I see a few people^W^Weveryone here talking about security. If you didn't read the whole blog post, you might not have noticed the new Linode manager that we're working on being mentioned. Check it out, it's open source: https://github.com/Linode/manager
If you haven't been present in other discussions about Linode security, one of the major factors (in my opinion) is the current manager. It's a large and old ColdFusion codebase, and it's hard to maintain. The new manager is backed by the new Python API and the whole system is significantly easier to reason about with respect to security. I think that the new manager should help ease some concerns, and it's going to be pretty great in other respects too. Hit me up with any questions you have, I'll do my best.
In other news, I run a bunch of Linodes myself and I'm stoked to see these upgrades, even though I get my Linodes for free ;)
I think most people are concerned about the response to security incidents around as much as they're concerned about the security incidents themselves.
Improving the manager is certainly a good step but there's a lot of work to be done to regain users' confidence.
That's very much true. We've been pushing for more transparency company-wide as a result. It's hard to demonstrate that we'll handle this better without another security incident to be transparent about (and let's all hope we don't get there), but we've been pushing for more transparency overall. On my team this means that we're doing our development in the open, we've switched from an internal Jira to a public waffle.io backlog: https://waffle.io/linode/manager (it's just been prioritized too, we're doing sprint planning in 10 mins).
> I see a few people^W^Weveryone here talking about security. If you didn't read the whole blog post, you might not have noticed the new Linode manager that we're working on being mentioned. Check it out, it's open source: https://github.com/Linode/manager
Open sourcing the UI while keeping the actual portion that manipulates the data + handles authentication (the API) doesn't have substantial security benefits since it's largely available to the end user already.
While I am sure you are correct that the rewrite in Python is easier to reason about and more secure, I feel the way you've presented it might imply it is secure because the source is available which is not the case.
I don't think I'm implying that by making the manager open source we are making it more secure. The place where security gains come into play is things like the new design of a stateless API talking to a static frontend app, which I think is a much less fragile system in terms of security.
And yeah, the Python API is much easier to reason about security-wise in general.
I am looking forward to the updated interface and happy to see you are moving away from ColdFusion.
I have been with Linode for many years and have always been happy with the service. Thank you and thanks to the Linode staff for everything they do.
If there was one thing I would like to see come back, it would be the 1024 or 1536 nodes (1 or 1.5GB RAM). I understand the overhead or scaling issues might not make it worthwhile for Linode, but I would be interested.
My team has nothing to do with that sort of decision, so forgive me for being vague, but I believe it's on the radar. The changes done today definitely help the odds.
:) I probably wouldn't know what to do with more than one or two hosts, but I am envious to know you can have as many as you want (within reason, I am sure).
Congrats Linode. I have been a customer for many years.
Why could there not be a $5 1 GB plan? I have quite a few instances for which I don't need even 1 GB, let alone 2.
Doubling the RAM is great but what about storage? Why are RAM and storage still coupled? It's a pay for what you don't use system, having to upgrade to a 24 GB, 8 core box just to get some decent drive space. Ridiculous.
I have been with Linode for many years now but its lack of even some basic modularity will see me leave to AWS soon.
Once Digital Ocean launches their block storage feature, it will probably put some pressure on them. Honestly, it's something I've been looking forward to as well.
Linode has been a monumental disappointment. I signed up with them in 2005, when they were 2 years old and AWS didn't even exist. They were reliable and the support was phenomenal. The Linode Manager was powerful and yet simple to use. I used them for all my personal and professional hosting needs.
In 2013, the support started going downhill. Then there were a series of security breaches, with absolutely abysmal responses from Linode. I now expect to be off of Linode by the end of 2016 (mostly to AWS, with some DigitalOcean), even though in many aspects I still prefer Linode.
I've been a Linode customer since January 2009 (so over 7 years now) and would recommend them to anyone. I have been concerned about some of the security issues, but at the same time impressed with other work from the team (the KVM switchover, large scale server upgrades, support experience has always been great for me).
I'm gun-shy of Linode's many security issues, but hopefully this further drives down RAM prices of competitors. I'd love a $10 2G DigitalOcean instance.
> I'm gun-shy of Linode's many security issues, but hopefully this further drives down RAM prices of competitors. I'd love a $10 2G DigitalOcean instance.
