Hyper-V Program Manager
Virtual PC, Virtual Server and Hyper-V all have a simple command to “Turn off” a running virtual machine.
Unfortunately, it is one that causes us a bit of consternation when we look at it with usability and user friendliness in mind.
A long time ago (just over 10 years ago) most computers had big mechanical power switches on them. When you “turned off” a computer you were immediately cutting the power to the system. But that is not the way the world works any more.
Today – when you press the power button on the front of the computer case (many, but not all, computers still have the “old school” power switch on the back of the case) the computer actually continues to run – and sends a message to the operating system to shut down as quickly as possible. This is a much safer and cleaner way to turn off a computer. It is also not as reliable.
Operating systems do not always shut down when asked to shut down.
To deal with this – physical computers allow you to hold down the power button. After a couple of seconds of being held down it will issue an “old school” power off.
But why is this relevant to virtual machines?
When you select to “turn off” a virtual machine – you are actually getting an “old school” “cut the power” kind of turn off. The concern here is that back in the days of yore, people were trained to always shut down a computer before turning it off. These days it is almost always safe to just lean over and press the power button on your computer. The same cannot be said for turning off a virtual machine.
We have debated back and forward about how to correctly communicate to users exactly the risks they are taking when turning off a virtual machine – but have come up with no good answers.
We have joked that the turn off button should be labeled “cut the power” and have a picture of a power cord being pulled out of the wall. But this would doubtlessly cause a huge amount of confusion (also – we would have to create localized graphics that display the correct kind of power outlet for each different country).
We have also discussed whether we should implement a modern “turn off” that does a quick shut down. The problem here is how you handle the case where the virtual machine fails to shut down. You cannot expect people to hold down the turn off button with their mouse for a couple of seconds – waiting for the virtual machine to turn off.
So for now – things remain as they are. Just remember – the next time that you go to “turn off” a virtual machine – you really are pulling the power immediately.
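One way to script the “modern turn off” discussed above, as an added example that is not from the original post: request a guest shutdown, wait up to a timeout, and fall back to the hard power-off only if policy allows it. It assumes the Hyper-V PowerShell module's Get-VM and Stop-VM cmdlets; the function name, its parameters and the default timeout are hypothetical.

```powershell
# Added example: clean shutdown first, "cut the power" only as a timed fallback.
# Assumes the Hyper-V PowerShell module; Stop-VMWithFallback, its parameters
# and the 120-second default are hypothetical names and values.
function Stop-VMWithFallback {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Name,
        [int]$TimeoutSeconds = 120,
        [switch]$AllowTurnOff   # policy switch: permit the hard power-off
    )

    $vm = Get-VM -Name $Name -ErrorAction Stop
    if ($vm.State -eq 'Off') { return 'AlreadyOff' }

    # Step 1: ask the guest OS to shut down. -Force lets the request proceed
    # unattended instead of prompting; -AsJob keeps this call from blocking
    # longer than our own timeout. If the guest cannot honour the request,
    # the job fails, the VM stays running, and the loop below times out.
    Stop-VM -Name $Name -Force -AsJob | Out-Null

    # Step 2: poll the VM state until it is off or the timeout expires.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        if ((Get-VM -Name $Name).State -eq 'Off') { return 'CleanShutdown' }
        Start-Sleep -Seconds 2
    }

    # Step 3: the guest did not shut down in time. Without explicit policy,
    # stop here and report it rather than risk corrupting the guest's disk.
    if (-not $AllowTurnOff) {
        Write-Warning "VM '$Name' still running after $TimeoutSeconds seconds."
        return 'TimedOut'
    }

    # Equivalent of pulling the power cord: the guest gets no chance to
    # flush data, so log the action for whoever reviews the host later.
    Write-Warning "Turning off VM '$Name' without a clean guest shutdown."
    Stop-VM -Name $Name -TurnOff -Force
    return 'TurnedOff'
}

# Usage: Stop-VMWithFallback -Name 'test-vm' -TimeoutSeconds 60 -AllowTurnOff
```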
I think I like it as is ... sometimes things go wrong with a VM's OS and you just need to "hit the power button".
You could on a per policy basis enable a turn off which mimics the way shutdown behaves in Windows or *IX. First you play nice, then if things do not work and you have a policy for forceful shutdown, then you just turn the machine off. Things to think through: (1) Would such a policy be per machine, per server or per something else like Azman scope? (2) What is the timeout to wait before moving to forceful shutdown?
Why not think about it the same way the Windows team does?
When you issue a shutdown inside of Windows, apps are signaled to shut down, and then the OS can shut down, but sometimes some apps will hang. When this happens Windows alerts the user, giving them the option to kill the processes and immediately continue the shut down. The same thing could be done on a higher level with Virtual Machines. Hide the VM window and trigger the "modern" shutdown with a timeout that prompts the user to kill the VM like Explorer prompts the user to kill apps.
On the flip side of course, the user may have configured the guest OS to NOT shut down on power button, so this may only be a useful option for Virtual Machine Addition-enabled guest OSs where you could pass special messages in to control the shutdown process. Virtual PC for Windows 7 takes a route similar to what I suggest for XP Mode.
HP's iLO interface has an option called "press and hold."
There are enough other options available in the box to communicate you are doing something drastic. If you really wrestle with this in the long dark hours when infomercials rule, you could always add an additional information label to the shut down box when you do select that option.
Describe it as an emergency power off, equivalent to disconnecting the power cable, that does not allow the OS to shut down cleanly and should be an option of last resort.
It would not be the first confirmation dialog in VPC and the like.
... If you do it, please do not put a modal dialog which says: Do you really want to do this? If it is per policy, once the policy is set I would not want manual confirmation, more so if I have a farm of 1000 VMs I need to shut down.
Gargari / Dan Bugglin -
:-) - There is a sister post to this that discusses shut down coming tomorrow - which touches upon many of the points that you have made here.
And here we hit the classic issue of usability / user interface design: people do not read text descriptions. Rather they make assumptions and forge ahead (we all do it). The best UI is the one that does what you assume it will do :-)
Can "turning off" a VM cause damage to the VHD file for example?
...Except the OS disk scan and OS corruption that might occur from that of course.
What Virtual PC 2007 does seems to be simple and effective: pop up a box asking whether you want to save the machine state, send the shutdown signal or power off the machine; if you don't want to see the box you can specify a behaviour in the VM's config. It's never happened to one of my VMs but I assume that if you send the shutdown signal and it hangs then you can just 'hard' close it.
Or am I missing something?
Perhaps a less ambiguous name might be "Emergency Stop" with a big red button of the sort you see in machine workshops?
Ben, I wonder (though it's not a VPC-specific question) whether you can flesh out a bit more the difference between the "old-school" power-off and the clean (power API based) shutdown in XP? Even with no applications running, on the Dells I'm used to, a power-button-initiated shutdown always completes much quicker than does a Start | Shutdown sequence.
Interesting usability problem. How about making the "Turn Off" feature do the OS-controlled shut down first, but have that feature display a separate dialog box with a progress bar (similar to the one the Hibernate/Resume feature uses) to illustrate that it's shutting down. That dialog could also have a "Turn Off Immediately" button to help the user escape if the child-OS is refusing to shut down in a timely manner.
Since you don't want people to become overly reliant on Turn Off Immediately, it would give them the ability to do it when needed, but they wouldn't be able to achieve it without attempting to shut down the OS safely first.