Debian hardened, and a bit about new Sun hardware

n0cmonkey

Elite Member
Jun 10, 2001
Here

From /.:
"Debian Hardened is a new project that wants to be an official Debian sub-project. It aims to provide a complete tree of hardened kernel and software packages for a standard Debian distribution, without changing to another distribution like Adamantix, and to make it easy to harden any machine running Debian GNU/Linux. The hardened kernels use the grSecurity patch and some of the Adamantix kernel patches; also, its packages are compiled with the ProPolice/SSP gcc extension and some libraries to prevent and trace buffer overflow attacks. Also, as a second project, we are working on some enhancements to the Linux Entropy Pool engine, using an external TRNG (True Random Number Generator) device which uses thermal noise and also the atomic decay from a Geiger counter, making truly unpredictable random numbers."

I tried to post something more inflammatory, but decided to stop myself. It's good to see someone doing this with Debian though. :)
 

drag

Elite Member
Jul 4, 2002

Debian needs a little bit of hardening. I don't think that this has a chance to be integrated into mainstream Debian, but anything helps.

Debian is pretty good about this sort of thing normally, but only in traditional senses... Unix permissions, suid stuff, and all that. But propolice and stuff like that would be nice.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: drag

Debian needs a little bit of hardening. I don't think that this has a chance to be integrated into mainstream Debian, but anything helps.

Debian is pretty good about this sort of thing normally, but only in traditional senses... Unix permissions, suid stuff, and all that. But propolice and stuff like that would be nice.

I don't see why it couldn't be another branch of Debian. Stable, testing, unstable, hardened...

I'm glad someone is doing it so I don't have to try out hardened gentoo. :p
 

drag

Elite Member
Jul 4, 2002
Why have another branch? Just pick tools/techniques that work across all platforms and integrate them into Debian unstable after some time in an experimental branch.

Debian already has plenty of little experimental branches (I've installed the experimental branch of X before), this could be another one.

Then when they get it down, integrate the patches into newer versions of GCC and stuff like that.

Why should OpenBSD be the only people with a secure by default/design operating system?
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: drag
Why have another branch? Just pick tools/techniques that work across all platforms and integrate them into Debian unstable after some time in an experimental branch.

Debian already has plenty of little experimental branches (I've installed the experimental branch of X before), this could be another one.

Then when they get it down, integrate the patches into newer versions of GCC and stuff like that.

Works for me, but it just seems a bit radical for Debian.

Why should OpenBSD be the only people with a secure by default/design operating system?

:cool:

In unrelated news, here's a picture of a 32-way UltraSPARC processor.
That's also why we changed tack with SPARC, to move away from the single thread approach, to truly parallelized multi-core computing. And not just a tepid two core approach - the internet is one massive, multi-threaded application environment. Every user is, for all intents and purposes, his own thread - whether they're shopping for chandeliers on eBay, or managing wealth at Lehman Brothers. So if you want to see what multi-core computing looks like, allow me to help. It looks like this:

It'll surely run that open source solaris they keep talking about.
 

Sunner

Elite Member
Oct 9, 1999
I think the idea of a hardened branch sounds good; I'm sure installer CDs would show up as well.
As for that 32-way SPARC, remember that it's really an 8-way CPU with 4-way SMT per core, so not a "real" 32-way.

Cool nevertheless; it will be interesting to see how things turn out. I think Sun made a wise decision in partnering up with Fujitsu for their CPU business; high-performing CPUs have never been Sun's strong point.
Of course the SPARC64 CPUs aren't up there with POWER5 or Itanium either, but the SPARC64 V seems like a good performer.

Sorry for the hardware rant, what can I say, I'm a hardware nerd :p
 

n0cmonkey

Elite Member
Jun 10, 2001
Ooooh, it's only 8 cores! :|
:p

Sun's never really focused on CPU speed, but maybe Fujitsu can inspire them a bit. Their throughput computing idea seems interesting.
 

Sunner

Elite Member
Oct 9, 1999
Originally posted by: n0cmonkey
Ooooh, it's only 8 cores! :|
:p

Sun's never really focused on CPU speed, but maybe Fujitsu can inspire them a bit. Their throughput computing idea seems interesting.

I don't remember where I read it, but apparently Sun has hired quite a few "n00b" CPU architects (if such a thing exists), which in turn resulted in piss-poor documentation for their system/software people.
That does seem to fit the situation with US-III well, seeing as they took their sweet time getting systems out the door.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Sunner
Originally posted by: n0cmonkey
Ooooh, it's only 8 cores! :|
:p

Sun's never really focused on CPU speed, but maybe Fujitsu can inspire them a bit. Their throughput computing idea seems interesting.

