CoyotePoint review coming soon

Posted by Sam

A few weeks back I was contacted by CoyotePoint and asked if I would be interested in reviewing one of their load balancers. Naturally I was ecstatic. This was my first request as a blogger and it made this blog feel a little more real and a little more important. I remember looking at CoyotePoint back when I decided on the LoadMaster from Kemp. I don't recall why I decided against it at the time, but now I'm hoping that I don't fall in love with CoyotePoint because I have to send it back. Their load balancers consistently get good reviews and there's definitely a lot of room for improvement over the LoadMaster, so I'm happy to be able to provide a third possibility for the lower end load balancer space. Look for a review in the next couple of weeks.

Tags: loadbalancer

Compiling Ruby Enterprise Edition on Solaris 10

Posted by Sam

I wanted to try out Phusion's Ruby Enterprise Edition and hopefully Phusion's Passenger. From what I've read I know they are a pretty Linux centric pair of developers so I wasn't surprised at all that their Ruby Enterprise Edition installer didn't actually install on Solaris 10 despite using gnu tools. Fortunately, it was pretty easy to bypass their installer and compile it like I would with MRI. Here's a quick rundown of what I did to get it compiled.

Here's what I did to get Ruby Enterprise Edition compiled on Solaris 10. This assumes you are using gcc from Blastwave.

bash-3.00# wget http://rubyforge.org/frs/download.php/38084/ruby-enterprise-1.8.6-20080507.tar.gz
bash-3.00# gtar xvf ruby-enterprise-1.8.6-20080507.tar.gz
bash-3.00# cd ruby-enterprise-1.8.6-20080507/source
bash-3.00# ./configure --with-openssl-dir=/opt/csw --with-readline-dir=/opt/csw \
--with-iconv-dir=/opt/csw --prefix=/opt/rubyenterprise
bash-3.00# make
bash-3.00# make install

That's all there is to it. I wish Phusion wasn't so Linux centric. I'm going to try and get mod_rails or Passenger or whatever it's called compiled next this week, but I don't think it's going to go quite so easily.

Tags: ruby

Images Belong in the Database

Posted by Sam

Logical Reasons

The more web programming and system administration I do, the more I'm convinced that images and other forms of uploaded content belong in the database. I've pretty strongly suspected this for many a year, but it's becoming more and more clear that this is just how things need to be. There are many reasons. Some are technical and some are logical, but all signs point to loading images into the database. Below are just a couple.

I'll start with the logical reason first and then get to the technical reasons. Logically, all other forms of dynamic content reside in the database, yet programmer after programmer insists on putting images and other uploaded content on the filesystem. Now you've got some content in the database and it's tied to content on the filesystem. Suddenly the nice clean line is broken. You've blurred the lines on who does what and where it goes. What usually happens is programmers forget to clean up after themselves, so file references are deleted from the database but the files still exist on the filesystem. You know why this happens? Because you shouldn't have put it there in the first place. Repeat after me - dynamic content in the database and application files in the filesystem. Got it?

Technical Reasons

So now that we've got the logical reasons behind us, what are some of the technical reasons? For starters, your database(s) will always be in sync. That's what they are meant to do. That's what they have to do. Your database(s) have to be synchronized. Your site depends on it. It doesn't matter if it's a simple site with a single database server or a huge site with a dozen database servers. You have to keep your database servers in sync. And databases are good at it. It's much, much easier to scale out database servers than file servers. Having all your dynamic content in the database keeps everything in sync.

Some people will wrongly argue that having files in the database will cause slowdowns. To that I say... um, maybe, but only if you're doing it wrong. Databases are very fast and have excellent caching, but it's highly likely that multiple web servers can serve images straight from disk faster than a database. Well, that's great, but images still belong in the database. And in this case you can have your cake and eat it too. Check out this article about caching images on the filesystem with Rails. Hrm, one extra line of code lets you cache your image on the filesystem. Doesn't seem too bad to me. Elegant, simple and lightning fast.

The Reason for the Rant

Time after time I'm responsible for deploying other people's crappy software. They invariably come up with some stupid solution that lets them click the checkbox that says their product will work on a load balancer, but they neglect to tell you upfront what ridiculous hoops you have to jump through to get it to work. The most recent product is called Ektron. I can't say what it's like to work with from a programming standpoint, but from an admin standpoint it's a nightmare. Instead of loading the images into the database like they should, they instead force you to share out files and do this dumb little virtual directory linking to the other servers. It's just annoying and not even close to elegant, but then I have yet to see a CMS system that is, so I wasn't surprised. Thankfully the Ruby on Rails team understands what it takes to scale apps and they provide you with a nice foundation. If only the rest of the world would catch up.

Tags: rubyonrails web rant

The 5 Minute Guide to Securing Solaris

Posted by Sam

Disclaimer

This is a super quick guide to securing a Solaris server. It's not in depth and I highly recommend taking a deeper look at the technologies that are used.

Install Solaris Security Toolkit (formerly called JASS)

A ton of stuff will scroll by. If you need remote access, be sure to edit the TCP Wrappers allow file, otherwise you'll be locked out of the box. Also, if you remotely log in over SSH as root, you'll need to allow root access and restart SSH. I always double check that I can remotely log in before closing the current console.

Links for Solaris Security Toolkit

Activate BSM Auditing

Auditing will let you watch as little or as much as you want on your box. It's also zone aware so you can see exactly what's going on in a specific zone. Here's a quick run through on how to turn it on and what I'm monitoring on my boxes. Keep in mind if you have a busy box these settings can produce some very large logs and slow down your system. Take a look at the links to learn exactly what these settings do and then decide how much logging you need.

  • Edit /etc/security/audit_control so that it looks like this:
    dir:/var/audit
    flags:lo,ex,ad,pc,fm,fw,-fc,-fd,-fr
    minfree:10
    naflags:lo,ex,ad
  • Edit /etc/security/audit_startup so it looks like this:
    /usr/bin/echo "Starting BSM services."
    /usr/sbin/auditconfig -setpolicy +cnt
    /usr/sbin/auditconfig -setpolicy +argv,arge
    /usr/sbin/auditconfig -setpolicy +zonename
    /usr/sbin/auditconfig -conf
    /usr/sbin/auditconfig -aconf
  • Run the bsmconv script
    /etc/security/bsmconv
  • Add the following line to the crontab
    0 0 * * * /usr/sbin/audit -n
  • Reboot and check out your newly created logs in /var/audit
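As an added check that is not part of the original post: a small script that compares an audit_control file and a crontab dump against the baseline above, so drift after a patch run or a toolkit rerun shows up instead of silently turning auditing down. The baseline values are the ones from the list above; the file paths in the usage comment are the standard Solaris 10 ones; it needs a POSIX shell (bash, or /usr/xpg4/bin/sh on Solaris 10), not the legacy /usr/bin/sh.

```shell
#!/bin/sh
# Added example, not from the original post: verify a Solaris 10 BSM
# configuration against the baseline described above. Needs a POSIX shell
# (bash, or /usr/xpg4/bin/sh on Solaris 10; the legacy /usr/bin/sh lacks
# $(...) and ${var%%=*}).

# Baseline values, copied from the post; edit to match your own policy.
WANT_DIR="/var/audit"
WANT_FLAGS="lo,ex,ad,pc,fm,fw,-fc,-fd,-fr"
WANT_MINFREE="10"
WANT_NAFLAGS="lo,ex,ad"

# audit_control_value FILE KEY
#   Print the value of the last "KEY:value" line in FILE (empty if absent).
#   Comment lines start with '#', so they never match the anchored key.
audit_control_value() {
    grep "^$2:" "$1" | tail -1 | sed "s/^$2://"
}

# check_audit_control FILE
#   Print one line per setting that differs from the baseline.
#   Returns 0 when everything matches, 1 otherwise.
check_audit_control() {
    f="$1"
    rc=0
    for pair in "dir=$WANT_DIR" "flags=$WANT_FLAGS" \
                "minfree=$WANT_MINFREE" "naflags=$WANT_NAFLAGS"; do
        key=${pair%%=*}
        want=${pair#*=}
        have=$(audit_control_value "$f" "$key")
        if [ "$have" != "$want" ]; then
            echo "$key: have '$have', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# check_rotation_cron FILE
#   FILE is a crontab dump (crontab -l > FILE). Returns 0 if an active,
#   uncommented entry rotates the trail with "/usr/sbin/audit -n".
check_rotation_cron() {
    grep -v '^#' "$1" | grep -q '/usr/sbin/audit -n'
}

# Usage: sh bsm_check.sh /etc/security/audit_control /var/tmp/root.cron
# (create the second file first with: crontab -l > /var/tmp/root.cron)
if [ $# -eq 2 ]; then
    status=0
    check_audit_control "$1" || status=1
    check_rotation_cron "$2" || { echo "cron: no '/usr/sbin/audit -n' entry"; status=1; }
    exit $status
fi
```

A non-zero exit with the offending keys printed is the whole interface, so it drops straight into cron or a nightly check over all boxes; the naflags check matters because a stock file that only has lo there loses the non-attributable exec and admin events the post turns on.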

Links for BSM Auditing

Tags: solaris security

Showing Blastwave Packages with Upgrades Available

Posted by Sam

I love love love Blastwave. I couldn't imagine using Solaris without it. One of the annoying things, though, is that if you want to see if newer packages are available you have to wade through every package that they have. And they have a lot. So here is a super simple one liner for showing just the packages that need to be upgraded.

pkg-get -c | grep -v "Not installed" | grep -v SAME | \
mailx -s "Blastwave Updates" yourname@example.com

And since you are probably using Solaris Zones here is a simple script that will look in all non-global zones and email out a report. Currently this sends one email per zone but that could easily be changed to send one email per physical box.

#!/usr/bin/sh

for zone in `/usr/sbin/zoneadm list | /usr/bin/grep -v global`; do
   zlogin $zone "/opt/csw/bin/pkg-get -c | \
   /usr/bin/grep -v \"Not installed\" | \
   /usr/bin/grep -v SAME | \
   /usr/bin/mailx -s \"Blastwave Updates for $zone\" yourname@example.com"
done
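The paragraph above mentions that the per-zone mail could easily become one mail per physical box. As an added example that is not the post's own script, here is that version: it walks every zone including global, keeps the post's grep filter, and sends a single report only when something actually needs upgrading. It assumes it runs as root in the global zone (zlogin requires that), that pkg-get is at /opt/csw/bin/pkg-get inside every zone, and that the box name from uname -n is what you want in the subject; the mail address is a placeholder. It needs a POSIX shell (bash, or /usr/xpg4/bin/sh on Solaris 10) rather than the legacy /usr/bin/sh.

```shell
#!/bin/sh
# Added example, not the script from the original post: gather Blastwave
# update candidates from every zone on the box (global zone included) and
# send a single mail per physical machine. Run as root in the global zone,
# under a POSIX shell (bash, or /usr/xpg4/bin/sh on Solaris 10).

PKG_GET="/opt/csw/bin/pkg-get"        # assumed to be the same path inside every zone
MAILTO="yourname@example.com"         # placeholder, change it

# updates_only: filter `pkg-get -c` output on stdin down to packages that
# have a newer version available (the post's filter). grep exits 1 when
# nothing is left, which is the good case here, hence the "|| true".
updates_only() {
    grep -v "Not installed" | grep -v SAME || true
}

# zone_updates ZONE: run the check inside ZONE; "global" runs it locally.
# $PKG_GET is deliberately unquoted so it may carry an interpreter or options.
zone_updates() {
    if [ "$1" = global ]; then
        $PKG_GET -c
    else
        zlogin "$1" "$PKG_GET -c"
    fi | updates_only
}

# build_report ZONE...: one section per zone; zones with no updates are omitted.
build_report() {
    for z in "$@"; do
        out=$(zone_updates "$z")
        [ -n "$out" ] || continue
        printf '== %s ==\n%s\n\n' "$z" "$out"
    done
}

# send_report ZONE...: mail the combined report, but only if it is non-empty,
# so a fully patched box produces no mail at all.
send_report() {
    report=$(build_report "$@")
    [ -n "$report" ] || return 0
    printf '%s\n' "$report" | mailx -s "Blastwave updates for $(uname -n)" "$MAILTO"
}

# Usage from root's crontab in the global zone:  sh blastwave_report.sh --send
if [ "$1" = --send ]; then
    send_report $(/usr/sbin/zoneadm list)
fi
```

Because zoneadm list only returns running zones, a halted zone is silently skipped; if you need those covered too, boot them first or compare against zoneadm list -c and report the missing names.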

Tags: solaris blastwave opencsw