Over a barrel.
Now.... bend over. A nice little earner for Microsoft.
Microsoft is officially charging customers at least $600 per server to safely run Windows Server 2003 after its July 14 support cut-off date. The number has come to light from Microsoft licensing expert Paul DeGroot of Pica Communications, who told The Reg he knows customers who’ve been quoted this figure. The price is for …
"You can't compare the two."
Well I can - they mostly can do similar things. Lots more security patches to evaluate and deploy for RHEL though than Windows Server which takes more of my time, and it's a lot harder to manage. Windows Server 2003 just works and is much more user friendly.
"but if you're price sensitive you wouldn't be paying for RHEL in the first place."
I presume you refer to CentOS. Maybe if you run the IT for Fred Blogs Corner Shop you can deploy that, but those of us in the enterprise world need proper support.
Citation needed. And please don't count the patches for components not used in a server configuration, unless you count the same for Windows 2003, that is: MS Office, Media Player, etc.
Well, you have to tally the IE patches for Windows 2003 as the browser, according to MS, was an integral component of the OS, while you don't have to do the same for RHEL.
No problem in proving me wrong, but I'm really sceptical about this statement.
Here is one from not too long after the launch of Server 2003:
Here is another from 2007:
There are loads more, but the general message is that Windows Server had fewer holes than an enterprise Linux distribution (As per Jeff Jones even if feature matched) for most if not all years in the last decade...
"The full report confirms that Microsoft funded the study"
Nice links. Did you read them? They're sales bullshit aimed at non-technical people, like you or my boss.
Counting the number of vulnerability fixes isn't an accurate methodology. One could say that the one with the most fixes is more secure.
A system is as secure as the idiot using it. I've never worked on Linux, but I've worked with plenty of idiots in the Windows world.
You post two links:
- A blog entry on Microsoft's own msdn where someone says "according to my own calculations", I suppose that this means that you accept their word verbatim.
- An informationweek article that does not even break down by OS the vulnerabilities. Querying the linked NVD database from CERT using the keyword RHEL reports 78 vulnerabilities in total, for everything that is in the database since the dawn of time.
With the above two facts in consideration, and "according to my own calculations", your statement of RHEL having more security patches is false. And of course, my methodology is wrong, flawed, and lacks credibility. But equally wrong, flawed, and missing credibility as the two sources you quote.
"Querying the linked NVD database from CERT using the keyword RHEL reports 78 vulnerabilities in total, for everything that is in the database since the dawn of time."
Presumably your query term is a fail then:
Vulnerability Report: Red Hat Enterprise Linux Server 5
Affected By 2307 Vulnerabilities
"Vulnerability Report: Red Hat Enterprise Linux Server 5"
Affected by 204 Secunia advisories, 2307 vulnerabilities
Indeed for 2014 (for example) there were (from your ref) 29 'adv' - all in Flash & Java
Indeed for 2013 (for example) there were (from your ref) 35 'adv' - all in Flash & Java & Acrobat
Indeed for 2012 (for example) there were (from your ref) 24 'adv' - all in Flash & Java
Indeed for 2011 (for example) there were (from your ref) 25 'adv' - all in Flash & Java
Indeed for 2010 (for example) there were (from your ref) 29 'adv' - all in Flash & Java
Indeed for 2009 (for example) there were (from your ref) 26 'adv' - all in Flash & Java & SAMBA !!
Indeed for 2008 (for example) there were (from your ref) 25 'adv' - all in Flash & Java
Indeed for 2007 (for example) there were (from your ref) 7 'adv' - all in Flash & Java & elinks ?
None between 2003-2007. 1 unfixed vuln. for RealPlayer (giggle)
Shabby, shabby ....
Whereas the 400-odd MS 2003 server advisories are almost all MS code related and 22 are not yet fixed.
Chemist, of what relevance whatsoever are the number of advisories? Unless you are a complete moron, it would be obvious that this is simply the number of communications on the product from Secunia (which might each document multiple holes). It has no relationship at all to the number of vulnerabilities, which is what is being discussed here...
"of what relevance whatsoever are the number of advisories? "
Simple AC, once you dig into the details they show that of the ~2000 'vulns' reported in RHEL almost all were in 3rd party software and only one hasn't been fixed. Whereas the 684 Server 2003 vulns were almost all MS code and 22 still haven't been fixed.
The fact that you used the link to Secunia to shoot yourself in the foot, as usual, is par for the course
" of the ~2000 'vulns' reported in RHEL almost all were in 3rd party software"
Erm no. They were ALL in the Red Hat Linux distribution, as shipped and supported by Red Hat. That Red Hat might obtain many of the components from third parties isn't relevant. That's like claiming IE stats don't count because Microsoft got the original code from Spyglass...
"That's like claiming IE stats don't count because Microsoft got the original code from Spyglass.."
Um. No. It's really not.
Red Hat do not 'own' all of the packages. They do not claim that they maintain all of the packages. You are falling into the same trap that I showed was false in a previous post. Please refer to that.
But to reiterate. Red Hat own the compilation and packaging of many of the packages in their repositories. They do not own the maintenance of the packages themselves. They could fork a package if they wanted (it's Open Source after all), but in most cases they don't want to for perfectly valid reasons. Use Firefox as an example, which is in the distro, but is maintained by the Mozilla Foundation.
In contrast, Microsoft claim IE as their own package. They maintain it. They employ staff explicitly to maintain it, and they would be super-pissed if someone else tried to publish a derivative of IE, or claim some IP over it.
It appears to me that you are deliberately trying to confuse the issue, unless you really have a fundamental mental block about what Open Source is all about.
Like Chrome, isn't it a Google rewritten version of open-source Chromium?
The "wheel/mousetrap" is NOT being reinvented lately, mostly, just merging of "products" through shared ideas/views; there are only so many ways to watch a cat video ..
"the general message is that Windows Server had fewer holes than an enterprise Linux distribution (As per Jeff Jones even if feature matched) for most if not all years in the last decade..."
Why is it OK for this post/poster to claim that Jeff Jones is authoritative on this subject, and yet it is not OK (as in, posts will be rejected) for anyone (e.g. me) to point out that Jones is a long term senior Microsoft employee (and before that, McAfee, as far back as 1998)? Given that history, he's not exactly an independent authority on the subject, is he? So in many people's eyes it might be considered entirely fair to point out that he's linked(in) with MS and McAfee.
What kind of wording might be acceptable to you, if it was permissible to point out that Jones isn't an "independent witness"?
Would you be offended if anyone suggested that your selective censorship might have the appearance of (even if not the intention of) double standards?
If you fancy replying, you have my personal email address but I can't access it from work as the nice IT people have blocked access to external email and bypassing the blocks is a sacking offence.
Have a lovely day.
but those of us in the enterprise world
"us"? Your comment suggests that you know very little about the "enterprise world".
RHEL is completely different to Windows Server. It's like comparing a BMW with a horse, because they both take you to the shops and back.
btw, I'm a Windows user, so calm down fan boy.
"RHEL is completely different to Windows Server. It's like comparing a BMW with a horse, because they both take you to the shops and back."
Well yes I give you that. Windows is nice and easy to use and comes with loads of extra luxury features like a BMW, whereas Linux takes a lot of time and skill - and is much harder and more time consuming to use, and comes with just the bare essentials, but eventually gets the job done like a horse.
I note for instance that Linux still doesn't have basic security features like constrained delegation. And last time I checked it still didn't have fileserver basics like file de-dupe and storage tiering out of the box either...
Having just read a Technet description of Kerberos constrained delegation, it would appear that Microsoft have implemented a service using a fundamental feature of Kerberos - which appeared on a number of platforms including UNIX before it was added to Windows, and have been presumptuous enough to have given it a name.
Linux implementations of Kerberos will have the same fundamental technologies, but nobody has given it a specific name except Microsoft, who are trying to cash in on other people's work. I'm pretty certain that all Linux distros will have Kerberos 5 support in their repositories. RHEL6.5 certainly has.
There are also several deduplication facilities available for Linux, including a number of filesystems like btrfs and ZFS. You just have to use a search engine to find them. ZFS also supports tiered storage (before Windows 2012, btw), as does IBM Elastic Storage, although Elastic Storage (aka GPFS) is commercial software.
I admit that it's not out-of-the-box, but it's hardly difficult to come by.
"Linux implementations of Kerberos will have the same fundamental technologies, "
But Linux doesn't use Kerberos features to control OS user access rights. You have to use kludges like SUDO - which must at least initially execute as ROOT. This is a massive fail. With Windows though you can allocate JUST the rights needed on a fully granular basis.
"I admit that it's not out-of-the-box, but it's hardly difficult to come by."
Quite - so much more difficult to support if you are installing 3rd party packages, and of course you have to install (compile?!) and configure the product. In Windows I just need to make a few mouse clicks....
> You have to use kludges like SUDO - which must at least initially execute as ROOT. This is a massive fail. With Windows though you can allocate JUST the rights needed on a fully granular basis.
Ever heard of UNIX ACLs? Thought not.
Besides, you do not necessarily have to use sudo, you can use su, you know? I do not understand your issue with sudo INITIALLY running as ROOT ... do you even know what sudo does? Go read up on the sudoers file, you can adapt it quite some bit, how can you do that on Windows?
>Quite - so much more difficult to support if you are installing 3rd party packages, and of course you have to install (compile?!) and configure the product.
I cannot remember the last time I was obliged to compile some 3rd-party app ... must be 7 or 8 years - and I use Linux on my primary workstation. I know kernel modules need to be recompiled when a new kernel is installed and the system rebooted, but that happens "transparently".
There are quite a few apps in my app repositories, like Java, mysql, postgres etc, etc, etc that I can install in a few clicks as well, however, no "Goto google > type app name > skip ads > locate website > locate download section > locate correct platform/bittiness > find download button, no, really watch out here, there are 5 on this screen > wait, wait, wait > execute file > Next > untick unwanted toolbars and/or adware > Next > untick startup when system starts > untick litter my desktop > reboot > done" bullshit ... for me it is just "Software (link on my dock/panel) > fill app name > click install > wait, wait, wait > done".
Actually, that is for mom and pop, I use aliases ..." $ get [app_name] > wait, wait, wait > done."
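The sudoers granularity argued over in the exchange above, as an added example that is not from any poster: a small Python evaluator for a subset of sudoers syntax (rule lines of the form `user HOST=(runas) [NOPASSWD:] cmd, cmd ...` with the ALL keyword; this is not sudo's own parser), used to compare an all-commands rule against a narrow per-command one and to flag rules that grant every command. The user, host and command values are constructed.

```python
"""Least-privilege check for a small subset of sudoers syntax.

Constructed example, not sudo's real parser. Supported line shape:
    user  HOST=(runas) [NOPASSWD:] /path/cmd [args], /path/cmd2 ...
ALL may stand for host, runas user or the whole command list.
"""
import re
import shlex
from dataclasses import dataclass

# Constructed sample policies: the weak setting and the narrowed one.
BROAD = "webops ALL=(ALL) ALL   # anything, as anyone, on any host\n"
NARROW = (
    "# webops may restart nginx and read its log, nothing else\n"
    "webops ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, "
    "/usr/bin/journalctl -u nginx\n"
)

RULE_RE = re.compile(r"^(\S+)\s+(\S+?)=\((\S+?)\)\s+(.*)$")


@dataclass
class Rule:
    user: str
    host: str
    runas: str
    nopasswd: bool
    commands: list  # command specs as strings, or ["ALL"]


def parse_sudoers(text):
    """Parse the supported rule lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported sudoers line: {raw!r}")
        user, host, runas, rest = m.groups()
        nopasswd = rest.startswith("NOPASSWD:")
        if nopasswd:
            rest = rest[len("NOPASSWD:"):].strip()
        commands = [c.strip() for c in rest.split(",") if c.strip()]
        rules.append(Rule(user, host, runas, nopasswd, commands))
    return rules


def command_matches(spec, argv):
    """Mirror sudo's argument rules for one command spec."""
    if spec == "ALL":
        return True
    spec_argv = shlex.split(spec)
    if spec_argv[0] != argv[0]:
        return False
    if len(spec_argv) == 1:
        return True  # bare path: any arguments are allowed
    if spec_argv[1:] == [""]:
        return len(argv) == 1  # explicit "" means no arguments at all
    return spec_argv[1:] == argv[1:]  # otherwise arguments must match exactly


def permitted(rules, user, host, runas, argv):
    """Return the first rule that permits argv, or None if sudo would refuse."""
    for r in rules:
        if r.user != user or r.host not in ("ALL", host):
            continue
        if r.runas not in ("ALL", runas):
            continue
        if any(command_matches(c, argv) for c in r.commands):
            return r
    return None


def audit_broad_rules(rules):
    """Rules granting every command: what a least-privilege review flags first."""
    return [r for r in rules if "ALL" in r.commands]


if __name__ == "__main__":
    for label, policy in (("broad", BROAD), ("narrow", NARROW)):
        rules = parse_sudoers(policy)
        for argv in (["/usr/bin/systemctl", "restart", "nginx"],
                     ["/usr/bin/systemctl", "stop", "nginx"],
                     ["/bin/bash"]):
            ok = permitted(rules, "webops", "web01", "root", argv) is not None
            print(f"{label:6} {' '.join(argv):40} {'allowed' if ok else 'refused'}")
        print(f"{label:6} rules granting ALL commands: {len(audit_broad_rules(rules))}")
```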
"Ever heard of UNIX ACLs?"
Sure - and it is only recently with NFS 4.1 that you actually got proper granular ACLs in Linux like Windows has had for years. And still not as flexibly or powerfully implemented. And that still doesn't fix delegation of rights, so your point was?
"do you even know what sudo does ? Go read up on sudoers file, you can adapt it quite some bit, how can you do that one windows ?"
Sure. And it's a big potential hole that doesn't provide only the minimum rights needed at all times like Kerberos constrained delegation can. You can do far more than that in Windows. For instance claims based ACLs. How would you do access control like this in Linux then? http://windowsitpro.com/windows-server-2012/enable-claims-support-windows-server-2012-active-directory
"cannot remember the last time I was obliged to compile some 3rdparty app ... must be 7 or 8 years - and I use Linux on my primary workstation."
Well for me it was last week when I installed a SIP server. And if you claim that then you must hardly use Linux other than as a PC you don't change much on.
"There are quite a few apps in my app repositories, like Java, mysql, postgres etc, etc, etc that I can install in a few clicks as well"
I just click on the icon for any available software and it installs on demand via App-V and can launch before it has even finished installing via a streaming App-V install...
Don't for a second think that ACLs are a feature introduced by Windows.
The earliest I remember ACLs being discussed was in Multics, whose design goes back to the 1960's, before Microsoft was even a company. Multics had a very complete security model for its time, which included control over processes and services as well as the filesystem.
The thing about UNIX-like file permissions is that they have been good enough for most purposes for decades. They're a long way from being perfect, and I've said as much many times on these forums, but they can be made to do most of what is required with the right amount of knowledge. This has meant that until recently there was no pressing need to implement ACLs.
Where they were implemented, they were frequently unused because system administrators of the time did not think it necessary. Simpler times, maybe.
ACL implementations have existed in UNIX systems for many, many years. They first appeared in AIX with AIX 3.1 in 1990, and I'm pretty sure that the Veritas filesystem that could be used as the base filesystem on a number of proprietary operating systems also included ACLs.
The Andrew File System had both Kerberos support and ACLs from the early 1990's as well.
If you think that filesystem ACLs are not enough, look at the UNIX and Linux implementations of RBAC (and SELinux). Because most RBAC implementations use PAM, this means that it is possible to have RBAC controlled by Kerberos, and even put LDAP in the mix, and this allows something not that dissimilar to what I read Windows can do. And this has been possible for many years, before Microsoft jumped on the Kerberos bandwagon.
It seems to me that several of the distros include packages like Asterisk and Sems in their repositories, and Glassfish/Sailfin appear to be Open Source packages shipped as jar files that will not need compiling. Now I don't know what you were trying to achieve, but did you look?
I realise that you may have been wanting features that are not in builds of packages in the repositories, particularly if you want interoperability with some commercial products (vendors just love to include proprietary or bleeding edge extensions which often cause problems with Open Source packages).
If the package you were wanting was part of a commercial product, even if it were a free component, then did you try suggesting that the vendor provide the same degree of support for OSs other than Windows as they do for Windows? Sometimes what people see as a deficiency in Linux is really with the vendor of a particular package being unwilling to provide adequate support for Linux platforms, and that is hardly the fault of the distro maintainer, or the Linux community as a whole!
"Now I don't know what you were trying to achieve, but did you look?"
It was SipXecs and the default install takes forever and compiles a load of stuff.
So for Windows I would typically only have to download and run SETUP.EXE
For Linux it's:
yum install git make autoconf automake rpm-build libxslt
git clone git://github.com/SIPfoundry/sipxecs.git
This is why Linux is so crappy to use.
"So for Windows I would typically only have to download and run SETUP.EXE"
Which normally requires a GUI, a waste of server resources. Also, good luck automating that installer process!
"This is why Linux is so crappy to use."
No, it would normally demonstrate a lazy developer who couldn't be bothered packaging their product. However it appears that this is not the case for sipXecs as they provide a Yum repository (I'm assuming by the instructions above that you are using CentOS or RHEL), so it makes the whole process delightfully simple! Refer to http://wiki.sipfoundry.org/display/sipXecs/Installing+on+Fedora+and+CentOS
All that's been demonstrated in the example above is a little lack of appropriate experience between the keyboard and chair.
This way you use the same package management system that installed the entire OS and keeps it up to date, so it can take care of automatically updating sipXecs for you too. It all makes it much easier to track changes made to the host, easier to document the installation process and easier to automate. And time is money, right? :)
Anonymous Coward says: "But Linux doesn't ... blah, blah, blah."
- So what you're saying is, is that you don't know how to do it. I guess we shouldn't be surprised that PR bots aren't IT specialists.
Anonymous Coward says: "so much more difficult to support if you are installing 3rd party packages,"
- Here's a clue for you - Linux is all third party stuff, from the OS kernel upwards. The Linux developers consist of pretty much the entire IT industry outside of Microsoft, Apple, and their hangers-on. Distros put these "packages" together and support them. That's what they do for a living. It's a competitive market, so either they're very good at support, or they go out of business. They can't use vendor lock-in to coast along while ignoring their customers. If you don't like the support you're getting, then you can switch to a different vendor without having to switch to a different OS or applications stack. It's not like the Microsoft world where you have no choice and no influence.
Anonymous Coward says: "and of course you have to install (compile?!) and configure the product"
- You know you would make a much better PR bot if you actually knew anything about Linux. Compile the product? Why would you do that? The distros compile the binaries and you either just make a few mouse clicks (if you want to use a GUI on your server) or type the relevant "apt-get package-name" if you are running a server without a GUI.
The reason there is no single management system is because there's no such thing as a "one size fits all" solution for anything as diverse as the IT industry. A web hosting business just isn't the same as a widget manufacturer ERP system. If you try to make something "one size fits all", you just end up with something that is massively over-complicated for smaller businesses while being inadequate for larger scale systems.
Have a look at the Microsoft news that you read here in el Reg in recent years. When's the last time that Microsoft introduced some new operating system feature that isn't a clone or port of something from Linux? Oh look - we have PowerShell - now we have something to write OS management scripts in, just like Linux does! Oh look! - we're going to be getting Docker some day, just like Linux already has! Oh look! - we have HyperV - our private label version of Xen just like Linux does! Oh look! - we have "cloud" (sort of), just like Linux does! I would have to go back to the 1990s to find an era when things (Samba) went the other way.
If you want to see the future of Windows server five years from now, then look at what the major Linux distros are shipping today. If you want to see the long term future of Windows, then look at DEC VMS, because that's the sort of legacy system that Windows is becoming. If you've worked long enough in the IT industry, then you've seen operating systems come and go. I used to think that UCSD P-System was fabulous, but try to find anyone today who even knows what it is (was). It doesn't pay to get too attached to any one of them. IT specialists have to learn new things all the time, because the only constant is change.
"If you want to see the long term future of Windows, then look at DEC VMS, because that's the sort of legacy system that Windows is becoming. "
There's no denying that the world is changing around Microsoft and they're not doing a brilliant job of changing their strategy and products to match (time was when Microsoft *was* a strategy for an IT department; not so now). However...
Maybe you've not noticed, but a few months ago, VMS was resurrected. After years of neglect at the hands of HP (and before them, Compaq), HP handed future development of VMS (including a port to x86-64) over to another company, VMS Software Inc, who have (re-)employed many of the VMS development team that were "let go" by HP and predecessors.
Best of luck doing something similar with Windows NT's successors thirty-five years after NT first arrived.
Well I cheat & install http://www.freenas.org, Apache, EGroupware, a few other things to make windows happy, gets by my server needs in 90% of cases ....
But of course, it does mean "reading manuals" & learning stuff, maybe even a google or 2, to understand, obviously too much trouble for the Modern IT Pro, who can instruct the Boss who to pay money to, to make up for being lost, if you need MORE than just to make a few mouse clicks....
"Quite - so much more difficult to support if you are installing 3rd party packages, "
Nope, just add the repo and use apt or yum to do the rest. Worst-case you get a tarball to unpack but it's still relatively easy to automate in most cases if need be.
On Windows the standard is using crappy binary installers making arbitrary and almost untrackable changes to the system. MSI packages are a slight improvement but still unnecessarily complex if you dare peek under the hood.
Third party software management is so painful on Windows that there exists an entire market dedicated to improving it. It's also the main reason so many corporate Windows shops stick with IE as a browser; it's too much work to try and manage anything that isn't built into the OS or made by MS.
It is perfectly possible to use Kerberos to control access to a Linux system. All distros I know ship a PAM (Pluggable Authentication Module) which allows you to use Kerberos as a primary access control mechanism. OpenSSH has Kerberos support built in, and there is support for Kerberos tickets in sudo to control user commands.
Many years ago (~20 IIRC - before even NTFS 5 and Windows 2000), there was a file system called DCE/DFS for POSIX'y systems that also integrated Kerberos tickets into filesystem ACLs. The Andrew File System (which DCE/DFS was adapted from) still exists and still uses Kerberos tickets to control access. Generally speaking, it's a technology that was regarded as unnecessary, or maybe it was just ahead of its time. I think that GPFS can also use Kerberos, but that may just be for system-to-system authentication. Thinking about it, NFS4 and later uses GSSAPI, and you can plug Kerberos into that as well.
So don't think that Microsoft invented these things in Windows. They're playing catchup, but no doubt they will try to embrace, extend and extinguish again as they have tried with LDAP/Active Directory and DNS.
Windows is nice and easy to use and comes with loads of extra luxury features like a BMW
And the users are wankers?
Before any BMW owners get offended, I used to own one. I also used to use Windows. Both were expensive to run, and you were screwed if anything broke.
Bastard Microsoft Windows.
MS is getting itself into problems, the only vendor who asks money for its operating system.
People who bought it should have life time support by definition of the act of buying.
Or else they should provide free upgrades, as in fact since NT4 all versions have been upgrades; look at the kernel core, none was radically new.
"MS is getting itself into problems, the only vendor who asks money for its operating system."
Getting money doesn't sound like a problem to me. And you must have never heard of Apple, Red Hat, SUSE, Ubuntu, etc. etc.
"People who bought it should have life time support by definition of the act of buying"
They do - free online support for the supported life of the product for Server 2003.
"Or else they should provide free upgrades, as in fact since NT4 all versions have been upgrades,"
How would they pay for developing these upgrades then? nb - you do get 'free' upgrades if you pay for full support (Software Assurance).
"look at the kernel core, none was radically new."
There have been thousands of kernel related changes since NT4.
Let me ask you this... what was RedHat's response to the latest Ghost exploit for RHEL4 boxes? We have 5000+ RHEL 5+ servers and 2-300 still running RHEL4 (legacy apps we don't have code for from companies we purchased, etc). We were paying for a license on all the boxes (including 4 so they could be upgraded) but not extended RHEL 4 support. Redhat made a binary rpm for the security fix, but it was only available if you purchased extended RHEL4 support for ALL old boxes; we couldn't even find the SRPM on their ftp site multiple days afterwards (also tried the "can we buy a few licenses" call, they rejected it). Looked at CentOS, but they don't have any updates for RHEL4 anymore. RHEL4 was released in 2005, multiple years after Win 2003, and you've had to pay for security updates before one had to for Microsoft. If anything MS is showing how much better they are at long term support than Linux is.
what was RedHat's response to the latest Ghost exploit for RHEL4 boxes? We have 5000+ RHEL 5+ servers and 2-300 still running RHEL4
I don't know about RH's response - but RH aren't the only ones who can support RHEL4.
I had an RPM rolled within about 20 minutes. It's not hard. My support customers all had it within a couple of hours.
Does this $600 per year per server include charging to not fix the recently reported networking security hole which they said they weren't going to fix in MS Server 2003 because it was "too hard"? They fixed it on their more recent versions, but not this one even though it is currently under support and customers have already paid Microsoft real money to fix problems like this.
Microsoft can't use the excuse that "it's almost at end of support anyway" for two reasons. The first is that it isn't at end of support yet, and people have already paid Microsoft good money for security support on this software. The second reason is that Microsoft are offering to extend support in return for additional money. Unless they are making the offer in bad faith, there is a support team in place whose job it is to fix problems like this.
If they're not going to fix security holes like that one, then just what are people going to be getting for their $600 per year (for the first year, escalating upwards from there)? Or are they going to hold back the fix until after the July support expiration date and then release it for the people who paid extra? I bet current customers are going to love that one.
No they won't be fixing it. Apparently the underlying architecture of WS2003 makes fixing it impossible (according to MS). It does make you question the point of paying so much money for 1 year of additional support though. I wouldn't be surprised if a patch miraculously materialises after the July deadline...
>>Does this $600 per year per server including charging to
>>not fix the recently reported networking security hole
"the recently reported networking security hole" is a security hole for roaming clients. Unless you have your copy of server 2003 on a laptop, to take offsite, it probably isn't going to be a problem for you.
Enterprises running Linux are using it for critical tasks and they take the effort to plan and execute upgrades. *nix is higher up the critical-hardware list with mid-range systems with load-balancers and enterprise-experienced admins which make life easy. The apps also tend to be mission critical which means they play nice with HA configurations.
Windows is left to rot. Even the mission critical stuff is often tagged onto the desktop support team. They don't get the experience in dealing with mission critical systems, so things don't go well with upgrades. Windows is often put in because it appears cheap. In the service catalog, "Wintel" support is less than "Unix" support. That means resourcing is probably not up to the same standard that *nix enjoys.
Linux also doesn't do "tight integration" between the OS and applications. That means you can upgrade the kernel without upgrading the GUI and it probably won't break a server application. I run openSUSE and I find that distro version upgrades can actually downgrade me from my current versions (if I forget to ask the installation routine to pick up patches on installation) as I've acquired patches along the way, so I'm current even before I do a distro upgrade. The fluidity of versions means that Linux devs tend to code for robustness and minimal impact.
The whole VMware thing is mostly based around Windows being too hard to manage within the OS. Too much happens invisibly behind a wizard so no-one knows what's going on. Knowing what's happening is discouraged, therefore we wrap it up and treat it as a blob. You don't hear Solaris admins clamouring for VMware to make their life easier.
I suppose the summary is, it isn't all MS' fault that Windows upgrades get so much bad press. However, their business strategy involves deliberately not playing nice, so they can hardly complain when they accrue hatred and disdain. Their competitive practices have created a lovely little garden in which they can play all alone. They're welcome to it.
"Enterprises running Linux are using it for critical tasks"
Most I know just use it for webservers that no one cares much about as it was all the web developers knew how to work with...Real work like authentication, databases, email, file servers, content sharing, unified comms, etc. etc. usually runs on Windows boxes.
"The whole VMware thing is mostly based around Windows being too hard to manage within the OS"
LOL at the ignorance. VMWare allows consolidation of many systems of any OS onto less hardware. You still have just as many OS instances to manage. nb - I note that VMWare have now ditched their UNIX type front end interface and went with Powershell...
I guess from the lame tone of your rant that you must be one of those old fashioned UNIX midrange admins whose farm of boat anchors got replaced by an SQL server cluster...
"LOL at the ignorance. VMWare allows consolidation of many systems of any OS onto less hardware. You still have just as many OS instances to manage. nb - I note that VMWare have now ditched their UNIX type front end interface and went with Powershell..."
It is your ignorance that is being exposed by this comment. Yes, VMWare has many advantages, one of them being that you can run many logical machines on a single physical machine. For doing that you're paying a price in terms of resources and performance, depending on the application at hand.
This gives a number of advantages: it simplifies management of the instances as there are fewer physical things to deal with, and allows for some nice tricks that provide fault tolerance without the upper layers even being aware of it.
But remember, you're paying a price for that in terms of CPU and memory. Now, ask yourself, why pay this price? Why could one not run the same application instances in a number of smaller machines?
Simply, because Windows is very, very bad at isolating applications and managing resources. Windows by itself does not have a good way of avoiding a single program gobbling up the whole machine, be it in memory or CPU terms, and this lends itself to a model of 1 OS instance running 1 application component, because otherwise one app is going to eat the other one, even if it is not necessary (for example, by allocating memory that is not needed but reported as available by the machine).
As a fix, you put each app into a single OS instance and that at least isolates them from one another. And if you want to do that with a single physical machine, you need a hypervisor to manage the OS instances. Hence VMWare. Which is a patch on top of a broken system that leaves you with the original number of OS instances as before, but with the added overhead of also having to manage the hypervisor. Logic says that you don't make your life more difficult if you're not expecting to make it easier on some other front.
Unix has a number of lightweight virtualization technologies, quotas and other features that can perform the resource management part and prevent one program from gobbling up the whole machine. VMWare is still useful in these contexts because of the easy failover, but not because it wastes resources.
"I guess from the lame tone of your rant that you must be one of those old fashioned UNIX midrange admins whose farm of boat anchors got replaced by an SQL server cluster..."
Yeah, ask any SQL Server admin how he feels about testing the cluster and if he's sure it will come back up and running as it should if you take one node down. I bet his face will not be one of calmness and confidence.
"any SQL Server admin how he feels about testing the cluster and if he's sure it will come back up and running as it should if you take one node down. I bet his face will not be one of calmness and confidence."
Hmm, no. If the ones I've worked with are the trend, they'd stare blankly back at you.
" it simplifies management of the instances as there are less physical things to deal with"
That simplifies management of the hardware, not the OS.
"But remember, you're paying a price for that in terms of CPU and memory"
Erm no. Usually you significantly gain in usable memory and CPU versus many stand-alone systems, because of VMWare memory compression and because of being able to use otherwise unused CPU cycles.
"Windows is very, very bad at isolating applications and managing resources. Windows by itself does not have good way of avoiding a single program gobbling up the whole machine, be it in memory or CPU terms"
Wrong - it does - see https://technet.microsoft.com/en-gb/library/hh997019.aspx
"Unix has a number of lightweight virtualization technologies, quotas and other features that can perform the resource management part and prevent one program to gobble up the whole machine"
Sort of like Hyper-V + App-V + Windows Resource Manager do on Windows.
"Yeah, ask any SQL Server admin how he feels about testing the cluster and if he's sure it will come back up and running as it should if you take one node down. "
Just asked - "The impacted packages would be active on the other node in a few seconds", and "We often fail it over for BCP tests, storage upgrades, patching, etc. Never seen an issue with a failover on an SQL Server."
"That simplifies management of the hardware, not the OS."
Which is still a plus, unless you work in a silo where you only see and manage one side of the costs. From a business standpoint, the TCO includes SW and HW, so there is no point in saving on some balance sheet line if you lose more on another.
"Wrong - it does - see https://technet.microsoft.com/en-gb/library/hh997019.aspx"
Funny that your link states at the end that the feature is deprecated in Windows Server 2012. If you depend on that perhaps you should start planning to move these workloads to say, some Unix flavor?
"Erm no. Usually you significantly gain in usable memory and CPU versus many stand alone systems. Because of VMWare memory compression and because of being able to use otherwise unused CPU cycles."
Erm... so because Windows wastes memory and CPU and the hypervisor allows you to contend that waste, that makes Windows better? I thought the purpose of an OS was to manage machine resources, you seem to prefer to have another layer on top of that. Me, I prefer an OS that can make a reasonable use of resources and where I can use more than a single daemon without taking over the whole machine.
There's a reason for the predominant model of Windows deployment being one single service running in one single OS instance. And there are valid reasons to virtualize Unix servers, but to contend the OS wasting resources is not one of them.
"Sort of like Hyper-V + App-V + Windows Resource Manger do on Windows.."
You should leave Hyper-V off the list, because that's a heavyweight hypervisor. As for App-V, it is in theory quite flexible because it allows you to do a sort of remote desktop or run the binaries on clients, but in practice it is mostly used for end user apps and not for servers. Guess that is because of the limitations it imposes on servers (you can't use it on Server Core, for example) and apps (Google for App-V SQL Server limitations).
A chroot jail coupled with a package manager gives you much, much more flexibility, I'd say. True, with some complexity. And Resource Manager is being deprecated as per your link.
Regarding your SQL Server cluster experience, I have to concede that point to you. I have not managed these directly, and in my experience they seem to fail over but then for some reason or another people never add back the failed node and the cluster simply loses a node forever until they rebuild a new node. Since I'm no SQL Server cluster expert, I can't tell if that is due to the inherent risk involved or because I've not had SQL Server admins as good as the ones you deal with.
The main reason I'm seeing companies keep 2003 servers is simply the applications they are running, and the cost of migrating (and potential downtime) means they are still going. I've even seen a few places still running 2000 for dedicated applications.
If the machine isn't running a dedicated application then it can be replaced quickly; it's the applications that cause the issue. Maybe there should be less conversation about the best OS and more about a standard application abstraction layer that is OS independent.