I don't remember where I read it, but apparently Sun has hired quite a few "n00b" CPU architects (if such a thing exists), which in turn resulted in piss-poor documentation for their system/software people.
That does seem to fit the situation with US-III well, seeing as they took their sweet time getting systems out the door.

It wouldn't surprise me. Documentation is apparently impossible to get a hold of for the US3 systems.
 

Sunner

Elite Member
Oct 9, 1999
Originally posted by: n0cmonkey
Originally posted by: Sunner
Originally posted by: n0cmonkey
Ooooh, it's only 8 cores! :|
:p

Sun's never really focused on CPU speed, but maybe Fujitsu can inspire them a bit. Their throughput computing idea seems interesting.

I don't remember where I read it, but apparently Sun has hired quite a few "n00b" CPU architects (if such a thing exists), which in turn resulted in piss-poor documentation for their system/software people.
That does seem to fit the situation with US-III well, seeing as they took their sweet time getting systems out the door.

It wouldn't surprise me. Documentation is apparently impossible to get a hold of for the US3 systems.

Well, that could very well be because of big business bureaucracy ;)
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Sunner
Originally posted by: n0cmonkey
Originally posted by: Sunner
Originally posted by: n0cmonkey
Ooooh, it's only 8 cores! :|
:p

Sun's never really focused on CPU speed, but maybe Fujitsu can inspire them a bit. Their throughput computing idea seems interesting.

I don't remember where I read it, but apparently Sun has hired quite a few "n00b" CPU architects (if such a thing exists), which in turn resulted in piss-poor documentation for their system/software people.
That does seem to fit the situation with US-III well, seeing as they took their sweet time getting systems out the door.

It wouldn't surprise me. Documentation is apparently impossible to get a hold of for the US3 systems.

Well, that could very well be because of big business bureaucracy ;)

And bugs in the US3 processors. :Q
 

drag

Elite Member
Jul 4, 2002
According to stuff I've read about it, Sun has sacrificed CPU speed for parallel processing. An Opteron should be able to run circles around that chip in single-threaded benchmarks.

However it's like torque vs horsepower...

(The formula for horsepower is torque * rpm / 5250, btw)

If you take a Chevy V8 at 400 horsepower and stick it in a Camaro it will run circles around a semi truck with a 400 hp Cummins inline-six turbo diesel.

This is because the Camaro will max out at 6500 rpm with peak torque of around 380-420 ft-lb at 3500 rpm.

The turbo diesel six will max out at 400 hp at around 2000-2500 rpm.

Thus the Camaro doesn't have to change gears until after it hits 25-30, and it will still be screaming down the road at 120 mph.

However, the difference is that at 1420 rpm the semi will be making 1200 ft-lb of torque and the Camaro will have 120 ft-lb. So the semi truck can move 20,000 pounds of crap hauling ass down the road at 85 mph due to the fact that it has something like 24 or more individual gears, while the Camaro has 6 at the most and wouldn't even make it out of the driveway with that load. (6-gear gearbox = Linux, 24-gear multiple gearbox combination = Solaris 10, or so I figure Solaris hopes.)


The Sun SPARC is like the semi's motor. It can do a hell of a lot of stuff, just slower. And the Opteron can't do nearly so much, but what it can do it can get done very fast.

The trouble is that Sun is making a gamble. Will people be suitably impressed by being able to float massive databases with no sweat, or will everybody be too busy laughing at the miserable benchmarks and huge price to notice?

Simultaneously handling 32 individual threads is some major major hardcore action. Especially when you can have dozens of these chips in one computer...

I suppose the real test of its worth is whether or not a handful of these chips can get more done by doing 32 things at the same time vs the POWER5/Itanium getting 4-8 (however many threads they can do) things done at the same time, but at a much more rapid pace.

These massive multicores are definitely the future... as the ability to get purer and purer silicon crystals on bigger and bigger wafers increases, so will transistor count, but the GHz problem is going to catch up really fast on everyone. Parallel processing is the obvious answer to increasing performance.

And Sun isn't the only one to get this. Look at what IBM is doing with the Blue Gene computers and their work with Sony and the Cell processors (very related); they are going to get something like 4 chips in Sony's PlayStation (although it may not be PlayStation 3) with up to 16 cores each in a sort of simplified PowerPC-style core setup.

Look at the BlueGene: IBM is using embedded-style PowerPC cores in a MASSIVELY MASSIVELY parallel computer and it is sitting at #4 in the current top 500 list.

And it's only experimental.

