In the coming week's SonataWeb is going to begin offering Fully Dedicated Servers. Almost all the details have been figured out, prices determined, and specifications ready to go. However, a thought that I'm continously jumping back and forth between is giving root access to the owner of the servers.

On one hand, we have the thought that these are true fully managed servers. By giving the customer root access, and they break something, we have to fix it on our tab. No matter how experienced a user is, they'll likely break something, especially if they're not responsible for fixing it.

On the other hand however, we have the guy who whispers in my ear that these guys are paying for the dedicated. It's theirs, they should be allowed to do what they want with the server. Restricting them is only inhabiting them, and limiting the ability for their growth potential.

One possible solution I have thought of, is creating one large reseller account for the customer on their server, since these will be on WHM/cPanel only, and then giving them almost full access, but still restricting some minor details. If they need shell access, we can setup some kind of super user, that way they have the ability go browse the system, but still can't access root files. That still however is extremely limiting.

I'd be interested in hearing some thoughts and opinions from other WHT users.

Thanks.

It depends on how good your managed service is going to be really. What type of response times are you planning on honestly achieving? I consider myself capable of managing a machine just fine, but I would enjoy having a managed machine to know that if for some reason I am away, it is in good hands. In the event that I needed something done at the root level, and I knew the techs would get on it and get it done really quickly, I would be just fine without root access.

Originally posted by justadollarhostin
It depends on how good your managed service is going to be really. What type of response times are you planning on honestly achieving? I consider myself capable of managing a machine just fine, but I would enjoy having a managed machine to know that if for some reason I am away, it is in good hands. In the event that I needed something done at the root level, and I knew the techs would get on it and get it done really quickly, I would be just fine without root access.
It will be a strong offering to say the least. I refuse to offer a product unless I know that it is of the highest quality, and strive to continously boost the confidence that my customers have in the services we offer. Needless to say, my overall goal is to raise the bar as to what a "Fully Managed" provider is considered.

Well in that case I would most likely not offer root password to the account. If you wanted to you could create a special setup where the owner can have the root password, but damages created by them are either billed such and such amount (make sure this is clear to them so you don't get called a fraud) or fixing what they break comes as low priority.

I'm sure since these are fully managed, you'll be securing them as well before you turn them over to a client. That said, the client shouldn't be logging in as root anyway.

Create a user account for them with permissions to anything they can't break on a system level, and then provide the root password for things they can.

If they can accomplish whatever they need to under their user account, they'll probably never even su to root, even though they can if need be.

That's most likely what I'd do if I were in your situation, because there really is no easy way out of that one. If you restrict root access all together, you're going to have people that aren't happy about it, just because they're paying for a server and feel they should be entitled to it.

Don't most people want what they can't have, whether they need it or not? Human nature I suppose. By the above suggestion, you're not "holding out" on the client, but merely detering possible problems, and helping secure the box in the process. :) People (in general) are lazy, use it to your advantage.

if they only have access to a reseller account on their server, eventually a customer will wonder if there are other accounts on their server. and if the customer wants to set up reseller accounts for other people, it may become complicated.

Although the idea of Full Service Management for Servers sounds good, it places a lot of responsibility on you, the DC. Basically you would be responsible for everything so I can see the cost for this Service being quite high.

Everyone has their own idea of 'sevice level' but for something like Full Service Management, and off the top of my head, you are looking at:

- fully securing the Server, this includes prevention for any kind of hack or making things right (whatever it takes and at your cost) if the hack is X% destructive

- monitoring the Server load and once the norm is established, taking necessary steps to reduce load when high (implies 24 hrs. load watching)

- updating of all Server services and Control Panels (frequency to be determined)

- being at the beck-and-call of the lessee with established time-frame for every response/reply (probably 15 minutes or 30 minutes max.)


I'm sure there is a niche market for this type Full Service Management but you take on so much responsibility, the cost might be quite high in order to justify the Service. Best of luck though, in this endevour. You could start quite the trend. :D

why not offer them the option of the 2???? root access but you break it you buy it...or no root access and we handle everything....you just have to make sure there is someway they can offer reseller accounts but i believe it can be done without root access somehow, dont quote me on that though.

We have many dedicated server clients (all fully managed) and we give out root access as standard. 5/10 will never even login via SSH and do what they need to via Plesk Admin or Root WHM access. Occasionally someone will break something. We had a client do "rm -rf /" once. That was an easy fix though. Reformat, lol.

