Posts by Nate Amsden

Re: Ever heard of a UPS?

It would probably surprise many, but there are some data centers that don't use any UPSs. Not to say they don't have power protection. They rely on a newer(??) technology known as flywheels that provide backup power without batteries. However these flywheels while on paper they look cool and they are nice in that they don't need batteries, their critical failing is they have generally very short runtimes (measured in seconds, maybe 30s tops). Supposed to be plenty of time for generators to kick in and take the load if everything goes smoothly.

But what if things don't go so smoothly and human intervention is required? That's my problem with the runtime of flywheels, they don't give people enough time to react to solve an on the spot problem or even get to the location of the problem before they run out of stored capacity. Maybe that problem is perhaps the automatic transfer switch fails to switch to generator, so generator is running and ready to take the load but requires someone to go force that switch to the other position to transfer load to the generator. That just scares the hell out of me and would not want any of my equipment hosted at a facility that used flywheels instead of UPSs. I was at one facility in probably 2004, very nice AT&T facility I liked it my first "real" datacenter experience. I was in the reception area when the grid power failed. All lights and computers etc in the reception area went dark. On site tech staff came rushing in to get to the data center floor(from their on site offices had to go through reception area to get to the DC) and reassured me the power was fine on the data center floor(it was, no issues there), though they struggled to get to the floor since the security systems were down I think?, but they did get in after maybe 30 seconds. I don't know where they were rushing to exactly maybe they had to go do something to the generators! I didn't ask but they sure were in panic mode. Power came back a few minutes later.

I wouldn't even trust redundant flywheels. I want to see at least 5-10mins of runtime available for generators to kick in. Ideally 99% of the time you won't need more than 30 seconds. I'm just paranoid though.

My first true system admin job in 2000 I built out a 10 rack on site server room. I equipped it with tons of UPS capacity (no generators). Had two AC units too. I was so proud. I hooked up UPS monitoring and everything. big heavy battery expansion packs on our APC SmartUPS systems, enough for probably 60+ minutes of runtime. Then one day the power kicked off on a Sunday morning I think it was, I got the alert on my phone. Yay the alerts work. Then reality set in about 30 seconds later. Systems are running fine on battery backup great. But...THERE'S NO COOLING. Oh shit, I drove to the office(5 minutes away) to initiate orderly shutdowns of the systems(doing it remotely at the time was a bit more sketchy). In the end no issues, but my dream of long runtime on UPSs had a fatal flaw there..

Flywheels were more the rage back maybe 15 years ago, for all I know perhaps the trend died off(hopefully it did) a long time ago and I just never heard since it's not my specialty.

Re: Who in their right minds would invest in new Db2's?

Company I'm with used to use Percona MySQL support, maybe until 2014/2015 or so. They were pretty good. Used their percona MySQL distribution as well. Didn't have to call support often at all. Then one year they increased their prices probably by 700%+ and we dropped them immediately(didn't replace them with anyone else externally anyway). I could see adjusting our budget for a 200% increase in cost but the company wasn't willing to accept that much larger increase especially since we didn't engage them often.

Re: And that is why…

Not sure why the down votes for you. As someone who switched exclusively to Debian in 1998(from Slackware), I switched to Ubuntu for laptop/desktop use cases in probably 2006ish time frame I don't recall the first Ubuntu version I used(mostly for the drivers). About 18 months after Ubuntu 10.04 LTS went EOL I switched to Linux Mint (MATE) to keep my Gnome 2 UI which I still use today.

I continued to use Debian on my personal servers until Devuan came out I dist-upgraded all my systems to Devuan (never having had the pleasure of using systemd in Debian as the version I upgraded from didn't have it).

I manually maintain my browsers in /usr/local/browser-version where I have firefox esr, seamonkey, and for a while I was running Palemoon too, until they broke all my extensions earlier this year and I switched back to firefox. I run the browsers under different user accounts for perhaps a tad more protection. I run a dedicated copy of firefox esr under a dedicated account for work webmail and atlassian products. Then I have another firefox esr in a VM connected to VPN which is mostly used for internal company services/sites.

