April 2012 Archives

The NJ Chapter of LOPSA is graciously letting me do a dress rehearsal of my Ganeti presentation that will be presented at the PICC Conference next week. http://picconf.org If you can't make it to the conference or just want to be able to attend one of the conflicting sessions, this is a great opportunity for you.

Complete details are on the www.lopsanj.org website.

Topic: Ganeti Virtualization Management:Improving the Utilization of Your Hardware and Your Time

Date: Thursday, May 3, 2012

Time: 7:00pm (social), 7:30pm (discussion)

If you are planning on coming please RSVP so we have the right amount of pizza.

Complete details are on the www.lopsanj.org website.

I don't think I really understood SSH "Agent Forwarding" until I read this in-depth description of what it is and how it works:

http://www.unixwiz.net/techtips/ssh-agent-forwarding.html

In fact, I admit I had been avoiding using this feature because it adds a security risk and it is best not to use something risky without knowing the internals of why it is risky.

Now that I understand it and can use it, I find it saves me a TON of time. Highly recommended (when it is safe to use, of course!)

Tom

http://yfrog.com/keassywqj

The PICC committee is excited to announce our opening keynote speaker:

Bill Cheswick, Security guru and co-author of "Firewalls and Internet Security"

Topic: Rethinking Passwords "We've known that passwords have been inadequate for over thirty years and they have only gotten worse. Can we escape the varying 'eye-of-newt' password rules that plague everyone's online lives? Can we get grandma safely to the other side of the authentication street? I will review some of the many research ideas that have been proposed, and offer some suggestions toward getting us out of this thicket."

DINNER will be provided to all attendees on Friday at 6pm; Bill's talk will begin after dinner (8pm).

We're very excited to have Bill speak at PICC. He is a NJ local, a fantastic speaker, and was unavailable the last few years. We finally got him!

Register for PICC here: http://www.picconf.org/registration/#event

   (NOTE: Tutorial seats are running out!  Register NOW!)

[first draft]

Someone asked me about "The Internet Needs a New Pair of Pants" and I thought it would be a good chance to post some thoughts I've had.

For the most part he's asking the wrong questions. Only #10 and #11 really matter.

But first a quick tangent...

We don't "store data" on the internet. You can 'store data' by putting it on a hard drive and then powering it off. That's easy. Anyone can do that. What you do on the internet (or "in the cloud") is you make data available (either to everyone, a restricted group, or just yourself). To make it available it uses a constant amount of power, upkeep, maintenance, backups, etc. Backups is often 9x the cost of hard drive you bought to store the data.

That said...

In the future we will store more and more of our information on other people's computers simply because it is cheaper. Energy is very expensive and typical data centers are built where power is cheap. There are efficiencies of scale to power one big data center rather than a million hard drives, each in that person's home. The power in data centers will always be greener than what you get in the home not because cloud providers are pollution-hating hippies but because when you do things at big scale it becomes cheaper to do things green. Lastly, at big scale things like backups, upkeep, maintenance, etc. all become much cheaper. The cost of a huge robotic tape backup system may be millions of dollars, but the cost of millions of homes each doing backups is hundreds of millions. More and more of our data is being stored in the cloud not just because it is easier that setting up a home system to do it for us but because we can't afford to do it any other way.

That said...

If we are going to put more and more of our data in the hands of other people, we need a "bill of rights" that protects us and the providers:

Users should:

1. be able to know what data is being stored about them (example)
2. be able to get a complete copy of all their data in a format that lets them change providers any time they want, no fees or penalties (example)
3. users should be able to grant access to their data to other people, easily see who has access, and revoke it (a good start)

Providers should:

1. Have a clear procedure to determining when a government subpoena for a user's data is valid (not a fishing expedition or witchhunt)
2. Not have all their computers confiscated due to a single user; even if user's data is mixed with others.
3. Should be required to publish statistics about which governments are making subpoena and take-down requests, how often, and whether or not they were rejected (example)

That list is just a start.

As system administrators we are probably the most aware of these issues. Sadly these decisions are generally made at the CEO level where we have very little influence, or in smokey, dark rooms where political decisions are made (and we have even less influence).

The problem is that the current laws are insufficient, new laws tend to be written by people that are against the things listed above, and nobody knows how to deal with data in one country being stored by a person in another county that breaks the laws of yet another country.

I've linked to services that do the things I talk about. I'll gladly add links to other services that have these features (email me or post a comment). I think everyone should go to their providers and ask (demand) all of the above, and we should ask (demand) our elected officials create laws that make these things possible, if not required.

But who has time for that, right? I mean... we're sysadmins! We're too busy to get political.

Usenix is sponsoring the first Women in Advanced Computing (WiAC) Summit to run during Federated Conferences Week in Boston. WiAC will be all day June 12th, 2012.

