Open Source Tools in Data Centers

An anonymous reader writes "There is a nice presentation on the L.A.S. Linux site entitled "Managing Data Center Functions with Open Source Tools" which was presented at Comdex 2003. It covers everything from IPtables to OpenNMS. As well as covering some less known but nice tools like NeDi, which lets you easily manage Cisco routers and swiches from a web browser."

Re:vservers

[Anonymous Coward]

you want user mode linux
google for it, mighty isp owner

Re:vservers

[Anonymous Coward]

FreeBSD's chroot jails are a much better and more efficent solution

Re:vservers

[Anonymous Coward]

No, you want vserver. It is more flexible and powerful than FreeBSD's jail and just as efficient (only a system call away).

http://vserver.strahlungsfrei.de/tiki-index.php
http://www.linux-vserver.org/
http://www.solucor p.qc.ca/miscprj/s_context.hc

Re:vservers

[DDumitru]

Your definately want UML.

http://user-mode-linux.sourceforge.net [sourceforge.net]

UML has a number of differences when compared to chroot environments.

• Resource usage is higher because less is shared.
• Each virtual needs a real network, and usually a real public IP
• Network configuration can become nightmareish as the number of virtuals grows unless you write some signifigant config scripts that run dynamically.
• You really need a good understanding of networking and especially routing and how ARP works.

Re:vservers

[DDumitru]

In one sense, hacking a virtual is as good as hacking the real thing. On the other hand, hacking a virtual is quite dangerous on the part of the hacker.

UML virtuals have the ability to log a bunch of stuff "outside" the virtual. This can include keystroke logging on devices (including the pty's that ssh allocates). Plus you have a 100% sniffable network from the outside and the "owner" of the UML can "give" the virtual to the hacker at almost no cost and watch and learn.

If you are concerned about a hacker launching a DDOS using your virtual, this can happen, but you can also stop or mitigate it without tipping your hand against the hacker. You can firewall the virtual from the host side and silently block all (or most) of the attacking packets. You can even rate-limit the damage that they can do with 'tc'.

The amazing thing about getting a UML hacked is that most hackers don't even realize they are being watched. While /proc/cpuinfo and a bunch of device setups are unique to UML, most hackers have no clue and trudge on blindly. If you want to be more "stealthy" and setup a honeypot, the honeypot /proc and /dev filesystems change all the names to match a "normal" physical server. If your purpose is a "honeypot", you will probably need to only run a single UML with enough memory to seem realistic. Even then, if the hacker knows the internals of Linux, he can tell, altough it might require writing/loading a kernel module to see that the address space is not quite right.

Xen

[mihai]

You may try Xen http://www.cl.cam.ac.uk/Research/SRG/netos/xen/

Re:IPtables

[fmileto]

Wait, didn't Paul Russell write Netfilter/Iptables?

My favorite use of OS

[afidel]

in the enterprise datacenter has to be Cisco Enterprise Printing System of CEPS for short. With CEPS Cisco has over 10K printers in thousands of sites around the world with only 2 print admin's!! CEPS is based around SAMBA and CUPS and allows windows, linux, and unix clients to print to printers in a way that is unmatched for redundancy in any other product commercial or otherwise. Remote print servers can take over controll of print queues quickly in the event of a print server failure and queues can be rerouted to a new print device should a physical printer fail all without client reconfiguration! Cisco was nice enough to give the system back to the world. They have a sourceforge [sourceforge.net] project available for anyone interested.

Re:My favorite use of OS

[Space cowboy]

I wonder what the TCO figures look like :-) I'd love to see a comparison done with a Windows administration system for 10,000 printers :-)

Simon.

Re:My favorite use of OS

[AndroidCat]

10K printers in thousands of sites around the world with only 2 print admin's

They must be awfully busy putting paper in the printers! :^P (Yeah, you'd think most people should be smart enough to figure that out, but you'd be wrong.)

It does sound like a cool setup.

Here is Microsoft's competition:

[Futurepower(R)]

Here is the closed source competition: Microsoft OTG Reduces Print Servers--From 30 Down to 4--By Consolidating with Windows Server 2003 [microsoft.com].

