[conspire] Quiet, Freedom-compatible NAT/firewall/misc box?

Rick Moen rick at linuxmafia.com
Mon Apr 27 15:39:27 PDT 2015


Quoting Daniel Gimpelevich (daniel at gimpelevich.san-francisco.ca.us):

> On 03/16/2015 03:38 AM, Rick Moen wrote:
> >At the most recent CABAL meeting, Dana Goyette ( /me waves from Hilo,
> >HI) suggested that the AMD Kabini SoC (socket FM1) on a mini-ITX form
> >factor motherboard might meet my needs for a multi-purpose silent, small
> >machine on our inside network:
> >http://www.newegg.com/Product/Product.aspx?Item=N82E16813157574&cm_re=mini-itx_amd-_-13-157-574-_-Product
> 
> Actually, if memory serves, the board he suggested that night was
> Geode-based.

What I'm referring to is where Dana strongly recommended I search on
'Kabini' and 'hudson' to find the sort of AMD-based solution that he
felt would meet my needs.  Yes, we did also speak of AMD Geode-based
things, but that wasn't my present point.

> You seem to have found something else. Here is a WiFi
> version of it: http://www.superbiiz.com/detail.php?name=MB-Q1500IW
> The most oomph in an AMD SoC appears to be in the CompuLab fit-PC4
> Pro, which has dual Ethernet and is currently orderable.

The fit-PC4 series is quite new, and to my mind quite a bit better than
the fit-PC3 one, specifically in the area of CPUs, which used Geode CPUs
resulting in the earlier series being to my way of thinking too
RAM-limited (just like conventional Atom-based systems).

The specs say 'Jaguar', which is the umbrella architecture name for
AMD's 2013 low-power SoC platform that divided into Kabini as the
higher-power subfamily and Temash as the lower-power one (seldom seen
outside smartphones, and rarely in tablets and compact subnotebooks).  

The fit-PC4 series divides into two categories according to which CPU 
they use:

Model    TDP  Family
--------------------
A4-1250   8W  Temash
GX-420CA 25W  Kabini

Some motherboards with 'Temash' CPUs max out at relatively low amounts of 
RAM, e.g., 6GB.  To my knowledge, all motherboards with 'Kabini' CPUs 
max out at 16GB, which I consider adequate futureproofing for a home
server.


> Intel has offerings where Gigabit Ethernet and hardware crypto are on
> the SoC instead of video:
> http://www.superbiiz.com/detail.php?name=MB-A1RI25

See, this is interesting because it's Intel Atom (and not server-grade
Atom, either) but isn't seriously RAM-limited unlike most of that ilk:
Manufacturer claims it maxes out at 64GB.  TDP is said to be 15W.

That is interesting in that it's the first Atom-based board to evade the 
pervasive 8GB RAM ceiling other than the server-grade units Dana pointed
out as an (expensive) edge case.  This board isn't in that extravagant
price league, but I notice it's about 3x what a good bundle of a
mini-ITX board and a Kabini SoC costs at Newegg.

Anyway, just to be really clear, my interest in CPUs is primarily as a
marker indicating what total system RAM capacity is likely to be.  Since
I'm talking about running Linux and not doing molecular biology, weapons
design, or ray-tracing, CPU oomph per se is of secondary importance as
it is not likely to be a significant factor in perceived system
performance over the usage lifetime.  The usual Linux attitude to CPUs
is 'Gee, anything in the last five years is fine.  Other factors are
more important.'


> There are also AMD offerings without video:
> https://www.deciso.com/netboard-a10/

Max. RAM 8GB.  I am disinclined to accept that in 2015 absent special
circumstances or special roles (such as network router, which is what
this board is for).  The pity of this is, with that CPU, they could have
made it support 16GB, but decided to provide only one SODIMM socket.
I'm not _that_ fixated on ultra-small.


> The new version of Beema and Mullins is Carrizo, used in the Acer
> Aspire E5-422G and the HP 255 G4.

A quibble:

Bobcat architecture (2011): Ontario, Zacate, Desna, Hondo
Piledriver architecture (2012):  Trinity, Richland
Jaguar architecture (2013): 'Temash' low-power, 'Kabini' higher-power
Steamroller architecture (2014):  Kaveri 
Puma architecture (2014):  'Beema' low-power, 'Mullins' higher-power
Excavator architecture (2015):  Carrizo, Carrizo-L.  Will support DDR4.

