Trusting Open Source for Production...



  • So I just had a thought, which is simply when do you trust open source (freeware, community "edition") anything with any portion of your disaster recovery plan in IT (or business in general). For example, I am currently running several VMs at work on a solution that is 100% built on "community edition" software.

    Now yes, the base software (Xen Server) is built* and backed by Citrix and Community, which is fully open source now. As is NAUBackup (the current solution I use to create full VM exports weekly). I'm comfortable with this, but when did I (you) become comfortable with it, and why?

    When did it become acceptable to trust software that I (you) can't sue someone over if it fails?

    Why must we purchase software (or more specifically support for a software solution) when the very same solution is offered for free? As any rational being, I would have to say that giving up something for something offered completely free of charge seems...... insane. I'd take my chances with the free, unsupported option.

    I can carry my grocery bags to the car just fine, but if an employee offered to carry them for me at no charge, I'm almost certain I'd take that offer.

    If you wanted to give me $100 for the holidays, why would I refuse? Much like the same, why would any business refuse the benefits of free software? Free to develop. Free to F*** one's company over with software (for lack of a better expression). Or specifically choose to pay someone else to manage it / configure it and what have you.

    Why must a business or person pay money for support, if support is offered willingly by wonderful communities of people free of charge, when software is developed and improved free of charge, when issues can be troubleshot free of charge? Albeit potentially with a delay.

    But on the other hand, there is a very small promise of support in a timely manner. The norm 24x7x4 as warranty terms go, but still, is 4 hours reasonable compared to free (live with it attitude)? A 4 hour delay might very well cripple a small company in the worst cases and at the bare minimum inconvenience a large one.

    Even with "promises of a timely response" a business might get a response of "Assigned to support engineer 5" and still not hear back from SE5.

    Since open source solutions are as capable as they are, why does any business pay for software, when the open source and free to use solutions are often as capable if not as good as the paid versions? (let's exclude ESXi because, well come on...)

    Sure the entire part of having someone to yell at when things go belly up might be comforting, but the "support team" is no more at fault for the issue(s) you're experiencing than the dog who took a dump in your yard is for having to take a dump. They are simply there at the time.

    Does having someone to scream at or make the case seem that much more critical really improve your odds of recovering any more quickly? I'd have to say no. Sure, it entitles you to an expert for a set amount of time, or number of issues, but that expert likely will think you / your company are a bunch of ____________ (put something in). Now this expert would very unlikely lead you into more trouble unless they really wanted to cause harm, but that aside, of the community support I've asked for, I've never once been purposefully misguided. Or led to cause more damage to a system.

    Which brings me back to my original question: if you effectively could speak to the same experts in an open forum versus a phone call (or even in put), in either case you'd try to be kind, to the point, and express the issue as quickly as possible to find the issue. So why pay for closed source software (or software with support attached, which often is what you're actually paying for)? I'd have to correlate it to insurance: you want it in case something happens, but seldom use it, or seldom get its value.

    Yes the whole "You can't possibly know everything, or every possible configuration, or this will likely suit your needs the best". But again, if you can get the same things for free why pay for it? Strictly speaking in legal terms (US legal for simplicity, I'm not condoning theft etc.)

    I'm looking forward to seeing your responses.

    PS maybe it's just the wine talking...



  • @DustinB3403 said:

    When did it become acceptable to trust software that I (you) can't sue someone over if it fails?

    When profits were valued over internal politics and finger pointing. Being "able" to sue someone is one of those business illusions. Either you actually can't do it because most commercial software has legal indemnification leaving you out on your own if things fail or you pay such a high premium that you've lost the suit before you even start using the software.

    The idea that commercial software or having someone to blame is more important than actually having results and having your business protected is really only something that the SMB worries about. In the enterprise space yes, support is a big deal, but the idea that you are going to go around suing and/or blaming vendors for things not working doesn't fly because at the end of the day, you have to answer to the shareholders about profits and just "having someone to blame for data loss" doesn't cut it.



  • @DustinB3403 said:

    Since open source solutions are as capable as they are, why does any business pay for software, when the open source and free to use solutions are often as capable if not as good as the paid versions? (let's exclude ESXi because, well come on...)

    Enterprises often pay for that free software because they want the support team that goes with it. For example, while CentOS is super popular in the SMB space, in the enterprise companies really do opt for the RHEL version. Why? Because they get a level of support that you get nowhere else. Not support like the SMB means, though.