Quote: "Here's the story of how they consolidated print servers from 30 servers running Windows NT Server to only four servers running Windows Server 2003 Enterprise Edition."

Re:Here is Microsoft's competition:

[afidel]

Looks good but it's 1/10th the size and not nearly as flexible. For instance when we shut down one facility we just moved the physical printers into the area the employees would be occupying in the new building and transfered the queue's and DNS assignment to the new locations existing print server, almost no client side changes and very little muss on the printer side, I know the MS solution wouldn't be that easy =) But really going from 6 admins for one campus to one and all for only 1K printers isn't tha

Re:My favorite use of OS

[lisany]

Remote print servers can take over controll of print queues quickly in the event of a print server failure and queues can be rerouted to a new print device should a physical printer fail all without client reconfiguration!

I can see it now...

Boss: Hey Lloyd! Where's that document I printed twenty minutes ago?
Lloyd: Umm, its not here--ah. the printer was broken and sent off for servicing
Boss: FIND IT!
Lloyd: Well, boss, I found the document--
Boss: Great! Where is it?
Lloyd: Well, that's the thing,

Re:Open Source

[Anonymous Coward]

"I would contribute a lot of this money myself towards a 100% open-source, stable, secure distribution specifically made for web hosting."

Would always could but never did. I've seen this type of comment made so many times, but it's rare to see someone actually put money where their mouth is.

Re:Open Source

[protektor]

You might want to look at FreeVSD ( http://sourceforge.net/projects/freevsd/ [sourceforge.net]). It used to be a commerical package and many ISPs have used it over the years. It hasn't been updated in a few months though since the company went under in Jan. 2003.

It has all your virtual server stuff and even has a web interface to manage everything as well, like the creation of new virtual servers, etc.

I don't see why the Open Source community couldn't pick up on it and update it for the last releases of Linux distributi

Samba is King of the Free Software World

[the man with the pla]

Admit it. With the exception of Apache, Samba is the number one reason that Linux (and BSD, too!) has been able to invade the datacenters of companies the world over.

Without Samba, Linux et al would be in a much less pretty position.

Perhaps we should call it Samba/GNU/Linux? :)

Kudos to the Samba Team, Tridge, and all Samba developers/testers/users!

Re:Samba is King of the Free Software World

[Rick the Red]

I'm not so sure. Yes, from an administration standpoint it's far easier to make the server (Linux) conform (Samba) to the client (Windows) than it is to force all the clients to conform (NFS) to the server, but if Samba did not exist I believe NFS would have stepped in and filled the gap. Samba has reduced the need for a good open NFS client for Windows, but I'm sure someone would have written one if Samba did not exist.

Indeed, I predict that someone will write one should Microsoft succeed in shutting down Samba (via patents or whatever -- you know killing Samba is on their to-do list).

Re:Samba is King of the Free Software World

[wfrp01]

The problem with NFS is that it presumes the clients are trusted. SMB is not the most secure network file system, but it's more secure than NFS, and ubiquitous. Perhaps the next version of NFS will be better in this regard, I'm not sure.

Don't kid yourself, NFS can be secure.

[Ayanami Rei]

But no one wanted to set up GSS or Kerberos 5 years back, so it never caught on.

Lot more complicated than /net/machine/share...

Re:Samba is King of the Free Software World

[Captain_Chaos]

Perhaps the next version of NFS will be better in this regard...

It is. [nfsv4.org]

Re:Samba is King of the Free Software World

[carpus]

Perhaps AFS and/or CODA will provide enough diviersion that Microsoft is unable to nail either of them. The Distributed filesystems like CODA and AFS, while not well known by the general populace, would probably provide as much quiver down Bill's spine as Samba, not because they are better than Samba, but that they represent some very cutting-edge, future competition. Is M$ focuses on Samba too much and not on the other high-tech alternatives, they may just get handed their hat from behind...

Re:Samba is King of the Free Software World

[Glamdrlng]

(via patents or whatever -- you know killing Samba is on their to-do list).

