Speeding up the Web: a new protocol

14 November 2009 ddouthitt

Google has revealed a new protocol – SPDY – that has come out of a research project to speed up HTTP, the protocol that underlies the Web. The speed increase is amazing – and sorely needed.

There is already a development version of Google’s Chrome browser available that supports SPDY; the branch is code-named Flip.

This new protocol requires a modified web server, which will be forthcoming from Google in the future. This is an exciting development that bears watching.

Categories: Networking

Laissez-faire Security – A Good Thing

9 November 2009 ddouthitt 1 comment

Bruce Schneier wrote today about a paper that describes something it calls laissez-faire security: the idea that tight role-based security (RBAC) will lead to situations where the security prevents people from doing what they need to do for their jobs, which subsequently leads to normal people finding ways to circumvent (and weaken) security.

The proposal presented in the paper Laissez-faire Security (by two researchers from Columbia University and two from Microsoft) suggests that rather than tightening things down, one should audit strongly instead. One of the authors, Steven M. Bellovin, is a luminary in the security arena who is steeped in the history of the Internet and was one of the founders of Usenet.

Every administrator sees the results of RBAC sooner or later – often through personal experience. SELinux is a perfect example: despite its acknowledged security benefits, it is commonly disabled or left in an “advisory” state only because of the problems in implementing such a restrictive policy.

From a user perspective, there are numerous examples of people bypassing security in efforts to share data or to utilize tools to get work done.

Laissez-faire Security is about letting users select the appropriate security rules within a framework of policies – which they can ignore (after notification and auditing) – at their own peril. The policy violations can then be handled outside of the computing environment in other ways if needed.
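The notify-then-audit flow described above, as an added example (not code from the paper or from Schneier's post). The policy table, role and action names, and the hash-chained log format are assumptions made for illustration.

```python
import hashlib
import json

# Constructed policy table: action -> roles the policy allows (hypothetical names).
POLICY = {"read_payroll": {"hr"}, "export_customer_db": {"dba"}}
GENESIS = "0" * 64


def _digest(prev, event):
    body = json.dumps(event, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()


class AuditLog:
    """Append-only log; each record is chained to the hash of the previous one."""

    def __init__(self):
        self.records = []

    def append(self, event):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        self.records.append({"event": event, "prev": prev,
                             "hash": _digest(prev, event)})

    def verify(self):
        """Return False if any record was edited or the chain was broken."""
        prev = GENESIS
        for rec in self.records:
            if rec["prev"] != prev or rec["hash"] != _digest(prev, rec["event"]):
                return False
            prev = rec["hash"]
        return True


def request(log, user, role, action, acknowledged=False, reason=""):
    """Decide a request: 'allowed', 'warned' (needs acknowledgement) or 'overridden'."""
    event = {"user": user, "role": role, "action": action}
    if role in POLICY[action]:
        outcome = "allowed"
    elif acknowledged and reason.strip():
        outcome = "overridden"   # the user proceeds at their own peril
        event["reason"] = reason
    else:
        outcome = "warned"       # notify the user; nothing is performed yet
    event["outcome"] = outcome
    log.append(event)
    return outcome


def overrides(log):
    """Overrides to be reviewed outside the system (manager, security team)."""
    return [r["event"] for r in log.records if r["event"]["outcome"] == "overridden"]


if __name__ == "__main__":
    log = AuditLog()
    print(request(log, "alice", "hr", "read_payroll"))
    print(request(log, "bob", "dev", "read_payroll"))
    print(request(log, "bob", "dev", "read_payroll", True, "payroll outage triage"))
    print(overrides(log), log.verify())
```

The chain makes edits to earlier records detectable, but it does not detect truncation of the newest records unless the latest hash is also stored somewhere the user cannot reach.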

The paper compares computer security to an economy and to the workings of the free-market economy in particular. This paper is very interesting reading and would be worth reading for any security-minded administrator.

The Domain Name System (DNS), Internationalization, and More

7 November 2009 ddouthitt

The DNS service has been in the news recently, most specifically when ICANN held the 36th ICANN Conference in Seoul, South Korea and decided to allow internationalized country code top-level domains (abbreviated as ccTLDs). The Russians and the Chinese have been after ICANN to do this for some time – and not with any real resistance from ICANN either. Over at the CircleID blog, they have a nice recap of the meeting.

The biggest problem was technological, and over the last several years ICANN and the DNS powers-that-be have worked diligently to implement a method of supporting Unicode domains – the approved method was Internationalizing Domain Names in Applications (IDNA).

The biggest problem – which unfortunately hits the Russians and other users of the Cyrillic alphabet hardest – is that some of the domains will look like Roman (alphabet) domains. The most prominent example is the counterpart to the current .ru domain; the equivalent Cyrillic example would be .py (which is the Republic of Paraguay). Of course the computer has no problems – the letters are different – but the human user could confuse the two, opening a new angle for phishing attacks.
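A defensive check for the look-alike problem described above, added here as an example (not part of the original post): it reports each label's ASCII wire form, the scripts it uses, and whether a non-Latin label reads as plain ASCII. The look-alike table is a constructed, partial assumption; the conversion uses Python's built-in `idna` codec.

```python
import unicodedata

# Constructed, deliberately partial table of Cyrillic letters that render like
# Latin ones; a real check would load the Unicode confusables data instead.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}


def script_of(ch):
    """Return a coarse script name taken from the Unicode character name."""
    if ch.isdigit() or ch == "-":
        return "COMMON"  # digits and the hyphen are shared by all scripts
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def inspect_label(label):
    """Describe one DNS label: wire form, scripts used, and any findings."""
    scripts = {script_of(ch) for ch in label} - {"COMMON"}
    skeleton = "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)
    findings = []
    if len(scripts) > 1:
        findings.append("mixed-script")
    if scripts - {"LATIN"} and skeleton.isascii():
        # Every non-Latin letter has a Latin twin: a human reads it as ASCII.
        findings.append("reads-as-ascii:" + skeleton)
    return {
        "label": label,
        "ace": label.encode("idna").decode("ascii"),  # what DNS actually sees
        "scripts": sorted(scripts),
        "findings": findings,
    }


def inspect_domain(domain):
    """Inspect every non-empty label of a domain name."""
    labels = [part for part in domain.lower().strip(".").split(".") if part]
    return [inspect_label(part) for part in labels]


def is_suspicious(domain):
    return any(report["findings"] for report in inspect_domain(domain))


if __name__ == "__main__":
    # Constructed samples: Latin "py", Cyrillic U+0440 U+0443, and a Latin
    # label with one Cyrillic U+0430 mixed in.
    for name in ("example.py", "example.\u0440\u0443", "ex\u0430mple.com"):
        for report in inspect_domain(name):
            print(name.encode("unicode_escape").decode(), report)
```

Displaying the `ace` form next to the rendered name, in mail gateways or proxy logs for instance, gives the human the same view of the difference that the computer has.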

The presence of new internationalized domains may make a difference to you if your company is international – especially if it is located in another country. Countries such as France, Canada, and Mexico won’t be affected, but many others will be – Japan, China, and many Middle Eastern countries come to mind (with Japanese, Chinese, Arabic, and Hebrew domains).

Getting a new international domain will mean making sure that all programs can handle the internationalized domains – such as mail clients, mail servers, local DNS servers, and more. Unless a complete conversion is mandated, it can be done alongside of the current working DNS service. Make sure that you brainstorm and work with as many affected individuals as possible to make the new DNS domain work; this becomes especially critical during a total conversion.

On the heels of the wrap-up of the meeting in Seoul is Paul Vixie’s article in the ACM Queue entitled What DNS is Not. He talks about how DNS is not a policy-making protocol, but rather an expression of facts (mapping names to addresses).

Categories: DNS, Foreign Language

Test Plan Charlie: 41000 Linux Servers on One Box

2 November 2009 ddouthitt 1 comment

There was a test done many years ago by David Boyes, an engineer working out of Virginia. The test was simply to run as many Linux servers as possible on one IBM zSeries mainframe – and to keep adding them until something broke.

The test hit the limit at 41,400 Linux servers – and nothing ever “broke.” This project was widely reported at the time, though it seems to be forgotten now. However, the test caught my fancy. That’s a lot of Linux machines.

As was mentioned, this project was widely reported: Linux Journal had an article on 1 June titled The Penguin and the Dinosaur from Adam Thornton. That same day, Daisy Whitney authored an article, Linux on Big Iron – possibly in Datamation. Scott Courtney (the Technical Editor for Internet.com) wrote S/390: The Linux Dream Machine on 23 February and wrote It’s Official: IBM Announces Linux for the S/390 on 17 May. What really stands out? All of these articles reporting on the S/390 and on Test Plan Charlie appeared nine years ago, in 2000.

Scott Courtney followed his articles up with an interview with David Boyes in 2001.

There is one more thing about David Boyes: following Test Plan Charlie, he went on to create Sine Nomine Associates and showcased OpenSolaris running on the IBM zSeries in November of 2007 – with attendant press releases from IBM. Certainly, David is not one to sit idle – and is a figure to contend with in the IBM zSeries arena. IBM has, since the original announcement nine years ago, pushed Linux on zSeries with vigor. One irony: Test Plan Charlie was part of a study for an IBM customer that was deciding whether to use their existing S/390 or whether to use a new Sun setup.

There is even an open source IBM mainframe emulator called Hercules, which allows the rest of us to try it out and see what happens – even though you won’t be able to run under z/VM, as that is an IBM product.

Update: there was a nice set of updates about OpenSolaris on zSeries over on DancingDinosaur: Here comes (and goes) the Sun (12 April 2009) and Slow times for OpenSolaris on System z (21 July 2009).

Powered by ScribeFire.

A Book Review: “Green IT”

27 October 2009 ddouthitt 2 comments

The book Green IT: Reduce Your Information System’s Environmental Impact While Adding to the Bottom Line by Velte, Velte, and Elsenpeter is extremely interesting. Unlike some other books that might go in this direction, this is not a book of theory, nor of political change, nor of persuasion. This is a book for IT staff about how to create a “green” data center and more.

Because of the nature of IT, going “green” can mostly be summed up in one word: electricity. A vast amount of what makes an IT department “green” consists of using less electricity wherever possible. This includes such areas as the corporate data center, the corporate desktops, and much more.

However, the book also gives significant attention to the other big environmental impact of computing: paper. There are a lot of ways to reduce paper use, and this book seems to cover all of them.

The book is in five parts: part I explains why to implement conservation in IT; part II talks about consumption; part III discusses what we as IT users can do individually to help the environment; part IV covers several corporate case studies; and part V expounds on the process of becoming “green” and how to stay that way.

It would have been nice to see more information about how the authors exemplified their suggestions during the creation of the book. The only hint of any environmentally sound practices is the recycled paper logo on the back cover (100% post-consumer fiber). That leaves more questions: did they use thin clients? Did they work from home? Did they use soy ink? Perhaps lastly, where is the e-book?

There is a web site that is set up for the book, but the current breadth of the site is disappointingly anemic. Some of the best web sites for Green IT would be Dell Earth, Intel, as well as IBM’s Green IT and Energy, the Environment, and IBM web sites.

It was interesting to note that HP’s Eco Solutions web site is “heavy” compared to the others – that is, it requires much more processing power to display, and requires a lot more time to download – which translates into more power consumption to view the web site. In addition, IBM and HP are the #1 and #2 in Computerworld’s list of Top Green-IT Vendors – whereas Dell is #6… HP also topped Newsweek’s 2009 list of Greenest Big Companies in America (along with IBM, Intel, and Dell in the top 5).

New programming blog: Programmagic!

24 October 2009 ddouthitt

As a programmer, I have found that system administration benefits from a lot more programming than most people realize. Scripting languages are not limited to just the UNIX shell – nor to Perl.

There is a new blog, a sister blog to this one, entitled Programmagic! which will focus on programming. It will focus on lesser used languages like Lua, Scala, LISP, Smalltalk, and many others.

Recent posts are on Scala; there are many more to come. Why not come visit?

Why I Use Korn Shell Everywhere

19 October 2009 ddouthitt 6 comments

The first thing I do when I log into a system, including Solaris, HP-UX, FreeBSD, and Linux, is exec ksh. Whatever for?

Consider this fact: the root shell on FreeBSD defaults to C shell; HP-UX defaults to the POSIX shell (without history); Linux almost everywhere defaults to bash. All of these shells are different in various ways. It is possible you might log into three separate machines and get three separate shells with three different ways of handling things.

Using Korn Shell means that all of these systems will be standardized on one shell, and every system will act the same when you interact with it. There will be no surprises – and surprises at the root command line often translate into disastrous errors.

On HP-UX, using ksh has the additional benefit of enabling history for root – although the security risks of this make this a dangerous benefit: best to erase history after you log out and to make sure that history is independent for every root shell.

What makes this possible is that the Korn Shell is available virtually everywhere, including FreeBSD, Linux, Solaris, and HP-UX – whereas other shells are not (which includes C shell, Bourne shell, and bash).

Categories: UNIX

HP Instant Capacity (iCap)

17 October 2009 ddouthitt 1 comment

One of the things that may affect any clusters you have – or other systems – is that management does not want to spend enough to handle any possible load.  With a cluster, this means that you may not be able to handle a fail-over because there is not enough spare processing power to handle the extra load when it happens.

HP’s Instant Capacity (“capacity on demand”) is an answer to this dilemma.  The base idea is that you have extra hardware already in the data center that is not available for use until it is necessary.  The switch that will enable this expanded capacity can be automatic or manual; when some portion of the extra capacity is enabled, you pay for it and it can be used from then on.

Yet, Instant Capacity (iCAP) is more flexible than this.  The capacity may be enabled only temporarily instead of permanently – this is known as TiCAP (temporary iCAP).  Thus, you can save even more by buying extra hardware but enabling only a small portion of it.  During the recent HP Tech Days that I attended in San Jose, California, a situation was described where an HP Superdome could be purchased with a large amount of the hardware already in place – but only a small amount of the hardware enabled.  When the extra power is needed, for example, a cell in the Superdome could be enabled until such time as the power is no longer necessary.

There is also Global Instant Capacity (GiCAP) which even allows the movement of power from one system to another.  For example, if a CPU on one system is underutilized and another system needs the resource more – then the CPU resource can be “logically” moved from one system to the other through GiCAP.  Alternately, if one system dies and another system needs its power, the dead system’s resources can be used by the active system by moving them through GiCAP.

iCAP and TiCAP are available for HP-UX (on PA-RISC and Itanium) and for OpenVMS (only on Itanium). GiCAP is only available for HP-UX.

I find iCAP and TiCAP to be very interesting.  From a cost perspective, you pay only a minimal amount to keep the resource; when it is enabled, you then pay for it for the duration – or buy the hardware outright for permanent use as needed.


Blog Action Day 2009: Climate Change

15 October 2009 ddouthitt

Every year, blogs around the world center on one topic for a day; this year, climate change is the focus. What can IT staff do about climate change?

A lot, it turns out. The data center is a huge user of electricity, and there are a lot of things that can be done to reduce power usage. A lot of electricity comes from polluting sources and contributes in other ways to a global change in the climate.

One thing that can be done is to pull old machines out entirely and replace them with newer more power efficient models. Often, older models are hoarded because of the cost to the organization in getting a new computer. Newer computer models with newer processors can use half the electricity of older models; just make sure that you actually get efficient servers instead of getting one which is not efficient.

Another possibility is to go with blade servers. These are servers that are thin and small, permitting a higher density of servers in a rack than ever before. Blade servers are typically designed to save power; for instance, HP claims a 25% power savings with their c-class server blades (which can run HP-UX, OpenVMS, Linux, or Windows).

Alternately, you could run several machines on one server using a virtual machine. HP-UX 11i offers something called Integrity Virtual Machines (or IVM). IVMs are fully virtualized Integrity machines; currently supported are HP-UX 11i, Red Hat or SUSE Linux, and Microsoft Windows Server. OpenVMS 8.4 (expected in the first half of 2010) will support running as a guest operating system in an IVM as well.

Let’s look at the Top 500 list – a ranking of the 500 fastest supercomputers in the world. However, this list only focuses on speed and power; with this in mind consider the Green 500 list. The Green 500 takes the Top 500 list and ranks it by computing power per watt used: thus, the most power for the least number of watts (that is, the most efficient supercomputer) is the top entry.

Categories: Uncategorized

HP Tech Day: HP Superdome

9 October 2009 ddouthitt 2 comments

I was recently invited to take part in an HP Tech Day in San Jose, California, celebrating the 10th anniversary of the HP Superdome (the most advanced server in the Integrity line).  This was an event designed to introduce several of us in the blog world to the HP Superdome.  The attendees included David Adams from OSNews, Ben Rockwood from Cuddletech, Andy McCaskey from Simple Daily Report (SDR) News, and Saurabh Dubey of ActiveWin.  This was a quite eclectic and broad mix of perspectives: David Adams covers operating systems; Ben Rockwood covers Sun goings on (as he mentions in his article, he wore a Sun shirt: bold as brass!); Saurabh Dubey covers Microsoft goings on; and I, as loyal readers may know, cover system administration (with a focus on HP-UX, OpenVMS, and Linux – all of which will run on Superdome). Andy McCaskey over at SDR News also had a nice writeup on his experiences.

It is possible I was the most familiar with the architecture and with the capabilities, though I’ve not seen or worked with a Superdome in the past: the capabilities of the Superdome are largely based on the fact that it is cell-based.  The rp7420 cluster which I have maintained over the last several years uses the same technology, though cells from the rp7420 are incompatible with the Superdome.  The software is the same: prstatus, etc.  The System Management Homepage (SMH) was also shown, although it was almost shown as a benefit of the Superdome (it’s actually in every HP-UX since 11i v2, and is an option for OpenVMS 8.x).

There was a lot of talk about “scaling up” (that is, use a larger, more powerful system) instead of “scaling out” (using a massive cluster of many machines).  The Superdome is a perfect example of “scaling up” and is possibly one of the best examples.  I was impressed by what I saw as the capabilities of the Superdome.  There was a lot of comparison with the IBM zSeries, which is the epitome of the current crop of mainframes.  The presenters made a very strong case for using Superdome over zSeries.

They did seem to focus on running Linux in an LPAR, however; this creates a limit of 60 Linux installations.  Using z/VM as a hypervisor, one can run many more Linux systems.  I have heard of a test run in Europe (years ago) where a zSeries was loaded with one Linux installation after another – when the testers reached into the tens of thousands (30,000?) the network failed or was overloaded; the zSeries system was still going strong.  Trouble is, I’m not able to back this up with a source at the moment: I’m sure it was available as part of a print (Linux) journal – it may have been called “Project Charlie.”  Can anyone help?

The usability features of the Superdome were on prime display: for example, the power supplies were designed so that they could not be inserted upside-down. Another example: the cells for the Superdome are in two parts: the “system” (including CPU, memory, and chip glue) and the power supply. This makes it much easier to remove in the typical datacenter row and makes each part lighter, making it easier for users. There are innumerable items like this that the designers took into account during the design phase. The engineering on these systems is amazing; usability has been thought of from the start. In my opinion, both HP and Compaq have been this way for a long time.

Speaking of the tour, this system that they showed us was a prototype of the original HP Superdome that shipped for the first time in 2000.  This system was still going and was using modern hardware: these systems are not designed for a 3-4 year lifecycle, but a much longer, extended lifecycle.

There were a lot of features of the system that I’ll cover in the next few days; it was enjoyable and educational.  I very much appreciate the work that went into it and hope to see more.

By the way, if you read Ben Rockwood’s article at Cuddletech, look at the first photograph: your author is center left, with the sweater.

Update: thanks to Michael Burschik for the updated information on Test Plan Charlie, which saw 41,000 Linux machines running on the IBM zSeries back in 2000. I’ll have a report on it soon. Strangely enough, I still haven’t found the article I was thinking of – but of course, a project like that isn’t reported in just one periodical…