And the CPUs are only running at 500 MHz.

That computer is faster than that PowerMac G5-based network; it's only beaten out by an Itanium2 Linux cluster (1.4 GHz), the ASCI Q (1.25 GHz), and Japan's Earth Simulator. That BlueGene design is supposed to eventually be 2-3 times more powerful than the Earth Simulator when they finally get finished with it. (But I'd bet you that it couldn't run Doom3 worth a crap.)

But too many people are excited about benchmarks. And good multithreading real-world-style benchmarks are incredibly hard and expensive to do, and the results are always questionable.

Sun is doing the right thing, maybe not the correctly marketable thing though...

edit:
here is an older article explaining Sun's CMT concepts for Niagara
 

n0cmonkey

Elite Member
Jun 10, 2001
One of the things to look at is Sun's current install base. Where are they? What are they doing?

The US government is a large Sun customer. I can't say what all they use Sun machines for because I don't know some, and can't say others. ;)

Of course there are databases, webservers, and other usual tasks. Intel's P4s had issues with Anandtech's database when SMT was enabled, but we can't definitely say SMT is a bad idea for databases. It might help out with big dynamic web content, or maybe LDAP services.

But besides IRIX, Solaris is one of the biggest scalable OSes out there. I'm thinking if anyone can do it, it's Sun. Although, it would be _very_ interesting to me to see DragonflyBSD's light weight kernel threads on one of these big multithreaded CPUs. :D

But Sun probably thinks that it needs to keep these customers happy before they'll start to break into other sites. If they can increase speed when dealing with databases (ugh, Oracle :|), webserving (not incredibly processor intensive though), etc., they might not die.
 

Sunner

Elite Member
Oct 9, 1999
Sun didn't really bet on Niagara because they didn't like the idea of processors with good single thread performance, but rather because they had no chance to keep up with Intel and IBM.
Also, doing badly financially while having such a large division dedicated to MPU R&D probably isn't a good idea. I don't know about the present time, but a few years ago Sun had the second biggest team in the valley working on their CPUs, second only to Intel.
They did after all can Millennium, which would have been US-V.

But with their constant lackluster per CPU performance, it makes sense to go somewhere else for the CPUs IMO, especially seeing as Fujitsu already had their own line, no need to start up an entirely new operation, and Fujitsu will benefit as well.

One good question though, is if Sun will be able to ship Niagara systems in time? 2006 is the current shipping timeframe IIRC, by then they'll likely be fighting POWER5+ and Montecito/Tukwila, will a 1.3-1.5 GHz Niagara be able to compete with those even in heavily multithreaded applications?
 

drag

Elite Member
Jul 4, 2002
I wasn't ever too impressed with Intel's hyperthreading to begin with. I think it was more of a crutch to compensate for very inefficient chip design, more than boosting multithreaded applications.

That application webserver is definitely what Sun is aiming for. That has to be it.

The only way you're going to be able to handle large databases with people connecting on 10 Mbit/s lines is going to be massive parallelization. Plus it's one of the few things that is going to grow...

Sun's current customers are fine, but unless they are aiming for new customers they have no future. Lots of stuff they were able to do in the past was because they were the only ones that could do it. Now you have IBM competing directly with them, as is Intel. They have MS flailing violently trying to get into more big databases and large storage arrays (and failing mostly, thankfully).

And even though Sun's execs like to dog on Linux and x86, there are just some things that clusters do BETTER than a high-end machine with 64 processors.

Take LiveJournal blogs. It's one of the more popular and massive things out there. And it runs Linux and almost ALL content is dynamically generated. Right now they have 1,858,285 active users, and 4,000,000+ total users. Right now it's averaging 104 posts per minute. Want to see the latest posts?

Of course security sucks, but it has more to do with the attitude of the guy than the actual setup. How often do you suppose LiveJournal people get "JRun"-type errors (oh, and it runs MySQL)?
here for slide show

It's all through disposable commodity computers working in parallel with memory-cached everything, and multiple redundant master and slave databases and separate multiply redundant diskless webservers, and all sorts of hocus pocus.

That and IBM, and Intel. That's what Sun is up against.

What this would be good at is the big database. Big big application databases running Solaris. Big hulking databases that have their information updated on an almost continuous basis by hundreds of other smaller databases running on lesser computers and connected to the internet in a dozen different places. Dozens of different front-ends running on dozens of different commercial websites.

Maybe the core of an intranet. Everything running on big Unix servers, Java applications galore. The desktop becomes mostly just a place to get into the intranet. Stuff like that is what I figure Sun wants.

