Menu Content/Inhalt
Software articles, reviews, downloads.
Home


User Login
Lost Password?
No account yet? Register

Syndicate

Choosing and Using Open Source Software for Production Environments
User Rating: / 3
PoorBest 
Written by Jon Schutz   
Sunday, 28 January 2007
There are advantages and disadvantages to using so-called "free" and open source software.  This article outlines what to look for when considering taking an open source project and deploying it in your production environment.
Personally I am a die-hard supporter of using Open Source.  I won't lie; it's about the money, or more correctly, the absence thereof.
 
OK, I lied.  It's not just the money.  It's really the power.  The power of knowing that if anything ever goes wrong - even if the software vendor has since gone to the grave - I have the source code and it is within my power to fix the problem.  I may not want to fix it, nor understand the code that well, but still, the option is there for me.  This is the ultimate insurance policy and probably the Number One reason for wanting to roll out Open Source into a critical production environment.
 
I think the first open source software that I ever tried was the TCP wrappers package.  Back in the early days of the Internet our whole internal computing network was more or less directly exposed to the rest of the world.  One morning I woke up and decided that this was probably not a good thing, and someone who should know told me that I should at least throw in some TCP wrappers to improve security.  Some time later we progressed to having a firewall running the open source TIS Firewall Toolkit.  Somewhere along the way I stumbled across the GNU project, and started using the Emacs editor.
 
I recall one day having some problems compiling Emacs.  I ended up emailing this guy called Richard Stallman whose name was in the distribution files somewhere.  A few minutes later he responded with a fix to my problem, and literally a few more minutes thereafter had uploaded a whole new release of Emacs, including the patch to address the problem I raised.  At the time I had little appreciation that I was in email contact with the founder of the Free Software Foundation and one of the greatest contributors to the open software movement at large.
 
That was all in the early 90s - since then I have used and abused innumerable open source packages.  I'm not one to download and try software just for the fun of it; I will only do that when I have a specific purpose in mind - so what I'm looking for is usually destined for some sort of production environment - delivering services to internal or external users.  Here I hope to share some of the lessons that I have learned.
 

Lesson 1: Don't believe the hype

I think that open source project developers sometimes feel compelled to over-sell what they're building because they are, or feel that they are, in competition with commercial vendors. In a sense that's fair enough; a good sales pitch is important to attract interest.  
 
As a result, their project descriptions often say in the present tense what they hope their project will be achieving at some time in the future.  This puts a different bent on the hype compared to a commercial organisation; any legitimate commercial organisation will craft their messages so that they sound good but when analysed carefully, they will not claim to do more than they can actually deliver.  Fair trading laws around the world ensure this.  In contrast, when looking at open source projects, it's important to ascertain which capabilities are in the current feature set and which are on the "To Do" list.
 

Lesson 2: Look for signs of life

freshmeat.net is my favourite place to look for open source software.  It currently contains descriptions of around 50,000 projects.  Not surprisingly, not all of those projects are under active development.

The key signs of life are:

  • Longevity - has the project been active for more than a couple years?
  • Maturity - has the project been through several release phases?
  • Activity - has there been a recent release?
  • Community interest - is there some evidence of an active community, such as a mailing list or forum?
  • Broad developer base - is this a one man show?
These are, of course, interrelated - you don't get maturity and community interest without some degree of longevity.
 
Longevity proves that there is a need for the software to exist, for whatever niche it fills.  So many projects fall by the wayside, victims of developers who get bored or get kids.  Adopting software in its early phases is risky on several fronts - lack of features, lots of bugs, and the potential for the whole project to fall apart.  The latter risk is mitigated if there is an active community and broad developer base.
 
Maturity can be hard to gauge.  There is a tendency in open source projects to keep the leading "0" in the release number for a long time, like a perpetual beta, or universal caveat.  Take the DRBD project, for example - stable releases are 0.6.x, 0.7.x, 0.8.x.  The shift from 0.6 to 0.7 to 0.8 signifies new major releases, which are incompatible with previous releases and/or provide significant new features. 
 
Release activity is a sign of active maintenance.  On one hand, a lack of releases might be taken as a sign of stability - "finished" software!  Software is rarely "finished".   Be it bugs, enhancements, or upgrades to keep compatibility with other changing software (such as the Linux kernel, for example), a steady stream of releases should be expected in all but the most trivial software.  Take, for example, the 'mt' (magnetic tape control) command packaged with Linux; tapes have been with us for over 50 years (magnetic tape was first used to record computer data in 1951 on the Eckert-Mauchly UNIVAC I) yet mt still gets updated once or twice a year.
 
Community interest is important on two fronts.  Firstly, it keeps the project going; the chances of developers taking early retirement are much diminished when they have a fan club urging them to bigger and greater things.  Secondly, the community provides de-facto support; when you have a problem, go to the mailing list and ask for help.
 
The number of developers involved in the project is another variable in the equation that is connected to the risk of project termination or suspension, and to software quality.  The effect on project termination is fairly obvious - the more active developers there are, the less chance that the departure of one will cause the project to disintegrate.  The effect on software quality is more subtle.  A project driven by one person is guaranteed to be less well tested, less well documented and to have more shortcuts taken, than when there is a team of programmers involved.  The reasons for this are many - part of it is the inherent competition between developers and the extra efforts they make when they know their code is under close scrutiny; part is the need to set agreed quality standards when several programmers are working together;  part is the ability to delegate different roles amongst the team; and of course, many hands make light work.
 
