A cloud computing-related Security+ question

Someone tossed a Security+ study question my way this week. This is an example of Security+ trying to be CISSP Lite, but it’s still a valid question, probably for either test, and for SSCP and CISM too.

A small not-for-profit organization needs to invest in a new expensive database. There is no budget for additional servers or personnel. Which of the following solutions would allow it to save money by avoiding hiring additional personnel and minimize the footprint in their current datacenter?

A. Linux
B. Software as a Service (SaaS)
C. Infrastructure as a Service (IaaS)
D. Platform as a Service (PaaS)

Let’s take it one at a time.


What happens when you put a dipstick, a screwdriver, and a SAN in the same room

It was 2007, give or take a year. I was working at a shop that had a WAN connecting four data centers around the world. A couple of hard drives in a SAN at one of the remote data centers had either failed or were in the process of failing.

No problem, we said. We’ll send some drives, and we’ll send along some extras so the next time it happens, you can just grab a spare off the shelf, slam it in, and not miss a beat.

Simple, right? Well, you should never underestimate a human being’s ability to make the simple difficult.

DNS and iTunes and other streaming media

There are reports floating about regarding third-party DNS affecting downloads of movies and other media, particularly from iTunes.

So, if tweaking DNS settings used to be what all the cool kids were doing, maybe it’s about to become less trendy, thanks to advice circulating to ditch third-party, centralized DNS providers like Google and OpenDNS because they “defeat the distributed nature of DNS itself.”

The answer to which DNS to use, and why, is more complex than that.

Weekly roundup: 6 Oct 2010

I used to do a weekly roundup every so often, just doing short takes on stuff that interested me as I found it. I haven’t done that in years; I thought I’d give it a whirl again. I don’t know how often I’ll do it, but it was fun.

Ars Technica says Intel’s neutral stance on Atom in servers is a mistake. Absolutely. A dual-core Atom gives plenty of power for infrastructure servers like Active Directory DCs, print servers, and other similar roles. Atoms could even handle many web server tasks.

Xeons are appropriate for database servers and application servers, but throwing them at everything is severe overkill. A lot of server tasks are more disk-bound or network-bound than CPU-bound.

I worked in a datacenter facility for several years that was literally at half capacity, physically. But they didn’t have enough power or cooling capacity to add much more to it.

The only way anything can be added there is to take something away first. Right-sizing servers is the only way to fix that. If they yanked a Xeon, they could replace it with several Atom-based servers and get a net gain in functionality per square foot and per BTU.

Virtualization, a la VMware, is another option, but it isn’t necessarily a drop-in replacement for right-sizing the hardware.

Or, of course, Intel can sit back and wait for ARM to come in and save the day. ARM provides even more functionality per watt. And even though ARM doesn’t run Windows, it does run Linux, and Samba 4 (still pre-release as of this writing) has reached the point where it can stand in for an Active Directory domain controller.

Is there a market out there for a domain controller that fits in a package the size of a CD/DVD drive and consumes less than 20 watts? I’m sure there is. And if Intel doesn’t want to deliver it, ARM and its partners can.

There may be some resistance to ARM, since some decision makers are nervous about things they haven’t heard of, but it should be possible to overcome that. Maybe you haven’t heard of ARM, but guess what? Do you have a smartphone? It has an ARM CPU in it. That PDA you carried before you had a smartphone? It had an ARM CPU in it. It’s entirely possible that your consumer-grade network switch at home has one in it too. Not your router, though. That’s probably MIPS-based. (MIPS is another one of those scary RISC CPU architectures.)

Put a solid operating system on an ARM CPU, and it can run with anything. I have ARM devices that only reboot when the power goes out. If it weren’t for tornado and thunderstorm season causing the power to hiccup, those devices could run for years without a reboot or power-down.

And speaking of ARM, I have seen the future.

Pogoplug is an ARM-based appliance for sharing files. You plug it in, plug USB drives into it, and share files on your home network and the Internet with it. At least, that’s how it’s marketed. But you can hack it into a general purpose Linux box.

Inside, there’s a 1.2 GHz ARM CPU, 256 MB of RAM, and another 256 MB of flash memory. Not a supercomputer, but that’s enough power to be useful. And it’s tiny, silent, and sips power. You can plug it in, stash it somewhere, and it’ll never remind you that it’s there.