Re: Confusing mess

Linux user here since 1996. Your story reminded me of when I installed SuSE for a computer I let my sister use when she lived with me back in 2002 maybe? SuSE was one of the early distros to have a real slick installer and interface. I used Debian on my personal systems at the time(today use Devuan on my personal servers and Linux MATE on my main laptop).

Anyway SuSE, linux right. So imagine my surprise when I came home one day to see her running Yahoo IM on SuSE. Yahoo from WINDOWS. I couldn't believe it. I mean she just downloaded the windows installer(she was never much into computers even now I'd rate her computer skills as entry level at best), clicked on it did the install and it worked, even put an icon on the desktop I think.

Obviously I know all about WINE used it off and on for ~10-15 years, but was not expecting any distro to have it integrated to that level(exception may be for Corel Linux perhaps), especially back then.

Even today I find it hard to believe. She had no idea she was installing software designed for an entirely different operating system. And the damn thing installed and ran. I was impressed, shit still am.

Back on topic I've never used snaps or flatpacks or whatever, I immediately uninstall all of that after a system gets installed if it is there to begin with. I can imagine it has some value for some folks out there. The only containers I use are ones I've built myself with LXC (so that means no docker either). Some people get upset they can't run the latest greatest version of some software package, because the distro packaged version X to include and they want version Y because it's better(it may not even make a difference for the user they just see a higher version number and want it). 95% of the time for me I just use version X even if it is older since it is good enough, the trade offs to get to version Y aren't worth it. Snaps etc are for those folks I think.

I gave up trying to pitch Linux as a desktop replacement probably about the time OS X started hitting it big(2007ish?). I can recall of only 1 person that I've worked with in the past 15 years that uses linux on their desktop as their daily driver(my work is generally with companies with in house internet facing website stuff so developers, server/network admins etc etc). Some run windows(mainly the windows IT staff), but seems everyone else is comfortable with Mac. I don't think I could ever use Mac, I tried it a couple times and it's just not for me.

Re: Adieu but not goodbye XP

Curious which Netbook? I have a ASUS Eee PC 1000HE 10.2" Netbook that I just dug up the purchase receipt on and I bought it in May 2009 so 12 years ago. It has been running Windows 7 home for several years, originally came with XP.

I didn't upgrade(windows) it, but installed clean from a Win7 home CD I bought through a friend who worked at MS at the time. I don't use the netbook often(few hours/year), but it is super handy in some situations with it's small form factor. Memory maxed out at 2GB I think and has a Samsung SSD in it now. Battery still seems ok too. My only real complaint about this eee pc I suppose is the weak CPU, being able to get more than 2GB of ram would be nice too but the cpu holds it back more than anything. I have a bunch of old games on it too from GOG that work fine(games that were built for 486s originally)

I also had the original Asus eee PC with linux and a 4GB flash storage or something? That thing was terrible by contrast. Whether it was the screen, or slow storage, or lack of storage, lower memory(I think it was less than 1GB). I gave my original eee pc to someone else 10 years ago.

Re: @msobkow

To me, ECC alone hasn't been enough for real servers for a long time. I remember reading this more than a decade ago regarding HP's "Advanced ECC"

http://service1.pcconnection.com/PDF/AdvMemoryProtection.pdf

The document is so old they reference generation 2 servers, of which I was deploying back in 2004 (2005 at the latest) maybe?

from the pdf

"To improve memory protection beyond standard ECC, HP introduced Advanced ECC technology in 1996. HP and most other server manufacturers continue to use this solution in industry-standard products. Advanced ECC can correct a multi-bit error that occurs within one DRAM chip; thus, it can correct a complete DRAM chip failure. In Advanced ECC with 4-bit (x4) memory devices, each chip contributes four bits of data to the data word. The four bits from each chip are distributed across four ECC devices (one bit per ECC device), so that an error in one chip could produce up to four separate single-bit errors."

I've always wondered how well Advanced ECC does against these attacks. I have read ECC alone is enough to defeat them as they stand today, but have not noticed if Advanced ECC has any further benefit beyond regular ECC in this security scenario.