    In the SMB space, support generally means "I don't know what I'm doing and I want the vendor to do the IT work for me." It's a weird "passing the buck" kind of support that most of the time just means paying for someone else to do our jobs. It's just another way of hiring an MSP or whatever.

    But in the enterprise space the things that are being paid for, generally, are pretty hard core support. Not "I don't know how to configure this" but "we need the kernel to be modified to handle this specific feature." When I worked at the one bank, they paid (an arm and a leg, let me tell you) to be on the veto board for Java. Yeah, they could use Java for free. But they wanted to have the right to veto any Java release before it went public to make sure that versions that didn't meet their needs didn't make it into the wild.

    Enterprise support includes access to the developers in addition to the immediate response support teams. And those support agreements, with companies like Red Hat, Canonical, Suse, Oracle, etc. generally means responses measured in minutes or real time, not things you wait for someone to get back on.

    Long term support response issues are typically associated with the "bundled" support that SMBs try to get. SMBs don't like to pay for support, they like to buy software and feel like support is free. Enterprises typically get their software for free and pay for the support. When you pay for support you get a completely different experience because the vendor has to provide good support or you don't pay. But in the SMB the goal is to convince you to stop calling support because every call costs them money. They want you to stop calling and stop depending on them. The way that different organizations buy support changes how the interaction between them and the vendor works.



  • You know, having been the guy on the other end of the support line for some huge vendors, one of the things that I think customers rarely understand is that the commercial support person that they are calling is very often just a random IT pro who happens to know something about that product. Many times they have no special training. I've worked for some of the biggest vendors and literally had less access to resources than the customers I was supporting did. Customers often feel like the person from the vendor must have been born and raised with the vendor, have unfettered access to the deep corridors and lunch with the CEO every day. But the reality is that those support people are underpaid IT pros who got brought in three months ago because they were understaffed and have no more expertise specific to the product than the people in the forums.

    This changes when you get to talk to developers rather than support people. When you are interfacing with the people who actually make the products. In that regard, open source projects like Xen Orchestra, HA-Lizard, NodeBB, Snipe-IT, ownCloud, etc. actually blow most commercial products totally out of the water as far as support. You want to know how to fix something? The people who actually make the product come into the forum (this forum, in fact) and help out. Literally no one knows the product better than they do. Go to Microsoft for Windows support and you can't get anything like that. You get someone who can't speak English who doesn't know Windows at all that can't even get you access to people who know how to support it. Even if you have insider connections you often struggle to get basic support.

    There is really no comparison on support. And that's before you consider things like "you can fix it yourself." Can't really do that with closed source software. But open source, if you need to you are free to start fixing or modifying things. People act like that is a ridiculous thing to say but companies really do this, all the time. And it provides a level of value that closed source simply can't touch.


  • 99.5% of our Vertical applications are internally developed.. while not opensource the support is no different. We can't go to anyone else for it. We can't blame anyone else. We actually have less than open source, we can't google solutions and we can't search/ask on forums.



  • @Jason said:

    99.5% of our Vertical applications are internally developed.. while not opensource the support is no different. We can't go to anyone else for it. We can't blame anyone else. We actually have less than open source, we can't google solutions and we can't search/ask on forums.

    Excellent point. In the enterprise space the idea of working with the source for things and maintaining repositories is second nature. Pretty much every large organization is doing that stuff already.



  • @scottalanmiller and I were having a similar conversation the other day.

    I feel like you are more protected by using a product like Windows, and he is trying to convince me (and mostly doing so) that my thinking is backward on this.

    So I will be following this thread with interest.


  • You are generally less protected by Windows.. Heck if Windows has an issue it's closed source so even if you knew how to fix it you couldn't in many cases.



  • @DustinB3403 said:

    I can carry my grocery bags to the car just fine, but if an employee offered to carry them for me at no charge, I'm almost certain I'd take that offer.

    But it's not free - the store is paying that employee, and that cost is made up in higher cost of goods to you.



  • @Jason said:

    You are generally less protected by Windows.. Heck if Windows has an issue it's closed source so even if you knew how to fix it you couldn't in many cases.

    I guess my "argument" is that I trust MS more than a community to fix issues.

    The whole community thing is what I need to come to grips with, I think.


  • @Dashrender said:

    @DustinB3403 said:

    I can carry my grocery bags to the car just fine, but if an employee offered to carry them for me at no charge, I'm almost certain I'd take that offer.

    But it's not free - the store is paying that employee, and that cost is made up in higher cost of goods to you.