I’ve actually considered picking up a Pogoplug or two (they go on sale for $45 occasionally, and the slightly less powerful Seagate Dockstar is available for about $30 when you can find one) to run this web site on. Considering how surprisingly well WordPress runs on a 450 MHz Pentium II with 128 MB of RAM (don’t ask me how I know), I think a Pogoplug could handle the workload.

What stops me? I can build an Atom-based PC for less than $150, depending on what I put in it, and run Turnkey Linux on it. Under a worst-case scenario, Turnkey Linux installs in 15 minutes, and it doesn’t take me any longer than that to drop a motherboard and hard drive into a case. So I can knock together an Atom-based webserver in 30 minutes, which is a lot less time than it would take me to get the LAMP stack running on an ARM system.

But if I had more time than money, I’d be all over this.

A device similar to this with an operating LAMP stack on it ready to go is probably too much to ask for. A ready-to-go image running the LAMP stack, similar in form to the DD-WRT or Tomato packages that people use to soup up their routers, might not be. I think it’s a good idea but it isn’t something I have time to head up.

I don’t think I’ve mentioned Turnkey Linux before. I’ve played with it a little, and I’m dead serious that it installs in 15 minutes or less. Installing off a USB flash drive, it might very well install in five.

And it’ll run pretty happily on any PC manufactured this century. More recent is better, of course, but the base requirements are so modest they aren’t worth mentioning.

I’ve built dozens of Linux servers, but this is fantastic. Spend a few minutes downloading an image, copying it onto installation media, and chances are the installation process will take less time than all of that does.

It’s based on Ubuntu LTS, and comes in literally 38 flavors, with more to come after the next refresh is done.

They haven’t built their collection based on the current version of Ubuntu LTS yet because they’ve been distracted with building a backup service. But that’s OK. Ubuntu 8.04.3 still has a little life left in it, and you can either do a distribution upgrade after the initial install, or build a new appliance when the new version comes out and move the data over.

And if Ubuntu isn’t your thing, or you really want 10.04 and you want it now, or worse yet, Linux isn’t your thing, there’s always Bitnami (bitnami.org).

Linux appliances took a little while to get here, but they’re here now, and they work.

Analysis of the Apple Mac Xserver

Given my positive reaction to the Compaq Proliant DL320, Svenson e-mailed and asked me what I thought of Apple’s Xserver.

In truest Slashdot fashion, I’m going to present strong opinions about something I’ve never seen. Well, not necessarily strong opinions compared to some of what you’re used to seeing from my direction. But still…

Short answer: I like the idea. The PPC is a fine chip, and I’ve got a couple of old Macs at work (a 7300 and a 7500) running Debian. One of them keeps an eye on the DHCP servers and mails out daily reports (DHCP on Windows NT is really awful; I didn’t think it was possible to mess it up but Microsoft found a way) and acts as a backup listserver (we make changes on it and see if it breaks before we break the production server). The other one is currently acting as an IMAP/Webmail server that served as an outstanding proof of concept for our next big project. I don’t know that the machines are really any faster than a comparable Pentium-class CPU would be, but they’re robust and solid machines. I wouldn’t hesitate to press them into mission-critical duty if the need arose. For example, if the door opened, I’d be falling all over myself to make those two machines handle DHCP, WINS, and caching DNS for our two remote sites.

So… Apples running Linux are a fine thing. A 1U rack-mount unit with a pair of fast PPC chips in it and capable of running Linux is certainly a fine thing. It’ll draw less power than an equivalent Intel-based system would, which is an important consideration for densely-packed data centers. I wouldn’t run Mac OS X Server on it because I’d want all of its CPU power to go towards real work, rather than putting pretty pictures on a non-existent screen. Real servers are administered over ssh (or, as many shops still did then, telnet, which sends credentials in the clear) or from a dumb terminal.

What I don’t like about the Xserver is the price. As usual, you get more bang for the buck from an x86-based product. The entry-level Xserver has a single 1 GHz PowerPC, 256 megs of RAM, and a 60-gig IDE disk. It’ll set you back a cool 3 grand. We paid just over $1,300 for a Proliant DL320 with a 1.13 GHz P3 CPU, 128 megs of RAM, and a 40-gig IDE disk. Adding 256 megs of RAM is a hundred bucks, and the price difference between a 40- and a 60-gig drive is trivial. Now, granted, Apple’s price includes a server license, and I’m assuming you’ll run Linux or FreeBSD or OpenBSD on the Intel-based system. But Linux and BSD are hardly unproven; you can easily expect them to give you the same reliability as OS X Server and possibly better performance.

