Open Source Tools in Data Centers
An anonymous reader writes "There is a nice presentation on the L.A.S. Linux site entitled 'Managing Data Center Functions with Open Source Tools' which was presented at Comdex 2003. It covers everything from IPtables to OpenNMS, as well as some less known but nice tools like NeDi, which lets you easily manage Cisco routers and switches from a web browser."
Interestingly, Harald Welte (creator of IPTables) will be giving a talk at Linux/Bangalore 2003, among hundreds of others.
When anger rises, think of the consequences.
Confucius (551 BC - 479 BC)
in the enterprise datacenter has to be Cisco Enterprise Printing System, or CEPS for short. With CEPS Cisco has over 10K printers in thousands of sites around the world with only 2 print admins!! CEPS is based around Samba and CUPS and allows Windows, Linux, and Unix clients to print to printers in a way that is unmatched for redundancy in any other product, commercial or otherwise. Remote print servers can take over control of print queues quickly in the event of a print server failure, and queues can be rerouted to a new print device should a physical printer fail, all without client reconfiguration! Cisco was nice enough to give the system back to the world. They have a SourceForge project available for anyone interested.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
As an administrator at one of the Midwest's largest ISPs/data centers, I am always looking for better ways of administration. Currently, we use Plesk for all our client server administration. However, this costs us a fortune... which is passed on to our clients. I would contribute a lot of this money myself towards a 100% open-source, stable, secure distribution specifically made for web hosting. Features like virtual private servers, a control panel comparable to Plesk, and completely secured SSH access would be ideal. In addition, kernel mods to protect security (keeping people out of resources they shouldn't be in) should be done. I could do this myself, but I just don't have the time to keep it maintained myself.
Admit it. With the exception of Apache, Samba is the number one reason that Linux (and BSD, too!) has been able to invade the datacenters of companies the world over.
:)
Without Samba, Linux et al would be in a much less pretty position.
Perhaps we should call it Samba/GNU/Linux?
Kudos to the Samba Team, Tridge, and all Samba developers/testers/users!
The linux hacker
Offtopic but true...
You want User Mode Linux.
Google for it, mighty ISP owner.
I would include Zabbix in the Monitoring and Administration section. This is an out-of-the-box application that takes care of monitoring our network consisting of more than 400 nodes. It is not as mature as Nagios or MRTG, but its stability and feature set make it extremely useful. Native high-performance agents cover most platforms: Solaris, AIX, HP-UX, MS Windows, Linux, *BSD, OS X. It can be installed in 5 minutes, which is a big advantage over Nagios or OpenNMS.
As far as I'm concerned, HP switches that have a web GUI built in are much better for medium (up to 500 clients) deployments than Cisco crap. Cisco makes money on training, books etc., and I feel that they purposely make their interface (command line only) hard to use. Even the prompt commands aren't intuitively named. There is just too much money in the books and training for Cisco to give it up, and the price they pay is that people who need to deploy medium LANs rather quickly will opt for HP and 3Com. It's good to see NeDi taking that vacuum and getting Cisco IOS badly needed...uh...common sense.
OpenBSD has PF - a really cool packet/NAT/authentication/bandwidth limiter/port forwarding system that is really, really cool.
You can do clever things, like allow a certain amount of bandwidth for somebody, but if they log in, the bandwidth limit disappears.
Or parse the spam blackout lists and block all incoming packets from them (spam-type networks have more than their fair share of crackers).
All without cryptic config files.
I *REALLY* hope, for Linux's sake, that after FreeBSD ports PF (to replace their IPF), a Linux port will be forthcoming.
IPTables is just fine for simple firewalls, but PF has a much more sane syntax, and it can handle really complex networks without a headache.
PF is sooo good - it's worth learning a bit of OpenBSD to get it. If you're good at Linux, it will take you up to half a day to learn all you need to get PF on OpenBSD working, and that includes installing OpenBSD.
It's not hard at all - I came from a Windows background and didn't even know vi, and it only took me three days to learn enough about OpenBSD to get it working.
Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.
Another tool to monitor Cisco-based or other networks is JFFNMS.
:)
It can monitor TCP Ports, Network cards, CPU, Memory, Disks, all using standard SNMP, with no client side scripts.
You can integrate it with your OSS using various RPC methods, everything is stored in MySQL or PostgreSQL.
It's very extensible too...
Javier
It's my own project.
- Smells Like Open Source Code
Let me guess, you were that kid in art class that always drew pictures of people being torn to bits by a guy with a chainsaw -- so disturbing, in fact, that the teacher had to take you aside at the end of class and have "that talk."
Another tool of use is the Cisco Transport Controller...we use this to monitor a fiber network up in MA.
FreeBSD's chroot jails are a much better and more efficient solution.
UML has a number of differences when compared to chroot environments.
On the other hand, UML is good enough to fool even the hackers (I have had UMLs hacked and the hacker didn't realize they were in a virtual).
We run public webservers, and mailservers on UML. We are at the point where we just assume that you use one UML per application. The manageability of running single-application servers is just too good to pass up.
Let's not forget that Microsoft.com was down Friday night :)
Now, if you're looking for someone to blame, Microsoft is sure the way to go. Hard to get away with blaming open source if you have advocated its use. Funny how the opposite can easily be done for Microsoft products.
-Justin
I've been using NMIS (http://sins.com.au/nmis) for about 2 years and it's better than any commercial NMS I've seen and used. Even our management turned down the likes of OpenView and Patrol in favor of it (of course cost helped that as well :). It's got its quirks, and isn't very modular unless you know Perl reasonably well, but out of the box in a Cisco network it's great, with support for other vendors slowly growing. The developers are supportive via their email list as well. If you're in need of a monitoring platform and your PHBs aren't afraid of open source apps, NMIS should definitely be given a look.
--mb
Knowledge is power. Power corrupts. Study hard, be evil.
That's a pretty lame troll. If I had to list all the Windows systems that were broken into in the last 5 years from personal experience, it would far outweigh the Debian incident. The difference between open source and corporations is that the open source community is transparent about it. You're obviously not a system administrator. My own personal guess (which is based on first hand experience) is that Windows-only networks are compromised more than 3x as often in the corporate world as the equivalent Unix network.
Seriously, I want some of that.
With all the recent security issues surrounding open source (Debian, anyone), I would think twice about using open source in my data center.
Please get a clue. The Debian compromise was because of a lost password. Every OS/app is equally vulnerable to this.
When it comes to centralized management of your IT assets, Microsoft products are unbeatable. An excellent reason to be an MS only shop, IMHO.
Now I get it, you're trolling. MS may have some good tools, if you need point-and-drool and don't try to do anything the system or tool was not explicitly designed to do.
In my case, I admin a research lab with 12 workstations and two servers, all running GNU/Linux. I spend no more than 15 minutes per week on routine admin tasks, all of it from home. I can also remotely install any software the researchers need. The only reason I ever need to physically go there is to replenish the office supplies (toner, paper, blank CDs). That sort of a setup would be difficult, if not impossible, with an MS-only setup.
Why would you consider someone hacking a virtual server to be a fool? It's as good as the real thing to a hacker in many cases. And by the way: a simple cat /proc/cpuinfo will do the trick of identifying User Mode Linux.
You may try Xen http://www.cl.cam.ac.uk/Research/SRG/netos/xen/
In one sense, hacking a virtual is as good as hacking the real thing. On the other hand, hacking a virtual is quite dangerous on the part of the hacker.
/proc/cpuinfo and a bunch of device setups are unique to UML; most hackers have no clue and trudge on blindly. If you want to be more "stealthy" and set up a honeypot, the honeypot /proc and /dev filesystems change all the names to match a "normal" physical server. If your purpose is a "honeypot", you will probably need to only run a single UML with enough memory to seem realistic. Even then, if the hacker knows the internals of Linux, he can tell, although it might require writing/loading a kernel module to see that the address space is not quite right.
UML virtuals have the ability to log a bunch of stuff "outside" the virtual. This can include keystroke logging on devices (including the ptys that ssh allocates). Plus you have a 100% sniffable network from the outside, and the "owner" of the UML can "give" the virtual to the hacker at almost no cost and watch and learn.
If you are concerned about a hacker launching a DDOS using your virtual, this can happen, but you can also stop or mitigate it without tipping your hand against the hacker. You can firewall the virtual from the host side and silently block all (or most) of the attacking packets. You can even rate-limit the damage that they can do with 'tc'.
The amazing thing about getting a UML hacked is that most hackers don't even realize they are being watched. While
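The host-side containment the comment above describes (silent DROP of the guest's attack traffic, rate-limiting with tc), written out as an added example that is not from any poster in this thread. It assumes the UML guest is attached to the host through a tap interface (tap0 in the test) whose traffic the host forwards, so the rules live in the host's FORWARD chain; set UML_DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: contain a UML honeypot guest from the HOST side.
# Nothing inside the guest changes, so the intruder sees no new files,
# processes or firewall rules; the controls live on the host.
# UML_DRY_RUN=1 prints the commands instead of executing them.

run() {
    if [ "${UML_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Let the guest answer connections that reached it, allow only a trickle of
# guest-initiated connections, log the overflow and silently DROP it.
# DROP (not REJECT) means no RST/ICMP goes back to the guest.
contain_uml_outbound() {
    tap=$1; per_min=${2:-10}
    run iptables -A FORWARD -i "$tap" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$tap" -m state --state NEW \
        -m limit --limit "${per_min}/min" --limit-burst 5 -j ACCEPT
    run iptables -A FORWARD -i "$tap" -m limit --limit 6/min -j LOG --log-prefix "uml-drop: "
    run iptables -A FORWARD -i "$tap" -j DROP
}

# Drop everything the guest sends towards one destination (a flood target);
# inserted at position 1 so it wins over the rules above.
block_uml_target() {
    tap=$1; dest=$2
    run iptables -I FORWARD 1 -i "$tap" -d "$dest" -j DROP
}

# Police the guest's total output rate: packets leaving the guest arrive on
# the host's tap as INGRESS, so an ingress policer on the tap caps them.
ratelimit_uml() {
    tap=$1; rate=${2:-256kbit}
    run tc qdisc add dev "$tap" handle ffff: ingress
    run tc filter add dev "$tap" parent ffff: protocol ip prio 1 u32 \
        match u32 0 0 police rate "$rate" burst 32k drop flowid :1
}
```

Run the functions as root without UML_DRY_RUN to apply them; the LOG rule is itself rate-limited so a flood cannot fill the host's syslog.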
Why is it bad if someone posts an informative comment?
No, they aren't much better. They're much worse and consume less resources because you don't get half of the features.
Now get lost, assclown.
Did anybody else find that?
(Was OK with IE, but rather ironic finding a site on open source tools displays correctly only for a closed source browser.)
My rights don't need management.
Oh my god, why don't I have mod points :-)
Good one, really. I bow to your talent.
Here is the closed source competition: Microsoft OTG Reduces Print Servers--From 30 Down to 4--By Consolidating with Windows Server 2003.
Quote: "Here's the story of how they consolidated print servers from 30 servers running Windows NT Server to only four servers running Windows Server 2003 Enterprise Edition."
I'd be curious to hear people's experiences with OpenNMS compared to Nagios.
And OpenNMS does what exactly? There's a vague description on the website, but it's not terribly helpful. Screenshots anybody?
I've been reading the Open Source Network Administration book by James Kretchmar (review here in fact) and it's been a really good read. Really applicable to the subject in my opinion.
Just my $.02 on the subject.
"On a scale from 1 to 10, people are stupid"
SPAM/VIRUS/WORM SCANNING
amavis - http://amavis.org/
qmail-scanner - http://qmail-scanner.sourceforge.net/
dspam - http://www.nuclearelephant.com/projects/dspam/
Ha Ha!
Only a true loser would have recognized that as a Magic the Lamering card!
You might want to look at FreeVSD (http://sourceforge.net/projects/freevsd/). It used to be a commercial package and many ISPs have used it over the years. It hasn't been updated in a few months though, since the company went under in Jan. 2003.
It has all your virtual server stuff and even has a web interface to manage everything as well, like the creation of new virtual servers, etc.
I don't see why the Open Source community couldn't pick up on it and update it for the last releases of Linux distributions. Everyone keeps saying that they would pay to help develop an Open Source virtual server program, well here is your chance to do so with a working program.
If you are looking for a web hosting control panel then you also might want to look at Vishwakarma (http://kandalaya.org/vishwakarma.shtml). It is a nice package that has been around for a while, with a nice web interface, and it even has support for reseller and user management options.
You know, you're entirely right. The only thing that discredits you is that you're just an angsty 13-year-old teenager. Grow up and we'll see what you think then. If you still feel like that then, you'll be considered authentic.
The authors of the LAS should have mentioned Cricket, which is a much evolved performance trending system for those looking to trend data from routers, switches, firewalls, servers, sensors and files. Cricket offers a very flexible configuration method. It is all in Perl, so it is very easy to support, extend and integrate. It includes a grapher, a collector and a configuration system.
It does what it does well.
The system also offers easy integration with event management systems, open source or not. It scales well to a great number of devices.
Plus a brand new version just came out! Get it while it is hot.
http://cricket.sourceforge.net
Rick Berman called. He wants his crappy Star Trek plot back!
When it comes to centralized management of your IT assets, Microsoft products are unbeatable. An excellent reason to be an MS only shop, IMHO.
... to better manage the OS they develop ...
... non-sense
I guess that's why they had to license some technology from NetIQ
unbeatable
I really do wonder why an OS like Linux, which is very strong in the server market, does not have professional-grade network management software.
The mentioned tools are nice toys but nothing more. Why are there no free professional tools which support network management standards such as RMON, SAA, NetFlow, etc. in a decent way?
I know that there is StableNet PME and Infovista announced to bring their tools to Linux next year.
So there seems to be a market. What holds back the open source community to develop free alternatives?
But no one wanted to set up GSS or Kerberos 5 years back, so it never caught on.
/net/machine/share...
Lot more complicated than
THIS THING CAN TURN ON A DIME, MACROSSZERO STYLE ALSO FUCK BETA, ~NYORON
No, you want vserver. It is more flexible and powerful than FreeBSD's jail and just as efficient (only a system call away).
r p.qc.ca/miscprj/s_context.hc
http://vserver.strahlungsfrei.de/tiki-index.php
http://www.linux-vserver.org/
http://www.soluco
n/t
attention is nice, sometimes.
My company uses NetBackup for all our backup needs. We have evaluated many options, but find that, due to lack of support from other vendors when used with non-supported solutions, OSS is not a feasible solution. Our company is a 99.9% solution provider, and if something breaks there must be a chain of monetary responsibility. Veritas gives us the support we need, and all of our other vendors support NetBackup. We do have a couple of Linux servers, but for the most part we are a Sun environment, which takes us full circle to supported configurations and a 4 hour service window.