We offer fully managed servers and do not give out root by default. If the client asks for root, and needs it for a specific install, etc... we then grant it on a case by case basis. This policy seems to work well, and only 1 client out of 60 has ever asked for root access, and in this case, they were installing some custom software.


- fully securing the Server, this includes prevention for any kind of hack or making things right (whatever it takes and at your cost) if the hack is X% destructive

- monitoring the Server load and once the norm is established, taking necessary steps to reduce load when high (implies 24 hrs. load watching)

- updating of all Server services and Control Panels (frequency to be determined)

- being at the beck-and-call of the lessee with established time-frame for every response/reply (probably 15 minutes or 30 minutes max.)
I'll agree with the first 3, but the last one is not true even for fully managed, at least in our experience. Our managed server clients are for the most part less support intensive then the average shared hosting client. Of course our offerings start at $200/month and go up from there, so our clients are the more serious business type who want the server to work and not have to worry about security, monitoring, etc...

- John C.

Originally posted by inogenius


One possible solution I have thought of, is creating one large reseller account for the customer on their server, since these will be on WHM/cPanel only, and then giving them almost full access, but still restricting some minor details. If they need shell access, we can setup some kind of super user, that way they have the ability go browse the system, but still can't access root files. That still however is extremely limiting.

I'd be interested in hearing some thoughts and opinions from other WHT users.

Thanks.

Thats exactly how we handle it. We do not give root access to clients who have fully managed servers. If we are "fully" managing a server, they have absolutely no reason to need root access.

If they want root access, we can easily change their service to non-managed dedicated...and then they have the option of contracting with us on an hourly basis for admin work of any kind, should they still need some help.

Too many cooks spoil the soup...and each cook is likely to blame the other. ;)

--Tina

I like the anology there, Tina. I was thinking you should offer semi-managed and fully-managed. The semi-managed should include root access.

Thanks,

Its just too complicated to offer semi-managed - because anyone with root access could screw up just about anything and you'd have to fix it at your set monthly fee. You'd also have a hard time being able to prove it was the client that screwed up the server.

--Tina

Originally posted by AH-Tina
You'd also have a hard time being able to prove it was the client that screwed up the server.

Nonsense.

Perhaps Tina meant that you'll have a hard time being able to prove that it was the client that screwed up the server and make him understand and acknowledge that. :P

I'm actually mulling this over myself. What I'm leaning towards is the following:

* Offering Fully Managed and Self Managed
* FM does not get the root password by default, SM does
* SM gets best effprt support on general things but extenive work is billable.
* FM may request the root password but will have to pay a "security deposit" (the cost of a serve reinstall at my DC) in the event they screw something up to the point we can't fix it. If they screw it up and we need to reload the box then they loose the deposit and need to pay it again if they want root access back. If they don't ever need a reinstall or serious work on the box to fix their blunders they get the deposit back when they close the account.

Has anyone else tried this? What do you think?

I like your idea there, Tim.

Thanks,

Originally posted by elix
I like your idea there, Tim.

Thanks,

np.

Oh and just a question:

Are OS reloads free for the SM plan? I assume you're going to charge for that.

Thanks,

Originally posted by elix
Oh and just a question:

Are OS reloads free for the SM plan? I assume you're going to charge for that.

Thanks,

My DC charges for OS reliads so no. If I am billed so will they be. I haven't actually started offering dedicated yet.

If I am buying FULLY MANAGED servers from someone, I would not want to have root access.

Isn't that the whole point of FULLY MANAGED? The company that is managing the server should be available to do anything that the customer needs..

If something goes wrong with the server, I don't want my management company to turn around and blame me for it. This can ONLY happen if I do NOT have root access.

Of course, this is all contingent on the provider and their support. If they offer crappy support, or slow support, then I would not be happy.. but if they offer fast and excellent support then it should be fine. Need root stuff done? Submit a ticket and get them to do it. That's the whole point of FULLY MANAGED.

:) Just my opinion.

I must be missing something - there must be a reason nobody even suggested using sudo if there is a reason to assign accountability. Give sudo access to the purchaser upon request, when the use the command they will be warned that specific commands/access are all logged. That way, they are aware that the accountability factor is there and you are able to track it if they mess anything up and bill for fixing it. You can have your TOS/AUP state this policy succinctly and effectively.

Originally posted by Plexi_Hosting
I must be missing something - there must be a reason nobody even suggested using sudo if there is a reason to assign accountability. Give sudo access to the purchaser upon request, when the use the command they will be warned that specific commands/access are all logged. That way, they are aware that the accountability factor is there and you are able to track it if they mess anything up and bill for fixing it. You can have your TOS/AUP state this policy succinctly and effectively.