Carolyn Rowland and Nicole Forsgren Velasquez are co-chairs. Carolyn recently posted on G+ a request for ideas: What would make this a must-attend event? What topics should we cover in order to appeal to women of varying professions and backgrounds: researchers, to developers, sysadmins, IT managers, etc.?

Carolyn wrote "We'd like this year to be the start of a recurring Usenix event that allows people who believe we need to support women in the computing professions to come together to share ideas, meet new people and get inspired."

For more information please visit: https://www.usenix.org/conference/wiac12

You can reach Carolyn and Nicole at [email protected]

RFC 6540: IPv6 Support Required for All IP-Capable Nodes

This new RFC basically says that vendors can no longer consider IPv6 as an optional feature. If you say it supports 'IP' you better include IPv6.

The RFC specifically calls out these best practices:

• New IP implementations must support IPv6.
• Updates to current IP implementations should support IPv6.
• IPv6 support must be equivalent or better in quality and functionality when compared to IPv4 support in a new or updated IP implementation.
• New and updated IP networking implementations should support IPv4 and IPv6 coexistence (dual-stack), but must not require IPv4 for proper and complete function.
• Implementers are encouraged to update existing hardware and software to enable IPv6 wherever technically feasible.

You: If you haven't started using IPv6 in your environment I highly recommend you take the time to educate yourself: Read a book, learn how Google did it, or sign up for the excellent IPv6 training at PICC.

Your vendors: When talking with vendors do not treat IPv6 as a "would be nice". Inform them that anything you buy this year must be IPv6 capable and can't have worse performance than IPv4. New network gear and software purchased this year will probably be in your network until 2020 or longer. If you don't think IPv6 will be in your environment this year, you have to agree it will be by 2020.

Your boss: If you need help explaining this to your boss read this fine article on IPv6 migrations (The "introduction" section is all background and history, after that is all the advice.) TLDR version: Start from your ISP to your external gateway, then work your way in enabling IPv6 carefully at each step.

Lastly... if you want a fun starter project, get it enabled at your house either via your ISP or get a free tunnel.

I'll be giving a talk about Ganeti, the open source virtual cluster manager April 10th @ 8:00pm at the Woodbury Campus of Cold Spring Harbor Lab, in the Woodbury Auditorium.

For more information visit:

http://lilug.org

See you there!

I'll be the guest speaker at LILUG this week. If you've never been to LILUG and live in Long Island this is a great time to check out this great Linux Users Group!

I'll be giving a talk about the Ganeti open source project. Ganeti is a system that manages clusters of virtual machines. In my demo I'll build a cluster right in front of everyone and show off some of its features.

If you use Xen or KVM virtual machines, Ganeti will help you do it easier, cheaper and more reliably.

Tuesday, April 10th @ 8:00pm at the Woodbury Campus of Cold Spring Harbor Lab, in the Woodbury Auditorium. Full into is here:

http://lilug.org/wiki/Template:LilugMeeting2012_04

Hope to see you there!

--Tom

"More than 600,000 Macs have been infected with a new version of the Flashback Trojan horse that's being installed on people's computers with the help of Java exploits, security researchers from Russian antivirus vendor Doctor Web said on Wednesday."

Technical details here: New Flashback Variant Changes Tack to Infect Macs

This is serious, folks. Run your "Software Update" now and reboot. Help your non-technical friends do it too.

This week the USENIX Board announced that Anne Dickison and Casey Henderson have been appointed USENIX Co-Executive Directors effective April 2, 2012. Anne and Casey have been with the Association since 2003 and 2002 respectively. Previous to their new appointments Anne was the USENIX Marketing Director and Casey was the Information Systems Director.

If you've been at a USENIX conference since 2002 you've probably met them or seen them in the registration area. It was a delight to work with both of them when I co-chaired LISA '11 last year. Anne's super-power was not freaking out when I was and Casey's super-power was not being annoyed by my constant flood of technical requests. Both demonstrate the spirit of cooperation that is a great benefit to the the sysadmin, F/OSS, and open systems communities: a trait we should all strive to emulate.

Here's the full announcement: https://www.usenix.org/news/usenix-announces-new-executive-directors

Soon there will be a "live chat" with the candidates. At that time I plan on asking this question:

"I'd like to know about your experience with community-based projects. Please tell us about a project that you took responsibility for seeing through to completion (i.e. did most of the work). Please, only projects that are "done" or have reached a self-sustaining mode only. One or two sentences is fine. It doesn't have to be a project where you thought of the idea, just one where you assured it reached the finish line."

I look forward to reading their answers.

The Baltimore/DC chapter of LOPSA is called CrabbyAdmins (a reference to the crab industry in the Chesapeake bay). I'll be speaking there on Wednesday night about the Ganeti open source project.

This meeting will be in Columbia, MD, hosted at Next Century (across the street from OmniTI). It will run from 7pm-9pm.

If you are interested in inexpensive virtualization or just live in the area and want to meet your local sysadmin community (or me!), please stop by!

Full info and directions here: http://bit.ly/HfiVNE

Tom