FreeBSD Security Survey

Doug Hardie bc979 at lafn.org
Sun May 21 23:48:59 PDT 2006


On May 21, 2006, at 22:41, David Nugent wrote:

> A good failover strategy comes into play here.
>
> If you have one, then taking a single production machine off-line for a short period should be no big deal, even routine, and should not even be noticed by users if done correctly. This should be planned for and part of the network/system design. Yes, it definitely requires more resources to support, but I'll rephrase the same problem: what happens when (and I mean *when* and not *if*) a motherboard or network card fries or you suffer a hard disk crash (even 2+ drives failing at the same time on a RAID array is not particularly unusual considering that drives are quite often from the same manufactured batch)?
>
> Lack of a failover on mission critical systems that *can't* be offline is like playing Russian roulette.

Failover sounds good in theory but has significant issues in practice that make it sometimes worse than the alternative. Take mail spools. If you fail over, mail the user saw before has disappeared. Then when you "fail back" it reappears and newer messages disappear. This is hardly unnoticeable. My users do not find that at all acceptable. Putting the mail spools on a different machine just moves that problem to the different machine. Trying to keep multiple spools consistent has problems also. I have watched RAID systems lose their data too. A nice power spike - 1.5 kV from a lightning strike in the local area will do it.


More information about the freebsd-stable mailing list