Sudo is a good TECHNICAL solution, but it is not very practical because of the amazing amount of administration required to PROPERLY get it working and:

1) Give enough access to please the customer who "wants root", but gets sudo instead.



Also, the fact here is that even with SUDO it is still possible for the customer to screw up the apache conf files, and other system files. So then they call and need help because they screwed up their system.

So they say:

You should fix it for free because this is FULLY MANAGED hosting. Of course, this costs the supplier time and therefore money to fix this problem.

Do they fix it for free? Do they charge the customer?

It is not a good situation, because the customer probably wants it fixed for free, and now the supplier is not making money because they must provide more support for this stupid customer.

Thus, all sudo really does is help you to track who did what and when.

But the fact remains that the customer can still really screw things up, and then someone must fix it... and that someone is likely going to be the supplier, who is in business to make money, not to provide free support to stupid customers who don't know what they're doing.

:)

Originally posted by mrzippy
Sudo is a good TECHNICAL solution, but it is not very practical because of the amazing amount of administration required to PROPERLY get it working
I disagree. Any sysadmin worth their salt can get it set up PROPERLY (edited to add the same emphasis so we were on the same page) without requiring an additional degree in rocket science.

and:

1) Give enough access to please the customer who "wants root", but gets sudo instead.

It can give enough access, but you have the control to give or not give "enough"

Also, the fact here is that even with SUDO it is still possible for the customer to screw up the apache conf files, and other system files. So then they call and need help because they screwed up their system.

So they say:

You should fix it for free because this is FULLY MANAGED hosting. Of course, this costs the supplier time and therefore money to fix this problem.

Do they fix it for free? Do they charge the customer?

It is not a good situation, because the customer probably wants it fixed for free, and now the supplier is not making money because they must provide more support for this stupid customer.

Thus, all sudo really does is help you to track who did what and when.

But the fact remains that the customer can still really screw things up, and then someone must fix it... and that someone is likely going to be the supplier, who is in business to make money, not to provide free support to stupid customers who don't know what they're doing.

:)
Did you not read the part I wrote stating "you are able to track it if they mess anything up and bill for fixing it. You can have your TOS/AUP state this policy succinctly and effectively." That should cover this point. They know that if they mess something up they are going to be billed to fix it.

I hope you don't often refer to customers as "stupid" in public forums, as that's a great way not to get them.

He didn't say all customers were stupid. He said "stupid customers who dont know what they're doing". Big difference.

--Tina

Fair enough, not wanting to get into semantics here but I didn't accuse him of such either. There was that quote you mention, Tina, and "this stupid customer" so no it was not meant as a generality and I did know/realize that - didn't mean to imply otherwise. I saw I know customers can do silly things from time to time for sure but was just giving my prerogative that I wouldn't call any singular customer (or their actions) stupid in a public form. Didn't mean to take it offtrack - sorry inogenius, hope some of the debate helped though :) IOU two minutes of your life back.

Originally posted by mrzippy
If I am buying FULLY MANAGED servers from someone, I would not want to have root access.

Isn't that the whole point of FULLY MANAGED? The company that is managing the server should be available to do anything that the customer needs..

If something goes wrong with the server, I don't want my management company to turn around and blame me for it. This can ONLY happen if I do NOT have root access.

Of course, this is all contingent on the provider and their support. If they offer crappy support, or slow support, then I would not be happy.. but if they offer fast and excellent support then it should be fine. Need root stuff done? Submit a ticket and get them to do it. That's the whole point of FULLY MANAGED.

:) Just my opinion.

I tend to agree but there are those who feel slighted if they don't have root access (sort of like those who want 100Mbps nic cards but don't really need them). I don't even like giving out ssh access, but with a dedicated server customer is hard to avoid that no matter how good the control panel is. My idea accomodates those customers but makes them think twice because of the extra cost.

Originally posted by Plexi_Hosting
I must be missing something - there must be a reason nobody even suggested using sudo if there is a reason to assign accountability. Give sudo access to the purchaser upon request, when the use the command they will be warned that specific commands/access are all logged. That way, they are aware that the accountability factor is there and you are able to track it if they mess anything up and bill for fixing it. You can have your TOS/AUP state this policy succinctly and effectively.

The only advantage of sudo over direct root access is they can't actually change the root password and lock you out of the box and the password is not sent out directly. Sudo still has the ability to screw up the box.

TOS and APU's are great, but good luck collecting the fees if a customer isn't willing to pay them unless you take them to court.

