The ‘root’ of all evil?
Thursday, May 15th, 2008 9:23AM UTC
Is root, “superuser”, or in the world of Microsoft “administrator” access needed? One of our competitors posted a recent blog about this subject. To paraphrase their posting, “We give you root so you have the flexibility to do anything you want on your Accelerator”. In case you are wondering, their Accelerator service is just marketing speak for an unmanaged VPS.
IMHO they completely missed the point and some of the blog commentators caught this. Regardless if their service is open, what they failed to mention, you are the system administrator. With that you have the responsibility of installing software, proactive monitoring, patch management, security, hardening and backups. This is fine if you are a full time system administrator; bad if you are a developer.
Cloud computing is about abstracting the technical details of your SaaS (Software as a Service) or PaaS (Platform as a Service). My favorite statement, “It just works!” applies here. What they are calling “open” is really a myth. Regardless if you have root access or not you still are locked into a specific hosting provider, OS, and the software applications you choose. Anyone that has switched dedicated server providers can attest this isn’t a small task. In addition, with the large amounts of SSH, FTP, IMAP and POP3 attacks we see its obvious proper system administration on a large scale isn’t already happening. What makes them think giving root access will make these other issues better?
Developers, for the most part, care about their development environment. In some cases yes, OS flavor does matter, but in most cases it does not. Developers typically want an environment that works and don’t have to worry about how to install and configure software packages. What’s important then? The development language and the tools that aid in the development. Giving root access to each developer (each on their own mind you) install to and configure a software package wastes time. Wading through docs, wikis, forums, and other online info trying to get a package configured, can be time consuming and frustrating experience. In some cases this requires a lot of technical skill. There has to be a better way. The better way is to offer pre-built configurations of services, programming languages and applications. This is what we offer with our HostCube service. Why reinvent the wheel each time you need a LAMP stack installed? Tools like Puppet automate this process and make it consistent.
Let me sidetrack for a minute and discuss the differences between system administrators and programmers. I’ve worked on both sides of the fence and from my experience, most developers make poor system administrators, as do many system administrators (sysadmins) make poor programmers. The mindsets are completely different. Developers care about how quickly they can develop their code and bring it into production. Sysadmins care about the stability, reliability and security of the service they are responsible for. As you can see, these two mindsets are always at odds with each other.
To solve this conflict, I believe in the traditional three tier development methodology. They are:
- Development – code that’s in flux and to “try out” new things
- Staging – some state of code that is stable and in testing before production
- Production – live code that’s being used by users, customers, vendors, etc.
This tiered environment allows for the best of both worlds and is recommended when a customer wants root access to a production server. Unfortunately I have seen many developers perform all of these tiers on their production system! In all of but the smallest of projects, this can lead disaster on many levels.
Creating a VPS for development is where I personally believe developers should/could have root. Let them play in their sandbox, break things and test out new code. Staging (which should mirror production configuration) and production should be managed by system administrators. In my opinion, developers, at least with production, should not have root access. At HostCube the value added is we perform the software installs, proactively monitor, patch management, security, hardening and backups. That’s what we’re experts in and have invested many years developing tools to automate this process. We also do realize unmanaged VPSes serve a valuable niche.