IBM has/had a similar technology called ChipKill:

https://en.wikipedia.org/wiki/Chipkill

(update)

Came across a PDF linked in above article from HP:

http://ftp.ext.hp.com//pub/c-products/servers/options/Memory-Config-Recommendations-for-Intel-Xeon-5500-Series-Servers-Rev1.pdf

Which puts things into plainer english

"Note that Advanced ECC is equivalent to 4-bit ChipKill. Lockstep gets us to 8-bit ChipKill. ChipKill just indicates that an entire DRAM chip can die and the server will keep running.

Negatives of Lock Step Mode:

- You have to leave one of the three memory channels on each processor un-populated, so you cut your available number of DIMM slots by 1/3.

- Performance is measurably slower than normal Advanced ECC mode.

- You can only isolate uncorrectable memory errors to a pair of DIMMs (instead of down to a single DIMM)."

I do remember turning on "Advanced ECC" in a Dell server(was happy to see the option appear in the bios at the time this was back in 2010 I think), however was sad to see when it disabled a bunch of the dimm slots, I assume for fault tolerance. HP has a similar option called something like "Online spare memory" where some banks are kept in reserve(on my 384GB systems it lowered addressable memory to 320GB). I don't know any info on Dell's implementation if it was just online spare memory and they called it Advanced ECC or if it was some other approach. And perhaps they have improved it a bunch in the past decade. (update) I am guessing Dell's "Advanced ECC" was Intel Lockstep.

I have been quite surprised that others haven't come up with similar technology (thinking Supermicro and other smaller players). Or perhaps they have and I'm just not aware of it.

Re: "Windows' registry doesn't need cleaning"

by the time I jumped ship to Linux on the desktop in about 1997-1998(at home anyway) I was reinstalling windows about twice a year(perhaps more). First Win95, then I jumped to NT 3.51(hoping for more stability), then NT4. I was super frustrated with the lack of stability on windows at the time.

My first paying job in 1998 was helping develop "embedded" computer systems for video surveillance that ran proprietary software(built on VB3 I think??) that required Win98, so I had my fair share of time messing with that as well, though only at work. I wasn't doing any software development, it was more of a integration position, I worked on the software end(in collaboration with the software vendor), and another guy worked on the hardware, then the company built custom chassis for them. Years later after I left my co-worker told me every single system they sold was returned at least once for some failure/problem. That was a good laugh.

XP and later windows seemed to last longer in my experience but I haven't seriously used windows as a daily driver anyway since about 2005(and that was only on a work laptop, had XP on it, and replaced the shell with "Litestep", and used a lot of cygwin - the IT staff could never figure out how to use my system). I certainly have had Windows 7 systems that lasted longer than a decade and did not need reinstalling however they were also never intensely used.

Re: Palemoon, check. Seamonkey, check.

I used Palemoon for a while, couple years at least(gave some donations too). I held on to Firefox 37? I think it was for as long as I could, tried Waterfox at the time, none of my extensions were compatible(this was years ago). Then I found Palemoon, and it worked with everything.

I had Palemoon as my "main" browser (excluding internal work stuff which runs on a VM), and I used Seamonkey as a dedicated browser for Logicmonitor SaaS monitoring(no real reason other than I just wanted to keep that seperate from browser restarts or whatever).

Fast forward to earlier this year(?), Palemoon put out an update that killed my extensions, every single one was shot down as incompatible. Looking at my /usr/local where I keep my browsers, it was probably Palemoon 29. Palemoon 28 was working fine.

I had been using those extensions, some for over a decade without updates, they were simple, and worked fine, perhaps they were obscure. Extensions such as Live HTTP Headers(miss that one a LOT), Cloud to Butt(made me laugh, miss that a lot too), Old location bar, Prefbar(miss it), RememberPass, Remove It Permanently(miss a lot), Save Link in folder, Tab utilities fixed, Zoom page. Looking at Palemoon 29 now and it lists all of those as incompatible(with the only option given to remove them). At the time I tried finding replacements, found some for other extensions but could not find any for things like Prefbar, Live HTTP headers for example.

Anyway I came across the forum post which highlighted the changes. So Palemoon removed the last reasons I had for wanting to use it (earlier they removed the cookie management that Firefox had withdrawn years earlier, I had more than 10k sites in my firefox/palemoon sqlite cookie permissions db). I understand the reasoning, I'm not mad at them. Just sad to see an end of an era for browsing for me.