Quite a few projects would score highly on each of these metrics.  The Apache web server, the Firefox browser, the Joomla content management system, the GIMP (GNU Image Manipulation Program), the OpenOffice productivity suite and the Amanda backup system are just a few examples.  Ultimately it comes down to a risk equation,  where the chances of a software defect or project failure due to any of the above metrics is traded off against the consequences (or cost) caused by such a failure.  This is where the risk assessment often falls in favour of an open souce solution - because the consequences are diminished or bounded since at the end of the day you have the source code and you can pay someone to fix it if you need to.
 
Of course, with so many Open Source projects out there, there's a good chance that if one solution stops meeting your needs, another will fill the void.  A case in point is CIPE, a network to network VPN solution.  I liked using CIPE as it was lightweight, easy to configure and fairly reliable.  However, the software has not been updated for over four years now.  I found in moving to a later Linux kernel, it would crash the kernel unless I recompiled without certain optimisations; moving to a later kernel again, I found it wouldn't even compile.  I considered trying to fix it, but then tried OpenVPN instead,  which turned out to be slightly more difficult to configure but much more reliable, and now I would be hard pushed to move to anything else.

Lesson 3: Be prepared to get your hands dirty 

This article is written for prospective users of Open Source software, which doesn't mean you have to have a driving passion for the Open Source philosophy.  There are many people out there who do hold this as a passion and who altruistically donate their time and effort for the cause.  As a user of free software, you may or may not feel an obligation to give something back, but you should at least anticipate that you might have to spend some time investigating possible bugs and feeding that information back to the project.

Only today I had a problem getting the Linux bonding driver going; I needed to increase the throughput between two servers that were configured to mirror their disks from one to the other on every write.  I followed the instructions to the letter.  After checking everything several times over, I went to the mailing list and described my problem in detail.  Full credit to Jay Vosburgh, who responded with some ideas on how I could further debug.  After following through on those ideas, and a couple more email exchanges, we came to a solution.  It turned out to be a bug in the ethernet driver, which will now be referred to the driver maintainer to fix. 

So, sometimes things don't work.  The unanswerable question is, would it have been any smoother if you have invested in commercial software?  When we pay money for software there is a much bigger expectation that it will work with minimal fuss, but with so many different types of hardware and different software and networking configurations out there, there's still a good chance that things will go wrong.

 

Lesson 4: Understand the risk equation 

I've already touched on risk in several of the points above.  An overall risk assessment looks at all the possible events that could cause things to go wrong, what the probability of occurrence of each event is, and what the consequences (or costs) are if the event does occur.  The sum of (probability times cost) is your risk exposure.  Some of the risks that adoption of open source software might pose to a production environment include:

  • Lack of documentation - creating a potential risk to deployment schedule
  • Bugs or incomplete features - potentially affecting schedule, user satisfaction, security
  • Lack of immediate support - posing risk again to schedule
  • Project termination or suspension - putting at risk long-term support for the deployment
Compare this to commercial (closed-source) software:
  • Documentation is generally complete and sound
  • Bugs and incomplete features are probably equally likely - commercial software is not necessarily tested any better than open source, the driving requirement for speed to market often means seemingly non-essential features are skipped, the prevalence of bugs is largely a function of the size of the user base, and security issues are rife in both forms of software.
  • First level support is typically next business day, but should a software patch be required, it could take months until the next release.
  • Companies go out of business every day and take their proprietary software with them
It is apparent from the above that both forms of software come with risk profiles which, in summation, would often place open source software ahead of closed source, particularly where the software scores well on the signs of life outlined above.
 
Building on this thought, what about commercial open-source software?  This concept significantly lowers the risk profile by combining the  best of both domains and makes a very attractive offering.  It is unsurprising that companies are more and more considering such strategic moves - the recent announcement of Sun Microsystems to release its Java platform as Open Source under the GPL underpins this.
 

Lesson 5: Understand the cost equation 

Imagine building your own house from materials that you harvest from your own back yard.  It's an enormous undertaking, but at the end you have a house, a permanent asset, which has cost you relatively little compared to buying it outright.  It has also been a fair bit of up-front effort compared to, say, renting.

The first case is analogous to designing and coding your own software, compared to the big up-front cost of buying a perpetual license.  Or, software is often sold on the 'renting' model, where you can only continue to use it as long as you keep paying.

Now imagine that you're planning to buld your own house, and a team of benefactors comes by and delivers tons of building materials to your (still to be constructed) door, and they even put some of the materials together for you - perhaps a few nicely furnished rooms and some kitchen cupboards.  Your job now is just to finish off the remaining pieces and then you have that permanent asset, almost as if you had built it from scratch.  This is the Open Source analogy.

 So, the Open Source route is a fantastic way to leverage existing software without a massive up-front investment.  But it's not for everyone; continuing the analogy above, unless you or your team rank as "home handyman" or better in the software world, you may have no choice but to pay for a fully supported commercial package.

 

Conclusions

As with all engineering choices, do your homework, weigh your options, and make a sound decision based on good information and evaluation.  Make sure you consider Open Source as one of your options. 

 

 

About the Author
 
Jon Schutz is the CTO of YourAmigo, a Search Engine Marketing and Optimisation firm in Adelaide, South Australia.  Jon has a Masters degree in Mathematical Science in Signal and Information Processing and an Honours degree in Electrical and Electronic Engineering.  He has extensive experience in systems and software engineering, network and computer systems management, particularly on Linux.  Previously he has worked in the fields of radar and control systems. 
 
 
 

 
Last Updated ( Tuesday, 13 February 2007 )
 
Next >
[ Back ]