Perhaps you could give them a choice... I.e. if you want root access you won't do certain things, and visa versa.

call it a new type of hosting service: the Full-Server-Reseller ®. :)


Originally posted by TranswarpHos
TOS and APU's are great, but good luck collecting the fees if a customer isn't willing to pay them unless you take them to court.


what fees? where are the dedicated servers that don't require payment up front? it seems that payment is usually provided first, so the provider owes the customer.

while not a ded server user at the moment, there's not much chance I will choose a provider that does not allow me see everything on the server.

also, I feel that managed services people work for me, not the other way around, and I might just log in occasionally to see what's up.

If you need a fully managed server, and want to pay $xxx a month for it, you shouldn't get root.

If you want an admin for hire, so that you don't have to worry about server management, then you should get root and pay $xx per hour for the management services.

If you want root and don't want anyone else touching your server...then get an unmanaged dedicated and DIY. :)

--Tina

If you need a fully managed server, and want to pay $xxx a month for it, you should get root.

No, because fully managed is something that doesn't include root.

Thats like saying "I want a reseller account and because I pay $100 a month, I should get root". Certain services come with certain features.

--Tina

no, it's like you wanting to decide what the definition is. :)


Originally posted by CD Burnt
If you need a fully managed server, and want to pay $xxx a month for it, you should get root.

I only mimicked your statement to highlight that. :)

Originally posted by CD Burnt
call it a new type of hosting service: the Full-Server-Reseller ®. :)





what fees? where are the dedicated servers that don't require payment up front? it seems that payment is usually provided first, so the provider owes the customer.



for the box yes, for support not always. If a customer had a totally unusable box would you say "pay up before I fix it"? Maybe you would, but not everyone would.



while not a ded server user at the moment, there's not much chance I will choose a provider that does not allow me see everything on the server.



Then I doubt we'd ever do business together. :-)



also, I feel that managed services people work for me, not the other way around, and I might just log in occasionally to see what's up.

That's your choice but for every person like you there'd be others who would abuse the privelage or mess things up and not own up to it.

Tim

Originally posted by CD Burnt
no, it's like you wanting to decide what the definition is. :)



I thought that's what we were doing. Deciding what "fully managed" should generally mean and encompass. Of course, different providers will allow different things. Thats like saying "What does a reseller account include?" and expecting all hosts to give the exact same features.

--Tina

I agree with Tina on this point. Different hosts will offer what they want to. However personally If I was paying all the money for managed. IM gonna be lasy and let them do it. I have no need for root if I am paying them to take care of it for me.

Originally posted by Jimerson
.... However personally If I was paying all the money for managed. IM gonna be lasy and let them do it. I have no need for root if I am paying them to take care of it for me.

That's exactly how I feel.

If you go to a car dealership and tell them you want to buy a car with a FULLY MANAGED warranty.. (ie: a normal warrenty), they will quickly inform you that if you open up the transmission and start "fixing" things yourself... you will immediately void your warranty.

You are paying them for FULLY MANAGED warranty so that you don't "have to" fix anything.. and they will not allow you to go into the engine and try to fix anything otherwise you void your agreement/warranty.

I see this situation as very similar. If you are paying for a FULLY MANAGED server, then you can consider it like a car warranty. If something breaks, the company that provides the FULLY MANAGED (warranty) service will fix it as part of your package.

But if it is broken because YOU decided you wanted to get into the engine (log in as root) and start playing around... then this would void your agreement (warranty) and the provider (dealer) will tell you that YOU broke it so YOU fix it. (or they will give you a bill for $xyz / hour to fix it for you...)

Hope that makes sense.

I think that any company that says they provide true FULLY MANAGED servers, and gives away root, is opening themselves up to problems. I'm not saying that it WILL happen.. but I am saying that it COULD happen.

:)

Perfectly said - better than I could.

--Tina

I agree totally with Tina & mrzippy.

We give root access on dedicated servers if requested, however the clients are informed that if they break something we will charge to fix it.

This works well for us and so far no problems :)

call it a new type of hosting service: the Full-Server-Reseller ®.

I like that idea. I mean, if someone is getting a fully managed server for use by their hosting company, that means they dont wanna spend all the time to fix things or add stuff (that or dont know how) as long as they can set up resellers accounts of their own...and can have the company set up the server how they want...and add things as they need it added...etc etc they should be more than happy, so why in the heck would they want root access in the first place?

and if they want to do it their self, and need root access they dont need a "fully managed" server.