    Also do you trust the employee to safely put them in the car like you would to prevent damage? They don't care. And if it's a truly "free" service you have no recourse if something gets damaged.


  • @scottalanmiller said:

    Enterprise support includes access to the developers in addition to the immediate response support teams. And those support agreements, with companies like Red Hat, Canonical, Suse, Oracle, etc. generally means responses measured in minutes or real time, not things you wait for someone to get back on.

    Usually they can get to you in 2 min or less if you open a ticket, or near immediate if you call. It isn't cheap though.



  • @scottalanmiller said:

    Long term support response issues are typically associated with the "bundled" support that SMBs try to get. SMBs don't like to pay for support, they like to buy software and feel like support is free. Enterprises typically get their software for free and pay for the support. When you pay for support you get a completely different experience because the vendor has to provide good support or you don't pay. But in the SMB the goal is to convince you to stop calling support because every call costs them money. They want you to stop calling and stop depending on them. The way that different organizations buy support changes how the interaction between them and the vendor works.

    Interesting.

    Would support be more expensive for SMB if the vendors gave the product away and only charged for support? Of course SMBs probably would rarely be calling upon the vendor to make kernel fixes, etc, they would be asking for break fix support.

    But perhaps that's just not really possible, because as you said, SMBs are using this support more for augmented IT because the SMB doesn't know the product and are simply relying on the vendor to support the product (I'll admit I've done that with Cisco before - have them write the config for me when I needed a change).



  • @Jason said:

    @Dashrender said:

    @DustinB3403 said:

    I can carry my grocery bags to the car just fine, but if an employee offered to carry them for me at no charge, I'm almost certain I'd take that offer.

    But it's not free - the store is paying that employee, and that cost is made up in higher cost of goods to you.

    Also do you trust the employee to safely put them in the car like you would to prevent damage? They don't care. And if it's a truly "free" service you have no recourse if something gets damaged.

    If that person is a store employee, then I'm sure they would be covered by the store for any damage they cause, though if they put a gallon of milk on top of your bread in your trunk... yeah you'll get nothing for that.


  • @Dashrender said:

    though if they put a gallon of milk on top of your bread in your trunk... yeah you'll get nothing for that.

    That's what I was referring to.



  • Thank you for the responses, but still no one besides maybe @scottalanmiller has posted why / when businesses choose Open Source over closed source.

    Let's take for example Xen Orchestra, I just yesterday compiled the system in my home lab (running on my Xen Server Hypervisor as a VM)

    Now I doubt many people would be willing to implement and use Xen Orchestra in a business environment because well, there is no paid support. It's the community edition.

    But why not, the software is simply configured by you, supported by you, and at a substantial saving to you. Why is a solution as heavily adored by many professionals looked down upon because it's the "community edition"?


  • @DustinB3403 said:

    has posted why / when businesses choose Open Source over closed source.

    Closed/Open source is never the determining factor when choosing a solution. You have a business need and you fill that with the best solution that makes business sense. Opensource or closed source doesn't really play into it unless the goal is for customization..

    Of course I won't go into that, because it's often better to make your own solution than highly customize a pre-made one.



  • I think Jason is right.
    That's probably the long and the short of it.

    Finding a solution that provides what you need. For the SMB, that generally means a complete full product - rare is the situation when an SMB is going to code anything themselves - or outsource to have it done.

    Dustin, you also mentioned that SMBs can probably suffer a 4 hour outage but a large company can't? Maybe that's true, maybe it's not. Again depends on the situation.


  • @Dashrender said:

    Dustin, you also mentioned that SMBs can probably suffer a 4 hour outage but a large company can't? Maybe that's true, maybe it's not. Again depends on the situation.

    We had a four hour outage from the DC to All South Carolina and Indiana Locations last week. It was because of a backbone failure. Four hours is a pretty quick repair.. Yes it costs us hundreds of thousands of dollars in lost revenue. But to have the infrastructure to prevent that kind of very rare outage all the time would cost us far more. It's solely a business decision, not an IT one.


  • @Dashrender said:

    Finding a solution that provides what you need. For the SMB, that generally means a complete full product - rare is the situation when an SMB is going to code anything themselves - or outsource to have it done.

    Outsourcing Application development is probably one of the worst decisions you can make. You get locked into something that will never be updated and no one can really support. If you don't have an in-house development team custom applications are not the way to go.



  • @DustinB3403 said:

    Thank you for the responses, but still no one besides maybe @scottalanmiller has posted why / when businesses choose Open Source over closed source.