Targeting big heavily structured intranets and internet web application servers. Lots of competition...
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: drag
I wasn't ever too impressed with Intel's hyperthreading to begin with. I think it was more of a crutch to compensate for very inefficient chip design, more than boosting multithreaded applications.

I disagree. I think Hyperthreading (SMT, which wasn't developed by Intel) is a good idea. You have all of those wasted cycles, so if using them on something like this can help, go for it.

That application webserver is definitely what Sun is aiming for. That has to be it.

The only way you're going to be able to handle large databases with people connecting on 10 Mbit/s lines is going to be massive parallelization. Plus it's one of the few things that is going to grow...

Sun's current customers are fine, but unless they are aiming for new customers they have no future. Lots of stuff they were able to do in the past was because they were the only ones that could do it. Now you have IBM competing directly with them, as is Intel. They have MS flailing violently trying to get into more big databases and large storage arrays (and failing mostly, thankfully).

To expand on my "focus on the existing customers" point: Some of the current customers aren't happy with performance. If Sun can keep those customers happy, the word will spread. Management and the grunts will move on to new jobs, get relocated to different positions, etc. They will bring their "Sun is great!" attitude with them, and possibly expand Sun's market share.

What this would be good at is the big database. Big big application databases running Solaris. Big hulking databases that have their information updated on an almost continuous basis by hundreds of other smaller databases running on lesser computers and connected to the internet in a dozen different places. Dozens of different front-ends running on dozens of different commercial websites.

Network Solutions (when they were still the evil Network Solutions) switched from an IBM box (can't remember which one) to an E10k a few years ago for their registrar services. Think about how a box with a couple of these Niagaras could handle DNS lookups, whois lookups, etc. It could be amazing. Big, expensive (not that DNS servers are expensive or anything) applications that are the infrastructure of the internet.

Maybe the core of an intranet. Everything running on big Unix servers, Java applications galore. The desktop becomes mostly just a place to get into the intranet. Stuff like that is what I figure Sun wants.

Targeting big heavily structured intranets and internet web application servers. Lots of competition...

I wonder how these would perform for the backend server of a thin client network? Maybe Sun should push their sunrays a little harder. :D

*BTW, I'm adding a bit to the title of the thread since we went waaaay OT. :p
 

Sunner

Elite Member
Oct 9, 1999
Network Solutions (when they were still the evil Network Solutions) switched from an IBM box (can't remember which one) to an E10k a few years ago for their registrar services. Think about how a box with a couple of these Niagaras could handle DNS lookups, whois lookups, etc. It could be amazing. Big, expensive (not that DNS servers are expensive or anything) applications that are the infrastructure of the internet.
Probably quite well ;)
Unfortunately Niagara isn't SMP capable, unless that's changed recently.
Big cluster of Niagaras perhaps :)

*BTW, I'm adding a bit to the title of the thread since we went waaaay OT.
I take credit for that ;)
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: Sunner
Network Solutions (when they were still the evil Network Solutions) switched from an IBM box (can't remember which one) to an E10k a few years ago for their registrar services. Think about how a box with a couple of these Niagaras could handle DNS lookups, whois lookups, etc. It could be amazing. Big, expensive (not that DNS servers are expensive or anything) applications that are the infrastructure of the internet.
Probably quite well ;)
Unfortunately Niagara isn't SMP capable, unless that's changed recently.
Big cluster of Niagaras perhaps :)

Multiple cores is SMP, isn't it?

But with 8 cores, multiple processors aren't really necessary right away...

*BTW, I'm adding a bit to the title of the thread since we went waaaay OT.
I take credit for that ;)

I technically started it. :p

Debian's boring anyhow. They're just doing old OpenBSD/hardened Gentoo stuff anyhow. ;)
 

drag

Elite Member
Jul 4, 2002
I wonder how these would perform for the backend server of a thin client network? Maybe Sun should push their sunrays a little harder. :D



Exactly. That's what everybody is aiming for. They are going to beat MS, not by making desktops that are better than Microsoft's, but by simply making expensive desktop OSes obsolete.


All good software lasts forever. It merely gets cheap. Look at compilers for instance. How much would a company have had to pay 10 years ago to get a good C compiler? Hell, now even MS gives theirs away.

Look at Mono, look at IBM's "run 20 Linux servers" (X client servers?) on their mainframes/big servers.

Look at Java. Look at all this stuff.

Red Hat's new "stateless" desktops. Instead of having plug-and-play hardware, you have entire plug-and-play computers.

Buy a new desktop, plug it into a network. Boot it up. Instant "fat" client, everything automagically pulled down from a server.

