[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

RE: Look for help on windows server platform

From: <Steve.Craft_at_sungard.com>
Date: 2006-06-08 17:46:31 CEST

"Andy Levy" I'm not 100% sure why "linux as a subversion server is

better". As far as I know, Apache==Apache, Subversion==Subversion,

etc. Can someone elaborate on that? wrote:

>>>> I'm not 100% sure why "linux as a subversion server is better".


>>>> As far as I know, Apache==Apache, Subversion==Subversion, etc.


>>>> Can someone elaborate on that?


> There are still a bunch left: finding all the services to turn them

> off is amazingly painful. And go ahead, try to turn off the

> read-write sharing of C:$, which is carefully not mentioned as being

> exported by default if you have Windows file sharing turned on at

> all, even if you try to set it up only as a client. That is such a

> blazing level of stupidity that most other shared resources pale in

> comparision.

. I think "amazingly painful" is a stretch. Setting the Server

  service and Computer Browser service to Manual Start

  and set the Registry

  HKLM\System\CurrentControlSet\Services\Browser\Parameters to "No"

  pretty much does it.

> If you have to reboot to do an update, you have to wait until a safe

> time to do so. For core servers, it may be days or even weeks before

> it can be scheduled. This delays security updates. And it's very

> difficult to tell, in advance, which Windows updates will require a

> reboot, so you can easily wind up with a "I can't do the next

> security update because it's awaiting a reboot for the last one."

> It's gotten better, but it is most certainly not fixed.

. With Automatic Updates set to download but not install, the lists of

  the patches come down and can be looked up on the MS Technet site.

  It would be nice if the list had the patch URI embedded though.


> Also, rebooting is one of the most likely times for a system to fail

> altogether and should not be done lightly on a core server. On a

> desktop, where downtime is less expensive, it can be a useful

> debugging tool. But on a Subversion server, or a core server of any

> other kind? You do *NOT* want to interrupt someone in the middle of a

> checkout!

. In a large environment, there is a planned maintenance window when

  servers are generally unavailable, regardless of OS. In a

  small environment, in my experience it's easy to communicate with

  "everyone" that the server has to be taken down. The only time

  I have seen a server restart be at issue was with a 6-year-

  old NT4 cluster server that had been on for years, and there was

  a fear that the disks had "sticktion" and might not come back.

>>> Security, since tools like SSH and sudo allow much safer and easier

>>> management of user accounts and administrative privileges.


>> These facilities exist with Windows, it's a matter of administrators

>> using them and applications not assuming you've always got Admin

>> rights. Active Directory allows an insane level of control.


> Which almost no one knows how to implement to that level, and thus

> winds up badly setup and easily subverted. I've got stories and

> scars: we should talk off the list if you're curious: the number of

> careless Windows admins who just give their user accounts domain-wide

> "Administrator" privileges, simply to deal with software

> installations or other system level operations on a set of machines

> without having to log in as another user and wind up without their

> bookmarks and profiles, is amazing.


. Yep.

>> Office tools (and most other desktop applications) would have no

>> place on a Subversion server in the first place, so I don't see how

>> this is relevant.


> You've never logged directly into the system to write the report,

> present screenshots as part of a training document, walk other admins

> through core operations, and to get cut&paste operations on the

> configurations to work for your document? Or to run spreadsheets

> showing licenses or component numbers? Or needed to open up the Word

> document or the calendar tools on the server itself while doing the

> work they called for? Admittedly, some of the Word viewers have

> gotten a lot better, and you can install OpenOffice or StarOffice for

> better security of the actual tools. But you'd better believe people

> use office suites on servers!

. I've never logged onto a system to write a report. The servers serve.

  I have used VNC or RDP or ICA on the server for screen shots,

  copy+paste to Word on my desktop. Ditto for accessing spreadsheets or

  anything else that is not a PDF or text file. Actually, for text

  files I like UltraEdit's ability to read/write over SFTP, so with

  Cygwin SSH running on the server I use UltraEdit to modify config

  files, so now I don't even use Notepad on the server.


> If not, you've had a lot better success with remote desktop tools and

> writing documents with them than I've had.


>>> Vastly easier duplication of a server setup to new or replacement

>>> hardware.


>> Tools exist for Windows to make a master image and "clone" it to set

>> up multiple boxes quickly.


> Yes, and they're notorious for not working well across even slightly

> differing hardware platforms. The Windows registration itself

> constitutes a serious problem for which there are workarounds, but

> they're painful. And I dare you to image one Windows machine with a

> different SCSI controller to another. It's fraught with adventure.