    Let's take for example Xen Orchestra, I just yesterday compiled the system in my home lab (running on my Xen Server Hypervisor as a VM)

    Now I doubt many people would be willing to implement and use Xen Orchestra in a business environment because well, there is no paid support. It's the community edition.

    But why not, the software is simply configured by you, supported by you, and at a substantial saving to you. Why is a solution as heavily adored by many professionals looked down upon because it's the "community edition"?

    First of all, understand that my situation is very different from most. The people I work for own 5 different companies, and I'm the lone IT person for all of them. Less than 20 total people throughout those 5 companies (putting the small in small business!) Thinking of it as more of a one man MSP would be about right.

    Only one of those companies would actually have the cash flow to make paid support an option. Also, when the only servers in the places are used boxes from Stallard Technologies (www.stikc.com), the support and/or licensing for a server OS starts at ~2x what the box itself cost. Add to the mix that I had been an IRIX admin previously, and open source is just the way to go.

    So far the only thing that could go wrong from the user side is the internet going down. Which did happen this week due to a hard drive failure and the RAID array being in read-only mode on the host while it rebuilt. Yes, the internet routing is being handled by an open source software distribution. The CentOS gives me not only a router, but also IPS, IDS, blind proxy, real-time virus scans, and VPN. Sure a paid solution will offer all those features, but at what price? Especially when I can get it installed and configured in less than an hour.

    Within the next year I'll have them set up on a proper domain and file server as well, also all open source. Making user files available for them on whatever computer they happen to be in front of at any given point is kinda a big deal. All done with different open source options.

    I'll grant you that most admins have been trained in the Microsoft way of doing things rather than the UNIX/IRIX/Linux way. So, business wise, paying for Microsoft Server licensing, rather than complete retraining, makes a lot more sense in those cases.



  • Well think about it like this.

    As one option, you have the "we ourselves will support it" on the other hand you have "Microsoft (or whoever) will support it".

    When does having Microsoft there become more of a cost or burden compared to using an open source alternative?

    Back to Xen Orchestra, would anyone here use Xen Orchestra and not specifically XOA (the paid option in a Production system) if the software works just as well? All you'd be losing is the "paid support" aspect which you might never use.



  • @DustinB3403 said:

    Back to Xen Orchestra, would anyone here use Xen Orchestra and not specifically XOA (the paid option in a Production system) if the software works just as well? All you'd be losing is the "paid support" aspect which you might never use.

    Well, considering I spun up a fresh Debian install in VB last night and got the latest test build of Xen Orchestra running, I don't see why not. I've even got it (slowly) uploading to my Google Drive account as an ova so others can easily use it if they'd like. It really should be an option for an all Linux shop.

    Edit: complete thoughts help



  • @DustinB3403 said:

    Well think about it like this.

    As one option, you have the "we ourselves will support it" on the other hand you have "Microsoft (or whoever) will support it".

    When does having Microsoft there become more of a cost or burden compared to using an open source alternative?

    Back to Xen Orchestra, would anyone here use Xen Orchestra and not specifically XOA (the paid option in a Production system) if the software works just as well? All you'd be losing is the "paid support" aspect which you might never use.

    I guess that depends - how much does XOA cost? How much is that support? What does the support get you?
    Then onto the business side - how expensive is downtime?



  • @Dashrender If downtime is expensive (which it is for anyone) and support is still offered (at the SMB size) within the 4 hour window generally, why wouldn't every business or IT professional do everything they could to learn the systems they have and become an expert on them?

    That would make support non-existent. Unless for some reason you died or were otherwise unable to fix the problem.



  • @BRRABill said:

    @Jason said:

    You are generally less protected by Windows.. Heck if Windows has an issue it's closed source so even if you knew how to fix it you couldn't in many cases.

    I guess my "argument" is that I trust MS more than a community to fix issues.

    The whole community thing is what I need to come to grips with, I think.

    I might have missed things already said as I'm starting from the top so ignore if redundant...

    But you are connecting "open source" to "community." Don't make that leap. Microsoft makes open source software too. When you have open source you get Microsoft AND the community AND yourself to fix it. You never get less, you get more. We are talking about open source versus closed source, not about business versus community. You are connecting concepts that do not have a direct connection.

    You could just as easily say that you trust Red Hat to fix Linux but don't trust the Spiceworks community to fix Windows. Why do you associate one with a business providing support and one without? Your mental connection there is arbitrary.