So at least for the time being I went back to Firefox ESR and the only addons I have are Tab session manager, ublock origin(never used it till recently), and zoom page. It's certainly a lot faster than Palemoon though I'd take my old extensions back over the performance any day.

I now run 2 firefox instances in linux in different user accounts, one is dedicated to outlook web access and atlassian products for work, the other is my regular browser(I keep the UIs/themes different to tell them apart, and they run on different virtual desktops, of which I use 16). Then still have seamonkey, AND still have another firefox ESR in a windows VM for internal work stuff. I switched off google search to bing several years ago(just because), and noticed when using bing and outlook web access it kept me logged into bing, which I did not want(if I logged out it would log me in again). So I introduced the new firefox instance (on a different account run via sudo) dedicated to OWA and similar work things. Configuring pulse audio to work with these firefox instances running under sudo wasn't easy(had to configure PA for network which isn't the default many head scratching moments at the time trying to figure out why audio wasn't working). Not that I need audio often in my browser just a few times a week at most.

I have read bad things about recent firefox UI changes (those haven't hit ESR yet I don't think), but maybe I will switch again when they do.

My laptop has 48G of ram, I should only need no more than 16G, currently using 12(including a VM that is allowed to use 10GB, though guest is using 4GB). I was "forced" to upgrade to 32G 2-3 years ago because of newer linux swapping bugs which would cause it to swap like crazy when I still had a few gigs of ram left. System would be unresponsive(even with SSD). Older laptop did the same workload with 8G of ram that newer one needed 16 for just to account for newer versions of software. Upgraded again to 48 for no reason, probably will upgrade to 64GB once prices come down a bit again for no reason.

Side note on linux swapping/memory issues I have been tracking what are to me massive memory leaks in linux 5.4 and 5.8(Ubuntu 20), vs 4.4 (Ubuntu 16) this year. Really annoying. I went as far as to install the Ubuntu 16 kernel on a few test Ubuntu 20 systems so the ONLY thing different was the kernel for the exact same workload(systems behind a load balancer), and the memory leaks slowly over time, eventually swapping, then have to reboot. I sort of gave up trying to find a real solution it's just easier to reboot every once in a while. The leaks are in the kernfs_node_cache and buffer_head caches (flushing the caches has no effect on the overall trend). Been using linux for just about 25 years and have never come across this kind of situation before. I see the same trend on another system running backups over NFS, I more than tripled the memory from 2G to 6G and it still swaps every night(I have crons that clear the swap every hour and flush buffers). It never swapped on linux 4.4 or earlier going back the past 6 years.

I read Waterfox was acquired by an Ad company? or something else kind of shady I don't recall off hand, maybe that info was wrong but kind of surprised me when I read that post. I never used it for more than 10 minutes years ago since it didn't work with any of my extensions at the time.

Re: Poor training....

apparently writes aren't the only issue

https://kb.vmware.com/s/article/2149257

"High frequency of read operations on VMware Tools image may cause SD card corruption (2149257)"

dates back to 6.0 and 6.5

other issues

https://kb.vmware.com/s/article/83376 Connection to the /bootbank partition intermittently breaks when you use USB or SD devices

(note applies to 6.7 too with no resolution available)

https://kb.vmware.com/s/article/83963 Bootbank cannot be found at path '/bootbank' errors being seen after upgrading to ESXi 7.0 U2

probably others too just 3 that I saw in a recent thread elsewhere.

Also vmware seems to be suggesting, perhaps requiring over 100GB of disk space for the boot disk, which probably factors into their decision to stop SD/USB support:

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.esxi.install.doc/GUID-DEB8086A-306B-4239-BF76-E354679202FC.html

* A local disk of 138 GB or larger. The disk contains the boot partition, ESX-OSData volume and a VMFS datastore.

* A device that supports the minimum of 128 Terabytes Written (TBW).

* A device that delivers at least 100 MB/s of sequential write speed.

* To provide resiliency in case of device failure, a RAID 1 mirrored device is recommended.

Not sure if there are any USB or SD cards that have 128TBW life spans and 100MB/sec sequential write speed.

I have yet to touch vsphere 7 myself, maybe next year.