> That's relatively easy iin Linux: edit /etc/modprobe.conf and

> /etc/fstab and /etc/mtab, at most, for most such hardware revisions.

. SCSI as a boot disk is definitely an exercise in Windows pain when

  it comes to moving disks between hosts. I think that applies to

  a very, very, small set of folks though. I think the 99.5% of the

  planet that uses IDE would never know about this problem.

>> Hot failover and high availability hardware costs money regardless of

>> your OS. What stops you from using the same tools to keep mirrors of

>> a repository on Windows? Perl, Python, SVN, rsync, ssh, etc. all have

>> Windows ports.


> Yes, they do cost money. They tend to cost a lot *less* money with a

> modest Linux setup than with the necessarily over-powered and

> expensively licensed Windows setups, for which on various occasions

> I've successfully convinced people to buy or repurpose one or for

> good failover, 2 modest hardware platforms running Linux instead of

> investing in a much more expensive server class Windows system.


> Setting up the hot mirroring turns into a bit of an adventure for

> Windows: my experience there is more with desktop mirroring, but

> rsync is nowhere as fast and effective as I'd like under Windows, I

> assume due to the NTFS file ownership fun and games.

. What is a lot less money? What is the context? In an extremely small

  shop (6 folks) where every dollar was squeezed, and nobody cared

  if/how time was spent in the case of an emergency, two Linux servers

  did the job fine as primary server with rsync'd files to another one.

  For a larger place, where time equalled money, enterprise

  agreements already existed for client access licensing, and the

  hardware platform was standardized, comparing a commercial-quality

  distribution/package Linux to Windows came out to a 10% dollar

  savings, and Microsoft still had an after-sale support infrastructure

  that the other provider could not match.


>> As for the later arguments of "remote administration" and

>> "scriptability" lacking in Windows servers, those may have been good

>> arguments 6 years ago. But not today.


> How about last year? Seriously, there is a plethora of systems

> configuration that is feasible in Windows only with a good GUI but

> which is doable in Linux in very easy text-only editing or simple

> scriptable management tools. These especially include package

> management, and oh-my-stars-and-garters does it include

> spyware/adware/malware management.

. v2.0 of the .NET Framework today gives really, really, good access

  to the APIs that make Windows Windows. I think there is a

  Linux edge in text-file-based and scriptable configuration,

  but it is extremely slim these days. Anyway, If I have to search

  newsgroups for a couple of hours to understand which .conf files

  to edit under a Linux, or search web sites for a couple of

  hours to understand what kind of .vbs I have to write to do the

  same thing under Win32, I still spent a couple of hours.


> I'm sorry, but sometimes a user of a server has to poke websites to

> get software updates and look for relevant information about the

> software. For Subversion, the websites are not adware prone, but for

> numerous sites they are. Quite a few of them will actually screw up

> your DNS operations, and those are nasty pieces of work to

> accidentally wind up with on a server. It's a nasty world out there:

> Windows 2003 Server may be better secured and gotten better than

> Windows used to be about these problems, but I wouldn't compare it to

> a good UNIX or Linux system yet in the features I've mentioned.

. If you were using a *nix host, logged on as root, and went to a

  bad site that silently installed malware, the machine would be

  in just as much trouble. The problem is using the machine as an

  priviledged user, which you probably are if you have a console/

  desktop open on the server.

  One thing I do in my travels is browse the web from my desktop,

  and if there is a download I need I get it on the desktop and

  SFTP it over, or copy download URI to the clipboard and paste

  it to the server in a wget command.

  My desktop has all the browser bells+whistles+plugins+protections,

  installing them on the server (any server) is just a pain in

  the first place.

I know it sounds like I have drunk the Microsoft Kool-Aid,

but really, I've yet to see a Win 2003 server setup by

anyone with a clue in worse shape than a Linux server

setup by anyone with a clue.

A couple of jobs/lifetimes ago, a maverick setup a Red Hat

server for doing FTP and TFTP because "Windows sucks at

hat". Well, it was internet-facing and not secured

properly, and some bad people used it to base an attack

(a bit above a "zombie" attack) against a site in

another country. It was not pretty to have the FBI

in the building asking the management questions.

To unsubscribe, e-mail: users-unsubscribe@subversion.tigris.org
For additional commands, e-mail: users-help@subversion.tigris.org
Received on Thu Jun 8 17:48:14 2006

This is an archived mail posted to the Subversion Users mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.