Incidentally, with its first service pack, Windows Server 2003 is supposed to have a "feature" whereby it can check to see of connecting client machines conform to a patch/service pack policy, and deny them access if they don't. What do you suppose will happen when a linux machine tries to connect to one of these servers using smbclient or smbmount?

Re:Samba is King of the Free Software World

[hendridm]

I love Samba, but in a data center? I guess my idea of a data center is the likes of Rackshack and DataPipe, of which have no use for Windows shares, but I suppose if your data center has a need for thousands of Windows shares... :/

SCP is the way for me.

Re:Samba is King of the Free Software World

[rizawbone]

I've worked in 2 major datacenters and samba is no where to be seen. Do you even know what a datacenter is?

Missing software

[Anonymous Coward]

I would include Zabbix [zabbix.org] to the Monitoring and Administration section. This is out-of-the-box application that takes care of monitoring of our network consisting of more than 400 nodes. It is not as mature as Nagios or MRTG, but its stability and feature set makes it extremely useful. Native high-performance agents cover most of platforms: Solaris, AIX, HP-UX, MS WIN, Linux, *BSD, OS X. Could be installed in a 5 minutes, this is big advantage over Nagios or OpenNMS.

Re:Missing software

[Anonymous Coward]

He states in the article on the website 'Fear and Loathing at comdex 2003' [localareasecurity.com] that, "Being that there are so many tools that can fit into that catagory which are Open Source. I did my best to give a high level overview of what there is available and to mention the less known, but equally good tools available. So please don't send me hate mail as to why X, Y, or Z was not mentioned."

So with limited time he was only trying to give people unfamiliar with Open Source tools a tasting of what there is to offer. . .

Re:Open source in the data center?

[El Cubano]

With all the recent security issues surrounding open source (Debian, anyone), I would think twice about using open source in my data center.

Please get a clue. The Debian compromise was because of a lost password. Every OS/App is equally vulnerabne to this.

When it comes to centralized management of your IT assets, Microsoft products are unbeatable. An excellent reason to be an MS only shop, IMHO.

Now I get it, you're trolling. MS may have some good tools, if you need point-and-drool and don't try to do anything the system or tool was not explicitly designed to do.

In my case, I admin a research lab with 12 workstations and two servers, all running GNU/Linux. I spend no more than 15 minutes per week on routine admin tasks, all of it from home. I can also remotely install any software the researchers need. The only reason I ever need to physically go there is to replenish the office supplies (toner, paper, bsank CDs). That sort of a setup would be difficult, if not impossible, with an MS-only setup.

Ugh... IPTables....

[zulux]

OpenBSD has PF - a really cool packet/nat/authentication/bandwidth limiter/port forwarding system that is really, really, cool

You can do clever things, like allow a certain amount of bandwith for sombody, but if they log in, the bandwith limit disappears.

Or parse the spam blackout litsts and block all incoming packets from them (spam trype networks have more that their fair share of crackers)

All withouht crypic config files.

I *REALLY* hope, for Linux's sake, that after FreeBSD ports PF (to replace thei

JFFNMS

[szysz]

Another tool to monitor a Cisco-based or other networks is JFFNMS [jffnms.org]

It can monitor TCP Ports, Network cards, CPU, Memory, Disks, all using standard SNMP, with no client side scripts.

You can integrate it with your OSS using various RPC methods, everything is stored in MySQL or PostgreSQL.

Its very extensible too...

Javier
It's my own project. :)

HP OpenView

[topside420]

HP OpenView is what we use to manage thousands of network nodes/hubs. Everything is displayed in a hub/spoke fashion and it easily intigrates with all your equiptment using the SNMP (Simple Network Management Protocol). Not open source, however this tool would be easily adopted by any *nix lover. Everything is easily scriptable, and the GUI is based 100% off command-line apps. So, anything you can do in the GUI can be scripted and alarms can be HIGHLY customized, reports generated on site statistic, you can even view real-time graphs of performance, packet-rate, utilization, etc of any single interface, or multiple interfaces on the same graph.