Re: "an upgrade will have to happen in the coming months or years"

a good reason to change the version is breaking changes like these new hardware requirements. Imagine how many more would be upset if they couldn't upgrade to the next Win10 because so much hardware was retired from support(which has happened to some users over the years at some points I recall articles popping up), but obviously not this scale of retired hardware.

hopefully Win10 from here on out behaves more like LTSC as in minimal feature changes, as MS shifts to focus on Win11.

"If they weren't logging those IP addresses and connection strings, there was nothing to seize."

It sounds like they have the ability to log based on user account. So perhaps while they don't log normally, if such a request comes in that they have to get the IP then they can flip a flag in their code/config to start logging for that particular user account, then assuming the user logs in again they have the information.

If you are that paranoid about hiding your IP etc then you shouldn't be trusting a single provider like this, should be routing traffic over multiple different places to further obscure your information, and not wait for some news event like this to start doing it. Also of course use a dedicated browser that is not used for anything else except that service, if your even more paranoid perhaps use a dedicated VM with that browser.

Seeing the anonymous relay service they offer in the article reminds me of my early internet days using the I think it was anon.penet.fi (??) email relay, sometimes took days for email to be processed through that. I have been hosting my own personal email(around 350 different addresses for different purposes at the moment) since about 1997(along with web, DNS and anything else I want). Though of course doing that is not for 99.999% of people out there.

Re: Why were they even thinking about ESXi on Mac Pro?

Can't tell but I think you missed the obvious use case of being able to legally run lots of OS X VMs on top of the system since it is really beefy in hardware vs the other options. Though have read reports OS X runs like crap in a VM(crap as in user interface very slow etc), am not sure if that is because they were using unsupported hardware or if the OS just doesn't play well without say mapping GPUs to the VMs (something ESXi can do but as far as I know the desktop/workstation VMware products cannot - personally have never had a need to map a GPU to a VM, though understand that VDI is the main purpose for that).

What I'm curious of(not that I have a need for it) is does ESXi work at all? Is this them just saying they won't support it, or were they actually getting drivers together etc for it to work in the first place. Since there seems to be lots of folks out there running unsupported ESXI configurations without formal support and are happy. Hell even the free ESXi doesn't include support.

Given it is a Xeon system I would be kind of surprised it wouldn't be possible to build a configuration that didn't work with ESXi being that you can add in (I assume) another NIC or something in case on board is not supported since it has a bunch of PCIe slots.

Re: Silicon shortage

Edge case for sure, but I was looking into updating end of life for equipment for the company I work for. I had thought some of our Extreme Networks X670V 10G switches were going end of life next year, but I read the end of life notice wrong(one specific version of the switch goes EOL next year). Turns out they are going software end of life in 2023, and hardware end of life 2026. Which just blows my mind considering we bought some of them in November 2011(blows my mind as in I expected a shorter life span). I knew they were new at that time but I looked into it further and it turns out we bought them just 4 months after they hit the market. So just lucky timing to some extent I guess. I do have several 1G Extreme switches going EOL mid 2022, some of which will hit 10 years of operation in mid December.

I know 10G to many is old school, but at this rate I could run 10G for another decade and not need to upgrade. 40G uplinks from the 10G switches, super low utilization. Dedicated fibre channel network for storage.

By contrast, unlucky timing when our IT department bought a pair of Arista DCS-7050SX-72-F 10G switches several years later, they only had about 3-4 years until end of life/support at the time. I can only assume whomever sold them screwed them in that manor to get the cost down by selling an older model.

Until this company I hadn't worked at any company longer than about 3 years so never really had to be concerned about end of life. Here I am in this position for just over 10 years now, so end of life is certainly something I have to deal with now.

I have read bad stories mainly about EMC (though I'm sure others do too) jacking up the renewal prices for things to encourage customers to upgrade to the point where renewal support can cost almost as much as buying new. I haven't experience that with HP at least, going into the 5-7th year of support on several 3PAR systems and support costs have been fairly consistent. We do have an EMC Isilon system as well(very small) bought 3 years of support originally but moved to hardware only 3rd party on year 4, the EMC renewal cost wasn't too bad at that point just needed to cut some costs.

Re: Is Intel the new IBM?

