Seriously Linode? 30 minutes of data retention on the free version? You could have at least set it to 7 or even 3 days. 30 minutes is not nearly enough.
The software running on your machines is open source. It can be reviewed. Quite important for people not wishing to run closed source software on their machines.
Without custom metrics (for example, via StatsD), I'm unable to use Longview to collect these "Meaningful metrics". It may provide me with an overview of what a system does as a whole, but I definitely need custom events from my applications to show up in the same graphs for it to be useful.
I always get a bit annoyed with paid versions that give you less things that the free version, the free version gives you 10 servers but if you take the first step of the paid, you only get 3.. (I know there is a difference in retention)
So what part is opensource about this? The github page mentions the pro version so I'm not sure that this is entirely open. Would I, for example, be able to run the code on a non-linode box and have access to the full software?
Why is HN still tolerating this disgraceful excuse for a company ? Hacked twice. On both occasions deliberately withheld key information from their customers. Which as VPS providers is pretty much the most important thing they can do (i.e. be transparent about security issues).
It's hilarious for me to watch the hyperbole about the CIA, NSA, Snowden etc and yet tolerate a more direct and clear abuse of privacy and security.
Did you hack it yourself if you are so well informed? If not, what are your information sources? Rumours? I couldn't care less about thing you believe and they have no influence to my opinion about Linode.
BTW, they did not abuse neither my privacy, nor my security.
It was all over HN a while back. They were incredibly cryptic and slow to respond after they got hacked. They tried to downplay what happened instead of saying it straight. So clients didn't know what measures they needed to take to protect themselves. The community response afterwards was that basically these people can't be trusted at all.
Linode wasn't able to disclose information quickly about the case during at least one of the hacks due to the ongoing FBI investigation. They also got bitten by a 0day, so there wasn't really a whole lot they could have done to prepare.
I've been beta testing Longview for a while. It's been kind of nice to have. I most liked the at-a-glance visibility of whether there were any system package updates available.
The pricing structure is disappointing. I would have rather seen per system pricing ($3-5 mo/server is roughly what it would be worth to me). I have 4-5 nodes running. I'll likely never have 10 so $40/mo doesn't seem like a very good value proposition.
Unbelievable how much complaining there is this thread. This is a great, free addition to their service and is very well done for getting a quick overview of a server.
To be fair, this is half a solution for getting a quick overview of a server. You still need thew collector/visualizer, which, at least now, is proprietary.
You could, conceivably, make your own collector/visualizer, but that seems to be the hard part here.
I think you misunderstand it's actually a free add-on limited to 30 minutes of retention at 5 minute intervals. The paid version has 1 minute intervals with unlimited retention.
Edit: the parent has since stealth edited their comment.
Munin seems like it would be a much better choice for most people -- both the server and the client are Free and it stores a year of data. What it doesn't do is allow you to drill down into old data -- it's only got static day, week, month and year graphs. You can graph pretty much anything, though.
The awesome thing about munin is that you can throw together an agent for $METRIC in 5 minutes using shell. Getting high level business metrics in with the system metrics is gold.
Why is it a much better choice for most people? It's tricky to configure and requires you to manage another server. For people who want to go through that and have the flexibility offered Munin is great (I use it), but for "most people" who just want a high level look at their stuff Longview seems ideal. There is almost no setup and no management. I put it on a couple servers yesterday and it seems slick.
only 30 mins of data retention... even AWS gives you 2 weeks at 5min resolution for free (albeit only stuff the hypervisor can measure because they don't run an agent, so no RAM etc).
AWS doesn't give you any minutes of data retention if you aren't paying them by the hour for the server. You can use Longview on any server, it does not have to be hosted by Linode.
If you host with Linode you already get access to graphs going back a year for CPU / Network and IO. Longview is in addition to that offering.
Warning. If you have a high traffic server, Longview will eat up all your CPU. It has a function that iterates through all open file handles to find out which ones are network sockets in an O(n^2) loop. This loop never completed on my system. I had to kill the process and eventually disabled Longview.
Just had it installed. It is much better than the standard log metrics they offer. However what is bothering me is that the whole installation is through a short URL.
Where aBcD is randomly generated. If you visit https://lv.linode.com/aBcD, it contains not just the script to execute but also your API Key. How safe is it to expose your API Key?
