UDS Intrepid Server Report
Plans for 8.10
Place in this section bullet points of specific intended outcomes for the 8.10 development cycle.
- Get community feedback about the level of testing they're willing to provide.
- Identify what to test.
- Select a testing framework.
- Work on creating tests for common server scenarios.
- Make a decision on which Servlet Container to place in Main, in the next two weeks.
- Find a Calendaring solution for Intrepid.
- Chuck Short will follow up by weighing the pros and cons of several solutions.
Swap File Outcome
- Swap File needs to be in installer for at least a release.
Auto Update Outcome
- Document setting up multiple repositories based on package type.
- Find a way to move/copy packages from one repo to another.
Identity Management Outcome
- Package OpenLDAP for cn=config.
- Directory configuration configured through LDAP objects.
Software RAID Outcomes
1. fix the grub issue
2. improve the logic in initramfs
3. add the toggle
PIE Hardening Outcomes
- Make default for amd64.
- It's time for beer
- Will contact Upstream and try to build a relationship to stabilize the API.
SpamAssassin will be MIRed.
- vim will be installed by default.
- Further discuss ACLs.
- Install screen by default.
- Talk to Colin about installing updates after installation.
Colin Discussion Outcome
- acl by default
- Keep Root ssh options as they are.
- No full upgrade during post install.
Management Integration Outcome
- Test ipmi and wbem with existing Enterprise Management Systems.
- Rick has access to systems using those management systems. DMTF.
- Talk to Landscape devs and figure out which features are available.
- Ask the questions listed in the notes below.
- Create a Wiki page for the Landscape questions.
- See Doc section below.
19 May Round Table
- Discussed items that didn't get into Hardy for various reasons.
- Rails -- expertise was lacking to complete the packages.
- Mail + Spam -- a wrong direction was taken, which wasn't realized in time to meet the freeze.
- iSCSI some use cases are covered, but others are not. So parts did make it into Hardy and parts didn't.
- Improve QA test cases.
Encrypted Sub-directory in Home
- What are we trying to Achieve? What are the Use Cases?
- Incremental encrypted backups.
- Secure location for a user on a shared server.
- Encrypt information saved to a remote server.
- Probably more beneficial to Desktop rather than Server at this point in time.
- Server is more familiar with the topic
- Dustin recommends it, and he's on the server team.
- Enabling this is low hanging fruit, making the pain of implementation relatively low.
- Can be integrated with the Desktop Edition as well.
- Performance issue with encrypting everything
- non-encrypted /boot is a good idea.
- Encrypted Swap is probably needed regardless.
- may consider .cache as well
- If the encrypted directory is mounted and backed up the backup will include unencrypted files.
- Also, once a directory is mounted any user with access rights can also see the files in the clear.
- File-system names are not currently encrypted.
- Obfuscated directory structure and file names will be coming in the next few months.
- Ecryptfs -- sits on top of other file systems (universe: ecryptfs-utils)
- Uses in kernel encryption.
- Tied into PAM -- only need to enter password once.
- Can encrypt remote shares.
- Another technology is ZFS inode level encryption.
- Private home directories by default is not a good idea.
- 0700 /home/username/Desktop to make it private from other users on the system.
- The implementation may be more work than it's worth.
- The fact that other users can see unencrypted files is an issue.
- May be able to supplement the Discretionary Access Controls to prevent access.
- What's missing
- What we can provide in the short term
- What can we do for Intrepid
- Implemented in client form
- Recommended to be released with Intrepid.
- libmapi -- headed toward 1.0. Set of libraries to open a connection to Exchange, using Exchange protocols (MAPI).
- Libraries have been integrated with Evolution.
- Proxy should be available.
Will have further discussion about Intrepid OpenChange commitment.
- Enable the same functionality in Free/OSS.
- Started 5 years ago, as of 12 months ago project has taken off. With big help from Documentation from MS.
- Novell accepted GPLv3 for Evolution portion. (I think this was they've said they will, but they haven't yet.)
- Novell customers have been providing pressure for GPLv3.
Akonadi -- KDE4.1+ groupware infrastructure (http://pim.kde.org/akonadi).
Will integrate with OpenChange.
OpenChange backup utility can backup per user mailbox.
- Preserves Exchange meta-data.
Poor document management through Exchange Public folders. OpenChange allows access to these.
- Will need to run Windows 2008 server for testing.
Why Exchange Matters
- Killer App.
- People stay with Microsoft because of it.
- No equivalent with OSS.
- Linux clients connecting to Exchange server. (Linux clients on MS environments)
- MS clients connecting through Outlook to Linux servers. (Windows clients on Linux Environments)
- Address book provider -- working.
- Message store.
- Proxy for MAPI -- Handles requests from Outlook.
- Client libraries will be integrated into Samba 3.
- Connects SQL data-store with Samba and OpenLDAP.
- Comes with Scripting Language to automate administration tasks.
Small plain-text file format used to represent MAPI objects (libocpf) http://apidocs.openchange.org/libocpf/index.html
- W2k8 Server + AD + DNS + Exchange -- Server
- Vista + Office/Outlook -- Windows Client
Evolution + OpenChange -- Linux Client
Mocabox -- Messaging OpenChange Applications Box -- embedded development platform -- virtual images soon available from the repository
Proposed Security Changes
- Investigate script or something to check for setuid binaries.
- Changes to default settings
/etc/ssh/sshd_config: "PermitRootLogin no"
- Private directories
- /root to 0700
- /home/*/Desktop to 0700
- /home/*/Private to 0700
- Encrypt Swap by default
- Performance issues
- Use case:
- Laptop/Desktop more important than encrypted Swap on a Server.
- Discuss with Desktop Team
- /etc/shadow SHA passwords
- supported by glibc, perhaps not by shadow
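A read-only audit of the proposed defaults above (setuid inventory, PermitRootLogin, 0700 private directories, SHA hashes in /etc/shadow), added here as an example and not code from the UDS notes. It assumes GNU find/stat as shipped on Ubuntu and the $5$/$6$ crypt prefixes glibc uses for SHA-256/SHA-512; the functions take explicit paths so the audit can be run against a staged copy of a root tree.

```shell
#!/bin/sh
# Added example (not from the UDS notes): audit a root-like tree against the
# proposed security defaults.  Everything here only reads; nothing is changed.

# List setuid regular files below a tree, one per line.  Inventory only: the
# decision about which to keep belongs to a human review.
list_setuid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | LC_ALL=C sort
}

# Print the effective PermitRootLogin value from an sshd_config
# (sshd honours the first non-comment occurrence), or "unset".
permit_root_login() {
    awk 'tolower($1) == "permitrootlogin" && !seen { v = $2; seen = 1 }
         END { print (seen ? v : "unset") }' "$1"
}

# Succeed only if the directory exists and its mode is exactly 0700.
private_dir_ok() {
    [ -d "$1" ] && [ "$(stat -c '%a' "$1")" = "700" ]
}

# Print the crypt scheme id of a user's hash from a shadow file:
# 1 = MD5, 5 = SHA-256, 6 = SHA-512, "des" for a bare DES hash,
# "locked" for "*" or "!", "empty" for no hash, "none" if the user is absent.
shadow_scheme() {
    awk -F: -v u="$2" '$1 == u {
            if ($2 == "") { print "empty" }
            else if ($2 ~ /^[*!]/) { print "locked" }
            else { n = split($2, p, "$"); print (n > 2 ? p[2] : "des") }
            found = 1; exit }
        END { if (!found) print "none" }' "$1"
}

# Human-readable report for a tree laid out like a root filesystem.
audit_tree() {
    root=${1%/}
    echo "== setuid binaries under $root"
    list_setuid "$root"
    echo "== sshd PermitRootLogin: $(permit_root_login "$root/etc/ssh/sshd_config")"
    for d in "$root/root" "$root"/home/*/Desktop "$root"/home/*/Private; do
        [ -d "$d" ] || continue
        if private_dir_ok "$d"; then
            echo "ok   0700 $d"
        else
            echo "WARN $(stat -c '%a' "$d") $d"
        fi
    done
    echo "== root password hash scheme: $(shadow_scheme "$root/etc/shadow" root)"
}

# Audit a real tree only when a path is given on the command line, e.g. "/".
if [ $# -gt 0 ]; then audit_tree "$1"; fi
```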
- Patch question, will there be any changes in VCS?
- Currently using Bitkeeper
- Looking for new VCS.
- Which patch fixes what?
- Commit notes relate to bug numbers.
- Want to create bug fix patches from release diff?
- Some bugs are fixed by multiple commits, making it hard to create a patch for Ubuntu shipped version.
- MySQL 5.0 received some community features post release.
- Working on making MySQL run faster on Solaris, but not dropping support for other platforms.
- In the future there may be features in MySQL enterprise that aren't in the community release, but for now that isn't on the roadmap.
- Changes will be available to the community.
- Most commonly requested feature on Brain Storm, IRC, etc.
- Define Target Audience
- Not senior Linux/Unix sysadmin.
- New admin, possibly coming from Windows background.
- Consider managing more than 1 machine from the same UI, possibly for the future
- Multiple machines is one of the several cases where potentially a GUI can be more powerful than a commandline
Note that upstreams like OpenLDAP, Samba and OpenChange have GUI admin needs, have some code out there, and really don't want to maintain GUIs. So adopting a framework where these projects can just maintain some kind of plugin/parser/something is more attractive to these upstreams.
--> This could be done by upstream providing a CLI that allows modifying the configuration without acting directly on the conf files (see the postfix configuration tool as an example).
--> This reduces the admin load, but the tool that talks to the CLI still has to be maintained.
--> This could be done by upstream providing system-tools-backends -- a Freedesktop.org project (allows specifying a GUI).
- Web-based GUI
- Build on Free desktop system tools backends
- SMIT type system. (AIX management interface) which is based on command line config commands : nice learning curve, curses+GUI client. Every GUI action can display the commandline that it will eventually run on your behalf.
- Port YaST
- Universal client
- Already in universe
- Configuration Templates, available in the future.
- Configure multiple eBox servers from one eBox installation.
- Can clash with an administrator making changes on the commandline simultaneously
- Has its own configuration database
- eBox authenticates using a non-system user. (eBox has own accounts system -- independent of system)
- Want a consistent authentication mechanism for system configuration changes.
- relies on somewhat-privileged web server
Modules to target for Intrepid
[imported from Boston eBox gobby session - needs updating...]
- SAMBA [required]
- PDC [optional]
- Join Domain (front end to jerry's CLI)
- User Management
- should use whatever backend has been configured (AD, LDAP, passwd) [not required but highly recommended] only if LDAP is local
- Add/Remove user/group
- Add/remove user to group
- Printer [required]
- Not sure that it is working
- Printer level CUPS management
- DHCP [required]
- DNS [not required]
- NTP [not required]
- Mail Server [not required, users]
It would be nice to have eBox more ubuntu-looking.
20 May Round-table
- ISO tests too simple.
- Package python Tests.
- Maybe bzr
- Maybe in a PPA.
- Might break normal system configuration, but a warning would be provided.
- Collect information from test over the Internet.
- Integrate into the Install Options on the ISO.
- Create or use a Framework to run the tests.
- Run tests that come with the packages.
- Test the integration of packages. For example Apache and PHP, Kerberos and NSS, etc.
- For Intrepid create the tests and place them into a PPA.
- Make the UI more flexible without adding complexity.
- Add a Landscape key during install
- Join a domain using Likewise-Open.
- Second install experience -- could use d-i or oem-config
- Use tasksel to handle server profiles (MS-server-like "roles").
Don't want the current tasksel to grow too large >> redesign UI ?
- Give more non-technical descriptions to tasksel tasks (use long description of the seeds).
- Improved presentation of available tasks (tree like, long description).
- Provide an online source for additional task options (dynamically added when starting tasksel):
- use cases: new ISVs packages available after release are available for installation.
- Possibly grey out the options that aren't available due to no Internet connection. This will allow users to know that the options are there.
- Debconf doesn't allow.
- 2-step tasksel : ask all questions at the start, then perform install ?
Nobody uses tasksel ? -> market tasksel more aggressively as the way to handle roles (rebrand it as "add-remove-profile" ? postinstall msg ?)
- Add a Partner Task to the bottom of the Task list.
- The task will then download another Tasksel package with other install Tasks.
- "partner task" that would select/enable the partner repo and run a secondary tasksel.
- Use Aptitude to provide an option to install any available package.
- Use another installer?
- Not really an option due to the amount of work.
- Ubiquity -- Needs X, a lot of work as well.
Likewise Join Domain Example
- Are there other ways to display the domain question?
- What happens when the join fails?
- What we need to implement.
- Full server stack
- Currently doesn't build from source.
- Can be changed in the future.
- Packaged in Multiverse.
- Increasing market share
- Questionable maintenance relationship.
- Right featureset/Ubuntu-style management options
- Needs further investigation and packaging.
- Increasing market share
- Apache Project.
- Modular design. Technologically on par with JBoss and Glassfish v+1.
- Good upstream maintenance relationship.
- not packaged, bfs?
- Not packaged.
- Decreasing market share
- Not sure of upstream maintainability.
- Not packaged.
- Builds from source.
- Not sure of upstream.
- servlet container only
- Tomcat is downstream of Glassfish.
- Already packaged.
- Good upstream maintenance.
- Lost contributors from Sun.
- Packaged in Universe.
- Good upstream.
- Glassfish Servlet Container (v3)
- Needs Maven.
- Includes Felix
- Not packaged.
Database access layer - Hibernate (JPA); Eclipse Link; Open JPA (Oracle)
- Need a solution since we currently don't offer one.
- Shared Calendars: tracking people's schedule, check for free/busy.
- Resource/meeting room scheduling
- Shared Contacts.
- Shared Mail Box (sales@xx etc)
- Keep clients, migrate server
- Keep server, migrate clients
zimbra: licensing issues (Yahoo Public license: http://www.zimbra.com/community/downloads.html) - requires logo display
open-Xchange (Community Edition) (http://www.open-xchange.com/wiki/index.php?title=Main_Page):
- slow release cycle issues.
- very bad packaging (requires modified Tomcat server)
- Zarafa - (oops, not Open Source)
- Axigen - not open
darwin calendar (Apache 2.0 license) http://calendarserver.org - work is already under way (https://wiki.ubuntu.com/CalendarServer) and (https://bugs.launchpad.net/ubuntu/+bug/182591) -- note that it has already been packaged for Intrepid (see note in the same bug report)
- obm - php, in universe
bongo project (was netmail) temp example: http://dev.mythbuntu.org:8080/ admin:aaaa
svn checkout http://svn.gna.org/svn/bongo/trunk bongo
- nice web interface
egroupware (http://www.egroupware.org/Home?lang=en) ( In universe, php )
phpgroupware ( http://www.phpgroupware.org/ ) also in Universe
Chandlerproject http://chandlerproject.org/(Java based)
scalix http://www.scalix.com/ , http://www.scalix.com/community/licensing/Scalix_Public_License_1.1.txt (probably DFSG-ok; GPL-incompatible)
OpenGroupware - http://www.opengroupware.org/en/applications/index.html source at http://www.opengroupware.org/en/devs/source/index.html - java; not a real open source project, development done by one company
Citadel http://www.citadel.org/doku.php - GPL and have Ubuntu packages. Build your own at http://www.citadel.org/doku.php/faq:installation:compile_debs
- Nice groupware approach
Bedework http://www.bedework.org/bedework/ - BSD type license. Java based. Nice web interface.
SOGo http://sogo.opengroupware.org/ - Open Source Licence. Uses LDAP for authentication and PostgreSQL for data management. The web interface is equivalent to Thunderbird plus Lightning. There is a plugin for synchronization with Funambol.
Discarded (and why)
* Zimbra (due to license):
Zimbra alleged to be a very good solution: likely to be in partner repos.
- all copies of the Original Code in Executable and Source Code form must, as a form of attribution of the original author, include on each user interface screen (i) the original Zimbra logo, and once for each user session (ii) the copyright notice as it appears in the Original Code;
* open-Xchange --> release cycle
- ical over webdav
Interaction with existing desktop clients
- outlook, firebird|thunderbird, evolution, web.
The current open source landscape for those technologies does not offer enterprise-ready applications.
- Place anywhere
Current kernel doesn't support using a swap file and using hibernation. ("Unlike swsusp, suspend2 can write to any swap partition!", x)
- Display a warning that hibernation won't work.
- Add option to d-i if no swap partition is selected.
- Not the best way.
- If you're going to encrypt Swap why not encrypt everything?
- May be possible to encrypt Swap with minimal impact and maximum gain.
21 May Round-table
- Automatic Upgrades
- Unattended Upgrade, some things won't install without human interaction.
- Change unattended-upgrades to allow for selected updates.
- Need a way to provision updates.
- Rollbacks -- too much work to implement.
- Need a supported way to build a mirror.
- Multiple repositories support (incoming/testing/production1...)
- Need good documentation on setting up the mirror.
- unattended-upgrades package
- Allows you to white list packages
- Can white list repositories.
- Package Blacklists.
- Need to authorize updates before deployment.
- Apply updates based on system configuration type (web, mail, etc).
- Ask about private update mirror during install.
- Do you have a private mirror? If so supply url.
- Matter of wording the question correctly to avoid confusion.
- Identity Management for enterprise deployments
- a tool for users that don't understand ldap and can edit the directory:
- adding, removing and editing ldap entries.
- requires a consistent, simple installation / layout
Ways to manage identities
- not packaged for Ubuntu/Debian
- insignificant market share compared to AD & openldap
- includes java-based management tools - not clear how widely used they are
- Mandriva DS
- not packaged
- Work with OpenLDAP in developing a GUI admin tool.
http://directory.apache.org/studio/ - Apache Directory Studio
- LDAP object browser
New OpenLDAP <-> Active Directory Proxy
- Syncrepl-style consumer to pull changes from AD
- with password sync agent
- the schema is available in the tree
- clients can be agnostic about schema
- too low level - solves all problems sub-optimally
- appropriate for an admin tool
- ubuntu directory services package:
- depends on slapd
- default tree:
- user & group management
- application configuration in the tree - per package.
- Active Directory
- most OpenLDAP-aware client tools support AD management (see LAT)
- SQL database
- PADL tools (nss-ldap, pam-ldap)
FreeIPA - http://freeipa.org
- schema in packages
- include an integration directory in /etc/ldap/slapd.conf
- bind? (why?)
- heimdal in universe
- not-so-great security history/support
- OpenLDAP and Samba haven't noticed the previous comment being the case
- mit in main
- Not thread safe (enough).
- Doesn't work as well as a server.
- very good security incident cooperative handling
kerberos server with ldap backend: heimdal supports it for years, mit only since 2007 or 2008
- nss and pam using caching slapd.
- nsscache on code.google.com - replacement of nscd.
- Translucent overlay in openldap.
- Needs to be documented in Ubuntu.
- Allow schema changes without affecting current configuration.
- If you need more than authentication using LDAP an LDAP proxy is needed to handle the additional schemas.
- main issue reported : cannot join a DNS-challenged AD
- DNS issues needs to be documented (or worked-around inside Likewise? no...)
- id mapping.
- gdm integration.
- LemonLDAP - in universe e.g. lemonldap-ng
- Supports LDAP, SAML, OpenID, etc.
- Does authorization and authentication for Apache.
Review existing package for ldap support.
Focus on integrating ubuntu services in existing ldap based infrastructure:
- using openldap translucent overlay to talk to AD.
Won't boot if array is degraded
- Three options
- Boot in degraded, but functional mode.
- Requires code to enable.
- Nothing programmatic to control what happens.
- Programmatic hooks are now there.
- Don't boot when array is degraded.
- bring ssh on - you'll need loaded modules for network card and set up networking for that
- Boot in degraded, but functional mode.
- Need to allow the admin the ability to choose between the three.
grub is not redundant
- grub is only installed on one of the drives
-> needs to be fixed to allow booting from the second drive.
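Two checks that fall out of the discussion above, added here as an example and not code from the UDS notes: find arrays that /proc/mdstat reports as degraded, and list every whole disk behind an array so the boot loader can be installed on each member instead of only the first drive. It assumes the Linux /proc/mdstat layout ("md0 : active raid1 sda1[0] sdb1[1]" followed by a status line such as "[2/1] [U_]"); the grub-install lines are printed, never run, and the sample mdstat is constructed.

```shell
#!/bin/sh
# Added example (not from the UDS notes): inspect /proc/mdstat, or a saved copy
# of it, for degraded arrays and for the disks that back an array.

# Print the names of arrays whose status brackets show a missing member (_).
degraded_arrays() {
    awk '
        /^md[0-9]+ *:/ { name = $1 }
        match($0, /\[[U_]+\]/) {
            if (index(substr($0, RSTART, RLENGTH), "_")) print name
        }' "$1"
}

# Print the whole-disk device names behind one array, e.g. "sda sdb".
# Member fields look like sda1[0] or sdb1[1](F); the "[slot]" suffix, any
# flag and the partition number are stripped.  Partitions named like
# nvme0n1p1 lose the "p1" part, plain sdp1 loses only the "1".
array_disks() {
    awk -v want="$2" '
        $1 == want && $2 == ":" {
            for (i = 3; i <= NF; i++) {
                if ($i !~ /\[[0-9]+\]/) continue   # skip "active", "raid1", flags
                d = $i
                sub(/\[.*$/, "", d)
                if (d ~ /[0-9]p[0-9]+$/) sub(/p[0-9]+$/, "", d)
                else sub(/[0-9]+$/, "", d)
                if (!seen[d]++) out = out (out == "" ? "" : " ") d
            }
            print out; exit
        }' "$1"
}

# Emit one grub-install line per member disk (dry run: printed, not executed).
grub_install_plan() {
    for d in $(array_disks "$1" "$2"); do
        echo "grub-install /dev/$d"
    done
}

# Constructed sample standing in for a live /proc/mdstat:
# md0 is healthy, md1 has lost its second member.
sample_mdstat() {
    cat <<'EOF'
Personalities : [raid1]
md1 : active raid1 sda2[0]
      4000000 blocks [2/1] [U_]

md0 : active raid1 sda1[0] sdb1[1]
      976630 blocks [2/2] [UU]

unused devices: <none>
EOF
}

# Stand-alone use: report on the given file, or on the live /proc/mdstat.
if [ $# -gt 0 ]; then f=$1; else f=/proc/mdstat; fi
if [ -r "$f" ]; then
    echo "degraded arrays: $(degraded_arrays "$f" | tr '\n' ' ')"
fi
```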
- Similar to -fPIC?
- Has some performance penalties on i386.
- Lose a register.
- Not really an option for i386.
- A good option for amd64.
- Saves from gaining elevated access from network vulnerabilities?
22 May Round-table
- Discussed intrepid-server-polish
ClamAV and SpamAssassin MIR
- libclamav API changes too frequently.
- Changes break rdepends.
Ubuntu Server Polish
Install by default
- acl
- screen
- vim
- traceroute
- mtr
- nmap?
It's time for an ubuntu-server-base package which will recommend a different set of packages than -standard, and which would enable us to have more real server and fewer desktop-oriented packages by default.
SSH root login
Ubuntu is proposing to disable root login in the default config
- If the user enables the root password, then he probably wants to be able to log in as root. Most of the people that enable the root password will enable SSH root login, because there are reasons to have root enabled. Or give the user the option to select between activating root ssh login or not on install. Check what the openssh default is. Discuss with Colin to change in Debian also so we don't diverge.
Upgrade during the installation
- Consider doing apt-get dist-upgrade at the end of installation, so that there are no updates after installation. We already pull packages from -security if network is accessible. Why not pull them all?
- Patch it to support SELinux and ACL.
- Check cpio also for ACL support.
?? At the moment it's in /etc, which sometimes can be mounted as read-only.
?? Use /bin/bash instead of /bin/sh.
Virt Live Migration
- Move a VM between two physical machines without down time.
KVM is very good at Live Migration. http://kvm.qumranet.com/kvmwiki/Migration
- Need shared storage for it to work.
- Information on how to use it?
- Live Migration works in KVM not supported by current management tools.
- Need to detect if shared storage is being used or not.
- Save power by shutting down virtual machines during off hours.
- Move VMs around based on load.
VMWare DRS : http://www.vmware.com/products/vi/vc/drs.html
- Migrate based on problems or roles.
VMWare "High Availability" http://www.vmware.com/products/vi/vc/ha.html
- Scheduled maintenance hardware, patches, etc.
- Hot Copy for backups etc.
- Migrating underused systems, or switching off systems during low use periods to save power
- migrating systems to other servers to provide additional resources
- Zen Orchestrator
Server Package Integration
We need to have a mechanism to install many different application stacks for different server uses.
- We are calling these scenarios.
- The system must be scalable (support many different scenarios), be policy compliant, and allow installation of many different packages with unique configurations per scenario.
- Mail server is the initial scenario, but there are many that can be used, so our mechanism needs to scale to a fairly arbitrary number of scenarios.
Need to deal with managing config files on install and upgrades
Possibly use FAI called from DI in late install
- Need to get the scenario space defined and mounted
FAI can be an installer, but as an installer is 'poor'. DI lacks a good understanding of classes of packages. Using DI to install and FAI to configure a particular scenario is using each tool to do what it does best.
- Mail Gateway -- Virus, Spam, Content filtering.
- Postfix for MTA/MSA
- Amavisd-new for integration of post-SMTP mail filtering (SpamAssassin/ClamAV)
- Dovecot for SASL
There are many other possible mail scenarios.
[ ATTENTION: the scenario editor here is vaporware. It presents the ideal world ]
We can generalize the idea of installing a server providing a service to a scenario. A scenario basically consists of the following concepts:
- Scenario Configuration (variables that affect the concrete parameters of the server used in that scenario)
- installed system.
The scenario editor can be implemented either
- as a stand-alone application (think gtk2 or webapp).
- integrated into the installation part.
In the first case, the scenario editor would create an installation media on either pendrive or iso image to boot from cd. Also a pure netinst image for use with cobbler or similar is imaginable.
The second variant would support interactive installs only, since it prompts the administrator to enter the scenario configuration.
FAI - the Fully unattended installation And configuration Infrastructure
During a FAI run the following steps (or stages) are done:
- classes: FAI runs shell scripts to determine the classes in which the particular machine participates. Each class may define shell variables representing the scenario configuration.
- disc_config: FAI sets up partitions, creates file systems, etc.
- packages: FAI non-interactively installs the set of packages that belong to the determined classes.
- scripts: here arbitrary scripts are run (mostly shell scripts, but they can also be compiled programs or any other scripting language like cfengine or python) depending on the classes defined. These scripts have access to the (as yet unconfigured) installed system, the set classes and the shell variables set in stage 'classes'. With that information, they modify the system to provide the configured scenario.
Additionally, every stage can be customized by hooks that run between the stages. Both pre-run and post-run semantics are available (hackish, but still).
Using FAI as scenario deployment facility
If using the stand-alone scenario editor approach, that application has to include the scenario configuration on the CD. The scenario designer would provide scripts to verify that the scenario configuration is complete, a definition of the set of packages to install, and scripts that turn a system using the scenario configuration into a configured system. These steps map directly to the stages FAI is using.
If using the integrated approach, the system image would query the administrator at install time. This can also be integrated into the classes stage of FAI, which are implemented as shell scripts. The scripts would then interrupt the installation, presenting the administrator the scenario he is about to install, query the scenario configuration and then proceed with installing the system.
In both approaches, the disc_config stage would have to be disabled, because d-i is taking care of this.
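A dry run of the classes, packages and scripts stages described above for the mail gateway scenario, added here as an example and not code from the UDS notes or from FAI itself. It assumes FAI's config-space conventions (class/*.sh print class names, class/CLASS.var hold that class's variables, package_config/CLASS lists packages after a "PACKAGES install" line, scripts/CLASS/* configure the system), builds a constructed config space in a temporary directory, and uses FAI_HOSTNAME in place of the hostname FAI knows at run time; disc_config is left out because d-i handles partitioning in this approach.

```shell
#!/bin/sh
# Added example (not from the UDS notes or FAI): emulate FAI's three stages
# over a constructed config space.  Nothing is installed; the scripts stage
# only prints the commands a real configuration script would run.

# Populate a small config space for the mail-gateway scenario (constructed).
make_config_space() {
    d=$1
    mkdir -p "$d/class" "$d/package_config" "$d/scripts/MAILGW"
    cat > "$d/class/10-hostname.sh" <<'EOF'
#!/bin/sh
# every host is UBUNTU; hosts named mail* also get the MAILGW class
echo UBUNTU
case "$FAI_HOSTNAME" in mail*) echo MAILGW ;; esac
EOF
    printf 'MAIL_DOMAIN=example.test\nSPAM_THRESHOLD=5\n' > "$d/class/MAILGW.var"
    printf 'PACKAGES install\nopenssh-server screen vim\n' > "$d/package_config/UBUNTU"
    printf 'PACKAGES install\npostfix amavisd-new spamassassin\nclamav-daemon dovecot-common\n' \
        > "$d/package_config/MAILGW"
    cat > "$d/scripts/MAILGW/10-postfix" <<'EOF'
#!/bin/sh
# dry run: print the command a real script would execute
echo "postconf -e mydomain=$MAIL_DOMAIN"
EOF
}

# Stage 'classes': run every class script, keep unique class names in order.
fai_classes() {
    for s in "$1"/class/*.sh; do
        FAI_HOSTNAME=$2 sh "$s"
    done | awk '!seen[$0]++'
}

# Stage 'packages': union of the install lists of the given classes,
# printed as one sorted, space-separated line.
fai_packages() {
    d=$1; shift
    for c in "$@"; do
        f=$d/package_config/$c
        [ -f "$f" ] || continue
        awk '$1 == "PACKAGES" { mode = $2; next }
             mode == "install" { for (i = 1; i <= NF; i++) print $i }' "$f"
    done | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Stage 'scripts': export each class's variables, then run its scripts in order.
fai_scripts() {
    d=$1; shift
    set -a
    for c in "$@"; do
        [ -f "$d/class/$c.var" ] && . "$d/class/$c.var"
    done
    set +a
    for c in "$@"; do
        for s in "$d/scripts/$c"/*; do
            [ -f "$s" ] && sh "$s"
        done
    done
    return 0
}

# Stand-alone run: "sh fai-dryrun.sh mail01" simulates installing host mail01.
if [ $# -gt 0 ]; then
    space=$(mktemp -d)
    make_config_space "$space"
    classes=$(fai_classes "$space" "$1")
    echo "classes: $classes"
    echo "packages: $(fai_packages "$space" $classes)"
    fai_scripts "$space" $classes
    rm -rf "$space"
fi
```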
Virtual Machine Guest Install
- Distribute ubuntu-vm-builder instead of JeOS ISOs.
- What's the value of JeOS.
- What's the value in distributing ISOs.
- JeOS Users are used to ISOs.
- Create a VM to build custom Virtual Machines.
VM Guest Outcomes
- No longer distribute JeOS ISO.
- Only distribute the tools:
- a web service to produce images
- anyone seen this http://dcgrendel.thewaffleiron.net/vmbuilder/2.02/
- a preconfigured vm with u-v-b (for vmware & kvm)
- Need to make Soren's wonderful u-v-b more known (funky name ?)
Provisioning server. http://cobbler.et.redhat.com/
- Use Case
- PXE boot install and config.
- Diskless VMs.
- Point it at a repository, CD, mount point, etc.
- Create a Profile that links to a kickstart file.
- Assign machines to the Profile via MAC address.
- Uses DHCP templates to identify clients.
- The process of using cobbler needs to be documented.
- Seeds help distributions grow.
- Germinate is used to add the packages and dependencies.
[Seed hierarchy diagram, flattened by extraction; seeds shown: required, base, platform, minimal, build-essential, standard, server, server-ship]
- Packages that aren't in main but are supported by Canonical.
- Previously for packages to get into Server they first went into Standard and Desktop seeds.
- mini.iso and server.iso are basically the same, basic difference is the kernel.
- Any core dev can commit to seeds.
- Main == Supported + build-depends
Server Management Integration
- Open IPMI -- moved to main during Hardy. (Intelligent Platform Management Interface).
- Needs to be tested with an Enterprise Management System.
SBLIM - IBM: http://sblim.wiki.sourceforge.net/
Virtual Host Creation
- Determine features for the next version.
ubuntu-vm-builder Intrepid Features (already developed)
- Error Handling.
- Now running with set -e -u?
- Create directly on a RAW device (such as iSCSI).
- Specify first boot scripts.
- Before first login. (non-interactive)
- After first login. (interactive)
- Specify an ISO file to get packages.
- timezone + keymap setting
- fixed in a u-v-b SRU (copy host settings)
u-vm-b wanted Features / Bugs
- running as non-root ?
- really difficult, losetup mount/unmount being really unfriendly
- should modprobe loop
- Default --dest: from ubuntu-vm-$SUITE-$ARCH to $HOSTNAME-$SUITE-$ARCH-vm
- should allow for overwriting the dest directory
- add virtualbox output format - .vbox
- name used with --libvirt should be ubuntu_hostname or similar (to avoid ubuntu, ubtuntu_, ubuntu, ...)
- Name change ?
- u-v-b is good : says what it does
- may discourage porting or retargeting
- too long and boring
- UVE - Ubuntu Virtually Everywhere
- Soren Virtually Everywhere
UBERVM UBuntu ...EverywheRe VM
- Cool abstract name for aggressive blogging
- SFGS: Soren's famous golf swing
- Mustek Vystup (or Smer)
23 May Round-table
- SRU new versions of OpenLDAP.
- Package conmux -- Console multiplexor.
- Landscape is a client-server management system
- client, installed on each and every machine
- $server_end (currently expensive.canonical.com web-frontend)
- Canonical is currently the only 'server' provider, which is a paid service
landscape-client polls 'http://expensive.canonical.com/'
- sends information
- retrieves a list of commands to run
- There has been an empty "placeholder" package in expectation of the source (now available 2008-05)
http://www.ubuntu.com/news/landscape has the announcement with feature description
What would the Community like to see?
- E.g. the client could be used standalone, to collect information and share it on the local machine via a text based console
- Having the client on the CD, but not installing it.
- Installing it but not running it.
- Integrating it to the installer so that licensees can enter their key (and let the others ignore it)
- Really hard to ship it on the CD without source-code; client source:
Canonical needs to be happy if other tools start using the Landscape client/server API
deb http://ppa.launchpad.net/landscape/ubuntu hardy main
deb-src http://ppa.launchpad.net/landscape/ubuntu hardy main
- The protocol is not currently documented
- Hasn't happened *yet*
- Will happen in due-course
- Question of process for future change control of the protocol spec, if there are both open source and proprietary servers
- The other half of the puzzle that allows regression testing
- Existence of the "server-console" could be advertised in motd
- Landscape-collected data (load...)
- Available updates
- Current time
- MD status (integrated with mdadm)
- Other "system messages"
- Conflict of interest
- Any core-developer is going to be able modify this package in 'main'
- This could break Landscape-server and make Canonical very upset
- (reduced by having some sort of regression testing mechanism)
- There are many MS Exchange servers in the world
- There is only one Landscape server
- People are paying a hundred million dollars for that server to always work
- Ubuntu dev uploads (eg. a security fix) that breaks server
- Lots and lots of stressed people wanting their hundreds and millions back
- There is only
Questions for the Landscape team
- Overview that a DD/Ubuntu person with no Landscape knowledge can understand
- Protocol documentation/examples
- How does the 'dbus' interface interact with the message-broker/polling
- How flexible is the protocol
- Can the information gathered be saved on the local machine
- Does the client currently handle/expect to talk to multiple servers with differing views/ACLs, eg.
- pushing readonly to hwdb.ubuntu.com
- pushing to (yet to be written) local management console
pushing to http://landscape.canonical.com/ when they've bought a support contract
- Would like to have
- Needs *some* GPL client (as a minimum for testing against)
- "Console idea" is an idea of the past? (Think Netware)
- Multi-machine management
- A management tool should focus on decreasing the learning-curve
- Menus can be explored (no need to learn obscure commands)
- Avoids need to specialise/learn
- In the same place as the 'sudo' message, provide a 'console' message
- Are the existing ncurses solutions over the years that could be built on
Answers from <bigkevmcd>:
< bigkevmcd> the messages are bpickled (a textual pickle representation)
< bigkevmcd> and sent over https [to https://landscape.canonical.com/]
< bigkevmcd> the source for bpickle is part of the landscape client ...
< bigkevmcd> sladen: the simple answer is "look at the source"
< bigkevmcd> but, mainly because of the tests that are in there
- How to deploy different types of web application frameworks.
- Create policies for packaging web application frameworks.
- Debian already has some policies.
Debian Web application Policy
Gentoo webapp policy
webapp-config tool : http://www.gentoo.org/proj/en/webapps/webapp-config.xml
PHP Web Applications
- Install multiple versions of an app.
- Install multiple instances of an app.
- How to upgrade an installed and packaged app.
- Apps get installed into /usr/share
- 3rd party modules get installed into /usr/local
- Packages need to be modified to allow /usr/share to see /usr/local
- simple user: does not change code, does not change database
- plug-in user: does not change installed code/db/templates, but *adds* 3rd party plugins without changing installed files
- code customizer: changes code/db
- template editor: adapts/localizes HTML templates
- The complicated part is dealing with modifications by the user
- by adding plugins in the way that is standard for the web app
- based on instructions on a howto somewhere
- based on their own knowledge
- During an upgrade, perhaps check to see if they have changed anything and just give them a diff if we don't know how to handle it?
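One way to implement that upgrade-time check, as an added example (not code from the report or from any of the packages discussed): record a checksum manifest of the shipped files at install time (in the spirit of dpkg's per-package md5sums), then at upgrade time classify every installed file as unchanged, modified (a unified diff against the shipped copy is produced for the admin), added (a plug-in user's files, which the upgrade leaves alone) or deleted. The file names, contents and manifest layout below are constructed for the demo.

```python
import difflib
import hashlib
import os
import tempfile

# Constructed "shipped" web app: relative path -> file text as packaged.
SHIPPED = {
    "index.php": "<?php\nrequire 'config.php';\necho 'hello';\n",
    "config.php": "<?php\n$db_host = 'localhost';\n$debug = false;\n",
}


def sha256_of(path):
    """Stream a file through sha256 so large assets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def installed_files(root):
    """All files currently under root, as paths relative to root."""
    found = set()
    for dirpath, _, names in os.walk(root):
        for name in names:
            found.add(os.path.relpath(os.path.join(dirpath, name), root))
    return found


def build_manifest(root):
    """Record the checksum of every shipped file; written at install time."""
    return {rel: sha256_of(os.path.join(root, rel)) for rel in installed_files(root)}


def classify_changes(root, manifest, pristine):
    """
    Compare the installed tree against the install-time manifest.
    Returns (modified, added, deleted):
      modified: rel path -> unified diff of shipped text vs. current text
      added:    files not in the manifest (e.g. third-party plugins)
      deleted:  manifest entries no longer present
    `pristine` maps rel path -> shipped text, used to render the diff.
    """
    present = installed_files(root)
    added = sorted(present - set(manifest))
    modified, deleted = {}, []
    for rel, digest in manifest.items():
        full = os.path.join(root, rel)
        if rel not in present:
            deleted.append(rel)
            continue
        if sha256_of(full) == digest:
            continue  # untouched by the user; safe to replace on upgrade
        with open(full, encoding="utf-8") as f:
            current = f.read().splitlines(keepends=True)
        shipped = pristine[rel].splitlines(keepends=True)
        modified[rel] = "".join(difflib.unified_diff(
            shipped, current, fromfile="shipped/" + rel, tofile="installed/" + rel))
    return modified, added, sorted(deleted)


def demo():
    """Install the constructed app, simulate user edits, and classify them."""
    root = tempfile.mkdtemp(prefix="webapp-")
    for rel, text in SHIPPED.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
            f.write(text)
    manifest = build_manifest(root)
    # A "code customizer" edits config.php in place ...
    with open(os.path.join(root, "config.php"), "w", encoding="utf-8") as f:
        f.write("<?php\n$db_host = 'localhost';\n$debug = true;\n")
    # ... and a "plug-in user" drops in a third-party file without touching shipped ones.
    os.mkdir(os.path.join(root, "plugins"))
    with open(os.path.join(root, "plugins", "extra.php"), "w", encoding="utf-8") as f:
        f.write("<?php\n// third-party plugin\n")
    return classify_changes(root, manifest, SHIPPED)


if __name__ == "__main__":
    modified, added, deleted = demo()
    print("added (left alone):", added)
    print("deleted:", deleted)
    for rel, diff in modified.items():
        print(f"modified {rel}, diff for the admin to review:\n{diff}")
```

Only files whose checksum differs from the manifest get a diff, so a plug-in user's additions never trigger a prompt; the checksum manifest, not mtime, is the source of truth, since mtimes change on copy or restore without any content change.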
Intrepid Server Guide
- move to use cases:
- file server
- print server
- heterogeneous env. with Windows and Macs
- anti-virus scanning on smb
- move to use cases:
- software RAID
- HowTo for fail-over cluster (using RHCS)
- Document why DNS is needed.
- How to setup Windows DNS with AD.
- Likewise-open Troubleshooting.
- JeOS section update based on ISO availability.
- Cobbler -- provisioning.
- Move the official Server Guide into the Wiki?
- Some still want an installable package.
- Will still ship the package.
- Include a PDF version of the Server Guide with the package.
- Any new features in Ubuntu-VM-Builder.
- Server Guide bug fixes, updates, etc.
- OpenLDAP cn=config documentation needed.
- Review the layout of the sections and standardize them.
Discussion just before the documentation discussion...
- Finds details about machines on the network.
- package management and system inventory via ocs, glpi and puppet
Got a quick demo from Anthony Mercatante ("tiono") and Walid Nouh et al.; they are writing a puppet plugin to use inside glpi
ocs-inventory populates glpi system
glpi - asset management system, life cycle management (purchase, contract etc)
http://www.debianadmin.com/glpi-it-and-asset-managemet-software-configuration.html : GLPI stands for “Gestionnaire libre de parc informatique”; it is the Information Resource-Manager with an additional Administration-Interface
- ocs server - perl and php
- ocs client - multiple languages (for linux agent = Perl + small bit in C)
- glpi - php
- both currently support only MySQL
UFW Next Steps
- port ranges
- ufw allow apache
- ufw register/unregister apache
- port open by default
- have a policy question
- limits (eg max X requests in Y time)
- NAT/port forwarding
- TODO: split out backend to allow for making writing frontends easier
Per-Package Config Files
- use port-protocol tuple
- separate out the port/protocol from rest of the declaration
- the port/protocol declaration needs to be able to have multiple ports/protocols
- allow for zones
- allow for localization in the declaration file (perhaps gettext); have the domain for gettext be the same as the file name, or ufw_packagename
- allow for default allow/deny
- make sure cli has a way to list the packages that are installed and their
- be sure to check the SuSE firewall when looking at zones
- Ability to learn from ufw configs.
- pfsense, fwbuilder, firestarter, fireHOL, shorewall
- talk to eBox about integration
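An added example (not ufw's own code, and not the format ufw ended up shipping) of how a per-package declaration file along the lines discussed under "UFW Next Steps" and "Per-Package Config Files" might be parsed and validated: one INI section per package, a `ports` key holding `port[,port|first:last]/proto` tuples separated by `|` (so one declaration can carry several ports, port ranges and protocols), and optional `zone` and `default` keys. That syntax, the package names and the port numbers are all assumptions for illustration. The parser refuses a tuple with no protocol, an unknown protocol, a port outside 1-65535, a reversed range, or an unknown key, because a silently mis-parsed profile is an open port nobody meant to open.

```python
import configparser
from dataclasses import dataclass

# Constructed sample declaration files in the hypothetical syntax described above.
SAMPLE_PROFILES = """
[Apache]
title=Web Server
description=Apache HTTP server
ports=80,443/tcp

[VoIP]
title=SIP + RTP
description=SIP signalling plus an RTP media port range
ports=5060/udp|10000:20000/udp
zone=lan
default=allow
"""

KNOWN_KEYS = {"title", "description", "ports", "zone", "default"}


@dataclass(frozen=True)
class PortRule:
    first: int
    last: int
    proto: str

    def __str__(self):
        span = str(self.first) if self.first == self.last else f"{self.first}:{self.last}"
        return f"{span}/{self.proto}"


def parse_ports(spec):
    """
    Expand a `ports` value into PortRule tuples.
    Tuples are separated by '|'; each is '<ports>/<proto>' where <ports> is a
    comma-separated list of single ports or first:last ranges.  The protocol is
    mandatory so a declaration can never silently apply to both tcp and udp.
    """
    rules = []
    for tup in spec.split("|"):
        tup = tup.strip()
        if "/" not in tup:
            raise ValueError(f"missing protocol in {tup!r}")
        ports, proto = tup.rsplit("/", 1)
        proto = proto.strip().lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {proto!r}")
        for item in ports.split(","):
            item = item.strip()
            first, _, last = item.partition(":")
            try:
                lo = int(first)
                hi = int(last) if last else lo
            except ValueError:
                raise ValueError(f"non-numeric port in {item!r}") from None
            if not 1 <= lo <= hi <= 65535:
                raise ValueError(f"port range out of order or out of bounds: {item!r}")
            rules.append(PortRule(lo, hi, proto))
    return rules


def load_profiles(text):
    """Parse all package sections; reject unknown keys and bad default policies."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    profiles = {}
    for name in cp.sections():
        sec = cp[name]
        unknown = set(sec.keys()) - KNOWN_KEYS
        if unknown:
            raise ValueError(f"{name}: unknown keys {sorted(unknown)}")
        if "ports" not in sec:
            raise ValueError(f"{name}: 'ports' is required")
        default = sec.get("default", "deny").strip().lower()
        if default not in ("allow", "deny"):
            raise ValueError(f"{name}: default must be allow or deny")
        profiles[name] = {
            "title": sec.get("title", name),
            "rules": parse_ports(sec["ports"]),
            "zone": sec.get("zone", "any"),   # 'any' when no zone is declared
            "default": default,
        }
    return profiles


def rules_for(profiles, name, action="allow"):
    """The per-port lines a 'ufw allow <package>' front end would hand to the backend."""
    prof = profiles[name]
    return [f"{action} {rule} zone={prof['zone']}" for rule in prof["rules"]]


if __name__ == "__main__":
    profiles = load_profiles(SAMPLE_PROFILES)
    for name in profiles:
        print(name, "->", rules_for(profiles, name))
```

Keeping the port/protocol expansion in `parse_ports`, separate from the rest of the declaration, is what lets several front ends (CLI, a GUI, eBox) share one validator; a default of `deny` when the key is absent keeps a half-written profile from opening anything.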
Integrated Directory Services
- Enable common user authentication using LDAP.
- Need a standard tool to add/remove users.
- adduser is the current tool and needs some code to connect to LDAP.
- Import existing users using an import tool.
- Use some of the cool overlays that are available.
- Implement the Password Policy in LDAP the same as the non-ldap policy.
- Use a default KDC.
--- Spec: foo