  • @Dashrender said:

    @scottalanmiller said:

    Long term support response issues are typically associated with the "bundled" support that SMBs try to get. SMBs don't like to pay for support, they like to buy software and feel like support is free. Enterprises typically get their software for free and pay for the support. When you pay for support you get a completely different experience because the vendor has to provide good support or you don't pay. But in the SMB the goal is to convince you to stop calling support because every call costs them money. They want you to stop calling and stop depending on them. The way that different organizations buy support changes how the interaction between them and the vendor works.

    Interesting.

    Would support be more expensive for SMB if the vendors gave the product away and only charged for support? Of course SMBs probably would rarely be calling upon the vendor to make kernel fixes, etc, they would be asking for break fix support.

    But perhaps that's just not really possible, because as you said, SMBs are using this support more for augmented IT because the SMB doesn't know the product and are simply relying on the vendor to support the product (I'll admit I've done that with Cisco before - have them write the config for me when I needed a change).

    SMBs can and once in a while do buy support like this today. In a way, this is what happens when you engage an MSP instead of buying software and hoping that the vendor does your portion of the work for you.



  • @DustinB3403 said:

    Thank you for the responses, but still no one besides maybe @scottalanmiller has posted why / when businesses choose Open Source over closed source.

    Let's take for example Xen Orchestra, I just yesterday compiled the system in my home lab (running on my Xen Server Hypervisor as a VM)

    Now I doubt many people would be willing to implement and use Xen Orchestra in a business environment because well, there is no paid support. It's the community edition.

    But why not, the software is simply configured by you, supported by you, and at a substantial saving to you. Why is a solution as heavily adored by many professionals looked down upon because it's the "community edition"?

    Tons of businesses do that. Tons want support. But those that do would hit up Olivier and pay for support. Trust me, even if there is no official support contract, if you call the developers as a Fortune 500, you can make a deal for special, personal support. If Bank of America called Olivier and said they wanted to pay six figures a year for "instant" support on XO, they'd get it.

    Even ML is large enough that we are talking about getting NodeBB involved directly through custom support channels rather than through their normal ones because we need a type and level of service that isn't common enough to have on a rate sheet. The smaller the vendor, the easier it is to work these things out.

    But that being said, even though the bulk of the Fortune 500 runs RHEL and pays for support, many also choose CentOS because they find that they don't need support and the cost savings outweigh the risks. I was at the world's largest bank for eight years and never once did we need Red Hat to help us. It was great knowing that they were there "just in case" and they often weighed in to back up our ideas or opinions, but we never needed them. Good IT practices with testing, backups, etc. mean that only rarely do you have a situation where a vendor would be "needed" and that is almost exclusively with patches.

    If you think about what a situation looks like where you suddenly need the vendor involved chances are you had other IT issues leading up to that. I've been in IT for 26 years and I've never once needed to go to the vendors for support of normal IT products. Not once. I didn't even learn that this was a "thing" until I started participating in online communities and realized that lots of companies use their vendors for things that I had always associated with the internal IT department.



  • @Jason said:

    @DustinB3403 said:

    has posted why / when businesses choose Open Source over closed source.

    Closed/Open source is never the determining factor when choosing a solution. You have a business need and you fill that with the best solution that makes business sense. Opensource or closed source doesn't really play into it unless the goal is for customization..

    Of course I won't go into that, because it's often better to make your own solution than highly customize a pre-made one.

    This is very important to understand, what Jason points out here. Except in rare cases where you need to customize the code, actively plan on participating in the code, need to audit the code or similar you should not be considering the source licensing. This is one of those bizarre things that mostly only, again, happens in the SMB. Enterprises don't sit around wondering if the source code is open or not, it's not very important.

    A few core principles that I think people generally miss:

    • Open is always better for the customer than closed, all other factors equal. Period. No ifs, ands or buts.
    • Except in the cases mentioned, source licensing is a mostly trivial factor.

    That pretty much sums it up. Open is always better than closed, but source licensing is rarely important enough to even consider.



  • @Dashrender said:

    Dustin, you also mentioned that SMBs can probably suffer a 4 hour outage but a large company can't? Maybe that's true, maybe it's not. Again depends on the situation.

    SMBs are more likely to be able to handle a large outage, but even enterprises do that regularly and it is rarely a huge deal. It's a deal, but it is factored into their thinking. They understand risks, typically, and plan for them rather than assuming it won't happen and freaking out when it does. Enterprises tend to be more driven by logic and path and less by emotion and fear.