To be fair, unless you are running critical infrastructure and/or processing things involving money... Linode's quality of security is adequate (i.e., for hobbyists and small businesses that don't take payments but rely on ad revenue).
Security is pretty terrible everywhere in the hosting business unless you colocate your own stuff in a locked cage or pay the tier-1 vendors who cost 100% more than Linode.
> unless you colocate your own stuff in a locked cage
How much is a locked cage really needed?
To me the risks are really someone messing with your cables and taking you offline, or accidentally pulling a power plug, which is QOS really. Not security. Can't remember when I heard of someone carting off a server or plugging in a cable to the console port (once they have gotten even into the racks and are on cameras) and doing any harm. Even if this does happen it seems fairly remote and not a concern unless you are really doing something so important that you need to lock up the servers. Sure, price not being an object, why not lock them up.
You can definitely run PCI compliant infrastructure on services such as AWS. Stripe runs on AWS IIRC. Many (most?) AWS services are PCI compliant and using them won't prevent you from being PCI certified.
They've had issues with security around their own systems (payment info leaked, IIRC). And if their systems are compromised, because they have the ability to touch my systems (root password reset, for example), there's a potential breach there.
And they had their own massive DDOS attack which went on for days last winter (Dec 2015?).
Their DDOS was so bad that we had to migrate all of our servers from Linode to Google, which wasn't particularly fun during the weeks of intermittent connectivity. I think it was on the order of weeks, rather than days.
Atlanta seemed to be the primary target. We had something at LA and never had a problem. Servers in Atlanta were down for days, then up for a bit, then down for days again. I do believe in total it was probably 2ish weeks...
London was affected too. I have since moved on to other VPS providers and would suggest Linode ONLY for hobby projects. It's not just their security issues, it is mostly their disclosure policy...
You're right, and the downtime was inexcusable. We've learned from what happened and are continuously working to upgrade and better protect our network, and periodically report on our progress on our blog: https://blog.linode.com/2016/05/02/network-status-updates-ap...
I'm in a rather good situation to answer this. I have a Vultr VPS and a Linode VPS. Both are on $10/month plans.
Linode I use as an rsync server, fossil server, and for IRC. It's running Arch Linux. I would like to run FreeBSD on it, but I didn't know you could when I got it. The Vultr one is a Postgres server running on DragonFlyBSD that I use as a database for various hobby projects. I experiment with various distributed computing projects with the two of them.
I'm very happy with both of them. I'd like to unify on one for ease of payment and maintenance, but I can't decide which. :(
Linode pros:
- Recently the $10/mo plan went from 1GB RAM to 2GB! EDIT: So apparently I should've read the link… that was what this is about. Thanks for the extra RAM!
- 4GB extra disk space (20GB vs 24GB).
- I like their management panel better.
- liXXX-YY.members.linode.com is an alias for your instance. It's much easier to remember than my Vultr IP.
Linode cons:
- I'm worried about security.
- Installing OSes other than the available images is hard.
Vultr pros:
- Custom ISOs are nice for those of us who vastly prefer BSD servers.
- So far no security breaches?
- May be slightly faster, but it's hard to say given the OS difference. I suspect it's just DragonFlyBSD being DragonFlyBSD.
Vultr cons:
- Web management is mediocre; Linode's is better designed and shows me more information.
- Young, who knows what their security is actually like.
- A little more expensive for what you get. I don't mind much though.
If any Linode people are reading this, I think I would settle on Linode _IF_ I can get some assurance about security practices. It's a nice service. I like you. It would be extra nice if you roll out some custom ISO thing eventually.
EDIT: Obligatory "not affiliated with either company". Just a dude that wants to host some place for his fossil repos, rsync, and Postgres server. One of these days I'll just maintain my own server on a Free platform (not Intel, not x86_64) and not use any VPS provider.
I loved Linode and used them till about 2014 or so, but switched to RamNode and then to Vultr. I needed storage more often than performance, I use them to tar mirrored package repositories mainly, and a Linode or RamNode with double the space of one of those costs a fortune.