But the other thing that makes me uncomfortable is Apple’s experience making and selling and supporting servers, or rather its lack thereof. Compaq is used to making servers that sit in the datacenter and run 24/7. Big businesses have been running their businesses on Compaq servers for more than a decade. Compaq knows how to give businesses what they need. (So does HP, which is a good thing considering HP now owns Compaq.) If anything ever goes wrong with an Apple product, don’t bother calling Apple customer service. If you want to hear a more pleasant, helpful, and unsuspicious voice on the other end, call the IRS. You might even get better advice on how to fix your Mac from the IRS. (Apple will just tell you to remove the third-party memory in the machine. You’ll respond that you have no third-party memory, and they’ll repeat the demand. There. I just saved you a phone call. You don’t have to thank me.)

I know Apple makes good iron that’s capable of running a long time, assuming it has a quality OS on it. I’ve also been around long enough to know that hardware failures happen, regardless of how good the iron is, so you want someone to stand behind it. Compaq knows that IBM and Dell are constantly sitting on the fence like vultures, wanting to grab its business if it messes up, and it acts accordingly. That’s the beauty of competition.

So, what of the Xserver? It’ll be very interesting to see how much less electricity it uses than a comparable Intel-based system. It’ll be very interesting to see whether Apple’s experiment with IDE disks in the enterprise works out. It’ll be even more interesting to see how Apple adjusts to meeting the demands of the enterprise.

It sounds like a great job for Somebody Else.

I’ll be watching that guy’s experience closely.

Vintage PCs and bubblegum and Unix and Windows server crashes

Mail. Svenson wrote in, a little bit disturbed by the “vintage” label I hung on Pentium IIs this week. Here’s what he said:

What you call a Vintage PC is about what I got as a "new" box at work!

OK, it's a P2/400 but the 128Meg is not ECC and the drive is a standard 10GB 5400rpm thing. No SCSI anywhere. That is the kind of hardware being installed here.

Oh, and, BTW, it has to run Win2000.

To which I replied that my “vintage” label was at least slightly tongue-in-cheek. I’ve got a Celeron-400 here that’s still in heavy use. My P2/266 laptop doesn’t get much use anymore because my employer provided me with a P3-800 laptop late last year. There are people who call even that P3-800 passe. They’re idiots, and I have zero respect for them, but they’re out there, and unfortunately people listen to them. Today I’m hearing P2s mentioned with the same disdain that 286s were in 1993 and 386s in 1996. They’re still fine computers. As my workplace is well aware, our workhorse machine is still a P2-350 or 400 with a 5400 RPM IDE drive, and that looks to remain true for another couple of years.

It’s a buyer’s market. If you know someone who needs a computer, buy one of these. They’re built much better than a $399 eMachine, and the models with SCSI drives in them will outperform the eMachine for household tasks.

Absolutely nuts. If you’re in the market for Luis Gonzalez’s bubblegum (Gonzalez is the Arizona Diamondbacks’ slugging left fielder), it’s for sale. I got a bit far out there on my baseball collectibles, but never that far.

Absolutely funny. I’m so glad that the people at Microsoft and Unisys are incompetent. They set their sights on Unix with their “We Have the Way Out” campaign. Then someone noticed the Web site was running on, uh, well, FreeBSD. I see. Unix is good enough for them, but not for the rest of us. Word got out in a hurry, and they hastily moved the site over to Windows 2000. Within hours, the site was down. And down it stayed, for two days.

See what happens when you abandon Unix in your datacenter for Windows 2000? I gotta get me some of that. I’ll charge into my boss’ boss’ office today and tell him we need to migrate our VMS and Digital Unix and Linux systems to Windows 2000. He’ll ask why, and I’ll tell him the truth:

The systems we have now work too well and I need job security.

Wehavethewayout.com is working now, but Gatermann visited it yesterday and noted its form didn’t work right in Mozilla. So I guess you can only get information on Microsoft’s way out if you’re running Internet Explorer.

Maybe these guys are smart, but they have about as much common sense as the chair I’m sitting in.

That’s just as well. If their experience is any indication (trust me, it is), they can keep their information. I’ve seen more useful information written in bathroom stalls.