Category: Outright Rant

Perceived Productivity »

“What, you just sit around all day browsing Wikipedia?”

“Excuse me?”

“What are you looking at in Wikipedia?”

“The article on X-Men.”

“Tough day at work, I suppose.”

“Um, I’m trying to figure out a naming scheme for the 10 new servers I’m bringing in. That okay with you?”

“Oh, sorry.”

Just because you think I’m not doing work doesn’t mean you’re right.

(also, great site for naming schemes: namingschemes.com)

Cloud Computing »

My friend Terry’s slightly unorthodox take on cloud computing:

To hell with cloud computing. Clouds are puffy crap that float lazily by. Is that what you want out of your service provider? Just floating by without a care in the world?

It is time for tornado computing. Or hurricane computing. Real wrath of God type stuff. I want an architecture that knocks me off my feet, whips my apps around and hurls them half way through a tree. I don’t want my data intact for some script kiddie to steal. I want it like a frog in a blender; unrecognizably processed with a taste only I care for.

So to that end I am setting half of my air handlers to “Freakin’ Steaming,” the other half to “Ice Storm,” and locking the doors until the screaming stops. By this time tomorrow you should have some form of cloud computing in the data center, maybe a squall somewhere over the mainframe if you’re lucky. Viva La Revolucion!

Interestingly enough, that pretty much sums up my feelings, too. Service providers don’t seem to address the DR, legal, privacy, and security concerns that corporations have, don’t seem to care, and even go so far as a Microsoft rep telling a coworker of mine that “it’s no big deal as every bit of information about you is practically out there already.” Given that sort of attitude how can I do anything but build my own cloud?

Your Sysadmin Should Know Why Backups Are Good »

You know, if you’re a system administrator there are a few things you should know (and probably do). One of those things is why you should have backups.

If you can’t figure out why perhaps you should find a different profession.

Seriously.

I’m fine if you don’t keep backups because you’ve thought about it and you are taking a calculated risk. However, having to explain why backups are valuable to someone who, until this moment, I considered a peer is ridiculous.

It’s like having to explain what DNS does to someone who calls themselves a network administrator. I’ve done that, too.

Second Coming of Jesus? »

How do I know that it’s time for Apple to give birth to the 3G iPhone?

Because my officemate has started to refer to it as “the second coming of Jesus.”

I wrote the new phone a haiku:

Dear 3G iPhone
Wish you were here already
So people shut it.

Not that I’m tired of hearing about it. Nope.

I hear it will have infinite battery life. And it will read your mind. And it will have 1 TB of storage. And it will find your keys when you lose them. And it will feed your cats. I can has 3G iPhone.

Arggh.

How is /etc/hosts bad? Let me count the ways. »

/etc/hosts is a nice way to temporarily convince a host that certain DNS mappings exist, for testing, troubleshooting, or just temporarily working around oddities. However, I’ve seen a resurgence in using /etc/hosts for more than just temporary purposes. This, in my opinion, is bad.

I’ve always been a huge fan of tip #6 in “The Pragmatic Programmer”: Don’t Repeat Yourself. As soon as you repeat yourself you risk the different copies getting out of sync, which causes problems and confusion. Putting a fully-qualified domain name (FQDN) in /etc/hosts as well as in DNS means that at some point later in life the two will be out of sync.

“It’s only on a couple of hosts, for testing.”

First, if it’s on more than one host you are repeating yourself. Second, testing is fine but now it’s another thing to remember to fix when you roll into production. It also means that production will potentially be different than your test environment.

“We don’t need to put this in DNS.”

Why not? DNS is a database built to solve the host name to IP mapping problem and it’s good at it. Perhaps you have more of a political problem with whoever runs your DNS.

“You have automated tools that can maintain synchronized copies of /etc/hosts on multiple machines, so what’s the big deal?”

Just because we can doesn’t mean we should. Plus, you’re still repeating yourself. The machines can still get out of sync with each other and/or with DNS.

“If we don’t put this in DNS then it won’t get hacked.”

I’m pretty sure hackers know how to use IP addresses. This is security through obscurity, which doesn’t work.

“Well, they won’t know that the server is our database/app/web server if they can’t resolve the name.”

A quality port scanner can often tell what services are on what ports, even if you are running services on non-standard ports. In short, if you are relying on the lack of DNS to prevent hacking you’re in trouble.

If you really want you can use ACLs in BIND to restrict who can query certain DNS zones.

“I want entries in /etc/hosts for performance reasons.”

A caching name server on the host may also increase performance and still get its information from DNS, which does not violate the don’t-repeat-yourself clause.

“I want entries in /etc/hosts for reliability reasons.”

Again, perhaps a caching name server locally would fix the problem. And if you have unreliable DNS you are probably having other problems, too. Perhaps you should fix that.

“DNS is tricky to administer, and the files are simpler.”

Maybe, but if you have a service, application, or system that needs DNS entries you should probably figure it out. Eventually you’ll have to know something about DNS. Editing files is simple until you get more than one server, and then the effort to keep the hosts files synchronized is usually better spent keeping DNS up to date.

“We define host names to have different IPs using /etc/hosts, which is how we do load balancing.”

You can do the same thing with round-robin DNS entries.

“We define host names to have different IPs, based on the functionality the server needs. So ‘database’ is 192.168.10.20 if it only reads and 192.168.10.21 if it needs to write.”

That sounds very confusing. Perhaps you could just register ‘database-read’ and ‘database-write’ in DNS and teach your app which one to use?

“Hosts files are a proven, reliable technology.”

*sigh* So is DNS…
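To find the out-of-sync copies this post warns about, a hosts file can be audited against DNS. The sketch below is an added example, not code from the original post; the host names, addresses, the `SAMPLE_DNS` table and the `resolve` callback are constructed assumptions so that it runs offline.

```python
import ipaddress

# Constructed sample /etc/hosts content (illustrative, not from the post).
SAMPLE_HOSTS = """\
127.0.0.1      localhost
::1            localhost ip6-localhost
192.168.10.20  database.example.com   # pinned "for testing"
192.168.10.30  app.example.com
192.168.10.40  legacy.example.com     # never registered in DNS
"""
# Constructed stand-in for DNS answers so the example runs offline.
SAMPLE_DNS = {
    "database.example.com": {"192.168.10.21"},
    "app.example.com": {"192.168.10.30", "192.168.10.31"},
}

def parse_hosts(text):
    """Yield (address, name) pairs, skipping comments and loopback lines."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an IP address
        if addr.is_loopback:
            continue
        for name in fields[1:]:  # canonical name plus any aliases
            yield str(addr), name.lower().rstrip(".")

def audit(hosts_text, resolve):
    # resolve(name) must query DNS directly: the system resolver usually
    # reads /etc/hosts first and would only echo the file back.
    findings = []
    for addr, name in parse_hosts(hosts_text):
        answers = {str(ipaddress.ip_address(a)) for a in resolve(name)}
        if not answers:
            status = "hosts-only"  # the name exists only in this file
        elif addr in answers:
            status = "duplicate"   # same fact maintained in two places
        else:
            status = "drift"       # file and DNS now disagree
        findings.append((name, addr, status, sorted(answers)))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE_HOSTS, lambda n: SAMPLE_DNS.get(n, set())):
        print(row)
```

In real use, `resolve` would wrap a direct DNS query (a DNS library or `dig`) rather than the operating system's name lookup, for the reason given in the comment.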

Voicemail Message Etiquette »

I just cleared out my voice mail box, and I made some observations about voice mail messages:

  • First, I hate voice mail. Email me instead.
  • You don’t have to tell me what time it is. Voice mail is time-stamped, and it usually doesn’t matter that much.
  • You do need to say who you are, because voice mail doesn’t record that. Do this in your first sentence. If you are with a vendor you should say that, too, especially if I’m waiting for a call from you.
  • Please use your full name. You might be one of my closest friends but sometimes phones make people sound weird, cell phones cut out, and background noise sometimes makes it hard to figure out which “Bob” you are.
  • If you called to have a conversation with me just tell me to call you back. A conversation is where two people talk to each other. My voice mail is not me, so you’re just talking. Talking != a conversation.
  • Tell me why you called, using one sentence or less. Extra points if the whole message is a sentence or less.
  • Tell me where you want me to call you back. Don’t assume my phone or voicemail has a log of your missed call, though if you’re sure I have your number it’s fine to tell me to call your cell, etc.
  • Don’t leave me a message saying only that you’re going to try calling me somewhere else. Not useful.
  • If the message includes an address or a phone number say it twice, slowly, so I can write it down. The first time you say the phone number I’ll be scrambling for a notepad, and replaying the message just for a missed number sucks.

That’s about it. *Seems* simple. Thanks for listening. :-)

Sun & Google are as Bad as Apple »

The ever-annoying, ever-moronic[0] Java Updater popped up today and prompted me to update. I indulged it, figuring there was probably some new gaping security hole again.

What did I find as I proceeded? It wanted to install the Google Toolbar. Did I have the Google Toolbar already installed? No. So why is the default action to install it, unless I opt out?

Apple’s taken some heat lately for their decision to push Safari to anybody who runs their Apple Software Update utility. I didn’t want Safari, but unless I opt out of it I’ll get it. Now Sun and Google are doing the same thing with the Google Toolbar. Users know that if they don’t update their software they’ll get hacked, and Sun, Google, and Apple abuse that by pushing unwanted applications (Safari) and spyware (Google Toolbar) to systems that didn’t already have it. It isn’t enough that they allow you to opt-out. They do this knowing that most users aren’t going to opt out, either because they don’t know any better or because they miss the option.

If there was ever a reason for a law to be passed, this is it.

———————-

[0] Ever-moronic because the updater seems to like starting two, three, or four copies of itself, all sitting in my system tray. Maybe they think that I’ll be more inclined to update if the updater takes over the entire bottom of my screen.

When Version Numbers Are Our Biggest Problems… »

I just read this post over at SearchServerVirtualization.com[0]. All I have to say is that I will rejoice when version numbering is the biggest issue facing us in the virtualization community.

I was going to say more[1] but isn’t there some rule that if you can’t say something nice don’t say anything at all?

————

[0] I didn’t want to link to it, but I couldn’t see a way around it.

[1] Those that know me should feel free to speculate. :-)
