actually experiences.

The problem here is the methodology. If the exam were in Algebra, there would be a vast body of knowledge, different course material, trained teachers and professional examiners. But there is no such body of knowledge or of educators for troubleshooting an IP network. Cisco has to get someone to prepare a course and someone else to prepare an exam. The exam is a test of the course.

Certification courses provide useful training. And simple exams that test whether you paid attention are OK. But certifications do not prove skills. They prove a willingness to study, and an aptitude for a certain kind of test.

Windows 10 S for Enterprise?

Windows 10 S is the new edition of the client OS that is restricted to run only applications from the Windows Store. The advantage is that it is more stable and secure than an OS where the user can install software from anywhere. Microsoft has positioned the OS for the education market. But perhaps it has possibilities for the enterprise too.

Windows 10 S was released in May 2017. It is only available as an OEM installation, for example in this Microsoft Surface Laptop.


Vendors with Windows 10 S laptops currently include Dell, HP and others. Prices are in a similar range to other laptops and notebooks.

The marketing from Microsoft is aimed at the education market, but what interests me is the scope for using Windows 10 S in the enterprise. Mobility is costly, and this OS might bring the cost down.

The main problem for enterprise mobility is making it secure. One approach to this is the managed laptop:

  • a custom Windows 10 Enterprise image
  • joined to the domain
  • encrypted
  • authenticated by a certificate
  • no admin rights for the user, OR admin rights with more active detection and blocking
  • SSL VPN client
  • web proxy client.

This has more complexity and higher support costs than a standard desktop. An alternative approach is to do away with the idea of validating the device at all, and provide access to enterprise data and applications only through a virtual desktop. In this case mobility is provided by any device running the remote access software, like Citrix Receiver or the VMware Horizon client. It can be a Mac, a Chromebook or a mobile thin client. The problem here is that, if you want to work offline, you need to store data and you need local applications. If you do that, you again need a managed device, and you add further costs.

Windows 10 S may provide a new option. Use a regular desktop in the office, and a Windows 10 S laptop for mobility. As the Windows 10 S laptop cannot run applications except from the Windows Store, the level of protection and additional support required is much lower. You can still run Office applications like Outlook. You can still edit a PowerPoint presentation or work on an Excel spreadsheet offline. But the scope for malware is much reduced. If you need to use an enterprise application like SAP when working from home, say, then you can use remote access to connect to a virtual desktop or a published application. But in this case the virtual desktop needs to be provided only to the mobile users and not to all users.

Windows 10 S supports these enterprise features:

  • Trusted Platform Module (depending on the OEM hardware)
  • Certificate Store for enterprise certificates
  • BitLocker disk encryption
  • Azure domain join and Windows Hello authentication
  • mobile device management with Intune, AirWatch or similar
  • desktop applications from Microsoft, Adobe, etc. as long as they are available from the Windows Store.

The typical company laptop is an expensive compromise. It needs to be powerful enough to run enterprise applications, light enough to carry around easily, secure enough to hold enterprise data, flexible enough to allow the user to work offline. I think on balance I would prefer to use a regular desktop in the office, and a Windows 10 S laptop for mobility.

OneNote and OneDrive

Have you tried using OneNote recently? It is a free product from Microsoft, but it rarely gets a mention. Combined with OneDrive, it is a good tool for keeping track of different types of information related by topic.

OneNote has been around since 2002. It is one of those products that you don’t hear much about, and it is easy to overlook. But it is a very useful tool for keeping track of different types of information related by topic. For example, let’s suppose you find a good article online. You want to make a note of the author, the URL, the key points and a graphic. Maybe you have other notes on the same topic. How do you do it, and where do you keep it?

You might try Notepad; but you can’t save the image or a hyperlink there. You could use MS Word, of course. Now you have a document. But how would you relate it to other material on the same topic: all in one document, or using different documents in a folder? And how would you add something new from your mobile?

OneNote organises information in a hierarchy of Notebook, Section within Notebook, and Page within Section. You can move sections and pages around, if you want to reorganise. You can make links between sections and pages. In this sense it acts like a Wiki.

OneNote Example

You can use different types of material: text, images, tables, audio and video files, hyperlinks, file attachments.

OneNote Insert

You can also use OneNote as the notes manager for Outlook items, like appointments, contacts or tasks. The Outlook plugin adds OneNote to the menu bar, and lets you choose which notebook to save notes in.

Outlook Ribbon

From the notification area on the desktop taskbar you can make "quick notes" without opening OneNote.

OneNote Notification

This opens a note with a cut down menu.

Quick Note

In Edge you can use the OneNote Web Clipper to clip pages or parts of web pages and put them straight into notebooks. For example, here we are clipping a piece of a web page from Wikipedia:

OneNote Clip

The screenshots shown here are from the free version included with Windows 10. Office 365 has an enhanced version: for example you can add a spreadsheet item instead of a simple table.

When you open OneNote, you sign in with a "Microsoft" account, either a personal account at live.com or a business account through Office 365. You can add more than one account so, for example, you could share a Travel notebook between your personal and your business accounts. You only need to open the notebooks you choose, so at work you could open a Projects and a Travel notebook, while at home you could open a Travel and a Family notebook.

OneNote notebooks are saved automatically in OneDrive, the online personal datastore. This makes them accessible from anywhere, provided your security settings allow it. You can open your notebooks from Windows, Mac, iPad, Android and Windows Mobile clients. So, if you are away from your desk and you want to make a note, you can save it in the right notebook instead of hunting around for it later.

You can also share notebooks. You can share with Edit or View rights. The sharing is managed through OneDrive permissions, and you can manage the sharing in OneNote or OneDrive.

Share Notebook

OneNote is a good example of a simple idea developing over time into a useful tool. Do you remember Groove? Groove was a tool created by Ray Ozzie, creator of Lotus Notes. Groove Networks was founded in 1997, and acquired by Microsoft in 2005. Groove allowed document synchronisation and sharing, where both parties connected through a broker. Ray Ozzie later became Chief Software Architect at Microsoft, where he started the services that became Azure. The broker was the forerunner of SaaS services, and Groove was the forerunner of OneDrive. Now OneNote and OneDrive do more or less what Groove used to do, but in a simpler and more versatile way.

Windows 10 Licensing on Cloud

You probably know that, until recently, the Microsoft license did not permit you to run a Windows Client OS on cloud infrastructure. This has now changed. The exact license terms are difficult to find, and the cases where the changes could make a difference are limited. Here is a summary.

The clause that restricts you is the one that permits you to run a virtualised copy of Windows only "on (a) device(s) dedicated to Customer’s use". Here is the relevant document: Licensing Windows Desktop OS for Virtual Machines.

The key parts of this are:

  • Virtual Device Access (VDA) Rights are what you need to access a virtual copy of the Windows client OS. "VDA Rights" are not the same as "VDA Subscription". VDA Rights are what you acquire either with Software Assurance to run a copy of Windows, or a VDA Subscription if you are running something else.
  • VDA Rights are subject to the restriction above, to run only on dedicated hardware.

To state the obvious, this means no Windows 10 in Azure or AWS running on shared infrastructure. Under these terms, for example, you cannot use Azure to provide a DR facility for enterprise desktops.

In May 2016 a Microsoft blog said that Windows 10 would be coming to Azure through a partnership with Citrix, using XenDesktop: Microsoft and Citrix Partner to Help Customers Move to the Cloud. This was picked up widely in the press. The Citrix offer was announced in April 2017: Citrix XenDesktop Essentials for Azure.

On the face of it this is a significant change. Yes, it has a minimum requirement of 25 users, but still it is:

  • a monthly subscription, not a long term contract
  • pay for capacity if you use it, and not if you don’t.

The curious thing about this is that there is no corresponding announcement from Microsoft, and no apparent change in Windows 10 licensing. So what exactly has changed?

  • The Citrix offer requires the customer to have an "Enterprise Agreement"
  • This EA will cover all users and devices in the organisation, already permitting them to access virtual Windows 10 Enterprise through VDA Rights (although restricted to dedicated hardware).

So the change is that, provided you have an Enterprise Agreement, and use XenDesktop Essentials with a minimum of 25 accounts, you do not need to use explicitly dedicated hardware.

Separately, in May 2017 Microsoft introduced a new offer: Azure Hybrid Use Benefit for Windows Server and Windows Client. This is not explicitly related to the Citrix XenDesktop Essentials offer. It allows customers to upload a Windows 10 Enterprise image to Azure, but "Only Enterprise customers with Windows 10 Enterprise E3/E5 per user or Windows VDA per user… are eligible".

You can already run a Windows desktop in Amazon Web Services (AWS). Here the licensing terms are more straightforward:

  • For a regular Windows "desktop experience" you get a licensed copy of Windows Server Datacenter Edition. Desktop Experience is a feature of Windows Server that adds some of the features of a Windows client. Datacenter Edition is the license that allows you to run multiple virtual copies of the OS on one host.
  • For a minimum of 200 machines per month, you can Bring Your Own License (BYOL), provided you have VDA Rights (see above).
  • This puts a value on the license part of the VM of $4 per month, but with a 200 minimum.

So in summary:

  1. You can already run a virtual desktop (a real dedicated desktop, not a session) using a Windows Server OS on Azure or AWS without restriction
  2. You can already run a virtual desktop using your own Windows client licenses on any dedicated hardware, if you have VDA Rights through Software Assurance or a VDA Subscription.
  3. As a special case of 2) above, you can already do this on AWS with a minimum of 200 desktops
  4. You can now (2017) run a virtual desktop with your own Windows client licenses in Azure, if you have a Microsoft Enterprise agreement.

To use a virtual desktop on any scale you will still need the surrounding infrastructure: a machine composer; a broker; and a client. XenDesktop Essentials provides a way of obtaining these on a monthly rental, compared to the normal annual subscription or perpetual license.

Windows 10 Performance on AWS

Amazon Web Services (AWS) offers a range of Windows 10 virtual desktops, called WorkSpaces. Let’s see how they perform.

The summary is that:

  1. A Standard Windows 10 WorkSpace performs similarly to a top of the range Dell laptop
  2. A Graphics Windows 10 WorkSpace performs similarly to a high performance Dell workstation.

That’s useful to know. If you want to give people access to a good all-round machine, then the Standard WorkSpace will do it. And if you want to give them access to a high performance machine occasionally, then a Graphics WorkSpace will do it. Meanwhile they can carry around a tablet like the Surface Pro for everyday convenience, and still have access to the whole range of Office 365 applications.

The costings are a bit of a surprise, but that will have to follow in another post.

First, the definition of the WorkSpaces. AWS offers four levels of performance for Windows 10:

Bundle       vCPU  Memory   GPU                      User Storage
Value        1     2 GiB    none                     10 GB
Standard     2     4 GiB    none                     50 GB
Performance  2     7.5 GiB  none                     100 GB
Graphics     8     15 GiB   1 GPU, 4 GiB video RAM   100 GB

The Windows 10 WorkSpaces run a copy of Windows Server 2016, using one Datacenter Edition license for all copies running on the same host. So it is not quite accurate to call it a Windows 10 desktop. AWS describe it as: "a Windows 10 desktop experience, powered by Windows Server 2016." It makes no practical difference to the functionality, or the benchmarking.

An AWS WorkSpace is a virtual machine with a rudimentary system for brokering the machines to different users, and a remote access client. This, again, makes no difference to functionality or performance, but it explains why we have these categories (Value, Standard etc.) rather than the usual mix of ECS virtual machines.

The software I use for benchmarking is PassMark PerformanceTest. I have been using it for some time. It is a good product, and I have my own benchmarks from different types of machines to compare with. The methodology is very simple: start the machine; install the software; run the benchmark. Ideally you might do several runs, but I have not found that to be necessary.

Let’s get to the results. First the benchmarks for the different WorkSpaces.

Benchmark          Value    Standard  Performance  Graphics
CPU Mark           1774.9   3527.4    2450.8       7879.3
2D Graphics Mark   297.9    513.2     344.3        460.8
Memory Mark        742.3    1494.8    1647.9       1869.7
Disk Mark          801.2    805.8     880.9        1252.2
3D Graphics Mark   N/A      N/A       N/A          3988.4
PassMark Rating    751.5    1223.2    1010.6       2652.2

The Performance WorkSpace is a surprise. This is configured with the same 2 vCPU as the Standard, and with more memory. But the results are lower than for the Standard. I checked this twice, and I ran the test again on the following day to confirm. The figures here are the best obtained. A possible reason is that this is configured with only one physical core, with hyperthreading enabled, whereas the Standard is two physical cores, with hyperthreading disabled. Whatever the reason, it is obviously not worth paying more for the Performance WorkSpace, unless you need the additional memory. It could really be called a "Memory" WorkSpace.

Here is the comparison with other machines. First the Standard WorkSpace compared with a Dell Latitude E7240, a good quality laptop.

Benchmark          Standard  E7240
CPU Mark           3527.4    3495.3
2D Graphics Mark   513.2     563.6
Memory Mark        1494.8    1166.1
Disk Mark          805.8     2186.2
3D Graphics Mark   N/A       457.4
PassMark Rating    1223.2    1719.6

The Standard WorkSpace is comparable to a top of the range laptop like the E7240 (although that model is a bit old now). The CPU benchmark is comparable, although the SSD on the physical laptop is much faster than the virtualised SSD on the WorkSpace. The WorkSpace CPU is two cores on an Intel Xeon E5-2676, while the laptop CPU was 4 cores on an Intel Core i5-4210U.

Here is the Graphics WorkSpace compared with a Dell Precision M6700 mobile workstation (again, a bit old now):

Benchmark          Graphics  M6700
CPU Mark           7879.3    9520.0
2D Graphics Mark   460.8     754.0
Memory Mark        1869.7    2232.1
Disk Mark          1252.2    589.5
3D Graphics Mark   3988.4    956.0
PassMark Rating    2652.2    2075.0

We can see that:

  • CPU is comparable – 8 cores on an Intel Xeon E5-2670 against 8 cores on an Intel Core i7-3940XM
  • Disk is better than the Standard, not as good as the Dell laptop SSD, but better than the Dell workstation SATA
  • The graphics are outstanding

My overall impression is that I would be happy with the Standard WorkSpace as a substitute for a laptop, and very happy with the Graphics WorkSpace as a substitute for a workstation.

The Future Desktop

I have been doing a bit of work with data visualization recently, using Tableau. It got me thinking about the way we use data to produce information, and how that is changing.

One of my early career challenges was to analyse what effect promotions had on overall product sales. In Unilever at that time the standard practice was to run product promotions with the supermarkets every few months. The idea was to gain more prominent shelf space, and so increase sales. The promotion had to offer something extra (money off, extra free, two for one) and manufacturing had to be geared up to support the extra volume. The annual financial plan had to be modelled on the anticipated peaks and troughs of volume. In fact you could say that the whole operation was geared around these promotions.

But the question was: did we actually increase overall profitability; or did we displace volume from one cycle to another? My job was to look at the evidence to see what we could conclude about the effectiveness of promotion on profit.

The trouble is, I had no tools. I could get data about production, physical sales to the supermarket and market share by getting reports from the "mainframe", but I had no tools to analyse them. I had to draw graphs by hand. I plotted sales volume against market share and drew these up on paper and on acetates (remember those?). The results were presented to the Board, and I was asked to go and discuss them. I could make only the vaguest conclusions: promotions did not seem to increase market share in any sustained way; sales volume seemed to fall after a promotion by as much as it had increased; average price sold and profitability went down as much as sales volume went up.

At that time there were no computers on desks. Now the purpose of the desk is to hold the computer. Today I would be able to draw nice graphs, with bubbles expanding and floating upwards. But would it make any difference? No, because there was no useful data to make the correlation between the promotion and the effect on consumer behaviour. The real difference between then and now is not the computer. It is the data.

One of my pet peeves is the phrase "the pace of change is increasing". No, it is not. The pace of change is a constant. If it were increasing, it would either have to change direction and start slowing down at some point, or it would have to increase ad infinitum, which would be an absurdity. The phrase is a rhetorical device to encourage action. But you have to consider that if your call to action is a logical absurdity then there is something wrong.

OK, so what is changing, because something is? It is the availability of data about the world and our actions in it. The steadily lower cost of technology is making more and more data available, and giving us better tools to turn the data into usable information. We have more information, so we can act with more knowledge. We can use the data to gain a new insight into the behaviour of the world. It may be what we guessed intuitively, without data, or it may be new. So instead of "the pace of change is increasing" we have "the availability of data and information and knowledge is constantly increasing". We can respond in two ways:

  1. Collect more data. This is what the Internet of Things is about.
  2. Use the data more effectively. This is what Data Visualization is about.

Performance Measurement

This is about our recent experience on a project to improve the performance and stability of a set of engineering applications after migration to a new datacentre. We had really excellent data produced by the application centre business analysts. These showed in detail that applications were significantly slower than previously, across a wide range of transactions. On average, transactions were taking 25% longer (let’s say). Someone set the objective that we would not be satisfied until 90% of transactions were within the benchmark figure for each transaction.

On the face of it this was going to be difficult, because we knew that there would always be variability, and this new target effectively outlawed variation. We did not know the previous variability. If the benchmark transaction times were only met say 70% of the time previously, then there was no reason for them to now be met 90% of the time.

The first and obvious variable was the user site. We found that, if we excluded the sites with known poor networks, or those sites which seemed to have a much higher incidence of poor results (because that is how we knew they had a poor network), then the number of transactions outside the benchmark dropped significantly. But they were still a lot more than 10%. Obviously the site and the network did not account for all poor performance.

The second obvious factor was the performance of the computing platform (Citrix XenDesktop). We could not tell if a poor test result correlated with a general experience of poor performance on the platform for other users at that precise time. But the general feeling was that the platform must have periods of poor performance. So the number of virtual machines was increased; the number of users per virtual machine reduced; and in some cases the number of vCPUs per virtual machine increased. It made no difference. There continued to be a significant number of transactions outside the benchmark times.

One of the issues for us was that we could not reproduce the problem on demand. The analysts had all experienced a bad transaction. But it was not repeatable. So we knew that we were looking for erratic rather than predictable results. When we looked at the test data again, we found that the average time (the mean time taken over a number of instances of the same transaction) was very misleading. The median value was indeed well below the benchmark transaction time. Most people were experiencing good performance most of the time, but some people were experiencing poor performance some of the time. The measurements at the time of poor performance were extreme, so they made the averages less useful.

The example I think of is taking a train to work. It normally takes 30 minutes. Four times out of five the train runs on time, but the fifth time it is cancelled and you have a 20 minute delay for the next train, which also runs more slowly, taking 40 minutes. It is not useful to say that the journey takes on average 36 minutes. You would not be on time to work more often if you allowed 36 minutes. Instead the conclusion is that the service is unreliable, which is quite a different thing.

So we plotted the actual times in a scatter graph, and it was immediately clear that the real problem was not performance, but reliability. We also calculated the standard deviation, as a more accurate representation of variability, which told us the same thing. Examples:

Transaction 7
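The train journey above and the mean-versus-median point, worked through as an added example (this is not code from the original post). The train timings and the 30-minute benchmark come from the text; the two sets of transaction timings and their benchmarks are constructed, and the 90% target is the project objective stated earlier.

```python
"""Separate a performance problem from a reliability problem by comparing
mean, median, standard deviation and the share of runs inside the benchmark."""
from statistics import mean, median, pstdev


def summarise(times, benchmark, target_share=0.9):
    """Return summary statistics and a verdict for one transaction.

    times:        list of observed durations for the same transaction
    benchmark:    the expected duration for that transaction
    target_share: the fraction of runs that must be within the benchmark
    """
    within = sum(1 for t in times if t <= benchmark)
    share_within = within / len(times)
    med = median(times)
    if med > benchmark:
        # The typical run is slow: a genuine performance problem.
        verdict = "performance"
    elif share_within < target_share:
        # The typical run is fine but a minority of extreme runs drag the
        # mean up and break the target: a reliability problem.
        verdict = "reliability"
    else:
        verdict = "ok"
    return {
        "mean": mean(times),
        "median": med,
        "stdev": pstdev(times),
        "share_within": share_within,
        "verdict": verdict,
    }


# Train journey from the post: four runs of 30 minutes, one cancellation
# (20-minute wait plus a slower 40-minute train), benchmark 30 minutes.
TRAIN = [30, 30, 30, 30, 60]

# Constructed transaction timings (seconds) against constructed benchmarks.
SLOW = [34, 35, 33, 36, 34, 35, 35, 34, 36, 35]       # uniformly over a 30 s benchmark
ERRATIC = [12, 11, 13, 12, 11, 12, 95, 12, 11, 70]    # mostly well under a 15 s benchmark

if __name__ == "__main__":
    for name, data, bench in (("train", TRAIN, 30), ("slow", SLOW, 30), ("erratic", ERRATIC, 15)):
        s = summarise(data, bench)
        print(f"{name:8s} mean={s['mean']:.1f} median={s['median']:.1f} "
              f"stdev={s['stdev']:.1f} within={s['share_within']:.0%} -> {s['verdict']}")
```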

We decided that, instead of looking at the things that affect performance (vCPU, vRAM, disk latency, network latency) we would look at the things that affect reliability. We started by analysing each transaction with SysInternals Process Monitor and Wireshark, to understand what exactly caused time to be taken. The results were a revelation. We found a set of causes that we would not have guessed existed:

  • A benchmark transaction exported from the old system without version history. The transaction attempted to validate the version number by checking prior versions, before giving up and running.
  • An export to Excel failed if Excel was already open in the background. It continued to fail silently until the user ran it with Excel closed.
  • A transaction called an external module. The module is signed with a certificate from the vendor. The transaction attempts to check the revocation status of the certificate. If the user has an invalid proxy server configuration then there is a delay before a timeout expires and it continues. If the transaction is run a second time there is no check and it is fast.
  • The user logs on. The application searches in various non-existent locations for a user configuration. After around 20 seconds it finds a configuration and begins.
  • Running a transaction for the first time causes the data to be cached locally. The second time it runs from cache and is fast. Therefore the recorded time depends on the instance of running.
  • A report writes to Excel at a network location. The data is transferred to the remote file in very small packets, taking a long time. Another report writes to a local file, which is then copied to the remote destination, and completes in a fraction of the time.

The conclusions? It is important to look at the data statistically to see whether the problem is about performance or reliability; and you need to understand the makeup of the transaction to know what may cause it to take longer than expected.