Since the randomly generated value is only 4 characters long, it shouldn't be hard to find other people's API keys by brute forcing it.
#!/bin/bash
echo "Invalid Installer Session"
echo "Please see the Longview details page to start a new session"
echo "OR if you would like to install Longview manually please see:"
echo "http://library.linode.com/longview"
I added a client, got a shortlink, and checked as well. Then I removed the client and the link persisted for a few minutes (even after clearing cache). Now my link redirects to the error message like your example. Short period, but since there are so few options I would think this is indeed an issue that could be exploited.
Yup it seems the link only persists for a few minutes. But given the knowledge that a lot of people are currently installing longview and that it takes only less than a minute to iterate though all the possible combinations of the 4 character token, it could still be exploitable. They should definitely increase the token length to a safe number.
Exploited how? It's only used to send data in and it should be a pretty simple matter to not accept traffic from multiple machines for one API key. I accidentally used the same shortlink to install on two servers last night and saw a "there are multiple servers sending data, check your configuration" error (while the stats stayed correct).
I believe the fear here is that if you can guess URLs, and one of those URLs works and provides you with a script that contains an API key, you could use that API key to perform other, non-Longview-related API calls to Linode's management API.
That's a pretty decent fear. I don't know if there's any other controls on the API key that prevent it from being as vulnerable as this suggests...
It's a different API key for every Longview machine. I set up 3 and the keys are different in each case (which is also why the short URL changes for each machine, the API key is part of the response and is different for each machine).
I'm a fairly happy Linode customer and have been for 3 or so years. (Yes, security/transparency could be better). We've got a nodebalancer and ~10 nodes. What longview lacks for me is a mechanism for notification & alerts. The value of monitoring is only half the equation. Step two is something that either has sensible defaults or easily adjusted settings and notification when limits are exceeded or below acceptable limits. I don't want to have to constantly watch longview to see a problem.
Anyone know if it provides this, or if there are better monitoring tools or services that do?
Rackspace Cloud Monitoring has an API driven way to manage notifications (people) and notification plans (groups of people) that can be flexibly tied to specific checks and alarms. It runs very similarly to this, with an open-source agent running on the host, or remote checks that try to connect from the outside.
I really want to try this, munin is awesome but I find quite hard to configure and some stats hard to understand, longview's design seems much more friendly.
60 comments
[ 2.9 ms ] story [ 89.3 ms ] threadSurely Linode isn't giving you an evaluation that handles 6 data points. What does the basic version actually do?
https://library.linode.com/assets/1406-lv_network.png
The software running on your machines is open source. It can be reviewed. Quite important for people not wishing to run closed source software on their machines.
Yea, if you're hosting with them, trusting them is handy.
This Longview agent can be run anywhere though, doesn't have to be on a Linode machine. Not entirely sure why you'd want this setup, but still..
disclaimer: I'm the founder of Event Fabric
It's hilarious for me to watch the hyperbole about the CIA, NSA, Snowden etc and yet tolerate a more direct and clear abuse of privacy and security.
These weren't small incidents. You can find plenty of information on them.
Even their wiki mentions that they got hacked http://en.wikipedia.org/wiki/Linode
The pricing structure is disappointing. I would have rather seen per system pricing ($3-5 mo/server is roughly what it would be worth to me). I have 4-5 nodes running. I'll likely never have 10 so $40/mo doesn't seem like a very good value proposition.
You could, conceivably, make your own collector/visualizer, but that seems to be the hard part here.
Edit: the parent has since stealth edited their comment.
http://munin-monitoring.org/
If you host with Linode you already get access to graphs going back a year for CPU / Network and IO. Longview is in addition to that offering.
https://github.com/linode/longview/commit/dc48b6ddce04dc7155...
curl -s https://lv.linode.com/aBcD | sudo bash
Where aBcD is randomly generated. If you visit https://lv.linode.com/aBcD, it contains not just the script to execute but also your API Key. How safe is it to expose your API Key?
Since the randomly generated value is only 4 characters long, it shouldn't be hard to find other people's API keys by brute forcing it.
That's a pretty decent fear. I don't know if there's any other controls on the API key that prevent it from being as vulnerable as this suggests...
Anyone know if it provides this, or if there are better monitoring tools or services that do?
http://www.rackspace.com/cloud/monitoring/