May 10, 2013

Understanding and Implementing Coding Standards

Coding standards provide a consistent framework for development within a project and across projects in an organization. A dozen programmers can complete a simple project in a dozen different ways by using unique coding methodologies and styles, so I like to think of coding standards as the "rules of the road" for developers.

When you're driving in a car, traffic is controlled by "standards" such as lanes, stoplights, yield signs and laws that set expectations around how you should drive. When you take a road trip to a different state, the stoplights might be hung horizontally instead of vertically or you'll see subtle variations in signage, but because you're familiar with the rules of the road, you're comfortable with the mechanics of driving in this new place. Coding standards help control development traffic and provide the consistency programmers need to work comfortably with a team across projects. The problem with allowing developers to apply their own unique coding styles to a project is the same as allowing drivers to drive as they wish ... Confusion about lane usage, safe passage through intersections and speed would result in collisions and bottlenecks.

Coding standards often seem restrictive or laborious when a development team starts considering their adoption, but they don't have to be ... They can be implemented methodically to improve the team's efficiency and consistency over time, and they can be as simple as establishing that all instantiations of an object must be referenced with a variable name that begins with a capital letter:

$User = new User();

While that example may seem overly simplistic, it actually makes life a lot easier for all of the developers on a given project. Regardless of who created that variable, every other developer can see the difference between a variable that holds data and one that instantiates an object. Think about the shapes of signs you encounter while driving ... You know what a stop sign looks like without reading the word "STOP" on it, so when you see a red octagon (in the United States, at least), you know what to do when you approach it in your car. Seeing a capitalized variable name would tell us about its function.

The example I gave of capitalizing instantiated objects is just an example. When it comes to coding standards, the most effective rules your team can incorporate are the ones that make the most sense to you. While there are a few best practices in terms of formatting and commenting in code, the most important characteristics of coding standards for a given team are consistency and clarity.

So how do you go about creating a coding standard? Most developers dislike doing unnecessary work, so the easiest way to create a coding standard is to use an already-existing one. Take a look at any libraries or frameworks you are using in your current project. Do they use any coding standards? Are those coding standards something you can live with or use as a starting point? You are free to make any changes to it you wish in order to best facilitate your team's needs, and you can even set how strictly specific coding standards must be adhered to. Take for example left-hand comparisons:

if ( $a == 12 ) {} // right-hand comparison
if ( 12 == $a ) {} // left-hand comparison

Both of these statements are valid but one may be preferred over the other. Consider the following statements:

if ( $a = 12 ) {} // supposed to be a right-hand comparison but is now an assignment
if ( 12 = $a ) {} // supposed to be a left-hand comparison but is now an assignment

The first statement will now evaluate to true because $a is assigned the value of 12, which will then cause the code within the if-statement to execute (which is not the desired result). The second statement will cause an error, therefore making it obvious a mistake in the code has occurred. Because our team couldn't come to a consensus, we decided to allow both of these standards ... Either of these two formats is acceptable and will pass code review, but they are the only two acceptable variants. Code that deviates from those two formats would fail code review and would not be allowed in the code base.
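One way to catch the accidental assignment during code review, as an added example that is not code from the original post: a shell function (the name find_assignment_in_if is hypothetical) that reports any if condition in which a bare = survives once comparison operators are masked. The PHP sample is constructed from the four statements above plus a few variants.

```bash
#!/usr/bin/env bash
# Added example: flag "=" used where a comparison was intended inside if(...).
# The function name is hypothetical and the PHP sample is constructed.

# Print "LINE: source" for each if/elseif condition containing a bare "=".
# Heuristic: the condition is cut out by matching parentheses, double-quoted
# strings and all comparison operators are masked, and any "=" that survives
# is reported. Only the first if on a line is read, and deliberate
# assignments such as if ($row = next_row()) are reported as well.
find_assignment_in_if() {
    awk '
    match($0, /(^|[^A-Za-z0-9_$])(else)?if[ \t]*\(/) {
        rest = substr($0, RSTART + RLENGTH); cond = ""; depth = 1
        for (i = 1; i <= length(rest) && depth > 0; i++) {
            c = substr(rest, i, 1)
            if (c == "(") depth++
            else if (c == ")") depth--
            if (depth > 0) cond = cond c
        }
        gsub(/"[^"]*"/, "", cond)      # double-quoted strings
        gsub(/[=!]==/, "", cond)       # === and !==
        gsub(/[=!<>]=/, "", cond)      # == != <= >=
        gsub(/=>/, "", cond)           # array arrow
        if (index(cond, "=") > 0) print FNR ": " $0
    }' "$1"
}

# Constructed PHP input: the four statements from the post plus variants
# that must not be reported (strict comparison, assignment in the body,
# an "=" inside a string literal).
write_php_sample() {
    cat > "$1" <<'EOF'
<?php
if ( $a == 12 ) {}
if ( 12 == $a ) {}
if ( $a = 12 ) {}
if ( 12 = $a ) {}
if ( $a === 12 && $b <= 3 ) { $c = 1; }
if ( $a !== 12 ) $b = 2;
} elseif ( $name == "a=b" ) {
EOF
}

# Demo: lines 4 and 5 of the sample are reported.
sample=$(mktemp)
write_php_sample "$sample"
find_assignment_in_if "$sample"
rm -f "$sample"
```

Both mistyped forms are reported, so the check backs up either accepted style; the left-hand form has the extra safety net that PHP itself rejects it.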

Coding standards play an important role in efficient development of a project when you have several programmers working on the same code. By adopting coding standards and following them, you'll avoid a free-for-all in your code base, and you'll be able to look at every line of code and know more about what that line is telling you than what the literal code is telling you ... just like seeing a red octagon posted on the side of the road at an intersection.


May 7, 2013

Tips from the Abuse Department: DMCA Takedown Notices

If you are in the web hosting business or you provide users with access to store content on your servers, chances are that you're familiar with the Digital Millennium Copyright Act (DMCA). If you aren't familiar with it, you certainly should be. All it takes is one client plagiarizing an article or using a filesharing program unscrupulously, and you could find yourself the recipient of a scary DMCA notice from a copyright holder. We've talked before about how to file a DMCA complaint with SoftLayer, but we haven't talked in detail about SoftLayer's role in processing DMCA complaints or what you should do if you find yourself on the receiving end of a copyright infringement notification.

The most important thing to understand when it comes to the way the abuse team handles DMCA complaints is that our procedures aren't just SoftLayer policy — they are the law. Our role in processing copyright complaints is essentially that of a middleman. In order to protect our Safe Harbor status under the Online Copyright Infringement Liability Limitation Act (OCILLA), we must enforce any complaint that meets the legal requirements of a takedown notice. That DMCA complaint must contain specific elements and be properly formatted in order to be considered valid.

Responding to a DMCA Complaint

When we receive a complaint that meets the legal requirements of a DMCA takedown notice, we must relay the complaint to our direct customer and enforce a deadline for removal of the violating material. We are obligated to remove access to infringing content when we are notified about it, and we aren't able to make a determination about the validity of a claim beyond confirming that all DMCA requirements are met.

The law states that SoftLayer must act expeditiously, so if you receive notification of a DMCA complaint, it's important that you acknowledge the ticket that the abuse department opened on your account and let us know your intended course of action. Sometimes that action is as simple as removing an infringing URL. Sometimes you may need to contact your client and instruct them to take the material down. Whatever the case may be, it's important to be responsive and to expressly confirm when you have complied and removed the material. Failure to acknowledge an abuse ticket can result in disconnection of service, and in the case of copyright infringement, SoftLayer has a legal obligation to remove access to the material or we face serious liability.

DMCA Counter Notifications

Most DMCA complaints are resolved without issue, but what happens if you disagree with the complaint? What if you own the material and a disgruntled former business partner is trying to get revenge? What if you wrote the content and the complaining party is copying your website? Thankfully there are penalties for filing a false DMCA complaint, but you also have recourse in the form of a counter notification. Keep in mind that while it may be tempting to plead your case to the abuse department, our role is not to play judge or jury but to allow the process to work as it was designed.

In some cases, you may be able to work out a resolution with the complaining party directly (misunderstandings happen, licenses lapse, etc.) and have them send a retraction, but most of the time your best course of action is to submit a counter notification.

Just as a takedown notice must be crafted in a specific way, counter notifications have their own set of requirements. Once you have disabled the material identified in the original complaint, we can provide your valid, properly formatted counter notification to the complaining party. Unless we receive a court order from the complaining party within the legally mandated time frame, the material can be re-enabled and the case is closed for the time being.

While it might sound complicated, it's actually pretty straightforward, but we urge you to do your research and make sure you know what to do in the event a client of yours is hit with a DMCA takedown notice. Just as we are unable to make judgment calls when it comes to takedown notices or counter notifications, we are also unable to offer any legal advice for you if you need help. Hopefully this post cleared up a few questions and misconceptions about how the abuse department handles copyright complaints. In short:

Do take DMCA notifications seriously. You are at risk for service interruption and possible legal liability.
Do respond to the abuse department letting them know the material has been disabled and, if applicable, if you plan to file a counter notification.
Don't refuse to disable the material. Even if you believe the claim is false and you wish to file a counter notification, the material must be disabled within the time period allotted by the abuse department or we have to block access to it.
Don't expect the abuse department to take sides.

As with any abuse issue, communication and responsiveness are important. Disconnecting your server is a last resort, but we have ethical and legal obligations to uphold. The DMCA process certainly has its weaknesses and it leaves a bit to be desired, but at the end of the day, it's the law, and we have to operate inside of our legal obligation to it.


May 2, 2013

Startup Series: wind2share

I'm amazed by the people who work at the startups that work with Catalyst. If you could somehow bottle the enthusiasm, creativity and passion that entrepreneurs and startup teams have on a daily basis, you'd have an energy drink worth billions of dollars. It's impossible to describe in a blog, but because I'm surrounded by people with those characteristics, I'd be doing the blog audience a disservice if I didn't try to express what I've experienced first-hand. Instead of trying to generalize, a better approach would be to give you an example of what I'm talking about, and for that, I just need to turn the spotlight on wind2share.

I first met the wind2share team at TechCrunch SF in the fall of 2012, and I was immediately taken aback by their energy and the genuine kindness they exuded as people. At the time, the team had been slowly making the transition of having employees work in three different cities on two different continents, but it was clear that they shared a unified willingness to work hard and create a meaningful solution for their clients. As my boy Iggy Pop said, they had a "lust for life" that is as magnetic as it is uncommon. And if that weren't enough, their vision for wind2share is innovative and intriguing:

wind2share is a social business network specially designed for people to make referrals to leading institutions and companies and receive cash rewards based on successful referrals. Businesses seeking to enter new markets can lean on hundreds of ambassadors worldwide to offer their services to new audiences, and expand their client base in new markets.

Since I met them, they've made incremental improvements in their user experience, incorporating Facebook and Google+ accounts to streamline signups and launching a new site design to clearly and succinctly convey the business model and the platform's features.

After a successful pilot run in 2012 which generated more than $1.7 million in revenue, wind2share is strategically ramping up their marketing efforts to continue the viral growth of their disruptive referral model. Given how easy they make the process of connecting and interacting with businesses and top-level professionals around the world, it's not a surprise that the startup has been so successful, and I have no doubt that their success will continue.

The beauty of the network wind2share created is the diversity of its functionality. Your social network trusts you, and your referrals are valuable, so wind2share provides a medium for businesses to reward you when you recommend them. Beyond that use-case, if you're an entrepreneur or you have an idea, you can connect with investors who share your interest and may be of some help. The way I think of it is that it's a social community with a business purpose. Members are provided with all the information, tools and resources they need to "Make a Wealth of Referrals."

Companies like wind2share are glowing successes in our Catalyst. Our team has solved numerous infrastructure challenges for them, and we've had the opportunity to make strategic introductions to investors, business leads and potential business partners as the company has grown and matured. Seeing the work pay off in such a positive way with wind2share is proof positive of the value Catalyst provides startups.

To learn more about wind2share or to sign up, head over to If you'd like to meet the fantastic team of brilliant folks behind the platform, reach out to me directly and I'll happily start the conversation for you.


April 30, 2013

Big Data at SoftLayer: Riak

Big data is only getting bigger. Late last year, SoftLayer teamed up with 10Gen to launch a high-performance MongoDB solution, and since then, many of our customers have been clamoring for us to support other big data platforms in the same way. By automating the provisioning process of a complex big data environment on bare metal infrastructure, we made life a lot easier for developers who demanded performance and on-demand scalability for their big data applications, and it's clear that our simple formula produced amazing results. As Marc mentioned when he started breaking down big data database models, document-oriented databases like MongoDB are phenomenal for certain use-cases, and in other situations, a key-value store might be a better fit. With that in mind, we called up our friends at Basho and started building a high-performance architecture specifically for Riak ... And I'm excited to announce that we're launching it today!

Riak is an open source, distributed database platform based on the principles enumerated in the DynamoDB paper. It uses a simple key/value model for object storage, and it was architected for high availability, fault tolerance, operational simplicity and scalability. A Riak cluster is composed of multiple nodes that are all connected, all communicating and sharing data automatically. If one node were to fail, the other nodes would automatically share the data that the failed node was storing and processing until the node is back up and running or a new node is added. See the diagram below for a simple illustration of how adding a node to a cluster works within Riak.

Riak Nodes

We will support both the open source and the Enterprise versions of Riak. The open source version is a great place to start. It has all of the database functionality of Riak Enterprise, but it is limited to a single cluster. The Enterprise version supports replication between clusters across data centers, giving you lots of architectural options. You can use replication to build highly available, live-live failover applications. You can also use it to distribute your application's data across regions, giving you a global platform that you can update anywhere in the world and know that those modifications will be available anywhere else. Riak Enterprise customers also receive 24×7 coverage, both from SoftLayer and Basho. This includes SoftLayer's one-hour guaranteed response for Severity 1 hardware issues and unlimited support available via our secure web portal, email and phone.

The business use-case for this flexibility is that if you need to scale up or down, nodes can be easily added or taken down as your requirements change. You can opt for a single-data center environment with a few nodes or you can broaden your architecture to a multi-data center deployment with a 40-node cluster. While these capabilities are inherent in Riak, they can be complicated to build and configure, so we spent countless hours working with Basho to streamline Riak deployment on the SoftLayer platform. The fruit of that labor can be found in our Riak Solution Designer:

Riak Solution Designer

The server configurations and packages in the Riak Solution Designer have been selected to deliver the performance, availability and stability that our customers expect from their bare metal and virtual cloud infrastructure at SoftLayer. With a few quick clicks, you can order a fully configured Riak environment, and it'll be provisioned and online for you in two to four hours. And everything you order is on a month-to-month contract.

Thanks to the hard work done by the SoftLayer development group and Basho's team, we're proud to be the first in the marketplace to offer a turn-key Riak solution on bare metal infrastructure. You don't need to sacrifice performance and agility for simplicity.

For more information, visit or contact our sales team.


April 29, 2013

Web Development - Installing mod_security with OWASP

You want to secure your web application, but you don't know where to start. A number of open-source resources and modules exist, but that variety is more intimidating than it is liberating. If you're going to take the time to implement application security, you don't want to put your eggs in the wrong basket, so you wind up suffering from analysis paralysis as you compare all of the options. You want a powerful, flexible security solution that isn't overly complex, so to save you the headache of making the decision, I'll make it for you: Start with mod_security and OWASP.

ModSecurity (mod_security) is an open-source Apache module that acts as a web application firewall. It is used to help protect your server (and websites) from several methods of attack, the most common being brute force. You can think of mod_security as an invisible layer that separates users and the content on your server, quietly monitoring HTTP traffic and other interactions. It's easy to understand and simple to implement.

The challenge is that without some advanced configuration, mod_security isn't very functional, and that advanced configuration can get complex pretty quickly. You need to determine and set additional rules so that mod_security knows how to respond when approached with a potential threat. That's where Open Web Application Security Project (OWASP) comes in. You can think of the OWASP as an enhanced core ruleset that the mod_security module will follow to prevent attacks on your server.

The process of getting started with mod_security and OWASP might seem like a lot of work, but it's actually quite simple. Let's look at the installation and configuration process in a CentOS environment. First, we want to install the dependencies that mod_security needs:

## Install the GCC compiler and mod_security dependencies ##
$ sudo yum install gcc make
$ sudo yum install libxml2 libxml2-devel httpd-devel pcre-devel curl-devel

Now that we have the dependencies in place, let's install mod_security. Unfortunately, there is no yum package for mod_security because it is not a maintained package, so you'll have to install it directly from the source:

## Get mod_security from its source ##
$ cd /usr/src
$ git clone

Now that we have mod_security on our server, we'll install it:

## Install mod_security ##
$ cd ModSecurity
$ ./configure
$ make install

And we'll copy over the default mod_security configuration file into the necessary Apache directory:

## Copy configuration file ##
$ cp modsecurity.conf-recommended /etc/httpd/conf.d/modsecurity.conf

We've got mod_security installed now, so we need to tell Apache about it ... It's no use having mod_security installed if our server doesn't know it's supposed to be using it:

## Apache configuration for mod_security ##
$ vi /etc/httpd/conf/httpd.conf

We'll need to edit our Apache config file to load our dependencies (BEFORE the mod_security module) and the mod_security module itself:

## Load dependencies ##
LoadFile /usr/lib/
LoadFile /usr/lib/
## Load mod_security ##
LoadModule security2_module modules/

We'll save our configuration changes and restart Apache:

## Restart Apache! ##
$ sudo /etc/init.d/httpd restart

As I mentioned at the top of this post, our installation of mod_security is good, but we want to enhance our ruleset with the help of OWASP. If you've made it this far, you won't have a problem following a similar process to install OWASP:

## OWASP ##
$ cd /etc/httpd/
$ git clone
$ mv owasp-modsecurity-crs modsecurity-crs

Just like with mod_security, we'll set up our configuration file:

## OWASP configuration file ##
$ cd modsecurity-crs
$ cp modsecurity_crs_10_setup.conf.example modsecurity_crs_10_config.conf

Now we have mod_security and the OWASP core ruleset ready to go! The last step we need to take is to update the Apache config file to set up our basic ruleset:

## Apache configuration ##
$ vi /etc/httpd/conf/httpd.conf

We'll add an IfModule and point it to our new OWASP rule set at the end of the file:

<IfModule security2_module>
    Include modsecurity-crs/modsecurity_crs_10_config.conf
    Include modsecurity-crs/base_rules/*.conf
</IfModule>

And to complete the installation, we save the config file and restart Apache:

## Restart Apache! ##
$ sudo /etc/init.d/httpd restart

And we've got mod_security installed with the OWASP core ruleset! With this default installation, we're leveraging the rules the OWASP open source community has come up with, and we have the flexibility to tweak and enhance those rules as our needs dictate. If you have any questions about this installation or you have any other technical blog topics you'd like to hear from us about, please let us know!
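A static check for the configuration steps above, as an added example that is not part of the original post: it verifies that the LoadFile lines come before LoadModule security2_module, that every <IfModule> block is closed, and it reports the SecRuleEngine mode, because modsecurity.conf-recommended ships with SecRuleEngine DetectionOnly (rules log but do not block). The function names are hypothetical, the sample configs are constructed with placeholder .so names, and the check assumes the directives from httpd.conf and conf.d/modsecurity.conf have been concatenated into one file.

```bash
#!/usr/bin/env bash
# Added example: static checks for an Apache + mod_security configuration.
# Function names are hypothetical; sample configs are constructed and the
# .so file names in them are placeholders, not real library names.

# Succeed only if security2_module is loaded and no LoadFile line follows it.
check_load_order() {
    awk 'tolower($1) == "loadfile" && seen_mod { late = 1 }
         tolower($1) == "loadmodule" && $2 == "security2_module" { seen_mod = 1 }
         END { if (seen_mod && !late) exit 0; exit 1 }' "$1"
}

# Succeed only if every <IfModule ...> has a matching </IfModule>.
check_ifmodule_balanced() {
    awk '{ line = tolower($0) }
         line ~ /^[ \t]*<ifmodule[ \t>]/ { depth++ }
         line ~ /^[ \t]*<\/ifmodule>/ { if (--depth < 0) bad = 1 }
         END { if (bad || depth != 0) exit 1; exit 0 }' "$1"
}

# Print the last uncommented SecRuleEngine value in the file, or "unset".
rule_engine_mode() {
    awk 'tolower($1) == "secruleengine" { mode = $2 }
         END { print (mode == "" ? "unset" : mode) }' "$1"
}

# Run all checks, print one line per finding, return the number of findings.
audit_modsec_conf() {
    findings=0
    if ! check_load_order "$1"; then
        echo "FAIL: security2_module missing, or a LoadFile appears after it"
        findings=$((findings + 1))
    fi
    if ! check_ifmodule_balanced "$1"; then
        echo "FAIL: unbalanced <IfModule> block"
        findings=$((findings + 1))
    fi
    mode=$(rule_engine_mode "$1")
    case "$mode" in
        [Oo][Nn]) ;;
        *) echo "WARN: SecRuleEngine is '$mode'; rules are not blocking"
           findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Constructed sample with two defects: detection-only mode, unclosed block.
write_sample_flawed() {
    cat > "$1" <<'EOF'
LoadFile /usr/lib/PLACEHOLDER-dependency.so
LoadModule security2_module modules/PLACEHOLDER-module.so
SecRuleEngine DetectionOnly
<IfModule security2_module>
    Include modsecurity-crs/modsecurity_crs_10_config.conf
    Include modsecurity-crs/base_rules/*.conf
EOF
}

# Constructed sample with both defects corrected (blocking enabled).
write_sample_corrected() {
    cat > "$1" <<'EOF'
LoadFile /usr/lib/PLACEHOLDER-dependency.so
LoadModule security2_module modules/PLACEHOLDER-module.so
SecRuleEngine On
<IfModule security2_module>
    Include modsecurity-crs/modsecurity_crs_10_config.conf
    Include modsecurity-crs/base_rules/*.conf
</IfModule>
EOF
}

# Demo: audit both constructed samples and print the findings.
demo() {
    dir=$(mktemp -d)
    write_sample_flawed "$dir/flawed.conf"
    write_sample_corrected "$dir/corrected.conf"
    for f in flawed corrected; do
        echo "== $f.conf"
        audit_modsec_conf "$dir/$f.conf" && echo "OK: no findings"
    done
    rm -rf "$dir"
    return 0
}
demo
```

Running in DetectionOnly first and reading the audit log is a reasonable way to tune out false positives before switching SecRuleEngine to On.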


April 26, 2013

Catalyst at SXSW 2013: The Startups Speak

SoftLayer listens to customers. There's no marketing spin or fluff on that statement ... I'm a former client, so I can attest to that from a customer perspective and from an internal perspective. When I joined the company as part of the community development team to work with startups in Catalyst, I knew my role was going to be more relationship-based than project-oriented, and that was one of the most exciting aspects of the job for me.

In my last blog about mentorship and meaningfulness, you heard from George Karidis and Paul Ford about the vision to make Catalyst a part of the startup ecosystem, committing to helping participating teams with more than just their hosting needs. While we attended SXSW Interactive, I ran into a few of our phenomenal customers and had the opportunity to sit down with them and talk about their businesses, their connection to SoftLayer and what the future holds:

Over the next few weeks, we'll add video interviews to that YouTube playlist to show off all of the startups that stopped by the Catalyst Startup Lounge at SXSW 2013. When a new video is published, it'll be added to the embedded playlist above, and we'll send some social media shout-outs via Twitter and Facebook.

With SoftLayer's 7th birthday coming up on May 5, we still feel like a startup, and a lot of that has to do with how closely we work with our customers ... Their energy is contagious, and it only encourages us to keep innovating and building our platform for the future. That's why entrepreneurs like the ones you meet in these videos choose SoftLayer. The fact that we have better technology and provide a more powerful cloud infrastructure winds up being a fringe benefit.

A big "Thanks!" goes out to the folks from Epic Playground, Flowmio, Medved, Urbane, YouNoodle, KeenIO, Cloudability and Preferred Return for taking time out of their busy SXSW schedules to chat with me. We love you guys!


April 23, 2013

Server Challenge II: How SoftLayer Saves the World

SoftLayer made our way to San Francisco for another great year of digital marketing fun at ad:tech. This event is always a blast because it allows us trade show roadies to change up our usual dialogue and talk about SoftLayer in a unique way ... Instead of fielding technical questions about our platform, we get to talk about our cloud hosting solutions from a "big picture" perspective. This year, the bridge between those "big picture" discussions and the hardware and technical side of our business was the Server Challenge II.

This isn't the first time the advertising-focused crowd at ad:tech has seen the Server Challenge, but with the competition's new retro arcade game design, it was much more of a focal point this year than it has been in years past ... And it didn't hurt that we were in an awesome location right at the entrance of the expo floor:

Server Challenge II - ad:tech

Given the fact that most people who stopped at our booth were drawn to us as part of a crowd around the Server Challenge, the first question we heard was subtly different than the "What does SoftLayer do?" question we're used to answering at ad:tech. This year, most of my conversations started with an attendee asking, "What in the world does this game have to do with SoftLayer?" Luckily, the graphic on the front of the Server Challenge with three simple objectives provides a great outline for the competition's relevance to our business:

  1. Load the Data
  2. Connect the Network
  3. Save the World

1. Load the Data

Game Application: Insert all 24 of the drive trays into the drive bays of two Supermicro servers.
SoftLayer Significance: We have more than 100,000 Supermicro servers in our 13 data centers around the world. When you walk into one of our facilities in Dallas, Houston, Seattle, Washington, D.C., San Jose, Amsterdam or Singapore, you'll see racks filled with servers just like the ones in the Server Challenge II, and those servers are loaded up with the hard drives you choose when you order from us.

2. Connect the Network

Game Application: Connect the 18 network cables into the three network switches.
SoftLayer Significance: The three different colors of network cables are the same colors you'll see in our data centers. The red cables carry public network traffic, the blue cables carry private network traffic, and the green cables carry out-of-band management network traffic. This is a huge differentiator for SoftLayer because those three physical networks allow for much greater flexibility for our customers. While the public network is serving public traffic to your websites, games and apps, you could be running an off-site backup of your database over the private network (where you don't incur bandwidth charges), and you can manage your server over SSL, PPTP and IPSEC connections via the out-of-band management network carried by the green cables.

3. Save the World

Game Application: Win a MacBook Air!
SoftLayer Significance: SoftLayer provides the flexible, scalable platform on which you can build your application, run your game or push an advertising campaign. The fact that all of our servers are racked, networked and ready for your order means that we're ready to "Save the World" for you by provisioning on-demand bare metal cloud servers and virtual cloud computing instances.

At least four or five times per show, I hear attendees talking about how the Server Challenge is the most fun game at the conference (even at GDC ... where the entire expo hall is filled with gaming companies). While it draws crowds for being fun, the best part of the competition is that it helps us tell our story and creates memories at the same time. When Server Challenge competitors hear that their companies need a new server, they're going to have a flashback to stepping up to a SoftLayer server rack and learning what makes SoftLayer the best choice as a cloud hosting provider. With the crowds we see at every show, that means we've got a lot of future customers:

Server Challenge II - ad:tech

Thanks to all of the ad:tech attendees who took on the Server Challenge II this year. The show actually had one of the most dramatic conclusions of any we've ever had before! Yuki Matsumoto broke the one-minute mark early on Day 2 of the expo with his first attempt of the day, and John Li managed to squeak by him with a time of 0:58.05 less than five minutes before the show floor closed:

Yuki had one shot at redemption as the last competitor of the show, but he wasn't able to beat John's 58-second completion, so the MacBook Air went to John Li! Keep practicing your server-building skills and come look for SoftLayer (and the Server Challenge) in an expo hall near you!


April 22, 2013

Going Global: How to Approach Expansion into Asia

Asia is an amazing place for business, but companies from outside the region often consider it mysterious and prohibitive. I find myself discussing Asian business customs and practices with business owners from other regions on an almost daily basis, so I feel like I've become an informal resource when it comes to helping SoftLayer customers better understand and enter the Asian markets. As the general manager for SoftLayer's APAC operations, I thought I'd share a few thoughts about what companies outside of Asia should consider when approaching new business in the region.

Before we get too far into the weeds, it's important to take a step back and understand the Asian culture and how it differs from the business cultures in the West. The Asian market is much more relational than the market in the United States or Europe; significant value is placed on the time you spend in the region building new networks and interacting with your prospective customers and suppliers. Even for small purchases, businesses in Asia are much more comfortable with face-to-face agreements than they are with phone calls or emails. Many of the executives I speak to about entering Asia argue they don't have time to spend weeks and months in the region, and they make whistle-stop trips in various countries to get a snapshot of what they need to know to make informed decisions. Their businesses often fail at breaching the market because they don't invest the time and resources they need to create the relationships required to succeed. Books, blogs (even this one), consultants and occasional visits aren't nearly as important to your success as investing yourself in the culture. Even if you can't physically travel to your target market for some reason, find ways to plug into the community online and become a resource.

Asia is not homogenous. There are 20 distinct countries and cultures, dozens of languages and hundreds of dialects. There are distinct legal systems, currencies, regulatory frameworks and cultural norms. From a business perspective, that means that what you do to appeal to an audience in Singapore won't be as effective for an audience in Japan ... This is not the United States of Asia nor is there an Asian Union. Having partners in Hong Kong does not get you into China; if you want to access markets in China, you need to build relationships with partners and customers in China. One of the biggest reasons for this in-country presence is to understand and avoid a "death by a thousand cuts" situation where minor, seemingly insignificant questions and problems cumulatively prevent a business from successfully entering the market. Take these questions from customers as an example:

  • When I buy from your office in Bangkok, where is the contract jurisdiction?
  • I'm in Hong Kong. Can I pay in Hong Kong Dollars? Who takes the currency risk?
  • Corporate credit cards aren't common in Vietnam. Can I pay for my online purchase in cash?
  • If I sign up for a webinar, is it at a time convenient for me (i.e. repeated for other time zones), or do I have to be at my PC at 3am?
  • If you invite me to a meeting on 12/4, is that April 12th, or December 4th?
  • When I print whitepapers from your website, do I need to resize to a different paper size?

The way you handle currencies, time zones and how you present information are barometers of how approachable your business is for users and businesses in a particular market. Most users won't reach out to you to ask those kinds of questions; they'll just move on to a competitor who answers their questions without them asking. You learn about these sticking points by having people on the ground and talking to potential customers and partners. Since globalization is "flattening" the World Wide Web, the mechanics of hosting a site, application or game in a data center in Singapore are identical to hosting the same content in Dallas. It's easy to make your data locally available and have infrastructure available in your target market, but that's only a start. You need to approach Asian countries as unique opportunities to redefine your business in a way that fits the culture of your potential customers and partners.

In my next blog, I plan to share a few best practices about management, responsiveness and responsibility, positioning, operations and marketing in Asia. These posts are intended to get you thinking about how your business can approach expanding into Asia smartly, and if you have any questions or want any advice about your business in particular, please feel free to email me directly:


April 16, 2013

iptables Tips and Tricks - Track Bandwidth with iptables

As I mentioned in my last post about CSF configuration in iptables, I'm working on a follow-up post about integrating CSF into cPanel, but I thought I'd inject a simple iptables use-case for bandwidth tracking. You probably think about iptables in terms of firewalls and security, but it also includes a great diagnostic tool for counting bandwidth for individual rules or sets of rules. If you can block it, you can track it!

The best part about using iptables to track bandwidth is that the tracking is enabled by default. To see this feature in action, add the "-v" flag to the command:

[root@server ~]$ iptables -vnL
Chain INPUT (policy ACCEPT 2495 packets, 104K bytes)

The output includes counters for both the policies and the rules. To track the rules, you can create a new chain for tracking bandwidth:

[root@server ~]$ iptables -N tracking
[root@server ~]$ iptables -vnL
Chain tracking (0 references)
 pkts bytes target prot opt in out source           destination

Then you need to set up new rules to match the traffic that you wish to track. In this scenario, let's look at inbound http traffic on port 80:

[root@server ~]$ iptables -I INPUT -p tcp --dport 80 -j tracking
[root@server ~]$ iptables -vnL
Chain INPUT (policy ACCEPT 35111 packets, 1490K bytes)
 pkts bytes target prot opt in out source           destination
    0   0 tracking    tcp  --  *  *       tcp dpt:80

Now let's generate some traffic and check it again:

[root@server ~]$ iptables -vnL
Chain INPUT (policy ACCEPT 35216 packets, 1500K bytes)
 pkts bytes target prot opt in out source           destination
  101  9013 tracking    tcp  --  *  *       tcp dpt:80

You can see the packet and byte counts for the INPUT rule, which matches traffic to a destination port on your server. If you want to track the amount of data that the server is generating, you'd look for OUTPUT from the source port on your server:

[root@server ~]$ iptables -I OUTPUT -p tcp --sport 80 -j tracking
[root@server ~]$ iptables -vnL
Chain OUTPUT (policy ACCEPT 26149 packets, 174M bytes)
 pkts bytes target prot opt in out source           destination
  488 3367K tracking    tcp  --  *  *       tcp spt:80

Now that we know how the tracking chain works, we can add in a few different layers to get even more information. That way you can keep your INPUT and OUTPUT chains looking clean.

[root@server ~]$ iptables -N tracking
[root@server ~]$ iptables -N tracking2
[root@server ~]$ iptables -I INPUT -j tracking
[root@server ~]$ iptables -I OUTPUT -j tracking
[root@server ~]$ iptables -A tracking -p tcp --dport 80 -j tracking2
[root@server ~]$ iptables -A tracking -p tcp --sport 80 -j tracking2
[root@server ~]$ iptables -vnL
Chain INPUT (policy ACCEPT 96265 packets, 4131K bytes)
 pkts bytes target prot opt in out source           destination
 4002  184K tracking    all  --  *  *
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source           destination
Chain OUTPUT (policy ACCEPT 33751 packets, 231M bytes)
 pkts bytes target prot opt in out source           destination
 1399 9068K tracking    all  --  *  *
Chain tracking (2 references)
 pkts bytes target prot opt in out source           destination
 1208 59626 tracking2   tcp  --  *  *       tcp dpt:80
  224 1643K tracking2   tcp  --  *  *       tcp spt:80
Chain tracking2 (2 references)
 pkts bytes target prot opt in out source           destination

Keep in mind that every time a packet passes through one of your rules, it will eat CPU cycles. Diverting all your traffic through 100 rules that track bandwidth may not be the best idea, so it's important to have an efficient ruleset. If your server has eight processor cores and tons of overhead available, that concern might be inconsequential, but if you're running lean, you could conceivably run into issues.

The easiest way to think about making efficient rulesets is to think about eating the largest slice of pie first. Understand iptables rule processing and put the rules that get more traffic higher in your list. Conversely, save the tiniest pieces of your pie for last. If you run all of your traffic by a rule that only applies to a tiny segment before you screen out larger segments, you're wasting processing power.

Another thing to keep in mind is that you do not need to specify a target (in our examples above, we established tracking and tracking2 as our targets). If you're used to each rule having a specific purpose of either blocking, allowing, or diverting traffic, this simple tidbit might seem revolutionary. For example, we could use this rule:

[root@server ~]$ iptables -A INPUT

If that seems a little bare to you, don't worry ... It is! The output will show that it is a rule that tracks all traffic in the chain at that point. We're appending the data to the end of the chain in this example ("-A") but we could also insert it ("-I") at the top of the chain instead. This command could be helpful if you are using a number of different chains and you want to see the exact volume of packets that are filtered at any given point. Additionally, this strategy could show how much traffic a potential rule would filter before you run it on your production system. Because having several of these kinds of commands can get a little messy, it's also helpful to add comments to help sort things out:

[root@server ~]$ iptables -A INPUT -m comment --comment "track all data"
[root@server ~]$ iptables -vnL
Chain INPUT (policy ACCEPT 11M packets, 5280M bytes)
 pkts bytes target prot opt in out source           destination
   98  9352        all  --  *  *       /* track all data */

Nothing terribly complicated about using iptables to count bandwidth, right? If you have iptables rulesets and you want to get a glimpse at how your traffic is being affected, this little trick could be useful. You can rely on the information iptables gives you about your bandwidth usage, and you won't be the only one ... cPanel actually uses iptables to track bandwidth.
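The counters above are cumulative totals, so turning them into bandwidth means comparing two readings. The script below is an added example, not part of the original post: it takes two snapshots of "iptables -vnxL" output and prints the byte delta and bytes per second for each rule, including rules with no target. The helper name rule_rates and the sample counter values are constructed for illustration; the chain names follow the post.

```shell
#!/bin/sh
# Added example (not from the original post): per-rule throughput from two
# snapshots of `iptables -vnxL <chain>`; -x prints exact byte counts instead
# of the rounded K/M/G figures that plain -v shows.

# Constructed sample snapshots of a "tracking" chain, taken 60 seconds apart.
SNAP_T0='Chain tracking (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    1208    59626 tracking2  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
     224  1643000 tracking2  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80
      98     9352            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* track all data */'
SNAP_T1='Chain tracking (2 references)
    pkts      bytes target     prot opt in     out     source               destination
    2408   119626 tracking2  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    4224  7643000 tracking2  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80
     158    15352            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* track all data */'

# rule_rates OLD_SNAPSHOT NEW_SNAPSHOT SECONDS   (hypothetical helper name)
# Prints one line per rule: <rule#> <bytes-delta> <bytes-per-second> <match>
rule_rates() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk -v secs="$3" '
        $0 == "---"      { second = 1; n = 0; next }
        $1 !~ /^[0-9]+$/ { next }    # skip the "Chain ..." and column-header rows
        {
            n++
            # A rule without a -j target leaves the target column blank, so
            # the opt field ("--") is field 4 instead of field 5.
            first = ($4 == "--") ? 9 : 10    # first field after destination
            label = ""
            for (i = first; i <= NF; i++) label = label (label == "" ? "" : " ") $i
            if (!second) { old[n] = $2; next }
            d = $2 - old[n]
            if (d < 0) d = $2    # counter was zeroed (-Z) between snapshots
            printf "%d %.0f %.0f %s\n", n, d, d / secs, label
        }'
}

# Live use (as root): a=$(iptables -vnxL tracking); sleep 60
#                     rule_rates "$a" "$(iptables -vnxL tracking)" 60
rule_rates "$SNAP_T0" "$SNAP_T1" 60
```

Rules are matched by their position in the chain, so both snapshots must come from the same ruleset; inserting or deleting a rule between readings shifts the numbering.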


April 15, 2013

The Heart of SoftLayer: People

When I started working for SoftLayer as a software engineer intern, I was skeptical about the company's culture. I read many of the culture posts on the blog, and while they seemed genuine, I was still a little worried about what the work atmosphere would be for a lowly summer intern. Fast-forward almost a year, and I look back on my early concerns and laugh ... I learned quickly that the real heart of SoftLayer is its employees, and the day-to-day operations I observed in the office consistently reinforced that principle.

It's easy to think about SoftLayer as a pure technology company. We provide infrastructure as a service capabilities for businesses with on-demand provisioning and short-term contracts. Our data centers, portal, network and APIs get the spotlight, but those differentiators wouldn't exist without the teams of employees that keep improving them on a daily basis. By focusing on the company culture and making sure employees are being challenged (but not overwhelmed), SoftLayer was indirectly improving the infrastructure we provide to customers.

When I walked into the office for my first day of work, I imagined that I'd be working in a cramped, dimly lit room in the back of the building where I'd be using hand-me-down hardware. When I was led to a good-sized, well-lit room and given a Core i3 laptop with two large monitors and a full suite of software, I started realizing how silly my worries were. I had access to the fully stocked break room, and within about a week, I felt like part of a community rather than a stale workplace.

My coworkers not only made me feel welcome but would frequently go out of their way to make sure I was comfortable and had the resources I needed to succeed. While the sheer amount of new information and existing code was daunting, managers assigned projects that were possible to complete and educational. I was doing useful work building and improving a complex production system rather than the busy work offered by many other employers' internship programs. I learned several new techniques and solidified my understanding of software engineering theory through practice. The open-door policy and friendly people around me not only created a strong sense of community but also allowed more efficient problem solving.

You may have noticed early in this post that I joined the company on a summer internship and that I also told you it's been about a year since I started. While summers in Texas feel long, they don't actually last a full year ... After my internship, I was offered a part-time position as a software engineer, and I'm going to be full-time when I graduate in May.

It's next to impossible to find a company that realizes the importance of its employees and wants to provide an environment for employees to succeed. The undeniable runaway success of the company is proof that SoftLayer's approach to taking care of employees is working.