You know how Knoppix can boot and configure an entire computer and have a running desktop OS in under 5 minutes? Make the same situation workable under a corporate network...

LTSP, all sorts of stuff.

That's exactly the target that IBM and Novell and Sun are aiming for...


I want an entire corporate network of computers, PCs, databases, everything. One giant cluster. The Network is the Computer...

 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: drag
I wonder how these would perform for the backend server of a thin client network? Maybe Sun should push their sunrays a little harder. :D



Exactly. That's what everybody is aiming for. They are going to beat MS, not by making desktops that are better than Microsoft's, but by simply making expensive desktop OSes obsolete.

And instead go with expensive hardware? There's a problem for Sun where they could do much better on the thin client side, especially with the hardware they're using (HYPERSPARCS?!). Those SunRays are like $600+ apiece. Definitely neat though. I only got to play with them for a couple of minutes, but I think it's almost the perfect solution for a corporate network.

But the benefits just aren't there for enthusiasts, like the ones on this site. It's also an issue for home users, until broadband gets bigger.
 

drag

Elite Member
Jul 4, 2002
You centralize the expensive hardware in the servers. That's where the work goes; that's where the effort and reliability come from.

Look, you already need big expensive server farms. That's not going away. That's what those big companies want: big, expensive, reliable, secure. Everything centralized. No downtime, reduce costs through reliability and performance, not server hardware.

If Sun were to sell cheap thin clients, they are going to have to compete against places like Walmart.

I can go and get a 300-dollar computer. 700-800 dollars with monitor and speakers and a free printer.

Is Sun going to be able to compete against VIA's mini-ITX hardware (think high-speed encryption....)? I don't think that their ego will allow that.

I figure "Thick" clients are the future. Thin could be in; it will at least lead to real competition in the desktop if it works out...
 

Sunner

Elite Member
Oct 9, 1999
Originally posted by: n0cmonkey
Originally posted by: Sunner
Network Solutions (when they were still the evil Network Solutions) switched from an IBM box (can't remember which one) to an E10k a few years ago for their registrar services. Think about how a box with a couple of these Niagaras could handle DNS lookups, whois lookups, etc. It could be amazing. Big, expensive (not that DNS servers are expensive or anything) applications that are the infrastructure of the internet.
Probably quite well ;)
Unfortunately Niagara isn't SMP capable, unless that's changed recently.
Big cluster of Niagaras perhaps :)

Multiple cores is SMP, isn't it?

Bleh, you know what I mean :p
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: drag
You centralize the expensive hardware in the servers. That's where the work goes; that's where the effort and reliability come from.

Look, you already need big expensive server farms. That's not going away. That's what those big companies want: big, expensive, reliable, secure. Everything centralized. No downtime, reduce costs through reliability and performance, not server hardware.

If Sun were to sell cheap thin clients, they are going to have to compete against places like Walmart.

I can go and get a 300-dollar computer. 700-800 dollars with monitor and speakers and a free printer.

Is Sun going to be able to compete against VIA's mini-ITX hardware (think high-speed encryption....)? I don't think that their ego will allow that.

I figure "Thick" clients are the future. Thin could be in; it will at least lead to real competition in the desktop if it works out...

I just looked and their cheapest thin client is $359.00. But that's with no monitor. It's the cool one too. :p

"Thick" clients are interesting, but I think a thin client is an even better solution, unless the thick clients updated themselves every time they booted up. Also, the fact that I can leave my Sun thin-client-equipped cubicle, move to another cubicle, and pick up exactly where I left off is just amazing.
 

Sunner

Elite Member
Oct 9, 1999
Originally posted by: n0cmonkey
Originally posted by: drag
I wonder how these would perform for the backend server of a thin client network? Maybe Sun should push their sunrays a little harder. :D



Exactly. That's what everybody is aiming for. They are going to beat MS, not by making desktops that are better than Microsoft's, but by simply making expensive desktop OSes obsolete.

And instead go with expensive hardware? There's a problem for Sun where they could do much better on the thin client side, especially with the hardware they're using (HYPERSPARCS?!). Those SunRays are like $600+ apiece. Definitely neat though. I only got to play with them for a couple of minutes, but I think it's almost the perfect solution for a corporate network.

But the benefits just aren't there for enthusiasts, like the ones on this site. It's also an issue for home users, until broadband gets bigger.

Yeah, we bought a bunch of SunRays when they were relatively new; they were only ~$250 at the time.
Now they're damn near as expensive as the low-end boxes we buy (HP with a 2.6 GHz P4, 256 MB and a 17" LCD).
Insane.