AMD thought ARM was the next big thing for servers too at one point

https://www.theregister.com/2016/01/14/amd_arm_seattle_launch/

Cloudflare and ARM

https://www.theregister.com/2017/11/08/qualcomm_centriq_2400/

seems every time ARM gets close to servers it's opportunity is killed. I guess one exception area is for those that are really building their own systems and designing their own chips(and such systems aren't available to purchase by anyone else). Don't really have much hope for ARM on servers in the general market.

It seemed to me as hard as it was for x86 to scale down in power(for mobile) it was as hard for ARM to scale up in performance/scale(for servers), to the point where the costs/power didn't really make a big selling point for ARM at that point. I'm guessing Qualcomm saw the margins Intel was getting and was hoping they could do similar with their server chips but pulled the plug when they realized they would not get those margins(most likely due to competition, and the cut throat nature that the big hyperscalers play by)

Companies tried to work around that to some degree for a while with micro server designs but those never really went anywhere(AMD bought one such vendor Seamicro which looked like a really neat system at the time, and HP still has their Moonshot system though it's been 4-5+ years since I heard them talk about it).

Re: The problem with DevOps . . .

"In my experience, the main problem with DevOps is that it was conceived of by programmers who went to top-tier engineering schools and thus have a reasonably deep background in programming theory and practice and a great deal of comfort with reducing projects to a series of discrete tasks."

That's not devops, that's agile. (emphasis on reducing projects to a series of discrete tasks).

Devops I think came more from programmers who were tired of being "held back" by operations folks(such as myself perhaps being in ops since 2003, and internal IT before that). They wanted more control over things end to end. Which if they know what they are doing that can be effective.

More often then not(90%+) they don't know what they are doing from an ops standpoint and so the result you get is shit(shit composed of massive complexity, tribal knowledge and huge costs associated with cloud technologies).

I literally don't even need two full hands to count the number of developers I've worked with over the past 21 years that had a really good grasp at ops. All of those that knew ops were excellent, worked really well with them. Many other developers know they don't know operations and establish a trust relationship with the operations team to defer to their expertise on those topics, they were great too lots of mutual respect there. Then there are the devs that think they know it all, when they don't and just make trouble. Certainly there are ops folks out there that are similar in those categories as well though in my experience again(limited I suppose to smaller companies) the issue is much more on the dev end of things. Also if you have ops people who don't know what they are doing that can be a big issue too. I've run into several system and network admins over the years who are clueless at times and make it worse by not admitting to it(just like the dev end of things with ops related stuff). I guess the point is you need someone(s) with good operations experience/knowledge(depending on your scale of course) and they are super rare.

At the same time the number of ops people that have a really good grasp at dev stuff is low as well. But I don't typically don't see the ops folks getting their hands dirty on the dev end of things(or even trying to get their hands dirty). If we're approached for an opinion or are in some meeting on design or something we can provide input but ops folks don't generally try to dictate application design and stuff that's not our thing. I remember the first development architecture meeting I attended as an ops person back in 2003. I practically fell asleep and wondered why they hired me at the time so many terms I had never even heard of (enterprise java application). Super complex app stack the most complex I've ever dealt with even to today. I ended up being the company wide expert at that stack I knew everything and everyone knew it, quite a double edged sword burned out hard there. But had a good time and learned a lot too.

Devops isn't for everyone(as it is defined most recently - not for me either), too bad so much marketing bullshit is behind it and other things like public cloud that many people feel compelled to try to adopt it, often with poor results. Same goes for agile as well.

Speaking of cloud usage, both the company I am at now and the previous company started out in public cloud. There was no "lift and shift", as in they had nothing to lift from. Day 1 was in public cloud at both places(app/DB/server/etc designs were set before I started in both cases). I/We did lift and shift the current company out of public cloud(including waiting many hours for a mysqldumps from RDS mysql instances) a decade ago and as a result have been saving easily over $1M/year every year since.

Previous company's(now defunct) board didn't want to move out despite $1.6M savings in the first year alone(had support from all levels of the company but CEO and CTO didn't want to fight the board). Over the years several executives have tried to push for public cloud again as it sounds cool but they couldn't make the math work even remotely.