I hated everything about RamNode, but I can't remember specifics. I stuck with Vultr after just setting up some storage instances because it was nice having everything in one spot. I've been able to host some wargames/CTFs as well because of the custom ISO support.
Seems like there's a lot of tinfoil around eye-level here; FYI not a shill and definitely accepting suggestions for other VPS with root, big storage, and custom OS/ISO options.
I love Vultr. Pretty consistently performs better than competition (like DigitalOcean) for the same price, cheap, haven't had any issues with reliability.
I'd say RamNode is also decent (they do very well in benchmarks) but their support, management and infrastructure are terrible. They were pretty heavily compromised (personal information, passwords etc. leaked) due to a SolusVM vulnerability and refused to remove personal information to prevent it being compromised in the future.
I've had a few instances up on Vultr for nearly a year now and have nothing but good things to say about them. The OS images they use for their instances are, in my experience, almost completely plain-vanilla (which leads to fewer surprises) and the custom ISO functionality is great if you need to launch an instance on an otherwise unsupported OS.
Their instance performance is better than DO in my experience, though I don't know how they compare to Linode.
IME, DigitalOcean performance is usually a little lower than Linode, but some zones seem(ed) to be particularly bad. However, on the zones I do use, reliability on DO in 2016 has been the best of the three. I can hardly remember any outage at all.
Edit: Vultr has been reliable as well, but I've experienced a few outages (not lasting many minutes I think) in the 6 months I've been using them.
I've been running one of their dedicated instance plans (2 CPU / 8GB RAM) for nearly a year now as my play environment.
Overall I've been happy with it, the instance performs up to spec and has had only one downtime event over the year (was down for just over an hour).
Though I don't spend a ton of time using their interface or APIs, it does seem that they are continuously improving them and delivering helpful features.
It is not officially supported, but you can run FreeBSD on Linode. I have been able to get FreeBSD (with ZFS), OpenBSD, and NetBSD running on my Linodes. I tried getting SmartOS working but I haven't gotten the configuration right yet.
I have not checked lately, but there have been two major features lacking in Linode that have compelled me to move away to AWS:
1. Managed firewall service, such as AWS Security Groups. I really do not want to have to manage hundreds of iptables scripts.
2. Easy point and click, yet advanced private network management such as AWS VPC. Last I checked, I had to run OpenVPN on top of my Linode setup, which really was not ideal.
I really hope Linode could improve its image on security.
On another front, why is it that the bigger the instance, the smaller the "upgrade" discount? On the lower level you essentially get double the memory. On the higher end you get 30 - 50% only.
And any plan to upgrade to Xeon-E5 v4?
I would love to see Compute and Memory Instances.
If you have concerns about astroturfing in HN threads, the thing to do is email us (hn@ycombinator.com) so we can look into it. Casually accusing others in the threads, like you've done repeatedly here, is definitely not allowed, so please don't do that again.
I have multiple posts in my history praising Vultr, but I'm not a shill and I don't even currently use them. I just had a really good experience with them and their support team early last year.
Opposing view? I worked there you stupid shit. Keyboard commander, email me if you want proof of the astroturfing. Otherwise fuck right off back to whatever game you were playing :)
I assure you, I'm no shill. Like I said, RamNode does very well in benchmarks.
My problem with them is that after being hacked, exposing my personal information, they refused to remove it, citing nebulous "legal reasons" compelling them to retain it (which similar hosts had no issues with).
Frankly I haven't had another exchange with their support, so I can't comment on their service beyond good benchmarks, terrible privacy/security (they're still on SolusVM as far as I know).
Here's a ticket conversation between the CEO of RamNode and a customer where the CEO Nick essentially attempts to extort the customer for information on one of his friends (me).
Wow, that's appalling behaviour from the CEO of the company. I can't say I'm surprised though, that was roughly what I expect from him after my own interactions.
We're just customers with bad experiences. There are even screenshots of emails with the RamNode CEO. Is it really that surprising to you that not everyone is happy with RamNode?
We didn't say that RamNode is an illegitimate provider either. If you're happy with being blackmailed by your hosting company's CEO and surrendering your personal information indefinitely, then RamNode may be the company for you!
And is it really surprising that people unhappy with RamNode would find and be happy with a competitor? It's not like they suddenly decide they don't need servers anymore.