Re: [Userops] Why is it hard to move from one machine to another? An analysis.

[Jessica Tallon]

Hey,

Firstly, I agree moving from one server to another is difficult. Moving from workstation to workstation is also difficult though. You can just rsync your home directory if you've opened your firewall and know how to use rsync which for both of us and likely the rest of this ML is fine, but not for most people. There is also the problem of moving software which can be a huge problem, you seem not to find this an issue but for me I still find months later I'll be missing software I need. Then you have the problem that systems get very complex, you have postgres running on your workstation, you have several users, wifi network credentials, you probably have a bunch of different repositories enabled, python virtualenv's breaking.

All of the above is just if you're moving to the same distribution or the next version of the same distribution. If you happen to want to take advantage of the amount of choice in GNU linux you then have a nightmare of different incompatible configurations files in your home directory, different package names, strange non-standard configurations when you go to fix it (I'm looking at you Debian). All of this causes a kind of lock-in of a sort as the time it takes to migrate across distributions is really difficult.

Finally and this isn't entirely the problem you're describing here but if you want to have multiple workstations which we do, we have our laptop and our desktop and maybe a test machine or whatever, if you want to try and work between them it's a nightmare, you install and setup something on one computer and then you have to re-invest that time doing it on the other. You have issues having the files synced across both machines you can try and use rsync but I'm not sure it's a great tool for the job especially if you have different sized HDD's and don't want identical drives. Then if you happen to use multiple OS's but for the same things (it happens - I do it all the time for example) then you're really struggle getting it so i can be working on my desktop and then pick up my laptop to go somewhere and be able to just pick up where i left off.

But all of those are problems on the workstation that in my opinion, aren't fixed.

Servers for as difficult as work stations but i'm not sure the problem is actually harder, I think i just find it as difficult because it's a lot worse if I don't so something correctly on my server and also my servers tend to be left a long time so i'll be moving to different versions of the OS with entirely different versions of apache, bind, SELinux, etc. so everything needs changing to work but that would occur on my desktop too if I wasn't so happy to be on the bleeding edge.

In general though i start by moving my configurations across. I do pick and choose out of /etc/ I grab my httpd configs and then usually work just fine. I grab the dovecot and postgres and they require a little changing but not a huge amount for the most part. I copy over the home directories which have the mail and other user files.  I then go through my /var/www and copy my websites and yes dump my databases. A lot of steps but there is often a lot less stuff on my servers than my workstations - so there is that on our side :)

The thing which makes this so hard is if you forget about something with your workstation or do something wrong it's not a huge problem. If you forget anything or make a mistake your services are down for you and the other users you probably support. You often don't know until there is some urgency or lost data or whatever. My proposal to fix this is unit tests for our servers. In code we have them so that we know when you've changed things or everything works, on your server you can use nagios but that doen't deal with all your jabber, postfix, dovecot, IRCd or whatever services you have running. It's usually when the frantic person not able to access their stuff is sending you a bunch of messages that you realise you forgot to setup nagios for your new server you moved to.

There is also the fact you have things like your glue records to update if you're DNS moves unless you bring your IPs with you which then means you can't have a smooth handover and extra configuration. I've had people who don't need to run their mail server as I do it for them but all their mail is bouncing and it's because their MX records ended up pointing at something else so even when technical users don't even need to manage their own server problems can go wrong because you have either external DNS or glue records or whatever which are just one extra thing.

This seems pretty rambley so I think i'll stop here.

TLDR; yep it's hard but so are workstations. We should make unit tests for our servers!

Thanks,

Jessica. 

ons 2015-04-08 klockan 17:22 +0200 skrev Christopher Allan Webber <address@hidden>:

Hello all, For a while I've been considering, why is it so harder for me to migrate from server to server than it is for me to migrate from desktop to desktop? For years, ever since I discovered rsync, migrating between machines has not been hard. I simply rsync my home directory over to the new machine (or maybe even just keep the old /home/ directory's partition where it is!) and bam, I am done. Backing this up is easy; it's just another rsync away. (I use dirvish as a simple wrapper around rsync so it can manage incremental backups.) If I set up a new machine, it is no worry. Even if my current machine dies, it is *mostly* no worry. Rsync back my home directory, and done. I will spend a week or so discovering that certain programs I rely on are not there, and I'll install them one by one. In a way it's refreshing: I can install the programs I need, and the old cruft is gone! This is not true for servers. At the back of my mind I realized this, but until the end of Stefano Zacchiroli's excellent LibrePlanet talk when I posed a question surrounding this situation, I hadn't totally congealed in my head: *why* is it so much harder for me to move from server to server? Assume I even have the old server around and I want to move. It isn't easy! So here are some thoughts that come out of this: - For my user on my workstation, configuration and data are in the same place: /home/ (including lots of little dotfiles for the configs, and the rest is mostly data). Sure, there's some configuration stuff in /etc/ and data in /var/ but it mostly doesn't really matter, and copying that between machines is not hard. - Similarly, for my user on workstation experience, it is very little stress if I set up a machine and am missing some common packages. I can just install them again as I find them missing. - Neither of these are true for my server! In addition to caring about /home/, and even more importantly, I have to worry about configuration in /etc/ and data in /var/. These are both pains in the butt for me for different reasons. - Lots of stuff in /etc/ is configuration that interacts with the rest of the system in specific ways. I could rsync it to a new machine, but I feel like that's just blindly copying over stuff where I really need to know how it *works* and how it was set up with the rest of the machine in the first place. - This is compounded by the fact that people rarely set up *one* machine these days; usually they have to set up several machines for several users. Remembering how all that stuff worked is hard. The only solution seems to be to have some sort of reproducible configuration system. Hence the rise of salt, ansible, etc. But these aren't really "userops" systems, they're "devops"... developer focused. Not only do you need to know how they work, you need to know how the rest of the system works. And it's not easy to share that knowledge. - /var/ is another matter. Theoretically, most of my program data goes there (unless, of course, it went to /srv/, god help us). But I can't just rsync it! There are some processes that are very persnickety about the stuff there. I have to *dump* my databases and etc before I can move them or back up. Nothing sets up an automatic cronjob for me on these, I have to *know* to dump postgres. Hopefully I set up a cronjob! - While I as a workstation user don't stress too much if I'm missing some packages (just install them as I go), that is NOT true of my servers. If my mail servers aren't running, if jabber isn't on, (if SSH isn't running!!!), there are other servers expecting to communicate with my machine, and if I don't set them up, I miss out. - Not only this, assuming I have moved between servers correctly, even once I have set up my machine and it has become a perfectly okay running special snowflake, there are certain routine tasks that require a lot of manual intervention, and I have only picked up the right steps by knowing the right friends, having run across the right tutorials which hopefully have shown me the right setup, etc. SSL configuration, I'm looking at you; the only savior that I have is that I have written myself my own little orgmode notes on what to do the next time my certs expire. - My servers do become special snowflakes, and that is very stressful to me. I will, in the future, need to set up one more server, and remembering what I did in the past will be very hard. - Assuming I use all the mainstream tools, not talking about "upcoming" ones, a better configuration management solution is probably the answer, right? That's a lot to ask users though: it's not a solution to existing deployment, because it doesn't remove the need to know about all the layers underneath, it just adds a new layer to understand. Those are all headaches, and they are not the only headaches. But here are some thoughts on things that can help: - If I recognize which parts of my system are "immutable" and which parts are "mutable", it's easier to frame how my system works. - /var/ is mutable, it's data. There's no making this "reproducible" really: it needs to be backed up and moved around. - My packages and system are immutable, or mostly should be. Even if not using a perfectly immutable system like guix/nix, it's helpful to *act* like this part of the system is pseudo-immutable, and simply derived from some listing of things I said I wanted installed. (Nix/Guix probably do this the most nicely though.) - /etc/ is similarly "immutable but derived" in the best case. I should be able to give the same system configuration inputs and always get the same system of packages and configuration files. - I like Guix/Nix, but my usage of Debian and Fedora and friends is not going away anytime soon. Nonetheless, configuration management systems like puppet/ansible/salt help give the *illusion* of an immutable system derived from a set of inputs, even though they are working within a mutable one. - Language packaging for deployment needs to die. Yes, I say this as a project that advocates that very route. We're doing it wrong, and I want to change it. (Language packaging for development though: that's great!) - Asking people to use systems like ansible/salt/puppet is asking users too much. You're just asking them to learn one more layer on top of knowing how the whole system works. Sharing common code is mostly copy and paste. There are some layers built on top of here to mitigate this but afaict they aren't really good, not good enough. (I am working on something to solve this...) - Pre-built containers are not the solution. Sorry container people! Containers can be really useful but only if they are built in some reproducible way. But very few people using Docker and etc seem to be doing this. But here's another thing: Docker and friends contain their own deployment domain specific languages, which is dumb. If a reproducible configuration system is good enough, it should be good enough for a VM or a container or a vanilla server or a desktop. So maybe we can use containers as lightweight and even sandboxed VMs, but we shouldn't be installing prebuilt containers on our servers alone as a system. Otherwise else you're running 80 heavy and expensive Docker images that slowly go out of date... now you're not maintaining 1 distribution install, you're maintaining 81 of them. Yikes! Good luck with the next Shellshock! - Before Asheesh jumps in here: yes I will say that Sandstorm is taking maybe the best route as in terms of a system that uses containers heavily (and unlike Docker, they seem actually sandboxed) in that it seems to have a separation between mutable parts and immutable parts: the container is more or less an immutable machine from what I can tell that has /var/ mounted *into* it, which is a pretty good route. In this sense I think Sandstorm has a good picture of things. There are other things that I am still very unsure about, and Asheesh knows because I have expressed them to him (I sure hope that iframe thing goes away, and that daemons like Celery can run, and etc!) but at least in this sense, Sandstorm's container story is more sane. So there are some reflections in case you are planning on debugging why these things are hard. - Chris PS: If you haven't gotten the sense, the direction I'm thinking of is more along the lines of Guix becoming our Glorious Future (TM) assuming something like GuixOps can happen (go Dave Thompson, go Guix crew!) and a web UI can be built on top of it with some sort of common recipe system. But I don't think our imperative systems like Debian are going away anytime soon; I certainly don't intend to move all my stuff over to Guix at this time. For that reason, I think there needs to be another program to fit the middle ground: something like salt/ansible/puppet, but with less insane one-off domain specific languages, with a sharable recipe system, and scalable both from developer-oriented scripts but also having a user-friendly web interface. I've begun working on this tool, and it's called Opstimal. Expect to hear more about it soon. _______________________________________________ Userops mailing list address@hidden http://lists.mediagoblin.org/listinfo/userops