* Posts by Nate Amsden

2438 publicly visible posts • joined 19 Jun 2007

White box, anyone? Big Switch pumps Big Cloud Fabric updates as pretty Big Deal

Nate Amsden

"lower cost than traditional networks from Cisco, and much easier to manage"

Companies have been selling stuff claiming that for probably 20 years now, and hasn't been enough. Kind of a worn out selling point.

(mostly non cisco network equipment user for the past 17 years myself)

IBM Zurich wants to spice up your life with SALSA translation layer

Nate Amsden

sounds similar to other tech

HP 3PAR adaptive sparing (2014, maybe earlier) closely integrates the SSD with the array, returning a chunk of space otherwise reserved for the SSD for bad blocks etc to the array. The array then uses its own algorithms (which it was using regardless) to mark stuff as bad when there are read errors etc. Then there is adaptive read and write caching which optimizes the data going to the SSDs so they get the data in the most efficient means possible (reduces wear).

I believe more recently I have read other companies deploying similar tech in their arrays.

Obviously such tech generally hasn't been available to servers with internal storage(which is what the article seems to be targeting with software RAID etc)

What do people want? If we're talking mainstream enterprise SATA SSDs, reliability, chirps Micron

Nate Amsden

reliability and endurance good to see

I just checked again the oldest SSDs in my org's first AFA are from 10/2014, cMLC media, and the array is reporting still 95% of wear life left(2TB media), with an average of ~80% write workload to the controllers. This tech has been a lot more durable than my expectations.

You may not be a software company, but that isn't an excuse to lame-out at computering

Nate Amsden

as someone who has worked at several different startups over the past 17 years, all of which I would consider software companies, I'd have to agree. The new fad of break early/often is quite frustrating, much more so for mature products (lookin at you firefox from a palemoon browser).

The whole concept of SaaS I believe now is because the software is such a piece of shit that customers CAN'T operate it on their own. My first SaaS gig(before SaaS was even a term) had me on a project to prove to their largest customer that the software could be run by them, I completed the project and the customer paid the company I was with $1 million as part of the contract, but they saw first hand how shitty the experience was to manage the software and so continued to opt for the SaaS offering (that company I was with was later bought by a much much bigger company).

It's really sad how quality has gone out the window in so many cases in exchange for the new shiny.

"Don't fix what isn't broken" is my new saying I guess.

Red Hat slams into reverse on CPU fix for Spectre design blunder

Nate Amsden

Re: Almost There and Back Again..

I had to rebuild a vcenter server last year due to OS corruption in windows. Database for vmware lives on separate linux host with oracle. Used same vcenter version but the process itself was straightforward (reinstall and connect hosts). No complications. No issues with VDS or anything else. I spent a lot of time trying to repair main vcenter since I was quite paranoid about rebuilding it live (never had to do it before). But once I gave up on that the process took just a few hrs.

HTML5 may as well stand for Hey, Track Me Longtime 5. Ads can use it to fingerprint netizens

Nate Amsden

Re: Bar-stewards

I'm sure it's not perfect but for me I use the firefox(now palemoon) per-site cookie stuff, and have been for as long as I can remember, I'd say at least 10-12+ years now. I do use an ad blocking extension on firefox/android just because it is less flexible. Sometimes I have to spend some time to undo one of my cookie choices, but I'm used to that.

Currently I have 19,830 sites in my permissions.sqlite file which goes back to the beginning (migrating to palemoon had to do some manual data injections into the sqlite as the full profiles weren't totally compatible, something I had done with one or two firefox upgrades over the years).

Tried to use waterfox but the cookie stuff there was broken too.

Palemoon is a good setup for my main browser anyway. I have firefox 5x ESR in a windows VM which I can leverage in the very odd case where Pale moon doesn't work (maybe 0.01% of the time so far in the past month). 99% of the stuff in that VM is work related(VPN etc).

Meltdown, Spectre bug patch slowdown gets real – and what you can do about it

Nate Amsden

hyperconverged

Haven't noticed anyone talk about this yet, but given the hit is much harder on systems that do a lot of syscalls I am curious the impact to hyperconverged systems.. Standalone storage systems that primarily leverage CPUs for storage stuff could do without the fixes since they are generally tightly controlled running only trusted software. Hyperconverged of course doesn't quite have that luxury in a typical deployment scenario.

Of course if your hyperconverged system isn't pushing much I/O then you probably won't see a big impact.

The lustre results are interesting.

Firefox 57's been quietly delaying tracking scripts

Nate Amsden

Re: That explains a few things.

I really like palemoon myself, just started using it, was able to migrate the bulk of my really old firefox ESR (which I'm sure I used for far too long - eventually several common websites I use stopped working) profile settings (mostly by directly injecting them into the sqlite dbs).

I tried waterfox, really wanting to keep the cookie accept functionality that firefox killed though it was broken in waterfox too. Waterfox told me every single extension I have(close to 20) are legacy and not supported with the newer firefox stuff. Currently have nearly 20,000 records in permissions.sqlite for cookie permissions going back at least 10-12 years now.

Fortunately palemoon is working nearly perfectly.

Oracle swallows sales spurt from one of its niche categories: Cloud

Nate Amsden

circle the drain

I'm sure there are a lot of hardware companies out there that would love to have $900 million in revenues per quarter..

IBM reminds staff not to break customers in pre-Xmas fix-this-now rush

Nate Amsden

i'm sure

that individual's high standards for not breaking things during this critical time will weigh heavily into the decision of whether or not IBM lays them off in the near future.

What network neutrality madness has happened today? Take a big breath

Nate Amsden

internet regulations look to DSL

Much of the at least early complaints online about net neutrality came down to "don't throttle my netflix" (people saying that generally didn't know or care whether or not there was actual congestion on the pipes).

But for me I keep going back to look at DSL, for a long time (I think even now) many/most/all telcos have to open up their networks for 3rd party network connections for things like DSL or even bigger lines like T1 etc(obviously not suitable for home use). I recall one of my early jobs I was dealing with 3rd party network providers on top of Qwest lines if I recall right.

Performance of DSL based connections is obviously pretty poor compared to most cable modem connections, though it seems many people who want this regulation toss away DSL as a viable option because it is generally far slower than cable (I think an argument could be made it is that way because they lack incentives to improve it in many cases). Myself I gave up on DSL probably around 2007(1Mbps up and 1Mbps down) when the 3rd party ISP I had was sold for the Nth time and they were going to be changing all of my static IPs. I have had my "server" stuff living in co-location facilities ever since(at a higher cost of course - currently $200/mo for 100meg unlimited, and 200W of power for my 1U vmware server).

For me I'm not really for or against net neutrality, it doesn't really matter to me. the internet worked fine for me before the rules in 2015 (first went online I think in 1993 or '94), and I haven't noticed anything different that I thought I could attribute to net neutrality that impacted how I use the internet since the rules went into effect(and no I really don't stream much of anything).

Linux laptop-flinger says bye-bye to buggy Intel Management Engine

Nate Amsden

Re: Alternative?

I have read that AMD has similar technology (though haven't noticed that they have similar security issues with it yet).

Myself I have always been interested in the Intel AMT going back maybe 12 years when I first heard about it. My current and previous laptops have the features I see but are not "enabled" (as in don't have the software/licensing which seems to be enterprise specific). Though that may not stop the security stuff from being exploited.

I am kind of assuming that most servers don't have this stuff enabled?(I also think that some server board makers like Supermicro or Tyan may sell boards with this ability) At least I have never noticed anything related to this tech in my HP servers, ever. They have iLO of course which is similar though not as tightly integrated. I have read that it needs Intel NICs, but am not sure if that is the case or not, if it is, then may explain why I've never seen it on my HP systems all of which seem to have broadcom NICs as their onboard interfaces, going back at least 10 years now.

Oops: LinkedIn country subdomains SSL cert just expired

Nate Amsden

the certs are public, anyone can get them from their browser. The keys are the valuable bit(and private) and I've yet to come across a key that expires with regards to SSL anyway (one exception might be the key's algorithm being old and no longer supported or something)

Los Alamos National Lab fires up 750-node RPi cluster

Nate Amsden

Re: Pi flavour?

I certainly could be wrong (never used any Pi) but I thought I had read the ethernet on the Pi was running off the USB bus?? (not sure if still the case), but as you say, probably not a very good setup beyond a simple toy - the exception may be for setups that aren't network bound (e.g. download a batch of data to work on and then work on it from local storage/memory).

Even if it's only 100Mbps, as long as it's on the PCI bus (not USB), I'd think would be a major improvement over anything running on top of USB.

Google broke its own cloud, again, with dud DB config change

Nate Amsden

Can't imagine it's that bad at google. I have been in the SaaS space for 14 years and have seen exactly 1 SRE (though at the time he was a "performance engineer" maybe not quite a SRE but the term SRE didn't exist at the time as far as I recall) at any of the companies I have worked at.

Nate Amsden

Re: I wonder how long it'll be ...

Almost no IaaS cloud charges for close to utilization. They charge for provisioning. Exceptions typically include object storage.

Go provision 100 8 cpu vms let them sit at 99% idle and see how much it saves vs running at 80% utilization.

Go provision 30TB of amazon EBS storage and write 10gb to it, do they charge for the 10Gb? (my main storage arrays operate at about a 10:1 over subscription model and that approach has worked fine for me for a decade).

If you have a real solid handle on utilization and capacity requirements and ongoing capacity testing then public cloud can be good. Otherwise you're most likely either going to be paying out the ass (previous company peaked at 500k/mo roughly 10x what was needed), or you will be having a lot of problems.

Certainly it is possible to "get it right", seems very few and far between though.

Online outrage makes Logitech drop a brick: Now it will replace slain Harmony Link gizmos

Nate Amsden

why can't they renew the cert?

Last I checked certs had nothing to do with encryption just identification. And even worst case if it used http. It's a remote control device, hardly anything that needs top grade security.

Suppose there must be more to the story but I haven't seen it in any of the articles I've come across

(Never have used Logitech remotes myself, I just deal with the multiple remotes from the devices themselves, I don't have a lot of devices so not a big deal)

Qualcomm is shipping next chip it'll perhaps get sued for: ARM server processor Centriq 2400

Nate Amsden

Re: A power draw of up to 120 watts

What makes you think Qualcomm will be better than Intel with regards to buggy chips ? If Intel chips were so buggy there would be a lot of people complaining, and there doesn't seem to be(outside of some vocal people complaining about that AMT stuff). I certainly haven't been alarmed by any recent Intel bugs, and I certainly don't think I am in the minority(though I keep my HP servers fairly up to date with Proliant Service packs so they get whatever HP may put in there to fix issues).

The Intel f00f bug was a bad one, as was the FDIV bug.

When it comes to existing Qualcomm CPUs, one of their biggest markets I'd assume is phones/tablets, and there seems to be at least as many complaints about Qualcomm in that space. Looks like several root exploits against qualcomm CPUs released last year.

AMD Epyc sounds interesting though it seems to have quite limited availability at the moment from OEMs. I remember being very excited about Opteron 6000 when it came out and still have a bunch in production even today(HP DL385G7s)

KVM? Us? Amazon erases new hypervisor from AWS EC2 FAQ

Nate Amsden

amazon has how many developers and support staff to hack KVM and Xen to be something viable for them?

KVM or Xen are more of technologies rather than a product (the product would be Redhat KVM hypervisor whatever they call it these days, or Citrix Xen hypervisor etc..)

KVM looks interesting (Xen never has to me), though I haven't seen anything that makes me interested in trying it over ESXi (currently running 5.5).

But I'm sure it can work fine for many folks otherwise.

HPE and WekaIO sitting in a tree, k-i-s-s-i-n-g

Nate Amsden

brain flips characters

WekaIO reads like WeakIO, brain transposing..

Wish HP had a good NAS(NFS) solution.

VMware open sources VR overlay for vSphere

Nate Amsden

Re: Really?

hopefully 7 comes out and 6.5 will be stable at that point, I looked again at the feature set for 6 and 6.5 and see nothing that interests me, though 5.5 goes end of support next year I believe so will have to upgrade.

My track record for vmware support cases averages 1 or 2 per year for the past 5 years, would like to keep it that way (running around 1,200 VMs today).

Nate Amsden

Re: Gimmick of the highest order

nothin but windows client here (through Xenapp)

probably will upgrade to 6.5 next year though (5.5 now)

First iPhone X fondlers struggle to admit that Face ID sort of sucks

Nate Amsden

swipe unlock is all I need

Strange to me to see/hear about so many people talking about how they want their device locked, or encrypted, fingerprint sensors etc, but then so many of the same people install apps on their phone which slurp their data or spy on their location etc.

The only reason my Galaxy note 3 daily driver has a pass code on it is because I needed to install a 3rd party cert to sync with my personal server, and android requires installing a lock in order to do that (not sure why). It also reminds me (on bootup) that my device could be snooped on because I installed this cert (a cheap wildcard ssl cert from comodo).

I never do any banking on my phone, and any purchase activity is typically limited to the google store(pretty rare these days) where I use virtual credit cards generated on my laptop (Bank of America uses a Flash app to generate them).

I've never lost my phone, never had it stolen, last phone that broke down for me was 2005. So I'm more concerned about remote data slurping than I am someone physically getting at my device. I use my 2nd Note 3 (and Note 4) for apps that I'm curious about that ask for more permissions than I'm willing to give on my main device (and neither device has access to my internal networks, my wifi is on a separate port on my firewall - also those devices are not linked to my personal or work email/etc). If I need the 2nd Note 3 with me and it needs network access then I fire up the hotspot on my primary device to get it online.

Just bought a Sony XZ1 (Pink) for my girlfriend - and while it apparently has a fingerprint sensor Sony disables it via software in the U.S. Her current and previous phones had no fingerprint sensors either(no pass codes either), so I guess we agree on that bit.

Only reason I'd use just swipe to unlock is to help prevent accidental unlocks.

Licensing rejig and standard price rises set for Windows Server 2016

Nate Amsden

Windows VMs on non Windows hypervisors

How about for VMs running in VMware ?

Windows makes up a tiny part of the 1200 or so VMs I have, but I do have about maybe a dozen or two Windows 2008/R2/2012R2 Standard servers (each individually licensed today).

I know the changes don't affect the older versions of Windows, but if I have 48 physical cores on the VMware host, and I want say 2 x 2vCPU VMs on that host (with the rest of the VMs being linux), what is the license? Is it like Oracle DB processor licensing where I have to license the 48 cores on the VM host even though I'm only using 2 x 2 CPUs ? And/or am I having to license 8 CPUs even though I'm only going to allocate 2 CPUs to the VM?

The biggest Windows VMs I have are 4 CPUs, most are 2 CPU, with a couple 1 CPU and a couple 3 CPU.

Azure fell over for 7 hours in Europe because someone accidentally set off the fire extinguishers

Nate Amsden

Re: Really?

I think large scale graceful shutdowns in this situation is probably really complicated as they operate as a cluster, as systems shut down likely other things kick in to try to restore availability maybe moving resources to other nodes or something. At some point you probably have to set a flag in the entire system saying it is down and take it all offline(at which point graceful from a customer standpoint is out the window)

I think this happened during that semi recent big S3 outage.

Not as if these are just racks and racks of standalone web servers with local storage.

Nate Amsden

Re: From the looks of it, cogs were falling off all over the place

Most likely those folks know that architecting for failure in cloud is a pretty rare thing just look at how many customers have outages when cloud goes down.

Hell I have seen developers complain about tcp connections being dropped during a LB failover (takes about 1 second) because their app couldn't even handle that without restarting it. And this is for a new application stack, not something designed 10 or 15 years ago. I could go on and on for other real scenarios easily.

Building apps with single points of failure is very common still.

I remember what was it a decade ago or so, fire at data center in seattle, a facility that had at least annual power outages for 2 or 3 years prior. Bing travel site was in that data center. Was down for a long time. Maybe MS got it online before the datacenter came back online with external generator trucks about 40 hrs later not sure (this was a colo facility not a MS datacenter).

Point is 10 years ago isn't that long and a company with the size and resources of MS wasn't willing or able to do it for bing travel at the time(hell even I had the foresight to move the company I was with at the time out of that DC 2 years before the big outage), doesn't surprise me that companies the fraction of the size still can't figure it out today. It's not as if it's impossible, it is just very difficult to do and most talk the talk but won't walk the walk when it comes down to it.

Same situation applies to security of applications.

Un-Delled SonicWall beefs up firewall to wrestle ransomware

Nate Amsden

Re: It used to be a good company with a good product 15 years ago

Sonicwall customer for about 5 or 6 yrs now mainly for site to site vpn but recently deployed in combo l2 l3 bridge mode for inline firewalls.

They work well. My biggest complaints are doesn't support SNI for server SSL and for SSL inspection for servers requires termination on the appliance which I'm not willing to do. Fortunately these units are site to site vpn only so impact is minimal.

Have had one bug open on my 3500s where I have to reboot them every few weeks due to something in 5.9.1 hopefully will get that fixed soon. Before 5.9.1 on those units they were solid for 5 years straight.

Equifax backtracks arbitrate-don't-litigate plan for punters

Nate Amsden

let users choose own pin?

How hard can that be? I froze my credit for the first time the day after the announcement. At least one of them let me use my own pin. Though I think it was limited to 4 digits.

This is the only data compromise that I'm aware of that impacts me that I am concerned about. Compromising credit cards etc doesn't matter to me. I reported a credit card breach to a hotel chain earlier in the year. A virtual credit card I gave to them and only them was compromised (in part because they never charged it so it remained open). They never replied. About a month ago got notifications from the property management service that hotel uses (among hundreds of other properties) to a mass compromise.

One of them transunion I think I had to call them the website was giving server errors.

Wonder if credit card companies will start including credit monitoring as a more common feature. Certainly seems more beneficial than a lot of the other things offered.

Container adoption still low, barks Cloud Foundation

Nate Amsden

Difficulty is relative of course. One issue that blocks further adoption of some docker containers stuff apparently nfs doesn't work well (or at all?).

I deployed LXC containers 2 and a half years ago in production and they work great. The deployment model isn't remotely what these folks would consider containers though.

Confirmed: Oracle laid off 964 people from former Sun building

Nate Amsden

Re: I need new glasses..

Solaris and other unix have been niche for a long time maybe a decade or more? A high value niche. Doesn't mean there is no money to be made still though. I'd say the same applies/applied for very high end storage arrays as well.

Last place I was at that ran unix was 2006(HPUX on itanium and PA RISC before that). Though I work for smaller companies generally.

In the linux space there are quite a lot of options depending on your business model. Ubuntu and CentOS remain very popular, and obviously lots of folks out there running other things that may have less formal support available. I haven't worked for a company that has been willing to pay for Linux support since that company in 2006 either.

Everybody without Android Oreo vulnerable to overlay attack

Nate Amsden

couldn't google block it

If it comes from the store I'd expect them to be able to have a check for malicious things like this. Won't be fool proof but it should catch a bunch of things.

Funny the researchers say most users will want to update. Obviously it will be years before most have the update.

ATT has stepped up their badgering of my note3 on 4.4.x to upgrade to 5.0 but I won't have it. Must've gone 3 or 4 months without a single notification to upgrade now maybe once every 2 or 3 days. Removing the mute menu option after pressing power button is a deal breaker when my phone is also a pager. I read this was fixed in a newer 5.x build but it is not available to att note 3 (have another note 3 with 5.0 and a note 4 with 5.1 I think it is). The 5.1 solution sounds worse (volume button mute thing) than 4.x. Haven't put a sim card in note 4 yet. Even with a new battery the battery life seems significantly worse than note 3 for some strange reason.

I really miss the mute switch on my webos devices as well as the ability to immediately silence the phone just by pressing the power button (no need to look at the screen).

Networking vendors are good for free lunches, hopeless for networks

Nate Amsden

if it works, use it

for me anyway, I have been building networks the same way for 13 years now(I'm not a dedicated networking person just a generalist(?) that does networking among other things), works great, so I use it. (and no I have never used STP, and no I don't use Cisco either). The vendor I do use doesn't even actively promote the method I use to build networks(even though it is technically proprietary to their equipment at least at the core switch level), though I find this approach to be great.

Though I'm sure the likes of EA has far more fancy requirements for their networks than I ever have had or will ever have.

I've seen what developers do with shiny things(having worked with developers for the past 17 years), often times end result is not stable. Most developers don't even understand basic networking concepts, so wouldn't let them near networking equipment.

Google Cloud rolls back changes after 18-hour load balancer brownout

Nate Amsden

Re: But, but... it's the cloud

One of my biggest issues was/is cloud players are always screwing with their stuff. Very little means for customers to opt out or postpone changes, probably 95%+ of the changes are not even communicated in the IaaS space(except when there are brownouts etc after the fact). More often they are communicated in the SaaS space at least for the application side of things, though even then it seems to be really rare in SaaS for a customer to have any feedback into accepting such changes.

vs more traditional data center stuff where you basically have power+network links, both of which often times have fantastic reliability proven over a decade or more(anything higher up in the stack is managed by the organization). Add to that the complexity of network routing and providing redundant power is far less complex(and is a very mature technology vs cloud technologies) than an entire cloud application stack(on top of networking and power as well).

Data centers and network carriers (the good ones anyway) are usually very verbose about communications with any maintenance or changes on their systems. The carrier that the organization I work for even communicates things such as events that would trigger BGP route reconvergence. Not that we really care about short periods of time when routing may not be optimal, it's not that critical. But the attention to detail is good.

China to get its very own cut-price cut-down cut of vSphere

Nate Amsden

vmotion between versions

When I upgraded 4.1 to 5.5 3 or 4 years ago I vmotioned VMs from hosts on 4.1 to hosts on 5.5. Sounds like what vmware is working on now?

Maybe it doesn't work on newer versions of vsphere, wouldn't know since I have not had a need to upgrade from 5.5 yet.

Whatchu doin' Upthere? Western Digital moves on cloud storage space

Nate Amsden

seems WD is going crazy with diversifying

Though I'd wager that this cloud service will be gone within 2 years?

Getting into a business that is a race to the bottom (this particular player seems to be pricing already at the bottom) isn't fun.. So many such (cloud storage) companies have already gone bust or whittled back their offerings trying to pin their hopes on business class service.

Sysadmins told to update their software or risk killing the internet

Nate Amsden

Re: BIND >9.7

The article isn't quite clear to me - seems as if this is specific to DNSSEC ? if I just grep for the word key in my bind 9.8 config there are 0 matches(and I have never ever worked with DNSSEC - yes have run authoritative DNS since 1996(for personal stuff, company I work for uses dynect for external DNS hosting) as well as caching DNS for internal stuff)

I read an interesting(perhaps amusing?) post by someone earlier this year that talked about how bad DNSSEC(it went into quite a bit of technical detail why DNSSEC was basically worthless) was and to just not bother with it. Can't find the link at the moment, it was good. Not that I needed convincing to (not) use DNSSEC.

edit: I think this is the link:

https://sockpuppet.org/blog/2015/01/15/against-dnssec/

Verizon kicks out hot new Unlimited* plans

Nate Amsden

need a new word

Unlimited just seems to get people upset. I remember back in the 90s how upset I was when I was on dialup on "unlimited" plans and ISPs would cut me off(because I was on 24/7 basically). All I was asking for is some clarification what the allowed usage was. At the time, the ISPs that I was using(all local ISPs) had no policies they were just arbitrary decisions "oops this person using too much kill that account". I was happy to pay more or get multiple ISPs if needed. Finally found an ISP at the time that actually told me what they allowed and I stuck with them until I moved out of the state.

So for me anyway I don't get upset with unlimited, as long as those terms are clearly spelled out, and Verizon seems to be doing so. I use AT&T and switched to their unlimited plan a few months ago (was on a 5GB plan before that). AT&T will throttle video as well but you can opt out (I did). I checked my mobile usage for the past 2 months under 2GB each month (I haven't turned wifi on since I got unlimited since it prevents AT&T from upgrading my Note 3 to Android 5 - last time I said that someone didn't believe me but the update screen specifically says wifi is required, and I have intercepted the update in the past by killing wifi and it stopped).

AT&T will throttle as well(like T-mo and Verizon) after some number, maybe 15GB or 20GB or something I forget.

Anyway I got unlimited mainly because I didn't want to worry about overage charges. Which as long as I stay in the U.S. (and maybe Canada but haven't been there in a long time) I'm good. Last year I went to Asia and even though I did my best to constrain usage (turned off data on my phone entirely most of the time) and had an international plan (800MB/month of data allowed phone calls were still $$), still managed to get bills in the $250-500 range for the 3 months I was away. (normal was $150/mo at the time, now is $99 with unlimited).

Seems some folks just want to have unlimited LTE speed, be able to download 10GB/day if their speeds permit it, and only pay $50/mo or something. While that would be nice, I just don't believe it's really scalable at that level of cost.

Shit 99% of the time I'd love to have a steady 5Mbps, carriers and stuff are talking about 5G and new CPUs fancy screens etc, and folks still haven't got good coverage on 4G yet, several busy places I go in a city of 200k and my data reception is basically 0(as in even DNS times out).

Official: Windows for Workstations returns in Fall Creators Update

Nate Amsden

Re: 4 CPU's - That's a lot!

Windows kernel can handle a lot more too. And I'm sure you realize it is 4 socket not 4 cpu.

Though hard for me to imagine if you needed so many sockets and TBs of memory just get the server version of the OS. The cost of the software will be a rounding error on such a system anyway.

Just checked redhat workstation and it seems to top out at 2 sockets. That would be perhaps the closest comparable product in the linux world.

(Linux user on server+desktop+laptop mostly debian since 1996)

IBM Cloud turns TLS 1.0 off and then turns it on again

Nate Amsden

Re: TLS 1.0

Lotsa folks. Even cybersource who is a credit card processor isn't turning tls 1.0 off in production until Feb 2018 (which is pretty close to the limit for pci I believe).

I just went through disabling tls 1.0 on a few production services for pci not long ago. Ran into issues immediately and had to turn it back on in a few cases, fortunately none of those cases impact pci for us.

Though I have yet to see a serious threat against 1.0. Sure it is not as strong as 1.1 and 1.2 but the press make it out to being completely cracked which last I heard was far from the case.

I really dislike how this works though. Services should be able to accept tls 1.0 in order to give a human readable error. Getting a low level ssl error is almost always a pain to diagnose (even for technical users like myself). The ciphers are even more confusing. Seems everyone has different variations on names for the same ciphers. Had to spend a bunch of time experimenting with ssllabs testing and retesting until I found a cipher setup that was rated right.

A big chunk of the issue is it's very difficult to determine what clients are actually connecting with. For me most of my SSL is terminated on Netscalers and there is no logging of that stuff. Even with apache last I recall you had to enable debug mode to get that info. It wasn't available as a logging option for access log. And a webserver is pretty basic, imagine all of the more complex apps and clients that speak different protocols.
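An added example, not part of the post above: one way to measure which protocol versions clients actually negotiate before switching TLS 1.0 off, by tallying an access log that records the negotiated protocol per request. It assumes lines written by an Apache `CustomLog` that uses mod_ssl's `%{SSL_PROTOCOL}x` and `%{SSL_CIPHER}x` fields; the log layout, the sample lines and the `summarize` helper are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines, assuming this CustomLog format (an assumption, not from the post):
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b \"%{User-Agent}i\""
SAMPLE_LOG = """\
[12/Jul/2017:10:01:02 +0000] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET / HTTP/1.1" 512 "Mozilla/5.0 (X11; Linux x86_64)"
[12/Jul/2017:10:01:05 +0000] 192.0.2.44 TLSv1 AES128-SHA "POST /api/order HTTP/1.1" 231 "Java/1.6.0_45"
[12/Jul/2017:10:01:09 +0000] 192.0.2.44 TLSv1 AES128-SHA "POST /api/order HTTP/1.1" 240 "Java/1.6.0_45"
[12/Jul/2017:10:02:11 +0000] 198.51.100.7 TLSv1.1 ECDHE-RSA-AES256-SHA "GET /status HTTP/1.1" 88 "curl/7.29.0"
[12/Jul/2017:10:02:30 +0000] 203.0.113.5 - - "GET /health HTTP/1.0" 2 "-"
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<ip>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<req>[^"]*)" (?P<size>\S+) "(?P<ua>[^"]*)"$'
)
LEGACY = {"SSLv3", "TLSv1"}  # versions that stop working once TLS 1.0 is disabled


def summarize(log_text):
    """Return (requests per protocol, legacy clients with their paths, unparsed line count)."""
    by_proto = Counter()
    legacy_clients = defaultdict(Counter)  # (ip, user-agent) -> Counter of request paths
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # keep count so a format mismatch is visible, not silent
            continue
        proto = m["proto"]
        if proto == "-":  # unset variable: request did not arrive over TLS
            by_proto["(no TLS)"] += 1
            continue
        by_proto[proto] += 1
        if proto in LEGACY:
            parts = m["req"].split(" ")
            path = parts[1] if len(parts) >= 3 else m["req"]
            legacy_clients[(m["ip"], m["ua"])][path] += 1
    return by_proto, dict(legacy_clients), skipped


if __name__ == "__main__":
    protos, legacy, skipped = summarize(SAMPLE_LOG)
    print("requests per protocol:", dict(protos), "| unparsed lines:", skipped)
    for (ip, ua), paths in legacy.items():
        print(f"legacy client {ip} ({ua}): {dict(paths)}")
```

Grouping the legacy handshakes by source address and user agent turns "something will break" into a short list of clients to contact or upgrade before the cut-off.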

It's official: Outages are only the second-worst thing about Comcast

Nate Amsden

No complaints

Back in the '00s I was in the Seattle area with AT&T Broadband, then Comcast bought that(?) and I became a Comcast customer at that point. I used 1Mbps DSL for many years(with 8 static IPs), but the ISPs kept getting bought and sold, at one point my DSL ISP said they were changing my IPs so I said screw it, I cancelled DSL and put in Comcast. I put my servers(email+web+DNS+etc) in a local colo.

Was a Comcast customer for 2-3-4 years, really had no issues. Small outage here and there, my bill was not cheap being that I had a ton of premium channels.

Anyway, in 2011 I moved to the bay area, and got a local cable company(served the city I was in only). Cost and service was comparable (for all of those folks saying cities should invest in municipal services for TV/internet) to Comcast. My only real complaint was I wanted faster upload speed(fastest was about 3Mbps, my download speeds were ~20-30Mbps though they had faster download plans).

Moved to the central valley in California a year ago, back to Comcast territory. Again costs were about the same but internet speed up by 10X (download now ~200Mbps and upload now ~20Mbps). I have had more outages out here, maybe I have noticed 3 or 4 brief outages in the past year (nothing more than a few hours tops??). Since my job is managing remote servers I need internet access, so in the event comcast goes down I use the hotspot on my phone.

Comcast really did screw up the installation of services at my current home. Took their contractors at least 3 or 4 trips. Apparently nobody in this city of 200k people uses Tivo and they lacked the hardware and kept sending people on site without cable cards. They also sold me on a triple play package(only for cost, didn't need the phone) and I told them I wanted to buy my own modem, they told me the website to find compatible modems and turns out the modem I bought wasn't compatible with any voice service. So they ended up having to re-do my order on the fly to a double play (for the same price, originally double play cost more for some reason).

Took more troubleshooting on my old Tivo Series 3 it didn't get several hundred channels, they came on site(and charged me that fee), no resolution. Eventually I learned that those channels were encoded with MPEG4 and Tivo series 3 doesn't support that so the channel remains black (even though the signal strength is very strong, and shows no errors). Annoyed that the series 3 is not as useful as it once was, but it still gets some channels. Series 4 works fine with MPEG4.

I think costs wise people blame comcast because that's who they pay. They don't see the costs of the content(Disney, and other content providers always pushing for more $$) driving the costs up. Other than the occasional big dispute between a cable/satellite and a content provider where they put banners on the channels saying the content may get cut off if they don't come to agreement by some date. I know that's not the whole picture but I bet it's a decent chunk of it. People argue for being able to subscribe to individual channels(no bundling) but many don't realize that will drive the cost even higher in many cases.

I caved in a few months ago and decided to cancel most of my premium channels, I hadn't watched much premium tv in more than a decade. Still have showtime as that is part of my "package". (and no I don't stream media either).

I have no doubt broadband etc costs are more expensive in the U.S. than in many other places (as are several other aspects of life here). And have no doubt that comcast probably does screw up regularly given the size of their customer base.

Excelero hooks up with Broadcom to tag team NVMe over fabrics

Nate Amsden

exceptionally low latency

Trying hard to think of what wouldn't benefit from low latency.. is there any such application that would benefit from high latency?

(leaving out any compromises that may be required to achieve such low latency that is)

Hey Lior!

It's a small VMworld after all – life in the shadow of re:Invent

Nate Amsden

not me

I'm not a conference person myself(or any event with lots of people). Went to a couple HP discovers a while back they were ok(went for storage/3par, those aspects were fun but the rest wasn't interesting).

Loyal vmware customer for 18 years(no signs of that ending) but never felt interest to attend vmworld.(even when it was in the bay area and I was a 30min drive away.)

Microsoft won't patch SMB flaw that only an idiot would expose

Nate Amsden

Re: But...

Till windows 10 ?

If you can't find it..grind it.

vSphere scales up, if you're willing to ditch a switch or server

Nate Amsden

Just curious where are these 'loads of security holes' ? Are you referring to undocumented security issues that any product has? Or are you referring to actual security advisories.

I have noticed I think exactly one guest escape security issue on vsphere hypervisor in as long as I can remember(going back to at least 3.5?), and that seemed to affect 6.something (i.e. no impact on my 5.5 stuff).

I have seen some other minor security things here and there, but overall it seems the security of ESXi hypervisor (and vCenter) is significantly better than the competition (that primarily being things like KVM, Xen, Hyper-V), though that is just based purely on casual observation over the years.

Can't speak to the other management stuff that vmware pitches(VSAN, NSX, and management tools), as all I need and use is Enterprise+ and Vcenter (on windows, with Oracle DB back end on Linux).

I suppose I am both the best and worst kind of vmware customer, best in that I have been a customer since 1999 running vmware on linux 0.x, later Vmware GSX, then ESX starting with 3.x. At the same time the last major release of vsphere that got me really excited was 4.0(feature wise). Moved from 4.1->5.5 after 4.1 was EOL, and likely will move to 6.x after 5.5 is EOL next year. Their products have literally been easily top 5 of the most reliable big software packages I have ever used, which is the biggest reason I have kept using them, even though I really was expecting(back in about 2009) I would want to migrate to KVM by around 2013. Obviously never happened.

Cost wise it is not cheap, but it is not expensive either, the enterprise + hypervisor is far cheaper today than it was when I started using it in about 2006(and that was standard edition back then, no vmotion etc). The way I calculate that is basically cost per core. With ever increasing core counts and CPU performance the cost per unit resource continues to decline. When I started with ESX I remember our fastest system was I believe a DL380G5 with dual proc quad core, the hypervisor license for standard edition was I believe $3500 for two sockets at the time (Vmware didn't "support" single socket configurations back then). So roughly $450/core. I don't think we even bought support back then, so that is hypervisor cost only.

Very recently I paid about $7800 for a 2 proc license for enterprise + with 3 years production support (through HP- we don't buy a lot so no fancy discounts). Our new systems(DL380Gen9) are 44 cores, so that $7800 cost comes to about $178/core, less than half of what it cost a decade ago.

That's being generous too because the cost a decade ago was very basic ESX, no vmotion, no HA. And no support if I remember right.

Nate Amsden

Re: tumbleweed it is, but the direction might be wrong

Linux admin since 1996(yes linux is primary OS on my laptop too). Still love my vsphere 5.5(about 1200 VMs 99% linux). No reason to upgrade yet. I run a win7 VM for vpn and xenapp to run the good ol .net vsphere client on my laptop (linux xenapp client doesn't play well with vsphere console last I tried). I remember I hated the .net client originally but learned be careful what you wish for as the web client was obviously worse.

Tried the cloud thing twice at different companies(they had it before I got there), didn't work out. Kept people up at night wondering what the next random failure would take down.

Vsphere and vcenter are so solid that I worry about the day I upgrade. Generally 1 or 2 support requests per year on it for me going back the past 7 years or so.

It just runs and runs.

systemd'oh! DNS lib underscore bug bites everyone's favorite init tool, blanks Netflix

Nate Amsden

Re: underscore illegal dns character

They are not legal, I checked about a month ago (powerdns rejected a change I tried to put in with underscore). Many systems will allow them, but strictly speaking they are illegal. I read even in BIND there was a config option to allow underscore but I think it is not default.

But that being said I think that underscore being illegal is dumb and the systems should take it (anyone know the original reason behind that decision? Seems pretty arbitrary, maybe someone thought it would be harder to read or something).

Nate Amsden

Re: underscore illegal dns character

Don't want to start a flame war on top of systemd already. But I do prefer the gnu tools and apt over the bsd way of doing things. I was looking forward to debian freebsd but last I looked that project has been stalled for years (I installed it once on a soekris box a few years ago).

Also at least with ports and stuff speaking of init, I found myself having to write custom basic init(or rc) scripts for services since so often they did not install any.

Most or all of the BSD folks I know hate linux userland but are ok towards the kernel. Find it kind of ironic I am the opposite. I shouldn't say I hate bsd userland but I prefer linux.

I haven't tried freebsd on a desktop with X11 probably in 18 years. I used to run freebsd on bridging firewalls and IDS, back in 2005 I moved to openbsd (for pf), have thought about going back since freebsd has had pf for a long time now just haven't had a real need.

Quite possible my info on init scripts and stuff is outdated for freebsd these days but as of openbsd 6 (? Last installed maybe 6 months ago), seemed to apply.

As per systemd yes I only interacted with it for a few mins so far (system is still running with systemd haven't rebooted it or anything in a few months). I think the issue was couldn't easily figure out how to get a service to start that wasn't built in. I gave up for the time being and started it manually. Not a huge deal but I can feel a sign of things to come.

And yes if debian 7 had update support for the next 5 years I would not update. I can't think of anything in debian 7 or 6 or even 5 that I felt was important to upgrade for. (Memory is hazy even going back to v5). Drivers for newer hardware is the exception. Though all of my serious systems run in vmware, where the virtual hardware has been stable for a decade.

Nate Amsden

Re: underscore illegal dns character

Can't edit on mobile. But wanted to add a perhaps obvious tidbit. With exception of a brief time with debian 3.0 back in 2001 or 2002, where I ran "testing", every other system before and since has been "stable".

Pathetic patching leaves over 70,000 Memcached servers still up for grabs

Nate Amsden

I'd wager most are on public clouds run by people who don't know what they are doing. Which I suspect makes up at least 70% of the public cloud customers out there.

At least with your own facilities even if you don't patch it's highly likely the systems are behind a firewall or at least a NAT device not being directly exposed to the interwebs.

Didn't even know memcache had authentication myself until this article. All the apps I have seen built with it over the past 10 years have not used that ability.

Gone daddy gone: GoDaddy offloads its cloud businesses

Nate Amsden

Yes I believe so. But that is different from the public cloud service they offered for a year or two or three.

Bring back go daddy girls