So, yes Carrizo followed Beema/Mullins, but not directly.

What I hear is that OEMs over the last couple of cycles have been
maddeningly slow to actually ship product for AMD low-power SoCs, e.g.,
that fitlet unit that sold out instantly because it furnished the
highest-end 'Mullins' SoC, the A10-Micro 6700T, had been awaited by
enthusiasts for a long time, who kept wondering why nobody was offering
motherboards for it.


> Here is another A4-5000 offering:
> http://www.superbiiz.com/detail.php?name=MB-A68N-5K 

$68 for that is a hell of a deal.

It's funny that they call that an 'AMD Fusion APU'.  AMD stopped using
the word 'Fusion' in 2012 for its effort to integrate CPUs and graphics
processors in a single chip (a System on Chip or SoC) after trademark
litigation by the Swiss firm Arctic, which sells a 'Fusion' brand of
power supplies.

Since then, AMD claims to call this concept Heterogeneous Systems
Architecture (HSA) or sometimes APU = accelerated processing unit, but
the former term has been ignored completely by everyone else, and I'd
rather say SoC than the latter AMDism.

> As I understand it, you want a machine in sleeping quarters to
> eliminate location as a single point of failure on the inside
> network. Since you talked about deploying virtualization and
> possibly containerization on the Intense PC you purchased, the
> software solution for this use case that stands out is Swarm, which
> is to Docker containers what RAID is to data.

Well, that omits one important item from my objectives.  

I think the house needs an infrastructure machine for several back-end
needs -- online backup, network intrusion detection system, network
monitoring, configuration management -- that imply that it would be a
high-security host.  A Puppet or Chef master that is also a primary
backup target and also monitors the network is inherently
security-sensitive.

I'm a bit old-school on security, in that I think security is best
approached by simplicity (Unix-style simplicity embodied in deliberately
limited functionality of components, not Windows-style simplicity
embodied in limited functionality of user-accessible controls) and very
careful attention to process and choice of tools.  Newfangled,
all-singing, all-dancing anything strikes me as a bad way to start, and 
everything based on Docker has been security-problematic from the ground
up.  

My understanding is that Swarm clusters a pool of Docker hosts.  I have
no intention of having a pool of anything, let alone Docker hosts -- but
especially not for a high-security household infrastructure role.

It is entirely possible if not likely that I will _also_ want to
experiment with software that doesn't fit the high-security model, such
as OpenStack.  If so, that would be a different host.


> Having redundancy for your Internet presence in sleeping quarters
> still does not address the single point of failure that is
> connectivity.

Yes, we live with some acknowledged SPoFs: the aDSL service, the copper
pair to SBC, the aDSL bridge, the RJ11 cable to the demarc, some
ethernet cables that could fail (but also be easily tracked down and
replaced), and inside-network and outside-network simple ethernet
switches.  We're not a colo, and Mike Durkin's level of service
availability is good enough for our needs.

FYI, on two separate occasions over a period of nine years at 1105
Altschul Ave., the aDSL bridge has gone into a navel-gazing state where
it loses link status and needed to be power cycled.  The most recent
time was about a month ago, and this happens so very seldom that it took
us a few hours to remember that the aDSL bridge device had to be
included as a suspect (and power-cycled).  It's now higher up in our
consciousness as a suspect when the DSL is not merely super-slow but it
appears that literally nothing is crossing the gap. 

We gave Comcast the heave-ho for cable television service with a hearty
'Good riddance' in August 2011:

http://deirdre.net/getting-rid-of-cable/
http://deirdre.net/cable-the-final-insult/
http://deirdre.net/cord-cutting-netflix/
http://deirdre.net/cord-cutting-antenna-ho/
http://deirdre.net/on-the-funding-of-television/
http://deirdre.net/why-television-pricing-is-broken/

People in the S.F. Bay Area, please note 4th link, which is praise for a
local antenna installer, AV Solutions Pros of Mountain View, which came
highly recommended and we can't say enough to support.

At the time that we cut the cable cord, we yanked the CableCards out of
the TiVo, and hooked it up to WiFi.  More recently, I put that on wired
ethernet instead.