Re: beginning of the end

I'd wager the beginning of the end was probably close to a decade ago. Might of been when they did their initial big investment for OpenStack. Not that OpenStack was a bad idea at the time(had a lot of promise though to me promise has fallen flat the past 5-7 years mainly due to complexity), but it was a serious shift in technical strategy.

https://www.theregister.com/2010/07/19/nasa_rackspace_openstack/

Couldn't find the article(think there is one) of when Rackspace was essentially pulling out of OpenStack.

I was never a customer of theirs but did price their stuff out on a couple occasions ~10 years ago the cost never made sense. Not that public cloud is any better(actually worse in many respects but some still eat it up because it's sexy I guess). Absolutely astonishing how much money is wasted in public cloud, just makes me sad.

Re: Inside info?

You failed to mention the fact that if such a critical bug was reported publicly without "responsible disclosure" yes the bug would of been fixed faster, but it is much more likely that such a bug would be exploited even faster(faster than the bug could be fixed). I have no idea how this VSA software even works but even if a patch was released fast would the customers have been quick to patch? (or are their patches applied automatically?)

You can see this in real time right now with the "print nightmare" stuff from MS. Fumbling about releasing patches that don't fix the issue and cause other major issues(reports of people not being able to print with certain kinds of printers) etc. And in that case the disclosure of the bug if I recall right was an accident with the reporter thinking it was already fixed.

It is very unfortunate though that security plays such a low priority in software development for the vast vast majority of organizations out there. Add to that security plays such a low priority in the operation of such software in the vast majority of organizations out there just look to how many times there are reports of compromises because of some issue that had a patch released but never applied, assuming they were even aware such software was in use(if you are running an insecure vpn appliance it should be obvious(obvious = patches available from vendor), but if you have code running insecure libraries it may not be obvious). Or even worse, organizations that expose systems such as databases directly to the internet, or "cloud" file shares that are meant to be private.

I don't know what the solution is, if there even is one. The cost of security issues hasn't gotten to the breaking point where companies are willing to invest more in security seems like anyway.

Re: CDN useless

Not sure where you are coming from but it has been common practice for CDN to terminate SSL for over a decade now(probably much longer). Most(maybe all) of the major CDNs are PCI compliant as well(contacted several last year as I was expecting to have to jump CDNs again our previous CDN went out of business early last year). So they have visibility into everything traversing them from a protocol perspective anyway. Even if you encrypt individual files to transfer they can still be cached in encrypted form since the CDN will see the raw data as it decrypts the SSL/TLS on top.

Really can't imagine many customers out there not trusting their CDNs to decrypt the traffic. Servers are faster but in my experience at least servers have rarely been the bottleneck when it comes to traffic, servers are eaten up by app transactions. It's origin bandwidth and latency that CDNs help in the most simple use cases. Not too uncommon to get more than a 90% reduction in origin bandwidth with CDN.

But they can do more if your developers are willing to leverage them, one useful function several provide is automatic image resizing. Tried to get the devs to use it at the org I am at for years but they never wanted to, instead they wanted to store ~15 copies of each image(pre generated in advance regardless if any of those copies would ever get used) in different resolutions, just a waste of resources, made worse seeing some images on the size be super sized only to be reduced dynamically by image tags in the browser.

CDNs do offer a nice protection from (D)DOS attacks as well at least some varieties of them just because they have such massive capacity.

CDNs certainly can go down, so for those that is super critical that their CDN does not go down then use multiple CDNs either dumb round robin DNS or use an intelligent DNS provider that can do health checks on the backend and automatically re publish DNS entries to point to an alternate provider(in the past I was at a company that did this not with CDN but with our own multiple backend systems(app stack was entirely transactional no static content nothing could be cached) and we kept the TTLs to 60s or less I believe using an anycast DNS provider this was ~11 years ago. Prior to that they used BGP to fail over between sites but that was quite problematic so we changed to DNS failover).

Re: Still brickin'...

Very confused.. as a Debian user (well until switching to Devuan) since 1998, if you are not familiar with Linux and are not looking to get familiar with it, Debian is nowhere near the top of the list of distros you should use. Really only more technically inclined people would of even heard of it.

