2199 posts • joined Monday 31st May 2010 16:59 GMT
How can you prove that what you see is correct? Your optic sensors are fallible. The transmission architecture to your processing centers is fallible. The processing apparatus that post-processes the imagery is fallible.
Worse, that processing apparatus does not even have the capacity to process the imagery in real time; it substitutes imagery from previously stored data to compensate for the extremely low resolution imagery available from the sensors anywhere excepting the very center of their scope.
Thus the image you “see” is actually a composite of what truly exists. It is a mishmash of sensor distortions, transmission errors, filter bugs, memory retrieval errors and recompositing glitches that you choose to accept as reality. There is no scientific evidence to back up the claim that “what you can see” in fact represents reality at all.
All things being equal, there’s a reasonable chance that “what you can see” is a closeish approximation of “what is.” But it is not now and never will be a completely accurate representation of reality.
So if your standard for “what is real” is “what you can see,” then you have abjectly rejected science (and the fundamental principles that it is based upon) in its entirety.
*You* are an entirely fallible piece of equipment.
@Phoenix50 lots of MS fanboys here. Lots of neutrals who like many of MS's 2012 lineup. (Powershell 3, SMB 3, Hyper-V 3, SCVMM 2012, etc.)
But Metro is outright fucking garbage. So when we talk about Microsoft, we can - and do - talk about the good things. We also crap all over the decisions and corporate attitudes that crap all over us.
Turnabout is fair play.
Win9 development started last year
"We see vehicle and home automation as an important emerging market. In order to unify the interfaces between our PC*, Entertainment* and Mobile* offerings (to which we still retain a strong commitment!) we are undertaking the most expensive Windows development project ever to completely reimagine the interface. Now you will be able to use a Mouse*, Keyboard*, Stylus*, Fingers*, Voice*, Steering Wheel, Wall Sliders, Thermostat and Television-mounted Kinect all as "first class citizens" on the latest Microsoft Windows!
To further our efforts to unify the look and feel of Windows across all devices, we will be optimising our operating system for 30-character displays common on most household thermostats. Rest assured however, we will continue to support alternative display devices such as monitors or tablets. All data will be synchronised with the cloud using Microsoft’s new Windows BlueSkypeBee 60ghz high-capacity home-area-networking.
To smooth the transition to this new model, we have unfortunately had to deprecate all high-level programming languages. Win RT will still be supported on some device classes, however the only universally supported development platform is building your own scanning tunnelling microscope and flipping bits on our new Microsoft FAT Flash one atom at a time.
We have created a series of Microsoft Virtual Academy videos to help you embrace the power of this new development model. Users drive the need for great products, but it is developers, developers, developers who make those great products come to life.
Windows 9: what do you want to run Windows on today?
*Please note that these form factors and input types are only available with purchase of an Office 365 L5 or higher monthly subscription. (Minimum 10 users, $55 USD per user per month, subject to change. All users agree to be bound by the laws of the United States of America and the laws of the state of Washington. Service is provided on a “best effort” basis and is not guaranteed. Patents pending.)”
--Redmontian PR flak transmitting via Windows 9 Temporal Interface from BUILD 2015. (Thanks to the new Microsoft Quantum Tunnelling STM; buy now on the Windows Store, only 10E72 Windows Points!)
Re: funny that
Scripting is easy. Basic OOP development is easy.
Good development...that's hard. I'd say being a real developer - the kind that worries about maintainable, modular code, knows the ins and outs of the language, understands things like polynomial versus logarithmic execution times for sorts and searches - that takes as much time, effort, skill and experience as learning Deep Sysadmin stuff.
Of course, the devs are better paid and earn far more respect than the "digital janitors." But that's another rant...
Re: Things move in GUI's.
I wonder, does Lotus 123 from back in the day count as a CLI spreadsheet? No mouse interface on that...
"Engineering culture" isn't all it's cracked up to be either. If you allow the engineers to run the asylum then they don't necessarily think about little things, like real world implementation, transition from extant technologies, privacy, etc. They just make the most technically fantastic protocol they can, and to hell with all the people who have to deploy, administer or use the thing.
Then they go on holy jihads against anyone who dare consider anything outside of the technical purity. Because the technical purity of something is all. Assuming of course you agree with the design goals of the engineers in the first place.
See IPv6 for an example.
Me, I’d rather have had a protocol with privacy and anonymity being major considerations. Instead IPv6 is attaching a target to my forehead…and presenting every single device to the whole world.
But – aha – for criticising it, I will most assuredly get a bajillion downvotes and more hate mail claiming I “just don’t understand IPv6.” Because disagreeing with various design decisions automatically means I am irrational. Who wouldn’t want IPv6 exactly as implemented?
The take home from this is:
Netflix stock is undervalued; buy now.
Three Cheers for Minty (and minions)!
Thanks for keeping El Reg running. +1 sysadmin awesomeness.
Nice unicorn factory. In the real world, business demands a solution, informs you the budget is zero and assigns one of your staff to shipping because the shipper just left. Two months later they call you lazy and incompetent because you haven't delivered on the 9 projects you have, and your regular maintenance is falling behind. Then they reassign another staff member and fire a third.
Re: Teenager? More like pre-teenager.
I don't know. I think you're mixing CE and corporate IT up. My experience seems to be that most companies (including our governments!) seem to push their systems at least to the 6 year mark. At that point, entropy takes over and the hardware's rate of failure starts dictating replacement schedules.
Even with a lot of replacements happening now (that old Windows XP stuff is at the end, for most folks,) I find that a lot of companies are being pretty smart about things. They care about things like vPro. They want corporate stable models for their purchases; they might be starting replacement now, but they want to know they can still get the last round two years from now. They buy spares.
Maybe it’s a “large enterprise” thing? You’d have more experience in the 2500+ seat range than I do; down in the 25-1000 seat range, 6 year life seems to be about right. Maybe longer, as it’s at about 6 years that people say “I should replace that,” but it can take a while before that replacement actually occurs.
Phones and other CE devices however…they are on a rapid replacement schedule that I just don’t see with desktops and laptops.
So I am curious; where are you seeing this? Across which cross section of corporates? Is it region or industry limited, or are you seeing it broadly?
Re: It's even simpler than that.
Not so black and white. Sometimes you just end up in such a poorly run company that yes, the rest of the company is at war with IT. IT can only drive costs down so far. Eventually, refusal to invest by management means that you reach the hard limit of what can be delivered.
In those companies, resources are usually pretty thin on the ground, and everyone jealously eyes everyone else, looking for spare coppers. No matter how servile IT acts, some workplaces are simply toxic for everyone.
While a truly toxic workplace is probably not the norm, the workplace where management and other departments are joined up, “on the same team” and understand their role in business is probably just as rare.
Most companies fall somewhere in between, and the efforts of systems administrators alone are not going to bridge the social and political gaps in management strategy.
Re: Trevor Pott
Actually I agree with this guy in almost every aspect. IT is not about computers, nor the software you choose. It's not about the configuration you use or which brand name you've tribally attached your self worth to.
Too many systems administrators forget the very reason we bother investing in computers in the first place: because they can do something for us cheaper than paying a person, more accurately than paying a person, faster than paying a person or some combination of the three.
Risk management is a big element too. “It doesn’t have to be perfect every time.” This is proven by the mere fact that we still use humans to do anything. Humans are fallible; we accept a certain rate of failure by using them for a task. The same goes for computers. You have to look at the specific tasks that computer system is being engaged for and ask yourself exactly how much it is worth?
Do you buy the high availability with-added-blue-crystals version for that task, or will some old beater that needs a day’s worth of poking every year do? How sure are you of that?
It isn’t about the sysadmins, it isn’t about the tech, it isn’t about egos or glory or “new for the sake of new.” IT is about money. Specifically making more money than you invest into it. Without the business, there is no reason for IT to exist.
…most management are complete fucking morons who don’t understand the above any more than the jihadist sysadmins in love with their new shiny. They either fall into the camp of “demanding the impossible as soon as they read about it in a magazine” or “treating IT like a cost center and pinching every penny until they can’t do the job they are assigned properly.”
So while I agree with the dude in this article’s take on things – I’ve written articles and comments to this effect more than once – reality rarely allows this sort of focus to exist. Human nature simply gets in the way.
When management treats IT poorly, IT becomes defensive. The nerds become jealous of what little they have, and are loath to expend resources to solve a problem, fearing that when they need resources to solve a larger problem they won’t be made available.
Systems administrators designing and implementing IT solutions in a fully management-integrated and business-aware fashion relies on a level of cooperation and trust between management and IT that exists only in the best run companies in the world. The chances are exceptionally high that you, and nearly every single one of my readers don’t work in such a company.
Therefore I believe it is far more relevant to discuss coping strategies for dealing with terrible management than it is to discuss the theoreticals of systems administration in a unicorn factory.
If you work in a place where management have a clue; congratulations. Cherish your job; it’s rare. The rest of the world has to deal with inadequate budgets, corporate politics, hostile management and worse.
Attitude adjustment on behalf of systems administrators can only go so far towards alleviating those issues. It must be something all parties engage in. You don’t do yourself any favours by being completely servile any more than you do by being overly aggressive and hostile.
But hey, in a forum where absolute polarisation and binary thinking is the norm, why examine shades of grey? There’s black and white to worry about!
Re: "as long as they understand the fundamentals of how a computer works"
I would consider most of that "fundamentals," yes...but that's just scratching the surface.
I'd add understanding file layouts. Specifically how files are organised on a hard drive; the difference between a block of data and file system information. (Raw storage versus indexes, journals, etc.) The basics of various partition types, limits, features, etc. Why you have to "eject" removable storage on most systems (delayed write!)
Understanding how applications use tiers of memory, from L1 up to (at least) a basic understanding of ASLR in main memory. The concepts of tiered storage, deduplication (memory in re: virtualisation and block storage/file storage for the physical stuff.) DAS versus NAS versus SAN.
On the networking side, being able to say "synchronisation, synchronisation, enquire" is cute, but I want an understanding from my PFYs regarding "buffer bloat," and what the various different "experts" in the field are still arguing about. (Yes, buffer bloat is still a debated topic.) I want them to be able to explain spanning tree, network reconvergence, broadcast domains and VLANs.
They need to know about MAC addresses. Specifically that they are emphatically not globally unique, that the manufacturer is part of the beginning of the address and that virtualisation generates virtual MACs for each vNIC. They need to be aware of issues surrounding MAC address conflicts and what the symptoms are.
I want an understanding of system services, scheduled tasks, how to avoid resource starvation cascades (system-local, but especially in auto-failover virtualised environments!) This carries over from the simple system utilisation into networking of course; an understanding of everything from link saturation to overloading network gear with too many connections is pretty “fundamental.”
I would also expect a basic understanding of scripting, even if they aren’t very good at it (yet.) This would include the concept of data extraction from one application, parsing that data for another application, injecting it and analysing the result. (Chaining.)
I think knowledge of how a hypervisor works, including a basic understanding of things like VT and IOMMU are pretty fundamental. An understanding of basic electrical theory (including digital to analogue and analogue to digital signalling) is pretty important.
I’d also toss in an understanding of how graphics are output from display subsystems; why some remote applications are “screen scrapers,” while others can use “mirror drivers” and still others actually send raw data and expect the client application to construct a graphical representation locally instead of dragging imagery across.
Without the above knowledge as a bare minimum, I don’t think you can survive proper SME systems administration. You need to know the fundamentals of “computing.” Not just “that application, shell or OS.” You don’t have a team to rely on; there are no storage specialists, network specialists and so forth. As SME sysadmins, we’re it.
Oddly enough, I find the above level of information pretty common for sysadmins in their second year out of our local polytechnic. I’d say the city of Edmonton produces these folks at a rate of about 30 per year. (From a graduation size of about 90 per year.)
Oh, and yes, they are almost universally GUI-grown. They know some command line, but the young folk I encounter who know all of the above things to a reasonable degree aren’t steeped in the dark arts of Bash. They don’t run slackware on their home PC, and most of them use an iPhone.
Get one that’s willing to learn, teach them the power of the command line…and you’ve got a right proper sysadmin there.
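The MAC address points in the post above (manufacturer prefix at the start of the address, virtual MACs for vNICs, conflicts inside a broadcast domain), as an added example that is not part of the original comment. The inventory is constructed sample data and the function names are hypothetical; the OUI table lists only a few well-known hypervisor prefixes.

```python
import re
from collections import defaultdict

# A few well-known hypervisor prefixes (first three octets of the MAC).
HYPERVISOR_OUIS = {
    "00:50:56": "VMware",
    "00:0c:29": "VMware",
    "00:15:5d": "Microsoft Hyper-V",
    "08:00:27": "VirtualBox",
    "52:54:00": "QEMU/KVM",
}


def normalize(mac):
    """Accept colon, dash or Cisco-dot notation; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def describe(mac):
    """Split a MAC into its prefix and the two flag bits of the first octet."""
    mac = normalize(mac)
    first_octet = int(mac[:2], 16)
    oui = mac[:8]
    return {
        "mac": mac,
        "oui": oui,
        # Bit 1 set: address was assigned locally (by software or an admin),
        # so the prefix is not a registered manufacturer assignment.
        "locally_administered": bool(first_octet & 0x02),
        # Bit 0 set: group (multicast/broadcast) address, never a NIC's own.
        "multicast": bool(first_octet & 0x01),
        "hypervisor": HYPERVISOR_OUIS.get(oui),
    }


def find_conflicts(inventory):
    """Return {(vlan, mac): [hosts]} where several hosts share one MAC.

    A duplicate only causes trouble inside one broadcast domain, so the
    VLAN is part of the key.
    """
    seen = defaultdict(set)
    for vlan, host, mac in inventory:
        seen[(vlan, normalize(mac))].add(host)
    return {key: sorted(hosts) for key, hosts in seen.items() if len(hosts) > 1}


# Constructed inventory: (vlan, host, mac as reported by different tools).
INVENTORY = [
    (10, "web01", "00:50:56:AA:BB:01"),
    (10, "web02", "00-50-56-aa-bb-01"),   # cloned VM that kept its vNIC MAC
    (20, "db01", "0050.56aa.bb01"),       # same MAC, different VLAN
    (10, "kvm-guest", "52:54:00:12:34:56"),
    (10, "fileserver", "00:11:22:33:44:55"),
]

if __name__ == "__main__":
    for vlan, host, mac in INVENTORY:
        info = describe(mac)
        print(vlan, host, info["mac"], info["hypervisor"],
              "local" if info["locally_administered"] else "vendor-assigned")
    for (vlan, mac), hosts in find_conflicts(INVENTORY).items():
        print(f"CONFLICT vlan {vlan}: {mac} claimed by {', '.join(hosts)}")
```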
Re: Real simple for me...
Re: Would prefer admin gui's not to exist unless complemented by equally full-featured CLI
I have no problem with folks having different opinions than me. I have lots of problems with people who take those opinions and use them for hominem attacks.
I enjoy debating things with commenters. Many commenters can and do hold a fantastic debate. Several have taught me new things. Others have pointed out mistakes, shown me when I was wrong and I am grateful for all of them. I love The Register's commenttards...most of them at least.
But I do reserve the right to take up the debate when I disagree. Most especially when I feel that the commenter in question is turning purely professional or philosophical arguments into ad homs against myself or others. (Or when the person who evidences a difference of opinion does so with multiple easily pointed out logical fallacies.)
If you are particularly objectionable in your conversation, I will call you on it. If you’re a dong, I’ll call you on that too. If you repeat ad hominems against me, personally – especially if you back them up only with logical fallacies, rhetoric and baseless assertions – I am going to treat you like the complete twatdangle that I believe you to be.
Why would I do otherwise? I see absolutely no reason to take crap from you or anyone else.
I can and do respect the experience of the commenttards on El Reg. What I don’t do is blithely accept that your experience makes you “superior” simply on your say so. I don’t accept your opinion or life experience as more valid than my own or as more valid than those of the other systems administrators I have the pleasure of working with.
If you advocate something different from what I advocate, back it up. With solid evidence (primary research is best) and no obvious logical fallacies. Certainly no appeals to completely unverifiable authority. Above all; don’t cap your debates with snide comments about how I should “stick to Windows articles” or other such tripe.
Who – exactly – are you to tell me what to do? Who – exactly – are you that your experience, opinion and philosophical beliefs are automatically superior to mine, or that other guy over there with 30 years under his belt, or these million sysadmins over here?
You are a block. The validity of your arguments will flow from the evidence you provide. Nothing more.
Re: They use butterflies, stupid.
I am now determined to somehow make a butterfly into a systems administration tool.
Thoughts on how this can be done?
Re: Thanks, Trevor
@eulampios You are absolutely correct; until PowerShell, there wasn't anything grep-like. PowerShell 2.0 however...it'll take grep on.
In the Windows NT 4.0 world (which was the context of the original question,) nothing from that era of Microsoft software can match a modern grep command.
Re: Windows - Every single thing ... you can also do from the command line.
@eulampios FINDSTR might do you... http://thesystemguard.com/TheGuardBook/CCS-Ext/helptext/FindStr-NT.txt.htm
Re: Windows - Every single thing ... you can also do from the command line.
UMOUNT/MOUNT = MOUNTVOL http://ss64.com/nt/mountvol.html
FSCK = CHKDSK
CRYPTSETUP = CIPHER
MKFS = FORMAT
LVREDUCE/LVEXTEND = FSUTIL (Is this in Windows NT??)
Re: However, on FreeBSD
"Each with some shell/awk/find/etc quirk."
Some diverge more from "what you're used to" than others. The beauty of learning bash and other POSIX-like shells as "baby's first CLI" is that there are just so many that more-or-less follow the same rules. You don't have to relearn an entire CLI interface to get the job done (like moving from bash to CMD.) You mostly just have to internalise the exceptions and differences.
PowerShell is different for me here I think largely because a lot of the tools I got used to using with *nix operating systems aren't there. Chaining also works slightly differently, with the weird emphasis on OO shell structures, there are just some things that require a different headspace. (Linear scripting and I are just fine, but OO starts to wander outside my bailiwick.)
More to the point, some of the fundamental assumptions about system usage are different in Windows versus most POSIX systems. Flat-text configuration as one example. (Though I must point out that more and more I can just feed XML into PowerShell-compliant apps and that works. It’s a start.)
Where I start really getting outside my comfort zone though are programming-language CLI shells. Cshell, Rhino, etc.
That’s all a really long way of saying “I think it really matters which CLI is your first.” You never forget your first, and it deeply influences how you view and interact with CLIs forever. Using something like Bash is grand, because it’s close enough to all the other POSIX shells that you can adapt quickly.
Using a real outlier on the POSIX branch might not be as good; the mental list of “exceptions” to what you perceive as “normal” might be significantly higher than otherwise.
I can’t find much empirical research into the difficulties of learning (specifically) shells – nor the deltas imposed on cognition by different POSIX shells – but there is plenty into similar areas. GUI design – as one example – has had billions put into fundamental research on “how far from what someone first learned” you can stray before they get really uncomfortable or have a hard time. Similarly, keyboard design…even the design of musical instruments.
How much those “little differences” matter amongst similarly structured CLIs really could boil down to “which CLI you learned first!"
Just so we're clear here - and I think it's important to be - I don't have a problem with a Linux administrator who decides he wants to run his own Linux systems in a GUIless fashion. In certain circumstances (embedded, high-density-every-MB-of-RAM-matters, ultra-high security requirements) I can understand why it might be necessary or desirable.
But I do take issue with those administrators who feel it is necessary to lash out against others who choose to maintain a different set of tools on their servers. I especially have issues with those – like yourself – who can offer nothing excepting rhetoric to back up your decision.
Your arguments are consistently based on unproven assumptions about human learning patterns that simply don’t hold up to empirical testing. You even trot out appeal to authority without defining that authority in anything but the vaguest of terms. “More experience than me” is one you use…except there are plenty of Linux administrators in senior positions with decades more experience than me who agree with my take on this.
You bust out the “no true Scotsman” fallacy by implying that anyone who doesn’t agree with you isn’t a “real” systems administrator and – by virtue of disagreeing with you – obviously doesn’t know what they are talking about. That borders carefully on merging no true Scotsman with argument from personal incredulity.
Other sysadmins can do whatever they want. If however they want to belittle the rest of us for choosing not to limit our options, I believe it is incumbent upon them to do a damned thorough job of explaining their position, and backing it up with primary sources.
The whole debate has certainly devolved into ad hominem on both sides. Separate from my professional disagreements – and they certainly appear to be pretty fundamental – I believe your approach to this has been pretty damned douchey. You repeatedly assert yourself as superior in knowledge, character and professional capability without offering anything to back it up.
You attack me and my credibility based on assumptions and your own personal prejudices. I think that’s pretty damned douchy. Instead of attempting to have a rational debate about the topic you have made assertions grounded in obvious logical fallacies followed by personal and professional ad homs.
So if I obtain the impression that you, personally, may be unwell please understand that this analysis is entirely separate from the professional disagreement occurring regarding the use (or not) of GUI administration tools in various circumstances.
I am perfectly willing, capable of (and in fact, rather enjoy) having the CLI/GUI/Both debate in a dispassionate, professional setting backed by plenty of evidence, experimentation and so forth. That said, when I believe that you personally are a giant dong, don’t be surprised if I troll you.
After all, I have to do something amusing while yum runs 1064 package updates...
And I completely disagree with you on your points.
A GUI is a tool; it has a place, even on production servers. You haven't offered anything to explain why it shouldn't be there excepting your own personal bias.
Your arguments are based entirely off the base that "proper sysadmins use the CLI." The GUI thus being equivalent in your version of the universe to training wheels. Again; I disagree. Your entire perspective on the GUI vs CLI debate is pretty cracked. Listen carefully here: GUIs are perfectly fine things for administering servers, production, testbed and otherwise. So are CLIs. Better to have the option of both.
Quit limiting yourself, and for the love of His Noodly Self, quit advocating the limitation of others, just because you want to believe in the sacred power of your secret nerd club. No, the CLI is not "what a proper sysadmin uses, to the near exclusion of the GUI." I fundamentally reject that premise. I also reject the idea that you need to be tossed into the CLI deep end to learn the CLI.
More to the point, I reject your unspoken assertion that people are only "experienced administrators" when they agree with your views on how systems administration should be done. Seems to me there are quite a few very experienced administrators - myself included - who disagree with you.
So I’m back to “I want to know how your brain works.” Preferably with some DNA samples so I see if the issue is socialised or genetic.
Re: Mr Pott...
But...but...this was my trolling article! Chris even came up with the most trolly possible title!
Clearly I need to spend more time under my bridge.
Why would clients have to "run things" at all? Excepting under exceptional circumstances - such as a power outage during a certain type of cron job - everything from Windows to Linux "just works."
Why should they use Windows and not Linux? I flat out don't understand the difference here other than your own prejudicial snobbery about keeping Linux "pure." I can – and do – walk users through Webmin on Linux just as easily as Windows. I will use the best tool for the job, not whatever tool makes narrow-vision nerds feel less “polluted.”
You make the argument that in order to learn Linux, one needs to learn ALL of Linux, from the ground up. You go from knowing nothing to knowing damned near everything with no stops in between. There should be nothing to help you, nothing to guide you, nothing to ease your transition. You simply study really hard, memorise everything and it is one, or it is zero.
I say bullshit. Your entire argument is bullshit. There is no requirement for that. A GUI can – and does – help someone learn the differences between operating systems. It can ease the transition.
What’s more, I know your argument is bullshit because I have seen dozens of living, breathing, regular human beings make the transition from Windows to Linux because of GUIs. GUIs helped them learn about things like “the differences in file structure” and “different naming conventions” while still using a relatively familiar environment.
GUIs – Webmin, Gnome, Unity or otherwise – have never in my experience prevented someone from learning the command line and continuing on to a more in depth knowledge of Linux and its fundamental differences from Windows. Quite the opposite; they made the transition a hell of a lot less intimidating.
In the end, they don’t use only one or the other interface. They use both. GUIs and CLIs. If that makes you – or anyone else – feel put upon because there are people who didn’t learn as you learned, didn’t suffer as you suffered…cope.
A hammer is for nails, a screwdriver for screws. Use all the tools in your toolkit; don’t limit yourself, or others.
Re: That argument doesn't stack up
Special bonus question: where exactly am I making a "value judgement" in my post?
I do not consider the GUI “better” than the CLI. I do not consider the CLI “better” than the GUI. That means I am not making a value judgement about either of these tools; I believe they have their own separate and distinct uses.
Where exactly am I making a value judgement there?
Re: That argument doesn't stack up
Okay, even before I sit down to really nitpick this...can I get a dime bag of whatever you're smoking? I cannot connect any of your statements to reality.
“Combined bouquet of MCSE, RHCE and A+ Networking?” Um…what? I have two MCP exams? I think? They were necessary to get a discount on Microsoft Action Pack licensing.
At what point have I ever "fawned over powershell?" I loathe powershell. I think it's fantastic that powershell is something Microsoft is investing real resources in...but how - unless you are engaging in some serious mental gymnastics - does that translate into "fawning over ?"
“Liking my vendor too much?” Who is “my vendor?” I like to believe I am an equal opportunity offender, thank you very much. I criticise and employ cynicism in the general direction of everyone. Except possibly Intel; Intel haven’t actually done anything I consider overly stupid, malicious or anti-consumer in at least three or four years.
Regarding “claiming to write for Linux admins,” I don’t write the titles. The sub-ed does. That aside; a Windows admin who is dipping their toes into Linux is now a Linux admin, albeit a junior one.
Regarding GUIs, well…I wrote an article on that. Just for you.
TL;DR on that future article: I think people who limit themselves to “CLI OR GUI” without the mental capability to conceptualise “CLI AND GUI” are placing themselves at a complete disadvantage. But hey, if you want to cut off your happy bits because your religion told you so, far be it for me to tell you otherwise.
But if you want to spend your days spraying your religion around to the detriment of others, don't get all shocked and shaken if I think you're a complete twatdangle.
@dz-105 well, your solution doesn't work for everyone. Most of my customers don't have local IT staff. They're too small. As for me, I don't live in front of a PC. So when I'm out socialising, I do rather enjoy the ability to not have to either leave where I am to get to a PC or try to fix something in bash from a smartphone.
But hey, if you get a real kick in the knickers from punching bash commands into a touch screen, you go right ahead. Me, I’ll accept the ~25MB of RAM per VM that running Webmin costs me.
My free time is just worth more to me than the “purity” of eschewing GUIs for…what exactly? I still haven’t gotten a good reason from anyone that wasn’t pure rhetoric.
“I love Apple because they’re just better than Microsoft” sounds exactly the same to me as “GUIs are evil because command lines are just better.” I’ll keep on using both, not limiting my options, and see where that takes me…
@dz-105 I don't see why that's odd. Vic has a good point. Sometimes you are just walking someone through something over the phone. Usually when you are *gasp* not in front of a computer (Maybe you discovered members of your preferred gender and decided to experiment with organic entertainment.)
If you are on call, you have to provide support; but the ability to provide said support without having to remote in and do it yourself can be sanity-saving.
Actually...now that I look at a fully up-to-date Sendmail module, it might be that only two sections of twelve are "dangerous/useless." From what I can see "Sendmail Options" and "Network Ports" directly edit the .cf. The rest seem to edit include files that don't get clobbered every time I regenerate the M4.
That's actually doing better than I remember...
Webmin's other big use for a production server is management of the crontab and log rotation. You can easily do both from the cli, but I find the visual representation of information easier to parse large amounts of data "at a glance."
Re: postfix or something else?
Webmin module for postfix is quite good...unless you want to use LDAP...
I think we have a misunderstanding here; I don't use the Webmin module to edit any part of sendmail that would typically be part of the .cf. I use the M4 generator in the webmin module to edit those. I use the aliases and virtuser and so forth to edit those parts of the config that are in includes.
But you are correct; there are widgets in that sendmail config module that are flat out bad. They edit the .cf directly. And I would not ever recommend using those chunks of that module. It's useless! As soon as you touch the M4 config - which is how all config changes are "supposed" to be generated - then it wipes out your .cf; including any changes to the cf that you made with the sendmail module.
So just don't use those bits. I don't. But I do find it a convenient way to edit M4, edit "include-filed" items like aliases and virtuser, as well as manage the queue.
We are both right here, I think. There is value to the Sendmail module; but not ALL of it. It does edit the cf directly, which it should not do…but there are still other parts of the thing that work properly. I see no reason to throw the whole module away based on that; you just need to know it – and Sendmail – well enough to know what bits you cannot use.
I’d be far happier if they’d just pull the section that directly edits the cf out altogether…but I’ve simply ignored that for so long I just don’t notice it any more.
Maybe I need to do an article on that? "Webmin's sendmail module; which areas are safe, which break the rules."
Re: "All other things being equal it is much easier to hack Linux."
A) I have hacked the current Windows Servers. 2008R2 (fully patched) as well as 2012. (They fixed the bug.) Sometimes you just stumble across zero-days...
B) Considering Linux systems are often left unpatched as "fire and forget" systems, sure, I'll buy that more people manage to bust into a webapp on a Linux system than compromise Windows. Busting out of that web app to compromise the Linux system? I doubt that.
It also still isn't comparing like for like. Compare a modern Windows to a modern Enterprise Linux. Out of the box, fully patched...firewall off. That is not a contest Windows wins.
Re: When I set out and learned Unix[tm] back when, I freed myself from windows.
I get the difference between GUI and CLI. I just don't make the value judgement that one is "better" than the other. I don't see the point in writing long treatises on CLI apps or CLI systems administration largely because of the community attitude issues.
I spend months at a time neck deep in the command line, getting work done. Then I’ll spend months working on GUI-based systems. I don’t see the difference, really. The CLI is more powerful and far more flexible, but a GUI is easier and obfuscates a lot of the scut work that – frankly – I couldn’t give a rat’s ass about micromanaging.
So when I write things for a sysadmin blog I have some choices about who I target. Unix/BSD admins are few and far between. Even given that this is a tech site of some repute, they will still only make up a tiny fraction of the readership. I could write things aimed at them…but would they – or anyone else – care?
My experience with most Unix/BSD admins falls into one of a small number of categories. They discount what I have to say because (one or more of the following):
1) I’m too young
2) I didn’t go to the right school and/or get the right degree
3) I choose to also work with Linux and Windows
4) I use a version of Unix they don’t approve of
5) They are crotchety old coots who just don’t listen to anyone.
So I could target this small niche of my potential audience who won’t listen to anything I have to say no matter what…or I can target someone else.
So what about Linux admins? Why not target them? Every now and again I make the attempt. Truth be told though, it’s a pain in the ass.
In truth, the majority of Linux admins I meet are actually good people with good critical thinking skills and the ability to function in society. They are rational and able to socialise in an acceptable manner.
Unfortunately, the Linux community attracts a highly disproportionate quantity of irrational individuals, tunnel-vision OCD folks and paranoids. They ruin it for everyone.
Take the absolute hatred that some have for GUI administration tools. There is no rational reason for the vitriol that these people spew against this class of tool. I have never encountered rabid ad hominem attacks against a gardener for using an automated sprinkler instead of watering every inch of the lawn by hand; yet within the Linux community it is everyday practice to attack people for using a GUI, the “wrong” distro, a given package rather than another…even tabbing conventions regarding comments in a config file!
I would want to deal with these people on a regular basis why, exactly?
So yeah, I’ll talk about GUIs. I’ll talk about Windows. I’ll discuss interfaces and applications instead of my favourite new way to combine grep with a neat new regex I discovered. I do that because I get more out of the community feedback writing about the GUI-enabled world than I do the CLI-only world.
Windows, Apple and mixed GUI/CLI Linux admins seem pretty open to careful, considered debate of a problem. They will come up with helpful – even novel – solutions to problems. I learn as much from commenters in these threads as I do from documentation.
A Linux article or forum thread is just bickering. Endless, circular, heated, hostile bickering. It's fun once in a while...but really, I'm starting to get too old for it.
That said, I will say what I have said many times before: I am entirely open to requests and suggestions regarding what I write about. If someone has a particular topic in mind that they would like me to address, I would be entirely willing to do so if I felt it were within my capabilities.
To date, I’ve had several requests for looks at virtualisation, Windows apps, Apple administration and so forth. No formal requests for Linuxy anything. Just a lot of complaining that I’m “biased,” “a Windows loving Microsoft shill,” and even some conspiracy theories about how I’m part of “the machine” designed to keep Linux in the shadows.
Re: @postfix or something else?
Thank you for the link; I will give it a more in depth look tomorrow. At first glance, it looks like a walk-through focused on creating a postfix filterserver using a local LDAP setup. I'll poke at it some and see if I can figure out how to tie it back to Active Directory instead of a local LDAP setup. If I can figure it out, I'll do up a howto.
It would be nice to have a simple way of front-ending an exchange (or other) mail system using Active Directory as the user interface. Easy in Sendmail, but so far I've never made it work without Postfix using PAM to do LDAP lookups.
If I can make it as simple as sendmail...that's a huge step forward!
"All other things being equal it is much easier to hack Linux."
If you honestly believe this - honestly and truly - please go back to the article proper and select "email the author." I will post for you a CentOS 6.2 Virtual Machine DEFAULT INSTALL hosted on an external IP address. I will use *NONE* of the security measures mentioned in this article. I will even turn the firewall off.
You can hack away to your heart's content. I will monitor all of the packets in and out (naturally) to see exactly how you "hack" my off-the-shelf, completely unsecured virtual machine. I will bet you a barrel of ale you cannot do it.
On the other hand, I could post a Windows 7 system (fully patched) default install to an external address and with the firewall turned off I don't even need you to hack it. Within a week an IP address from China will have done it for you.
Hell, there are a few hundred IRC servers where you can buy zero-day software to do exactly that for $100 USD.
"Easier to hack Linux" my ASCII.
Re: For [Insert Deity here] sake
In situations like this - where I happen to know what IPs most people are coming from - I whitelist the IPs. In fact, I generally have the DNS names whitelisted alongside some dynamic DNS deployments for remote/home users.
Works wonders for more than just SSH. SIP phones for example…
Re: @postfix or something else?
Postfix seems to work out-of-the-box if the LDAP server is located on the same system as postfix itself, and that system is configured to talk to it, etc.
In my experience, getting sendmail to talk to an LDAP server is two lines in the M4 configuration. I don't have to configure PAM, the LDAP config file or anything else. Sendmail can be set up to talk to a remote LDAP server without having to involve or configure another thing on the Linux box.
Postfix only ever seems to work with a remote LDAP system if the Linux box is itself configured to authenticate against that LDAP domain. I prefer to not have to join my servers to the domain in order to do simple lookups.
That said, if you happen to have a link to any chunk of the postfix manual (or a decent walkthrough) that can show me how to set up postfix to a Windows Active Directory server without having to get the rest of the Linux system authenticating against AD, I'd be greatly indebted!
Re: postfix or something else?
@eulampios please try someday to front-end an LDAP-based email service with Postfix. Exchange is common, but I have LDAP QMail systems in the wild as well. Sendmail is significantly easier to set up as a simple mail filter for LDAP-backed systems. (You want to be able to have the MTA do LDAP lookups so that you can do simple things like reject mail for addresses that don't exist, and banhammer systems that repeatedly try multiple non-extant addresses.)
Similarly on many Linux distros - CentOS is a great example - you don't need to "set up" sendmail at all. You simply "yum install apache php sendmail" and suddenly your PHP scripts can send e-mail out. (In my case, I trap all outbound mail with an edge device and apply whatever filtering I need to there, but the principle of "it Just Works" remains.) If you need to make minor changes in Sendmail, use the M4 config (text-based) or the Webmin module.
Postfix is only easier if you are actually using it to host e-mail, rather than simply to process email. (In which case; Postfix all the way; never use Sendmail to host email!)
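An added example (not part of the original post) of the "banhammer" idea mentioned above: count "User unknown" rejections per relay in sendmail-style log lines and flag relays that probe several distinct non-existent addresses. The log lines are constructed, and the log layout, threshold and function names are assumptions to adapt to your own MTA's logs.

```python
import re
from collections import defaultdict

# Constructed sample lines (documentation IP ranges, made-up queue IDs).
SAMPLE_LOG = """\
Jun 10 09:00:01 mx1 sendmail[2101]: q5A90001: ruleset=check_rcpt, arg1=<alice1@example.com>, relay=[203.0.113.7], reject=550 5.1.1 <alice1@example.com>... User unknown
Jun 10 09:00:02 mx1 sendmail[2101]: q5A90002: ruleset=check_rcpt, arg1=<bob2@example.com>, relay=[203.0.113.7], reject=550 5.1.1 <bob2@example.com>... User unknown
Jun 10 09:00:03 mx1 sendmail[2101]: q5A90003: ruleset=check_rcpt, arg1=<carol3@example.com>, relay=[203.0.113.7], reject=550 5.1.1 <carol3@example.com>... User unknown
Jun 10 09:05:10 mx1 sendmail[2140]: q5A90510: ruleset=check_rcpt, arg1=<jsmiht@example.com>, relay=mail.example.net [198.51.100.4], reject=550 5.1.1 <jsmiht@example.com>... User unknown
Jun 10 09:06:10 mx1 sendmail[2141]: q5A90610: ruleset=check_rcpt, arg1=<JSmiht@example.com>, relay=mail.example.net [198.51.100.4], reject=550 5.1.1 <JSmiht@example.com>... User unknown
Jun 10 09:07:00 mx1 sendmail[2150]: q5A90700: to=<jsmith@example.com>, delay=00:00:01, mailer=esmtp, relay=exchange.internal. [10.0.0.5], dsn=2.0.0, stat=Sent
Jun 10 09:10:01 mx1 sendmail[2160]: q5A91001: ruleset=check_rcpt, arg1=<old1@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <old1@example.com>... User unknown
Jun 10 09:10:02 mx1 sendmail[2160]: q5A91002: ruleset=check_rcpt, arg1=<old2@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <old2@example.com>... User unknown
Jun 10 09:10:03 mx1 sendmail[2160]: q5A91003: ruleset=check_rcpt, arg1=<old3@example.com>, relay=[192.0.2.10], reject=550 5.1.1 <old3@example.com>... User unknown
"""

# Matches a recipient rejected as unknown; the relay may be "[ip]" or "host [ip]".
REJECT_RE = re.compile(
    r"ruleset=check_rcpt, arg1=<(?P<rcpt>[^>]+)>, "
    r"relay=(?:(?P<host>\S+) )?\[(?P<ip>[0-9A-Fa-f:.]+)\].*"
    r"reject=550 .*User unknown"
)


def unknown_rcpts_by_relay(lines):
    """Map relay IP -> set of distinct (lower-cased) unknown recipients."""
    seen = defaultdict(set)
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            seen[m.group("ip")].add(m.group("rcpt").lower())
    return dict(seen)


def relays_to_block(lines, min_distinct=3, allowlist=()):
    """Relays that tried at least min_distinct different unknown addresses.

    Counting distinct addresses keeps a sender who retries one mistyped
    address off the list; allowlist holds relays that must never be blocked.
    """
    allowed = set(allowlist)
    return sorted(
        ip
        for ip, rcpts in unknown_rcpts_by_relay(lines).items()
        if ip not in allowed and len(rcpts) >= min_distinct
    )


if __name__ == "__main__":
    for ip in relays_to_block(SAMPLE_LOG.splitlines(), allowlist={"192.0.2.10"}):
        print("candidate for blocking:", ip)
```
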
Re: For [Insert Deity here] sake
@David D. Hagwood
Would you look at that? Amidst the dross; a sysadmin emerges! Yes sir, someone who understood exactly where I was going with "don't run the thing on a standard port" without having to have it explained. You don't run RDP on 3389 and you sure as all get-out don't run SSH on 22.
Them is the honeypot ports. Security through obscurity isn't security at all...but a minor dollop of obscurity is useful in catching the obvious idiots who like to eat your CPU cycles with their useless TCP packets!
Blows my mind that this apparently needs to be explained to "senior Linux administrators," but what're ya going to do, eh?
Re: postfix or something else?
@eulampios where exactly did I say that postfix couldn't or wouldn't use spamassassin, mailscanner, clamav or other?
I said you didn't need postfix to use them. The implication was not that postfix cannot use these technologies, but that postfix is more complicated to configure than sendmail. The further implication of that statement is that postfix is generally A Better Option, but that using the more complex tool isn't necessarily always required.
I wouldn’t want to run a full-bore business off of Sendmail – though I do admit that my PERSONAL email server is Sendmail – Postfix or QMail are better options than Sendmail for an actual email server.
That said, if I am not using the system to store emails – merely to send them on behalf of a web server, or to filter-and-forward (with or without LDAP lookups) – then I prefer to use the simpler tool. It is kinder to future admins who in most cases won't have 30+ years *nix experience.
Re: postfix or something else?
Postfix isn't required for a great many cases. Such as when the local mail elements are being used to mail reports on behalf of a web application, or when you are using the Linux system's mail subsystem only as a pre-filter front-ending another system. (ClamAV + Mailscanner + Spamassassin, etc.)
They make for good, cheap, easy pre-filters for Exchange, for example.
Re: @ Trevor Pott 's reasoning
@eulampios: ClamAV is actually quite terrible at finding website compromises. It does find some however, and is better than nothing. LMD does a far better job, but isn't included in the primary repositories.
The issues of the type I am discussing are neither "you must be logged on as root and download some Trojan by using Linux as a desktop" issues nor are they 0-days. In nearly every case, malware on Linux occurs because someone forgot to - or couldn't, because of chained dependencies - patch.
In most cases it is a flaw in some PHP application that an admin has installed on their Apache setup. A privilege escalation bug or some other issue allows someone access to the webserver. They then alter the extant CMS/Application/whatever to include links to malware, typically as part of a drive-by-download attack targeting Windows (though increasingly Mac) users.
In general, this sort of malware does not compromise the Linux system itself. IMHO, anti-malware trying to defend the Linux operating system itself is completely pointless. Every available anti-malware package for Linux is so woefully inadequate that if and when your Linux system is compromised you nuke the whole thing and start over. (It’s quicker than defanging the thing.)
No, anti-malware on Linux is almost exclusively for cleaning e-mail and cleaning compromised websites. Generally compromised websites targeting windows systems.
I wouldn’t prescribe anti-malware for Linux for the same reasons as I would Windows. Frankly, Windows anti-malware is far more robust. It has to be; Windows has so many deep flaws (and is such an attractive target due to market share size) that there are many vectors to infect the OS itself.
Linux has a smaller attack surface in getting at the OS + core packages proper. That said, when it is infected, it’s pretty much a total loss. When a Windows system is compromised, even a half-assed Windows admin can clean the thing in ~80% of cases with less than an hour’s applied effort. (Assuming you ignore “the progress bar is going” in the effort calculations; most admins go do something else while waiting for progress bars.)
When a Linux system is compromised, this isn’t really the case. In these instances the malware is generally (by necessity) significantly more complex than your typical Windows software, written by people who know far more about the OS than the sysadmin trying to defend the thing.
Comb through the logs for long enough, test permissions and run fuzzers on enough things and you might figure out what was compromised, how, how many friends it downloaded, what they affected, etc. Then you can kill it pretty easily. In that timeframe however you could just have backed up your core configs/data, reinstalled and been on your merry way. (This isn’t remotely as easy on Windows; even with folder redirection, AD, etc, backing up configs can be a PITA.)
So, to re-cap: anti-malware is generally necessary on Linux for the two most common roles that Linux sees. Namely, e-mail (either as a pre-filter or actual server,) or web hosting. The actual usefulness of anti-malware is different than it would be on Windows, but it is still recommended nonetheless.
If you use the M4 config editor, it will indeed blow away all other changes in the .mc. I don't know that I'd ever "ignore that fact," Vic. It's pretty much the way M4 is supposed to work. If you use tools that edit the .mc directly - or you enjoy going in and editing the .mc by hand - then do not use the sendmail module in webmin. Period.
That said, I was taught emphatically to never edit the .mc file in sendmail directly. In fact, I have been berated and mocked by sendmail devs for doing so. If I go onto a sendmail forum for help, or I try the mailing list, etc...I am repeatedly and forcefully told that I am never to do anything outside of M4. M4 is where configuration changes are "supposed" to be made, and so I make them there.
Things like virtuser and aliases are generally include files nowadays, so I can use the Sendmail webmin module to edit those without clobbering my config every time I touch M4. This means that the Sendmail module will allow me to do things “properly,” which means that when I need support from the community, I have at least a snowball’s chance in a neutron star of getting it.
That said, I would never berate someone for editing the .mc directly. There are so many different ways to do something in Linux that I don’t feel it’s my place to tell someone that their method is “wrong,” so long as it works consistently for them. I don’t have the jihadi attitude about such things that is so prevalent amongst Linux nerds.
So if you are following the “rules” as laid out by the Sendmail devs, you are using M4 to generate every config change, with aliases, virtuser, generics etc pulled out as includes so they don’t get clobbered by M4 regeneration. In that case, I highly recommend the Sendmail module, because it works…even when something else edits the M4 or the includes.
If however you edit the .mc directly, the sendmail module in Webmin will screw up your Sendmail something fierce and you should stay away from it!
Re: @ Trevor Pott 's reasoning
Linux systems never get compromised? That's a larf. They most certainly do; almost always through some badly coded PHP something or other. (To be fair, they also tend to compromise windows systems.)
Yes, you generally need anti-malware on Linux systems. If for no other reason than to ensure that your web applications haven't been hijacked by someone looking to poison the rest of the net. Or do you have even the remotest shred of evidence to say that every single compromised website is IIS based? How do you dismiss a decade's worth of evidence that shows several thousand new LAMP systems compromised every month?
I’m legitimately curious.
Re: @Trevor and your technical honesty
@eulampios the point of the list is to allow you to do your own homework. I do have a few other things to do with my time. Suffice it to say that should you go feature-for-feature Debian to Windows and set up that Debian install so that the repo files for all of those possible features were installed locally it would be about the same size as Windows core. I can most assuredly make a comparably equipped Linux into something smaller than Windows Core…but only if I use the option to leave the repo files on the internet on a “download as needed basis.”
So in short: the point of the list is to point out that you are being intellectually dishonest if you do not compare like for like. I do install CentOS systems that are roughly comparable to Windows Core in size all the time. Once the repos are copied locally, (most of these systems are “fire and forget,” and you want your future self to have the repo files 10 years down the road,) it is generally within a few hundred megs of a Windows Core install.
As to trying to back up your hatred for Microsoft/Dell…are you seriously trotting out product naming as a way of attempting to attack them? Really? There goes your credibility.
Regarding the price that Dell pays per Windows license, I have absolutely no idea which version of Windows that is for. I would have to go back and check to be certain. I am under the impression it is Home Premium, with Pro being $43.
As to supporting links for that information: use Google. This is fairly broadly available information, and I am not remotely inclined to do your homework for you. I am under the distinct impression that I could provide you a contract signed in blood by Michael Dell and Steve Ballmer and you still wouldn’t buy it. It doesn’t fit your conspiracy theory and you aren’t interested in evidence outside that box.
Naturally of course this would make you incapable of believing in my “technical honesty,” because I am able to look at the facts available to me and draw a conclusion that doesn’t involve a secret conspiracy to keep Linux sidelined. Worse, I am able to look at the available evidence and believe that Microsoft’s operating systems may well be legitimate, worthy competition for Linux in most circumstances!
Now, if only both of those opinions weren’t supported by not only the plurality of available evidence as well as the majority of sysadmins serving companies both small and large. I might buy your “oppressed by the man” theories then.
As it stands however, support for the conspiracy theory is fractional at best. Support for “Microsoft is incapable of competing with Linux on a technical level” is slightly higher, but still fractional. You might as well be standing there screaming into the void that Climate Change is a conspiracy and there “is still broad scientific debate.”
The support of less than 5% of subject matter experts does not make for broad debate at all. More to the point, it borders on clinically paranoid to believe that hundreds of organizations and hundreds of thousands of people are all working together to promote climate change/keep Linux down/whatever else.
Instead, you should start looking at the issues raised by the people who make the decisions to fund – or not – front line Linux offerings and ask yourself how they can be resolved. Linux won’t be ready for the desktop – and sold as such – until the issues at hand are dealt with.
Also: for the record…anecdotal evidence when discussing hardware compatibility is irrelevant. “But it works for me!” means nothing. The subset of hardware you’ve worked with is only ever going to be a fraction of what’s available. More to the point, you have repeatedly demonstrated that what you expect from your hardware is different than people like me…and the kinds of people who have to sell and support equipment on the market.
Your life is one narrow slit through which the world can be perceived. What the Dells of this world have to cope with is far vaster. Try to bear that in mind next time you start worrying about the conspiracy.
Re: Who is this article aimed at?
Article is aimed at Windows admins who are cautiously branching out by deploying a few Linux systems.