“Like most people that create networks I did not realize that the Mac Mini includes 3 high speed network interfaces and that with a little bit of work and the right architecture they can be used to operate in much the same manner one would see in a high-end network operations centers. I manage one such NOC and I wanted my home network to function like most companies who do serious business online.”
I understand the “geek factor” and all, but wouldn’t you still be better off buying an Xserve to do this kind of thing? (assuming you wanted the “mac” environment on your servers – I love apple, I run OSX, but damn – they really don’t seem to give a crap about enterprise servers. I had to live with a broken mysql/php config, or fix it myself for patch after patch. They finally sorted it out. That’s a glaring bug they were well aware of. That is one of MANY issues I have with OSX Server. I had to ditch it and return to my FreeBSD/Solaris roots.)
To get back to topic (just making sure it’s really your choice to go with OSX Server), all those mac minis still won’t even come close to performing as well as a G5 Xserve, never mind the Intel-based model that I’m sure isn’t far off. Not to mention all the time you spent (I suppose you could count some as learning experience) is worth something. I don’t know what NOC you work at, but most of the NOC managers I know make 100-400k/year. Even at 100k, that’s 50 bucks an hour.
So all that time “converting” something that really has no place in a data center into a hacked together semi-cluster, plus the upfront cost of the three minis, plus whatever was spent on parts for upgrades/etc.. yeah… not a financially viable project. Not to mention I wouldn’t trust that equipment in production (WIRELESS NETWORK??) any more than I’d trust 3 year olds to build a DSP out of legos.
All of that being said, if you did it as a learning experiment or just out of boredom and the “let’s see if I can do it” factor, then more power to you, nice writeup. If you did it seriously intending on having production quality service, I suggest you put the minis back to original condition, sell them on eBay, and go buy an Xserve (or even a used G5 tower or something.) If you really want something production stable, go buy a nice true server from a good vendor (Sun sells some good cheap hardware) and slap *BSD, Linux, Solaris, or whatever you fancy. Learn from my mistakes, OSX Server isn’t there yet. I hope 10.5 makes Apple change their policy and actually produce a usable, production quality Server OS. If all you want is AFP, OSX Server 10.4 will work admirably. Start getting into heavy web services and so on, and you’re going to be sucking your thumb in no time, rocking in a corner, waiting on Apple to fix enormous bugs (and then it never happening.)
I’m also a Solaris/FreeBSD guy and don’t understand the economics of it either. For the price of three minis and two mini port devices, he could have purchased a very powerful workstation or server and run the software on some Solaris 10 zones or FreeBSD jails. In the process, he may have actually learned something useful in a real business environment. Oh well. At least it was geeky and well presented and an exercise he likely enjoyed anyway.
Note to anyone else. Look into Solaris 10 zones/containers or FreeBSD jails, a much more elegant, and powerful, solution.
he could have purchased a very powerful workstation or server and run the software on some Solaris 10 zones or FreeBSD
I think part of this project was to show to people without technical know how of these OSes, that with a few minis and an afternoon, they can make the leap into serving.
I have no idea how to admin FreeBSD or Solaris or even set them up. (I have no idea how to do this for Ubuntu, either.)
On the other hand, getting to and setting up the server tools in regular OS X can be done in about 15 minutes and requires no trips to the command line to get a basic (and secure, provided you know what you’re doing there) server up and running.
There are home users or small shops that could take advantage of this.
Plus, it’s just kinda cool and fun … like setting up a floppy RAID.
“Plus, it’s just kinda cool and fun … like setting up a floppy RAID.”
or a Beowulf cluster of Apple IIGSes.
Well, that was the intent of my post. To show people there are better alternatives, and give them some direction. If you don’t have the technical know-how, the whole point of the project would be to attain it! You’d open yourself up to a whole world of possibilities job-wise, and you’d gain a lot of valuable insight in real world situations.
For the home users/small shops, again – you wouldn’t run anything production on three minis! Get a used Xserve and go for it if you want OSX Server!
Floppy RAID – lol. No comment. P (But it would be REALLY funny to see a picture of that thing!)
Here it is:
http://ohlssonvox.8k.com/fdd_raid.htm
Also Apple page with mac mini cool ideas, not 101 ways but a start:
http://www.apple.com/macmini/bigideas.html
I am not trying to bash you here ormandj so please don’t take this as such.
You kinda missed the point.
He is not assembling something to run in a data center. He wants a small NOC knock-off (heh heh) that he can run from his desk. I had a spare dual G4 lying around, but if I didn’t I think this would be a great solution.
Also, the current cheapest XServe you can get right now is 3K US. How is this not more economical, even with the investment in time?
Edited 2006-02-10 23:11
No offense was taken! I certainly understand your standpoint, but that kind of “cluster” can be done relatively easily in software. (some other posters mentioned zones/jails, that’s pretty much the theory. It’s like having a totally separate machine, including its own ip/range of ips.)
About the Xserve, you can find them used for much less. Even a dualie g4 would be better suited to this, because of the level of hw/sw interaction, he’d have full fault monitoring etc.
As he works in a NOC, he should be familiar with unix as well. I don’t know any NOC management who haven’t worked on unix boxes extensively. Unless he works at a mac only data center (????) which I’m not sure even exists.
No offense was intended either, as I mentioned in my first post, if he did this to learn or as a “I wonder if I can” project, then most excellent. He did a great job writing it up too. I was just trying to explore a more suitable method for doing this, that would lead to very useful experience in the “Real World”. Nobody would put a 3 mini server setup in a production environment unless they were insane. I just wanted to clarify this for people who were thinking “oh I should go buy 3 minis, and then I can be a webhost!” or something like this. Even if you want OSX, you’d be much much better off getting server-class hardware, even used.
The best alternative (right now) would be to put together a x86/x64 box for less than the cost of those three minis, and be an order of magnitude faster, and much much more stable. You could actually put that in production too. Not to mention it would look pretty good on your resume to have the associated experience. It really isn’t that difficult. That’s all.
I think this was very nice, and something I’m sure many of us have been wondering about. Especially those of us who aren’t Unix types and don’t want to mess with all that, but might want to have a small little setup with a mini. If you’re someone who, say, has a small hosting need, this could be the start to something, or for a house with multiple users it’s a good starting point.
A mini is a cheap computer and the more uses people find for it the better. It’s a great little platform for so much stuff, and surely will get better when they make an intel version with a bit more grunt, and maybe an eSATA port.
I expect a huge market of add ons over time. Like PVR devices, and routers and such that use the same form factor.
I think apple should leverage this. Put up how-to pages on how to do this kind of thing with a mini. A website (101 ways to use a mini). And give people all sorts of ideas and how-tos to get them buying them. I’m thinking someday apple will create a dotmac@home app where people can buy a mini and run a setup just like .mac but at home for their home network.
Can someone tell me what those things are between the Mac minis? I don’t really keep track of Apple hardware accessories, and to me the backs of those things look like the backs of computers smaller than the minis but with more ports.
They’re newerTech miniStacks. Essentially, an external 3.5 inch hard drive enclosure with extra firewire and usb ports to also act as a hub.
I’m not sure I follow, is he simply using “public” and “private” interfaces on each of his boxes as a form of isolating traffic from the private and public (internet) networks?
‘Cause if so then, wow, that’s a bad design.
For someone that works in a NOC, I would have expected to see the publicly-accessible servers physically isolated from anything on the internal network. That’s the whole point of a DMZ. Why not strip down the services on one of those Mac Minis so that it is strictly running a firewall with NAT capability, and filtering traffic into and out of the DMZ whether it’s coming from the internal network or the internet. I think that would have been a more useful example of deploying the different network interfaces simultaneously (internal/external/DMZ), which I think was the whole point of the article.
The reason is that if one of those machines accepting internet connections ever gets compromised, it can’t be used to launch an attack against the internal network. His design, unless I’m missing something, would open his network to attack if one of those systems was hijacked. Even small business networks, let alone a NOC, would never allow a public machine to directly touch the private network. Bad bad bad. The cheapest SOHO firewalls will usually even physically isolate the DMZ.
I dunno. I guess it served fine as a “why not for the sake of it?” article, but I’d hope the average naive home user would take it with a grain of salt and not try and expose their home systems this way.
Just my 2c.
I’ve often been curious how to isolate the private/public network sectors. You had mentioned it isn’t good practice to allow a public machine to touch the private network. Can you elaborate on how to avoid this in a small business or even home network setup?
pd
I’ve often been curious how to isolate the private/public network sectors. You had mentioned it isn’t good practice to allow a public machine to touch the private network. Can you elaborate on how to avoid this in a small business or even home network setup?
That’s where the DMZ comes in. You need a firewall with three interfaces: public (main internet connection), private (internal network) and DMZ (public servers, web, ftp, mail, dns etc.).
The firewall should be configured appropriately to direct incoming connections from the internet into the DMZ only, but not into the private segment. It should also allow connections from the private network into the DMZ. But connections from the DMZ into the private network are blocked.
That way if somebody hacks your web or mail server, for instance, the firewall would still prevent them from accessing your private network. Yet connections from the private network to the DMZ are allowed unimpeded.
That’s it in a nutshell; some companies, particularly enterprises, go further and actually segment networks within the organization, and prevent them from touching each other directly or only specific services, as a method of preventing worm/trojan outbreaks. For extra security, the firewall should be configured to only permit services that are expected, whether coming from the internal network or the internet, and drop all others.
You can do this with a hardened version of *nix running on an applicable platform as long as you have enough network ports. But frankly, proper SOHO firewalls (not to be confused with cable/dsl routers) are cheap enough that they are a valuable investment for any net-connected business nowadays. Of course they also scale up into tens or even hundreds of thousands of dollars, but even a $500 firewall operates basically the same as a $50,000 firewall. The principles are the same.
In the context of the article, one of the mac minis could have been configured in a similar manner; three ports, one internal, one external and one DMZ. May even work well enough, as long as the services were all shut down and there was no method of compromising the box; would be a bit of a waste though, when even a ten year old pentium box has enough horsepower to run a small business/home office firewall. When deploying a software based firewall, you should *never* run any additional services, it should be dedicated solely to firewalling (hence my comment that it would be a waste to use a mac mini for that purpose), extra services risk opening additional attack vectors and can bottleneck the network by wasting cpu cycles.
Anyways, hope this helps. Google is your friend, there are a ton of resources on the net to help you out as well.
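The three-legged DMZ policy laid out in the reply above (and the isolation concern raised earlier in the thread about a compromised public server reaching the internal network) as an added example, not code from the thread or from any firewall product: a small stateful policy evaluator in Python that applies the zone rules to constructed traffic and shows why replies from the DMZ pass while DMZ-initiated connections inward do not. The address ranges, the published service list and the DMZ_OUTBOUND allowance for outbound mail/DNS are assumptions.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
# Constructed address plan for the firewall's three legs (an assumption, not from the thread).
ZONES = {"private": ip_network("192.168.1.0/24"), "dmz": ip_network("192.168.100.0/24")}
# Services the DMZ is expected to publish to the internet; anything else is dropped.
DMZ_SERVICES = {("tcp", 25), ("tcp", 53), ("udp", 53), ("tcp", 80), ("tcp", 443)}
# What DMZ hosts may initiate towards the internet (assumed: outbound mail and DNS only).
DMZ_OUTBOUND = {("tcp", 25), ("udp", 53)}

Packet = namedtuple("Packet", "src sport dst dport proto")  # proto is "tcp" or "udp"

def zone_of(addr: str) -> str:
    """Map an address to private, dmz, or public (anything not in ZONES)."""
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "public")

class ThreeLegFirewall:
    """Stateful filter: new connections are judged by zone pair, replies by the state table."""
    def __init__(self) -> None:
        self.state = set()  # 5-tuples of connections already permitted
    def decide(self, pkt: Packet) -> str:
        # Replies to a permitted connection pass, so a DMZ web server can answer an
        # internal client even though the DMZ may never initiate towards private.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.state:
            return "allow"
        src, dst, svc = zone_of(pkt.src), zone_of(pkt.dst), (pkt.proto, pkt.dport)
        if src == "private" and dst in ("dmz", "public"):
            verdict = "allow"  # inside may initiate to the DMZ and the internet
        elif (src, dst) == ("public", "dmz") and svc in DMZ_SERVICES:
            verdict = "allow"  # internet reaches only the published DMZ services
        elif (src, dst) == ("dmz", "public") and svc in DMZ_OUTBOUND:
            verdict = "allow"
        else:
            verdict = "drop"  # default deny: every dmz->private and public->private attempt
        if verdict == "allow":
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return verdict

def run_scenario() -> dict:
    """Constructed traffic: 203.0.113.7 is an internet host, 192.168.100.10 the DMZ web server."""
    fw = ThreeLegFirewall()
    return {
        "internet_to_dmz_web": fw.decide(Packet("203.0.113.7", 40000, "192.168.100.10", 80, "tcp")),
        "internet_to_dmz_ssh": fw.decide(Packet("203.0.113.7", 40001, "192.168.100.10", 22, "tcp")),
        "internet_to_private": fw.decide(Packet("203.0.113.7", 40002, "192.168.1.20", 445, "tcp")),
        "private_to_dmz_web": fw.decide(Packet("192.168.1.20", 50000, "192.168.100.10", 80, "tcp")),
        "dmz_reply_to_private": fw.decide(Packet("192.168.100.10", 80, "192.168.1.20", 50000, "tcp")),
        "dmz_new_to_private": fw.decide(Packet("192.168.100.10", 3333, "192.168.1.20", 445, "tcp")),
    }
```

The last two entries are the point of the design: the web server's reply to an internal client is permitted by state, but a fresh connection from that same server into the private segment is dropped.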