Monday, February 28, 2005

Zones in anger

One of the great features in Solaris 10 is Zones: isolated instances of the Operating system hosted - somewhat like a virtual machine or FreeBSD jails - by a master instance of the Operating System.

We've been using zones for a variety of tasks for the best part of a year now. We had our main webserver running in a zone on my workstation for a few days last summer when the original server got hit by a disk failure. Whipping up a quick zone with the same IP address and name as the ailing hardware was much easier and quicker than finding a spare box and setting it up to suit.

Another major use for zones is for development - particularly for websites. You want to run apache/tomcat/mysql, and these want to use standard ports, so you can only run one instance on a host. But you can run this sort of setup in a zone, and the zones are isolated. It's so much easier (and cheaper) to set up a zone than to build up a separate machine (even though whipping up a machine is pretty trivial using jumpstart). And it's easier than futzing the port numbers to get multiple instances coexisting on one system. My own workstation currently has several zones set up for exactly this purpose.

We have a number of servers that are pretty well open to end users. So we're putting these in zones for isolation - if they're compromised then the underlying systems are less exposed and have an extra layer of protection.

The final use of zones that we're deploying - at present - is as a simple form of redundancy. What we have is a service running in a zone on one machine. Then we have an identically configured zone, with the same name and IP address, on a second machine, but not booted. We can switch the service between machines in seconds - that's all it takes to shut the one zone down and boot the other one.
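The cold-standby switch described above, as an added example (not code from the original post). The host names hostA and hostB, the zone name web1 and the sample `zoneadm list -cp` output are constructed; the script prints the commands it would run and refuses to boot the standby if that copy is already up, since two running copies would share one IP address.

```shell
#!/bin/sh
# Added example: plan a cold-standby zone switch between two hosts.
# Host names, zone name and the sample listings below are constructed.

# Constructed `zoneadm list -cp` output; leading fields are id:name:state:zonepath.
ACTIVE_LIST='0:global:running:/
3:web1:running:/zones/web1'
STANDBY_LIST='0:global:running:/
-:web1:installed:/zones/web1'

# zone_state ZONE: read `zoneadm list -cp` output on stdin, print the state
# of ZONE, or "absent" if the zone is not configured on that host.
zone_state() {
    awk -F: -v z="$1" '$2 == z { print $3; found = 1 }
                       END { if (!found) print "absent" }'
}

# switch_plan ZONE ACTIVE_HOST STANDBY_HOST ACTIVE_LISTING STANDBY_LISTING
# Prints the commands to run in order, or an error on stderr and returns 1.
switch_plan() {
    zone=$1 active=$2 standby=$3
    a=$(printf '%s\n' "$4" | zone_state "$zone")
    s=$(printf '%s\n' "$5" | zone_state "$zone")
    # The standby copy must be installed and down before it can take over.
    case $s in
        installed) ;;
        running|ready) echo "refuse: $zone already $s on $standby" >&2; return 1 ;;
        *) echo "refuse: $zone is '$s' on $standby, cannot boot" >&2; return 1 ;;
    esac
    # Stop the active copy first (skipped if it is already down), then boot
    # the standby. Note: halt does not run the zone's shutdown scripts.
    if [ "$a" = running ] || [ "$a" = ready ]; then
        echo "ssh $active zoneadm -z $zone halt"
    fi
    echo "ssh $standby zoneadm -z $zone boot"
}

switch_plan web1 hostA hostB "$ACTIVE_LIST" "$STANDBY_LIST"
```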

These scenarios have all been tested for the best part of a year; we're now starting to move to live deployment on the full release of Solaris 10.

Saturday, February 26, 2005

Open source, open binaries, or open distribution?

Just to reinforce the point I was making in my previous blog entry, take a look at IT Manager's Journal | Why distribution -- not low cost -- is real advantage of open source.

(And its predecessor.)

Sun could learn from this. OK, so they've notched up some pretty impressive statistics for Solaris 10 so far. But they're still very restrictive and in control of the distribution channel, which hurts them (for all their software - not just Solaris, but Java too). You can't get Solaris from mirrors, you can't get it from the torrent, you can't get it on magazine covers. And, because you can't redistribute it, Sun can't use other people to promote its software.

Wednesday, February 23, 2005

Open Source or Open Binaries?

Why is open source - or specifically Linux - successful?

Is it the ideals behind the license? Is open source better software? Or is it simply that most people are cheapskates and want something for nothing?

I think that it's not really any of those. I think it has a lot to do with ease of access.

And getting hold of a copy of Linux is as easy as falling off a log. There are mirrors of dozens of Linux distributions all over the net. So you can download it, for free, without a nag screen or any application process. Or you can get it on the cover of any of half a dozen magazines in your local bookstore. And you can install it - and there's a good chance it will mostly work, after a fashion - on pretty well anything and have a play with it.

And that's the point. It's not that it's got a license that allows you to see how it's done and change it. Most users couldn't care less. It's not that it's better or worse than commercial software. It's not even that it's free - most people will happily pay for something if they think it's worthwhile - but that includes trying it out for free. The important thing is that the barriers to entry - to trying it out - are essentially zero.

Of course, the more people who try something the more are likely to use it. (I find the same thing with games. I'll happily fork out large sums of cash for a PC game if I know I like it, and I find that out by installing the demo version. No demo - no sale.)

And there are other recent open source success stories. Firefox is being used by millions of people, and I'm willing to bet that only a vanishingly small handful have used the source or built it themselves. It's not access to source that matters here, it's being able to get hold of the binaries with ease.

Increasingly, as well, source access is becoming useless. I build a lot of software from source. Or try to, anyway. And it's hard work. Trawling through prerequisites and resolving the dependency hell is almost impossible. (Haven't open source developers heard of the concept of stable APIs?) Then you have to watch configure make a large bunch of wild and unsubstantiated guesses about the state of your system and then libtool demonstrate how not to build software. And (at a time when the diversity of systems used to be much greater) we used to manage without all this. It used to take a simple make and you were done. No more. Failure is now more common than success.

There are initiatives that aim to address these issues. For Solaris, Sun supply some software with the OS itself, and additional material on the companion CD. Then there's sunfreeware and blastwave. In both cases someone else has had to suffer the pain (and the build time...). Then gentoo and portaris aim to automate the build process. And Eric Boutillier is actively investigating pkgsrc based solutions.

With these last few exceptions, though, it seems that the source part of open source is becoming irrelevant, and what matters is open access to binaries.

Wednesday, February 16, 2005

Diversity, Choice, Competition

In a LinuxInsider Linux News Commentary, Open-Source Projects Are Not All the Same, Frank Hayes makes the important point that, while Linux and OpenSolaris are both really Open Source, they differ in important ways. Different models, different communities, different licenses. Diversity is good; competition can only improve both.

The article has a couple of errors though.

The first error is the statement that:

But those patents can only be used with Sun's code. Changing the code means losing the patent protection.

Which is plain wrong. The patent protection stays with the code. That's the whole point of the CDDL.

The second is the statement that both are competing for the attentions of the same developers. They aren't (and it continues the myth that Linux is a volunteer project - interestingly, the OpenSolaris community outside of Sun does have a lot of individuals rather than being largely corporate).

In the same vein, James Governor makes the point that there is no single Open Source Community. There are lots of communities. And, when asked

Don't other open source communities wonder at the vocal minority of Linux fans talking for them?

Yes, we do! But it's not Linux fans, as such - it's just a noisy minority who presume (incorrectly) to speak for the community.

There's not just choice and diversity in code and licenses. There's choice and competition from different products. Like the recently released Solaris 10 and Red Hat's RHEL4. Our friend SJVN builds this up as a great battle with this provocative quote:

"It's the beginning of the end for Solaris in the enterprise,"

The reality is somewhat different - Solaris is wildly popular, while RHEL4 isn't exactly bowling all reviewers over. The reality is that both are going to be around, and have success, for a long while.


Saturday, February 12, 2005

I bought the book

Today, I bought the book.

Not just any old book, the book.

I've been meaning to get down the shops and buy it since getting some cash over Christmas, but what with a busy life and a bout of the flu, it's taken a lot longer than I planned.

For those of you not paying attention, we're talking about this book.


Thursday, February 10, 2005

SMF setup for postfix

As promised in my last blog, we've put up an article on setting up our mail system using the new Service Management Facility in Solaris 10. Includes a brief description, and the method and manifest files that were created.


57 up

So I now have 57 machines running Solaris 10, including most of our compute farm.

The latest machine was our mail server. It's a complicated beast, running postfix, spamassassin, amavis, sophos, sophie, clamav, freshclam, pop, imap, pop-before-smtp, gld, mysql, TLS, SASL...

You get the idea. It's a fairly complex setup. And it's all managed by smf. We're going to do a little writeup of this - stay tuned!

We did have one glitch. Looks like lockd (the nlockmgr service) doesn't always register properly with rpcbind. This caused command line mail clients like mail and mutt running on older machines to hang. (Solaris 10 clients were fine because they're using NFSv4 which handles the locking itself.) Having identified this, a quick

svcadm restart svc:/network/nfs/nlockmgr:default

brought everything back to life.
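A check for the failure described above, as an added example (not code from the original post): it reads `rpcinfo -p` output and reports whether RPC program 100021 (nlockmgr) is registered with rpcbind. The sample listings are constructed, and treating registration on both udp and tcp as the healthy state is an assumption of this example.

```shell
#!/bin/sh
# Added example. The rpcinfo listings below are constructed sample data.
# Columns of `rpcinfo -p`: program vers proto port service.
HEALTHY='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100021    1   udp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100021    1   tcp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr'
BROKEN='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100003    3   tcp   2049  nfs'

# lockd_protos: read `rpcinfo -p` output on stdin and print the transports
# on which program 100021 (nlockmgr) is registered, e.g. "tcp udp".
lockd_protos() {
    awk '$1 == 100021 { seen[$3] = 1 }
         END { out = ""
               if (seen["tcp"]) out = "tcp"
               if (seen["udp"]) out = (out == "" ? "udp" : out " udp")
               print out }'
}

# check_lockd LISTING: return 0 when nlockmgr is registered on both
# transports (assumed healthy state); otherwise print the restart command
# from the post on stdout, a diagnostic on stderr, and return 1.
check_lockd() {
    protos=$(printf '%s\n' "$1" | lockd_protos)
    if [ "$protos" = "tcp udp" ]; then
        return 0
    fi
    echo "nlockmgr registered on: ${protos:-nothing}" >&2
    echo "svcadm restart svc:/network/nfs/nlockmgr:default"
    return 1
}

check_lockd "$HEALTHY" && echo "nlockmgr OK"
check_lockd "$BROKEN" || true
```

On a live system the listing would come from `rpcinfo -p` run against the NFS server rather than from the embedded samples.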


Monday, February 07, 2005

Solaris mirror resyncs

Most of our servers have mirrored root disks, and so when I install them (which I've been doing a lot of this last week) I need to resync the mirrors (set up during jumpstart). The default settings in Solaris Volume Manager can lead to pretty long resync times, and the way to speed it up [taken straight out of the metasync(1M) manpage] is to add the following

* speed up mirror resync
set md_mirror:md_resync_bufsz = 2048

to your /etc/system file (I do this in my jumpstart finish script). This works for Solaris 10 (which is of course what I'm installing everything with now!).

This speeds up the resync quite nicely. In fact, the data rate during resync seems to be almost the same in megabytes/s as the disk size in gigabytes (this might just be a coincidence and valid only for the restricted range of hardware I've tested). But this leads to the resync time being pretty well constant.

With the default SVM settings, I almost always saw 8 megabytes/s, which is pathetic for modern disks, and the resync could take hours. Now it's nice and quick.


Friday, February 04, 2005

Solaris 10 installs rolling

Having finally managed to haul Solaris 10 across the network, installs are proceeding well. I've now got over 30 machines running Solaris 10. It's gone pretty well without a hitch so far. More machines are being installed in a steady stream.

(The only irritating thing is that JDS now does wireframe window moves rather than opaque window moves. Anyone know how to switch this around?)


Tuesday, February 01, 2005

Way too popular

Solaris 10 is way too popular. I've been fetching it all day and not got halfway yet. I'm getting a measly fraction of my normal download speed. Not good. (For me, that is - obviously it's good for Solaris to see so many downloads.)

Looks like I'll have to leave it overnight.