Insights into Linux Web site deployment from the Linux Quick Fix Notebook

In an interview, Peter Harrison, author of the Linux Quick Fix Notebook, discusses the Web site hosting decision making process and shares his thoughts concerning the future of Linux, what is holding it back, and what can be done about it.

Although great strides have been made toward making the Linux operating system easier to install, complexity remains a major hurdle for many network administrators. Many information technology professionals are too busy meeting the immediate demands of their enterprise to fully consider, plan, and then deploy a new operating system and all of the backend software such a deployment will require.

In his book, Linux Quick Fix Notebook, Peter Harrison presents a detailed reference book for many of the common configuration and installation processes required for the deployment of a Linux network and/or Web site. No matter how many times you have configured a network or a Web site under the Linux operating system, there will likely be features you forget to implement if you don't have some form of reference. This is where the Linux Quick Fix Notebook comes in handy. Chapter 2, Introduction to Networking, is available for download from TechRepublic.

In the following interview, Peter Harrison discusses the 'host your own Web site' decision making process and presents his thoughts concerning the future of Linux, what is holding it back, and what can be done about it.


Title: Linux Quick Fix Notebook
Author: Peter Harrison
Chapter 2: Introduction to Networking
Publisher: Addison-Wesley Professional
www.phptr.com/title/0131861506

This chapter is excerpted from the forthcoming new book, 'Linux Quick Fix Notebook', authored by Peter Harrison, scheduled to publish in late March. The chapter is reprinted with permission from publisher Prentice Hall PTR.


Interview

[TechRepublic] In your book, you ask the question Why Host Your Own Site? That chapter lists and discusses the pros and cons of hosting your own site. Do you have a general rule of thumb for when an organization would be best served by self-hosting? Which beneficial aspect should carry the heaviest weight when making a decision on self-hosting versus virtual hosting?

[Peter Harrison] The decision to do self-hosting for your business should be strictly based on business needs. Embark on it when your service provider threatens the future growth of your company. Plan well, only use proven stable technologies, go slowly, have a backup plan, inform your customers and minimize your exposure to downtime risk at every step of the way.

The business strategy of a virtual hosting provider is to reduce their costs as much as possible via standardization. Each Web server handles hundreds of Web sites, each with access to only a single type of application server, database, shopping cart, blog, Web mail or message board forums software suite. Customization usually occurs through a standard Web GUI interface which is usually geared towards altering the work flow features of the software and not its overall performance. Support is usually only given through instant messaging.

For a simple Website with the aim of providing supplemental information to newspaper or Web advertising, basic virtual hosting services, which start at about $10 per month, should be sufficient. The cost advantage of this service declines as you require additional high end services or customization.

There are two broad scenarios where self hosting for small businesses starts to become desirable:

Online product searches with shopping carts:

Sometimes you want visitors to be able to search your Website for a list of available products by name, by category, in a particular price range, or from a specific manufacturer. This requires Web pages to be generated dynamically using application server software that queries a database. This can cost about $100 per month, and if you need the person to buy the product using a shopping cart, then the price can reach as much as $150 for an entry level service. You can lease a dedicated server for $200 per month in a colocation data center and if you choose to use Linux, your software procurement costs would be negligible. Self hosting in this scenario can become desirable if you already have a capable IT staff with sufficient resources to complete the project within your budget and on time.

Customized services and support:

There are many combinations of factors that can make a virtual hosting provider become unsuitable for your business.

With virtual hosting you are at the mercy of your service provider to provide software updates or patches to fix security, performance or functionality problems. You may find that the completion time for your request may be long if you are one of a hundred customers on a server. The service provider also has to ensure that the upgrade won't affect any of the other Websites and this can add delays.

There will be times when you need to implement software that needs to be installed external to your home directory and that isn't supported by your hosting provider. Examples of this include a new database product and centrally managed server logins using LDAP.

With hundreds of Websites on a server, you run the risk of slow response times due to one of the URLs owned by another company suddenly becoming popular. The cause of this latency is often difficult to determine and correct, especially in a shared environment where you don't have access to many systems tools.


Many businesses rely on a Web presence for the majority of their revenues and cannot afford to have extended periods of downtime. With the use of load balancing devices it is possible to spread your Web hits across two or more servers. The load balancer regularly probes your servers and automatically steers traffic away from any server that appears to be malfunctioning or down. This is a useful offering if you need to take an application offline for maintenance. Many virtual hosting providers don't offer such a service to individual customers.

You may want your applications to run on unique TCP/IP ports and be accessible only to certain IP address ranges, or you may want communications with these ranges to be fully encrypted over a virtual private network (VPN). This will usually require some form of VPN or firewall service that your provider may not offer. Your security policy may open a vulnerability to other Web sites. For example, allowing FTP access to the virtual server allows this access to all sites on the server, and this may be viewed as a security risk for your neighbors. If you don't want to risk this type of exposure, then consider self-hosting.

You may require highly customized reporting or have complicated inventory listings which have to track parts, sub assemblies and finished products. There may be the need to link your shopping cart order entry system with the inventory system of a supplier which your virtual hosting provider may be able to do, but it may expose more of your business to this provider thereby increasing your risk.

If you decide to do self-hosting, you should also consider its consumption of your business resources, namely time, talent and money. The financial cost of the equipment is obvious, but there are resource costs related to installation, training, staff shortages, consulting, security and long term maintenance. With an existing IT staff, the strain would be less but if the company has less than a dozen employees the price of customization could be a high proportion of your business overhead expenses.

If you are a small company with limited IT staff, or have capable staff who would be better utilized expanding the business, then it may be best to adjust your requirements so that they can be easily managed by a virtual hosting service. As the customization needs of the company grow consider self hosting. Create a pilot project using only the most essential customization and if successful, gradually migrate over to a production version of the pilot site. Convert your pilot to general testing and staging area and then add modifications to the production site when you are satisfied they work.

Sometimes businesses should accept the fact that self-hosting, though desirable, may be beyond the budget and capabilities of their organizations. Switching from a virtual hosting operation to a more expensive fully managed hosting provider that specializes in customizations may have to be considered. Replacing your virtual hosting provider with a fully managed service may be required if virtual hosting hinders the growth or survival of your company and you feel you would be incapable of completing a successful self-hosting operation on your own.

802.11g/n

[TechRepublic] In the book, you discuss the configuration of 802.11a/b wireless networks in Linux using either Wireless Tools or Linux-WLAN. Are there similar packages for 802.11g/n? Are the configurations similar to those you outline?

[Peter Harrison] There are a number of ways to get 54 Mbps 802.11g/n cards to work with Fedora, but most open source references focus on the Prism54 and NdisWrapper projects.

Though it works, the Prism54.org software suite has a number of limitations. It requires you to apply kernel patches and then recompile the kernel. It is also only compatible with a limited number of wireless cards. This can be a daunting process even for experienced Linux users.

Windows uses the Network Driver Interface Specification (NDIS) as a standardized method for the operating system to communicate with the NIC driver software from various manufacturers. The Linux NdisWrapper software suite, available from ndiswrapper.sourceforge.net, allows you to run your Windows NIC card's drivers under Linux by creating a software wrapper around the Windows driver to trick it into thinking that it is communicating with Windows and not Linux. The compatibility range is therefore much wider and in cases where you need to recompile your kernel, the project's Website has links to RPM packages of standard kernels with NdisWrapper support. Installation instructions on the project's Web site are reasonably clear and a proficient Linux user should be able to get their NIC card working within an hour or two on their first try.

NdisWrapper has some limitations too. It only works on hardware architectures supported by Windows, the very useful iwspy command isn't supported and the wrappers add a layer of software complexity that would not exist normally. There is a commercial competitor to NdisWrapper called DriverLoader created by the Linuxant Corporation which readers may also want to consider.

NDISwrapper transparently interfaces with Linux wireless tools which makes configuration very similar to that of 802.11b. The higher speed 802.11g capability is activated by placing the string 'RATE=54Mb/s' in your /etc/sysconfig/network-scripts/ifcfg-eth* file. You also have to deactivate your 802.11g NIC in the /etc/modprobe.conf file and instead list the NDIS driver. I have a brief tutorial of how to do this on my Website.

My experience with NdisWrapper in the home has been very good, but like Prism54 and even Linux-WLAN, you have to reinstall the product each time you upgrade your kernel. This may not be tolerable in a mission critical business environment where maintenance related downtime needs to be kept to a minimum and where all software used needs to be 100% Linux compatible to ensure stability.

When 802.11g WiFi technology becomes more mature it will indubitably be supported natively by Linux Wireless Tools without the need for additional software, but there will always be NICs that don't support Linux and knowledge of NdisWrapper will be invaluable.


Securing systems

[TechRepublic] When an organization places a server of any kind on the Internet, it becomes responsible for the security of that node. More than just a few of the security vulnerabilities exploited by the nefarious members of society stem directly from small operations that simply do not keep up with the latest server-software security patches. What are the essential steps an organization self-hosting a Web site should take to secure their systems?

[Peter Harrison] Security is really a broad topic and should be considered as anything that can potentially affect the availability of your site. I have included some general categories that come immediately to mind:

Restrict network access

A good rule of thumb is to try to make HTTP traffic the only unencrypted traffic to hit your Web site from the Internet. Remote access by employees or satellite offices should be done via encrypted VPNs or using secure login clients such as SSH.

This requirement demands a firewall to easily support VPNs. Most entry level units start at about $400, making them reasonably affordable, and they often use a Web GUI to make them easily configurable. I generally prefer the use of a single firewall to protect a network, as the management of firewall applications running on individual servers can quickly become unmanageable.

Other servers that support your Website via mail and DNS services can't have encryption, but have inbound Internet access limited to these ports only. Remote access to them by employees should be over secure channels.

When you install your servers, you should also ensure that they are only listening on the expected TCP/IP ports. Direct access from the Internet to database servers should be severely restricted. Internet based SQL queries should only come via VPNs. The less of your site that's visible, the better it is for security.

Be proactively informed and patch accordingly

There are many vulnerability email notification services such as CERT and newsletters provided by SecurityFocus.com that help you keep abreast of the latest events.

You should patch whenever you can and be aware that this activity may cause your application to stop working. Always have a means to revert to the original configuration when doing this.

Patching shouldn't be the only means of application security. Most software vendors provide tools to reduce the risk of attack and have their own security mailing lists to inform you of required upgrades. These should be utilized at every opportunity.

Bolster physical security

Your servers should be in a secured, cool, clean area with access limited to only authorized personnel. Power should be reliable and protected by a UPS. The location should have water free fire suppression equipment as a first line of defense. Your data should be backed up regularly. If you cannot afford a tape unit, then disk to disk backup within your server or to another server on your network should be considered. Make sure you have redundant infrastructure whenever possible. This should include dual routers, switches, firewalls and servers with preferably automatic failover.

Improve user management

Force the changing of passwords regularly. Be judicious with providing super user capabilities, and use the sudo utility whenever privileged access is needed. Disable user accounts and all network access for employees who have left your organization.

This short list should be a sufficient starting point for most small self-hosting operations and should reduce your vulnerability to attack significantly. Last but not least, assign the role of IT Security Expert to one of your members of staff so that the topic is given the attention it deserves. Make this person train and inform staff of security issues so that everyone can participate in making the entire organization more secure.
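The "only listening on the expected TCP/IP ports" check from the answer above, as an added shell example that is not from the book or the interview: it compares ss-style socket listings against an allowlist and flags any externally bound port outside it. The ss output, the allowlist and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Linux Quick Fix Notebook): audit the TCP ports
# a self-hosted Web server is listening on against an explicit allowlist.

# Constructed sample of `ss -Hltn` output (local address is column 4).
# On a live host you would feed the real command in instead:
#   ss -Hltn | audit_listeners "$ALLOWED"
SAMPLE_SS='LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 80 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 [::]:80 [::]:*'

# Constructed policy for a public Web server: HTTP, HTTPS and SSH only.
ALLOWED="80 443 22"

# Reads ss-style lines on stdin and prints one line per listener that is
# bound to a non-loopback address on a port outside the allowlist.
audit_listeners() {
    allowed="$1"
    while read -r state recvq sendq laddr peer; do
        [ -n "$laddr" ] || continue
        port=${laddr##*:}          # text after the last colon
        addr=${laddr%:*}           # text before the last colon
        case "$addr" in
            127.*|\[::1\]) continue ;;   # loopback only: not Internet-visible
        esac
        for p in $allowed; do
            [ "$p" = "$port" ] && continue 2
        done
        printf '%s\n' "unexpected listener: $laddr"
    done
}

# Returns 0 when every externally visible listener is in the allowlist,
# 1 otherwise (findings are printed so the output can go into a report).
check_exposure() {
    findings=$(printf '%s\n' "$SAMPLE_SS" | audit_listeners "$ALLOWED")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "all listeners within policy"
    return 0
}
```

On the sample above the database listener on 0.0.0.0:3306 is reported, which is exactly the case the answer says should be reachable only over a VPN.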

Linux toolbox

[TechRepublic] The Linux/MySQL/Apache setup is arguably the most-popular Web site server system in use today. In addition, open source software continues to grow in popularity. What Linux and/or open source software would you like to see develop in the next year? Is there a particular piece of software or a service you feel is missing from the current Linux toolbox?

[Peter Harrison] The growth of the open source movement will be stunted unless software developers seek new sources of inspiration for usability. It may seem odd, but life's lessons learned in your kitchen are very applicable. Linux needs to be microwaveable.

It is now possible to replace Windows with Linux for basic office tasks. The overall look and feel is purposely similar, the file formats are generally compatible, and as many office applications work on both systems, retraining costs have been greatly reduced. In the very near future the decision to use Microsoft Office, versus a product like Linux's StarOffice, will hinge not only on cost but also on personal preference. User demand for common features and competitive pricing will make the differences in cost and the user experience of desktop operating systems almost unnoticeable.

Similar trends are occurring in the use of open source software in the back office. Linux based applications are being enthusiastically promoted by younger systems administrators who have been exposed to non-proprietary software. They will soon occupy the management positions needed to ensure the acceptance of open source projects throughout the organization. Software aggregators such as RedHat, Novell, Mandrake and Red Flag have created corporate personae with whom binding contracts defining performance, features, warranties and support can be made. It is becoming easier to justify new large scale projects with Linux in businesses, for legal, financial and strategic reasons.

Unfortunately, for the back office, Linux is still too hard to use. Most importantly there is no standardized and simple method for installing software. Why can't all installation programs automatically use a software archive's filename extension to determine and implement the necessary installation steps? Why should you ever need to read an installation README.TXT file when you could be prompted instead? Why don't installation programs prompt you for the parameters most likely to be needed by the application to get it to work? The requesting of an application's administrator password, automatically creating supporting databases, and the prompting for whether the application should be immediately started and/or started on reboot should be standard options. Why can't the addition of network routes or IP addresses on interfaces be done via a series of simple command line prompts? Why doesn't Linux have a series of simple 'show' and 'set' commands to view the system's status and modify configurations?

When I go to the supermarket I have a choice in food. I can buy less satisfying microwaveable food or buy all the ingredients from scratch to create a meal worth remembering. Linux software installation should be the same. There should be two options from the command line; the first should prompt the user for the most likely parameters 80% of the population should need to get the basic application to work. It should be as easy as reheating a TV dinner, you shouldn't have to refer to the README.TXT file. The second option would maintain the default configuration file for expert gourmet editing.

Great strides have been made to create helper applications to make the Linux command line less intimidating. It would be good if each application had its own basic configuration script 'for dummies' with the same naming scheme based on an application's daemon name, so for example, sendmail-guru would be used to set up a mail server and httpd-guru would be used to set up the Apache Web server's daemon. The further development of companion Web GUI interfaces for applications similar to the Samba SWAT and the CUPS printing utilities would also be of great help. Standardized configuration URLs running on HTTPS would help to make things easier. To a great extent this exists already in the Webmin application suite. Basic Webmin style functionality just needs to come bundled with the base software to get the user started and should be easily disabled for security reasons once the configuration is complete.

Linux software installation may be easy using the console GUI, but it can be intimidating from the command line. Unless Linux software installation is as easy as it is in Windows, the resistance from systems administrators that are only familiar with Windows and other proprietary operating systems will continue. This is a large group of technology filters who need to be persuaded to consider open source as a convenient potential business alternative. Their involvement will help to accelerate Linux adoption in businesses.

This need is even more important as Linux is at the center of an increasing trend in the use of commodity operating systems that are cheap enough to fit a vast number of budgets and efficient enough to breathe new life into old hardware. We will therefore see it being used by increasing numbers of people with much less initial exposure to technology and access to financing. Simplicity will be critical for more universal acceptance.

Microwaveable

The Linux community is extremely vibrant, maybe even irrepressible, and thousands of new open source software projects are created each year. I can think of no better feature or product that I feel more strongly about than the need to simplify the Linux experience for the systems administrator and newbie without sacrificing functionality. Only then will Linux be considered as a viable alternative at all levels of the decision making process in homes, schools, governments and the private sector. It's not the product, it's the packaging. Linux needs to be microwaveable.

About Mark Kaelin

Mark W. Kaelin has been writing and editing stories about the IT industry, gadgets, finance, accounting, and tech-life for more than 25 years. Most recently, he has been a regular contributor to BreakingModern.com, aNewDomain.net, and TechRepublic.