Even myself I ran Ubuntu on my laptops for several years until 10.04 went EOL then switched to Mint. I run Debian/Devuan on my personal servers (have about 650-700 Ubuntu servers for work).

So you really set yourself up for failure. That is unless you were looking to dig in and learn about things and fix it or find compatible hardware which it didn't seem like you were in the mood for.

Myself when I first setup Linux back in 1996 I chose Slackware(3.0 I think?) specifically because it was more involved to use than Red Hat (the most common distro at the time) and I wanted to get into the deep end. And I did, downloading and compiling tons of things over the early years from source whether it was the kernel, libc, glibc, X11, KDE, Gnome etc etc.. learned a lot. I don't do that too much anymore though. And stay far away from bleeding edge kernels. Last time I installed a kernel directly from upstream was in the 2.2.x days(back when there was a "stable" and "unstable" branches of the kernel once that stopped then I stopped toying with things at that level).

Hell I just started trying to dig into finding why there seems to be some major new memory leaks in linux 5.4 and 5.8 (Ubuntu 20.04) that didn't exist in Linux 4.4 (Ubuntu 16.04). First time really looking at /proc/slabinfo and /proc/zoneinfo in 20+ years of linux usage, hopefully something useful comes of it. Have never noticed this kind of memory leak in the kernel before, my use cases are very typical, nothing extreme so don't encounter problems often.

downhill

It's getting worse? really? wow.

Quick story - back in 2010/2011 I worked for a small startup in Seattle. The CEO's brother was the head of Amazon cloud(now the CEO of Amazon I guess). I met with him and my small team at the time, gave them our list of complaints and their response was basically yeah we know that is a problem and we are working on it(manager at the time said it was their typical response). On paper the startup had upwards of $500k/mo bill with them. I don't know how much, if any was forgiven on the backend given the close relations with the executives(though they did direct us to cut spending by as much as we could got it down to maybe $250k?? per month? -- so $3M/year - actually pushed a project to move them out of the cloud which had a ~6 month ROI but the company board didn't like it despite all management including CTO and CEO being on board they didn't want to fight the board for that).

Anyway, the core part of the story, my director(new guy after original manager left) had a history of working AT amazon for more than a decade. Everyone at the company(especially me) hated their cloud. Non stop problems, outages lies you name it. So my director reached out to their support(keep in mind they were just a few miles away) and said HEY, we spend a lot of money with you, have a lot of executive tie ins between us, and we're in Seattle just like you are. Everyone here hates your cloud. We must be doing something wrong, maybe many things wrong. Can you come on site and help us out.

Their answer? No. Not their model, tough shit. Your problem.

I really struggle to think of any vendor on the planet if you are spending half a million dollars a month on calls to complain and ask for help they would have someone on the plane(if required) the same or next day without question. I remember Oracle flying on site to one of my employers to help diagnose an issue. I recall EMC was a couple hours away from flying someone on site to that same company to fix another issue(which ended up not being an EMC issue at all but a bug in the script the storage person wrote, I remember that call with EMC they were practically panicing to get our processes going again after said storage engineer fucked up the script and went on vacation immediately after). That company spent a FRACTION of the $ per month on that stuff.

Amazon told us to fuck off. Kind of needless to say my director(again he worked at amazon for 10+ years and we had many ex-amazon employees working) was quite surprised at their response.

I left not long after and the company I have been at now(hired by first manager at previous startup) have been saving over $1M/year by moving out of Amazon cloud(bill was over $100k/mo in late 2011/early 2012 for an app stack that launched from day 1 in their cloud and we've grown tons since). So easily $10 million in savings over the past ~9.5 years or so since we moved out. Executives have come and gone and tried to pitch cloud again but they could never come close to making costs work.

I have read over the years their support has improved so quite possibly the support response would not be what it was for us back then for that kind of customer. But seeing your comment reminded me of this experience.

Re: Hey now

yes sorry forgot to mention HA. vCenter HA value is questionable to me it has it's own share of issues and the failover times are absolutely terrible (for my simple setups probably takes a good 6 minutes, I understand why it takes that long due to design of the apps HA is sort of a bolt on thing instead of a design thing). Then there's the times when you have to destroy HA to upgrade with schema changes and stuff. But I hope it is better than nothing...sometimes I wonder though.