Another tool of use is the Cisco Transport Controller...we use this to monitor a fiber network up in MA.

Re:HP OpenView

[RicoX9]

I have run both. I like NOT having to mortgage everything to buy the software, then finding out that to run it right, you need to sell your firstborn for the hardware to run it on. For the price of the Sun hardware you need to run OV, you could buy the x86 hardware to monitor and manage a LARGE network.

I used to work as an SE for Cisco, ran a mid-sized ISP's network, owned a computer store, and have run a couple of corporate networks(not bragging, just qualifying my experience, Cisco SE's are highly techni

Re:HP OpenView

[delong]

But OV costs an arm and a leg. And paying people with experience in OV costs and arm and a leg.

Even WorldCom (formerly UUNET) doesn't use OV for its hosting datacenters. Too expensive. They use open source tools on linux.

NMIS

[mikus]

I've been using NMIS (http://sins.com.au/nmis) for about 2 years and it's better than any commercial NMS I've seen and used. Even our management turned down the likes of OpenView and Patrol in favor of it (of course cost helped that as well :). It's got it quirks, and isn't very modular unless you know perl reasonable well, but oob in a cisco network it's great with support for other vendors slowly growing. The developers are supportive via their email list as well. If you're in the need of an monitorin

Link Looks awful in Mozilla

[earthforce_1]

Did anybody else find that?
(Was Ok with IE, but rather ironic finding a site on open source tools displays correctly only for a closed source browser.

Re:Link Looks awful in Mozilla

[Anonymous Coward]

Looks pretty good in OpenCavity [goatse.cx] though. Check it out, it's 100% open source, as you will immediately recognize.

Re:Link Looks awful in Mozilla

[Indy1]

i'll second that. It looked like complete shit, and i pretty much closed the window with in seconds. Piss poor web design.

OpenNMS v. Nagios

[buddha42]

I'd be curious to hear peoples experiences with OpenNMS compared to Nagios.

Re:OpenNMS v. Nagios

[Brian the Wise]

Greetings...

We started using Nagios just over a year ago as something quick and simple while we were building our infrastructure (was still beta in those days). It does the job if you have a small site, but does not scale well. We've just switched over to OpenNMS. It does take a lot more effort to configure and get up and running (especially as we're not running it on Linux), but it's worth it for the additional flexibility and features you get. It helps if you have someone who understands Java for the imp

OpenNMS

[lordrich]

And openNMS does what exactly? There's a vague description on the website, but its not terribly helpful. Screenshots anybody?

Re:OpenNMS

[Ewan]

it's like hp openview, it tries to provide a nice looking interface for managing your network, both monitoring and configuring.

Open Source Network Administration

[BobSutan]

I've been reading the Open Source Network Administration book by James Kretchmar (review here in fact) and its been a really good read. Really applicable to the subject in my opinion.

Just my $.02 on the subject.

more scanning tools

[cnb]

SPAM/VIRUS/WORM SCANNING

amavis - http://amavis.org/
qmail-scanner - http://qmail-scanner.sourceforge.net/
dspam - http://www.nuclearelephant.com/projects/dspam/

MRTG? Upgrade to Cricket

[Anonymous Coward]

The authors of the LAS should have mentioned Cricket.
Which is a much evolved performance trending system. For those looking to trend data from routers, switches, firewalls, servers, sensors, files. Cricket offers a very flexible configuration method. It is all in perl, so very easy to support, extend and integrate. It includes a grapher, a collector and a configuration system.

It does what it does well.

The system also offers easy integration with event management systems open-source or not. It scales well

backup utilities

[m_c_rose]

my company uses netbackup for all out backup needs we have evaluated many options, but find due to lack of support from other vendors when used with non supported solutions, OSS is not a feasible solution. Our company is a 99.9% solution provider and if something breaks there must be a chain of monetary responsibility. Veritas gives us the support we need and all of our other vendors support netbackup. we do have a couple linux servers but for the most part we are a sun environment, which takes us full circ